CN116389130A - Large-scale network security defense system based on knowledge graph


Info

Publication number: CN116389130A
Authority: CN (China)
Prior art keywords: defense, key, monitoring period, monitoring, marking
Legal status: Pending
Application number: CN202310381691.3A
Other languages: Chinese (zh)
Inventors: 钱建波, 于正永, 蒋愚劼, 贾建强, 朱重龙, 侍金巧, 章早立, 董进, 赵青, 吕吉林, 朱刚, 申万峰, 杨安康
Current assignee: Jiangsu Vocational College of Electronics and Information
Original assignee: Jiangsu Vocational College of Electronics and Information
Application filed by: Jiangsu Vocational College of Electronics and Information
Priority to: CN202310381691.3A

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the field of network security defense and relates to data analysis technology. It addresses the problem that existing network security defense systems cannot comprehensively analyze network attack data and mark its characteristics, so that their protection effect is poor. The large-scale network security defense system based on a knowledge graph comprises a security defense platform that is communicatively connected with a defense analysis module, a period management module, a feature analysis module and a storage module. The defense analysis module monitors and analyzes network security defense data: it generates a monitoring period and acquires the defense failure data packet of the security defense platform for that period. The invention can monitor and analyze network security defense data so that the attack risk and defense difficulty of each monitored object are fed back through the value of its defense coefficient, and targeted defense upgrades can then be made against the observed network attack characteristics.

Description

Large-scale network security defense system based on knowledge graph
Technical Field
The invention belongs to the field of network security defense, relates to a data analysis technology, and in particular relates to a large-scale network security defense system based on a knowledge graph.
Background
Network security generally refers to the security of a computer network and may also refer to the security of a computer communication network. A computer communication network is a system that interconnects a plurality of computers with independent functions through communication equipment and transmission media and, supported by communication software, transmits and exchanges information among them. A computer network is a system in which a plurality of independent computer systems, terminal devices and data devices distributed over a region are connected by communication means for the purpose of sharing resources, with data exchange performed under the control of a protocol.
In network attack and defense, numerous factors need to be considered, such as network topology, host software and hardware configuration, vulnerabilities, firewall settings and task dependencies. Conventional security assessment approaches can only provide an isolated basic assessment of each of these aspects, and such assessments are difficult to combine effectively to analyze the vulnerability of the system at a higher level.
The present application provides a solution to these technical problems.
Disclosure of Invention
The invention aims to provide a large-scale network security defense system based on a knowledge graph, which solves the problem that existing network security defense systems cannot comprehensively analyze network attack data and mark its characteristics, so that their protection effect is poor.
The technical problem to be solved by the invention is: how to provide a large-scale network security defense system based on a knowledge graph that can comprehensively analyze network attack data and mark its characteristics.
The aim of the invention is achieved by the following technical scheme:
The large-scale network security defense system based on the knowledge graph comprises a security defense platform, which is communicatively connected with a defense analysis module, a period management module, a feature analysis module and a storage module;
the defense analysis module monitors and analyzes network security defense data: it generates a monitoring period and acquires the defense failure data packet of the security defense platform for that period; each defense failure record is marked as a monitoring object, and the vulnerability-type data LB and attack-characteristic data GB of the monitoring object are acquired; the defense coefficient FY of the monitoring object is obtained by numerical calculation on LB and GB; and the monitoring object is marked as a common object or a key object according to the value of FY;
the period management module performs periodic management analysis on the defense failure data of the monitoring period: it acquires the number of key objects in the monitoring period and marks it as the key data; marks the ratio of the key data to the number of monitoring objects in the defense failure data packet as the key coefficient; marks the difference between the network attack time of each key object and the start time of the monitoring period as that object's key time; forms the key set from the key times of all key objects; computes the variance of the key set to obtain the re-bias coefficient; and marks the defense feature of the monitoring period according to the values of the key coefficient and the re-bias coefficient;
the feature analysis module monitors and analyzes the defense feature of the monitoring period.
In a preferred embodiment of the invention, the defense failure data packet comprises vulnerability data and attack data. The vulnerability data comprises the vulnerability type of each defense failure, the vulnerability types being firewall mismatch, server misconfiguration, software patches not updated, weak password and information leakage. The attack data comprises the attack characteristics of each defense failure, the attack characteristics being the attacked network node and the attacked path.
In a preferred embodiment of the invention, the vulnerability-type data LB is obtained as follows: the vulnerability type of the monitoring object is obtained, the number of occurrences of the same vulnerability type in the defense failure data packet is marked as the vulnerability-type count, and the ratio of the vulnerability-type count to the total number of monitoring objects in the defense failure data packet is marked as the vulnerability-type data LB. The attack-characteristic data GB is obtained as follows: the attack characteristics of the monitoring object are obtained, the number of occurrences of the same attack characteristics in the defense failure data packet is marked as the attack-characteristic count, and the ratio of the attack-characteristic count to the total number of monitoring objects in the defense failure data packet is marked as the attack-characteristic data GB.
In a preferred embodiment of the invention, marking the monitoring object as a common object or a key object comprises: the defense threshold FYmax is obtained from the storage module and the defense coefficient FY of the monitoring object is compared with it: if FY is smaller than FYmax, the corresponding monitoring object is marked as a common object; if FY is greater than or equal to FYmax, the corresponding monitoring object is marked as a key object.
In a preferred embodiment of the invention, marking the defense feature of the monitoring period comprises: the key threshold and the re-bias threshold are obtained from the storage module, and the key coefficient and re-bias coefficient of the monitoring period are compared with them respectively: if the key coefficient is smaller than the key threshold, the network defense effect in the monitoring period is judged to meet the requirement and the defense feature of the monitoring period is marked as normal; if the key coefficient is greater than or equal to the key threshold and the re-bias coefficient is greater than or equal to the re-bias threshold, the network defense effect in the monitoring period is judged not to meet the requirement and the defense feature is marked as integral upgrade; if the key coefficient is greater than or equal to the key threshold and the re-bias coefficient is smaller than the re-bias threshold, the network defense effect in the monitoring period is judged not to meet the requirement and the defense feature is marked as local upgrade; in that case all key times are summed to obtain the marked time period BJ, the marked thresholds BJmin and BJmax are obtained by the formulas BJmin = t1 × BJ and BJmax = t2 × BJ, where t1 and t2 are proportional coefficients with 0.85 ≤ t1 ≤ 0.95 and 1.05 ≤ t2 ≤ 1.15, the marked thresholds BJmin and BJmax form the marked range, the marked range is sent to the security defense platform, and the security defense platform forwards it to the administrator's mobile terminal. The defense feature of the monitoring period is sent to the security defense platform, which forwards it to the feature analysis module.
In a preferred embodiment of the invention, the feature analysis module monitors and analyzes the defense feature of the monitoring period as follows. Frequency analysis starts when the feature analysis module first receives a defense feature of integral upgrade or local upgrade: an upgrade value with initial value zero is set and incremented by one at the start of the frequency analysis, and the defense feature of the next monitoring period received by the feature analysis module is examined: if it is normal, the frequency analysis ends, and a new frequency analysis starts the next time the module receives a defense feature of integral upgrade or local upgrade; if it is integral upgrade or local upgrade, the upgrade value is incremented by one, and whenever the upgrade value is not smaller than a preset upgrade threshold a defense early-warning signal is generated and sent to the security defense platform, which forwards it to the administrator's mobile terminal; this continues until the next received defense feature of a monitoring period is normal, at which point the frequency analysis ends. The upgrade value is reset to zero when the frequency analysis ends.
In a preferred embodiment of the invention, the working method of the large-scale network security defense system based on the knowledge graph comprises the following steps:
Step one: monitor and analyze the network security defense data: generate a monitoring period, acquire the defense failure data packet of the security defense platform for the monitoring period, perform numerical calculation on the defense failure data packet to obtain the defense coefficient FY of each monitoring object, and mark the monitoring object as a common object or a key object by the value of FY;
Step two: perform periodic management analysis on the defense failure data of the monitoring period: acquire the number of key objects in the monitoring period and mark it as the key data, obtain the key coefficient and re-bias coefficient of the monitoring period from the key data, and mark the defense feature of the monitoring period by the key coefficient and the re-bias coefficient;
Step three: monitor and analyze the defense feature of the monitoring period: when the upgrade value of the frequency analysis is not smaller than the preset upgrade threshold, send a defense early-warning signal to the administrator's mobile terminal.
The invention has the following beneficial effects:
1. The defense analysis module monitors and analyzes the network security defense data and obtains the defense coefficient of each monitoring object by comprehensive analysis of the vulnerability data and attack data in the defense failure data packet, so that the attack risk and defense difficulty of the monitoring object are fed back through the value of the defense coefficient and targeted defense upgrades can be made against the network attack characteristics;
2. The period management module performs periodic management analysis on the defense failure data of the monitoring period and obtains the key coefficient and re-bias coefficient by analysis and calculation of the key data in the monitoring period, so that the defense feature of the monitoring period is marked according to the key coefficient and the re-bias coefficient and the network security defense state is monitored periodically through the defense feature marking result;
3. The feature analysis module monitors and analyzes the defense feature of the monitoring period; the frequency analysis result monitors the network security defense state over successive monitoring periods and feeds back the effect of the network security defense upgrades, so that the upgrade scheme is continuously optimized and the security of subsequent network operation is improved.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a system block diagram of a first embodiment of the present invention;
FIG. 2 is a flowchart of a method according to a second embodiment of the invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is obvious that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in FIG. 1, the large-scale network security defense system based on a knowledge graph comprises a security defense platform, which is communicatively connected with a defense analysis module, a period management module, a feature analysis module and a storage module.
The defense analysis module monitors and analyzes the network security defense data: it generates a monitoring period and acquires the defense failure data packet of the security defense platform for that period. The defense failure data packet comprises vulnerability data and attack data; the vulnerability data comprises the vulnerability type of each defense failure, the vulnerability types being firewall mismatch, server misconfiguration, software patches not updated, weak password and information leakage; the attack data comprises the attack characteristics of each defense failure, namely the attacked network node and the attacked path. Each defense failure record is marked as a monitoring object, and the vulnerability-type data LB and attack-characteristic data GB of the monitoring object are acquired. LB is obtained as follows: the vulnerability type of the monitoring object is obtained, the number of occurrences of the same vulnerability type in the defense failure data packet is marked as the vulnerability-type count, and the ratio of the vulnerability-type count to the total number of monitoring objects in the defense failure data packet is marked as the vulnerability-type data LB. GB is obtained as follows: the attack characteristics of the monitoring object are obtained, the number of occurrences of the same attack characteristics in the defense failure data packet is marked as the attack-characteristic count, and the ratio of the attack-characteristic count to the total number of monitoring objects in the defense failure data packet is marked as the attack-characteristic data GB. The defense coefficient FY of the monitoring object is obtained by the formula FY = α1 × LB + α2 × GB, where the defense coefficient is a value reflecting the attack risk and defense difficulty of the monitoring object: the larger the defense coefficient, the higher the attack risk and the greater the defense difficulty of the monitoring object; α1 and α2 are proportional coefficients with α1 > α2 > 1. Because LB and GB are both shares of the same packet, an object whose vulnerability type or attack path recurs across many failures in the period scores higher than an isolated one. The defense threshold FYmax is obtained from the storage module and the defense coefficient FY of the monitoring object is compared with it: if FY is smaller than FYmax, the corresponding monitoring object is marked as a common object; if FY is greater than or equal to FYmax, the corresponding monitoring object is marked as a key object. The network security defense data are thus monitored and analyzed, and the defense coefficient of each monitoring object is obtained by comprehensive analysis of the vulnerability data and attack data in the defense failure data packet, so that the attack risk and defense difficulty of the monitoring object are fed back through the value of the defense coefficient and targeted defense upgrades can be made against the network attack characteristics.
The period management module performs periodic management analysis on the defense failure data of the monitoring period: it acquires the number of key objects in the monitoring period and marks it as the key data; marks the ratio of the key data to the number of monitoring objects in the defense failure data packet as the key coefficient; marks the difference between the network attack time of each key object and the start time of the monitoring period as that object's key time; forms the key set from the key times of all key objects; and computes the variance of the key set to obtain the re-bias coefficient, which measures how widely the key objects are spread over the monitoring period. The key threshold and the re-bias threshold are obtained from the storage module, and the key coefficient and re-bias coefficient of the monitoring period are compared with them respectively: if the key coefficient is smaller than the key threshold, the network defense effect in the monitoring period is judged to meet the requirement and the defense feature of the monitoring period is marked as normal; if the key coefficient is greater than or equal to the key threshold and the re-bias coefficient is greater than or equal to the re-bias threshold, the network defense effect is judged not to meet the requirement and the defense feature is marked as integral upgrade; if the key coefficient is greater than or equal to the key threshold and the re-bias coefficient is smaller than the re-bias threshold, the network defense effect is judged not to meet the requirement and the defense feature is marked as local upgrade; in that case all key times are summed to obtain the marked time period BJ, the marked thresholds BJmin and BJmax are obtained by the formulas BJmin = t1 × BJ and BJmax = t2 × BJ, where t1 and t2 are proportional coefficients with 0.85 ≤ t1 ≤ 0.95 and 1.05 ≤ t2 ≤ 1.15, the marked thresholds BJmin and BJmax form the marked range, the marked range is sent to the security defense platform, and the security defense platform forwards it to the administrator's mobile terminal. The defense feature of the monitoring period is sent to the security defense platform, which forwards it to the feature analysis module. Periodic management analysis is thus performed on the defense failure data of the monitoring period: the key data of the monitoring period are analyzed and calculated to obtain the key coefficient and the re-bias coefficient, the defense feature of the monitoring period is marked according to them, and the network security defense state is monitored periodically through the defense feature marking result.
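The following Python is an added worked example, not code from the patent, of the defense analysis module and the period management module described in Example 1 above (the same procedure is given in the preferred embodiments of the summary). It uses the coefficient values α1 = 3.47 and α2 = 2.15 reported in the description; the defense threshold FYmax, the key threshold, the re-bias threshold, the choice t1 = 0.90 and t2 = 1.10, the field names of a defense failure record and the three constructed defense failure packets are assumptions made for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import pvariance
from typing import Optional

# alpha1 > alpha2 > 1; the description reports the fitted values 3.47 and 2.15.
ALPHA1, ALPHA2 = 3.47, 2.15
# In the patent the thresholds come from the storage module; these values are assumptions.
FY_MAX = 2.0            # defense threshold FYmax
KEY_THRESHOLD = 0.5     # key threshold (share of key objects in the packet)
REBIAS_THRESHOLD = 4.0  # re-bias threshold (variance of key times, hours squared)
T1, T2 = 0.90, 1.10     # marked-range coefficients, inside the page's 0.85..0.95 and 1.05..1.15


@dataclass(frozen=True)
class DefenseFailure:
    """One record of the defense failure data packet; each record is a monitoring object."""
    vuln_type: str      # firewall_mismatch | server_misconfig | patch_not_updated | weak_password | info_leak
    node: str           # attacked network node
    path: str           # attacked path
    attack_time: float  # network attack time, in hours on the same clock as the period start


@dataclass
class PeriodReport:
    feature: str                   # normal | integral_upgrade | local_upgrade
    key_coef: float                # key objects / monitoring objects
    rebias_coef: float             # variance of the key set
    marked_range: Optional[tuple]  # (BJmin, BJmax) for local_upgrade, else None
    objects: list                  # (failure, LB, GB, FY, label) per monitoring object


def score_objects(packet):
    """Defense analysis module: LB, GB and FY = alpha1*LB + alpha2*GB for every object."""
    n = len(packet)
    vuln_counts = Counter(f.vuln_type for f in packet)      # vulnerability-type count
    sig_counts = Counter((f.node, f.path) for f in packet)  # attack-characteristic count
    scored = []
    for f in packet:
        lb = vuln_counts[f.vuln_type] / n                   # vulnerability-type data LB
        gb = sig_counts[(f.node, f.path)] / n               # attack-characteristic data GB
        fy = ALPHA1 * lb + ALPHA2 * gb                      # defense coefficient FY
        scored.append((f, lb, gb, fy, "key" if fy >= FY_MAX else "common"))
    return scored


def analyse_period(packet, period_start):
    """Period management module: key coefficient, re-bias coefficient and defense feature."""
    if not packet:
        return PeriodReport("normal", 0.0, 0.0, None, [])
    scored = score_objects(packet)
    # Key time = attack time - period start, for key objects only.
    key_times = [f.attack_time - period_start for f, *_, label in scored if label == "key"]
    key_coef = len(key_times) / len(packet)
    rebias = pvariance(key_times) if len(key_times) > 1 else 0.0
    if key_coef < KEY_THRESHOLD:
        return PeriodReport("normal", key_coef, rebias, None, scored)
    if rebias >= REBIAS_THRESHOLD:
        # Key objects spread across the whole period: the defense needs an integral upgrade.
        return PeriodReport("integral_upgrade", key_coef, rebias, None, scored)
    # Key objects clustered in time: local upgrade; BJ and its marked range go to the administrator.
    bj = sum(key_times)
    return PeriodReport("local_upgrade", key_coef, rebias, (T1 * bj, T2 * bj), scored)


# Constructed defense failure packets (not real data); attack_time is hours after period start 0.0.
PACKET_LOCAL = [
    DefenseFailure("weak_password", "db01", "/login", 2.0),
    DefenseFailure("weak_password", "db01", "/login", 2.5),
    DefenseFailure("weak_password", "db01", "/login", 3.0),
    DefenseFailure("firewall_mismatch", "web01", "/api", 10.0),
    DefenseFailure("server_misconfig", "web02", "/admin", 15.0),
    DefenseFailure("info_leak", "web01", "/api", 20.0),
]
PACKET_NORMAL = [
    DefenseFailure("weak_password", "db01", "/login", 1.0),
    DefenseFailure("firewall_mismatch", "web01", "/api", 5.0),
    DefenseFailure("server_misconfig", "web02", "/admin", 9.0),
    DefenseFailure("info_leak", "web03", "/export", 13.0),
]
PACKET_INTEGRAL = [
    DefenseFailure("weak_password", "db01", "/login", 1.0),
    DefenseFailure("weak_password", "db01", "/login", 2.0),
    DefenseFailure("firewall_mismatch", "web01", "/api", 30.0),
    DefenseFailure("firewall_mismatch", "web01", "/api", 40.0),
]

if __name__ == "__main__":
    for name, packet in [("local", PACKET_LOCAL), ("normal", PACKET_NORMAL), ("integral", PACKET_INTEGRAL)]:
        r = analyse_period(packet, period_start=0.0)
        print(name, r.feature, round(r.key_coef, 3), round(r.rebias_coef, 3), r.marked_range)
```

Population variance is used for the re-bias coefficient because the key set is the complete set of key objects in the period, not a sample; a period with fewer than two key objects has no spread and gets a re-bias coefficient of zero. Since LB and GB are both fractions of the same packet, a very small packet (two or three failures) makes every object score high, so FYmax has to be chosen with the typical packet size in mind.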
The feature analysis module monitors and analyzes the defense feature of the monitoring period. Frequency analysis starts when the feature analysis module first receives a defense feature of integral upgrade or local upgrade: an upgrade value with initial value zero is set and incremented by one at the start of the frequency analysis, and the defense feature of the next monitoring period received by the feature analysis module is examined: if it is normal, the frequency analysis ends, and a new frequency analysis starts the next time the module receives a defense feature of integral upgrade or local upgrade; if it is integral upgrade or local upgrade, the upgrade value is incremented by one, and whenever the upgrade value is not smaller than a preset upgrade threshold a defense early-warning signal is generated and sent to the security defense platform, which forwards it to the administrator's mobile terminal; this continues until the next received defense feature of a monitoring period is normal, at which point the frequency analysis ends. The upgrade value is reset to zero when the frequency analysis ends. The defense feature of the monitoring period is thus monitored and analyzed; the frequency analysis result monitors the network security defense state over successive monitoring periods and feeds back the effect of the network defense upgrades, so that the upgrade scheme is continuously optimized and the security of subsequent network operation is improved.
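The frequency analysis of the feature analysis module, as an added Python example that is not the patent's own code; it covers the procedure stated in the preferred embodiments above and repeated here in Example 1. The preset upgrade threshold and the constructed sequence of per-period defense features are assumptions.

```python
# Preset upgrade threshold; the patent reads it from configuration, the value here is assumed.
UPGRADE_THRESHOLD = 3

NORMAL = "normal"
UPGRADE_FEATURES = {"integral_upgrade", "local_upgrade"}


class FeatureAnalysisModule:
    """Runs the frequency analysis over the defense features of successive monitoring periods."""

    def __init__(self, upgrade_threshold=UPGRADE_THRESHOLD):
        self.upgrade_threshold = upgrade_threshold
        self.upgrade_value = 0     # reset to zero whenever a frequency analysis ends
        self.in_analysis = False
        self.sent_signals = []     # periods for which an early-warning signal went to the administrator

    def receive(self, period_index, feature):
        """Process one period's defense feature; return True if an early-warning signal is sent."""
        if feature == NORMAL:
            if self.in_analysis:
                # The upgrade has taken effect: end the frequency analysis and reset the counter.
                self.in_analysis = False
                self.upgrade_value = 0
            return False
        if feature not in UPGRADE_FEATURES:
            raise ValueError(f"unknown defense feature: {feature!r}")
        if not self.in_analysis:
            # First integral/local upgrade: start frequency analysis, counter goes 0 -> 1.
            self.in_analysis = True
            self.upgrade_value = 1
        else:
            self.upgrade_value += 1
        if self.upgrade_value >= self.upgrade_threshold:
            # Still not normal after `upgrade_threshold` consecutive periods: escalate.
            self.sent_signals.append(period_index)
            return True
        return False


def run_frequency_analysis(features, upgrade_threshold=UPGRADE_THRESHOLD):
    """Feed per-period features through the module; return the 1-based periods that raised a signal."""
    module = FeatureAnalysisModule(upgrade_threshold)
    for i, feature in enumerate(features, start=1):
        module.receive(i, feature)
    return module.sent_signals


# Constructed sequence of per-period defense features (not real data).
SAMPLE_FEATURES = [
    "local_upgrade", "integral_upgrade", "local_upgrade", "local_upgrade",  # periods 1-4
    "normal",                                                               # period 5 resets
    "local_upgrade", "normal",                                              # periods 6-7
    "integral_upgrade", "integral_upgrade", "integral_upgrade",             # periods 8-10
]

if __name__ == "__main__":
    print(run_frequency_analysis(SAMPLE_FEATURES))  # → [3, 4, 10]
```

A single normal period ends the frequency analysis and resets the upgrade value, so a network that alternates between an upgrade feature and normal never reaches the threshold, however long that pattern persists; if that matters operationally, the threshold or the reset rule has to be chosen with it in mind.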
Example 2
As shown in FIG. 2, the large-scale network security defense method based on a knowledge graph comprises the following steps:
Step one: monitor and analyze the network security defense data: generate a monitoring period, acquire the defense failure data packet of the security defense platform for the monitoring period, perform numerical calculation on the defense failure data packet to obtain the defense coefficient FY of each monitoring object, and mark the monitoring object as a common object or a key object by the value of FY;
Step two: perform periodic management analysis on the defense failure data of the monitoring period: acquire the number of key objects in the monitoring period and mark it as the key data, obtain the key coefficient and re-bias coefficient of the monitoring period from the key data, and mark the defense feature of the monitoring period by the key coefficient and the re-bias coefficient;
Step three: monitor and analyze the defense feature of the monitoring period: when the upgrade value of the frequency analysis is not smaller than the preset upgrade threshold, send a defense early-warning signal to the administrator's mobile terminal.
During operation, the large-scale network security defense system based on the knowledge graph generates a monitoring period, acquires the defense failure data packet of the security defense platform for the monitoring period, performs numerical calculation on the defense failure data packet to obtain the defense coefficient FY of each monitoring object, and marks the monitoring object as a common object or a key object by the value of FY; it acquires the number of key objects in the monitoring period and marks it as the key data, obtains the key coefficient and re-bias coefficient of the monitoring period from the key data, and marks the defense feature of the monitoring period by the key coefficient and the re-bias coefficient; and when the upgrade value of the frequency analysis is not smaller than the preset upgrade threshold, it sends a defense early-warning signal to the administrator's mobile terminal.
The foregoing is merely illustrative of the structure of this invention; those skilled in the art can make various modifications, additions and substitutions to the described embodiments without departing from the scope of the invention as defined in the accompanying claims.
The formulas were obtained by collecting a large amount of data for software simulation and selecting the formula closest to the true values; the coefficients in the formulas are set by a person skilled in the art according to actual conditions. For example, for the formula FY = α1 × LB + α2 × GB: a person skilled in the art collects several groups of sample data and sets a corresponding defense coefficient for each group; the set defense coefficient and the collected sample data are substituted into the formula, any two of the resulting equations form a system of two linear equations in the two unknowns α1 and α2, and the calculated coefficients are screened and averaged, giving the values α1 = 3.47 and α2 = 2.15.
The size of a coefficient is a specific numerical value obtained by quantizing each parameter so that the subsequent comparisons are convenient; it depends on the number of sample data and on the defense coefficient preliminarily set for each group of sample data by a person skilled in the art, and other values may be used as long as the proportional relation between a parameter and its quantized value is preserved, for example that the defense coefficient is directly proportional to the vulnerability-type data LB.
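As an added Python example (not the patent's own code) of the coefficient fitting described above: sample groups (LB, GB) with an expert-assigned FY are paired, each pair is solved as a system of two linear equations in α1 and α2, the solutions are screened and the remainder averaged. The samples are constructed from the reported values 3.47 and 2.15 plus one deliberately inconsistent rating; the screening rule (reject collinear pairs, and reject solutions that violate the constraint α1 > α2 > 1 stated in Example 1) is an assumption about what "screening" means in the description.

```python
from itertools import combinations
from statistics import mean


def solve_pair(s1, s2, min_det=1e-6):
    """Solve alpha1*LB + alpha2*GB = FY for two samples (a 2x2 linear system) by Cramer's rule.

    Returns None when the two samples are (nearly) collinear: such a pair does not
    determine the coefficients, and a tiny determinant would only amplify rating error.
    """
    (lb1, gb1, fy1), (lb2, gb2, fy2) = s1, s2
    det = lb1 * gb2 - lb2 * gb1
    if abs(det) < min_det:
        return None
    alpha1 = (fy1 * gb2 - fy2 * gb1) / det
    alpha2 = (lb1 * fy2 - lb2 * fy1) / det
    return alpha1, alpha2


def fit_coefficients(samples):
    """Pairwise solve, screen, average; returns (alpha1, alpha2, pairs_kept, pairs_rejected).

    Screening (an assumed rule) keeps only solvable pairs whose solution satisfies
    alpha1 > alpha2 > 1, the constraint the description places on the coefficients.
    """
    kept, rejected = [], 0
    for s1, s2 in combinations(samples, 2):
        sol = solve_pair(s1, s2)
        if sol is None or not (sol[0] > sol[1] > 1):
            rejected += 1
            continue
        kept.append(sol)
    if not kept:
        raise ValueError("no admissible pair of samples")
    return mean(a for a, _ in kept), mean(b for _, b in kept), len(kept), rejected


# Constructed sample data (not from the patent): (LB, GB, expert-assigned FY).
TRUE_ALPHA1, TRUE_ALPHA2 = 3.47, 2.15   # the values the description reports


def _rated(lb, gb):
    """A consistent expert rating, generated from the reported coefficients."""
    return lb, gb, TRUE_ALPHA1 * lb + TRUE_ALPHA2 * gb


SAMPLES = [
    _rated(0.5, 0.3),
    _rated(0.1, 0.6),
    _rated(0.2, 0.1),
    _rated(0.4, 0.2),   # collinear with (0.2, 0.1): that pair is skipped as unsolvable
    (0.3, 0.3, 0.9),    # inconsistent rating: every pair containing it fails alpha1 > alpha2 > 1
]

if __name__ == "__main__":
    a1, a2, used, dropped = fit_coefficients(SAMPLES)
    print(f"alpha1={a1:.2f} alpha2={a2:.2f} pairs used={used} rejected={dropped}")
```

Pairwise solving is sensitive to nearly collinear samples: a small determinant amplifies any error in the expert-assigned FY, so the screening step is not optional. With more than a handful of samples, a least-squares fit over all of them at once is the more robust choice.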
In the description of the present specification, the descriptions of the terms "one embodiment," "example," "specific example," and the like, mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The preferred embodiments of the invention disclosed above are intended only to assist in the explanation of the invention. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. The invention is limited only by the claims and the full scope and equivalents thereof.

Claims (7)

1. The large-scale network security defense system based on the knowledge graph is characterized by comprising a security defense platform, wherein the security defense platform is in communication connection with a defense analysis module, a period management module, a feature analysis module and a storage module;
the defense analysis module is used for monitoring and analyzing network security defense data: generating a monitoring period, and acquiring the defense failure data packet of the security defense platform in the monitoring period; marking each item of defense failure data as a monitoring object, and acquiring missing table data LB and attack table data GB of the monitoring object; obtaining the defense coefficient FY of the monitoring object by numerical calculation on the missing table data LB and the attack table data GB; and marking the monitoring object as a common object or a key object according to the value of the defense coefficient FY;
the period management module is used for periodic management analysis of the defense failure data in the monitoring period: acquiring the number of key objects in the monitoring period and marking it as key data, marking the ratio of the key data to the number of monitoring objects in the defense failure data packet as a key coefficient, marking the difference between the network attack time of each key object and the starting time of the monitoring period as that object's key time, establishing a key set of the key times of all key objects, performing a variance calculation on the key set to obtain a re-bias coefficient, and marking the defense feature of the monitoring period according to the values of the key coefficient and the re-bias coefficient;
the characteristic analysis module is used for monitoring and analyzing the defensive characteristics of the monitoring period.
2. The large-scale network security defense system based on the knowledge graph according to claim 1, wherein the defense failure data packet includes vulnerability data and attack data; the vulnerability data includes the vulnerability type at each defense failure, the vulnerability types including firewall misconfiguration, server misconfiguration, software patch update, weak password and information disclosure; the attack data includes the attack characteristics at each defense failure, the attack characteristics including the attacked network node and the attacked path.
3. The large-scale network security defense system based on the knowledge graph according to claim 2, wherein the process of obtaining the missing table data LB comprises: obtaining the vulnerability type of each monitoring object, marking the number of occurrences of the same vulnerability type in the defense failure data packet as a vulnerability-type value, and marking the ratio of the vulnerability-type value to the total number of monitoring objects in the defense failure data packet as the missing table data LB; and the process of obtaining the attack table data GB comprises: obtaining the attack characteristics of each monitoring object, marking the number of occurrences of the same attack characteristics in the defense failure data packet as an attack-characteristic value, and marking the ratio of the attack-characteristic value to the total number of monitoring objects in the defense failure data packet as the attack table data GB.
4. The large-scale network security defense system based on the knowledge graph according to claim 3, wherein the specific process of marking the monitoring object as a common object or a key object comprises: the defense threshold FYmax is obtained through the storage module, and the defense coefficient FY of the monitoring object is compared with the defense threshold FYmax: if the defense coefficient FY is smaller than the defense threshold FYmax, the corresponding monitoring object is marked as a common object; and if the defense coefficient FY is greater than or equal to the defense threshold FYmax, the corresponding monitoring object is marked as a key object.
5. The large-scale network security defense system based on the knowledge graph according to claim 4, wherein the specific process of marking the defense feature of the monitoring period comprises: the key threshold and the re-bias threshold are obtained through the storage module, and the key coefficient and the re-bias coefficient of the monitoring period are compared with the key threshold and the re-bias threshold respectively: if the key coefficient is smaller than the key threshold, it is judged that the network defense effect in the monitoring period meets the requirement, and the defense feature of the monitoring period is marked as normal; if the key coefficient is greater than or equal to the key threshold and the re-bias coefficient is greater than or equal to the re-bias threshold, it is judged that the network defense effect in the monitoring period does not meet the requirement, and the defense feature of the monitoring period is marked as overall upgrade; if the key coefficient is greater than or equal to the key threshold and the re-bias coefficient is smaller than the re-bias threshold, it is judged that the network defense effect in the monitoring period does not meet the requirement, the defense feature of the monitoring period is marked as local upgrade, all key times are summed to obtain a marked time period BJ, marked thresholds BJmin and BJmax are obtained through the formulas BJmin=t1 and BJmax=t2, wherein t1 and t2 are both proportional coefficients, 0.85≤t1≤0.95 and 1.05≤t2≤1.15, the marked thresholds BJmin and BJmax form a marked range, the marked range is sent to the security defense platform, and the security defense platform forwards the marked range to the mobile phone terminal of the manager after receiving it; and the defense feature of the monitoring period is sent to the security defense platform, and the security defense platform sends the received defense feature of the monitoring period to the feature analysis module.
6. The large-scale network security defense system based on the knowledge graph according to claim 5, wherein the specific process by which the feature analysis module monitors and analyzes the defense feature of the monitoring period comprises: frequency analysis is performed when the feature analysis module receives the defense feature of overall upgrade or local upgrade for the first time: an upgrade value with an initial value of zero is set, one is added to the upgrade value at the start of the frequency analysis, and the defense feature of the monitoring period received next by the feature analysis module is obtained: if it is normal, the frequency analysis ends, and frequency analysis is performed again the next time the feature analysis module receives the defense feature of overall upgrade or local upgrade; if it is overall upgrade or local upgrade, one is added to the upgrade value, a defense early warning signal is generated when the upgrade value is not smaller than a preset upgrade threshold, the defense early warning signal is sent to the security defense platform, and the security defense platform sends the defense early warning signal to the mobile phone terminal of the manager after receiving it, until the defense feature of the monitoring period received next is normal, whereupon the frequency analysis ends; and the upgrade value is reset to zero at the end time of the frequency analysis.
7. The large-scale network security defense system based on the knowledge graph according to any one of claims 1 to 6, wherein the working method of the system comprises the following steps:
step one: monitoring and analyzing network security defense data: generating a monitoring period, acquiring a defense failure data packet of a security defense platform in the monitoring period, performing numerical calculation on the defense failure data packet to obtain a defense coefficient FY of a monitored object, and marking the monitored object as a common object or a key object through the numerical value of the defense coefficient FY;
step two: periodic management analysis of the defense failure data in the monitoring period: acquiring the number of key objects in the monitoring period and marking it as key data, obtaining the key coefficient and the re-bias coefficient of the monitoring period from the key data, and marking the defense feature of the monitoring period by the key coefficient and the re-bias coefficient;
step three: monitoring and analyzing the defense feature of the monitoring period: when the upgrade value of the frequency analysis is not smaller than the preset upgrade threshold, a defense early warning signal is sent to the mobile phone terminal of the manager.
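The scoring procedure of claims 1 to 7, written out as an added Python example (not the applicant's code) over a constructed defense-failure data packet. It computes LB, GB and FY for each monitoring object with the coefficients 3.47 and 2.15 from the description, marks key objects against FYmax, derives the key coefficient and the re-bias coefficient (the population variance of the key times), assigns the period's defense feature, and runs the claim 6 frequency analysis over a sequence of period features. `Failure`, `score_period`, `FrequencyAnalyzer`, every threshold, the sample records and the reading of t1 and t2 as multipliers of BJ are assumptions, not values from the patent.

```python
"""Added example: per-period scoring as the claims describe it, on constructed
data. Names, thresholds and sample values are assumptions, not the patent's."""
from collections import Counter
from dataclasses import dataclass
from statistics import pvariance

ALPHA1, ALPHA2 = 3.47, 2.15  # description: FY = alpha1*LB + alpha2*GB


@dataclass(frozen=True)
class Failure:
    """One defense failure (a monitoring object): vulnerability type, attack
    characteristics (attacked node and attacked path) and attack time in s."""
    vuln_type: str
    node: str
    path: str
    attack_time: float


# Constructed defense-failure data packet for one monitoring period (t=0 start).
PERIOD_START = 0.0
PACKET = [
    Failure("weak password", "db-01", "vpn->db-01", 120.0),
    Failure("weak password", "db-01", "vpn->db-01", 150.0),
    Failure("weak password", "app-02", "web->app-02", 600.0),
    Failure("firewall misconfiguration", "app-02", "web->app-02", 900.0),
    Failure("missing patch", "fs-03", "web->fs-03", 3000.0),
    Failure("information disclosure", "web-01", "internet->web-01", 3300.0),
]


def score_period(packet, period_start, fy_max, key_threshold, bias_threshold,
                 t1=0.9, t2=1.1):
    """Claims 1-5: LB, GB and FY per object, key marking, key coefficient,
    re-bias coefficient and the period's defense feature."""
    n = len(packet)
    vuln_counts = Counter(f.vuln_type for f in packet)
    attack_counts = Counter((f.node, f.path) for f in packet)
    objects = []
    for f in packet:
        lb = vuln_counts[f.vuln_type] / n         # missing table data LB
        gb = attack_counts[(f.node, f.path)] / n  # attack table data GB
        fy = ALPHA1 * lb + ALPHA2 * gb            # defense coefficient FY
        objects.append((f, fy, fy >= fy_max))     # key object iff FY >= FYmax
    key_objects = [f for f, _, is_key in objects if is_key]
    key_coeff = len(key_objects) / n              # key data / number of objects
    key_times = [f.attack_time - period_start for f in key_objects]
    # Variance of the key set; an empty key set has no spread at all.
    bias_coeff = pvariance(key_times) if key_times else 0.0
    result = {"objects": objects, "key_coefficient": key_coeff,
              "bias_coefficient": bias_coeff}
    if key_coeff < key_threshold:
        result["feature"] = "normal"
    elif bias_coeff >= bias_threshold:
        result["feature"] = "overall upgrade"
    else:
        result["feature"] = "local upgrade"
        bj = sum(key_times)                       # marked time period BJ
        # Assumption: the claim's proportional coefficients t1, t2 scale BJ.
        result["marked_range"] = (t1 * bj, t2 * bj)
    return result


class FrequencyAnalyzer:
    """Claim 6: count consecutive upgraded periods and flag an early warning
    once the count reaches the upgrade threshold; a normal period ends the
    analysis and resets the counter."""

    def __init__(self, upgrade_threshold):
        self.threshold = upgrade_threshold
        self.upgrade_value = 0
        self.active = False

    def feed(self, feature):
        """Consume one period's defense feature; return True when a defense
        early-warning signal would be sent to the manager."""
        if feature == "normal":
            if self.active:               # end of the frequency analysis
                self.active = False
                self.upgrade_value = 0    # reset at the end time
            return False
        self.active = True                # overall or local upgrade
        self.upgrade_value += 1
        return self.upgrade_value >= self.threshold


if __name__ == "__main__":
    r = score_period(PACKET, PERIOD_START, fy_max=2.0,
                     key_threshold=0.3, bias_threshold=1e5)
    for f, fy, is_key in r["objects"]:
        print(f"{f.vuln_type:<26} FY={fy:.3f} {'KEY' if is_key else 'common'}")
    print("feature:", r["feature"], "range:", r.get("marked_range"))
    fa = FrequencyAnalyzer(upgrade_threshold=3)
    print([fa.feed(x) for x in ["local upgrade", "overall upgrade",
                                "local upgrade", "normal"]])
```

With the constructed packet the three "weak password" failures share a vulnerability type (LB = 0.5) and two of them share attack characteristics, so they cross FYmax and become key objects; half of the packet is key, the key times 120, 150 and 600 s have a variance of 48200, and the period is marked local upgrade with BJ = 870 s. Note that the re-bias coefficient is a variance in squared seconds, so the re-bias threshold in the storage module must be expressed in the same unit and rescaled whenever the monitoring period length changes.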
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310381691.3A CN116389130A (en) 2023-04-11 2023-04-11 Large-scale network security defense system based on knowledge graph

Publications (1)

Publication Number Publication Date
CN116389130A true CN116389130A (en) 2023-07-04

Family

ID=86980412


Country Status (1)

Country Link
CN (1) CN116389130A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116760716A (en) * 2023-08-18 2023-09-15 南京天谷电气科技有限公司 Intelligent network topology management system and method for new energy station
CN116760716B (en) * 2023-08-18 2023-11-03 南京天谷电气科技有限公司 Intelligent network topology management system and method for new energy station
CN117061170A (en) * 2023-08-14 2023-11-14 长沙诺邦机电设备有限公司 Intelligent manufacturing industry big data analysis method based on feature selection
CN117061170B (en) * 2023-08-14 2024-04-30 长沙诺邦机电设备有限公司 Intelligent manufacturing industry big data analysis method based on feature selection
CN117745220A (en) * 2023-12-20 2024-03-22 广州阳光耐特电子有限公司 Electronic file management system and method
CN117745220B (en) * 2023-12-20 2024-06-11 广州阳光耐特电子有限公司 Electronic file management system and method


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination