CN117350288B - Case matching-based network security operation auxiliary decision-making method, system and device - Google Patents


Info

Publication number
CN117350288B
Authority
CN
China
Prior art keywords
case
decision
corpus
similarity
event
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311629837.8A
Other languages
Chinese (zh)
Other versions
CN117350288A (en)
Inventor
李丁炜
孙钢
林叶明
陈宇磊
虞轩昂
茅雨琦
张振洲
陈依阳
苗子羿
金子遥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yiqiyin Hangzhou Technology Co ltd
China Zheshang Bank Co Ltd
Original Assignee
Yiqiyin Hangzhou Technology Co ltd
China Zheshang Bank Co Ltd
Application filed by Yiqiyin Hangzhou Technology Co ltd, China Zheshang Bank Co Ltd
Priority to CN202311629837.8A
Publication of CN117350288A
Application granted
Publication of CN117350288B
Legal status: Active

Classifications

    • G06F40/289 Phrasal analysis, e.g. finite state techniques or chunking (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F40/00 Handling natural language data > G06F40/20 Natural language analysis > G06F40/279 Recognition of textual entities)
    • G06F18/22 Matching criteria, e.g. proximity measures (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F18/00 Pattern recognition > G06F18/20 Analysing)
    • G06F40/216 Parsing using statistical methods (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F40/00 Handling natural language data > G06F40/20 Natural language analysis > G06F40/205 Parsing)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Artificial Intelligence (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computational Linguistics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Data Mining & Analysis (AREA)
  • Probability & Statistics with Applications (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Machine Translation (AREA)

Abstract

The invention discloses a case matching-based network security operation auxiliary decision-making method, system and device. First, cases from network security operation practice are obtained, case descriptions are extracted, word segmentation and text cleaning are carried out, and a decision case corpus is generated; then a training set is constructed from the decision case corpus and an auxiliary decision model is trained; finally, an event description is extracted from the target event and segmented into a corpus, the similarity between every decision case corpus and the event description of the target event is calculated with the auxiliary decision model, the similarity is corrected, and the several decision cases with the highest corrected similarity are selected as the auxiliary decision basis. The method and system help fully reuse the security operation experience previously accumulated by security specialists, so that matching response strategies are found intelligently for specific security operation scenarios and quick, effective response across different security scenarios is supported.

Description

Case matching-based network security operation auxiliary decision-making method, system and device
Technical Field
The present invention relates to the field of network security operations, and in particular, to a case matching-based network security operation auxiliary decision method, system, and device.
Background
The network topology and business characteristics of different enterprises and organizations differ, so apart from conventional protection measures, the security policies and operational experience built up over the long term by an organization's security specialists cannot be reused in other organizations. On one hand, it is difficult to build a protection system integrating prevention, detection, response and organization that is sufficient to cover every security operation scenario; on the other hand, problems such as inaccurate decisions and slow response and disposal are hard to avoid when facing massive data and complex scenarios. In response to these problems, auxiliary decision-making offers a way to effectively reuse the security experience an organization has accumulated over time.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a case matching-based network security operation auxiliary decision-making method, system and device.
The aim of the invention is realized by the following technical scheme: in a first aspect, the present invention provides a case matching-based network security operation auxiliary decision method, which includes the following steps:
(1) Acquiring a case of a network security operation practice, extracting a case description, and generating a decision case corpus after word segmentation and text cleaning;
(2) Constructing a training set based on all the decision case corpus obtained in the step (1), and training a word2vec model to obtain an auxiliary decision model;
(3) Extracting an event description from a target event and processing it with the word segmentation procedure of step (1) to generate a corpus; calculating and ranking, with the auxiliary decision model of step (2), the similarity between every decision case corpus obtained in step (1) and the event description of the target event; selecting a subset of similar decision cases; comparing the case type, data flow direction, case grade and affected system of each selected similar decision case with the corresponding information of the target event and, for each item that is the same, multiplying the similarity of that decision case by a similarity correction base; and selecting the several decision cases with the highest corrected similarity as the auxiliary decision basis.
Further, in the step (1), according to the name, the type and the analysis information of each case, the case name or the analysis result is used as a case description.
Further, in step (1), the word segmentation uses thulac to traverse all target sentences to be segmented, generate the segmented word sequence and tag the part of speech of each word; the professional vocabulary appearing in security operation cases is compiled into a user dictionary for the word segmentation process.
Further, in the step (1), word sequences obtained after word segmentation are converted into list types from character string types, decision case corpus is obtained, and the decision case corpus is stored in a centralized mode to construct a decision case corpus.
Further, in step (3), the event description, event type, data flow direction, event level and affected system information of the target event are extracted, and the corpora in the decision case corpus are de-duplicated to form a temporary case description library used to extract cases similar to the target event.
Further, in step (3), the decision case descriptions ordered by similarity from high to low are denoted as: where the similarity corresponding to the i-th decision case description is . The top n decision case descriptions with the highest similarity to the target event are selected, and n is determined as follows:
i. Calculate a threshold value ; if there is a minimum such that , then .
ii. If there is no such that , then .
Further, in step (3), the case types are divided into 4 major classes: threat response cases, emergency disposal cases, standard operation flows and other operational experience, and each major class is further subdivided into several minor classes; the similarity is corrected once only when both the major and minor class of the decision case's type are the same as those of the target event. The data flow direction exists only for threat response cases and is the direction of data flow when an attacker attacks a victim; the similarity is corrected once only when both the decision case and the target event have this field and its content is identical. The case grade is the event grade assigned to the target event and the decision case according to type and threat level information; the similarity is corrected once only when the case grade of the decision case is identical to that of the target event. When the target event is generated, the system affected by the event is determined; if that determination fails, the field is set by a security operator, and the similarity is corrected once only when this field of the decision case is identical to that of the target event.
In a second aspect, the invention also provides a case matching-based network security operation auxiliary decision-making system, which comprises a decision case corpus generating module, an auxiliary decision model constructing module and a similar decision case recommending module;
the decision case corpus generation module is used for acquiring cases of network security operation practice, extracting case descriptions, and generating decision case corpus after word segmentation and text cleaning;
The auxiliary decision model building module is used for building a training set based on all the obtained decision case corpus, and training a word2vec model to obtain an auxiliary decision model;
The similar decision case recommendation module extracts event descriptions from the target event, generates corpus after processing according to word segmentation processing mode, calculates similarity between all decision case corpus and event descriptions of the target event based on the auxiliary decision model, sorts the event descriptions, selects partial similar decision cases, compares the case types, data flow directions, case grades and influence systems of the selected similar decision cases with corresponding information of the target event, multiplies the similarity of the similar decision cases by a similarity correction base to carry out similarity correction if each item is the same, and selects a plurality of decision cases with highest corrected similarity as auxiliary decision basis.
In a third aspect, the present invention further provides a case matching-based network security operation auxiliary decision method apparatus, including a memory and one or more processors, where the memory stores executable codes, and when the processor executes the executable codes, the processor implements the case matching-based network security operation auxiliary decision method.
In a fourth aspect, the present invention further provides a computer readable storage medium having a program stored thereon which, when executed by a processor, implements the case matching-based network security operation auxiliary decision-making method.
The beneficial effects of the invention are as follows. Addressing the problems that expert capacity is insufficient and that security policies and operational experience cannot be effectively propagated in organization and enterprise network security operations, thulac word segmentation and word2vec from the natural language processing field are introduced, a decision case corpus is established, an auxiliary decision model is trained, and on this basis a network security operation auxiliary decision-making method and system are designed. The method helps fully reuse the security operation experience previously accumulated by security specialists, so that matching response strategies are found intelligently for specific security operation scenarios and quick, effective response across different security scenarios is supported.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a case matching-based network security operation auxiliary decision method provided by the invention.
Fig. 2 is a schematic diagram of a construction decision case corpus.
FIG. 3 is a schematic diagram of the Skip-gram algorithm, which predicts the window words before and after the center word from the center word.
Fig. 4 is a schematic diagram of a similar case recommendation flow.
Fig. 5 is a block diagram of a case-matching-based network security operation auxiliary decision device provided by the invention.
Detailed Description
The following describes the embodiments of the present invention in further detail with reference to the drawings.
As shown in fig. 1, the case matching-based network security operation auxiliary decision-making method provided by the invention extracts expert prior experience with NLP techniques to construct a training corpus, and thereby completes training of an intelligent auxiliary decision-making model. Based on this model, the matching response strategy is found intelligently for a specific security operation scenario, so that quick and effective response across different security scenarios is supported. The invention applies thulac word segmentation and Word2Vec to construct the training corpus and the auxiliary decision-making model. Thulac is an efficient Chinese text segmentation tool used mainly for Chinese word segmentation in NLP; Word2Vec is a word vector model based on a two-layer neural network that maps each word to a vector representing its relationships to other words, which makes it possible to compute similarity between words and between sentences.
The method comprises the following specific steps:
1. Decision case corpus establishment
The decision case corpus is used for storing the word-segmented network security operation case language materials so as to provide training corpus for model training in the process of constructing an auxiliary decision model, and the establishment of the decision case corpus is based on the accumulation and classification of long-term network security operation cases. In the invention, in long-term network security operation practice, various security operation cases including threat response cases, emergency disposal cases, standard operation flows and other operation experiences are recorded, the characteristic information such as names, types, data flow directions, case grades, influence systems, analysis results, disposal flows and the like of each case are defined through an automatic flow, the characteristic information is stored in a security operation case library, and the case names or analysis results are selected as case descriptions of the cases according to the information such as the names, the types, the analysis and the like of each case. Based on this, a decision case corpus is constructed by two steps of word segmentation and corpus generation of case descriptions, as shown in fig. 2.
(1.1) Case description segmentation
Word segmentation is the process of recombining a continuous character sequence into a sequence of semantically independent words according to a given specification. The segmentation target of the invention is the case description of each case in the case library, which is turned into a sequence of words separated by spaces. Segmentation is done with thulac: all target sentences are traversed, the segmented word sequence is generated, and the part of speech of each word is tagged. The segmentation process requires a user dictionary, i.e. domain-specific vocabulary entered by the user according to the characteristics of the text being segmented; the invention compiles the professional vocabulary found in long-term accumulated security operation cases into a user dictionary for this purpose. The segmented text must also be cleaned by removing punctuation marks and common stop words, where the stop words include auxiliary words, prepositions, interjections, onomatopoeic words and the like.
(1.2) Corpus generation
And converting word sequences obtained after word segmentation from character string types into list types, namely obtaining decision case corpus, and storing the decision case corpus in a centralized way. Because the model training requires the corpus to fully reflect the occurrence frequency of each word in all cases, the corpus is not subjected to de-duplication processing. Meanwhile, corpus generation is a continuous process, namely, after a new case is recorded in a case library, the corpus needs to be updated in a supplementary manner in time.
2. Auxiliary decision model establishment
Training of the auxiliary decision model is performed using word2vec model packages in gensim libraries. Reading all the corpus of the corpus library as a model training set, and setting the following training parameters:
(2.1) sg specifies the algorithm used for model training; the invention uses the skip-gram algorithm, so sg=1 is set. The skip-gram algorithm predicts the window words before and after the center word from the center word, as shown in fig. 3.
(2.2) window is the maximum distance between the current word and the center word; window=3 is set, i.e. 3-n words before and n words after the center word are predicted, where n is a random number between 0 and 3.
(2.3) min_count is the word-frequency filtering threshold: words whose frequency in the corpus is below this value are ignored. The value is usually determined by the size of the corpus, and min_count=3 is set in the invention.
(2.4) sample is the random down-sampling threshold for high-frequency words; the default value 1e-3 is used.
(2.5) negative is the number of negative-sample noise words; negative=3 is set.
(2.6) hs indicates whether hierarchical softmax is used; hs=1 is set.
(2.7) workers is the number of parallel training threads, determined by the training resources available; the invention sets workers=4.
After training is completed, the model is stored as a file. Since the word2vec model package in the gensim library supports updating a trained model with newly added corpora, the auxiliary decision model is periodically updated with the new corpora on this basis.
3. Similar case recommendation
The purpose of similar case recommendation is to search cases most similar to an event to be decided (target event) from historical network security decision cases based on an auxiliary decision-making model and a series of similarity correction algorithms, so that analysis results and treatment flows of the similar cases are provided for a decision maker to assist the decision maker in decision making. A similar case recommendation flow is shown in fig. 4.
(3.1) Extract the event description of the target event together with its event type, data flow direction, affected system and other information, and perform word segmentation on the event description. To ensure that an identical event description produces exactly the same segmentation result as the existing corpus, the user dictionary and stop-word lexicon used for segmentation are identical to those used in the corpus construction stage. After segmentation, the result is converted into a list of word strings.
(3.2) Read the corpus and de-duplicate it to form a temporary case description library for the first-pass extraction of cases similar to the target event. This step must ensure that the temporary case description library contains no duplicate case description corpora.
(3.3) Read the trained auxiliary decision model, traverse all decision case corpora in the temporary case description library, calculate the similarity between each decision case corpus and the event description of the target event, and sort in descending order. The case descriptions ordered by similarity from high to low are denoted as: where the similarity corresponding to the i-th case description is . The top n case descriptions with the highest similarity to the target event are selected, and n is determined as follows:
i. Calculate ; if there is a minimum such that , then .
ii. If there is no such that , then .
(3.4) Retrieve historical cases from the security operation case library according to the following condition:
so as to obtain the case description, type, data flow direction, case grade, affected system, analysis result and disposal flow of each historical case satisfying the condition, and assign it the similarity , where . On this basis, the case type, data flow direction, case grade and affected system are compared in turn with the corresponding information of the target event, and for each item that is the same the case similarity is multiplied by the similarity correction base SRB, whose value is set to 1.5 in the invention. The comparison of each item is as follows:
a. Case type. The case types are divided into 4 major classes (threat response cases, emergency disposal cases, standard operation flows and other operational experience), and each major class is further subdivided into several minor classes. The similarity is corrected once only when both the major and minor class of the historical case's type are the same as those of the target event.
b. Data flow direction. Only threat response cases have this field; it is the direction of data flow when an attacker attacks a victim, for example "extranet-intranet". The similarity is corrected once only when both the historical case and the target event have this field and its content is identical.
c. Case grade. When the target event is generated, its event grade is assigned automatically by the automated flow according to the event's type, threat level and other information; this is the case grade field of the security operation case library. The similarity is corrected once only when this field of the historical case is identical to that of the target event.
d. Affected system. When the target event is generated, the automated flow determines the system affected by the event; if that determination fails, the field is set by the security operator. The similarity is corrected once only when this field of the historical case is identical to that of the target event.
(3.5) After the similarity correction of every case is finished, the cases are sorted in descending order of corrected similarity, the 3 cases with the highest similarity are selected, and their disposal suggestions and other information are extracted and displayed as the auxiliary decision basis.
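The following is an added example, not code from the patent or its assignees, that runs the flow of steps 1.1-1.2 and 3.1-3.5 end to end on a constructed five-case library, with the step 2 training call kept as a separate function. thulac segmentation and the gensim word2vec sentence similarity are assumed: a whitespace tokenizer driven by a small user dictionary and stop-word list stands in for thulac, and a bag-of-words cosine stands in for the model's similarity, so the script runs with the standard library only. The `top_n` parameter stands in for the patent's threshold rule for n (its formula is not reproduced on this page), the field names `type`, `flow`, `grade` and `system` are assumptions, and the sample cases are constructed. The correction is applied per matching field, as steps a-d describe, so a case with a lower raw similarity but all four fields matching (C3 below) overtakes a case whose description is closer but whose type, flow and grade differ (C2).

```python
"""Added example (not the patent's code): offline sketch of the similar-case
recommendation flow.  thulac and the gensim word2vec model are assumed and
replaced by stand-ins so the script runs with the standard library only."""
import math
import re
from collections import Counter, defaultdict

SRB = 1.5   # similarity correction base, as given in step 3.4
TOP_K = 3   # cases finally shown to the operator, as given in step 3.5

# Constructed user dictionary and stop-word list (thulac would load these as files).
USER_DICT = {"brute force", "web shell", "phishing mail"}
STOP_WORDS = {"a", "an", "the", "of", "on", "to", "for", "from", "via"}


def train_auxiliary_model(corpus, path="aux_decision.model"):
    """Step 2 with the parameters of (2.1)-(2.7).  gensim is assumed to be
    installed; it is imported lazily so the rest of the script runs without it."""
    from gensim.models import Word2Vec
    model = Word2Vec(sentences=corpus, sg=1, window=3, min_count=3,
                     sample=1e-3, negative=3, hs=1, workers=4)
    model.save(path)  # stored as a file after training, as in the text
    return model


def segment(text):
    """Step 1.1 stand-in: keep user-dictionary phrases whole, drop punctuation
    and stop words, and return the word list (the 'list type' of step 1.2)."""
    text = text.lower()
    for phrase in sorted(USER_DICT, key=len, reverse=True):
        text = text.replace(phrase, phrase.replace(" ", "_"))
    return [w for w in re.findall(r"[a-z0-9_]+", text) if w not in STOP_WORDS]


def cosine(a, b):
    """Stand-in for the word2vec sentence similarity: cosine over term counts."""
    ca, cb = Counter(a), Counter(b)
    dot = sum(ca[w] * cb[w] for w in ca)
    norm = math.sqrt(sum(v * v for v in ca.values())) * math.sqrt(sum(v * v for v in cb.values()))
    return dot / norm if norm else 0.0


def corrected_similarity(sim, case, event):
    """Step 3.4: each of the four field comparisons multiplies by SRB once."""
    if case["type"] == event["type"]:                                      # a. (major, minor) class
        sim *= SRB
    if case["flow"] and event["flow"] and case["flow"] == event["flow"]:  # b. both present and equal
        sim *= SRB
    if case["grade"] == event["grade"]:                                    # c. case grade
        sim *= SRB
    if case["system"] == event["system"]:                                  # d. affected system
        sim *= SRB
    return sim


def recommend(cases, event, top_n=5):
    """Steps 3.1-3.5; returns [(corrected similarity, case name), ...] for the top 3."""
    event_words = segment(event["description"])                            # 3.1
    library = defaultdict(list)                                            # 3.2: de-duplicated descriptions
    for c in cases:
        library[tuple(segment(c["description"]))].append(c)
    ranked = sorted(((cosine(list(k), event_words), k) for k in library), reverse=True)[:top_n]  # 3.3
    corrected = []
    for sim, key in ranked:
        for c in library[key]:                                             # 3.4: every case with that description
            corrected.append((corrected_similarity(sim, c, event), c["name"]))
    corrected.sort(key=lambda x: x[0], reverse=True)                       # 3.5
    return corrected[:TOP_K]


CASES = [  # constructed sample case library
    {"name": "C1", "description": "Brute force login attempts against VPN gateway",
     "type": ("threat_response", "credential_attack"), "flow": "extranet-intranet", "grade": "high", "system": "vpn"},
    {"name": "C2", "description": "Brute force login attempts against VPN gateway",
     "type": ("emergency", "account_lockout"), "flow": None, "grade": "medium", "system": "vpn"},
    {"name": "C3", "description": "VPN gateway credential stuffing from extranet",
     "type": ("threat_response", "credential_attack"), "flow": "extranet-intranet", "grade": "high", "system": "vpn"},
    {"name": "C4", "description": "Phishing mail with malicious attachment to finance staff",
     "type": ("threat_response", "phishing"), "flow": "extranet-intranet", "grade": "medium", "system": "mail"},
    {"name": "C5", "description": "Standard operation flow for VPN account reset",
     "type": ("sop", "account"), "flow": None, "grade": "low", "system": "vpn"},
]
EVENT = {  # constructed target event
    "description": "Brute force login attempts against VPN from extranet",
    "type": ("threat_response", "credential_attack"), "flow": "extranet-intranet", "grade": "high", "system": "vpn"}

if __name__ == "__main__":
    for score, name in recommend(CASES, EVENT):
        print(f"{name}: corrected similarity {score:.4f}")
```

Note that the corrected value is a ranking score, not a probability: with four matching fields it can reach 1.5^4 times the raw similarity, so the output should be read only by its order. C1 and C2 share one de-duplicated description and therefore the same raw similarity (step 3.2), but after step 3.4 only C1 receives all four corrections.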
The invention also provides a case matching-based network security operation auxiliary decision-making system, which comprises a data access module, a decision case corpus generating module, an auxiliary decision-making model constructing module and a similar decision-making case recommending module;
The data access module is used for interfacing with external systems, acquiring various types of safety operation case data from each external system in real time, fusing and formatting and storing the heterogeneous data from each source to form a safety operation case library, and providing support for corpus generation, model training and auxiliary decision making for other modules.
The decision case corpus generation module is used for extracting a case description field of the safety operation case, generating a decision case corpus by word segmentation processing of the field, constructing a case corpus on the basis and storing corpus data in a standardized mode, and supporting periodic scanning of newly added safety operation cases and updating of the corpus.
The auxiliary decision model construction module is used for generating and obtaining standardized decision case corpus data by butting decision case corpus, training an auxiliary decision model and periodically updating the model according to the standardized decision case corpus data, and meanwhile, aiming at key parameters in the training process of the auxiliary decision model, the model management module supports configuration of the auxiliary decision model.
The similar decision case recommending module is used for realizing auxiliary decision case recommending logic according to an auxiliary decision model and an algorithm, pushing the recommended similar case information to a safety operator through a visual interface, and simultaneously, continuously feeding back and optimizing the model and the algorithm according to an auxiliary decision result.
The data access module accesses data from external systems such as a security operation platform, a situation awareness platform and a knowledge base platform via API, syslog or Kafka, and obtains security operation case records of all kinds, including threat response records, emergency disposal records, standard operation flows, other security operation experience and SOPs. It cleans, merges and enriches the data from the various sources, normalizes the characteristic information of each case (name, type, data flow direction, case grade, affected system, analysis result, disposal flow and so on), and selects the case name or the analysis result as the case description according to the case's name, type and analysis information, so that cases from every source are converted into structured data and stored to form a security operation case library. The security operation case library provides data support to the corpus management module, the model management module and the auxiliary decision-making module.
The decision case corpus generation module is connected with the safety operation case library under the data access module, and word segmentation processing is carried out on case descriptions of safety operation cases which are not subjected to corpus extraction based on an embedded thulac word segmentation tool. In order to improve word segmentation accuracy, the user dictionary and the stop word dictionary are supported to be maintained, word segmentation results are optimized according to the user dictionary, and stop word removal processing is carried out on the word segmentation results according to the content of the stop word dictionary. The decision case corpus generation carries out format conversion on word segmentation results to be stored in a centralized mode to form a decision case corpus, and carries out new corpus adding operation on the corpus according to the set frequency periodicity or by adopting a new case triggering mode.
The auxiliary decision model building module periodically reads the decision case corpus to generate stored structured corpus data as auxiliary decision model training data, and model training is performed based on an embedded word2vec algorithm. Training is divided into 2 cases, one is model pre-training, and the purpose is to construct an auxiliary decision model for the first time, and apply all decision case corpus to construct and store the model; and secondly, retraining the model, wherein the auxiliary decision model construction module reads the trained model and the new corpus of the corpus, and updates and trains the model.
The similar decision case recommendation module searches cases which are most similar to the event to be decided from the historical network security decision cases based on the auxiliary decision model and a series of similarity correction algorithms, so that analysis results and treatment flows of the similar cases are provided for a decision maker. The similar decision case recommendation module visually displays the auxiliary decision results through a graphical interface, opens a result query API (application program interface) to support the output of the auxiliary decision results to systems such as an external safety operation platform and the like, and further supports the threat response and the closed loop of emergency treatment cases on the external systems.
Corresponding to the embodiment of the case matching-based network security operation auxiliary decision method, the invention also provides an embodiment of the case matching-based network security operation auxiliary decision device.
Referring to fig. 5, the network security operation assistance decision making device based on case matching provided by the embodiment of the invention includes a memory and one or more processors, wherein executable codes are stored in the memory, and when the executable codes are executed by the processors, the processor is used for implementing the network security operation assistance decision making method based on case matching in the above embodiment.
The embodiment of the network security operation auxiliary decision-making device based on case matching can be applied to any equipment with data processing capability, and the equipment with data processing capability can be equipment or a device such as a computer. The apparatus embodiments may be implemented by software, or may be implemented by hardware or a combination of hardware and software. Taking software implementation as an example, the device in a logic sense is formed by reading corresponding computer program instructions in a nonvolatile memory into a memory by a processor of any device with data processing capability. From the hardware level, as shown in fig. 5, a hardware structure diagram of an arbitrary device with data processing capability where the case matching-based network security operation auxiliary decision apparatus provided by the present invention is located is shown in fig. 5, and in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 5, the arbitrary device with data processing capability in the embodiment generally includes other hardware according to the actual function of the arbitrary device with data processing capability, which is not described herein again.
The implementation process of the functions and roles of each unit in the above device is specifically shown in the implementation process of the corresponding steps in the above method, and will not be described herein again.
For the device embodiments, since they essentially correspond to the method embodiments, reference is made to the description of the method embodiments for the relevant points. The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present invention. Those of ordinary skill in the art can understand and implement the present invention without undue burden.
The embodiment of the invention also provides a computer readable storage medium, on which a program is stored, which when executed by a processor, implements a case matching-based network security operation aid decision-making method in the above embodiment.
The computer readable storage medium may be an internal storage unit, such as a hard disk or a memory, of any of the data processing enabled devices described in any of the previous embodiments. The computer readable storage medium may also be an external storage device of any device having data processing capabilities, such as a plug-in hard disk, a smart memory card (SMART MEDIA CARD, SMC), an SD card, a flash memory card (FLASH CARD), etc. provided on the device. Further, the computer readable storage medium may include both internal storage units and external storage devices of any data processing device. The computer readable storage medium is used for storing the computer program and other programs and data required by the arbitrary data processing apparatus, and may also be used for temporarily storing data that has been output or is to be output.
The above-described embodiments are intended to illustrate the present invention, not to limit it, and any modifications and variations made thereto are within the spirit of the invention and the scope of the appended claims.

Claims (8)

1. The network security operation auxiliary decision-making method based on case matching is characterized by comprising the following steps of:
(1) Acquiring a case of a network security operation practice, extracting a case description, and generating a decision case corpus after word segmentation and text cleaning;
(2) Constructing a training set based on all the decision case corpus obtained in the step (1), and training a word2vec model to obtain an auxiliary decision model;
(3) Extracting an event description from the target event, processing it according to the word segmentation processing mode of step (1) to generate a corpus, calculating and sorting, based on the auxiliary decision model of step (2), the similarity between every decision case corpus obtained in step (1) and the event description of the target event, selecting some of the similar decision cases, and denoting the decision case descriptions in order of similarity from high to low as Case_i, where i ∈ [1, +∞). The similarity corresponding to the i-th decision case description is S_i, and the top n decision case descriptions with the highest similarity to the target event are selected, where the value of n is determined as follows:
i. Calculating a threshold value SR_i, i ∈ [0, +∞); if there is a minimum i such that SR_i > 1.5, then n = min(i, 3);
ii. if there is no i such that SR_i > 1.5, then n = 3;
Based on the case type, data flow direction, case grade and affected system of the selected similar decision cases and the corresponding information of the target event, for each item that is the same the similarity of the similar decision case is multiplied by a similarity correction base to perform similarity correction, and a plurality of decision cases with the highest corrected similarity are selected as the auxiliary decision basis; the case type is divided into 4 major classes, namely threat response cases, emergency treatment cases, standard operation flows and other operation experience, each major class is further subdivided into a plurality of minor classes, and the similarity is corrected once only when both the major class and the minor class of the case type of the decision case are the same as those of the target event; the data flow direction field exists only for threat response cases and is the direction of the data flow when an attacker attacks a victim, and the similarity is corrected once only when both the decision case and the target event have this field and its content is completely the same; the case grade is the event grade assigned to the target event and the decision case according to their type and threat level information, and the similarity is corrected once only when the case grade of the decision case is completely the same as that of the target event; the affected system is judged when the target event is generated, and if that judgement fails the field is set by a security operator, and the similarity is corrected once only when the affected system of the decision case is completely the same as that of the target event.
2. The case matching-based network security operation aid decision-making method according to claim 1, wherein in the step (1), the case name or the analysis result is used as a case description according to the name, the type and the analysis information of each case.
3. The case matching-based network security operation aid decision-making method according to claim 1, wherein in the step (1), a word segmentation process uses thulac to traverse all target sentences to be segmented, a word sequence after word segmentation is generated, word parts of speech of each word are marked, and professional vocabularies involved in a security operation case are formed into a user dictionary for the word segmentation process.
4. The case-matching-based network security operation auxiliary decision-making method of claim 1, wherein in the step (1), word sequences obtained after word segmentation are converted into list types from character string types, decision case corpuses are obtained, and the decision case corpuses are stored in a centralized manner to construct a decision case corpus.
5. The case-matching-based network security operation auxiliary decision-making method as claimed in claim 4, wherein in the step (3), the event description of the target event, the event type, the data flow, the event level and the influence system information are extracted, and the corpus in the decision-making case corpus is subjected to de-duplication processing to form a temporary case description library for extracting similar cases of the subsequent target event.
6. A case matching based network security operation auxiliary decision making system for implementing the method of any one of claims 1-5, characterized in that the system comprises a decision case corpus generating module, an auxiliary decision making model constructing module and a similar decision case recommending module;
the decision case corpus generation module is used for acquiring cases of network security operation practice, extracting case descriptions, and generating decision case corpus after word segmentation and text cleaning;
The auxiliary decision model building module is used for building a training set based on all the obtained decision case corpus, and training a word2vec model to obtain an auxiliary decision model;
The similar decision case recommendation module extracts event descriptions from the target event, generates corpus after processing according to word segmentation processing mode, calculates similarity between all decision case corpus and event descriptions of the target event based on the auxiliary decision model, sorts the event descriptions, selects partial similar decision cases, compares the case types, data flow directions, case grades and influence systems of the selected similar decision cases with corresponding information of the target event, multiplies the similarity of the similar decision cases by a similarity correction base to carry out similarity correction if each item is the same, and selects a plurality of decision cases with highest corrected similarity as auxiliary decision basis.
7. A case-matching-based network security operation auxiliary decision-making device, comprising a memory and one or more processors, wherein executable code is stored in the memory, and wherein the processor implements the case-matching-based network security operation auxiliary decision-making method as claimed in any one of claims 1 to 5 when executing the executable code.
8. A computer readable storage medium having stored thereon a program which, when executed by a processor, implements the case-matching-based network security operation auxiliary decision-making method according to any one of claims 1-5.
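The selection and correction steps of claim 1, step (3), as an added Python example that is not part of the patent or its implementation. It starts from an already ranked candidate list (the word2vec similarity computation is not reproduced; the S_i values are constructed), assumes SR_i = S_i / S_(i+1) because the text here does not state the definition of the threshold value, and assumes a correction base of 1.2, since the claim only speaks of "a similarity correction base".

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

CORRECTION_BASE = 1.2  # ASSUMED; the patent only says "a similarity correction base"
SR_THRESHOLD = 1.5     # claim 1: SR_i > 1.5
MAX_N = 3              # claim 1: n = min(i, 3), or n = 3 when no such i exists

@dataclass
class Case:
    name: str
    similarity: float                # S_i from the auxiliary decision model (constructed here)
    major_type: str                  # threat response / emergency treatment / SOP / other
    minor_type: str
    grade: str                       # case grade assigned from type and threat level
    affected_system: Optional[str]   # None when the automatic judgement failed and nobody set it
    data_flow: Optional[str] = None  # attacker -> victim direction; threat response cases only

def choose_n(similarities: list[float]) -> int:
    """Step (3): with cases ranked by similarity, the smallest i with SR_i > 1.5 gives n = min(i, 3)."""
    for i in range(1, len(similarities)):
        s_i, s_next = similarities[i - 1], similarities[i]  # S_i and S_(i+1), 1-indexed in the claim
        if s_next > 0 and s_i / s_next > SR_THRESHOLD:      # SR_i = S_i / S_(i+1) is an ASSUMPTION
            return min(i, MAX_N)
    return min(MAX_N, len(similarities))                     # no such i: n = 3

def matching_fields(case: Case, target: Case) -> int:
    """Count the fields that match the target event; each one corrects the similarity exactly once."""
    matches = 0
    # Case type: both the major class and the minor class must be the same.
    if (case.major_type, case.minor_type) == (target.major_type, target.minor_type):
        matches += 1
    # Data flow direction: only when both sides carry the field and the content is identical.
    if case.data_flow is not None and case.data_flow == target.data_flow:
        matches += 1
    # Case grade: must be completely the same.
    if case.grade == target.grade:
        matches += 1
    # Affected system: must be completely the same (a missing value never counts; an assumption).
    if case.affected_system is not None and case.affected_system == target.affected_system:
        matches += 1
    return matches

def recommend(candidates: list[Case], target: Case, k: int = 3) -> list[tuple[str, float]]:
    """Rank, pick the top n, multiply S_i by the base once per matching field, return the best k."""
    ranked = sorted(candidates, key=lambda c: c.similarity, reverse=True)
    n = choose_n([c.similarity for c in ranked])
    corrected = [(c.name, round(c.similarity * CORRECTION_BASE ** matching_fields(c, target), 4))
                 for c in ranked[:n]]
    corrected.sort(key=lambda t: t[1], reverse=True)
    return corrected[:k]

# Constructed sample data: one target event and four historical decision cases.
TARGET = Case("target event", 1.0, "threat response", "web attack", "medium",
              "online banking", "internet->DMZ")
CANDIDATES = [
    Case("case A", 0.80, "threat response", "web attack", "medium", "online banking", "internet->DMZ"),
    Case("case B", 0.78, "emergency treatment", "host compromise", "high", "online banking"),
    Case("case C", 0.75, "threat response", "web attack", "medium", "payment gateway", "internet->DMZ"),
    Case("case D", 0.40, "standard operation flow", "patching", "low", None),
]

if __name__ == "__main__":
    # SR_3 = 0.75 / 0.40 > 1.5, so n = 3 and case D is never considered.
    for name, score in recommend(CANDIDATES, TARGET):
        print(f"{name}: corrected similarity {score}")
```

Note that a corrected similarity can exceed 1; it is only used for ranking, which is all the claim requires of it.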
Application CN202311629837.8A, priority date 2023-12-01, filing date 2023-12-01: Case matching-based network security operation auxiliary decision-making method, system and device. Status: Active. Publication CN117350288B (en).

Publications (2)

Publication Number Publication Date
CN117350288A CN117350288A (en) 2024-01-05
CN117350288B true CN117350288B (en) 2024-05-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant