CN116996286A - Network attack and security vulnerability management framework platform based on big data analysis - Google Patents



Publication number
CN116996286A
Authority
CN
China
Prior art keywords
data
security
network
information
neural network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310950455.9A
Other languages
Chinese (zh)
Inventor
王玲
陈淑君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Xintongcheng Information Technology Co ltd
Original Assignee
Nanjing Xintongcheng Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Xintongcheng Information Technology Co ltd
Priority to CN202310950455.9A
Publication of CN116996286A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications

Abstract

The invention discloses a network attack and security vulnerability management framework platform based on big data analysis. The platform comprises a network attack module, a security vulnerability management module and a big data query system. The security vulnerability management module comprises a network security framework, firewall protection, data backup encryption, vulnerability query detection, vulnerability repair prevention and system security testing; the big data query system comprises a network communication module and a big database module.

Description

Network attack and security vulnerability management framework platform based on big data analysis
Technical Field
The invention belongs to the technical field of network security protection, and particularly relates to a network attack and security vulnerability management framework platform based on big data analysis.
Background
Cyber attacks are attempts by criminals to disable computers, steal data, or use a compromised computer system to launch further attacks. In recent years cyber attacks have become increasingly sophisticated, so attack prevention is indispensable for every individual and organization. Cyber crime depends on the efficient exploitation of vulnerabilities. Defenders are at a disadvantage because they must protect every possible entry point, while an attacker only needs to find and exploit a single vulnerability or weakness. This asymmetry favours attackers, which means that even large organizations can struggle to keep criminals out of their networks. Network security protection therefore has to both block attacks and repair vulnerabilities, yet many network security protection problems remain unsolved in the market.
The network attack detection method disclosed in publication CN101286979A handles the ingress and egress of small and medium-sized networks; for the ingress and egress of large high-speed networks it can be fixed in hardware as a hardware program or deployed across several computers for parallel processing. It does not, however, solve the problem that existing network security protection cannot combine protection against network attacks, repair of vulnerabilities, detection based on several algorithms and real-time updating of a large database. A network attack and security vulnerability management framework platform based on big data analysis is therefore provided.
Disclosure of Invention
The invention aims to provide a network attack and security vulnerability management framework platform based on big data analysis so as to solve the problems described in the background.
To achieve the above purpose, the present invention provides the following technical solution. A network attack and security vulnerability management framework platform based on big data analysis comprises a network attack module, a security vulnerability management module and a big data query system.
The network attack module comprises abnormal access prevention, IP address lookup, data size analysis, deep learning detection, machine learning detection and intrusion detection data sets. Abnormal access prevention blocks abnormal access and stops abnormal information that carries a network attack from entering; IP address lookup queries the address information of the abnormal information, and data access from the abnormal IP address is permanently blocked; data size analysis collects the data of normal communication and analyses its size; deep learning detection uses software to detect threats, prevent unauthorized access or abuse and report attacks to a security administrator; machine learning detection detects abnormal attacks by means of computer algorithms; and the intrusion detection data sets provide the conditions needed to evaluate and train an intrusion detection system based on anomaly detection;
The security vulnerability management module comprises a network security framework, firewall protection, data backup encryption, vulnerability query detection, vulnerability repair prevention and system security testing. The network security framework is a set of standards, guidelines and procedures drawn up by a network security professional organization to help an organization understand and manage the network security risks it faces. Firewall protection combines software and hardware devices for security management and filtering so as to build a relatively isolated protective barrier between the internal network and the external network and protect user data and information. Data backup encryption backs up and encrypts the data of computer resources to improve their security. Vulnerability query detection scans and queries computers for vulnerabilities at an early stage; it typically looks for common vulnerabilities or flaws by running a series of tests against systems and networks, including attempting to exploit known vulnerabilities, guessing default passwords or user accounts, or simply attempting to access restricted areas. Vulnerability repair prevention remediates the vulnerabilities found by vulnerability query detection; remediation includes prioritizing the vulnerabilities, determining the appropriate follow-up steps and generating remediation tickets for the IT team to execute, and remediation tracking is an important tool for ensuring that vulnerabilities or misconfigurations are actually resolved. System security testing discovers and exploits vulnerabilities in computer systems with penetration testing software, identifying through simulated attacks the vulnerabilities that a real attacker could exploit; threat protection software lets organizations track, monitor, analyse and prioritize potential threats by collecting data from various sources, including vulnerability databases and security advisories;
The big data query system comprises a network communication module and a big database module. The network communication module queries the big database and retrieves the type of a network attack; the big database module allows various network attack patterns and vulnerability management patterns to be queried and downloaded over the network.
Preferably, the deep learning detection is a deep neural network used for feature extraction, perception and learning. "Deep" refers to the number of hidden layers in the neural network; such a deep neural network can comprise up to 150 hidden layers. Deep learning operates through a series of consecutive layers, each layer connected to the next, with each layer receiving the output of the previous layer as its input.
Preferably, the deep learning detection comprises a deep feedforward network, a recurrent neural network, a convolutional neural network and an autoencoder;
the deep feedforward network: information flows from the input layer to the output layer in one direction only, never backwards;
the recurrent neural network: also called a cyclic neural network, it processes sequence data effectively; unlike a deep feedforward network, the output of a neuron at one time step is fed back to the neurons of the same layer at the next time step;
the convolutional neural network: it comprises convolution layers, pooling layers and fully connected layers, and can reduce an image of large data volume to a small data volume while preserving the image features;
the autoencoder: an unsupervised neural network model consisting of an encoder and a decoder; it encodes an input into an intermediate value and then decodes the intermediate value to reconstruct the input data, thereby achieving dimensionality reduction.
Preferably, the machine learning detection comprises the following algorithms:
statistical methods: a statistical model is built by examining the normal and abnormal behaviour of a user or system and is then used to recognize new attacks; common statistical methods include principal component analysis, the chi-square distribution and Gaussian mixture distributions;
support vector machine: an effective method for detecting intrusion events when data samples are limited; it aims to separate two classes of data by the most suitable separating hyperplane in feature space;
data mining: a common method for analysing user behaviour; it extracts a large amount of information from the collected mass data and derives key rules by analysing the associations between users and data;
rule-set based: the attack traffic in the network is analysed and key rules are extracted; on that basis the data dimensionality is reduced before intrusion behaviour is detected, which reduces the detection computation to some extent and improves detection efficiency;
artificial neural network: an intelligent information processing model that simulates how the human brain processes, stores and handles information; the network acquires knowledge through learning and stores it in the weights of its connections, so the model can learn, adapt and recognize unknown intrusions.
Preferably, the convolutional neural network is computed as follows.
The input image matrix and the convolution kernel are square matrices; the input matrix has size $w$, the convolution kernel has size $k$, the stride is $s$ and the number of zero-padding layers is $p$; the size of the feature map generated after convolution is computed from these quantities.
The input formula is:
$V = \mathrm{conv2}(W, X, \text{"valid"}) + b$,
the output formula is:
The input/output formulas above apply to each convolution layer; each convolution layer has its own weight matrix $W$, and $W$, $X$, $Y$ are matrices. For the last, fully connected, layer, taken as the $L$-th layer, the output is the vector $Y^L$ and the desired output is $d$.
Preferably, the artificial neural network uses an AI intelligent algorithm whose neural network is determined by the input neuron information and the corresponding weight matrix, $W^T X_t$, where $X$ is a vector and $W$ is a weight matrix that transforms $X$ into another vector;
the information passed from the hidden-layer neurons at the previous moment to the neurons at the current moment has value $S_{t-1}$ and corresponding weighted form $U^T S_{t-1}$, where $S_{t-1}$ is a vector and $U$ is a weight matrix that transforms $S_{t-1}$ into a further vector;
the neuron $h_t$ at the current moment integrates the two inputs and is activated to produce the output of the hidden-layer neuron at the current moment; the integration is vector addition: $W^T X_t + U^T S_{t-1}$;
assuming the activation function is $f$, the value of the neuron at the current moment after activation is: $S_t = f(W^T X_t + U^T S_{t-1})$;
information transmission passes the value of the hidden-layer neuron at the current moment to the output neuron at the current moment:
$O_t = g(V^T S_t)$;
the forward formula is therefore:
$S_t = f(W^T X_t + U^T S_{t-1}), \quad O_t = g(V^T S_t) = g\big(V^T f(W^T X_t + U^T S_{t-1})\big)$;
the whole network contains three weight matrices: the first is $W$, of dimension $(N, K)$, where $N$ is the dimension of the hidden-layer neuron vector and $K$ is the dimension of the input unit vector; the second is $V$, of dimension $(L, N)$, where $L$ is the dimension of the output-layer neuron vector; and the third is $U$, of dimension $(N, N)$.
Preferably, the intrusion detection data set comprises the following:
the KDD Cup 99 data set provides labelled training data and unlabelled test data; its features fall into three groups: basic features, traffic features and content features;
the NSL-KDD data set removes the duplicate records of KDD Cup 99, which reduces the data volume; NSL-KDD retains the basic records and data features of the KDD Cup 99 data set, and the attack categories it identifies are the same as in KDD Cup 99;
the UNSW-NB15 data set was generated with an IXIA traffic generator to simulate a real attack environment as closely as possible, based on vulnerability information published on the CVE website;
the CIC-IDS2017 data set uses the CICFlowMeter tool to extract more than 80 feature attributes from the raw data; features can be extracted in two ways, an online mode and an offline mode. In online mode the network traffic is monitored in real time and the features are generated as it flows; when monitoring ends, the feature attributes are stored locally in CSV format. In offline mode a complete capture in pcap format is submitted to the CICFlowMeter tool, which produces a CSV file containing the features.
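As an added example (not a tool from the patent), the flow-feature extraction that CICFlowMeter performs can be illustrated with a small bidirectional flow aggregator: packets arriving one at a time (online mode) or read from a complete capture (offline mode) are grouped into flows, and a handful of CIC-IDS2017-style features (flow duration, forward and backward packet and byte counts, packets per second) are written out as CSV. The packet records are constructed; the feature subset and column names are this example's own, not CICFlowMeter's exact ones.

```python
"""Added example: minimal bidirectional flow feature extraction to CSV,
in the spirit of CICFlowMeter's online (per-packet) and offline (whole
capture) modes. Packet records and feature names are constructed here.
"""
import csv
import io
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    fwd_pkts: int = 0
    bwd_pkts: int = 0
    fwd_bytes: int = 0
    bwd_bytes: int = 0


class FlowTable:
    """Groups packets into bidirectional flows keyed by 5-tuple. The
    direction of the first packet seen defines 'forward'."""

    def __init__(self):
        self.flows = {}

    def add_packet(self, ts, src, sport, dst, dport, proto, length):
        """Online mode: fold one packet into its flow as it arrives."""
        key = (src, sport, dst, dport, proto)
        rkey = (dst, dport, src, sport, proto)
        if key in self.flows:
            fl, forward = self.flows[key], True
        elif rkey in self.flows:
            fl, forward = self.flows[rkey], False
        else:
            fl = Flow(src, sport, dst, dport, proto, start=ts, end=ts)
            self.flows[key], forward = fl, True
        fl.end = max(fl.end, ts)
        if forward:
            fl.fwd_pkts += 1
            fl.fwd_bytes += length
        else:
            fl.bwd_pkts += 1
            fl.bwd_bytes += length

    @classmethod
    def from_capture(cls, packets):
        """Offline mode: build the table from a complete packet list."""
        table = cls()
        for pkt in sorted(packets, key=lambda p: p[0]):   # by timestamp
            table.add_packet(*pkt)
        return table

    def features(self):
        """One feature row per flow (subset of CIC-IDS2017-style columns)."""
        rows = []
        for fl in self.flows.values():
            duration = fl.end - fl.start
            total = fl.fwd_pkts + fl.bwd_pkts
            rows.append({
                "src": fl.src, "sport": fl.sport, "dst": fl.dst, "dport": fl.dport,
                "proto": fl.proto,
                "flow_duration": round(duration, 6),
                "tot_fwd_pkts": fl.fwd_pkts, "tot_bwd_pkts": fl.bwd_pkts,
                "tot_fwd_bytes": fl.fwd_bytes, "tot_bwd_bytes": fl.bwd_bytes,
                # a single-packet flow has zero duration; never divide by it
                "flow_pkts_per_s": round(total / duration, 3) if duration > 0 else 0.0,
            })
        return rows

    def to_csv(self):
        rows = self.features()
        if not rows:
            return ""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()


# Constructed packets: (ts, src, sport, dst, dport, proto, length).
PACKETS = [
    (0.000, "10.0.0.5", 40000, "93.184.216.34", 443, "TCP", 60),
    (0.020, "93.184.216.34", 443, "10.0.0.5", 40000, "TCP", 60),
    (0.025, "10.0.0.5", 40000, "93.184.216.34", 443, "TCP", 517),
    (0.080, "93.184.216.34", 443, "10.0.0.5", 40000, "TCP", 1460),
    (0.100, "10.0.0.5", 53000, "10.0.0.1", 53, "UDP", 70),
    (0.120, "10.0.0.1", 53, "10.0.0.5", 53000, "UDP", 120),
]

if __name__ == "__main__":
    print(FlowTable.from_capture(PACKETS).to_csv())
```

Both modes must produce identical rows for the same packets; a real extractor additionally expires idle flows on a timeout and treats a TCP FIN/RST as a flow boundary, which this aggregator leaves out.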
Preferably, the network security framework comprises the following:
the NIST Cybersecurity Framework is an iterative method that helps organizations develop a consistent approach to identifying, assessing and managing network security risks; the critical infrastructure it protects may be operated by public or private sector organizations of varying size, complexity and technical capability;
ISO/IEC 27001 and ISO/IEC 27002 cover the requirements for designing, implementing, maintaining and continually improving an information security management system, which an organization analyses on the basis of the following factors: an assessment of the risks it faces, identifying the threats, the degree of vulnerability, the likelihood of occurrence and the potential impact; the legal and contractual obligations it must fulfil; and the internal processes, procedures and business requirements of its information management;
the CIS Controls framework uses a crowdsourced approach to identify the most common network threats and define the security measures that prevent them, including inventory and control of enterprise assets, data protection, e-mail and web browser protection, security awareness and skills training, incident response management and penetration testing;
HIPAA standardizes how healthcare organizations handle information and outlines three main aspects of information security compliance: administrative safeguards, that is the adoption of rules and procedures that specify how the organization will comply with the law; physical safeguards that control physical access to the protected data; and technical safeguards that protect the software and hardware systems which process, store and transmit the data;
PCI DSS responds to the growing number of credit card data compromises; organizations subject to the framework must meet six control objectives: build and maintain secure networks and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
Preferably, the data backup encryption uses a hash algorithm;
the hash algorithm computes a storage address from a key:
$\mathrm{address} = H[\mathrm{key}]$;
collisions are resolved by linear probing, quadratic probing or double hashing;
the linear probing formula is:
$h_i = (h(\mathrm{key}) + i) \bmod m, \quad 0 \le i \le m-1$;
that is, starting from address $d$, the table entries $T[d]$, $T[d+1]$, … are probed in turn up to $T[m-1]$, then probing wraps around to $T[0]$, $T[1]$, … until either a free address is found or $T[d-1]$ is reached.
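As an added example (not code from the patent), an open-addressing table implementing $\mathrm{address} = H[\mathrm{key}]$ with the linear-probing sequence $h_i = (h(\mathrm{key}) + i) \bmod m$ described above, including the wrap-around to $T[0]$ and the stop at $T[d-1]$ when the table is full. The default hash, SHA-256 truncated to an integer, is an assumption; the keys and the deliberately colliding hash used in the demonstration are constructed. Note that a hash function gives addressing and integrity, not confidentiality: what the page calls "data backup encryption" would still need a cipher for the backup contents themselves.

```python
"""Added example: open-addressing hash table with linear probing,
address = H[key], h_i = (h(key) + i) mod m.

The default hash maps a key to an integer via SHA-256 (assumption). A
caller-supplied hash lets the demo force collisions deterministically.
"""
import hashlib

_EMPTY = object()


def sha256_hash(key):
    """H(key): SHA-256 of the UTF-8 key, taken as an integer."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest(), "big")


class LinearProbingTable:
    def __init__(self, m, hash_fn=sha256_hash):
        self.m = m
        self.hash_fn = hash_fn
        self.keys = [_EMPTY] * m           # T[0..m-1]
        self.values = [None] * m

    def _probe(self, key):
        """Yield (i, h_i) for i = 0..m-1: start at d = h(key) mod m, step to
        T[d+1], ..., T[m-1], wrap to T[0], ..., and end at T[d-1]."""
        d = self.hash_fn(key) % self.m
        for i in range(self.m):
            yield i, (d + i) % self.m

    def insert(self, key, value):
        """Store value under key; return the number of probes used.
        Raises when the whole probe sequence T[d..d-1] is occupied."""
        for i, addr in self._probe(key):
            if self.keys[addr] is _EMPTY or self.keys[addr] == key:
                self.keys[addr] = key
                self.values[addr] = value
                return i + 1
        raise OverflowError("table full: probed all m addresses")

    def get(self, key):
        """Return the value for key, or None when the probe sequence hits
        a free address (the key cannot lie further along) or is exhausted."""
        addr = self.address_of(key)
        return None if addr is None else self.values[addr]

    def address_of(self, key):
        """Address T[h_i] at which key is stored, or None."""
        for _, addr in self._probe(key):
            if self.keys[addr] is _EMPTY:
                return None
            if self.keys[addr] == key:
                return addr
        return None


def demo():
    """Force collisions with h(key) = len(key) on a table of m = 5 so the
    probe sequence visibly wraps around. Returns {key: address}."""
    t = LinearProbingTable(5, hash_fn=len)
    keys = ("ab", "cd", "xyz", "e", "fg")
    for key in keys:
        t.insert(key, key.upper())
    return {k: t.address_of(k) for k in keys}


if __name__ == "__main__":
    print(demo())
```

In the demonstration, "ab" and "cd" both hash to address 2, so "cd" lands at 3; "xyz" hashes to 3 and is pushed to 4; "fg" hashes to 2, finds 2, 3 and 4 taken, wraps to $T[0]$ and stops there. A sixth insert exhausts the sequence and raises instead of looping forever.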
Preferably, when the big database module queries network attack patterns and security vulnerability handling patterns, a particle swarm algorithm is used to query and detect, and the best handling pattern is searched for analysis and processing;
the particle swarm algorithm uses information sharing among the individuals of a swarm so that the swarm as a whole evolves from disorder to order while solving the problem, and the solution is thus obtained;
the particle swarm algorithm updates the velocity and position of each particle at the $(d+1)$-th iteration, where:
$n$ is the number of particles,
$c_1$ is the individual learning factor, also called the individual acceleration factor,
$c_2$ is the social learning factor, also called the social acceleration factor,
$w$ is the inertia weight of the velocity,
the velocity of the $i$-th particle at the $d$-th iteration,
the position of the $i$-th particle at the $d$-th iteration,
$f(x)$ is the fitness value at position $x$,
$\mathrm{pbest}_i^d$ is the best position passed by the $i$-th particle up to the $d$-th iteration,
and the best position passed by all particles up to the $d$-th iteration.
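As an added example (not the patent's implementation), the particle swarm algorithm described above with the parameters the page lists ($n$, $c_1$, $c_2$, $w$, the per-particle best and the swarm best). It uses the standard velocity and position update, which is an assumption since the page's own update formula is not reproduced in the extracted text. The fitness function is a constructed quadratic with a known minimum; in the platform it would score a candidate attack-handling pattern instead.

```python
"""Added example: particle swarm optimisation (minimisation).

Standard update (assumption: the page's own formula is not reproduced):
    v_i^{d+1} = w*v_i^d + c1*r1*(pbest_i^d - x_i^d) + c2*r2*(gbest^d - x_i^d)
    x_i^{d+1} = x_i^d + v_i^{d+1}
with r1, r2 uniform in [0, 1]. The fitness function is constructed.
"""
import random


def pso(fitness, dim, n=20, iters=300, w=0.7, c1=1.5, c2=1.5,
        bounds=(-10.0, 10.0), seed=1):
    """Minimise fitness(x) over a box; return (gbest position, gbest value)."""
    rng = random.Random(seed)               # fixed seed -> reproducible run
    lo, hi = bounds
    x = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(n)]
    v = [[0.0] * dim for _ in range(n)]
    pbest = [list(p) for p in x]            # best position of each particle
    pbest_val = [fitness(p) for p in x]
    g = min(range(n), key=lambda i: pbest_val[i])
    gbest, gbest_val = list(pbest[g]), pbest_val[g]   # best over the swarm

    for _ in range(iters):
        for i in range(n):
            for j in range(dim):
                r1, r2 = rng.random(), rng.random()
                v[i][j] = (w * v[i][j]
                           + c1 * r1 * (pbest[i][j] - x[i][j])
                           + c2 * r2 * (gbest[j] - x[i][j]))
                # keep particles inside the search box
                x[i][j] = min(hi, max(lo, x[i][j] + v[i][j]))
            val = fitness(x[i])
            if val < pbest_val[i]:              # information each particle keeps
                pbest[i], pbest_val[i] = list(x[i]), val
                if val < gbest_val:             # information shared by the swarm
                    gbest, gbest_val = list(x[i]), val
    return gbest, gbest_val


def demo_fitness(x):
    """Constructed objective with minimum 0 at (1, -2)."""
    return (x[0] - 1.0) ** 2 + (x[1] + 2.0) ** 2


if __name__ == "__main__":
    best, val = pso(demo_fitness, dim=2)
    print("best position:", [round(c, 4) for c in best], "fitness:", round(val, 8))
```

The inertia weight $w$ below 1 damps the velocities so the swarm settles; with $w \ge 1$ and the same $c_1$, $c_2$ the particles keep overshooting and the run rarely converges.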
Compared with the prior art, the invention has the following beneficial effects:
In use, network attacks are effectively guarded against by detecting and preventing them: attacks are detected in several forms through abnormal access prevention, IP address lookup, data size analysis, deep learning detection, machine learning detection and intrusion detection data sets, which raises the level of security and makes protection against network attacks convenient. After an attack has been blocked, system vulnerabilities are detected and repaired through security vulnerability management; the protective security of the system is raised through a security framework, the system framework is tested and vulnerabilities are found by simulated attacks, and the vulnerabilities are finally repaired, improving security. Information on network attacks and vulnerabilities is obtained through the big data query system, and network security is updated in real time from the big data.
Drawings
Fig. 1 is a schematic diagram of the structure of the framework platform according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will now be described clearly and completely with reference to the accompanying drawings. The embodiments described are evidently only some, not all, of the embodiments of the invention. All other embodiments obtained by a person skilled in the art on the basis of these embodiments without inventive effort fall within the scope of the invention.
Referring to fig. 1, the present invention provides the following technical solution. A network attack and security vulnerability management framework platform based on big data analysis comprises a network attack module, a security vulnerability management module and a big data query system.
The network attack module comprises abnormal access prevention, IP address lookup, data size analysis, deep learning detection, machine learning detection and intrusion detection data sets. Abnormal access prevention blocks abnormal access and stops abnormal information that carries a network attack from entering; IP address lookup queries the address information of the abnormal information, and data access from the abnormal IP address is permanently blocked; data size analysis collects the data of normal communication and analyses its size; deep learning detection uses software to detect threats, prevent unauthorized access or abuse and report attacks to a security administrator; machine learning detection detects abnormal attacks by means of computer algorithms; and the intrusion detection data sets provide the conditions needed to evaluate and train an intrusion detection system based on anomaly detection;
The security vulnerability management module comprises a network security framework, firewall protection, data backup encryption, vulnerability query detection, vulnerability repair prevention and system security testing. The network security framework is a set of standards, guidelines and procedures drawn up by a network security professional organization to help an organization understand and manage the network security risks it faces. Firewall protection combines software and hardware devices for security management and filtering so as to build a relatively isolated protective barrier between the internal network and the external network and protect user data and information. Data backup encryption backs up and encrypts the data of computer resources to improve their security. Vulnerability query detection scans and queries computers for vulnerabilities at an early stage; it typically looks for common vulnerabilities or flaws by running a series of tests against systems and networks, including attempting to exploit known vulnerabilities, guessing default passwords or user accounts, or simply attempting to access restricted areas. Vulnerability repair prevention remediates the vulnerabilities found by vulnerability query detection; remediation includes prioritizing the vulnerabilities, determining the appropriate follow-up steps and generating remediation tickets for the IT team to execute, and remediation tracking is an important tool for ensuring that vulnerabilities or misconfigurations are actually resolved. System security testing discovers and exploits vulnerabilities in computer systems with penetration testing software, identifying through simulated attacks the vulnerabilities that a real attacker could exploit; threat protection software lets organizations track, monitor, analyse and prioritize potential threats by collecting data from various sources, including vulnerability databases and security advisories;
The big data query system comprises a network communication module and a big database module. The network communication module queries the big database and retrieves the type of a network attack; the big database module allows various network attack patterns and vulnerability management patterns to be queried and downloaded over the network.
In order to provide deep learning protection against network attacks, in this embodiment the deep learning detection is preferably a deep neural network used for feature extraction, perception and learning, where "deep" refers to the number of hidden layers in the neural network; such a deep neural network can comprise up to 150 hidden layers. Deep learning operates through a series of consecutive layers, each layer connected to the next, with each layer receiving the output of the previous layer as its input.
In order to detect and process network attacks with different algorithms, in this embodiment the deep learning detection preferably comprises a deep feedforward network, a recurrent neural network, a convolutional neural network and an autoencoder;
the deep feedforward network: information flows from the input layer to the output layer in one direction only, never backwards;
the recurrent neural network: also called a cyclic neural network, it processes sequence data effectively; unlike a deep feedforward network, the output of a neuron at one time step is fed back to the neurons of the same layer at the next time step;
the convolutional neural network: it comprises convolution layers, pooling layers and fully connected layers, and can reduce an image of large data volume to a small data volume while preserving the image features;
the autoencoder: an unsupervised neural network model consisting of an encoder and a decoder; it encodes an input into an intermediate value and then decodes the intermediate value to reconstruct the input data, thereby achieving dimensionality reduction.
In order to provide self-learning security protection against network attacks, identify them effectively and prevent them, in this embodiment the machine learning detection preferably comprises the following algorithms:
statistical methods: a statistical model is built by examining the normal and abnormal behaviour of a user or system and is then used to recognize new attacks; common statistical methods include principal component analysis, the chi-square distribution and Gaussian mixture distributions;
support vector machine: an effective method for detecting intrusion events when data samples are limited; it aims to separate two classes of data by the most suitable separating hyperplane in feature space;
data mining: a common method for analysing user behaviour; it extracts a large amount of information from the collected mass data and derives key rules by analysing the associations between users and data;
rule-set based: the attack traffic in the network is analysed and key rules are extracted; on that basis the data dimensionality is reduced before intrusion behaviour is detected, which reduces the detection computation to some extent and improves detection efficiency;
artificial neural network: an intelligent information processing model that simulates how the human brain processes, stores and handles information; the network acquires knowledge through learning and stores it in the weights of its connections, so the model can learn, adapt and recognize unknown intrusions.
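As an added example (not part of the patent), the statistical-model approach listed here and in the earlier disclosure section can be made concrete: a per-feature Gaussian model of normal behaviour is fitted on baseline connection records, and each new record is scored by its sum of squared z-scores, with the alert threshold taken from the chi-square distribution the passage mentions. The records, feature names and threshold value are constructed for this example; the feature names merely imitate KDD Cup 99 attributes.

```python
"""Added example: Gaussian anomaly scoring of connection records.

Fits a diagonal Gaussian ("statistical model of normal behaviour") on
constructed baseline records and flags records whose sum of squared
z-scores exceeds a chi-square threshold. Feature names imitate KDD Cup 99
attributes; all values below are constructed for this example.
"""
import math

FEATURES = ("duration", "src_bytes", "dst_bytes", "count")

# Constructed baseline of normal HTTPS-like connections.
BASELINE = [
    {"duration": 1, "src_bytes": 200, "dst_bytes": 1500, "count": 3},
    {"duration": 2, "src_bytes": 250, "dst_bytes": 1400, "count": 4},
    {"duration": 1, "src_bytes": 180, "dst_bytes": 1600, "count": 2},
    {"duration": 3, "src_bytes": 300, "dst_bytes": 1450, "count": 5},
    {"duration": 2, "src_bytes": 220, "dst_bytes": 1550, "count": 3},
    {"duration": 1, "src_bytes": 210, "dst_bytes": 1480, "count": 4},
    {"duration": 2, "src_bytes": 240, "dst_bytes": 1520, "count": 3},
    {"duration": 2, "src_bytes": 230, "dst_bytes": 1500, "count": 4},
]

# Constructed records to score: one normal, one connection flood,
# one unusually large outbound transfer.
PROBES = [
    {"id": "normal", "duration": 2, "src_bytes": 230, "dst_bytes": 1490, "count": 4},
    {"id": "flood", "duration": 0, "src_bytes": 0, "dst_bytes": 0, "count": 500},
    {"id": "exfil", "duration": 1, "src_bytes": 200, "dst_bytes": 90000, "count": 3},
]

# 0.99 quantile of the chi-square distribution with 4 degrees of freedom
# (one per feature): under the normal model the sum of 4 squared
# standard-normal z-scores exceeds this value about 1% of the time.
CHI2_4_P99 = 13.28


def fit_gaussian(records):
    """Return {feature: (mean, std)} estimated from the baseline records."""
    n = len(records)
    model = {}
    for f in FEATURES:
        xs = [r[f] for r in records]
        mean = sum(xs) / n
        var = sum((x - mean) ** 2 for x in xs) / n
        # A constant feature would give std 0 and divide by zero below;
        # floor the std so such a feature never dominates the score.
        model[f] = (mean, max(math.sqrt(var), 1e-9))
    return model


def anomaly_score(model, record):
    """Sum of squared z-scores: the squared Mahalanobis distance under a
    diagonal covariance."""
    return sum(((record[f] - mean) / std) ** 2 for f, (mean, std) in model.items())


def detect(model, records, threshold=CHI2_4_P99):
    """Return (id, score, is_anomalous) for each record."""
    out = []
    for r in records:
        score = anomaly_score(model, r)
        out.append((r["id"], round(score, 2), score > threshold))
    return out


if __name__ == "__main__":
    model = fit_gaussian(BASELINE)
    for rid, score, flagged in detect(model, PROBES):
        print(f"{rid:8s} score={score:12.2f} anomalous={flagged}")
```

The diagonal model only catches records that are unusual in some single feature; a record whose features are each in range but jointly unusual needs the full covariance, which is where the principal component analysis the passage mentions comes in.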
In order to detect through image information and provide different forms of security protection for the network system, in this embodiment the convolutional neural network is preferably computed as follows.
The input image matrix and the convolution kernel are square matrices; the input matrix has size $w$, the convolution kernel has size $k$, the stride is $s$ and the number of zero-padding layers is $p$; the size of the feature map generated after convolution is computed from these quantities.
The input formula is:
$V = \mathrm{conv2}(W, X, \text{"valid"}) + b$,
the output formula is:
The input/output formulas above apply to each convolution layer; each convolution layer has its own weight matrix $W$, and $W$, $X$, $Y$ are matrices. For the last, fully connected, layer, taken as the $L$-th layer, the output is the vector $Y^L$ and the desired output is $d$.
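As an added example (not code from the patent), the convolution-layer input formula $V = \mathrm{conv2}(W, X, \text{"valid"}) + b$ from this section and the earlier disclosure section implemented directly. Assumptions: the feature-map size uses the standard relation $\lfloor (w - k + 2p)/s \rfloor + 1$ for the $w$, $k$, $s$, $p$ the page defines (the page's own size formula is not reproduced in the extracted text), the kernel is flipped as MATLAB's conv2 does, and ReLU stands in for the unspecified output activation. The input matrix and kernel are constructed.

```python
"""Added example: one convolution layer, V = conv2(W, X, "valid") + b.

Pure Python so it runs without numpy. X is the w×w input matrix, W the k×k
kernel, b the bias. The kernel is flipped in both axes (true convolution,
as MATLAB's conv2 does; deep-learning frameworks usually skip the flip and
compute cross-correlation). The size relation and the ReLU output are
assumptions, not taken from the page.
"""


def feature_map_size(w, k, s=1, p=0):
    """Side length of the feature map for a w×w input, k×k kernel,
    stride s and p layers of zero padding: floor((w - k + 2p) / s) + 1.
    Raises when the kernel does not fit the padded input."""
    if w + 2 * p < k:
        raise ValueError("kernel larger than padded input")
    return (w - k + 2 * p) // s + 1


def conv2_valid(W, X, b=0.0):
    """V = conv2(W, X, "valid") + b for square W (k×k) and X (w×w)."""
    k, w = len(W), len(X)
    n = feature_map_size(w, k)          # "valid": stride 1, no padding
    V = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            acc = b
            for u in range(k):
                for v in range(k):
                    # flipped kernel index (k-1-u, k-1-v): true convolution
                    acc += W[u][v] * X[i + k - 1 - u][j + k - 1 - v]
            V[i][j] = acc
    return V


def relu(V):
    """Output Y = f(V) with f = ReLU (assumed activation)."""
    return [[max(0.0, x) for x in row] for row in V]


# Constructed 3×3 input and 2×2 kernel.
X_DEMO = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]
W_DEMO = [[1, 2], [3, 4]]

if __name__ == "__main__":
    print("28x28 input, 5x5 kernel ->", feature_map_size(28, 5))
    print("32x32 input, 3x3 kernel, stride 2, pad 1 ->", feature_map_size(32, 3, 2, 1))
    print("V =", conv2_valid(W_DEMO, X_DEMO, b=-30))
    print("Y =", relu(conv2_valid(W_DEMO, X_DEMO, b=-30)))
```

For the constructed input, the first output element is $1\cdot4 + 2\cdot3 + 4\cdot2 + 5\cdot1 = 23$, which is what MATLAB's conv2 with the flipped kernel returns; dropping the flip would give $1\cdot1 + 2\cdot2 + 4\cdot3 + 5\cdot4 = 37$ instead, so the convention matters when weights trained in one tool are loaded into another.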
In order to enable the network protection to self-learn and raise the protection level, in this embodiment, preferably, the artificial neural network adopts an AI intelligent algorithm. Its neural network is determined by the input neuron information $X_t$ and the corresponding weight matrix W as $W^T X_t$, where X is a vector and W is a weight matrix by which X is converted into another vector;
the information transferred from the hidden-layer neuron at the previous moment to the neuron at the current moment has the value $S_{t-1}$ and is determined with the corresponding weight matrix U as $U^T S_{t-1}$, where $S_{t-1}$ is a vector and U is a weight matrix by which $S_{t-1}$ is converted into a further vector;
the neuron $h_t$ at the current moment mainly integrates these two inputs, is activated and produces the output of the hidden-layer neuron at the current moment; the integration is the vector addition $W^T X_t + U^T S_{t-1}$;
assuming the activation function is f, the value of the neuron at the current moment after activation is $S_t = f(W^T X_t + U^T S_{t-1})$;
the information transmission mainly passes the value of the hidden-layer neuron at the current moment to the output neuron at the current moment:
$O_t = g(V^T S_t)$;
the forward formula is therefore:
$S_t = f(W^T X_t + U^T S_{t-1})$, $O_t = g(V^T S_t) = g(V^T f(W^T X_t + U^T S_{t-1}))$;
the whole neural network contains three weight matrices: the first is W, of dimension (N, K), where N is the vector dimension of the hidden-layer neuron value and K is the vector dimension of the input unit; the second is V, of dimension (L, N), where P represents the vector dimension of the output-layer neurons; and the third is U, of dimension (N, N).
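The forward pass above, as an added example in pure Python (not code from the patent). The weight shapes are an assumption chosen so that $W^T X_t$, $U^T S_{t-1}$ and $V^T S_t$ are well formed (W stored as K×N, U as N×N, V as N×L), and all weights and input feature vectors are constructed toy values:

```python
"""Forward pass S_t = f(W^T X_t + U^T S_{t-1}), O_t = g(V^T S_t) in pure Python.

Added example, not the patent's code. Shapes are an assumption: W is stored as
K x N, U as N x N and V as N x L so that every transposed product is well formed
(the page states W as (N, K)). All weights and inputs below are constructed.
"""
import math
from typing import Callable, List, Tuple

Vector = List[float]
Matrix = List[List[float]]  # list of rows


def mat_t_vec(m: Matrix, x: Vector) -> Vector:
    """Return M^T x: M has len(x) rows, the result has one entry per column."""
    rows, cols = len(m), len(m[0])
    if len(x) != rows:
        raise ValueError(f"shape mismatch: M is {rows}x{cols} but x has {len(x)} entries")
    return [sum(m[r][c] * x[r] for r in range(rows)) for c in range(cols)]


def vec_add(a: Vector, b: Vector) -> Vector:
    """Vector addition, the integration step of the hidden neuron."""
    return [p + q for p, q in zip(a, b)]


def relu(z: Vector) -> Vector:
    return [max(0.0, v) for v in z]


def sigmoid(z: Vector) -> Vector:
    return [1.0 / (1.0 + math.exp(-v)) for v in z]


class SimpleRNN:
    """Hidden state S_t in R^N, input X_t in R^K, output O_t in R^L."""

    def __init__(self, W: Matrix, U: Matrix, V: Matrix,
                 f: Callable[[Vector], Vector] = relu,
                 g: Callable[[Vector], Vector] = sigmoid) -> None:
        self.W, self.U, self.V, self.f, self.g = W, U, V, f, g
        self.N = len(U)  # U is N x N

    def step(self, x_t: Vector, s_prev: Vector) -> Tuple[Vector, Vector]:
        # W^T X_t maps the input into hidden space, U^T S_{t-1} carries the
        # previous hidden state forward; the vector sum is activated by f.
        s_t = self.f(vec_add(mat_t_vec(self.W, x_t), mat_t_vec(self.U, s_prev)))
        # The hidden value is passed to the output neuron: O_t = g(V^T S_t).
        o_t = self.g(mat_t_vec(self.V, s_t))
        return s_t, o_t

    def forward(self, xs: List[Vector]) -> Tuple[List[Vector], List[Vector]]:
        """Run the recurrence from S_0 = 0; return (hidden states, outputs)."""
        s = [0.0] * self.N
        states, outputs = [], []
        for x_t in xs:
            s, o_t = self.step(x_t, s)
            states.append(s)
            outputs.append(o_t)
        return states, outputs

    def max_score(self, xs: List[Vector]) -> float:
        """Highest value of the first output neuron over the sequence; with the
        sigmoid g this reads as a per-sequence alert score in [0, 1]."""
        _, outputs = self.forward(xs)
        return max(o[0] for o in outputs)


if __name__ == "__main__":
    # Constructed 2-feature per-packet sequence: (normalized size, normalized rate).
    W = [[1.0, -0.5], [0.5, 1.0]]   # K=2 x N=2
    U = [[0.5, 0.0], [0.0, 0.5]]    # N x N
    V = [[1.0], [1.0]]              # N x L=1
    rnn = SimpleRNN(W, U, V)
    seq = [[0.1, 0.2], [0.3, 0.9], [0.9, 0.9]]
    states, outputs = rnn.forward(seq)
    for t, (s, o) in enumerate(zip(states, outputs), start=1):
        print(f"t={t}: S_t={s}  O_t={o}")
    print("alert score:", rnn.max_score(seq))
```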
In order to determine the intrusion detection data set, so as to facilitate identifying the type of network attack and the security protection, in this embodiment, preferably, the intrusion detection data sets include the following:
the KDD Cup 99 data set provides labelled training data and unlabelled test data, and its features fall into 3 categories of attributes: basic features, traffic features and content features;
the NSL-KDD data set removes the duplicate records of KDD Cup 99, which reduces the data volume; NSL-KDD keeps the basic records and data features of the KDD Cup 99 data set, and the attack categories it identifies are the same as those of KDD Cup 99;
the UNSW-NB15 data set is generated with an IXIA traffic generator so as to simulate a real attack environment as closely as possible, according to the vulnerability information published on the CVE website;
the CIC-IDS2017 data set uses the CICFlowMeter tool to extract more than 80 feature attributes from the raw data; the features can be extracted in two ways, an online mode and an offline mode. In online mode the network traffic is monitored in real time and features are generated; once monitoring ends, the feature attributes are saved locally in CSV format. In offline mode a complete capture in pcap format is submitted to the CICFlowMeter tool, which produces a CSV file containing the features.
In order to provide framework support for the security protection of the network and improve network security, in this embodiment, preferably, the network security framework comprises the following types:
the NIST Cybersecurity Framework is an iterative method that helps organizations build a consistent approach to identifying, assessing and managing cybersecurity risk; the critical infrastructure it protects may be operated by public- or private-sector organizations of varying scale, complexity and technical capability;
ISO/IEC 27001 / ISO 27002 cover the requirements for designing, implementing, maintaining and continually improving an information security management system, which an organization analyzes on the basis of the following factors: assessing the risks the organization faces to identify threats, the degree of vulnerability, the likelihood of occurrence and the potential impact; the legal and contractual obligations the organization must fulfil; and the internal processes, procedures and business requirements of information management for its business operations;
the CIS Controls framework uses a crowdsourced approach to identify the most common cyber threats and define security measures to prevent them, including inventory and control of enterprise assets, data protection, e-mail and web browser protection, security awareness and skills training, incident response management and penetration testing;
HIPAA standardizes the way healthcare organizations handle information and outlines three major aspects of information security compliance: adopting administrative safeguards in the form of rules and procedures, which specify how the organization will comply with the law; providing physical safeguards for physical access control to protected data; and technical safeguards protecting the software and hardware systems that process, store and transmit data;
PCI-DSS addresses the growing number of credit card data compromise incidents; an organization subject to the framework must meet six control objectives: build and maintain secure networks and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
In order to protect the user's network resources and prevent intrusion attacks, in this embodiment, preferably, the data backup encryption adopts a hash algorithm;
The formula of the hash algorithm is as follows:
address = H[key];
the collision resolution methods of the hash algorithm comprise linear probing, quadratic probing and double hashing;
the formula of linear probing is as follows:
$h_i = (h(key) + i) \bmod m$, $0 \le i \le m-1$;
that is, starting from address d it probes T[d] first, then T[d+1], … in turn up to T[m-1], then wraps around to T[0], T[1], …, until either a free address is found or T[d-1] is reached.
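The linear probing rule above, as an added example (not the patent's code): an open-addressing table whose insert and lookup follow the probe order T[d], T[d+1], …, T[m-1], T[0], …, T[d-1] and stop at the first free address or at T[d-1]. The hash H is a constructed choice (FNV-1a 32-bit) so the probe order is reproducible across runs; any other h can be injected.

```python
"""Open-addressing hash table using the linear probing of the page:
    h_i = (h(key) + i) mod m,  0 <= i <= m-1,
i.e. probe T[d], T[d+1], ..., T[m-1], then T[0], ..., T[d-1].

Added example, not the patent's code. The hash H is a constructed choice:
FNV-1a 32-bit, so the probe sequence is stable across runs (Python's hash() of
str is salted per process). Deletion is deliberately omitted: without tombstones
it would break the "stop at the first free address" lookup rule.
"""
from typing import Any, Callable, List, Optional, Tuple

Slot = Optional[Tuple[str, Any]]  # None marks a free address


def fnv1a_32(key: str) -> int:
    """Deterministic 32-bit FNV-1a hash of a string (constructed choice of H)."""
    acc = 0x811C9DC5
    for byte in key.encode("utf-8"):
        acc = ((acc ^ byte) * 0x01000193) & 0xFFFFFFFF
    return acc


class LinearProbingTable:
    """Fixed-size table T[0..m-1] with linear probing collision resolution."""

    def __init__(self, m: int, h: Callable[[str], int] = fnv1a_32) -> None:
        if m <= 0:
            raise ValueError("table size m must be positive")
        self.m = m
        self.h = h
        self.T: List[Slot] = [None] * m
        self.count = 0

    def probe_sequence(self, key: str) -> List[int]:
        """All addresses h_0 .. h_{m-1} for the key, in probe order."""
        d = self.h(key) % self.m
        return [(d + i) % self.m for i in range(self.m)]

    def insert(self, key: str, value: Any) -> int:
        """Store (key, value) at the first free address along the probe sequence,
        or update the key in place; return the address used.
        Raises OverflowError when T[d-1] is reached without a free address."""
        for addr in self.probe_sequence(key):
            slot = self.T[addr]
            if slot is None:
                self.T[addr] = (key, value)
                self.count += 1
                return addr
            if slot[0] == key:
                self.T[addr] = (key, value)
                return addr
        raise OverflowError(f"table of size {self.m} is full; no free address for {key!r}")

    def lookup(self, key: str) -> Optional[Any]:
        """Follow the same probe sequence; a free address means the key is absent."""
        for addr in self.probe_sequence(key):
            slot = self.T[addr]
            if slot is None:
                return None
            if slot[0] == key:
                return slot[1]
        return None  # wrapped all the way round to T[d-1]

    def load_factor(self) -> float:
        return self.count / self.m


if __name__ == "__main__":
    # Constructed sample: backup record identifiers mapped to their digests.
    table = LinearProbingTable(m=7)
    for record_id in ["backup-001", "backup-002", "backup-003", "backup-004"]:
        addr = table.insert(record_id, f"digest-of-{record_id}")
        print(f"{record_id} -> T[{addr}]  (probe order {table.probe_sequence(record_id)})")
    print("lookup backup-003:", table.lookup("backup-003"))
    print("lookup missing   :", table.lookup("backup-999"))
    print("load factor      :", round(table.load_factor(), 2))
```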
In order to query the network attack patterns, protection methods and vulnerabilities in the big data and achieve targeted protection effectively, in this embodiment, preferably, the big database module uses a particle swarm algorithm for query and detection when querying network attack patterns and security vulnerability handling methods, and searches for the most suitable method for analysis and processing;
the particle swarm algorithm uses the sharing of information among the individuals of the swarm so that, in the course of solving the problem, the whole swarm evolves from disorder to order, and the solution of the problem is thereby obtained;
the formula of the particle swarm algorithm is as follows:
the (d+1)-th iteration,
where:
n is the number of particles,
$c_1$ is the individual learning factor, also called the individual acceleration factor,
$c_2$ is the social learning factor, also called the social acceleration factor,
w is the inertia weight of the velocity,
the velocity of the i-th particle at the d-th iteration,
the position of the i-th particle at the d-th iteration,
f(x) is the fitness value at position x,
the best position the i-th particle has passed through up to the d-th iteration,
$pbest^d$ is the best position all particles have passed through up to the d-th iteration.
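The swarm update that the variable list above describes, as an added example (not the patent's code). The velocity and position update is the standard PSO rule, assumed here because the page lists the quantities but not the formula itself, and the fitness f(x) is a constructed stand-in (squared distance to a target parameter vector) for the page's "most suitable method" score:

```python
"""Particle swarm optimization over the quantities the page lists: n particles,
c1, c2, inertia weight w, per-particle velocity and position, fitness f(x),
per-particle best pbest and swarm best gbest.

Added example, not the patent's code. The update rule is the standard PSO rule,
assumed because the page names the variables but not the formula:
    v_i^{d+1} = w v_i^d + c1 r1 (pbest_i^d - x_i^d) + c2 r2 (gbest^d - x_i^d)
    x_i^{d+1} = x_i^d + v_i^{d+1}
The fitness below is a constructed stand-in; a deployment would supply its own.
"""
import random
from typing import Callable, List, Sequence, Tuple

Position = List[float]


def squared_distance_to(target: Sequence[float]) -> Callable[[Position], float]:
    """Constructed fitness: f(x) = sum_k (x_k - target_k)^2, minimum 0 at target."""
    def f(x: Position) -> float:
        return sum((xk - tk) ** 2 for xk, tk in zip(x, target))
    return f


def pso_minimize(f: Callable[[Position], float], dim: int, n: int = 30,
                 iterations: int = 200, w: float = 0.7, c1: float = 1.5,
                 c2: float = 1.5, bounds: Tuple[float, float] = (-5.0, 5.0),
                 seed: int = 0) -> Tuple[Position, float, List[float]]:
    """Minimize f; return (gbest, f(gbest), gbest fitness after each iteration)."""
    rng = random.Random(seed)
    lo, hi = bounds
    span = hi - lo
    # Iteration d = 0: random positions and small random velocities; each
    # particle's pbest starts as its own position.
    x = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(n)]
    v = [[rng.uniform(-span, span) * 0.1 for _ in range(dim)] for _ in range(n)]
    pbest = [xi[:] for xi in x]
    pbest_val = [f(xi) for xi in x]
    g = min(range(n), key=lambda i: pbest_val[i])
    gbest, gbest_val = pbest[g][:], pbest_val[g]
    history: List[float] = []
    for _ in range(iterations):
        for i in range(n):
            for k in range(dim):
                r1, r2 = rng.random(), rng.random()
                # Inertia term, pull toward own best (c1), pull toward swarm best (c2).
                v[i][k] = (w * v[i][k]
                           + c1 * r1 * (pbest[i][k] - x[i][k])
                           + c2 * r2 * (gbest[k] - x[i][k]))
                # Move, clamped to the search bounds.
                x[i][k] = min(hi, max(lo, x[i][k] + v[i][k]))
            val = f(x[i])
            if val < pbest_val[i]:            # individual best improves
                pbest[i], pbest_val[i] = x[i][:], val
                if val < gbest_val:           # swarm best improves (information sharing)
                    gbest, gbest_val = x[i][:], val
        history.append(gbest_val)
    return gbest, gbest_val, history


if __name__ == "__main__":
    # Constructed target: the parameter vector the swarm should discover.
    target = [1.0, -2.0, 0.5]
    best, best_val, hist = pso_minimize(squared_distance_to(target), dim=3, seed=1)
    print("gbest     :", [round(b, 4) for b in best])
    print("f(gbest)  :", f"{best_val:.3e}")
    print("progress  :", [f"{h:.2e}" for h in hist[::50]])
```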
The working principle and use of the invention are as follows: in use, the network attack and security vulnerability management framework platform stops network attacks, repairs the security vulnerabilities and so completes the protection of network security;
that is, in the network attack part, abnormal access information is blocked by the abnormal access prevention; the address information of abnormal information is queried through the IP address search, and data access from the abnormal IP address is permanently blocked; the data size analysis obtains the data information of normal communication and performs size analysis on it; the deep learning detection is used to detect threats appearing in software, prevent unauthorized access or abuse and report attacks to the security administrator, and comprises a deep feed-forward network, a recurrent neural network, a convolutional neural network and an autoencoder; the machine learning detection detects abnormal attacks through computer algorithms and comprises mathematical statistics, a support vector machine, data mining, a rule set and an artificial neural network; the intrusion detection data set is used to evaluate and train the prerequisites of an intrusion detection system based on anomaly detection, and comprises the KDD Cup 99, NSL-KDD, UNSW-NB15 and CIC-IDS2017 data sets;
After the network attack has been blocked, the vulnerabilities of the network are managed. The network security framework is a set of standards, guidelines and procedures formulated by professional network security bodies, intended to help the organization understand and manage the network security risks it faces, and comprises the NIST Cybersecurity Framework, ISO/IEC 27001 / ISO 27002, the CIS Controls framework, HIPAA and PCI-DSS. Firewall protection is a technique that helps a computer network build a relatively isolated protective barrier between the internal and external networks by organically combining the various software and hardware devices used for security management and screening, so as to protect the security of user data and information. Data backup encryption is used to back up and encrypt the data of computer resources effectively and so improve their security; the data is encrypted with a hash algorithm. Vulnerability query detection detects and queries the vulnerabilities of a computer and performs advanced queries on them; vulnerability queries usually look for common vulnerabilities or defects by running a series of tests on the system and network, including attempting to exploit known vulnerabilities, guessing default passwords or user accounts, or simply attempting to access restricted areas. Vulnerability repair prevention repairs the vulnerabilities obtained by vulnerability query detection; remediation includes prioritizing vulnerabilities, determining appropriate follow-up steps and generating remediation tickets for the IT team to execute, and finally remediation tracking is an important tool for ensuring that vulnerabilities or misconfigurations are properly resolved. System security testing discovers and exploits vulnerabilities in computer systems through penetration testing software, identifying through simulated attacks the vulnerabilities in systems that real attackers could exploit. Threat prevention software enables organizations to track, monitor, analyze and prioritize potential threats, so as to protect themselves better, by collecting data from a variety of sources, including vulnerability databases and security advisories;
The network attack patterns and the forms of vulnerabilities and their repair methods are queried and updated in real time through big data, which makes it convenient to improve network security. The big data query system comprises a network communication module and a big database module: the network communication module performs the system query of the big database and the query and acquisition of the type of network attack, and the big database module performs the query and download of the various network attack patterns and vulnerability management methods on the network. The particle swarm algorithm is used for the big-data network attack patterns and the forms and repair of vulnerabilities, so that the corresponding query can be carried out effectively and subsequent use and processing are convenient.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. A network attack and security vulnerability management framework platform based on big data analysis, characterized in that it comprises a network attack part, a security vulnerability management part and a big data query system: the network attack part comprises abnormal access prevention, IP address search, data size analysis, deep learning detection, machine learning detection and intrusion detection data sets, wherein the abnormal access prevention is used to block abnormal access information and prevent abnormal information carrying network attacks from entering; the IP address search is used to query the address information of the abnormal information, and data access from the abnormal IP address is permanently blocked; the data size analysis is used to obtain the data information of normal communication and perform size analysis on it; the deep learning detection is used to detect threats in software, prevent unauthorized access or abuse and report attacks to the security administrator; the machine learning detection is used to detect abnormal attacks through computer algorithms; and the intrusion detection data sets are used to evaluate and train the prerequisites of an intrusion detection system based on anomaly detection;
The security vulnerability management part comprises a network security framework, firewall protection, data backup encryption, vulnerability query detection, vulnerability repair prevention and system security testing, wherein the network security framework is a set of standards, guidelines and procedures formulated by a professional network security body, intended to help the organization understand and manage the network security risks it faces; the firewall protection is a technique that helps a computer network build a relatively isolated protective barrier between the internal and external networks by organically combining the various software and hardware devices used for security management and screening, so as to protect the security of user data and information; the data backup encryption is used to back up and encrypt the data of computer resources effectively and improve their security; the vulnerability query detection is used to detect and query the computer and perform advanced queries on its vulnerabilities, which usually look for common vulnerabilities or defects by running a series of tests on systems and networks, including attempting to exploit known vulnerabilities, guessing default passwords or user accounts, or simply attempting to access restricted areas; the vulnerability repair prevention is used to repair the vulnerabilities obtained by the vulnerability query detection, and the remediation includes prioritizing vulnerabilities, determining appropriate follow-up steps and generating remediation tickets for the IT team to execute, and finally remediation tracking is an important tool for ensuring that vulnerabilities or misconfigurations are properly resolved; the system security testing discovers and exploits vulnerabilities in computer systems through penetration testing software, identifying through simulated attacks the vulnerabilities in systems that real attackers could exploit; and threat protection software enables organizations to track, monitor, analyze and prioritize potential threats, so as to protect themselves better, by collecting data from various sources, including vulnerability databases and security advisories;
The big data query system comprises a network communication module and a big database module, wherein the network communication module is used to perform the system query of the big database and the query and acquisition of the type of network attack, and the big database module is used to perform the query and download of the various network attack patterns and vulnerability management methods on the network.
2. The network attack and security vulnerability management framework platform based on big data analysis of claim 1, wherein: the deep learning detection is a deep neural network used for feature extraction, perception and learning; the depth refers to the number of hidden layers in the neural network, and a deep neural network comprises up to 150 hidden layers; deep learning uses a plurality of successive layers to perform operations, the layers are connected to one another, and each layer receives the output of the previous layer as its input.
3. The network attack and security vulnerability management framework platform based on big data analysis of claim 2, wherein: the deep learning detection comprises a deep feed-forward network, a recurrent neural network, a convolutional neural network and an autoencoder;
the deep feed-forward network: in a feed-forward neural network, information is transmitted from the input layer to the output layer in one direction only and never backwards;
the recurrent neural network: also called a cyclic neural network, it can process sequence data effectively; unlike a deep feed-forward network, the output of a neuron acts directly on the neurons of the same layer at the next time step;
the convolutional neural network: comprising a convolution layer, a pooling layer and a fully connected layer, it can effectively reduce an image of large data volume to a small data volume while preserving the features of the picture;
the autoencoder: an unsupervised neural network model consisting of an encoder and a decoder, mainly used to encode the input into an intermediate value and then decode that intermediate value to reconstruct the input data, thereby achieving dimensionality reduction.
4. The network attack and security vulnerability management framework platform based on big data analysis of claim 1, wherein: the machine learning detection comprises the following algorithms:
Mathematical statistics: a statistical model is created by examining the normal and abnormal behavior of a user or system and is used to identify new attacks; common statistical methods include principal component analysis, the chi-square distribution and Gaussian mixture distributions;
Support vector machine: the support vector machine is an effective method for detecting intrusion events when data samples are limited; its aim is to separate two classes of data in the most suitable way using one feature vector;
Data mining: data mining is a common method for analyzing user behavior; it extracts a large amount of information from the collected mass data and extracts key rules by analyzing the association between users and data;
Rule set based: attack traffic in the network is analyzed and key rules are extracted; on that basis the data dimension is reduced before intrusion behavior is detected, which reduces the detection computation to some extent and improves detection efficiency;
Artificial neural network: an intelligent information-processing model that imitates how the human brain processes and stores information; the network acquires knowledge through learning and stores the learned knowledge in the weights of its connections, so the model can learn, adapt and identify unknown intrusions.
5. The network attack and security vulnerability management framework platform based on big data analysis of claim 3, wherein: the calculation formula of the convolutional neural network is as follows:
the input picture matrix and the convolution kernel below are both square matrices; the size of the input matrix is w, the size of the convolution kernel is k, the stride is s, the number of zero-padding layers is p, and the calculation formula for the size of the feature map generated after convolution is:
The input formula is:
$V = \mathrm{conv2}(W, X, \text{"valid"}) + b$,
the output formula is:
The input/output formulas above apply to each convolution layer; each convolution layer has its own weight matrix W, and W, X and Y are in matrix form. For the last fully connected layer, taken as the L-th layer, the output is in vector form $Y_L$ and the desired output is d.
6. The network attack and security vulnerability management framework platform based on big data analysis of claim 4, wherein: the artificial neural network adopts an AI intelligent algorithm, and its neural network is determined by the input neuron information $X_t$ and the corresponding weight matrix W as $W^T X_t$, where X is a vector and W is a weight matrix by which X is converted into another vector;
the information transferred from the hidden-layer neuron at the previous moment to the neuron at the current moment has the value $S_{t-1}$ and is determined with the corresponding weight matrix U as $U^T S_{t-1}$, where $S_{t-1}$ is a vector and U is a weight matrix by which $S_{t-1}$ is converted into a further vector;
the neuron $h_t$ at the current moment mainly integrates these two inputs, is activated and produces the output of the hidden-layer neuron at the current moment; the integration is the vector addition $W^T X_t + U^T S_{t-1}$;
assuming the activation function is f, the value of the neuron at the current moment after activation is $S_t = f(W^T X_t + U^T S_{t-1})$;
the information transmission mainly passes the value of the hidden-layer neuron at the current moment to the output neuron at the current moment:
$O_t = g(V^T S_t)$;
the forward formula is therefore:
$S_t = f(W^T X_t + U^T S_{t-1})$, $O_t = g(V^T S_t) = g(V^T f(W^T X_t + U^T S_{t-1}))$;
the whole neural network contains three weight matrices: the first is W, of dimension (N, K), where N is the vector dimension of the hidden-layer neuron value and K is the vector dimension of the input unit; the second is V, of dimension (L, N), where P represents the vector dimension of the output-layer neurons; and the third is U, of dimension (N, N).
7. The network attack and security vulnerability management framework platform based on big data analysis of claim 1, wherein: the intrusion detection data sets comprise the following:
the KDD Cup 99 data set provides labelled training data and unlabelled test data, and its features fall into 3 categories of attributes: basic features, traffic features and content features;
the NSL-KDD data set removes the duplicate records of KDD Cup 99, which reduces the data volume; NSL-KDD keeps the basic records and data features of the KDD Cup 99 data set, and the attack categories it identifies are the same as those of KDD Cup 99;
the UNSW-NB15 data set is generated with an IXIA traffic generator so as to simulate a real attack environment as closely as possible, according to the vulnerability information published on the CVE website;
the CIC-IDS2017 data set uses the CICFlowMeter tool to extract more than 80 feature attributes from the raw data; the features can be extracted in two ways, an online mode and an offline mode. In online mode the network traffic is monitored in real time and features are generated; once monitoring ends, the feature attributes are saved locally in CSV format. In offline mode a complete capture in pcap format is submitted to the CICFlowMeter tool, which produces a CSV file containing the features.
8. The network attack and security vulnerability management framework platform based on big data analysis of claim 1, wherein: the network security framework comprises the following:
the NIST Cybersecurity Framework is an iterative method that helps organizations build a consistent approach to identifying, assessing and managing cybersecurity risk; the critical infrastructure it protects may be operated by public- or private-sector organizations of varying scale, complexity and technical capability;
ISO/IEC 27001 / ISO 27002 cover the requirements for designing, implementing, maintaining and continually improving an information security management system, which an organization analyzes on the basis of the following factors: assessing the risks the organization faces to identify threats, the degree of vulnerability, the likelihood of occurrence and the potential impact; the legal and contractual obligations the organization must fulfil; and the internal processes, procedures and business requirements of information management for its business operations;
the CIS Controls framework uses a crowdsourced approach to identify the most common cyber threats and define security measures to prevent them, including inventory and control of enterprise assets, data protection, e-mail and web browser protection, security awareness and skills training, incident response management and penetration testing;
HIPAA standardizes the way healthcare organizations handle information and outlines three major aspects of information security compliance: adopting administrative safeguards in the form of rules and procedures, which specify how the organization will comply with the law; providing physical safeguards for physical access control to protected data; and technical safeguards protecting the software and hardware systems that process, store and transmit data;
PCI-DSS addresses the growing number of credit card data compromise incidents; an organization subject to the framework must meet six control objectives: build and maintain secure networks and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
9. The network attack and security vulnerability management framework platform based on big data analysis of claim 1, wherein: the data backup encryption adopts a hash algorithm;
The formula of the hash algorithm is as follows:
address = H[key];
the collision resolution methods of the hash algorithm comprise linear probing, quadratic probing and double hashing;
the formula of linear probing is as follows:
$h_i = (h(key) + i) \bmod m$, $0 \le i \le m-1$;
that is, starting from address d it probes T[d] first, then T[d+1], … in turn up to T[m-1], then wraps around to T[0], T[1], …, until either a free address is found or T[d-1] is reached.
10. The network attack and security vulnerability management framework platform based on big data analysis of claim 1, wherein: the big database module uses a particle swarm algorithm for query and detection when querying network attack patterns and security vulnerability handling methods, and searches for the most suitable method for analysis and processing;
the particle swarm algorithm uses the sharing of information among the individuals of the swarm so that, in the course of solving the problem, the whole swarm evolves from disorder to order, and the solution of the problem is thereby obtained;
the formula of the particle swarm algorithm is as follows:
the (d+1)-th iteration,
where:
n is the number of particles,
$c_1$ is the individual learning factor, also called the individual acceleration factor,
$c_2$ is the social learning factor, also called the social acceleration factor,
w is the inertia weight of the velocity,
the velocity of the i-th particle at the d-th iteration,
the position of the i-th particle at the d-th iteration,
f(x) is the fitness value at position x,
the best position the i-th particle has passed through up to the d-th iteration,
$pbest^d$ is the best position all particles have passed through up to the d-th iteration.
CN202310950455.9A 2023-07-31 2023-07-31 Network attack and security vulnerability management framework platform based on big data analysis Pending CN116996286A (en)


Publications (1)

Publication Number Publication Date
CN116996286A true CN116996286A (en) 2023-11-03

Family

ID=88522679


Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240616A (en) * 2023-11-13 2023-12-15 机械工业仪器仪表综合技术经济研究所 Integrated risk analysis method for network physical production system under threat attack view angle
CN117240616B (en) * 2023-11-13 2024-03-22 机械工业仪器仪表综合技术经济研究所 Integrated risk analysis method for network physical production system under threat attack view angle
CN117590753A (en) * 2024-01-17 2024-02-23 长春工业大学 Unsupervised batch control method based on deep learning
CN117592060A (en) * 2024-01-18 2024-02-23 中诚华隆计算机技术有限公司 Method and system for detecting security vulnerabilities of processor network
CN117592060B (en) * 2024-01-18 2024-04-12 中诚华隆计算机技术有限公司 Method and system for detecting security vulnerabilities of processor network


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination