CN116886342A - Network environment evaluation and anomaly tracing method and device, electronic equipment and medium - Google Patents


Info

Publication number
CN116886342A
Authority
CN
China
Prior art keywords
network
tracing
network device
network environment
anomaly
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310756450.2A
Other languages
Chinese (zh)
Inventor
沈童
尹立超
戴曦
杨振宇
任宝利
彭锟
乐绪鑫
李小坤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Three Gorges Zhikong Technology Co ltd
Original Assignee
Three Gorges Zhikong Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Three Gorges Zhikong Technology Co ltd
Priority to CN202310756450.2A
Publication of CN116886342A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information to the source of the received data
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network environment evaluation and anomaly tracing method, a device, electronic equipment and a medium, and relates to the technical field of network security. The method comprises the following steps: applying a feature dimension constraint (dimension reduction) to the original data of each network device to obtain the indexes of each network device; evaluating the network environment of each network device according to its indexes to obtain a network environment score for each device, the score indicating a network security level; and detecting and tracing anomalies of each network device according to its indexes and network environment score to obtain an anomaly tracing result for each device, the result indicating an attack source in the network. The method addresses the low accuracy of network environment evaluation and anomaly tracing in the related art.

Description

Network environment evaluation and anomaly tracing method and device, electronic equipment and medium
Technical Field
The application relates to the technical field of network security, in particular to a network environment evaluation and anomaly tracing method, a device, electronic equipment and a medium.
Background
Network security event prediction applies scientific theory, methods and existing experience to the major security events found in a network system in order to judge and predict their development trend and the harm they cause; it is an important stage of network security situation awareness and one of its main purposes. It requires analysing potential and probable attack paths and predicting them from the vulnerability profile of one's own networks and systems. Under the current complex network security situation, the sudden peaks produced by network security data may mark important changes in the network situation and are the key points of concern, but traditional time-series prediction models have difficulty predicting such sudden peaks accurately, so the accuracy of network environment evaluation and anomaly tracing is low.
From the above, the problem of low accuracy of evaluating the network environment and tracing the anomaly exists in the prior art.
Disclosure of Invention
The application provides a network environment evaluation and anomaly tracing method, a device, electronic equipment and a medium, which can solve the problem of low network environment evaluation and anomaly tracing accuracy in the related art. The technical scheme is as follows:
According to one aspect of the application, a network environment evaluation and anomaly tracing method comprises the following steps: applying a feature dimension constraint to the original data of each network device to obtain the indexes of each network device; evaluating the network environment of each network device according to its indexes to obtain the network environment score of each device, the score indicating a network security level; and detecting and tracing anomalies of each network device according to its indexes and network environment score to obtain the anomaly tracing result of each device, the result indicating an attack source in the network.
According to one aspect of the application, a network environment evaluation and anomaly tracing device includes: a feature dimension constraint module, configured to apply a feature dimension constraint to the original data of each network device to obtain the indexes of each network device; a network environment evaluation module, configured to evaluate the network environment of each network device according to its indexes to obtain the network environment score of each device, the score indicating a network security level; and an anomaly tracing module, configured to detect and trace anomalies of each network device according to its indexes and network environment score to obtain the anomaly tracing result of each device, the result indicating an attack source in the network.
In an exemplary embodiment, the feature dimension constraint module includes a principal component analysis unit, configured to process the original data with a principal component analysis algorithm to obtain the indexes of each network device.
In an exemplary embodiment, the principal component analysis unit includes: a covariance matrix calculation subunit, configured to calculate a covariance matrix of the original data, where each row of the covariance matrix corresponds to the original data of one network device and each column corresponds to a dimension of the raw data; a diagonal matrix calculation subunit, configured to calculate a diagonal matrix from the covariance matrix; and a marking subunit, configured to mark the index of each network device according to the index association relation in the diagonal matrix, obtaining the index of each network device.
In an exemplary embodiment, the diagonal matrix calculation subunit includes an orthogonal matrix construction subunit, configured to construct an orthogonal matrix and calculate the diagonal matrix from the orthogonal matrix and the covariance matrix, so that the elements on the diagonal of the diagonal matrix are arranged in descending order.
In an exemplary embodiment, the indexes include the optical attenuation value, the network delay and the host lifetime; the network environment evaluation module comprises: a weight determining unit, configured to determine the weights corresponding to the optical attenuation value, the network delay and the host lifetime respectively; and a network environment scoring unit, configured to obtain the network environment score from the scores indicated by the optical attenuation value, the network delay and the host lifetime and their respective weights.
In an exemplary embodiment, the anomaly tracing module includes: a network traffic condition determining unit, configured to determine from the optical attenuation value whether the optical fibre is physically damaged and/or what the network traffic condition is; a network anomaly detection unit, configured to detect whether the network device has a network anomaly according to the determined physical damage of the optical fibre and/or the network traffic condition; and an anomaly tracing unit, configured to trace the anomaly based on the IP of the network device if a network anomaly is detected.
In an exemplary embodiment, the anomaly tracing unit includes: an IP locating subunit, configured to locate the IP of the network device according to the optical attenuation value corresponding to the network device with the network anomaly; a vulnerability query subunit, configured to query the vulnerabilities of the network device using its IP as the query condition; and an abnormal dimension feature acquisition subunit, configured to search for attacks associated with the queried vulnerabilities and to acquire the abnormal dimension features related to the found attacks as the anomaly tracing result.
According to one aspect of the application, an electronic device comprises at least one processor and at least one memory, wherein the memory has computer readable instructions stored thereon; the computer readable instructions are executed by one or more of the processors to cause an electronic device to implement the network environment evaluation and anomaly tracing method as described above.
According to one aspect of the application, a storage medium has stored thereon computer readable instructions that are executed by one or more processors to implement the network environment evaluation and anomaly tracing method as described above.
According to one aspect of the application, a computer program product includes computer readable instructions stored in a storage medium, one or more processors of an electronic device reading the computer readable instructions from the storage medium, loading and executing the computer readable instructions, causing the electronic device to implement the network environment evaluation and anomaly tracing method as described above.
The technical scheme provided by the application has the beneficial effects that:
In this technical scheme, a feature dimension constraint is applied to the original data of the network devices to obtain their indexes; the network environment of each device is evaluated from those indexes to obtain its network environment score; and anomaly detection and tracing are then performed from the indexes and the scores. The scheme evaluates the network environment from indexes such as network delay, optical attenuation value and host lifetime, each given its own weight, to obtain the network environment score. Considering network delay avoids false alarms caused by network jitter; the optical attenuation value is used to judge whether the optical fibre is physically damaged, so the hardware layer also becomes a factor in the evaluation. The network environment and its quality can thus be evaluated from all sides and the network security level of each device obtained accurately. Network intrusions are then detected and traced on the basis of the obtained network environment score, so that the fault source can be located quickly and network faults and security problems resolved in time.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings that are required to be used in the description of the embodiments of the present application will be briefly described below. It is evident that the drawings in the following description are only some embodiments of the application and that other drawings may be obtained from these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic illustration of an implementation environment in accordance with the present application;
FIG. 2 is a flowchart illustrating a network environment evaluation and anomaly tracing method according to an example embodiment;
FIG. 3 is a flow chart of step 200 in one embodiment of the corresponding embodiment of FIG. 2;
FIG. 4 is a flow chart of step 220 in one embodiment of the corresponding embodiment of FIG. 2;
FIG. 5 is a flow chart of step 240 in one embodiment of the corresponding embodiment of FIG. 2;
FIG. 6 is a flow chart of step 300 in one embodiment of the corresponding embodiment of FIG. 3;
FIG. 7 is a flow chart of step 620 in one embodiment in the corresponding embodiment of FIG. 6;
FIG. 8 is a flow chart of step 540 in one embodiment of the corresponding embodiment of FIG. 5;
FIG. 9 is a block diagram illustrating a network environment evaluation and anomaly tracing device, according to an example embodiment;
FIG. 10 is a hardware block diagram of a server shown in accordance with an exemplary embodiment;
fig. 11 is a hardware configuration diagram of a terminal according to an exemplary embodiment;
fig. 12 is a block diagram illustrating a configuration of an electronic device according to an exemplary embodiment.
Detailed Description
Embodiments of the present application are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the application.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless expressly stated otherwise, as understood by those skilled in the art. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
As described above, in the prior art, there is a problem that the accuracy of evaluating the network environment and tracing anomalies is low.
Network security data requires a series of pre-processing steps before analysis. Through data cleaning and data integration, security data acquired from multiple channels can be delivered to analysts in a unified format, but such data has too many related attributes: cleaning and integration only solve problems such as data errors and redundancy, not the large data volume and the large number of attributes, so the data must be compressed by data reduction to further improve the analysts' efficiency.
Data reduction is a feasible method: by simplifying the data, the amount to be processed is greatly reduced, so analysts can focus on the more important data. Common data reduction methods include sample reduction, feature reduction and dimension reduction. At present the principle and computation process of data reduction are deficient, which affects the accuracy of network environment evaluation and anomaly tracing.
In addition, current schemes consider only a single factor when evaluating the network environment, so the evaluation error is large and the accuracy of network environment evaluation and anomaly tracing is correspondingly low.
From the above, the related art still has the defect of low accuracy of evaluating the network environment and tracing the anomaly.
Therefore, the network environment evaluation and anomaly tracing method provided by the application can effectively improve the accuracy of network environment evaluation and anomaly tracing. It is correspondingly applicable to a network environment evaluation and anomaly tracing device that can be deployed in electronic equipment, where the electronic equipment may be computer equipment with a von Neumann architecture, for example a desktop computer, a notebook computer or a server, or a portable mobile electronic device such as a smart phone or a tablet computer.
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an implementation environment related to a network environment evaluation and anomaly tracing method. The implementation environment includes a device 110, a device 130, and a device 150.
Device 110, device 130 and device 150 together form a particular network environment, which may be an enterprise network, a cloud environment, the internet, or a government or national-level network.
The device 110 may be an electronic device such as a desktop computer, a notebook computer, a tablet computer, a smart phone, etc., without limitation.
Device 130 and device 150 may be independent physical servers, a server cluster or distributed system formed by several physical servers, or cloud servers providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and big data and artificial intelligence platforms.
In the implementation environment shown in fig. 1, any network device (device 110, 130 or 150) may become a target of attack. In a specific application, a feature dimension constraint is applied to the original data of each network device to obtain its indexes; the network environment of each device is evaluated from its indexes to obtain its network environment score; and anomalies of each device are detected and traced from the indexes and the score to obtain an anomaly tracing result for each device. Security threats and attacks in the network environment are then monitored, analysed and evaluated in real time from the network environment scores and the anomaly tracing results, so that corresponding security measures can be taken in time and the network devices protected.
Referring to fig. 2, an embodiment of the present application provides a method for evaluating a network environment and tracing anomalies, which is applicable to an electronic device, and the electronic device may be the device 110, the device 130, or the device 150 in the implementation environment shown in fig. 1.
In the following method embodiments, for convenience of description, the execution subject of each step of the method is described as an electronic device, but this configuration is not particularly limited.
As shown in fig. 2, the method may include the steps of:
Step 200: apply a feature dimension constraint to the original data of each network device to obtain the indexes of each network device.
Raw data here means network security data, i.e. security-related information collected, recorded and analysed in a network environment. Such data includes, but is not limited to, network traffic data, security event logs, vulnerability scanning results, security policy configuration data, malware samples and security threat intelligence. For example, the original data may be data related to optical transmission.
The feature dimension constraint selects the most relevant or representative features so as to extract the information useful for the problem; by choosing suitable feature dimensions the data can be described and interpreted better. For example, it can extract the important features related to the optical attenuation value and the network delay so that the data can be understood, analysed and used for prediction.
A feature dimension constraint is applied to the raw data, and several indexes (such as the optical attenuation value and the network delay) are obtained from it; the indexes are not particularly limited here.
As shown in fig. 3, step 200 may include the steps of:
Step 300: process the original data with a principal component analysis algorithm to obtain the indexes of each network device.
Principal component analysis finds the k-dimensional subspace that best represents the data among the p orthogonal directions of the p-dimensional attribute space and projects the original data into that k-dimensional attribute space. It uses an orthogonal transformation to convert observations described by linearly correlated variables into a small number of linearly uncorrelated variables, called principal components. In this way a few uncorrelated variables can be extracted from many correlated ones, simplifying subsequent analysis and calculation and improving efficiency.
In one possible implementation, the principal component analysis includes the following steps:
1. Normalize the data: standardize the raw data so that each feature has the same scale, for example by subtracting the mean and dividing by the standard deviation.
2. Calculate the covariance matrix of the normalized raw data. The covariance matrix describes the relationships between the different features.
3. Calculate eigenvalues and eigenvectors: perform an eigenvalue decomposition of the covariance matrix. The eigenvalues give the amount of variance explained, and the eigenvectors give the directions of the principal components onto which the data is projected.
4. Select principal components: choose the first k principal components (eigenvectors) by the magnitude of their eigenvalues, where k is the number of dimensions to keep. The leading components with the larger eigenvalues are chosen because they carry more information.
5. Construct the projection matrix from the selected principal components; it is used to project the raw data into the low-dimensional space.
6. Transform the data: multiply the normalized original data by the projection matrix to obtain the dimension-reduced data. Each sample is then represented by the principal components instead of the original features.
Through this process the main features of the data are extracted and its dimensionality reduced. Principal component analysis helps in understanding the structure and relationships of the data, removes redundant information, and improves the processing efficiency and interpretability of the data.
Step 220: evaluate the network environment of each network device according to its indexes to obtain the network environment score of each network device.
The network environment score is used to indicate a network security level.
The indexes include the optical attenuation value, the network delay and the host lifetime. As shown in fig. 4, step 220 may include the following steps:
Step 400: determine the weights corresponding to the optical attenuation value, the network delay and the host lifetime respectively.
The optical attenuation value is the degree to which an optical signal is attenuated during transmission and reflects the transmission quality of the optical fibre. Network delay is the time needed for data to travel from source to destination and affects the responsiveness and real-time behaviour of the network. Host lifetime is the age of a network device or computer and relates to the stability and reliability of the device.
The weights can be adjusted to the actual situation; for example, the optical attenuation value can be taken as the core index and given a larger weight.
Step 420: obtain the network environment score from the scores indicated by the optical attenuation value, the network delay and the host lifetime and their respective weights.
The scores indicated by the optical attenuation value, the network delay and the host lifetime can be obtained by looking them up in a predefined scoring table.
Taking host lifetime as an example: in the first year after the production date, faults are frequent but gradually decrease, and the corresponding score may be set to 2 points; from the first to the second year the device is in a stable phase with few faults, and the score may be set to 3 points; from the second to the third year faults increase again, and the score may be set to 1 point. The higher the score, the better the network security.
For example, if network device 1 has a network delay of 50 ms (indicated score 2 points), an optical attenuation value between -30 dB and -20 dB (indicated score 2 points) and a host lifetime of 2 years (indicated score 3 points), and the weights of the optical attenuation value, the network delay and the host lifetime are all 1, the network environment score is 2 + 2 + 3 = 7 points.
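The scoring of steps 400 and 420, as an added worked example (editor's code, not the patent's implementation). The three score mappings the patent states are reproduced exactly: 50 ms delay gives 2 points, an attenuation between -30 dB and -20 dB gives 2 points, and host lifetime follows the three bands above. Every other band boundary, the behaviour beyond three years of host life, the IP addresses in the constructed fleet, and the alternative weight set that doubles the attenuation weight are assumptions.

```python
"""Weighted network-environment score (patent steps 400-420). Added example; the only
score bands taken from the patent are noted below, all others are assumptions."""


def attenuation_score(db):
    """Optical attenuation in dB (more negative = more loss).
    -30..-20 dB -> 2 points is the patent's example band; the other two bands are assumed."""
    if db > -20.0:
        return 3  # assumed: little loss, healthy fibre
    if db >= -30.0:
        return 2  # patent example band
    return 1      # assumed: heavy loss, damaged fibre or bad connector


def delay_score(ms):
    """Network delay in ms. 50 ms -> 2 points is from the patent; band edges are assumed."""
    if ms < 0:
        raise ValueError("negative delay")
    if ms <= 20.0:
        return 3
    if ms <= 100.0:
        return 2
    return 1


def host_life_score(years):
    """Years since production date, bands as stated in the patent:
    under 1 year -> 2 (early faults), 1 to 2 years -> 3 (stable), 2 to 3 years -> 1 (aging).
    The patent says nothing beyond 3 years; we assume 1 (end of life)."""
    if years < 0:
        raise ValueError("negative host age")
    if years < 1.0:
        return 2
    if years <= 2.0:
        return 3
    return 1


DEFAULT_WEIGHTS = {"attenuation": 1.0, "delay": 1.0, "host_life": 1.0}  # patent example
# Attenuation as the core index (patent suggests a larger weight; 2x is an assumption).
CORE_ATTENUATION_WEIGHTS = {"attenuation": 2.0, "delay": 1.0, "host_life": 1.0}


def network_environment_score(att_db, delay_ms, host_years, weights=DEFAULT_WEIGHTS):
    """Step 420: weighted sum of the three indicator scores. Higher = better security level.
    Returns (total, per-indicator scores) so the contribution of each index stays visible."""
    parts = {
        "attenuation": attenuation_score(att_db),
        "delay": delay_score(delay_ms),
        "host_life": host_life_score(host_years),
    }
    return sum(weights[k] * parts[k] for k in parts), parts


def max_score(weights=DEFAULT_WEIGHTS):
    """Best achievable score under a weight set (every indicator at 3 points)."""
    return 3.0 * sum(weights.values())


def score_fleet(devices, weights=DEFAULT_WEIGHTS):
    """Score every device and return them worst-first, the order in which step 240
    inspects them. 'normalized' puts different weight sets on a common 0..1 scale."""
    out = []
    for d in devices:
        total, parts = network_environment_score(
            d["attenuation_db"], d["delay_ms"], d["host_years"], weights)
        out.append({"ip": d["ip"], "score": total, "parts": parts,
                    "normalized": total / max_score(weights)})
    return sorted(out, key=lambda r: r["score"])


# Constructed fleet (not from the patent). The first entry reproduces the patent's
# worked example: 50 ms, -25 dB, 2 years, all weights 1 -> 7 points.
FLEET = [
    {"ip": "10.0.0.1", "attenuation_db": -25.0, "delay_ms": 50.0, "host_years": 2.0},
    {"ip": "10.0.0.2", "attenuation_db": -12.0, "delay_ms": 8.0, "host_years": 1.5},
    {"ip": "10.0.0.3", "attenuation_db": -38.0, "delay_ms": 140.0, "host_years": 2.8},
]

if __name__ == "__main__":
    for row in score_fleet(FLEET):
        print(row["ip"], row["score"], row["parts"], round(row["normalized"], 2))
```

Because the raw total changes meaning whenever the weights change (7 of 9 under equal weights, 9 of 12 with attenuation doubled), compare devices or thresholds on the normalized value, not on the raw sum.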
Step 240: detect and trace anomalies of each network device according to its indexes and network environment score to obtain the anomaly tracing result of each network device.
The anomaly tracing result is used to indicate the source of the attack in the network.
In one possible implementation, the indexes (network delay, optical attenuation value, host lifetime) corresponding to the network data are extracted, and network intrusion detection and tracing are performed on the devices in order of their scores from low to high.
As shown in fig. 5, step 240 may include the steps of:
Step 500: determine from the optical attenuation value whether the optical fibre is physically damaged and/or what the network traffic condition is.
Step 520: detect whether the network device has a network anomaly according to the determined physical damage of the optical fibre and/or the network traffic condition.
Step 540: if the network device is detected to have a network anomaly, trace the anomaly based on the IP of the network device.
Anomaly tracing means tracking and locating the source of anomalies or attacks in the network by analysing network traffic and logs. This includes tracking information such as the IP address of the attack source, the identity of the attacker, and the tools and techniques used in the attack.
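Steps 500 to 540 together with the IP locating, vulnerability query and abnormal dimension feature subunits described earlier, as an added example (editor's code, not the patent's implementation). It classifies each device's latest attenuation samples against that device's own baseline, requires the abnormal reading to persist over consecutive samples before alerting (the jitter guard the patent motivates), walks the devices from lowest to highest network environment score, and for each anomalous device follows IP, then vulnerabilities, then associated attacks, then the abnormal dimension features those attacks leave. The thresholds, the device inventory, the vulnerability identifiers (placeholders, not real advisories) and the attack and feature tables are all constructed for illustration.

```python
"""Attenuation-based anomaly detection and IP-based tracing (patent steps 500-540).
Added example. All thresholds and tables below are constructed, not from the patent."""
from collections import Counter

DAMAGE_DB = -30.0  # assumed: attenuation at or below this means fibre damage / bad splice
SHIFT_DB = 3.0     # assumed: a sudden shift of this size vs baseline flags a link/traffic change
PERSIST = 2        # assumed: consecutive abnormal samples required before alerting (jitter guard)

# Constructed inventory: device -> IP, baseline attenuation, latest samples, environment score.
DEVICES = {
    "sw-core-1": {"ip": "10.0.0.3", "baseline_db": -22.0,
                  "samples_db": [-22.5, -37.0, -38.0], "score": 3},
    "sw-edge-7": {"ip": "10.0.0.2", "baseline_db": -18.0,
                  "samples_db": [-18.2, -25.5, -18.4], "score": 9},
    "rtr-wan-2": {"ip": "10.0.0.1", "baseline_db": -24.0,
                  "samples_db": [-24.1, -24.3, -24.0], "score": 7},
}
# Constructed vulnerability inventory keyed by IP. Placeholder IDs, not real CVEs.
VULNS_BY_IP = {"10.0.0.3": ["VULN-A", "VULN-B"], "10.0.0.2": ["VULN-C"], "10.0.0.1": []}
# Constructed mapping: vulnerability -> (attack, abnormal dimension features it produces).
ATTACKS_BY_VULN = {
    "VULN-A": [("mgmt-plane brute force", ["auth_failures", "mgmt_session_count"])],
    "VULN-B": [("config exfiltration", ["outbound_bytes", "new_destination_ips"])],
    "VULN-C": [("control-plane flood", ["cpu_load", "packets_per_second"])],
}


def classify_attenuation(sample_db, baseline_db):
    """Step 500: below the damage threshold -> physical damage; a sudden shift from the
    device's baseline that stays above it -> link/traffic-condition change; else normal."""
    if sample_db <= DAMAGE_DB:
        return "physical_damage"
    if abs(sample_db - baseline_db) >= SHIFT_DB:
        return "traffic_change"
    return "normal"


def detect(samples_db, baseline_db):
    """Step 520: the device is anomalous only when the last PERSIST samples are all
    abnormal. A single bad read (jitter, one noisy sample) does not raise an alert.
    Returns the dominant anomaly kind, or None."""
    labels = [classify_attenuation(s, baseline_db) for s in samples_db]
    recent = labels[-PERSIST:]
    if len(recent) == PERSIST and all(label != "normal" for label in recent):
        return Counter(recent).most_common(1)[0][0]
    return None


def trace(ip):
    """Step 540 and the tracing subunits: IP -> vulnerabilities -> associated attacks
    -> abnormal dimension features, returned as the anomaly tracing result."""
    attacks, features = [], set()
    for vuln in VULNS_BY_IP.get(ip, []):
        for name, feats in ATTACKS_BY_VULN.get(vuln, []):
            attacks.append((vuln, name))
            features.update(feats)
    return {"ip": ip, "vulnerabilities": VULNS_BY_IP.get(ip, []),
            "attacks": attacks, "abnormal_features": sorted(features)}


def evaluate_and_trace(devices=DEVICES):
    """Step 240: walk devices from lowest to highest environment score and trace the
    anomalous ones. Returns one tracing result per anomalous device, worst score first."""
    results = []
    for name, d in sorted(devices.items(), key=lambda kv: kv[1]["score"]):
        kind = detect(d["samples_db"], d["baseline_db"])
        if kind is None:
            continue
        result = trace(d["ip"])
        result.update({"device": name, "anomaly": kind, "score": d["score"]})
        results.append(result)
    return results


if __name__ == "__main__":
    for r in evaluate_and_trace():
        print(r["device"], r["anomaly"], r["attacks"], r["abnormal_features"])
```

In the constructed inventory only sw-core-1 is reported: its last two samples sit below the damage threshold. sw-edge-7 has one sample that jumps 7.5 dB from baseline and then returns, so the persistence check suppresses it. One caveat for practitioners: attenuation is a physical-layer quantity, so a shift from baseline that does not cross the damage threshold usually indicates a change on the link (re-patching, a dirty connector, a transceiver swap) rather than traffic load as such; corroborate the "traffic_change" branch with delay or throughput counters before treating it as a security alert.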
Through the above steps, the indexes of each network device are obtained by applying a feature dimension constraint to its original data, the network environment of each device is evaluated from those indexes to obtain its network environment score, and anomaly detection and tracing are then carried out from the indexes and the scores. Evaluating the network environment from the network delay, the optical attenuation value and the host lifetime with separate weights avoids false alarms caused by network jitter, brings the hardware layer (whether the optical fibre is physically damaged, as judged from the attenuation value) into the evaluation, and so yields the network security level of each device from all sides and with accuracy. Network intrusions are then detected and traced on the basis of that score, the fault source is located quickly, and network faults and security problems can be resolved in time.
Referring to fig. 6, in an exemplary embodiment, step 300 may further include the steps of:
step 600, a covariance matrix of the raw data is calculated.
Each row of the covariance matrix corresponds to the original data of one network device; each column of the covariance matrix corresponds to a dimension in the raw data.
For example, a covariance matrix $\Sigma$ is calculated from the acquired network device raw data; assuming that each record contains the $p$-dimensional features $\{x_1, x_2, \ldots, x_p\}$, the calculated covariance matrix is a $p \times p$ matrix.
Step 620, a diagonal matrix is calculated from the covariance matrix.
In one possible implementation, as shown in fig. 7, step 620 may include the steps of:
In step 700, an orthogonal matrix is constructed, and a diagonal matrix is calculated based on the orthogonal matrix and the covariance matrix, so that the elements of the diagonal matrix on the diagonal are arranged in sequence from large to small.
For example, the orthogonal matrix $U$ is calculated such that $U^{T}\Sigma U$ is a diagonal matrix whose diagonal elements $\lambda_1, \lambda_2, \ldots, \lambda_p$ are arranged in sequence from large to small, i.e. $\lambda_1 \ge \lambda_2 \ge \cdots \ge \lambda_p$.
And step 640, marking the index of each network device according to the index association relation in the diagonal matrix to obtain the index of each network device.
The metrics may include network latency, light decay values, host lifetime, and the like.
Under this embodiment, a principal component analysis algorithm is constructed to realize the feature dimension constraint set of the original data, so that the original data are processed and converted reasonably and the growth of data distortion and error is reduced as far as possible. In the prior art, when data are actually collected and observed for principal component analysis, it is difficult to judge whether the collected or extracted data features are correlated, so several correlated features may be collected, the data processing effect is poor, and the accuracy of network environment evaluation and anomaly tracing suffers; the scheme of the application improves on the principle of current data reduction and on the defects that arise in the calculation process, so that the accuracy of network environment evaluation and anomaly tracing is not affected but improved.
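The following is an added worked example of steps 600, 620, 700 and 640 in Python; it is not code from the patent or its applicant. It computes the covariance matrix of constructed per-device raw data, builds an orthogonal $U$ with $U^{T}\Sigma U$ diagonal using Jacobi rotations (so it runs without numpy), sorts the eigenvalues from large to small, and labels each retained component by the raw dimension with the largest loading. The column names, the sample values, and the 99 % explained-variance cut-off used to decide how many indexes to keep are assumptions of this example; the patent states no threshold.

```python
"""Added example (not the patent's own code): the principal-component
feature-dimension constraint of steps 600, 620, 700 and 640, in pure Python
so that it runs without numpy."""
import math
from typing import List, Tuple

Matrix = List[List[float]]

# Constructed sample: one row per network device, one column per raw
# dimension. Names and values are assumptions for this example; the last
# column nearly duplicates the first to show that correlated raw features
# collapse into a single index.
FEATURE_NAMES = ["network_delay_ms", "light_attenuation_db", "host_age_years",
                 "delay_duplicate_ms"]
RAW_DATA: Matrix = [
    [12.0, -18.5, 0.5, 12.1],
    [35.0, -29.0, 1.5, 35.3],
    [8.0, -22.0, 2.5, 8.2],
    [60.0, -17.0, 1.0, 60.4],
    [22.0, -31.0, 3.0, 22.1],
    [45.0, -24.5, 0.8, 45.2],
]


def covariance_matrix(data: Matrix) -> Matrix:
    """Step 600: sample covariance matrix; row/column k is raw dimension k."""
    n, p = len(data), len(data[0])
    means = [sum(row[j] for row in data) / n for j in range(p)]
    return [[sum((row[i] - means[i]) * (row[j] - means[j]) for row in data) / (n - 1)
             for j in range(p)] for i in range(p)]


def jacobi_eigen(sym: Matrix, tol: float = 1e-12, max_sweeps: int = 100) -> Tuple[List[float], Matrix]:
    """Steps 620/700: find an orthogonal U with U^T Sigma U diagonal using
    cyclic Jacobi rotations (Sigma must be symmetric). Returns the diagonal
    entries and U, not yet sorted."""
    p = len(sym)
    a = [row[:] for row in sym]
    u = [[1.0 if i == j else 0.0 for j in range(p)] for i in range(p)]
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(p) for j in range(p) if i != j) < tol:
            break
        for i in range(p):
            for j in range(i + 1, p):
                if a[i][j] == 0.0:
                    continue
                theta = (a[j][j] - a[i][i]) / (2.0 * a[i][j])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(p):            # A <- A R   (rotate columns i, j)
                    aki, akj = a[k][i], a[k][j]
                    a[k][i], a[k][j] = c * aki - s * akj, s * aki + c * akj
                for k in range(p):            # A <- R^T A (rotate rows i, j)
                    aik, ajk = a[i][k], a[j][k]
                    a[i][k], a[j][k] = c * aik - s * ajk, s * aik + c * ajk
                for k in range(p):            # U <- U R   (accumulate the rotations)
                    uki, ukj = u[k][i], u[k][j]
                    u[k][i], u[k][j] = c * uki - s * ukj, s * uki + c * ukj
    return [a[i][i] for i in range(p)], u


def principal_components(data: Matrix) -> Tuple[List[float], Matrix]:
    """Eigenvalues lambda_1 >= ... >= lambda_p and U with its columns reordered
    to match, as step 700 requires."""
    vals, u = jacobi_eigen(covariance_matrix(data))
    order = sorted(range(len(vals)), key=lambda k: vals[k], reverse=True)
    return [vals[k] for k in order], [[row[k] for k in order] for row in u]


def diagonalized(data: Matrix) -> Matrix:
    """U^T Sigma U for the sorted U; off-diagonal entries should be ~0."""
    sigma = covariance_matrix(data)
    _, u = principal_components(data)
    p = len(sigma)
    ut_sigma = [[sum(u[k][i] * sigma[k][j] for k in range(p)) for j in range(p)] for i in range(p)]
    return [[sum(ut_sigma[i][k] * u[k][j] for k in range(p)) for j in range(p)] for i in range(p)]


def select_indexes(data: Matrix, names: List[str], variance_kept: float = 0.99) -> List[str]:
    """Step 640: keep leading components until `variance_kept` of the total
    variance is explained (threshold assumed; the text gives none) and label
    each by the raw dimension with the largest loading, which becomes the
    index of the network device."""
    vals, u = principal_components(data)
    total, acc, kept = sum(vals), 0.0, []
    for comp, lam in enumerate(vals):
        acc += lam
        loadings = [abs(u[row][comp]) for row in range(len(names))]
        kept.append(names[loadings.index(max(loadings))])
        if acc / total >= variance_kept:
            break
    return kept


if __name__ == "__main__":
    print(principal_components(RAW_DATA)[0])
    print(select_indexes(RAW_DATA, FEATURE_NAMES))
```

On the constructed data the near-duplicate delay column is absorbed into the first component, so only two indexes survive: one named after a delay column and one after the light attenuation value; the host-age column carries too little variance to be kept at this cut-off. That is the effect the embodiment describes, that correlated collected features do not each become a separate index.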
Referring to fig. 8, in an exemplary embodiment, step 540 may further include the steps of:
Step 800, locating the IP of the network device according to the light attenuation value corresponding to the network device having the network anomaly.
Step 820, query the vulnerability of the network device using the IP of the network device as a query condition.
In step 840, the attack associated with the vulnerability is searched through the queried vulnerability, and the abnormal dimension characteristics related to the searched attack are obtained as an abnormal tracing result.
For example, the MDATA network security knowledge base is accessed with the IP corresponding to the network data whose light attenuation index is abnormal as the query condition. Based on the host-asset dimension associated with that IP, the person performing the IP tracing can query the vulnerabilities of a given suspected attacked host asset, search the attack threats associated with those vulnerabilities, and obtain the abnormal dimension features related to the attack. The network fault can thus be traced.
It should be appreciated that the TCP protocol is one of the most widely used transport protocols over the internet, and that an attacker may take advantage of some unusual behavior of the TCP connection to attack. The unusual dimension features related to the attack may include: basic characteristics of a TCP connection, content characteristics of a TCP connection, time-based network traffic statistics characteristics, host-based network traffic statistics characteristics.
The basic characteristics of a TCP connection comprise 9 dimensions: connection duration, protocol type, network service type of the target host, status flag of a normal or erroneous connection, number of data bytes from the source host to the target host, number of data bytes from the target host to the source host, whether the connection uses the same host and port, number of wrong fragments, and number of urgent packets.
For example, the following basic features of a TCP connection are relevant to attacks:
Connection establishment speed: an attacker may set up a large number of TCP connections very quickly, a behaviour known as a SYN flooding attack. Normally the speed of TCP connection establishment should be reasonable; if it is abnormally fast or abnormally slow, an attack may be indicated.
Connection duration: an attacker may consume system resources by maintaining a large number of long-lived TCP connections, which is referred to as a keep-alive attack. Normally the duration of a TCP connection should be reasonable; an abnormally long connection duration may indicate an attack.
Connection frequency: an attacker may frequently set up and close TCP connections, which is known as a connection flicker attack. Normally the frequency of TCP connections should be reasonable; an abnormally high connection frequency may indicate an attack.
Connection number: an attacker may set up a large number of TCP connections, which is called a connection flooding attack. Normally the number of TCP connections should be reasonable; an abnormally large number of connections may indicate an attack.
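The four basic-feature patterns just listed can be checked from ordinary flow records. The block below is an added Python example, not code from the patent: it groups constructed flow records by source host, derives the connection count, the peak establishment rate over a sliding window (which covers both "speed" and "frequency"), the mean duration and the share of connections that never completed, and reports which patterns exceed a threshold. The record fields, the flag values, the window length and the thresholds are assumptions of the example.

```python
"""Added example (not the patent's code): basic TCP-connection features per
source host from flow records, with the abnormal patterns flagged.
Field names, thresholds and the records themselves are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    start: float   # seconds
    end: float     # seconds
    flag: str      # connection status: "SF" completed normally, "S0" SYN seen, no reply


# Constructed flow records (not a real capture): one source opens 12 half-open
# connections within about half a second, one holds three hour-long sessions,
# and one behaves normally.
FLOWS: List[Flow] = (
    [Flow("10.0.0.5", "10.0.1.20", 443, 100.0 + i * 0.05, 100.0 + i * 0.05 + 0.01, "S0") for i in range(12)]
    + [Flow("10.0.0.7", "10.0.1.20", 22, 50.0 + i, 50.0 + i + 3600.0, "SF") for i in range(3)]
    + [Flow("10.0.0.9", "10.0.1.20", 80, 200.0, 200.5, "SF"),
       Flow("10.0.0.9", "10.0.1.21", 443, 260.0, 261.2, "SF")]
)

# Assumed thresholds for "reasonable" values; tune them per network.
THRESHOLDS = {
    "establishment_rate": 5.0,   # connections per second within the window
    "mean_duration": 1800.0,     # seconds
    "count": 50,                 # connections per source in the trace
    "incomplete_ratio": 0.8,     # share of connections that never completed
}
WINDOW_SECONDS = 2.0


def per_source_features(flows: List[Flow], window: float = WINDOW_SECONDS) -> Dict[str, Dict[str, float]]:
    """Per source host: connection count, peak establishment rate over any
    `window` seconds, mean duration and the share of incomplete connections."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for fl in flows:
        by_src[fl.src].append(fl)
    features: Dict[str, Dict[str, float]] = {}
    for src, fls in by_src.items():
        starts = sorted(f.start for f in fls)
        # largest number of connections started inside any window that
        # begins at one of the observed start times
        peak = max(sum(1 for s in starts if t <= s <= t + window) for t in starts)
        features[src] = {
            "count": len(fls),
            "establishment_rate": peak / window,
            "mean_duration": sum(f.end - f.start for f in fls) / len(fls),
            "incomplete_ratio": sum(1 for f in fls if f.flag != "SF") / len(fls),
        }
    return features


def classify(features: Dict[str, Dict[str, float]]) -> Dict[str, List[str]]:
    """Maps each source host to the abnormal basic-feature patterns it shows."""
    verdicts: Dict[str, List[str]] = {}
    for src, f in features.items():
        reasons = []
        if f["establishment_rate"] > THRESHOLDS["establishment_rate"]:
            reasons.append("connection establishment speed abnormally high")
        if f["mean_duration"] > THRESHOLDS["mean_duration"]:
            reasons.append("connection duration abnormally long")
        if f["count"] > THRESHOLDS["count"]:
            reasons.append("connection number abnormally large")
        if f["count"] >= 10 and f["incomplete_ratio"] > THRESHOLDS["incomplete_ratio"]:
            reasons.append("most connections never completed (half-open)")
        verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for src, reasons in classify(per_source_features(FLOWS)).items():
        print(src, reasons or "normal")
```

The half-open ratio is not one of the four patterns in the text but is the cheapest confirmation of the SYN-flood case, since a source that only ever sends SYNs will rarely complete a handshake; the count threshold is deliberately high so that the small constructed trace does not trip it.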
The content characteristics of a TCP connection include the following 13 variables (the names are those of the KDD Cup 99 feature set):
hot: the number of "hot" indicators in the connection;
num_failed_logins: the number of failed login attempts;
logged_in: whether the login was successful;
num_compromised: the number of "compromised" conditions observed;
root_shell: whether a superuser (root) shell was obtained;
su_attempted: whether execution of the su command was attempted;
num_root: the number of root accesses;
num_file_creations: the number of file creation operations;
num_shells: the number of shell prompts (shell commands used);
num_access_files: the number of accesses to access-control files, such as /etc/passwd;
num_outbound_cmds: the number of outbound commands in an FTP session;
is_host_login (often written is_hot_login): whether the login belongs to the "hot" list, such as a superuser or administrator login;
is_guest_login: whether the login is a guest login.
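As an added illustration of how these content features are obtained and then used as the "abnormal dimension features" of step 840, the Python block below (not the patent's code) derives the 13 KDD Cup 99 content features from a constructed per-session event trace and names the dimensions that look abnormal. The event vocabulary, the set of access-control files, the "hot" list and the decision rules are assumptions of this example; the patent gives no such definitions.

```python
"""Added example (not the patent's code): deriving the 13 TCP-connection
content features from session events and naming the abnormal dimensions.
Event kinds, file sets and rules are assumptions of this example."""
from typing import Dict, Iterable, List, Tuple

KDD_CONTENT_FEATURES = [
    "hot", "num_failed_logins", "logged_in", "num_compromised", "root_shell",
    "su_attempted", "num_root", "num_file_creations", "num_shells",
    "num_access_files", "num_outbound_cmds", "is_host_login", "is_guest_login",
]

# Assumed definitions: which files count as access-control files and which
# accounts are on the "hot" list.
ACCESS_CONTROL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
HOT_LIST_USERS = {"root", "admin"}

Event = Tuple[str, str]  # (event kind, argument)

# Constructed event trace of one TCP session (not a real capture).
SESSION_EVENTS: List[Event] = [
    ("login_failed", "guest"),
    ("login_failed", "guest"),
    ("login_ok", "guest"),
    ("file_access", "/home/guest/notes.txt"),
    ("su_attempt", "root"),
    ("root_shell", ""),
    ("root_access", "/var/log/auth.log"),
    ("file_access", "/etc/passwd"),
    ("file_access", "/etc/shadow"),
    ("file_create", "/tmp/a.out"),
    ("shell", "id"),
    ("compromised", "not-found error"),
    ("outbound_cmd", "PUT"),
]


def content_features(events: Iterable[Event]) -> Dict[str, int]:
    """Aggregates one session's events into the 13 content features.
    'hot' is counted here as sensitive file access, file creation and shell
    use (an assumed definition of the hot indicators)."""
    f = dict.fromkeys(KDD_CONTENT_FEATURES, 0)
    for kind, arg in events:
        if kind == "login_failed":
            f["num_failed_logins"] += 1
        elif kind == "login_ok":
            f["logged_in"] = 1
            f["is_guest_login"] = int(arg == "guest")
            f["is_host_login"] = int(arg in HOT_LIST_USERS)
        elif kind == "su_attempt":
            f["su_attempted"] = 1
        elif kind == "root_shell":
            f["root_shell"] = 1
            f["num_root"] += 1
        elif kind == "root_access":
            f["num_root"] += 1
        elif kind == "file_access" and arg in ACCESS_CONTROL_FILES:
            f["num_access_files"] += 1
            f["hot"] += 1
        elif kind == "file_create":
            f["num_file_creations"] += 1
            f["hot"] += 1
        elif kind == "shell":
            f["num_shells"] += 1
            f["hot"] += 1
        elif kind == "compromised":
            f["num_compromised"] += 1
        elif kind == "outbound_cmd":
            f["num_outbound_cmds"] += 1
    return f


def anomaly_dimensions(f: Dict[str, int]) -> List[str]:
    """Names the feature dimensions that look abnormal for this session
    (assumed rules); these are what the tracing step would report."""
    reasons = []
    if f["num_failed_logins"] >= 2 and f["logged_in"]:
        reasons.append("num_failed_logins: repeated failures before a successful login")
    if f["is_guest_login"] and (f["su_attempted"] or f["root_shell"]):
        reasons.append("root_shell/su_attempted: privilege change from a guest login")
    if f["num_access_files"] > 0:
        reasons.append("num_access_files: access-control files read")
    if f["num_compromised"] > 0:
        reasons.append("num_compromised: compromised conditions observed")
    return reasons


if __name__ == "__main__":
    feats = content_features(SESSION_EVENTS)
    print(feats)
    print(anomaly_dimensions(feats))
```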
Under this embodiment, anomaly tracing is realized by obtaining the abnormal dimension features related to the searched attack; the fault source is located quickly by innovatively using the light attenuation value as the feature for judging whether the optical fiber is physically damaged, together with the port identifiers of the two end devices that the network itself carries when a traffic anomaly occurs.
Referring to table 1 below, a comprehensive analysis table for evaluating network environment in an application scenario is shown.
Table 1 comprehensive analysis table for network environment evaluation
And selecting indexes such as an optical attenuation value, network delay, host service life and the like to evaluate the network environment. The lower the composite score, the worse the network security; conversely, the higher the score, the better the network security.
Light attenuation value: an optical module is set at the port of the network device, the real-time light attenuation value of the port is collected through the optical module, and the light attenuation index of the network device is determined from it. If the real-time light attenuation value is lower than -30 dB, the light attenuation index scores 1 point; if it is between -30 dB and -20 dB, the index scores 2 points; if it is higher than -20 dB, the index scores 3 points.
Network delay: network delay refers to the round-trip time a data packet takes to travel from the user's computer to the web server and immediately back from the web server to the user's computer, that is, the time the data takes to travel from one end to the other.
Host lifetime: counted from the production date, faults are more frequent during the first year and gradually decrease; from the first year to the second year faults are fewer and stable; from the second year to the third year faults increase again.
In one possible implementation, different weights are given to the light attenuation value, the network delay and the host lifetime. For example, when composite scores are equal, the light attenuation value is taken as the core index; if the light attenuation values are also the same, the network delay is compared; and finally the host lifetime is compared.
In this application scenario, the light attenuation value is innovatively used to judge whether the optical fiber is physically damaged, and, when a traffic anomaly occurs, the port identifiers of the two end devices that the network itself carries are used to locate the fault source quickly. False alarms caused by network jitter are avoided. At the same time, the network environment and its quality are evaluated comprehensively from the hardware angle in combination with the network devices. The lower the score, the worse the network security.
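The scoring of this application scenario, as an added Python example that is not the patent's code: the light attenuation thresholds are the ones given above (-30 dB and -20 dB, scoring 1, 2 and 3 points), while the delay bands, the host-lifetime points, the weights and the device records are assumptions, since the text states only that the light attenuation value is the core index and that a lower score means worse security. Devices are ranked by composite score, and equal scores are broken in the order the text gives.

```python
"""Added example (not the patent's code): the three-index scoring of Table 1
and the stated tie-breaking order, with constructed device records."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DeviceIndexes:
    device_ip: str                 # constructed label, not a real address
    light_attenuation_db: float    # real-time value read from the port's optical module
    network_delay_ms: float
    host_age_years: float


def light_attenuation_score(value_db: float) -> int:
    """Thresholds from the text: below -30 dB -> 1 point, -30 dB to -20 dB -> 2,
    above -20 dB -> 3 (boundary values are assumed to fall in the middle band)."""
    if value_db < -30.0:
        return 1
    if value_db <= -20.0:
        return 2
    return 3


def network_delay_score(delay_ms: float) -> int:
    """ASSUMED bands: the text gives no delay thresholds, only that a lower
    score means worse security."""
    if delay_ms > 100.0:
        return 1
    if delay_ms > 30.0:
        return 2
    return 3


def host_age_score(age_years: float) -> int:
    """Follows the fault curve described in the text: many faults in the first
    year, few and stable in the second, rising again from the third. The
    point values are assumed."""
    if age_years < 1.0:
        return 2
    if age_years < 2.0:
        return 3
    return 1


# ASSUMED weights; the text only says the light attenuation value is the core index.
WEIGHTS: Dict[str, float] = {"light": 0.5, "delay": 0.3, "host": 0.2}


def composite_score(d: DeviceIndexes) -> float:
    """Weighted network environment score; lower means worse network security."""
    score = (WEIGHTS["light"] * light_attenuation_score(d.light_attenuation_db)
             + WEIGHTS["delay"] * network_delay_score(d.network_delay_ms)
             + WEIGHTS["host"] * host_age_score(d.host_age_years))
    return round(score, 3)


def rank_devices(devices: List[DeviceIndexes]) -> List[Tuple[str, float]]:
    """Best to worst. Equal composite scores are ordered as the text says:
    light attenuation first, then network delay, finally host lifetime."""
    def key(d: DeviceIndexes):
        return (composite_score(d),
                light_attenuation_score(d.light_attenuation_db),
                network_delay_score(d.network_delay_ms),
                host_age_score(d.host_age_years))
    return [(d.device_ip, composite_score(d)) for d in sorted(devices, key=key, reverse=True)]


# Constructed records; 10.0.0.2 and 10.0.0.5 tie on the composite score and
# are separated by the light attenuation score.
DEVICES: List[DeviceIndexes] = [
    DeviceIndexes("10.0.0.1", -18.0, 20.0, 1.5),
    DeviceIndexes("10.0.0.2", -25.0, 50.0, 0.5),
    DeviceIndexes("10.0.0.3", -32.0, 10.0, 2.5),
    DeviceIndexes("10.0.0.4", -25.0, 120.0, 1.2),
    DeviceIndexes("10.0.0.5", -18.0, 120.0, 2.5),
]


if __name__ == "__main__":
    for ip, score in rank_devices(DEVICES):
        print(ip, score)
```

Rounding the composite to three decimals before comparison is what makes the tie-break reachable: without it, floating-point sums such as 1.5 + 0.3 + 0.2 and 1.0 + 0.6 + 0.4 differ in the last bit and the stated order of the secondary keys would never be consulted.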
The following is an embodiment of the device of the present application, which can be used to execute the network environment evaluation and anomaly tracing method related to the present application. For details not disclosed in the embodiment of the apparatus of the present application, please refer to an embodiment of a method for evaluating a network environment and tracing an anomaly.
Referring to fig. 9, in an embodiment of the present application, a network environment evaluating and anomaly tracing device 900 is provided, including but not limited to: a feature dimension constraint set module 910, a network environment evaluation module 930, and an anomaly tracing module 950.
The feature dimension constraint set module 910 is configured to perform feature dimension constraint set on the original data of each network device, so as to obtain an index of each network device.
The network environment evaluation module 930 is configured to perform network environment evaluation on each network device according to the index of each network device, so as to obtain a network environment score of each network device; the network environment score is used to indicate a network security level.
The anomaly tracing module 950 is configured to detect and trace the anomaly of each network device according to the index and the network environment score, so as to obtain an anomaly tracing result of each network device; the anomaly tracing result is used to indicate the source of the attack in the network.
In an exemplary embodiment, the feature dimension constraint set module 910 includes: the principal component analysis unit 9100 is configured to process the raw data using a principal component analysis algorithm to obtain an index of each network device.
In an exemplary embodiment, the principal component analysis unit 9100 includes: a covariance matrix calculation subunit 9101, configured to calculate a covariance matrix of the original data, where each row of the covariance matrix corresponds to the original data of one network device and each column corresponds to a dimension in the original data; a diagonal matrix calculation subunit 9102, configured to calculate a diagonal matrix from the covariance matrix; and a marking subunit 9103, configured to mark the index of each network device according to the index association relationship in the diagonal matrix, so as to obtain the index of each network device.
In an exemplary embodiment, diagonal matrix computing subunit 9102 includes: the orthogonal matrix construction subunit 9103 is configured to construct an orthogonal matrix, and calculate a diagonal matrix based on the orthogonal matrix and the covariance matrix, so that elements of the diagonal matrix on a diagonal line are sequentially arranged from large to small.
In an exemplary embodiment, the metrics include light decay values, network latency, and host lifetime; the network environment evaluation module 930 includes: the weight determining unit 9300 is configured to determine weights corresponding to the light attenuation value, the network delay and the host lifetime respectively; the network environment scoring unit 9301 is configured to obtain a network environment score according to the light attenuation value, the network delay, the score of the host lifetime indication, and the weights respectively corresponding to the light attenuation value, the network delay, and the host lifetime indication.
In an exemplary embodiment, the anomaly tracing module 950 includes: a network traffic condition determining unit 9500, configured to determine whether the optical fiber has physical damage and/or network traffic condition according to the optical attenuation value; a network anomaly detection unit 9501, configured to detect whether a network anomaly exists in the network device according to the determined physical damage to the optical fiber and/or the network traffic condition; and the anomaly tracing unit 9502 is configured to perform anomaly tracing based on the IP of the network device if the network device is detected to have a network anomaly.
In an exemplary embodiment, the anomaly tracing unit 9502 includes: an IP positioning subunit 9503, configured to position an IP of the network device according to an optical attenuation value corresponding to the network device having the network abnormality; the vulnerability query subunit 9504 is configured to query a vulnerability of the network device with an IP of the network device as a query condition; the abnormal dimension feature obtaining subunit 9505 is configured to search for an attack associated with the vulnerability through the queried vulnerability, and obtain an abnormal dimension feature related to the searched attack as an abnormal tracing result.
It should be noted that, when the network environment evaluating and anomaly tracing device provided in the foregoing embodiments performs network environment evaluating and anomaly tracing, only the division of the foregoing functional modules is used for illustrating, in practical application, the foregoing functional allocation may be completed by different functional modules according to needs, that is, the internal structure of the network environment evaluating and anomaly tracing device may be divided into different functional modules, so as to complete all or part of the functions described above.
In addition, the network environment evaluation and anomaly tracing device and the network environment evaluation and anomaly tracing method provided in the foregoing embodiments belong to the same concept, and the specific manner in which each module performs the operation is described in detail in the method embodiment, which is not repeated here.
Fig. 10 shows a schematic structure of a server according to an exemplary embodiment. The server is suitable for use with the devices 130, 150 in the implementation environment shown in fig. 1.
It should be noted that this server is only an example adapted to the present application, and should not be construed as providing any limitation on the scope of use of the present application. Nor should the server be construed as necessarily relying on or necessarily having one or more of the components of the exemplary server 2000 illustrated in fig. 10.
The hardware structure of the server 2000 may vary widely depending on configuration or performance; as shown in fig. 10, the server 2000 includes: a power supply 210, an interface 230, at least one memory 250, and at least one central processing unit (CPU) 270.
Specifically, the power supply 210 is configured to provide an operating voltage for each hardware device on the server 2000.
The interface 230 includes at least one wired or wireless network interface 231 for interacting with external devices.
Of course, in other examples of the adaptation of the present application, the interface 230 may further include at least one serial-parallel conversion interface 233, at least one input-output interface 235, at least one USB interface 237, and the like, as shown in fig. 10, which is not particularly limited herein.
The memory 250 may be a carrier for storing resources, such as a read-only memory, a random access memory, a magnetic disk, or an optical disk, where the resources stored include an operating system 251, application programs 253, and data 255, and the storage mode may be transient storage or permanent storage.
The operating system 251 is used for managing and controlling the hardware devices and the applications 253 on the server 2000 so that the central processing unit 270 can operate on and process the massive data 255 in the memory 250; it may be Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The application 253 is based on computer readable instructions on the operating system 251 to perform at least one specific task, which may include at least one module (not shown in fig. 10), each of which may include computer readable instructions to the server 2000, respectively. For example, the network environment evaluation and anomaly traceability device can be considered as the application 253 deployed on the server 2000.
The data 255 may be a photograph, a picture, or the like stored in a disk, or may be original data of a network device, or the like, and stored in the memory 250.
The central processor 270 may include one or more of the above processors and is configured to communicate with the memory 250 via at least one communication bus to read computer readable instructions stored in the memory 250, thereby implementing operations and processing of the bulk data 255 in the memory 250. For example, the network environment evaluation and anomaly tracing method is accomplished by the central processor 270 reading a series of computer readable instructions stored in the memory 250.
Furthermore, the present application can be realized by hardware circuitry or by a combination of hardware circuitry and software, and thus, the implementation of the present application is not limited to any specific hardware circuitry, software, or combination of the two.
Referring to fig. 11, fig. 11 is a schematic diagram illustrating a structure of a terminal according to an exemplary embodiment. The terminal is suitable for use with the device 110 in the implementation environment shown in fig. 1.
It should be noted that the terminal is only an example adapted to the present application and should not be construed as providing any limitation on the scope of use of the present application. Nor should the terminal be construed as necessarily relying on or necessarily having one or more of the components of the exemplary terminal 1100 shown in fig. 11.
As shown in fig. 11, the terminal 1100 includes a memory 101, a memory controller 103, one or more (only one is shown in fig. 11) processors 105, a peripheral interface 107, a radio frequency module 109, a positioning module 111, a camera module 113, an audio module 115, a touch screen 117, and a key module 119. These components communicate with each other via one or more communication buses/signal lines 121.
The memory 101 may be configured to store computer readable instructions, such as computer readable instructions corresponding to the network environment evaluation and anomaly tracing method and apparatus according to the exemplary embodiment of the present application, and the processor 105 performs various functions and data processing by reading the computer readable instructions stored in the memory 101, that is, the network environment evaluation and anomaly tracing method is completed.
Memory 101, which is the carrier of resource storage, may be random access memory, e.g., high speed random access memory, non-volatile memory, such as one or more magnetic storage devices, flash memory, or other solid state memory. The storage means may be a temporary storage or a permanent storage.
The peripheral interface 107 may include at least one wired or wireless network interface, at least one serial-to-parallel conversion interface, at least one input/output interface, at least one USB interface, etc. for coupling external various input/output devices to the memory 101 and the processor 105 to enable communication with the external various input/output devices.
The radio frequency module 109 is configured to receive and transmit electromagnetic waves, and to implement mutual conversion between the electromagnetic waves and the electrical signals, so as to communicate with other devices through a communication network. The communication network may include a cellular telephone network, a wireless local area network, or a metropolitan area network, and may employ various communication standards, protocols, and techniques.
The positioning module 111 is configured to obtain a current geographic location of the terminal 1100. Examples of the positioning module 111 include, but are not limited to, global satellite positioning system (GPS), wireless local area network or mobile communication network based positioning technology.
The camera module 113 is attached to a camera for taking pictures or videos. The photographed pictures or videos may be stored in the memory 101, and may also be transmitted to an upper computer through the rf module 109.
The audio module 115 provides an audio interface to the user, which may include one or more microphone interfaces, one or more speaker interfaces, and one or more earphone interfaces. The interaction of the audio data with other devices is performed through the audio interface. The audio data may be stored in the memory 101 or may be transmitted via the radio frequency module 109.
The touch screen 117 provides an input-output interface between the terminal 1100 and the user. Specifically, the user may perform an input operation, such as a gesture operation of clicking, touching, sliding, etc., through the touch screen 117 to make the terminal 1100 respond to the input operation. The terminal 1100 displays and outputs the output content formed by any one or combination of the text, the picture or the video to the user through the touch screen 117.
The key module 119 includes at least one key to provide an interface for a user to input to the terminal 1100, and the user can cause the terminal 1100 to perform different functions by pressing different keys. For example, the sound adjustment key may allow the user to adjust the volume of sound played by the terminal 1100.
It is to be understood that the structure shown in fig. 11 is merely illustrative, and that terminal 1100 may also include more or fewer components than shown in fig. 11, or have different components than shown in fig. 11. The components shown in fig. 11 may be implemented in hardware, software, or a combination thereof.
Referring to fig. 12, in an embodiment of the present application, an electronic device 4000 is provided, where the electronic device 4000 may include: desktop computers, notebook computers, servers, etc.
In fig. 12, the electronic device 4000 includes at least one processor 4001 and at least one memory 4003.
Data interaction between the processor 4001 and the memory 4003 may be achieved through at least one communication bus 4002. The communication bus 4002 may include a path for transferring data between the processor 4001 and the memory 4003. The communication bus 4002 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus 4002 can be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration, only one thick line is shown in fig. 12, but this does not mean that there is only one bus or one type of bus.
Optionally, the electronic device 4000 may further comprise a transceiver 4004, the transceiver 4004 may be used for data interaction between the electronic device and other electronic devices, such as transmission of data and/or reception of data, etc. It should be noted that, in practical applications, the transceiver 4004 is not limited to one, and the structure of the electronic device 4000 is not limited to the embodiment of the present application.
The processor 4001 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or another programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor 4001 may also be a combination that implements computing functionality, for example one or more microprocessors, or a DSP combined with a microprocessor.
The memory 4003 may be, but is not limited to, ROM (Read Only Memory) or another type of static storage device that can store static information and instructions, RAM (Random Access Memory) or another type of dynamic storage device that can store information and instructions, EEPROM (Electrically Erasable Programmable Read Only Memory), CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact disc, laser disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program instructions or code in the form of instructions or data structures and that can be accessed by the electronic device 4000.
The memory 4003 has computer readable instructions stored thereon, and the processor 4001 can read the computer readable instructions stored in the memory 4003 through the communication bus 4002.
The computer readable instructions are executed by the one or more processors 4001 to implement the network environment evaluation and anomaly tracing methods in the embodiments described above.
In addition, in an embodiment of the present application, a storage medium is provided, where computer readable instructions are stored on the storage medium, where the computer readable instructions are executed by one or more processors to implement the network environment evaluation and anomaly tracing method as described above.
In an embodiment of the present application, a computer program product is provided, where the computer program product includes computer readable instructions, where the computer readable instructions are stored in a storage medium, and one or more processors of an electronic device read the computer readable instructions from the storage medium, load and execute the computer readable instructions, so that the electronic device implements a network environment evaluation and anomaly tracing method as described above.
Compared with the related art, the application has the following beneficial effects:
1. The feature dimension constraint set is applied to the original data of the network devices to obtain the indexes of each network device; network environment evaluation is then carried out on each network device based on those indexes to obtain its network environment score, and anomaly detection and tracing are performed according to the indexes and the network environment scores. In this scheme, indexes such as network delay, light attenuation value and host lifetime are selected for the network environment evaluation, and different indexes are given different weights to obtain the network environment score. Considering network delay avoids false alarms caused by network jitter; the light attenuation value is used as the feature for judging whether an optical fiber is physically damaged, so the hardware layer becomes a factor of the evaluation; the network environment and its quality are thus evaluated from all directions and the network security level of each network device is obtained accurately. Network intrusions are then detected and traced based on the obtained network environment scores, and the fault source is located quickly so that network faults and security problems can be solved in time.
2. A principal component analysis algorithm is constructed so that the original data are processed and converted reasonably and the growth of data distortion and error is reduced as far as possible. In the prior art, when data are actually collected and observed for principal component analysis, it is difficult to judge whether the collected or extracted data features are correlated, so several correlated features may be collected, the data processing effect is poor, and the accuracy of network environment evaluation and anomaly tracing suffers; the scheme of the application improves on the principle of current data reduction and on the defects that arise in the calculation process, so that the accuracy of network environment evaluation and anomaly tracing is not affected but improved.
3. The light attenuation value is innovatively used as the feature for judging whether the optical fiber is physically damaged, and, when network traffic is abnormal, the port identifiers of the two end devices that the network itself carries are used so that the fault source can be located quickly. False alarms caused by network jitter are avoided. At the same time, the network environment and its quality are evaluated comprehensively from the hardware angle in combination with the network devices. The lower the score, the worse the network security.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
The foregoing is only a partial embodiment of the present application, and it should be noted that it will be apparent to those skilled in the art that modifications and adaptations can be made without departing from the principles of the present application, and such modifications and adaptations are intended to be comprehended within the scope of the present application.

Claims (10)

1. A network environment evaluating and anomaly tracing method, characterized in that it comprises the following steps:
respectively carrying out feature dimension constraint set on the original data of each network device to obtain indexes of each network device;
respectively carrying out network environment evaluation on each network device according to the index of each network device to obtain the network environment score of each network device; the network environment score is used for indicating a network security level;
detecting and tracing the abnormality of each network device according to the index and the network environment score to obtain an abnormality tracing result of each network device; the anomaly tracing result is used for indicating an attack source in the network.
2. The method of claim 1, wherein performing feature dimension constraint set processing on the raw data of each network device to obtain the index of each network device comprises:
processing the raw data with a principal component analysis algorithm to obtain the index of each network device.
3. The method of claim 2, wherein processing the raw data with a principal component analysis algorithm to obtain the index of each network device comprises:
calculating a covariance matrix of the raw data, where each row of the covariance matrix corresponds to the raw data of one network device and each column corresponds to one dimension of the raw data;
calculating a diagonal matrix from the covariance matrix;
marking the index of each network device according to the index association relation in the diagonal matrix to obtain the index of each network device.
4. The method of claim 3, wherein calculating the diagonal matrix from the covariance matrix comprises:
constructing an orthogonal matrix and calculating the diagonal matrix from the orthogonal matrix and the covariance matrix, such that the elements on the diagonal of the diagonal matrix are arranged in descending order.
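The principal component step of claims 2 to 4 (and of summary item 2 above) carried through in working code, as an added example that is not the patent's own implementation. It builds the covariance matrix of constructed per-device raw data, finds the orthogonal matrix with cyclic Jacobi rotations, sorts the diagonal in descending order, and projects each device onto the leading components to obtain its index. The device rows, the column names, the 95% variance target and the deliberately redundant "jitter" column are all constructed assumptions:

```python
"""Added example (not the patent's code): the principal component step of
claims 2-4 in pure Python, so the orthogonal matrix and the descending
diagonal are visible rather than hidden inside a library call."""
import math

# Constructed sample: one row per network device, one column per raw dimension.
# The 4th column (delay jitter) is exactly twice the delay column, i.e. a fully
# correlated, redundant feature of the kind the description warns about.
RAW_DATA = [
    # light attenuation (dB), network delay (ms), host lifetime (months), jitter (ms)
    [0.5, 12.0, 36.0, 24.0],
    [0.6, 15.0, 40.0, 30.0],
    [0.4, 10.0, 12.0, 20.0],
    [3.2, 80.0, 60.0, 160.0],
    [0.7, 14.0, 48.0, 28.0],
    [1.1, 25.0, 24.0, 50.0],
]


def transpose(m):
    return [list(col) for col in zip(*m)]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def centre(rows):
    """Subtract the column means so the covariance is about the data's own spread."""
    m = len(rows)
    means = [sum(col) / m for col in transpose(rows)]
    return [[x - mu for x, mu in zip(row, means)] for row in rows]


def covariance_matrix(rows):
    """Unbiased sample covariance (dimensions x dimensions) of the centred data."""
    ct = transpose(centre(rows))
    m = len(rows)
    return [[sum(x * y for x, y in zip(ci, cj)) / (m - 1) for cj in ct] for ci in ct]


def jacobi_eigen(sym, tol=1e-20, max_sweeps=100):
    """Cyclic Jacobi rotations for a symmetric matrix: returns (eigenvalues, Q)
    with Q orthogonal and Q^T A Q diagonal. Fine for the handful of dimensions
    a device index has; off-diagonal mass is measured relative to the diagonal."""
    n = len(sym)
    a = [row[:] for row in sym]
    q = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        scale = sum(a[i][i] ** 2 for i in range(n)) + 1e-300
        if off <= tol * scale:
            break
        for p in range(n - 1):
            for r in range(p + 1, n):
                if a[p][r] == 0.0:
                    continue
                theta = (a[r][r] - a[p][p]) / (2.0 * a[p][r])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):  # A <- A P   (mix columns p and r)
                    akp, akr = a[k][p], a[k][r]
                    a[k][p], a[k][r] = c * akp - s * akr, s * akp + c * akr
                for k in range(n):  # A <- P^T A (mix rows p and r)
                    apk, ark = a[p][k], a[r][k]
                    a[p][k], a[r][k] = c * apk - s * ark, s * apk + c * ark
                for k in range(n):  # Q <- Q P   accumulates the orthogonal matrix
                    qkp, qkr = q[k][p], q[k][r]
                    q[k][p], q[k][r] = c * qkp - s * qkr, s * qkp + c * qkr
                a[p][r] = a[r][p] = 0.0  # the rotation was chosen to zero this pair
    return [a[i][i] for i in range(n)], q


def diagonalize(cov):
    """Claim 4: orthogonal Q such that Q^T C Q is diagonal, diagonal sorted descending."""
    vals, q = jacobi_eigen(cov)
    order = sorted(range(len(vals)), key=lambda i: vals[i], reverse=True)
    return [vals[i] for i in order], [[row[i] for i in order] for row in q]


def explained_variance_ratio(eigenvalues):
    total = sum(eigenvalues)
    return [v / total for v in eigenvalues]


def components_for(eigenvalues, target=0.95):
    """Smallest number of leading components whose variance share reaches target."""
    acc = 0.0
    for k, share in enumerate(explained_variance_ratio(eigenvalues), start=1):
        acc += share
        if acc >= target:
            return k
    return len(eigenvalues)


def device_indexes(rows, n_components):
    """Claim 3: project each device's centred raw data onto the leading components;
    the resulting scores are the 'index' the later evaluation steps consume."""
    vals, q = diagonalize(covariance_matrix(rows))
    basis = [row[:n_components] for row in q]
    return matmul(centre(rows), basis)


if __name__ == "__main__":
    vals, _ = diagonalize(covariance_matrix(RAW_DATA))
    print("eigenvalues (descending):", [round(v, 3) for v in vals])
    print("components for 95% variance:", components_for(vals))
    for row in device_indexes(RAW_DATA, components_for(vals)):
        print([round(x, 3) for x in row])
```

Because the jitter column is an exact multiple of the delay column, one eigenvalue comes out at floating-point zero: that is how a correlated feature that was effectively collected twice shows up, and dropping that component is the "reasonable processing" the description refers to. For a real feed the columns should be scaled to comparable units before taking the covariance, otherwise the dimension with the largest raw variance (here the millisecond delays) dominates the first component regardless of its security relevance.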
5. The method of claim 1, wherein the index includes a light attenuation value, a network delay and a host service life;
and evaluating the network environment of each network device according to its index to obtain the network environment score of each network device comprises:
determining the weights corresponding to the light attenuation value, the network delay and the host service life respectively;
obtaining the network environment score from the light attenuation value, the network delay, the score indicated by the host service life, and the weights corresponding to the light attenuation value and the network delay respectively.
6. The method of claim 5, wherein detecting and tracing anomalies of each network device according to the index and the network environment score to obtain the anomaly tracing result of each network device comprises:
determining, from the light attenuation value, whether the optical fiber is physically damaged and/or the network traffic condition;
detecting, from the determined physical damage of the optical fiber and/or network traffic condition, whether the network device has a network anomaly;
if the network device is detected to have a network anomaly, performing anomaly tracing based on the IP of the network device.
7. The method of claim 6, wherein, if the network device is detected to have a network anomaly, performing anomaly tracing based on the IP of the network device comprises:
locating the IP of the network device according to the light attenuation value corresponding to the network device with the network anomaly;
querying the vulnerabilities of the network device with its IP as the query condition;
searching for attacks associated with the queried vulnerabilities, and acquiring the abnormal dimension features related to the found attacks as the anomaly tracing result.
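The weighted score of claim 5 and the detection and tracing chain of claims 6 and 7 (and summary item 3) as an added, runnable example that is not the patent's code. Every weight, score mapping, attenuation threshold, port-to-IP mapping and vulnerability or attack entry is a constructed placeholder, since the patent leaves those values open; the rule that a threshold must be exceeded in three consecutive samples is one way to keep a single jitter spike from raising a false alarm:

```python
"""Added example (not from the patent): claim 5 scoring plus the claims 6-7
detection and tracing chain, with constructed thresholds and lookup tables."""
from dataclasses import dataclass


@dataclass
class DeviceIndex:
    """The per-device index consumed by the scoring and tracing steps."""
    ip: str
    light_attenuation_db: float   # optical attenuation on the device's fibre port
    network_delay_ms: float
    host_lifetime_months: float
    peer_port: str                # port identifier of the device at the other fibre end


# Constructed weights and 0..100 score mappings; the patent leaves concrete values open.
WEIGHTS = {"light": 0.4, "delay": 0.35, "lifetime": 0.25}


def sub_scores(d):
    """Map each metric to a 0..100 score where higher means healthier (assumed scales)."""
    light = max(0.0, 100.0 - 25.0 * d.light_attenuation_db)              # 0 dB -> 100, >=4 dB -> 0
    delay = max(0.0, 100.0 - d.network_delay_ms)                         # 0 ms -> 100, >=100 ms -> 0
    lifetime = max(0.0, 100.0 - 100.0 * d.host_lifetime_months / 60.0)   # new host -> 100, 5 years -> 0
    return {"light": light, "delay": delay, "lifetime": lifetime}


def network_environment_score(d, weights=WEIGHTS):
    """Claim 5: weighted sum of the three metric scores; lower means worse network security."""
    s = sub_scores(d)
    return sum(weights[k] * s[k] for k in weights)


# Constructed detection thresholds applied to the attenuation series of one fibre port.
DAMAGE_DB = 3.0            # sustained attenuation at or above this -> physical damage
ABNORMAL_TRAFFIC_DB = 1.5  # sustained attenuation at or above this (below DAMAGE_DB) -> traffic problem
CONSECUTIVE = 3            # samples that must agree, so a lone jitter spike raises no alarm


def classify_fibre(readings):
    """Claim 6: physical damage / abnormal traffic / normal from attenuation readings.
    A spike shorter than CONSECUTIVE samples is treated as network jitter, not a fault."""
    def sustained(threshold):
        run = 0
        for r in readings:
            run = run + 1 if r >= threshold else 0
            if run >= CONSECUTIVE:
                return True
        return False
    if sustained(DAMAGE_DB):
        return "physical_damage"
    if sustained(ABNORMAL_TRAFFIC_DB):
        return "abnormal_traffic"
    return "normal"


# Constructed, hypothetical knowledge base standing in for the vulnerability and attack
# databases the method queries by IP. The identifiers are placeholders, not real CVEs.
PORT_TO_IP = {"sw1/ge0/7": "10.0.0.7", "sw1/ge0/9": "10.0.0.9"}
VULN_DB = {"10.0.0.7": ["VULN-A"], "10.0.0.9": ["VULN-B", "VULN-C"]}
ATTACK_DB = {
    "VULN-A": ("ATTACK-1", ["network_delay", "traffic_volume"]),
    "VULN-B": ("ATTACK-2", ["light_attenuation"]),
    "VULN-C": ("ATTACK-3", ["host_lifetime", "network_delay"]),
}


def trace_anomaly(port, readings, devices, score_threshold=50.0):
    """Claims 6-7: locate the device behind the alarming port, confirm the anomaly from the
    fibre state and the score, then walk IP -> vulnerabilities -> attacks -> abnormal dimensions."""
    ip = PORT_TO_IP.get(port)
    device = devices.get(ip)
    if device is None:
        return {"port": port, "anomalous": False, "reason": "unknown port"}
    fibre = classify_fibre(readings)
    score = network_environment_score(device)
    if fibre == "normal" and score >= score_threshold:
        return {"port": port, "ip": ip, "anomalous": False, "score": score}
    vulns = VULN_DB.get(ip, [])
    attacks = [ATTACK_DB[v][0] for v in vulns if v in ATTACK_DB]
    features = sorted({f for v in vulns if v in ATTACK_DB for f in ATTACK_DB[v][1]})
    return {"port": port, "ip": ip, "peer_port": device.peer_port, "anomalous": True,
            "fibre": fibre, "score": score, "vulnerabilities": vulns,
            "attacks": attacks, "abnormal_dimensions": features}


# Constructed sample devices and attenuation series.
DEVICES = {
    "10.0.0.7": DeviceIndex("10.0.0.7", 0.5, 12.0, 36.0, peer_port="core/ge0/1"),
    "10.0.0.9": DeviceIndex("10.0.0.9", 3.2, 80.0, 60.0, peer_port="core/ge0/2"),
}
JITTER_SERIES = [0.5, 3.4, 0.5, 0.6]   # one spike: jitter, no alarm
DAMAGE_SERIES = [3.1, 3.3, 3.5, 3.4]   # sustained: physical damage

if __name__ == "__main__":
    print(trace_anomaly("sw1/ge0/7", JITTER_SERIES, DEVICES))
    print(trace_anomaly("sw1/ge0/9", DAMAGE_SERIES, DEVICES))
```

The result carries both the device IP and the peer port, which is the "port identification of the devices at both ends" the description relies on for fast fault location; an operator can check the far-end port before concluding that the near-end device is the attack source rather than a victim of a degraded link.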
8. A network environment evaluation and anomaly tracing device, characterized in that it comprises:
a feature dimension constraint set module, configured to perform feature dimension constraint set processing on the raw data of each network device to obtain the index of each network device;
a network environment evaluation module, configured to evaluate the network environment of each network device according to its index to obtain the network environment score of each network device, the network environment score indicating a network security level;
an anomaly tracing module, configured to detect and trace anomalies of each network device according to the index and the network environment score to obtain the anomaly tracing result of each network device, the anomaly tracing result indicating an attack source in the network.
9. An electronic device, comprising at least one processor and at least one memory, wherein
the memory has computer readable instructions stored thereon, and
the computer readable instructions are executed by one or more of the processors to cause the electronic device to implement the network environment evaluation and anomaly tracing method of any one of claims 1 to 7.
10. A storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by one or more processors to implement the network environment evaluation and anomaly tracing method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310756450.2A CN116886342A (en) 2023-06-26 2023-06-26 Network environment evaluation and anomaly tracing method and device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN116886342A true CN116886342A (en) 2023-10-13

Family

ID=88265307

Country Status (1)

Country Link
CN (1) CN116886342A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination