CN117478358A - Decision recommendation method and device - Google Patents


Info

Publication number: CN117478358A
Authority: CN (China)
Prior art keywords: data, network, security, network security, detection
Legal status: Pending (the status listed by Google Patents is an assumption, not a legal conclusion)
Application number: CN202311265077.7A
Other languages: Chinese (zh)
Inventors: 刘忠良, 韩小平, 赵志伟
Current assignee: New H3C Security Technologies Co Ltd (the listed assignee may be inaccurate)
Original assignee: New H3C Security Technologies Co Ltd

Classifications

All codes fall under H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/1408 Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic
    • H04L41/16 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458 Denial of Service
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Databases & Information Systems (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Software Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a decision recommendation method and device in the technical field of network security. The method comprises the following steps: collecting network environment data of a network; performing data analysis and mining processing on the network environment data to obtain network security data; according to the data types corresponding to the network security data, calling the corresponding security detection model for each type to identify the network security data, and obtaining the security detection result corresponding to each data type; performing association analysis processing on the security detection results to obtain a security situation result of the network; acquiring the device defense capability of the network security devices in the network; and recommending, according to predefined decision rules, a target decision rule for the network that matches both the security situation result and the device defense capability.

Description

Decision recommendation method and device
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a decision recommendation method and apparatus.
Background
At present, most network security situation awareness platforms merely integrate network asset management, threat intelligence, vulnerability management and User and Entity Behavior Analysis (UEBA) into a single workflow to reduce cross-module process complexity; they do not achieve effective protection of cyberspace. As the situation has grown tenser in recent years, the number of network attacks against critical infrastructure and industrial control systems has risen rapidly, and strategic disruption has become one of the main objectives of network attacks. Strategic network attacks are more covert and more aggressive, cause more serious damage and affect a wider scope. Against this background, the traditional situation awareness platform struggles to keep up with the changing form of network security: it cannot make correct decisions based on the information collected, and therefore cannot execute correct actions or provide more effective protection against higher-level network security risks.
The cyberspace security confrontation environment to be faced is extremely complex and contains many dynamic evolution mechanisms, chiefly expressed as adaptability, dynamics, burstiness, ambiguity and uncertainty. Although the current ATT&CK tactical framework summarises experience and can offer some decision guidance, these mechanisms and characteristics combine to keep the whole network security space in a state of disorder. On the one hand, in today's cyberspace big data environment the space is vast, tool means and attack elements are tightly coupled, attack techniques involving deception, camouflage and stealth are ever more unusual, the attack and defense tempo has clearly accelerated and the defender's window of opportunity is fleeting, so the current network threat environment is more complex. On the other hand, cyberspace networking is increasingly complex and the data available for collection increasingly rich, so comprehensive security situation information about the cyberspace environment must genuinely be obtained in order to perceive the situation state more accurately and lay a foundation for subsequent correct decisions.
Disclosure of Invention
In view of the above, the present application provides a decision recommendation method and apparatus for accurately recommending intelligent decisions for network security, so as to improve network security.
Specifically, the application is realized by the following technical scheme:
according to a first aspect of the present application, there is provided a decision recommendation method, comprising:
collecting network environment data of a network;
performing data analysis and mining processing on the network environment data to obtain network security data;
according to the data types corresponding to the network security data, respectively calling a corresponding security detection model to identify the network security data, and obtaining security detection results corresponding to the data types respectively;
performing association analysis processing on each security detection result to obtain a security situation result of the network;
acquiring the device defense capability of network security devices in the network;
and recommending a target decision rule matched with the security situation result and the equipment defensive capacity for the network according to a predefined decision rule.
According to a second aspect of the present application, there is provided a decision recommendation apparatus comprising:
a collection module, configured to collect network environment data of a network;
a processing module, configured to perform data analysis and mining processing on the network environment data to obtain network security data;
an identification module, configured to call the corresponding security detection model for each data type of the network security data to identify the network security data, and obtain the security detection result corresponding to each data type;
an association analysis module, configured to perform association analysis processing on the security detection results to obtain a security situation result of the network;
an acquisition module, configured to acquire the device defense capability of the network security devices in the network;
and a recommending module, configured to recommend, according to predefined decision rules, a target decision rule for the network that matches the security situation result and the device defense capability.
According to a third aspect of the present application there is provided an electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiments of the present application.
According to a fourth aspect of the present application there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiment of the application are that:
In the decision recommendation method and device provided by the embodiments of the application, after the network environment data is collected it is subjected to data analysis and mining processing, so that the network security data in the network is obtained at a deeper level, that is, the network is understood more deeply. On this basis, the corresponding security detection model is called for each data type of the network security data to identify it, and the security detection result corresponding to each data type is obtained; association analysis processing is then performed on the security detection results to obtain the security situation result of the network, so that the current security situation of the network can be obtained more accurately from the network security data. Since network security is related to the defense capability of the network security devices in the network, the application also acquires that defense capability; a target decision rule matching both the security situation result and the device defense capability is then recommended for the network according to predefined decision rules. The recommended target decision rule therefore matches the defense capability of the network security devices in the network as well as the network security situation, so attacks in the network can be defended against better and more accurately using the target decision rule, further protecting the security of the network.
Drawings
Fig. 1 is a schematic flow chart of a decision recommendation method provided in an embodiment of the present application;
fig. 2 is a schematic structural diagram of a decision recommendation apparatus according to an embodiment of the present application;
fig. 3 is a schematic hardware structure of an electronic device for implementing the decision recommendation method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects as described herein.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the corresponding listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first message may also be referred to as a second message, and similarly, a second message may also be referred to as a first message, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The decision recommendation method provided in the present application is described in detail below.
Referring to fig. 1, fig. 1 is a flowchart of a decision recommendation method provided in the present application. The method may be applied to an electronic device, which may be, but is not limited to, a network security device, a server and so on. When implementing the method, the electronic device may perform the following steps:
S101, collecting network environment data of a network.
In this step, the network environment data may include, but is not limited to, log data, traffic data, intrusion detection data and the like. The log data may be collected by a network security device in the network; the traffic data may be objectively existing traffic data and user behavior data, such as data reported by network edge devices in the current network, data reported by the terminal host side, cloud service operation data, threat intelligence data and the like; the intrusion detection data may be attack-related data, such as network vulnerabilities, threats and attack behaviors, recorded by the network security device when an attack occurs on the network it belongs to.
Optionally, after the network environment data is collected, the following procedure may further be performed: the network environment data is preprocessed, and step S102 is then performed on the preprocessed network environment data.
In particular, preprocessing the network environment data may involve data cleaning, missing value filling, outlier detection, duplicate removal and other operations.
S102, carrying out data analysis and mining processing on the network environment data to obtain network security data.
In this step, the network environment data is searched and analyzed with data analysis and mining techniques to generate the network security data. Specifically, the data analysis technique may be, but is not limited to, a security recognition algorithm, that is, the network environment data is processed by the security recognition algorithm to recognize target security data that poses a danger to network security. The security recognition algorithm may be, but is not limited to, a pre-trained machine learning model or deep learning model, and its training samples may be a preconfigured training sample set composed of network environment data samples.
Furthermore, the data mining techniques may be, but are not limited to, preset association rules, user entity behavior analysis rules and/or pre-trained data mining algorithms. Specifically, a data mining library may be provided in which extensible security data, user behavior extension data and the like are stored in advance. When the network environment data is mined, the association rules are used to match the network environment data one by one against the extensible security data and the user behavior extension data, yielding the associated target extensible security data and/or user behavior extension data, which together with the target security data form the network security data. In addition, the user entity behavior analysis rules may be used to further match the network environment data against the data mining library to obtain target user behavior extension data with a higher degree of match, which together with the target security data form the network security data. When a data mining algorithm is used, it may comprise a first data mining algorithm obtained by learning the principle of the association rules and a second data mining algorithm obtained by learning the principle of the user entity behavior analysis rules; the two algorithms are then used respectively to match the network environment data against the data in the data mining library, and the network security data is finally generated.
In this way the obtained network security data can be guaranteed to contain data from network edge devices, data from the terminal host side, cloud service operation data, threat intelligence data and the like, and data of different modalities and forms, structured and unstructured alike, can be fused and shared, laying a foundation for a better subsequent understanding of the security situation in the network.
It is noted that the data mining library can be configured according to specific requirements and conditions and the experience of security operations and maintenance personnel, and can be updated dynamically.
S103, respectively calling a corresponding security detection model to identify the network security data according to the data types corresponding to the network security data, and obtaining security detection results respectively corresponding to the data types.
In this step, the data types currently in existence may include, but are not limited to, text type, intrusion detection type, event type, high-dimensional data type and nonlinear data type. On this basis, step S103 may be performed as follows: when data of text type and/or intrusion detection type exists in the network security data, the text data or intrusion detection data is identified with the corresponding naive Bayes detection model to obtain a first security detection result; when data of event type exists, the network security events present in the network security data are classified and identified with a decision tree detection model to obtain a second security detection result; when data of high-dimensional type exists, the high-dimensional or nonlinear security data present is identified with the corresponding support vector machine detection model or random forest detection model to obtain a third security detection result; and when data of nonlinear type exists, vulnerability scanning data in the network security data is identified with a neural network detection model to obtain a fourth security detection result.
Specifically, the naive Bayes detection model is applicable to fields such as text classification and intrusion detection, and classifies and predicts according to the prior probability of the data. On this basis, a naive Bayes model corresponding to the intrusion detection type can be called to identify and process the intrusion detection data present in the network security data, obtaining the first security detection result corresponding to the intrusion detection type; and a naive Bayes model corresponding to the text type can be called to identify and process the text data present in the network security data, obtaining the first security detection result corresponding to the text type.
The first security detection result corresponding to the intrusion detection type may be: the specific intrusion detection type to which the intrusion detection data belongs is predicted, such as host-based intrusion detection, network-based intrusion detection, or hybrid-based intrusion detection. Accordingly, the first security detection result of the text type may be a specific text type to which the text data in the network security data belongs, such as a security attack introduced through SQL injection, an attack introduced through cross-site scripting, a malicious attack introduced through cookie tampering, and so on.
In addition, when detecting whether the intrusion detection data or text data exists in the network security data, the corresponding detection rule can be used for detection, or the network security data can be directly input into a naive Bayesian detection model corresponding to the intrusion detection type, and when the model outputs the corresponding intrusion detection classification, the intrusion detection data can be directly determined to exist in the network security data; similarly, the text type processing process is consistent with the intrusion detection type processing process, and detailed description is not given here; similarly, the processing procedure of the other data types is consistent with the processing procedure of the intrusion detection type, and will not be described in detail.
For the event type, the decision tree detection model classifies and predicts the network security events present in the network security data and can explain its decision process. On this basis, the decision tree detection model can be invoked to classify the network security events present in the network security data, obtaining the event type of each event, namely the second security detection result. The event types may include, but are not limited to, computer virus events, worm events, botnet events, denial of service events, backdoor attack events, vulnerability attack events, network scanning and eavesdropping events, information tampering events and the like.
For the high-dimensional data type, the support vector machine detection model and the random forest detection model are suited to identifying data of this type, so the embodiment proposes calling the support vector machine or random forest detection model corresponding to the high-dimensional data type to identify the high-dimensional data in the network security data and determine whether it is abnormal; the abnormal data found in this way constitute the third security detection result.
For the nonlinear data type, the support vector machine detection model and the neural network detection model can handle complex nonlinear problems; accordingly, the support vector machine and neural network detection models corresponding to this type can be called to identify the nonlinear data in the network security data and determine whether it is abnormal, and the abnormal data found constitute the fourth security detection result corresponding to the nonlinear data type. In addition, since data carrying security threats such as vulnerability scanning generally belongs to nonlinear data, such data in the network security data can be identified effectively by this method.
It should be noted that each detection model may be obtained by training in advance, with the training samples being data samples of the corresponding data type. For better understanding, taking the intrusion detection type as an example, a large number of intrusion detection data samples of each intrusion detection type may be preconfigured, and the naive Bayes model is then trained with these samples to obtain the trained naive Bayes detection model. The training process of the other detection models is similar, with the training samples adjusted accordingly, and is not described in detail here.
In addition, when each model is trained by using a sample, modes such as feature extraction and the like are generally involved, and specifically, a feature engineering method can be adopted to extract and construct the features of the data sample, so that the data sample is converted into a form available for a machine learning model. The common feature engineering method comprises feature selection, feature transformation, feature generation and the like, and then model training and modeling are carried out on the processed data by using a machine learning and deep learning algorithm, so that each detection model can be obtained.
It should be noted that each of the above detection models may be dynamically adjustable: for any detection model, its performance may be evaluated using means such as cross-validation, a confusion matrix or an ROC curve, and corresponding optimization measures, for example adjusting model parameters or tuning the algorithm, are then taken according to the evaluation result so as to improve the accuracy and generalization capability of the detection model.
S104, carrying out association analysis processing on each security detection result to obtain a security situation result of the network.
In this step, step S104 may be performed according to the following procedure: identifying target elements with association relations in security detection results corresponding to all data types; and constructing a security situation map among all detection results according to the target elements.
In particular, for a better understanding of the above procedure, assume the pieces of network security data currently acquired contain the following fields: source IP address, destination IP address, source port, destination port, protocol type, attack type and so on. The target elements may include, but are not limited to, data elements, classification elements and the like. After the security detection results are obtained from the detection models, association is first performed among security detection results that share the same classification result (the classification element), and then among results that share the same data (the data element). For example, data of the same attack type are associated first, and then data containing the same data elements are associated, so that potential attack chains can be mined; a security attack graph, namely the security situation graph, is formed from the attack chains to indicate the relationships and evolution among different attack types.
After the security situation map is obtained, the security situation map can be subjected to graphical output display, so that a security analyst can better understand the network security situation and timely take corresponding measures to cope with potential attacks.
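The two-pass association of S104 (first by shared classification element, then by shared data elements, with linked records chained into a situation graph), as an added example that is not part of the patent; the record layout, the choice of IP addresses as the linking data elements and the sample detections are constructed assumptions.

```python
"""Association analysis over per-type security detection results (added example).

Constructed records carry the fields the description names (source/destination IP,
ports, protocol, attack type assigned by a detection model). Pass 1 groups results
by classification element (attack type); pass 2 links records that share a data
element (here an IP address); connected records form candidate attack chains, and
the chains are folded into a situation graph of attack-type transitions.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample detection results (not from the patent).
DETECTIONS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "src_port": 51000,
     "dst_port": 22, "proto": "tcp", "attack_type": "network_scan"},
    {"id": 2, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.21", "src_port": 51001,
     "dst_port": 445, "proto": "tcp", "attack_type": "network_scan"},
    {"id": 3, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.21", "src_port": 51100,
     "dst_port": 445, "proto": "tcp", "attack_type": "vulnerability_attack"},
    {"id": 4, "src_ip": "10.0.1.21", "dst_ip": "203.0.113.9", "src_port": 40000,
     "dst_port": 443, "proto": "tcp", "attack_type": "botnet"},
    {"id": 5, "src_ip": "192.168.7.7", "dst_ip": "10.0.2.2", "src_port": 1234,
     "dst_port": 80, "proto": "tcp", "attack_type": "sql_injection"},
]

# Data elements whose equality links two records (assumption: IP addresses only).
DATA_ELEMENTS = ("src_ip", "dst_ip")


def group_by_classification(records):
    """Pass 1: associate results that carry the same classification element."""
    groups = defaultdict(list)
    for r in records:
        groups[r["attack_type"]].append(r["id"])
    return dict(groups)


def link_by_data_elements(records):
    """Pass 2: link any two records that share a data element value."""
    edges = set()
    for a, b in combinations(records, 2):
        shared = {a[k] for k in DATA_ELEMENTS} & {b[k] for k in DATA_ELEMENTS}
        if shared:
            edges.add((a["id"], b["id"]))
    return edges


def attack_chains(records, edges):
    """Connected components of linked records (union-find) are candidate attack chains."""
    parent = {r["id"]: r["id"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    comps = defaultdict(list)
    for rid in parent:
        comps[find(rid)].append(rid)
    return sorted(sorted(c) for c in comps.values())


def situation_graph(records):
    """Fold each chain (in record-id order) into attack-type transitions: the situation graph."""
    by_id = {r["id"]: r for r in records}
    graph = defaultdict(set)
    for chain in attack_chains(records, link_by_data_elements(records)):
        types = [by_id[i]["attack_type"] for i in chain]
        for earlier, later in zip(types, types[1:]):
            if earlier != later:
                graph[earlier].add(later)
    return {k: sorted(v) for k, v in graph.items()}


if __name__ == "__main__":
    print("by classification:", group_by_classification(DETECTIONS))
    print("attack chains:", attack_chains(DETECTIONS, link_by_data_elements(DETECTIONS)))
    print("situation graph:", situation_graph(DETECTIONS))
```

Record 5 shares no data element with the others and so stays an isolated chain, which is the case an analyst would expect to remain unlinked rather than be forced into the scan-to-botnet chain.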
S105, acquiring the device defense capability of the network security device in the network.
In this step, in the field of network security defense, intelligent action decision is a very important task, and it is not only required to perform data mining and fusion, but also to perform deep analysis on portrait data of different aggressors and the capabilities of related defense devices. In order to better implement intelligent action decisions, the defensive capabilities of the device are quantified. In view of this, device defenses of network security devices in a network are first obtained when intelligently recommending decisions for a target network. The higher the equipment defending capability of the network security equipment is, the better the security of the network can be protected even if some decision rules with a defending level not as high are recommended; if the device defensive power of the network security device is lower, the network security device can be adapted by a decision rule with higher defensive level, so that the network security device can better protect the security of the network based on the decision rule.
The network security device has many different functions, such as network security policy control capability of a firewall, disinfection and isolation capability of a terminal, control capability of access rights of identity and application, data access rights control capability, user network access control capability and the like. Accordingly, the device defensive power of each network security device may be measured by a respective device defensive power evaluation index.
However, different device capabilities may not contribute the same amount to the security defenses, so a quantitative evaluation of the device defensive capability evaluation indexes is required. That is, each device defensive capability evaluation index is characterized by a quantized value, and the quantized value of each index is obtained by scoring that index according to its evaluation standard.
Specifically, the embodiment proposes to score the defensive capability of each network security device by using a scoring card, and to provide a reference for the subsequent algorithm by taking the score as an evaluation index.
Optionally, the device defensive ability evaluation index includes: functional completeness index, security intensity and robustness index, vulnerability updating and repairing capability index, performance and expandability index, security policy and control capability and linkage support capability of equipment.
The function completeness index is used for indicating whether the network security device provides the various necessary network security functions, such as firewall, intrusion detection and prevention system, malicious software protection and the like. Based on this, an evaluation criterion corresponding to the index can be set. Specifically, each function can be evaluated with a scoring card according to the function list of the network security device and the evaluation standard corresponding to the index, and the evaluation results of the individual functions are then combined (for example, by weighted summation), so that the quantized value of the function completeness index is obtained and the function completeness of the network security device can be measured.
The security strength and robustness index mentioned above is extremely important for coping with various security threats. Based on this, an evaluation criterion corresponding to the index can be set, and then the certification of the network security device and its compliance with security standards can be evaluated against that criterion using a scoring card, so as to obtain the quantized value of the security strength and robustness index.
The vulnerability updating and repairing capability index is used for representing whether the network security device can update and repair known vulnerabilities in a timely manner, and whether it can respond to and repair newly appearing vulnerabilities rapidly. Based on this, corresponding evaluation standards can be set, and a scoring card is then used to evaluate the vulnerability management mechanism and the vulnerability repair strategy of the network security device according to those standards, so that the quantized value corresponding to the vulnerability updating and repairing capability index is obtained.
The performance and scalability index described above is of paramount importance for large-scale and complex network security threats. Accordingly, scoring criteria may be set for the performance-related quantities of the index, such as a scoring criterion for throughput and a scoring criterion for the number of concurrent connections; similarly, corresponding scoring criteria may be set for the scalability part of the index. Based on these scoring criteria and the scoring card, the performance and scalability of the network security device can be evaluated, so that the quantized value of the performance and scalability index is obtained.
The security policy and control capability described above is critical to the overall security of the network. Based on this, the network access control mechanism of the device, the application access right control mechanism, the validity of the user authentication method, etc. can be examined against the evaluation criteria of the index to obtain the quantized value of the security policy and control capability.
The linkage support capability of the device is mainly measured by the support degree of completion of configuration management of the device through a remote issuing strategy, and based on the measurement, a scoring standard can be set first, and then a quantized value of the linkage support capability of the device can be obtained through evaluation based on the scoring standard and a scoring card.
In order to better understand the above evaluation manner, an example of evaluating the function completeness index is described. First, the functional requirements of the network security device are analyzed: each functional requirement of the device is stated explicitly and analyzed specifically, so as to define the function, its range, its requirements and the corresponding security requirements. The functionality of the network security device is then verified and tested, e.g., using appropriate test tools and environments. For example, for a firewall function, its blocking capability may be verified by sending different types of network traffic and evaluating its effectiveness against various attacks; for an intrusion detection and prevention system, various attack behaviors can be simulated and the response and protection effects of the system observed. Third, the security of each function of the network security device is analyzed and the security strength and credibility of the device are evaluated; potential security risks and vulnerabilities can be identified by considering techniques such as disguise evaluation, robustness analysis and defect analysis. On this basis, the scoring standard that is set can refer to related standards and compliance requirements, such as ISO 27001 and the NIST Cybersecurity Framework; the functions of the network security device are then evaluated using the scoring standard to check whether they meet the corresponding security standards and specification requirements, and quantization is carried out based on the scoring card, so that the quantized value of the function completeness index is obtained.
In addition, after the functional index is evaluated, the test result, the analysis report and the evaluation conclusion generated in the evaluation process can be audited and recorded to form an evaluation report. The assessment report may contain test results for various functions, security analysis, compliance assessment, etc. to provide explicit assessment conclusions and improvement suggestions.
S106, recommending a target decision rule matched with the security situation result and the equipment defensive capability to the network according to a predefined decision rule.
In practical application, based on the decision problem and its targets, comprehensive factors such as the attacker portrait information, the output of the intelligent network security understanding model and the quantitative indexes of the device defensive capability are utilized, and the definition of decision rules and the formulation of response strategies are completed by an intelligent algorithm. In order to improve the accuracy and efficiency of decision rule recommendation, the application proposes that a scenario-based recommendation of decision rules using a preference algorithm can be adopted. Then, by using methods such as the AHP algorithm, the gray correlation analysis method and the hierarchical analysis method, various indexes and factors are considered comprehensively and the optimal treatment scenario is recommended, so as to make intelligent action decisions rapid, accurate and efficient.
It should be noted that the attack portrait of the attacker is generally obtained from threat intelligence, namely the attacker's common attack techniques, attack weapons, commonly used IP addresses and domain names, the hacking organization behind the attacker, and the like. In practical applications, the attack portrait may be extracted from the network security data. Furthermore, the above treatment scenario can be understood as: a predetermined series of specific action steps and operational flows that are performed in the face of a certain situation or event. In the field of network security, a treatment scenario refers to performing the corresponding treatment operations according to predetermined procedures and steps when responding to and processing a network security event or attack. For example, when a certain type of security event occurs, the treatment scenario may characterize how the network security devices need to be scheduled to execute the treatment flow of that security event. That is, the treatment scenario may be understood as: the first step determines which devices are to be used, and the second step determines what those devices are to do.
And each decision rule in the present application is used to select which treatment scenario to handle the security event that occurs. Furthermore, the above response strategy can be understood as: for determining a protection policy to be performed by the security device.
On this basis, step S106 may be performed according to the following procedure: acquiring n pre-configured treatment scripts, wherein each treatment script is used for representing corresponding treatment operation according to a preset flow when responding and processing network security events or network attacks; for each treatment script, determining m reference indexes matched with the treatment script according to the security situation result and the equipment defensive capability, and forming a first matrix of n x m by the reference indexes of each treatment script; acquiring a weight vector formed by weights corresponding to reference indexes of each treatment script, wherein the weight of each reference index is determined based on a weight method; calculating the product of the first matrix and the weight vector to obtain a second matrix, wherein each element in the second matrix is used for representing the score of the treatment script corresponding to the element; and determining a decision rule corresponding to the target treatment scenario, of which the score satisfies the recommendation condition, in the score of each treatment scenario as the target decision rule based on the corresponding relation between the treatment scenario and the decision rule.
In addition, the setting principle of the decision rule is as follows: the network device or security analyst may formulate specific decision rules based on the decision targets and the results output by the detection models. For example, if the probability of the naive bayes detection model output exceeds a certain set threshold, then the attack is judged, otherwise, the attack is judged as normal. Different thresholds can be set according to actual conditions to balance the detection rate and the false alarm rate.
The response policy formulation principle is as follows: the network device or security analyst may formulate a particular response strategy based on the results output by the model. For example, if an attack is determined, blocking measures such as blocking the IP address, closing the port, etc. may be selected; or take monitoring measures such as adding log records, sending alarms, etc. The specific response strategy can be formulated according to factors such as attack type, attack threat degree, system resources and the like.
On this basis, the recommendation mode of the target decision rule is exemplified as follows: assuming that n treatment scenarios are provided, based on the determined security situation result and the quantized value of the equipment defensive capability evaluation index, the current security situation result adapted to the treatment scenario and the quantized value of the target equipment defensive capability evaluation index can be determined for each treatment scenario and recorded as the m reference indexes, wherein the values of n and m can be configured according to actual conditions. Based on this, m reference indexes corresponding to the n treatment scenarios can be obtained respectively, and for convenience of subsequent calculation, the first matrix of n×m is formed.
It is noted that, when determining for each treatment scenario the current security situation result adapted to that scenario and the quantized value of the target device defensive capability evaluation index, a parameter adaptation rule may be set for each treatment scenario; the obtained security situation result and device defensive capability evaluation indexes are then matched against the parameter adaptation rule of each treatment scenario, so as to obtain the m reference indexes corresponding to that scenario. It should be noted that, among the m reference indexes, the number of first indexes (those belonging to the security situation result) and the number of second indexes (those belonging to the device defensive capability evaluation indexes) may be determined according to the actual situation, but the m reference indexes of every treatment scenario include the same number of first indexes and the same number of second indexes.
Notably, when the security situation result is a security attack graph and the matching rule is used to determine the reference indexes of each treatment scenario, the reference indexes matched by the matching rule in the security attack graph may be the elements on the matched attack chain, and each element is then assigned a value so that it can participate in the subsequent computation. If a plurality of attack chains are matched, each attack chain can serve as one reference index, so that the plurality of attack chains serve as a plurality of reference indexes; the value of an attack chain used as a reference index can be calculated from the elements on the chain in a set manner, for example by weighted summation of the element values, so as to obtain the value of the reference index. When the elements are assigned values, a set assignment rule is followed.
On this basis, each treatment scenario has m reference indexes by which its advantages and disadvantages can be evaluated. The reference indexes of all treatment scenarios may be represented as an n×m first matrix, denoted A. In selecting the target treatment scenario, a preference algorithm may be employed, e.g., a weighting method: a weight vector w = [w1, w2, ..., wm] is defined, where wi represents the weight of the i-th reference index. By calculating the weighted result of each reference index with its weight, a score for each treatment scenario, also referred to as its priority, can be obtained.
On this basis, the score vector (i.e., the second matrix) of the treatment scenarios is recorded as x = [x1, x2, ..., xn], where xi represents the score of the i-th treatment scenario, and the score vector may be calculated by matrix multiplication, i.e., x = A × w. Further, the treatment scenario with the highest score in the score vector may be selected as the target treatment scenario, and the decision rule corresponding to the target treatment scenario is recorded as the target decision rule to be recommended in the present application. Thereby, a decision rule adapted to the current network can be recommended to better protect the security of the network.
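The scoring procedure of step S106 (first matrix A, weight vector w, score vector x = A × w, highest score wins), as an added example that is not part of the patent. The scenario names, parameter adaptation rules, index values, raw weights and the scenario-to-rule mapping are all constructed; the "weight method" is assumed to be a simple normalization of raw importance values.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed security situation result (first indexes): elements of the
# matched attack chain, already turned into numbers by an assumed assignment
# rule (e.g. chain length scaled to 0..1).
SITUATION: Dict[str, float] = {"chain_len": 0.75, "max_severity": 0.8, "scope": 0.6}

# Constructed quantized device defensive capability indexes (second indexes):
# score-card values on a 0..1 scale, named after the six indexes in the text.
DEVICE_CAPABILITY: Dict[str, float] = {
    "functional_completeness": 0.7,
    "security_strength": 0.6,
    "vuln_repair": 0.9,
    "performance": 0.5,
    "policy_control": 0.8,
    "linkage_support": 0.4,
}

# Constructed parameter adaptation rule per treatment scenario: which first
# indexes and which second indexes form its m = 4 reference indexes.  Every
# scenario uses the same number of first and of second indexes.
SCENARIOS: Dict[str, Tuple[Sequence[str], Sequence[str]]] = {
    "block_at_firewall": (("chain_len", "max_severity"), ("policy_control", "performance")),
    "isolate_endpoint": (("chain_len", "scope"), ("functional_completeness", "linkage_support")),
    "monitor_and_alert": (("max_severity", "scope"), ("security_strength", "vuln_repair")),
}

# Constructed correspondence between treatment scenario and decision rule.
DECISION_RULES: Dict[str, str] = {
    "block_at_firewall": "rule_block_source_ip",
    "isolate_endpoint": "rule_quarantine_host",
    "monitor_and_alert": "rule_raise_alert_only",
}


def build_first_matrix(situation, capability, scenarios) -> List[List[float]]:
    """Row i holds the m reference indexes of scenario i (the n x m first matrix A)."""
    matrix = []
    for first_keys, second_keys in scenarios.values():
        row = [situation[k] for k in first_keys] + [capability[k] for k in second_keys]
        matrix.append(row)
    if len({len(r) for r in matrix}) != 1:
        raise ValueError("every scenario must yield the same number of reference indexes")
    return matrix


def normalize_weights(raw: Sequence[float]) -> List[float]:
    """Assumed 'weight method': raw importance values scaled to sum to 1."""
    total = sum(raw)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    return [r / total for r in raw]


def score_scenarios(matrix, weights) -> List[float]:
    """Second matrix x = A * w: one score (priority) per treatment scenario."""
    if any(len(row) != len(weights) for row in matrix):
        raise ValueError("weight vector length must equal the number of reference indexes")
    return [sum(a * w for a, w in zip(row, weights)) for row in matrix]


def recommend(situation=SITUATION, capability=DEVICE_CAPABILITY,
              scenarios=SCENARIOS, raw_weights=(4, 3, 2, 1)):
    """Return (target scenario, target decision rule, its score).
    Recommendation condition: the highest score wins."""
    names = list(scenarios)
    matrix = build_first_matrix(situation, capability, scenarios)
    scores = score_scenarios(matrix, normalize_weights(raw_weights))
    best = max(range(len(names)), key=lambda i: scores[i])
    return names[best], DECISION_RULES[names[best]], scores[best]


if __name__ == "__main__":
    print(recommend())
```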
Based on any one of the above embodiments, the decision recommendation method provided in this embodiment may further include the following procedures: and outputting a corresponding response strategy for the network according to the security detection results so as to execute corresponding network protection operation based on the response strategy.
Specifically, when recommending a response strategy, the recommendation method of the response strategy may follow the recommendation method of the target decision rule: each security detection result is used as a reference index, a plurality of corresponding reference indexes are determined for each predefined response strategy, and the recommendation then proceeds over these reference indexes in the same way as for the target decision rule; the detailed process is not repeated here. Therefore, a response strategy adapted to the current network can be recommended so that the network protection operation is executed better, so as to protect the security of the network.
Based on any one of the above embodiments, the network security data includes network attack data and abnormal behavior data; on the basis, the decision recommendation method provided by the embodiment can further comprise the following steps: processing the network attack data and the abnormal behavior data by using a statistical analysis tool, and identifying an attack rule and an attack trend of the network security data; identifying the network attack data and the abnormal behavior data by using an abnormal detection algorithm so as to identify the abnormal condition of the network; outputting the attack rule, the attack trend and the abnormal situation.
Specifically, in order to better understand the network security situation deeply and accurately, the embodiment may utilize data exploration and visualization technology to analyze and observe network attack data and abnormal behavior data in the network security data, so as to find rules, trends and abnormal situations in the network attack data and the abnormal behavior data. The system can use statistical analysis, data mining and visualization tools, such as statistical graphs, cluster analysis, anomaly detection and the like, and display analysis results and trends of network security states in the forms of graphs, reports and the like so as to help the system understand network security situations.
Optionally, based on any one of the foregoing embodiments, the decision recommendation method provided in this embodiment may further include the following procedures: acquiring a history use record of each decision rule; processing the historical use records of each decision rule by using a reinforcement learning algorithm or a self-supervision learning algorithm to obtain an optimization adjustment target; and carrying out optimization processing on each decision rule according to the optimization adjustment target.
In practical application, in network security defense, feedback optimization is an important method, and the accuracy and effect of intelligent action decision are improved by continuously learning and optimizing decision strategies. In view of this, the present embodiment proposes that reinforcement learning algorithms and self-supervised learning algorithms can be introduced, with updated optimization of decision rules using historical usage records, which may include actual feedback and historical data.
Specifically, the reinforcement learning algorithm is a method of learning an optimal decision strategy by trial and error. In network security defense, reinforcement learning can be applied to decision rule optimization so that decisions are constantly learned and optimized from actual feedback. Specifically, a reinforcement learning model may be built that models the decision process as a Markov decision process; by defining elements such as states, actions, rewards and decision rules, the system constantly learns and adjusts the decision strategy during its interaction with the environment so as to obtain the maximum cumulative reward.
In the selection of the reinforcement learning algorithm, the Q-learning algorithm, the Deep Q Network (DQN) algorithm, and the like may be considered. These algorithms estimate the value of each action by building a Q-value function and optimize the decision rule by updating the Q-value. By introducing the reinforcement learning algorithm, the decision rule can be continuously learned and optimized from the actual feedback, and the accuracy and effect of the optimized decision rule are improved.
It should be noted that, taking the intrusion detection decision rule as an example for illustration, the states, actions, rewards and decision rules related to the reinforcement learning algorithm are defined as follows:
state definition: the network traffic data and the state of the intrusion detection system (such as the number of alarms, false alarm rate, attack type, etc.) are used as the states of the model. For example, statistical features of traffic data such as packet size, transmission frequency, protocol type, etc. may be used.
Action definition: defining response actions of the intrusion detection system, such as blocking traffic, enhancing logging, notifying security administrators, etc.
Reward definition: rewards and penalties are defined based on the accuracy of intrusion detection and the timeliness of the response. For example, successfully detecting an unknown attack and responding in time earns a positive reward, while a false positive or false negative event is penalized.
Decision rule definition: a reinforcement learning model, such as a Deep Q-Network, is built to optimize decision rules for intrusion detection systems by interacting with the environment. The model selects an action according to the current state and the rewarding situation, and updates the decision rule network according to feedback, so that the model gradually learns better intrusion detection decision rules.
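Tabular Q-learning over state, action and reward definitions of the kind listed above, as an added example that is not part of the patent. The four states, three actions, the reward table and the transition model are constructed for illustration; a real system would take states from traffic features and IDS statistics and rewards from analyst feedback, and a DQN would replace the table with a network.

```python
import random

# Constructed states: (traffic class as later confirmed by the analyst, IDS alarm level).
STATES = ["benign/low_alarms", "benign/high_alarms", "attack/low_alarms", "attack/high_alarms"]
# Actions: the response actions named in the text.
ACTIONS = ["block_traffic", "enhance_logging", "notify_admin"]


def reward(state: str, action: str) -> float:
    """Constructed reward: timely blocking of an attack earns +1; blocking benign
    traffic (false positive) costs -1; leaving an attack at logging level
    (false negative) costs -0.5; notifying an admin is a slow, partial response."""
    under_attack = state.startswith("attack")
    if action == "block_traffic":
        return 1.0 if under_attack else -1.0
    if action == "enhance_logging":
        return -0.5 if under_attack else 0.3
    return 0.5 if under_attack else -0.2  # notify_admin


def next_state(rng: random.Random) -> str:
    """Constructed transition: the next traffic window does not depend on the action."""
    return rng.choice(STATES)


def train_q_table(steps: int = 20000, alpha: float = 0.1, gamma: float = 0.5,
                  epsilon: float = 0.3, seed: int = 1):
    """Q-learning with an epsilon-greedy behaviour policy; returns Q[state][action]."""
    rng = random.Random(seed)
    q = {s: {a: 0.0 for a in ACTIONS} for s in STATES}
    s = next_state(rng)
    for _ in range(steps):
        if rng.random() < epsilon:
            a = rng.choice(ACTIONS)                      # explore
        else:
            a = max(ACTIONS, key=lambda x: q[s][x])      # exploit current rule
        r = reward(s, a)
        s2 = next_state(rng)
        # Q-learning update: move Q(s,a) toward r + gamma * max_a' Q(s',a').
        q[s][a] += alpha * (r + gamma * max(q[s2].values()) - q[s][a])
        s = s2
    return q


def decision_rule(q, state: str) -> str:
    """The learned decision rule: the greedy action for a state."""
    return max(ACTIONS, key=lambda a: q[state][a])


if __name__ == "__main__":
    table = train_q_table()
    for st in STATES:
        print(st, "->", decision_rule(table, st))
```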
In addition, self-supervised learning is an unsupervised learning method that uses the information inherent in the historical records to find decision rules with potential problems that require improvement. In network security defense, a self-supervised learning algorithm may also be used to mine and analyze the historical usage records. These records are related to time: each decision rule has a point in time, and the current decision record becomes a historical record as time goes on.
Specifically, the present embodiment can model and learn the historical usage records using an algorithm such as an autoencoder or a variational autoencoder. These algorithms discover hidden structures and features in the data by learning a low-dimensional representation of the data. By mining the historical usage records, potential problems and room for improvement can be found to guide the optimization of decision rules, roughly as follows:
1. Data preparation: historical decision records are collected, and preprocessing and feature extraction, such as statistical features or frequency analysis, are performed.
2. Autoencoder modeling: an autoencoder model is constructed, consisting of an encoder and a decoder. The encoder maps the input historical usage record to a low-dimensional latent space, and the decoder decodes the latent representation into reconstructed data.
3. Loss function definition: the loss function of the autoencoder is defined; typically the reconstruction error, which measures the difference between the reconstructed data and the original data, is used as the loss function.
4. Model training: the autoencoder model is trained on the historical usage records, optimizing the parameters of the encoder and decoder by minimizing the loss function; optimization algorithms such as gradient descent can be used for the parameter updates.
5. Anomaly detection: a new decision rule is reconstructed with the trained autoencoder model and its reconstruction error is calculated. If the reconstruction error exceeds a predefined threshold, the decision rule may be considered abnormal and requires adjustment.
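Steps 1 to 5 carried through with a minimal linear autoencoder trained by plain gradient descent, as an added example that is not part of the patent. The three-feature record layout, the constructed usage records, the starting weights and the threshold rule (a multiple of the largest training error) are assumptions; a deployment would use a library autoencoder on real usage records.

```python
import random

FEATURES = 3  # constructed layout: hits/day, alerts/day, blocks/day, each scaled to 0..1


def make_records(n: int = 20, noise: float = 0.01, seed: int = 7):
    """Step 1 (constructed data): historical usage records of n normal decision
    rules.  A normal rule keeps its three features in a fixed ratio; small
    Gaussian noise stands in for day-to-day variation."""
    rng = random.Random(seed)
    base = (0.3, 0.6, 0.9)
    return [[(i / n) * b + rng.gauss(0, noise) for b in base] for i in range(1, n + 1)]


class LinearAutoencoder:
    """Steps 2-4: a 3 -> 1 -> 3 linear autoencoder trained by gradient descent."""

    def __init__(self):
        # Deterministic, deliberately generic starting weights (not aligned with the data).
        self.w_enc = [0.5, 0.1, 0.1]  # encoder: features -> one latent value
        self.w_dec = [0.1, 0.5, 0.1]  # decoder: latent value -> features

    def encode(self, x):
        return sum(w * xi for w, xi in zip(self.w_enc, x))

    def decode(self, h):
        return [w * h for w in self.w_dec]

    def reconstruction_error(self, x):
        """Step 3: squared reconstruction error of one record."""
        return sum((r - xi) ** 2 for r, xi in zip(self.decode(self.encode(x)), x))

    def fit(self, records, epochs: int = 3000, lr: float = 0.1):
        """Step 4: full-batch gradient descent on the mean reconstruction error."""
        n = len(records)
        for _ in range(epochs):
            g_enc = [0.0] * FEATURES
            g_dec = [0.0] * FEATURES
            for x in records:
                h = self.encode(x)
                err = [r - xi for r, xi in zip(self.decode(h), x)]  # x_hat - x
                # dL/dh = 2 * (w_dec . err); dL/dw_dec_j = 2 * err_j * h; dL/dw_enc_j = dL/dh * x_j
                dh = 2.0 * sum(w * e for w, e in zip(self.w_dec, err))
                for j in range(FEATURES):
                    g_dec[j] += 2.0 * err[j] * h
                    g_enc[j] += dh * x[j]
            self.w_dec = [w - lr * g / n for w, g in zip(self.w_dec, g_dec)]
            self.w_enc = [w - lr * g / n for w, g in zip(self.w_enc, g_enc)]
        return self


def error_threshold(model, records, factor: float = 2.0):
    """Assumed threshold rule: a multiple of the largest training error."""
    return factor * max(model.reconstruction_error(x) for x in records)


def is_abnormal(model, record, threshold):
    """Step 5: a rule whose record reconstructs badly is flagged for adjustment."""
    return model.reconstruction_error(record) > threshold


if __name__ == "__main__":
    history = make_records()
    ae = LinearAutoencoder().fit(history)
    limit = error_threshold(ae, history)
    # Constructed new records: one in the normal ratio, one with many alerts but few hits/blocks.
    for rec in ([0.165, 0.33, 0.495], [0.1, 0.9, 0.1]):
        print(rec, "abnormal" if is_abnormal(ae, rec, limit) else "normal")
```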
It should be noted that the response policy may also be optimized by referring to the optimization method of the decision rule, which is not described in detail herein.
By introducing reinforcement learning algorithms and self-supervised learning algorithms, the network security defense system can constantly learn and optimize decision rules or response strategies based on historical usage records. The reinforcement learning algorithm can continuously adjust the decision rule or response strategy from actual feedback so as to obtain a better effect; the self-supervised learning algorithm can find potential problems and possible improvements in the historical usage records so as to guide the optimization of the decision rules, thereby further improving the accuracy and efficiency of decision rule recommendation and enhancing the network security defense capability.
By implementing the decision recommendation method provided by the application, after the network environment data is acquired, the network environment data is subjected to data analysis and mining processing, so that the network security data in the network is obtained at a deeper level, that is, the network is understood more deeply. On this basis, according to the data types corresponding to the network security data, the corresponding security detection models are called to identify the network security data, and the security detection results corresponding to each data type are obtained. Association analysis processing is carried out on the security detection results to obtain the security situation result of the network, so that the security situation in the current network can be obtained more accurately from the network security data. Since network security is related to the defensive capability of the network security devices in the network, the application also acquires that defensive capability. A target decision rule matching the security situation result and the device defensive capability is then recommended for the network according to a predefined decision rule, so that the recommended target decision rule matches both the defensive capability of the network security devices and the security situation of the network; attacks in the network can therefore be protected against better and more accurately by using the target decision rule, and the security of the network is further protected.
In addition, a full-element knowledge base can be formed through intelligent cognition, intelligent understanding and intelligent decision, a foundation is laid for efficiency and timeliness of a protection means which needs to be adopted when the network space security situation faces network attack, and meanwhile, assistance is provided for security operation and operation maintenance personnel to monitor the security situation of the whole network.
Based on the same inventive concept, the application also provides a decision recommendation device corresponding to the decision recommendation method. The implementation of the decision recommending apparatus may refer specifically to the above description of the decision recommending method, and will not be discussed here.
Referring to fig. 2, fig. 2 is a decision recommendation apparatus according to an exemplary embodiment of the present application, including:
the acquisition module 201 is configured to acquire network environment data of a network;
the first processing module 202 is configured to perform data analysis and mining processing on the network environment data to obtain network security data;
the identification module 203 is configured to respectively invoke a corresponding security detection model to identify the network security data according to the data type corresponding to the network security data, so as to obtain security detection results corresponding to each data type respectively;
the association analysis module 204 is configured to perform association analysis processing on each security detection result, so as to obtain a security situation result of the network;
a first obtaining module 205, configured to obtain a device defense capability of a network security device in the network;
and a recommending module 206, configured to recommend, for the network, a target decision rule matching the security situation result and the device defensive capability according to a predefined decision rule.
Optionally, based on the foregoing embodiment, in this embodiment, the data types include at least: text type, intrusion detection type, event type, high-dimensional data type, nonlinear data type;
on this basis, the above-mentioned identification module 203 is specifically configured to:
when text type and/or intrusion detection type data exist in the network security data, a naive Bayesian detection model is utilized to identify and process the text data and/or intrusion detection data in the network security data, and a first security detection result is obtained;
when the data of the event type exists in the network security data, classifying and identifying the network security event existing in the network security data by utilizing a decision tree detection model to obtain a second security detection result;
when data of the high-dimensional data type and/or the nonlinear data type exist in the network security data, the high-dimensional security data and/or the nonlinear security data existing in the network security data are identified by using a support vector machine detection model or a random forest detection model, and a third security detection result is obtained; and when data of the nonlinear data type exist in the network security data, the vulnerability scanning data of the network security data are identified by using a neural network detection model to obtain a fourth security detection result.
On this basis, the association analysis module 204 is specifically configured to identify target elements having an association relationship in the security detection result corresponding to each data type; and constructing a security situation map among all detection results according to the target elements.
Optionally, based on any one of the foregoing embodiments, device defensive abilities of the network security device in this embodiment are measured by device defensive ability evaluation indexes, and each device defensive ability evaluation index is characterized by a quantized value of the device defensive ability evaluation index; the quantized value of each equipment defensive ability evaluation index is obtained by scoring the equipment defensive ability evaluation index based on the evaluation standard of the equipment defensive ability evaluation index;
wherein the device defensive ability assessment index comprises: functional completeness index, security intensity and robustness index, vulnerability updating and repairing capability index, performance and expandability index, security policy and control capability and linkage support capability of equipment.
Further, the recommendation module 206 is specifically configured to:
acquiring n pre-configured treatment scripts, wherein each treatment script is used for representing corresponding treatment operation according to a preset flow when responding and processing network security events or network attacks;
forming a first matrix of n×m from the n treatment scripts and the m reference indexes formed by the security situation result and the device defensive capability;
acquiring a weight vector formed by weights corresponding to each reference index, wherein the weight of each reference index is determined based on a weight method;
calculating the product of the first matrix and the weight vector to obtain a second matrix, wherein each element in the second matrix is used for representing the score of the treatment script corresponding to the element;
and determining a decision rule corresponding to the target treatment scenario, of which the score meets the recommendation condition, in the score of each treatment scenario as the target decision rule based on the corresponding relation between the treatment scenario and the decision rule.
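The weighted scoring that the recommendation module 206 performs (and that claim 4 restates), worked through in Python as an added example that is not the patent's own code. The playbook names, the evaluation standard for the six device capability indexes, the index values, the fixed weights, the playbook-to-rule mapping and the recommendation condition (highest score at or above a minimum) are all assumptions made here.

```python
"""Playbook scoring for the recommendation module. Added example, not the patent's
own code: playbooks, standard, values, weights, condition and rule mapping are assumed."""
from dataclasses import dataclass

# The six device defensive-capability evaluation indexes named in the text, in a
# fixed order so that reference-index rows line up with the weight vector.
DEVICE_INDEXES = ("functional_completeness", "security_strength_robustness",
                  "vuln_update_repair", "performance_scalability",
                  "policy_and_control", "linkage_support")
# Assumed evaluation standard: the raw measurement that earns the full score 1.0.
FULL_MARK = {"functional_completeness": 10, "security_strength_robustness": 5,
             "vuln_update_repair": 5, "performance_scalability": 10,
             "policy_and_control": 5, "linkage_support": 5}

@dataclass
class Playbook:
    """A pre-configured treatment script and the decision rule it maps to."""
    name: str
    decision_rule: str
    situation_fit: float            # match to the security situation result, 0..1
    needs: frozenset = frozenset()  # device indexes this playbook relies on

def quantize_device_capability(raw: dict) -> dict:
    """Score each index against its standard: clamp(raw / full mark, 0, 1)."""
    return {n: max(0.0, min(1.0, raw.get(n, 0.0) / FULL_MARK[n])) for n in DEVICE_INDEXES}

def reference_row(pb: Playbook, device: dict) -> list:
    """The m reference indexes of one playbook: its situation fit, then each device
    index (quantized value if the playbook relies on it, else 1.0: no constraint)."""
    return [pb.situation_fit] + [device[i] if i in pb.needs else 1.0 for i in DEVICE_INDEXES]

def score_playbooks(playbooks, device, weights) -> dict:
    """First matrix (n x m) times the weight vector (m) gives one score per playbook."""
    assert len(weights) == 1 + len(DEVICE_INDEXES) and abs(sum(weights) - 1) < 1e-9
    matrix = [reference_row(pb, device) for pb in playbooks]  # n x m
    return {pb.name: sum(x * w for x, w in zip(row, weights))
            for pb, row in zip(playbooks, matrix)}

def recommend(playbooks, device, weights, min_score):
    """Recommendation condition (assumed): highest score, at or above min_score.
    Returns (playbook name, decision rule), or None when nothing qualifies."""
    scores = score_playbooks(playbooks, device, weights)
    best = max(scores, key=scores.get)
    if scores[best] < min_score:
        return None
    return best, next(pb.decision_rule for pb in playbooks if pb.name == best)

# Constructed sample input: three playbooks, one device's raw measurements and
# fixed weights (the page leaves the weighting method unspecified). With these
# inputs isolate_host scores 0.88 and is the only playbook at or above 0.85.
PLAYBOOKS = [
    Playbook("isolate_host", "RULE-ISOLATE-HOST", 0.9,
             frozenset({"policy_and_control", "linkage_support"})),
    Playbook("patch_and_rescan", "RULE-PATCH-RESCAN", 0.7,
             frozenset({"vuln_update_repair", "performance_scalability"})),
    Playbook("tighten_policy", "RULE-TIGHTEN-POLICY", 0.6, frozenset({"policy_and_control"})),
]
DEVICE_RAW = {"functional_completeness": 8, "security_strength_robustness": 4,
              "vuln_update_repair": 3, "performance_scalability": 7,
              "policy_and_control": 5, "linkage_support": 1}
WEIGHTS = [0.4] + [0.1] * len(DEVICE_INDEXES)  # situation fit 0.4, each device index 0.1
```

Calling `recommend(PLAYBOOKS, quantize_device_capability(DEVICE_RAW), WEIGHTS, 0.85)` returns the isolate_host playbook and its rule; raising the minimum to 0.9 returns None, which is the case a caller must handle before acting on a recommendation.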
Optionally, based on any one of the foregoing embodiments, the decision recommendation apparatus provided in this embodiment may further include:
a first output module (not shown in the figure), configured to output a corresponding response strategy for the network according to the security detection results, so that corresponding network protection operations are executed based on the response strategy.
Optionally, based on any one of the foregoing embodiments, the network security data in this embodiment include network attack data and abnormal behavior data; on this basis, the decision recommendation apparatus provided in this embodiment may further include:
a statistical module (not shown in the figure), configured to process the network attack data and the abnormal behavior data with a statistical analysis tool and identify the attack patterns and attack trends in the network security data;
an anomaly detection module (not shown in the figure), configured to identify the network attack data and the abnormal behavior data with an anomaly detection algorithm so as to identify the abnormal condition of the network;
and a second output module (not shown in the figure), configured to output the attack patterns, the attack trends and the abnormal condition.
Optionally, based on any one of the foregoing embodiments, the decision recommendation apparatus provided in this embodiment may further include:
a second obtaining module (not shown in the figure), configured to obtain the historical usage records of each decision rule;
a second processing module (not shown in the figure), configured to process the historical usage records of each decision rule with a reinforcement learning algorithm or a self-supervised learning algorithm to obtain an optimization adjustment target;
and an optimization module (not shown in the figure), configured to optimize each decision rule according to the optimization adjustment target.
Based on the same inventive concept, the embodiment of the application provides an electronic device for implementing the decision recommendation method. As shown in Fig. 3, the electronic device may include a processor 301 and a machine-readable storage medium 302, the machine-readable storage medium 302 storing a computer program executable by the processor 301, the computer program causing the processor 301 to perform the decision recommendation method provided by any of the embodiments of the present application. The electronic device further comprises a communication interface 303 and a communication bus 304, wherein the processor 301, the communication interface 303 and the machine-readable storage medium 302 communicate with each other via the communication bus 304.
The communication bus mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is drawn in the figure, but this does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The machine-readable storage medium 302 may be a memory, which may include random access memory (RAM), DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), or non-volatile memory (NVM) such as at least one magnetic disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The description of the electronic device and machine-readable storage medium embodiments is relatively brief because their content is substantially similar to that of the method embodiments described above; for the relevant points, refer to the description of the method embodiments.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The implementation of the functions and roles of each unit/module in the above apparatus is specifically described in the implementation of the corresponding steps in the above method, and is not repeated here.
For the apparatus embodiments, since they essentially correspond to the method embodiments, refer to the description of the method embodiments for the relevant points. The apparatus embodiments described above are merely illustrative: the units/modules described as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules, i.e., they may be located in one place or distributed over a plurality of network units/modules. Some or all of the units/modules may be selected according to actual needs to achieve the purposes of the present application. Those of ordinary skill in the art can understand and implement them without undue effort.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (11)

1. A decision recommendation method, comprising:
collecting network environment data of a network;
performing data analysis and mining processing on the network environment data to obtain network security data;
calling, according to the data types corresponding to the network security data, a corresponding security detection model for each data type to identify the network security data, and obtaining a security detection result corresponding to each data type;
performing association analysis processing on each security detection result to obtain a security situation result of the network;
acquiring the device defensive capability of network security devices in the network;
and recommending, according to predefined decision rules, a target decision rule matching the security situation result and the device defensive capability for the network.
2. The method according to claim 1, wherein the data types comprise at least: a text type, an intrusion detection type, an event type, a high-dimensional data type, and a nonlinear data type;
and calling, according to the data types corresponding to the network security data, a corresponding security detection model for each data type to identify the network security data and obtain a security detection result corresponding to each data type comprises:
when data of the text type and/or the intrusion detection type exist in the network security data, identifying the text data or the intrusion detection data in the network security data by using a corresponding naive Bayes detection model to obtain a first security detection result;
when data of the event type exist in the network security data, classifying and identifying the network security events in the network security data by using a decision tree detection model to obtain a second security detection result;
when data of the high-dimensional data type and/or the nonlinear data type exist in the network security data, identifying the high-dimensional security data and/or the nonlinear security data in the network security data by using a support vector machine detection model or a random forest detection model to obtain a third security detection result;
and when data of the nonlinear data type exist in the network security data, identifying the vulnerability scanning data in the network security data by using a neural network detection model to obtain a fourth security detection result.
3. The method according to claim 1, wherein the device defensive capability of the network security device is measured by device defensive capability evaluation indexes, each of which is characterized by a quantized value; the quantized value of each evaluation index is obtained by scoring that index against its evaluation standard;
wherein the device defensive capability evaluation indexes comprise: a functional completeness index, a security strength and robustness index, a vulnerability update and repair capability index, a performance and scalability index, a security policy and control capability index, and a linkage support capability index of the device.
4. The method according to claim 3, wherein recommending, according to predefined decision rules, a target decision rule matching the security situation result and the device defensive capability for the network comprises:
acquiring n pre-configured treatment scripts, each of which represents the treatment operations to be carried out, in a preset flow, when responding to and handling a network security event or network attack;
for each treatment script, determining m reference indexes matching the treatment script according to the security situation result and the device defensive capability, and forming an n × m first matrix from the reference indexes of all treatment scripts;
acquiring a weight vector formed by the weights corresponding to the reference indexes of each treatment script, where the weight of each reference index is determined by a weighting method;
calculating the product of the first matrix and the weight vector to obtain a second matrix, where each element of the second matrix represents the score of the treatment script corresponding to that element;
and determining, based on the correspondence between treatment scripts and decision rules, the decision rule corresponding to the target treatment script whose score meets the recommendation condition as the target decision rule.
5. The method as recited in claim 1, further comprising:
outputting a corresponding response strategy for the network according to the security detection results, so that corresponding network protection operations are executed based on the response strategy.
6. The method according to claim 1, wherein the network security data comprise network attack data and abnormal behavior data; and the method further comprises:
processing the network attack data and the abnormal behavior data with a statistical analysis tool to identify the attack patterns and attack trends in the network security data;
identifying the network attack data and the abnormal behavior data with an anomaly detection algorithm so as to identify the abnormal condition of the network;
and outputting the attack patterns, the attack trends and the abnormal condition.
7. The method as recited in claim 1, further comprising:
acquiring the historical usage records of each decision rule;
processing the historical usage records of each decision rule with a reinforcement learning algorithm or a self-supervised learning algorithm to obtain an optimization adjustment target;
and optimizing each decision rule according to the optimization adjustment target.
8. The method of claim 1, wherein performing an association analysis process on each security detection result to obtain a security situation result of the network, comprises:
identifying target elements with association relations in security detection results corresponding to all data types;
and constructing a security situation map among all detection results according to the target elements.
9. A decision recommendation device, comprising:
a collection module, configured to collect network environment data of a network;
a processing module, configured to perform data analysis and mining processing on the network environment data to obtain network security data;
an identification module, configured to call, according to the data types corresponding to the network security data, a corresponding security detection model for each data type to identify the network security data and obtain a security detection result corresponding to each data type;
an association analysis module, configured to perform association analysis processing on each security detection result to obtain a security situation result of the network;
an obtaining module, configured to obtain the device defensive capability of network security devices in the network;
and a recommendation module, configured to recommend, according to predefined decision rules, a target decision rule matching the security situation result and the device defensive capability for the network.
10. An electronic device comprising a processor and a machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method of any one of claims 1-8.
11. A machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method of any one of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311265077.7A CN117478358A (en) 2023-09-27 2023-09-27 Decision recommendation method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311265077.7A CN117478358A (en) 2023-09-27 2023-09-27 Decision recommendation method and device

Publications (1)

Publication Number Publication Date
CN117478358A true CN117478358A (en) 2024-01-30

Family

ID=89630207

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311265077.7A Pending CN117478358A (en) 2023-09-27 2023-09-27 Decision recommendation method and device

Country Status (1)

Country Link
CN (1) CN117478358A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118014165A (en) * 2024-04-08 2024-05-10 珠海市嘉德电能科技有限公司 Traceability management method and traceability management system for lithium ion battery production

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination