CN117749448B - Intelligent early warning method and device for network potential risk - Google Patents

Intelligent early warning method and device for network potential risk

Publication number
CN117749448B
CN117749448B CN202311682893.8A CN202311682893A CN117749448B CN 117749448 B CN117749448 B CN 117749448B CN 202311682893 A CN202311682893 A CN 202311682893A CN 117749448 B CN117749448 B CN 117749448B
Authority
CN
China
Prior art keywords
fuzzy
data
result
classification
risk assessment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311682893.8A
Other languages
Chinese (zh)
Other versions
CN117749448A (en
Inventor
徐朝禄
李锋锐
徐江扬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Rongzhan Information Technology Co ltd
Original Assignee
Guangzhou Rongzhan Information Technology Co ltd
Application filed by Guangzhou Rongzhan Information Technology Co ltd
Priority to CN202311682893.8A
Publication of CN117749448A
Application granted
Publication of CN117749448B

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a network potential risk intelligent early warning method and device, and relates to the technical field of network early warning, wherein the method comprises the following steps: performing fuzzy logic operation according to the fuzzy data and a preset condition library to calculate the matching degree and operation result of each condition; converting the operation result into a specific numerical value and generating fusion data; constructing a dynamic risk assessment model according to the fusion data; according to the dynamic network state and the dynamic risk assessment model, a risk assessment result is obtained; and predicting the risk level according to the risk assessment result. The invention can monitor the security event and abnormal behavior in the network in real time, intelligently pre-warn the potential network risk, and adjust and optimize in real time according to the change of the network environment and the evolution of the attack behavior so as to improve the defending capability.

Description

Intelligent early warning method and device for network potential risk
Technical Field
The invention relates to the technical field of network early warning, in particular to an intelligent early warning method and device for potential risks of a network.
Background
In the current network environment, network security problems are increasingly serious, and network attacks and threats are increasing. Traditional network security defense methods often rely on static rules and fixed models, and cannot adapt to dynamically changing network environments and novel network attack means. This results in the following problems:
1. Limitations of static rules: conventional network security defense methods typically use static rules to detect and block known attack patterns. However, network attackers continually change their attack strategies and means, making it difficult for static rules to keep pace with new types of attacks.
2. Limitations of fixed models: conventional network security defense approaches typically use fixed models to identify and classify network traffic. These models are often trained on known attack characteristics and behaviors and cannot accommodate new types of attacks and unknown network behaviors.
Disclosure of Invention
The invention aims to solve the technical problem of providing an intelligent early warning method and device for network potential risks, which can monitor security events and abnormal behaviors in a network in real time, intelligently give early warning of potential network risks, and adjust and optimize in real time according to changes in the network environment and the evolution of attack behaviors, so as to improve the defending capability.
In order to solve the technical problems, the technical scheme of the invention is as follows:
In a first aspect, a network potential risk intelligent early warning method includes:
Acquiring a data stream generated by security equipment in a network;
Dynamically extracting key features from the data stream;
Dynamically adjusting the classification model according to the key features so that the classification model classifies the events according to preset priority to obtain classification results;
Fuzzifying the classification result through a membership function so as to map each event to a corresponding fuzzy set to form fuzzified data;
Performing fuzzy logic operation according to the fuzzy data and a preset condition library to calculate the matching degree and operation result of each condition;
Converting the operation result into a specific numerical value and generating fusion data;
Constructing a dynamic risk assessment model according to the fusion data;
According to the dynamic network state and the dynamic risk assessment model, a risk assessment result is obtained;
And predicting the risk level according to the risk assessment result.
Further, dynamically extracting key features in the data stream includes:
Calculating entropy of the current data set;
According to each feature, calculating a conditional entropy corresponding to each feature value under the current data set;
Calculating an information gain result of each feature according to the conditional entropy;
And determining the final distinguishing feature according to the information gain result of each feature.
Further, according to the key features, dynamically adjusting the classification model to enable the classification model to classify the event according to a preset priority, so as to obtain a classification result, including:
Determining priorities of different events according to application scenes and requirements;
Determining a classification model according to the data characteristics and the classification requirements, and training the classification model by using the marked training data set;
Dynamically adjusting the classification model according to the change of the real-time data stream and the priority of the event;
And classifying the new event according to the dynamically adjusted classification model, and generating a classification result.
Further, fuzzifying the classification result through a membership function so as to map each event to a corresponding fuzzy set to form fuzzified data, including:
Classifying the events according to the classification model to obtain a determined classification result;
Mapping deterministic results onto one or more fuzzy sets using membership functions to reflect fuzzy relationships between events and different categories or priorities;
For each determined classification result, mapping the classification result onto a corresponding fuzzy set by using a membership function, wherein the mapped result is a fuzzy membership value which indicates the degree of the event belonging to different categories or priorities;
And combining fuzzy membership values obtained after all the events are mapped by membership functions to form fuzzy data.
Further, performing fuzzy logic operation according to the fuzzy data and a preset condition library to calculate the matching degree and operation result of each condition, including:
Presetting a condition library, comprising descriptions of different conditions and fuzzy logic conditions corresponding to the different conditions, wherein each condition is associated with one or more input variables, and determining a fuzzy set and a membership function of the fuzzy set;
For each condition, according to each input variable, comparing the fuzzy value of the input variable with fuzzy sets in the condition, and calculating the matching degree of each condition;
Combining the matching degree of each input variable, and calculating the result of fuzzy logic operation according to the fuzzy logic activation condition;
Summarizing the fuzzy logic operation results of all conditions to obtain final fuzzy output.
Further, converting the operation result into a specific numerical value, and generating fusion data, including:
For each fuzzy output, through Calculating a weighted average of the membership of each fuzzy set, wherein Representing the result after defuzzification, $y_i$ representing the result of defuzzification of the fuzzy set, $\mu_i$ representing the membership of the fuzzy set, $w_i$ representing the weight of the fuzzy set, The defuzzification result of the weighted average is represented, and $n$ represents the number of fuzzy sets;
Taking the weighted average result as a defuzzification result;
For each fuzzy output, through Calculating the center of gravity of each fuzzy set, wherein $c_i$ represents the center of gravity of the fuzzy set, $\mu_i(y)$ represents the membership function of the fuzzy set, and $f(y)$ represents the correction factor;
Taking the weighted average of the centers of gravity as a defuzzification result;
And combining the obtained specific numerical results to generate fusion data.
Further, constructing a dynamic risk assessment model according to the fusion data, including:
Determining an index for evaluating risk according to the application scene and the requirement;
Determining a data set for constructing a dynamic risk assessment model, wherein the data set comprises fusion data and corresponding risk assessment indexes;
And constructing a dynamic risk assessment model through a decision tree model according to the data characteristics and the risk assessment requirements.
In a second aspect, a network risk potential intelligent early warning device includes:
The acquisition module is used for acquiring a data stream generated by the security equipment in the network; dynamically extracting key features from the data stream; dynamically adjusting the classification model according to the key features so that the classification model classifies the events according to preset priority to obtain classification results; fuzzifying the classification result through a membership function so as to map each event to a corresponding fuzzy set to form fuzzified data;
The processing module is used for carrying out fuzzy logic operation according to the fuzzy data and a preset condition library so as to calculate the matching degree and operation result of each condition; converting the operation result into a specific numerical value and generating fusion data; constructing a dynamic risk assessment model according to the fusion data; according to the dynamic network state and the dynamic risk assessment model, a risk assessment result is obtained; and predicting the risk level according to the risk assessment result.
In a third aspect, a computing device includes:
One or more processors;
And a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the above-described methods.
In a fourth aspect, a computer readable storage medium stores a program that when executed by a processor implements the above method.
The scheme of the invention at least comprises the following beneficial effects:
According to the scheme, the method can monitor security events and abnormal behavior in the network in real time by acquiring the data stream generated by the security equipment in the network and dynamically extracting the key features, so that timely sensing and early warning of potential risks are realized. By dynamically adjusting the classification model, events are classified according to the preset priority, and the method can adapt to changes in the network environment and continuously evolving network attack means, so that the ability to identify novel attacks is improved. By fuzzifying the classification result through the membership function, each event is mapped to a corresponding fuzzy set, and the method can handle uncertainty and complexity and better reflect the diversity and dynamics of a real network environment. The matching degree and the operation result of each condition are calculated by performing the fuzzy logic operation according to the fuzzy data and a preset condition library, and the method can synthesize multidimensional data comprising classification results, key features and preset conditions so as to evaluate the network risk more comprehensively. By constructing the dynamic risk assessment model according to the fusion data, the method can realize dynamic risk assessment based on real-time data and network states, and improves the accuracy and effectiveness of network threats.
Drawings
Fig. 1 is a flow chart of a network potential risk intelligent early warning method provided by an embodiment of the invention.
Fig. 2 is a schematic diagram of a network potential risk intelligent early warning device provided by an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described more closely below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As shown in fig. 1, an embodiment of the present invention proposes a network potential risk intelligent early warning method, where the method includes:
Step 11, obtaining a data stream generated by security equipment in a network;
Step 12, dynamically extracting key features from the data stream;
Step 13, dynamically adjusting the classification model according to the key features so that the classification model classifies the events according to preset priorities to obtain classification results;
Step 14, fuzzifying the classification result through a membership function so that each event is mapped to a corresponding fuzzy set to form fuzzy data;
Step 15, performing fuzzy logic operation according to the fuzzy data and a preset condition library to calculate the matching degree and operation result of each condition;
Step 16, converting the operation result into a specific numerical value and generating fusion data;
Step 17, constructing a dynamic risk assessment model according to the fusion data;
Step 18, according to the dynamic network state and the dynamic risk assessment model, obtaining a risk assessment result;
And step 19, predicting the risk level according to the risk assessment result.
In the embodiment of the invention, the method can monitor security events and abnormal behavior in the network in real time by acquiring the data stream generated by the security equipment in the network and dynamically extracting the key features, thereby realizing timely sensing and early warning of potential risks. By dynamically adjusting the classification model, events are classified according to the preset priority, and the method can adapt to changes in the network environment and continuously evolving network attack means, so that the ability to identify novel attacks is improved. By fuzzifying the classification result through the membership function, each event is mapped to a corresponding fuzzy set, and the method can handle uncertainty and complexity and better reflect the diversity and dynamics of a real network environment. The matching degree and the operation result of each condition are calculated by performing the fuzzy logic operation according to the fuzzy data and a preset condition library, and the method can synthesize multidimensional data comprising classification results, key features and preset conditions so as to evaluate the network risk more comprehensively. By constructing the dynamic risk assessment model according to the fusion data, the method can realize dynamic risk assessment based on real-time data and network state, and improve the accuracy and effectiveness of network threat.
In another preferred embodiment of the present invention, the step 11 may include:
Step 111, the security device is configured in a listening mode, ready to receive a data stream in the network; the relevant parameters of the encryption channel C and the security authentication mechanism A are preloaded into the device;
Step 112, when there is a data flow in the network, the security device starts capturing data packets, each data packet including various information related to the data packet, such as a source IP address, a destination IP address, a protocol type, etc.;
Step 113, the captured data packets first pass through a filter that selects only data packets with a time stamp t according to a preset rule, ensuring that the analysis is focused on network activity within a specific time period.
Step 114, the filtered data packet is further sent to an encryption channel verification module, and the content of the data packet is checked to ensure that the content of the data packet is transmitted through the encryption channel C, thereby ensuring confidentiality of the data and preventing unauthorized access.
Step 115, the data packet verified by the encryption channel is digitally signed by a security authentication mechanism A to ensure the integrity and authenticity of the data packet and prevent the data from being tampered in the transmission process; the authenticated packet will be parsed to extract key information features including source IP (IPsrc), destination IP (IPdst), protocol type (Proto) and event identification (EventID).
Step 116, the data packets with extracted features are organized into a set containing all data packets satisfying all preset conditions (including encryption channel, security authentication, and specific IP address, protocol type, and event identifier) at time stamp t; if a set of data packets is generated, the security device will stop capturing more data packets, wait for the next round of analysis or until a new instruction is received.
In the embodiment of the invention, step 11 not only extracts key information from the data stream generated by the security device in the network, but also ensures confidentiality, integrity and authenticity of the data through encryption and security authentication mechanisms.
In a preferred embodiment of the present invention, the step 12 may include:
Step 121, calculating entropy of the current data set;
Step 122, calculating the conditional entropy corresponding to each characteristic value under the current data set according to each characteristic;
Step 123, calculating the information gain result of each feature according to the conditional entropy;
Step 124, determining the final distinguishing feature according to the information gain result of each feature.
In the embodiment of the invention, the information gain of the features is calculated, so that the features that are most critical for distinguishing different categories or conditions can be found. Selecting the most discriminating features helps to establish a more concise model with stronger generalization capability; by removing unnecessary features, the performance of the model can be improved and the risk of overfitting reduced. Feature selection can also speed up model training, since a smaller number of features means less data to process during training and therefore lower computational complexity. The final distinguishing features also make the model more interpretable, because they explain more clearly the changes in the data and the decision-making process of the model.
In another preferred embodiment of the present invention, the step 121 may include:
Step 1211, grouping the data set according to the source IP, destination IP, protocol type and event identification of the data packets, calculating the distribution probability of the data packets inside each group, and using the distribution probability of the data packets inside each group by Calculating the weighted entropy of the whole data set, wherein $H(D)$ represents the weighted entropy of the data set $D$; $n$ represents the number of different groups in the data set; $G_i$ represents the $i$-th group in the data set, defined according to source IP, destination IP, protocol type and event identification; $P(G_i)$ represents the probability that the $i$-th group appears in the data set; $m_i$ represents the number of data packets in the $i$-th group; $P_{ij}$ represents the $j$-th data packet in the $i$-th group; and $P(P_{ij} \mid G_i)$ represents the probability that data packet $P_{ij}$ appears in the $i$-th group.
In another preferred embodiment of the present invention, the step 122 may include:
Step 1221, calculating a conditional entropy corresponding to each feature value in the current data set, where the conditional entropy measures the uncertainty remaining in the data set given a certain feature value, and specifically includes: for a feature $F$ that has $k$ different feature values $f_1, f_2, \ldots, f_k$, the set of data packets belonging to feature value $f_i$ in the data set is $D_{f_i}$, and the calculation formula of the conditional entropy $H(D \mid F = f_i)$ is:
Wherein $H(D \mid F = f_i)$ represents the conditional entropy of data set $D$ when feature $F$ takes the value $f_i$; $k$ denotes the number of different feature values of the feature $F$, and $f_i$ denotes the $i$-th feature value of the feature $F$.
In another preferred embodiment of the present invention, the step 123 may include:
Step 1231, according to the conditional entropy, by Calculating an information gain result of each feature, wherein $D$ represents a data set, $X$ represents a feature set, $H(D)$ represents the entropy of the data set, and $H(D \mid X)$ represents the conditional entropy of the data set given the feature value $X$, that is, the uncertainty or degree of disorder of the data set $D$ given $X$; $IG(X)$, the information gain of feature set $X$, represents the information gain obtained by dividing the data set by feature set $X$.
In another preferred embodiment of the present invention, the step 124 may include:
In step 1241, based on each feature, the information gain for that feature in the current dataset is calculated, the information gain being a measure of the improvement in classification ability of the dataset given the feature. Selecting a feature having a maximum value from the information gains of all the features; the feature with the greatest information gain is taken as the final distinguishing feature. The final distinguishing feature can provide the greatest classification capability in the current dataset and is therefore selected for dynamic adjustment of the classification model.
Step 1242 dynamically adjusts the classification model to more effectively classify the event based on the determined final distinguishing characteristics, including updating the weight, threshold, or other relevant parameters of the model to improve the accuracy of the model in distinguishing characteristics. Step 124 determines the most discriminating feature in the current dataset by calculating the information gain for each feature and selecting the feature with the greatest information gain.
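Steps 121 to 124 can be traced on a small data set with the following added example, which is not code from the patent. It assumes plain Shannon entropy over a hypothetical `label` column and the textbook information gain IG(F) = H(D) - H(D|F), because the patent's own formulas are not reproduced on this page; the events are constructed. It also goes one step beyond the text by computing the gain ratio, since a near-unique field such as the source IP always wins on raw information gain.

```python
import math
from collections import Counter, defaultdict


# Constructed sample events (not from the patent). The four feature fields
# mirror step 115; "label" is a hypothetical class column used as the target.
def _ev(ip_src, ip_dst, proto, event_id, label):
    return {"ip_src": ip_src, "ip_dst": ip_dst, "proto": proto,
            "event_id": event_id, "label": label}


EVENTS = [
    _ev("198.51.100.1", "10.0.1.10", "tcp", "4625", "alert"),
    _ev("198.51.100.2", "10.0.1.10", "tcp", "4625", "alert"),
    _ev("198.51.100.3", "10.0.1.10", "tcp", "4625", "alert"),
    _ev("198.51.100.4", "10.0.1.20", "udp", "4625", "alert"),
    _ev("198.51.100.5", "10.0.1.10", "tcp", "4625", "benign"),
    _ev("198.51.100.6", "10.0.1.20", "tcp", "4624", "benign"),
    _ev("198.51.100.7", "10.0.1.20", "tcp", "4624", "benign"),
    _ev("198.51.100.8", "10.0.1.20", "udp", "4624", "benign"),
]
FEATURES = ("ip_src", "ip_dst", "proto", "event_id")


def entropy(values):
    """Shannon entropy in bits of a list of discrete values (step 121)."""
    total = len(values)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(values).values())


def conditional_entropy(events, feature, target="label"):
    """Step 122: return (H(D|F), {f_i: H(D|F=f_i)}) for one feature."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[feature]].append(ev[target])
    per_value = {value: entropy(labels) for value, labels in groups.items()}
    weighted = sum(len(groups[v]) / len(events) * per_value[v] for v in groups)
    return weighted, per_value


def information_gain(events, feature, target="label"):
    """Step 123 (assumed textbook form): IG(F) = H(D) - H(D|F)."""
    h_d = entropy([ev[target] for ev in events])
    h_cond, _ = conditional_entropy(events, feature, target)
    return h_d - h_cond


def gain_ratio(events, feature, target="label"):
    """Information gain divided by the entropy of the feature's own values."""
    split_info = entropy([ev[feature] for ev in events])
    if split_info == 0.0:  # a single-valued feature cannot split the data
        return 0.0
    return information_gain(events, feature, target) / split_info


def rank_features(events, features=FEATURES, score=information_gain):
    """Step 124: features sorted by score, best first."""
    scored = [(f, score(events, f)) for f in features]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, fn in (("information gain", information_gain),
                     ("gain ratio", gain_ratio)):
        print(name)
        for feature, value in rank_features(EVENTS, score=fn):
            print(f"  {feature:9s} {value:.4f}")
```

On this sample, raw information gain selects `ip_src` because every source address is unique, while the gain ratio selects `event_id`, the feature that would still separate events from addresses not seen before.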
In a preferred embodiment of the present invention, the step 13 may include:
Step 131, determining priorities of different events according to application scenes and requirements;
Step 132, determining a classification model according to the data characteristics and the classification requirements, and training the classification model by using the marked training data set;
Step 133, dynamically adjusting the classification model according to the change of the real-time data stream and the priority of the event;
Step 134, classifying the new event according to the dynamically adjusted classification model, and generating a classification result.
In the embodiment of the invention, the priority of different events is determined according to the application scene and the requirement, so that the importance of the events can be distinguished, and the subsequent classification and evaluation are performed according to the priority, for example, certain security events can have higher influence on the stability and confidentiality of the network. Based on the data features and classification requirements, a classification model is determined and the model is trained using the labeled training dataset to more accurately classify the event in a subsequent step. Along with the change of the real-time data flow and the dynamic adjustment of the event priority, the classification model can be correspondingly and dynamically adjusted, so that the system can adapt to the change of the network environment, and the classification model is ensured to have excellent effect all the time under different conditions. Based on the dynamically adjusted classification model, new real-time events can be classified, and corresponding classification results are generated, so that the system can timely respond to the newly-appearing network activities, identify potential risks and take corresponding early warning measures.
In another preferred embodiment of the present invention, the step 131 may include:
Step 1311, based on a plurality of factors of the event, by The priority of the event is calculated and determined, wherein $n$ represents the number of factors, $w_i$ represents the weight of the $i$-th factor, and $F_i(x)$ represents the calculation function of the $i$-th factor, which takes the related attribute $x$ of the event as input and outputs the priority score corresponding to the factor.
In another preferred embodiment of the present invention, the step 132 may include:
Step 1321, through the classification model $f_\theta(x)$, an optimal set of parameters $\theta^*$ is determined to minimize the risk on the training data set $D_{train}$, wherein, $\theta$ is the parameter of the classification model, $x$ is the input data feature, $L(f_\theta(x_i), y_i)$ is the loss function measuring the gap between the model prediction $f_\theta(x_i)$ and the real label $y_i$, $\Omega(\theta)$ is the regularization term, and $\lambda$ is the regularization coefficient.
In another preferred embodiment of the present invention, the step 133 may include:
Step 1331, according to the classification model $f_\theta(x)$, dynamically adjusting the parameters of the model according to the priority $P_t$ of the event when new data $(x_t, y_t)$ arrives in the real-time data stream $D_{stream}$, wherein, $(x_t, y_t)$ represents a new data point in the real-time data stream, including the data feature $x_t$ and the corresponding class label $y_t$; $P_t$ represents the priority of event $t$; $\eta_t$ is used to control the step size of the parameter update; Is the gradient of the loss function with respect to the classification model parameters.
In another preferred embodiment of the present invention, the step 134 may include:
Step 1341, performing necessary preprocessing on the new event data to ensure that the data format and characteristics are consistent with those of training; inputting the preprocessed data into a classification model after dynamic adjustment, and generating probability or confidence that the event belongs to each category by the classification model according to the internal parameters and logic of the classification model; and after the classification model is predicted, generating corresponding output according to a classification result, wherein the output comprises information such as a class label to which an event belongs, and confidence level or probability of classification.
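Steps 1311, 1321 and 1331 can be illustrated together with the following added example, which is not code from the patent. The patent's formulas are not reproduced on this page, so the example assumes a priority of the form P = sum of w_i * F_i(x), a logistic-regression classifier trained on log loss with an L2 regularization term, and an online update theta <- theta - eta * P_t * gradient; the factor names, weights, training data and the `p_max` clamp are all constructed for illustration. The clamp is an added guard so that one event with an inflated priority cannot move the model arbitrarily far.

```python
import math

# Hypothetical priority factors (w_i, F_i) for step 1311. Each F_i maps an
# event's attributes to a score in [0, 1]; names and weights are constructed.
FACTORS = [
    (0.5, lambda e: e["asset_criticality"]),
    (0.3, lambda e: e["severity"] / 10.0),
    (0.2, lambda e: 1.0 if e["external_source"] else 0.0),
]

# Constructed training set: x = [bias, failed_login_rate, bytes_out_rate].
TRAIN = [
    ([1.0, 0.9, 0.1], 1), ([1.0, 0.8, 0.2], 1),
    ([1.0, 0.1, 0.1], 0), ([1.0, 0.2, 0.2], 0),
]

HIGH_PRIORITY_EVENT = {"asset_criticality": 1.0, "severity": 8, "external_source": True}
LOW_PRIORITY_EVENT = {"asset_criticality": 0.2, "severity": 2, "external_source": False}


def event_priority(event, factors=FACTORS):
    """Step 1311 (assumed form): P = sum_i w_i * F_i(x)."""
    return sum(w * f(event) for w, f in factors)


def predict(theta, x):
    """f_theta(x): probability that the event belongs to the positive class."""
    z = sum(t * xi for t, xi in zip(theta, x))
    return 1.0 / (1.0 + math.exp(-z))


def train_batch(data, dim, lam=0.01, lr=0.5, epochs=200):
    """Step 1321: minimise mean log loss + lam * ||theta||^2 by gradient descent."""
    theta = [0.0] * dim
    for _ in range(epochs):
        grad = [2.0 * lam * t for t in theta]          # gradient of the L2 term
        for x, y in data:
            err = predict(theta, x) - y                # d(log loss)/dz
            for j, xj in enumerate(x):
                grad[j] += err * xj / len(data)
        theta = [t - lr * g for t, g in zip(theta, grad)]
    return theta


def online_update(theta, x, y, p_t, eta=0.5, p_max=1.0):
    """Step 1331 (assumed form): theta <- theta - eta * P_t * grad L(f(x_t), y_t).

    P_t is clamped to [0, p_max]; the clamp is an added safeguard, not part
    of the patent text.
    """
    p_eff = max(0.0, min(p_t, p_max))
    err = predict(theta, x) - y
    return [t - eta * p_eff * err * xj for t, xj in zip(theta, x)]


if __name__ == "__main__":
    theta = train_batch(TRAIN, dim=3)
    x_new, y_new = [1.0, 0.1, 0.9], 1   # constructed event unlike the training data
    print("before update:", round(predict(theta, x_new), 4))
    for name, ev in (("low", LOW_PRIORITY_EVENT), ("high", HIGH_PRIORITY_EVENT)):
        p_t = event_priority(ev)
        updated = online_update(theta, x_new, y_new, p_t)
        print(f"{name} priority P={p_t:.2f}:", round(predict(updated, x_new), 4))
```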
In a preferred embodiment of the present invention, the step 14 may include:
Step 141, classifying the event according to the classification model to obtain a determined classification result;
Step 142, mapping deterministic results onto one or more fuzzy sets using membership functions to reflect fuzzy relationships between events and different categories or priorities;
Step 143, for each determined classification result, mapping the classification result onto a corresponding fuzzy set using a membership function, wherein the mapped result is a fuzzy membership value indicating the degree to which the event belongs to different categories or priorities;
Step 144, combining the fuzzy membership values obtained after all the events are mapped by the membership function to form fuzzy data.
In the embodiment of the invention, the deterministic classification result is mapped to one or more fuzzy sets by using the membership function. The mapping reflects the fuzzy relationship between the event and different categories or priorities, and the membership function fuzzifies the deterministic result, so that the uncertainty and fuzziness of classification can be better captured. For each determined classification result, a membership function is used to map the classification result to a corresponding fuzzy set, resulting in a fuzzy membership value that represents the degree to which the event belongs to different categories or priorities, rather than just a deterministic classification. The fuzzy membership values obtained after mapping all the events by membership functions are combined to form fuzzy data, giving a fuzzy measure of each event over the different categories or priorities.
In another preferred embodiment of the present invention, the step 141 may include:
Step 1411, performing necessary preprocessing and formatting on event data to be classified to ensure that the event data are consistent with the data format and characteristic representation used in training a model; reading parameters and structures of a model from a storage, reconstructing an instance of the model in a computing environment, inputting preprocessed event data into the model for prediction, computing the input data by a classification model according to internal logic and parameters of the model, generating one or more prediction results, analyzing the results output by the model after the model is predicted, and outputting probability of each category by the model for multi-classification tasks; determining a most probable category of the event based on the probability value; and outputting the analyzed classification result.
In another preferred embodiment of the present invention, the step 142 may include:
Step 1421, the event classification result is an $n$-dimensional vector $C = [c_1, c_2, \ldots, c_n]$, where each element $c_i$ represents the classification result of the event on the $i$-th attribute; there are $M$ fuzzy sets $F_m$, where $m = 1, 2, \ldots, M$, each fuzzy set having a corresponding $n$-dimensional membership function By Mapping is performed to reflect the fuzzy relationship between events and different categories or priorities.
In another preferred embodiment of the present invention, the step 143 may include:
Step 1431, determining a membership function for each determined classification result to ensure that the relationship between the event and the fuzzy set can be reasonably described; determining the parameters of the membership function; mapping the determined classification result to the corresponding fuzzy set by using the membership function and, if the event has a plurality of determined classification results, mapping each classification result and processing the plurality of fuzzy membership values obtained; and comparing with a set threshold, for example, a membership threshold is set, and when the membership value of an event exceeds the threshold, the event is considered to belong to a certain category or priority.
In a preferred embodiment of the present invention, the step 15 may include:
Step 151, presetting a condition library, including descriptions of different conditions and fuzzy logic conditions corresponding to the different conditions, wherein each condition is associated with one or more input variables, and determining a fuzzy set and a fuzzy set membership function;
Step 152, for each condition, according to each input variable, comparing the fuzzy value of the input variable with the fuzzy set in the condition, and calculating the matching degree of each condition;
Step 153, combining the matching degree of each input variable, and calculating the result of the fuzzy logic operation according to the fuzzy logic activation condition;
Step 154, summarizing the fuzzy logic operation results of all conditions to obtain the final fuzzy output.
In the embodiment of the invention, the fuzzy logic operation allows the ambiguity and uncertainty of the input variables to be handled flexibly and suits complex, dynamic network environments, so that the system can better understand and process uncertain risk conditions. The aggregated fuzzy output provides more comprehensive information than a deterministic classification result alone, and helps the system understand the characteristics and priorities of events more fully and in more depth. The flexibility of the preset condition library and of the fuzzy logic operation allows the system to be customized and adjusted according to actual conditions, and to adapt to different application scenarios and changing requirements.
In another preferred embodiment of the present invention, the step 151 may include:
Step 1511, describing in detail the various conditions encountered, which may be attributes, features, context information, or other relevant factors related to the event. For example, in a fault detection system, the conditions may be the temperature, pressure, run time, etc. of the device.
Step 1512, for each condition, determining the input variables associated with it, which are the actual data sources used to trigger and evaluate the fuzzy logic conditions; the input variables may be continuous values, discrete labels, or other data types;
Step 1513, determining the corresponding fuzzy sets, which represent different states or degrees of the condition; for example, for the temperature condition of the device, three fuzzy sets of "low temperature", "medium temperature" and "high temperature" may be defined.
Step 1514, defining a membership function for each fuzzy set, wherein the membership function maps the value of the input variable to a membership value on the fuzzy set, representing the degree to which the input variable belongs to the fuzzy set;
Step 1515, integrating the condition descriptions, the associated input variables, the fuzzy set definitions and the membership functions to form the condition library, and continuously updating and maintaining the condition library during practical application. The preset condition library provides rich conditions and rules for subsequent fuzzy logic reasoning, so that the system can trigger the corresponding fuzzy logic conditions as the input variables change and perform reasonable evaluation and decision-making.
In another preferred embodiment of the present invention, the step 152 may include:
Step 1521, obtaining the current fuzzy value of each input variable by passing the actual value of the input variable to its corresponding membership function, wherein the membership function outputs a membership value between 0 and 1 that represents the degree to which the input variable belongs to a certain fuzzy set;
Step 1522, selecting, from the preset condition library and according to the current processing requirement or context information, the fuzzy set in the condition that is to be compared with the fuzzy value of the input variable; and comparing the fuzzy value of the input variable with the selected fuzzy set to judge the matching degree between them;
Step 1523, calculating the matching degree of each condition based on the comparison result, wherein the matching degree is a value between 0 and 1 and represents how well the input variable matches the fuzzy set; for example, if fuzzy intersection reasoning is used, the matching degree may be the minimum value between the membership value of the input variable and the membership value of the fuzzy set; if a plurality of conditions need to be evaluated, repeating the process for each condition and processing the plurality of matching degree values obtained; and taking the calculated matching degree values as the output result, so that the current situation or state can be understood and evaluated more accurately. Through the comparison and calculation process in step 152, the matching degree between the input variables and the preset conditions can be evaluated.
In another preferred embodiment of the present invention, the step 153 may include:
Step 1531, combining the matching degree values to form a comprehensive matching degree representation;
Step 1532, determining a fuzzy logic activation condition according to a preset condition library and a fuzzy logic rule;
Step 1533, when performing the fuzzy logic operation, adjusting the parameters of the operation, for example, adjusting the threshold value of the fuzzy intersection and the weight of the fuzzy union, so as to optimize the operation result and adapt to different scenes; and taking the result of the fuzzy logic operation as an output.
In a preferred embodiment of the present invention, the step 16 may include:
Step 161, for each fuzzy output, of Calculating a weighted average of membership of each fuzzy set, wherein/>Representing the result after defuzzification, y i representing the result of defuzzification of the fuzzy set, μ i representing the membership of the fuzzy set, w i representing the weight of the fuzzy set,/>The defuzzification result of the weighted average is represented, and n represents the number of fuzzy sets;
Step 162, taking the weighted average result as the defuzzification result;
step 163, for each fuzzy output, by Calculating the center of gravity of each fuzzy set, wherein c i represents the center of gravity of the fuzzy set, mu i (y) represents the membership function of the fuzzy set, and f (y) represents the correction factor;
Step 164, taking the weighted average of the center of gravity as a result of the defuzzification;
Step 165, combining the obtained specific numerical results to generate fusion data.
In the embodiment of the invention, calculating the membership-weighted average of each fuzzy set takes the weight differences among the fuzzy sets into account, which makes the defuzzification result more accurate and reasonable; using the weighted average result as the defuzzification result converts the output of the fuzzy logic operation into a specific numerical value; calculating the center of gravity of each fuzzy set further refines the description of the fuzzy sets, because the center of gravity takes the shape and distribution of the membership function into account and therefore reflects the central position of the fuzzy set more accurately; using the weighted average of the centers of gravity as the defuzzification result, according to the weight and center-of-gravity position of each fuzzy set, makes the defuzzification result more stable and reliable; and combining the obtained specific numerical results to generate fusion data provides a comprehensive and accurate description suited to complex and changeable scenarios.
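The following Python sketch is an added example, not code from the patent: it walks steps 151 to 154 and 161 to 162 over a small constructed condition library. The variable names, set boundaries, representative values y_i and weights w_i are all assumptions, and because the weighted-average formula did not survive on this page, the normalized form Σ w_i·μ_i·y_i / Σ w_i·μ_i is assumed.

```python
"""Added illustration of steps 151-154 and 161-162; every name and number is constructed."""
import math
from dataclasses import dataclass


def trapezoid(a, b, c, d):
    """Membership function rising on [a, b], equal to 1 on [b, c], falling on [c, d]."""
    def mu(x):
        if x < a or x > d:
            return 0.0
        if b <= x <= c:
            return 1.0
        if x < b:
            return (x - a) / (b - a)
        return (d - x) / (d - c)
    return mu


# Step 151: condition library = input variables, their fuzzy sets, and the conditions.
FUZZY_SETS = {
    "failed_logins": {          # failed logins per minute (assumed variable)
        "low": trapezoid(0, 0, 5, 20),
        "medium": trapezoid(5, 20, 30, 50),
        "high": trapezoid(30, 50, math.inf, math.inf),
    },
    "outbound_mb": {            # outbound megabytes per minute (assumed variable)
        "low": trapezoid(0, 0, 10, 50),
        "high": trapezoid(10, 50, math.inf, math.inf),
    },
}


@dataclass
class Condition:
    name: str
    requires: dict  # input variable -> fuzzy set the variable must belong to
    y: float        # representative risk value y_i of the condition's output (assumed)
    w: float        # weight w_i of the condition's output (assumed)


CONDITIONS = [
    Condition("quiet", {"failed_logins": "low", "outbound_mb": "low"}, y=10, w=1.0),
    Condition("noisy_logins", {"failed_logins": "medium"}, y=40, w=1.0),
    Condition("brute_force", {"failed_logins": "high"}, y=70, w=1.0),
    Condition("brute_force_then_exfil",
              {"failed_logins": "high", "outbound_mb": "high"}, y=95, w=2.0),
]


def matching_degree(cond, inputs):
    """Steps 152-153: fuzzy intersection (minimum) over the condition's input variables."""
    return min(FUZZY_SETS[var][fset](inputs[var]) for var, fset in cond.requires.items())


def fuzzy_output(inputs, activation_threshold=0.0):
    """Step 154: collect the matching degree of every condition that is activated."""
    out = {}
    for cond in CONDITIONS:
        mu = matching_degree(cond, inputs)
        if mu > activation_threshold:
            out[cond.name] = mu
    return out


def defuzzify(output):
    """Steps 161-162: weighted average, assumed form sum(w*mu*y) / sum(w*mu).

    Returns None when no condition fired: the library does not cover this state,
    which must be reported as "unknown" rather than silently scored as zero risk.
    """
    by_name = {c.name: c for c in CONDITIONS}
    num = sum(by_name[n].w * mu * by_name[n].y for n, mu in output.items())
    den = sum(by_name[n].w * mu for n, mu in output.items())
    return None if den == 0 else num / den


if __name__ == "__main__":
    for sample in ({"failed_logins": 40, "outbound_mb": 30},
                   {"failed_logins": 2, "outbound_mb": 5},
                   {"failed_logins": 2, "outbound_mb": 100}):
        fired = fuzzy_output(sample)
        print(sample, fired, defuzzify(fired))
```

The third sample (few failed logins, heavy outbound traffic) matches no condition in this constructed library, so the score is undefined; a coverage gap of that kind should be surfaced to the operator rather than mapped to the lowest risk level.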
In a preferred embodiment of the present invention, the step 17 may include:
Step 171, determining an index for evaluating risk according to the application scene and the requirement;
Step 172, determining a data set for constructing a dynamic risk assessment model, wherein the data set comprises fusion data and corresponding risk assessment indexes;
Step 173, constructing a dynamic risk assessment model through the decision tree model according to the data characteristics and the risk assessment requirements.
In the embodiment of the invention, the index for evaluating the risk is determined according to the application scene and the requirement, so that the pertinence of risk evaluation is improved; and determining a data set for constructing the dynamic risk assessment model, wherein the data set comprises fusion data and corresponding risk assessment indexes, and the data set integrates information of various sources and layers by using the fusion data, so that the risk assessment is more comprehensive and accurate. Meanwhile, the inclusion of the corresponding risk assessment index is beneficial to establishing the association between the data and the risk, so that the prediction capability of the risk assessment model is enhanced; according to the data characteristics and risk assessment requirements, a dynamic risk assessment model is built through a decision tree model, and automatic learning and classification can be carried out according to different characteristics of the data, so that risk modes and trends in the data are identified. By constructing the dynamic risk assessment model, continuous risk assessment can be carried out according to the data updated in real time, potential risks can be captured and responded in time, and the efficiency and accuracy of risk management are improved. By determining appropriate risk assessment indexes, constructing a data set by using fusion data and constructing a dynamic risk assessment model by applying a decision tree model, comprehensive, accurate and timely assessment of potential risks is realized. This approach not only improves the accuracy and reliability of risk assessment, but also helps make more informed decisions when faced with risk, thereby reducing potential losses and risk. Meanwhile, by dynamically updating the data and the model, the method can adapt to the continuously changing environment and risk conditions, and the continuity and adaptability of risk assessment are maintained.
In a preferred embodiment of the present invention, the step 18 may include:
Acquiring various state information of the network in real time, such as traffic, number of connections and abnormal events, where this information reflects the real-time operation of the network and its possible risk points; inputting the real-time network state data into the previously constructed dynamic risk assessment model, wherein the dynamic risk assessment model automatically processes and classifies the data according to its built-in decision tree algorithm and rules, and recognizes risk patterns and trends in the network; through the operation of the dynamic risk assessment model, the system outputs one or more risk assessment results, which may be specific risk scores, risk probabilities, risk impact levels, etc., that quantify the risk level of the current network state.
In a preferred embodiment of the present invention, the step 19 may include:
Presetting a series of risk level standards, such as low risk, medium risk and high risk; and comparing and mapping the risk assessment result generated in step 18 against the risk level standards. The system can determine the corresponding risk level according to the numerical value, the threshold value or the relative position of the risk assessment result; based on this mapping relation, the system can predict the risk level of the current network state. The prediction result provides the user with an intuitive and easily understood risk assessment index, and helps the user quickly understand the security condition of the network and take corresponding risk management measures; if the predicted risk level exceeds a preset warning line, the system can trigger an automatic early warning and notification mechanism to inform the relevant management personnel or systems in time, so that emergency countermeasures can be taken. Through the two steps, the current risk level can be rapidly and accurately predicted according to the real-time network state and the dynamic risk assessment model, so that network security management and risk control can be more targeted. This dynamic and continuous risk assessment method helps to find and respond to potential network threats in time and to ensure the safe and stable operation of the network.
As shown in Fig. 2, an embodiment of the present invention further provides an intelligent early warning apparatus 20 for network potential risk, including:
An acquisition module 21, configured to acquire a data stream generated by a security device in a network; dynamically extracting key features from the data stream; dynamically adjusting the classification model according to the key features so that the classification model classifies the events according to preset priority to obtain classification results; fuzzifying the classification result through a membership function so as to map each event to a corresponding fuzzy set to form fuzzified data;
The processing module 22 is configured to perform fuzzy logic operation according to the fuzzy data and a preset condition library, so as to calculate a matching degree and an operation result of each condition; converting the operation result into a specific numerical value and generating fusion data; constructing a dynamic risk assessment model according to the fusion data; according to the dynamic network state and the dynamic risk assessment model, a risk assessment result is obtained; and predicting the risk level according to the risk assessment result.
Optionally, dynamically extracting key features in the data stream includes:
Calculating entropy of the current data set;
According to each feature, calculating a conditional entropy corresponding to each feature value under the current data set;
Calculating an information gain result of each feature according to the conditional entropy;
and determining the final distinguishing feature according to the information gain result of each feature.
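The four feature-extraction steps listed above (entropy, conditional entropy, information gain, selection), as an added Python example that is not part of the patent text: the event window, feature names, labels and the `min_gain` cut-off are constructed assumptions.

```python
"""Added illustration: information-gain ranking of event features over one window."""
import math
from collections import Counter, defaultdict

# Constructed window of labelled security events (not real telemetry).
EVENTS = [
    {"auth_result": "failed",  "protocol": "tcp", "port_class": "well_known", "label": "malicious"},
    {"auth_result": "failed",  "protocol": "tcp", "port_class": "well_known", "label": "malicious"},
    {"auth_result": "failed",  "protocol": "udp", "port_class": "well_known", "label": "malicious"},
    {"auth_result": "failed",  "protocol": "udp", "port_class": "ephemeral",  "label": "malicious"},
    {"auth_result": "success", "protocol": "tcp", "port_class": "well_known", "label": "benign"},
    {"auth_result": "success", "protocol": "tcp", "port_class": "ephemeral",  "label": "benign"},
    {"auth_result": "success", "protocol": "udp", "port_class": "ephemeral",  "label": "benign"},
    {"auth_result": "success", "protocol": "udp", "port_class": "ephemeral",  "label": "benign"},
]
FEATURES = ["auth_result", "protocol", "port_class"]


def entropy(labels):
    """Shannon entropy (bits) of a list of class labels."""
    total = len(labels)
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in Counter(labels).values())


def conditional_entropy(events, feature, label_key="label"):
    """Entropy of the label given the feature: sum over values of P(value) * H(label | value)."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[feature]].append(ev[label_key])
    total = len(events)
    return sum(len(lbls) / total * entropy(lbls) for lbls in groups.values())


def information_gain(events, feature, label_key="label"):
    """Gain = H(label) - H(label | feature) on the current data set."""
    base = entropy([ev[label_key] for ev in events])
    return base - conditional_entropy(events, feature, label_key)


def rank_features(events, features):
    """Return (feature, gain) pairs sorted from most to least discriminating."""
    gains = [(f, information_gain(events, f)) for f in features]
    return sorted(gains, key=lambda fg: fg[1], reverse=True)


def select_features(events, features, min_gain):
    """Keep the features whose gain reaches min_gain (the cut-off is an assumption)."""
    return [f for f, g in rank_features(events, features) if g >= min_gain]


if __name__ == "__main__":
    for name, gain in rank_features(EVENTS, FEATURES):
        print(f"{name:12s} gain={gain:.4f}")
    print("selected:", select_features(EVENTS, FEATURES, min_gain=0.1))
```

Re-running the ranking on each new window is one way to realise the "dynamic" extraction; note that plain information gain favours features with many distinct values (for example raw source addresses), so such fields are usually bucketed before ranking.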
Optionally, dynamically adjusting the classification model according to the key feature, so that the classification model classifies the event according to a preset priority to obtain a classification result, including:
determining priorities of different events according to application scenes and requirements;
Determining a classification model according to the data characteristics and the classification requirements, and training the classification model by using the marked training data set;
dynamically adjusting the classification model according to the change of the real-time data stream and the priority of the event;
and classifying the new event according to the dynamically adjusted classification model, and generating a classification result.
Optionally, fuzzifying the classification result through a membership function to map each event onto a corresponding fuzzy set to form fuzzified data, including:
Classifying the events according to the classification model to obtain a determined classification result;
Mapping deterministic results onto one or more fuzzy sets using membership functions to reflect fuzzy relationships between events and different categories or priorities;
For each determined classification result, mapping the classification result onto a corresponding fuzzy set by using a membership function, wherein the mapped result is a fuzzy membership value which indicates the degree of the event belonging to different categories or priorities;
And combining fuzzy membership values obtained after all the events are mapped by membership functions to form fuzzy data.
Optionally, performing fuzzy logic operation according to the fuzzy data and a preset condition library to calculate the matching degree and operation result of each condition, including:
Presetting a condition library, comprising descriptions of different conditions and fuzzy logic conditions corresponding to the different conditions, wherein each condition is associated with one or more input variables, and determining a fuzzy set and a membership function of the fuzzy set;
for each condition, according to each input variable, comparing the fuzzy value of the input variable with fuzzy sets in the condition, and calculating the matching degree of each condition;
Combining the matching degree of each input variable, and calculating the result of fuzzy logic operation according to the fuzzy logic activation condition;
summarizing the fuzzy logic operation results of all conditions to obtain final fuzzy output.
Optionally, converting the operation result into a specific numerical value, and generating fusion data, including:
For each fuzzy output, through Calculating a weighted average of membership of each fuzzy set, wherein/>Representing the result after defuzzification, y i representing the result of defuzzification of the fuzzy set, μ i representing the membership of the fuzzy set, w i representing the weight of the fuzzy set,/>The defuzzification result of the weighted average is represented, and n represents the number of fuzzy sets;
Taking the weighted average result as a defuzzification result;
For each fuzzy output, through Calculating the center of gravity of each fuzzy set, wherein c i represents the center of gravity of the fuzzy set, mu i (y) represents the membership function of the fuzzy set, and f (y) represents the correction factor;
Taking the weighted average of the centers of gravity as the defuzzification result;
And combining the obtained specific numerical results to generate fusion data.
Optionally, constructing a dynamic risk assessment model according to the fusion data includes:
Determining an index for evaluating risk according to the application scene and the requirement;
Determining a data set for constructing a dynamic risk assessment model, wherein the data set comprises fusion data and corresponding risk assessment indexes;
And constructing a dynamic risk assessment model through a decision tree model according to the data characteristics and the risk assessment requirements.
It should be noted that the apparatus is an apparatus corresponding to the above method, and all implementation manners in the above method embodiment are applicable to this embodiment, so that the same technical effects can be achieved.
Embodiments of the present invention also provide a computing device comprising: a processor, a memory storing a computer program which, when executed by the processor, performs the method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.
Embodiments of the present invention also provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform a method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, an optical disk, or the like.
Furthermore, it should be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. Also, the steps of performing the series of processes described above may naturally be performed in chronological order in the order of description, but are not necessarily performed in chronological order, and some steps may be performed in parallel or independently of each other. It will be appreciated by those of ordinary skill in the art that all or any of the steps or components of the methods and apparatus of the present invention may be implemented in hardware, firmware, software, or a combination thereof in any computing device (including processors, storage media, etc.) or network of computing devices, as would be apparent to one of ordinary skill in the art after reading this description of the invention.
The object of the invention can thus also be achieved by running a program or a set of programs on any computing device. The computing device may be a well-known general purpose device. The object of the invention can thus also be achieved by merely providing a program product containing program code for implementing said method or apparatus. That is, such a program product also constitutes the present invention, and a storage medium storing such a program product also constitutes the present invention. It is apparent that the storage medium may be any known storage medium or any storage medium developed in the future. It should also be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. The steps of executing the series of processes may naturally be executed in chronological order in the order described, but are not necessarily executed in chronological order. Some steps may be performed in parallel or independently of each other.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (4)

1. An intelligent early warning method for network potential risks is characterized by comprising the following steps:
acquiring a data stream generated by security equipment in a network;
Dynamically extracting key features from the data stream;
Dynamically adjusting the classification model according to the key features so that the classification model classifies the events according to preset priority to obtain classification results;
fuzzifying the classification result through a membership function so as to map each event to a corresponding fuzzy set to form fuzzified data;
performing fuzzy logic operation according to the fuzzy data and a preset condition library to calculate the matching degree and operation result of each condition;
converting the operation result into a specific numerical value and generating fusion data;
Constructing a dynamic risk assessment model according to the fusion data;
According to the dynamic network state and the dynamic risk assessment model, a risk assessment result is obtained;
According to the risk assessment result, predicting the risk level;
Dynamically extracting key features in a data stream, comprising:
Calculating entropy of the current data set;
According to each feature, calculating a conditional entropy corresponding to each feature value under the current data set;
Calculating an information gain result of each feature according to the conditional entropy;
Determining final distinguishing features according to the information gain result of each feature;
according to the key characteristics, dynamically adjusting a classification model to enable the classification model to classify the event according to a preset priority so as to obtain a classification result, wherein the method comprises the following steps:
determining priorities of different events according to application scenes and requirements;
Determining a classification model according to the data characteristics and the classification requirements, and training the classification model by using the marked training data set;
dynamically adjusting the classification model according to the change of the real-time data stream and the priority of the event;
classifying the new event according to the dynamically adjusted classification model, and generating a classification result;
fuzzifying the classification result through membership functions to map each event onto a corresponding fuzzy set to form fuzzified data, comprising:
Classifying the events according to the classification model to obtain a determined classification result;
Mapping deterministic results onto one or more fuzzy sets using membership functions to reflect fuzzy relationships between events and different categories or priorities;
For each determined classification result, mapping the classification result onto a corresponding fuzzy set by using a membership function, wherein the mapped result is a fuzzy membership value which indicates the degree of the event belonging to different categories or priorities;
Combining fuzzy membership values obtained after mapping all events by membership functions to form fuzzy data;
performing fuzzy logic operation according to the fuzzy data and a preset condition library to calculate the matching degree and operation result of each condition, wherein the fuzzy logic operation comprises the following steps:
Presetting a condition library, comprising descriptions of different conditions and fuzzy logic conditions corresponding to the different conditions, wherein each condition is associated with one or more input variables, and determining a fuzzy set and a membership function of the fuzzy set;
for each condition, according to each input variable, comparing the fuzzy value of the input variable with fuzzy sets in the condition, and calculating the matching degree of each condition;
Combining the matching degree of each input variable, and calculating the result of fuzzy logic operation according to the fuzzy logic activation condition;
Summarizing the fuzzy logic operation results of all conditions to obtain final fuzzy output;
converting the operation result into a specific numerical value, and generating fusion data, wherein the method comprises the following steps:
For each fuzzy output, through Calculating a weighted average of membership of each fuzzy set, wherein/>Representing the defuzzification result of the fuzzy set,/>Representing membership of fuzzy sets,/>Weights representing fuzzy sets,/>The defuzzification result of the weighted average is represented, and n represents the number of fuzzy sets;
Taking the weighted average result as a defuzzification result;
For each fuzzy output, through The center of gravity of each fuzzy set is calculated, wherein,Representing the center of gravity of the fuzzy set,/>Membership function representing fuzzy set,/>Representing a correction factor;
Taking the weighted average of the centers of gravity as the defuzzification result;
Combining the obtained specific numerical results to generate fusion data;
according to the fusion data, a dynamic risk assessment model is constructed, which comprises the following steps:
Determining an index for evaluating risk according to the application scene and the requirement;
Determining a data set for constructing a dynamic risk assessment model, wherein the data set comprises fusion data and corresponding risk assessment indexes;
And constructing a dynamic risk assessment model through a decision tree model according to the data characteristics and the risk assessment requirements.
2. An intelligent early warning device for network potential risks, characterized by being applied to the method as claimed in claim 1, and comprising:
The acquisition module is used for acquiring a data stream generated by the security equipment in the network; dynamically extracting key features from the data stream; dynamically adjusting the classification model according to the key features so that the classification model classifies the events according to preset priority to obtain classification results; fuzzifying the classification result through a membership function so as to map each event to a corresponding fuzzy set to form fuzzified data;
The processing module is used for carrying out fuzzy logic operation according to the fuzzy data and a preset condition library so as to calculate the matching degree and operation result of each condition; converting the operation result into a specific numerical value and generating fusion data; constructing a dynamic risk assessment model according to the fusion data; according to the dynamic network state and the dynamic risk assessment model, a risk assessment result is obtained; and predicting the risk level according to the risk assessment result.
3. A computing device, comprising:
one or more processors;
storage means for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method of claim 1.
4. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a program which, when executed by a processor, implements the method according to claim 1.
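The defuzzification and fusion steps at the end of claim 1, as an added Python example that is not part of the patent: each fired output set is clipped at its matching degree, its center of gravity is computed numerically, and the weighted average becomes one field of the fusion record. The triangular sets, the 0-10 scale, the use of matching degrees as weights, and the correction factor acting as a multiplier are all assumptions, because the claim's formula does not survive in this text.

```python
# Added example: set shapes, 0-10 scale, weights and correction multiplier are assumptions.
def triangular(a, b, c):
    """Triangular membership function rising from a to a peak at b, falling to c."""
    def mu(x):
        if x <= a or x >= c:
            return 0.0
        return (x - a) / (b - a) if x <= b else (c - x) / (c - b)
    return mu

# Constructed output fuzzy sets on a 0-10 risk scale.
SETS = {"low": triangular(0, 2, 4),
        "medium": triangular(3, 5, 7),
        "high": triangular(6, 8, 10)}

def centroid(mu, strength=1.0, correction=1.0, lo=0.0, hi=10.0, steps=1000):
    """Center of gravity of mu clipped at the matching degree (midpoint rule)."""
    dx = (hi - lo) / steps
    num = den = 0.0
    for i in range(steps):
        x = lo + (i + 0.5) * dx
        m = min(mu(x), strength)
        num += x * m
        den += m
    if den == 0.0:
        return None  # the set did not fire at all
    return correction * num / den  # correction as a multiplier is an assumption

def defuzzify(fired, sets=SETS):
    """Weighted average of per-set centroids; weights are the matching degrees."""
    total = weight = 0.0
    for name, strength in fired.items():
        c = centroid(sets[name], strength)
        if c is not None:
            total += strength * c
            weight += strength
    # None (not 0.0) when nothing matched, so "no evidence" is not read as "no risk".
    return total / weight if weight else None

def fuse(outputs):
    """Combine the crisp value of every fuzzy output into one record (fusion data)."""
    return {name: defuzzify(fired) for name, fired in outputs.items()}

# Constructed matching degrees for one event, per fuzzy output.
EVENT = {"severity": {"medium": 0.25, "high": 0.75},
         "exposure": {"low": 1.0},
         "anomaly": {"low": 0.0, "medium": 0.0}}
print(fuse(EVENT))
```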
CN202311682893.8A 2023-12-08 2023-12-08 Intelligent early warning method and device for network potential risk Active CN117749448B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311682893.8A CN117749448B (en) 2023-12-08 2023-12-08 Intelligent early warning method and device for network potential risk

Publications (2)

Publication Number Publication Date
CN117749448A CN117749448A (en) 2024-03-22
CN117749448B true CN117749448B (en) 2024-05-17

Family

ID=90250004

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311682893.8A Active CN117749448B (en) 2023-12-08 2023-12-08 Intelligent early warning method and device for network potential risk

Country Status (1)

Country Link
CN (1) CN117749448B (en)

Also Published As

Publication number Publication date
CN117749448A (en) 2024-03-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant