CN117811824A - Network path analysis system and method for network security anomaly detection - Google Patents


Info

Publication number: CN117811824A
Authority: CN (China)
Prior art keywords: flow, network path, analysis system, network, threshold
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN202410025208.2A
Other languages: Chinese (zh)
Inventor: 何军红
Current assignee: Northwestern Polytechnical University
Original assignee: Northwestern Polytechnical University


Abstract

The invention discloses a network path analysis system and method for network security anomaly detection, in the technical field of network analysis systems. The analysis system periodically self-checks its own running condition and judges whether that condition supports security anomaly detection on the network path. It acquires all special scenarios in the network path's operating environment, analyses them with a regression analysis model to obtain a regression coefficient, combines the regression coefficient with the running condition of the analysis system to generate a correction index, and adjusts an initial traffic threshold by the correction index to obtain a dynamic traffic threshold. Because the analysis system self-checks while in use, the stability of network path detection is ensured, and because the dynamic traffic threshold is derived from both the special scenarios in the operating environment and the running condition of the analysis system, frequent false alarms from the analysis system in special scenarios are effectively avoided.

Description

Network path analysis system and method for network security anomaly detection
Technical Field
The invention relates to the technical field of network analysis systems, in particular to a network path analysis system and method for network security anomaly detection.
Background
With the spread of the internet and the continuous development of technology, network security threats have become more complex and better hidden, and traditional protection measures may not cope effectively with new attacks and threats, so more advanced and intelligent security technologies are needed. Network security anomaly detection is a key component in protecting computer systems and networks from malicious attacks, and network path analysis systems are an important technology for it: they identify abnormal behaviour and potential security threats in a network by monitoring and analysing network traffic, packets, logs and other relevant information.
The prior art has the following defects:
1. Conventional analysis systems perform security anomaly detection on a network path, but in practice, if the analysis system itself is abnormal, the detection becomes either over-sensitive or under-sensitive: over-detection causes the analysis system to raise frequent false alarms, and missed detection degrades detection accuracy;
2. Even when the analysis system itself is not abnormal, an existing analysis system usually analyses the traffic of the network path by acquiring it in real time, comparing the real-time traffic with a preset traffic threshold, and reporting the network path's traffic as abnormal when the real-time traffic exceeds the threshold. However, when the network path encounters a special scenario during use, its traffic rises, and with a fixed traffic threshold as the reference value the analysis system raises frequent false alarms.
Disclosure of Invention
The invention aims to provide a network path analysis system and method for network security anomaly detection that remedy the defects described in the Background.
In order to achieve the above object, the present invention provides the following technical solution: a network path analysis method for network security anomaly detection, comprising the steps of:
S1: a port of the analysis system obtains historical traffic data of the network path's operating environment, the historical traffic data comprising normal traffic data and abnormal traffic data, and an initial traffic threshold for the current operating environment is generated by a threshold algorithm based on the normal traffic data and the abnormal traffic data;
S2: the analysis system periodically self-checks its own running condition, judges whether the current running condition supports security anomaly detection of the network path, and sends an alarm signal to the network administrator if it does not;
S3: if the running condition supports security anomaly detection of the network path, the analysis system monitors the network traffic of the network path in real time;
S4: all special scenarios in the network path's operating environment are acquired and analysed with a regression analysis model to obtain a regression coefficient, and the regression coefficient is combined with the running condition of the analysis system to generate a correction index;
S5: the analysis system adjusts the initial traffic threshold by the correction index to obtain a dynamic traffic threshold, compares the network traffic acquired in real time with the dynamic traffic threshold and, when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management strategy and sends an alarm signal to the administrator.
In a preferred embodiment, in step S1, generating the initial traffic threshold of the current operating environment by a threshold algorithm based on the normal traffic data and the abnormal traffic data comprises the steps of:
S101: acquiring the average traffic and the traffic standard deviation of the normal traffic of the network path when used in the current operating environment;
S102: acquiring the average traffic of the abnormal traffic of the network path when used in the current operating environment;
S103: calculating the initial traffic threshold $yz_{initial}$ from the average traffic value $Y_{avg}$ of the abnormal traffic, the maximum traffic value $Y_{max}$ of the abnormal traffic, the traffic standard deviation $LQ$ of the normal traffic and the average traffic value $\bar{P}$ of the normal traffic.
In a preferred embodiment, the traffic standard deviation $LQ$ of the normal traffic is calculated as
$$LQ = \sqrt{\frac{1}{n}\sum_{i=1}^{n}\left(P_i - \bar{P}\right)^2}, \qquad \bar{P} = \frac{1}{n}\sum_{i=1}^{n} P_i,$$
where $\bar{P}$ is the average traffic value of the normal traffic, $i = \{1, 2, 3, \ldots, n\}$, $n$ is the number of normal traffic sampling points ($n$ a positive integer) and $P_i$ is the traffic value at the $i$-th normal traffic sampling point;
the average traffic value of the abnormal traffic is calculated as
$$Y_{avg} = \frac{1}{m}\sum_{j=1}^{m} Y_j,$$
where $j = \{1, 2, 3, \ldots, m\}$, $m$ is the number of abnormal traffic sampling points ($m$ a positive integer), $Y_j$ is the traffic value at the $j$-th abnormal traffic sampling point and $Y_{avg}$ is the average traffic value of the abnormal traffic.
In a preferred embodiment, in step S2, the periodic self-check of the analysis system's own running condition and the judgement of whether the current running condition supports security anomaly detection of the network path comprise the following steps:
S201: acquiring the computing-power warning period and the error-report warning period;
S202: combining the computing-power warning period $[t_x, t_y]$ and the error-report warning period $[t_i, t_j]$ with the response-time variation $Z(t)$ of the analysis system to obtain the self-check coefficient $zj_x$ of the analysis system;
S203: after obtaining the self-check coefficient $zj_x$, comparing it with a preset first self-check threshold and a preset second self-check threshold, where the second self-check threshold is used to judge whether the analysis system supports security anomaly detection of the network path and the first self-check threshold is used to judge whether the analysis system has a slight anomaly;
S204: if $zj_x >$ second self-check threshold, the analysis system is judged not to support security anomaly detection of the network path and an alarm signal is sent to the network administrator;
S205: if $zj_x \le$ second self-check threshold, the analysis system is judged to support security anomaly detection of the network path;
S206: if first self-check threshold $< zj_x \le$ second self-check threshold, the analysis system is judged to support security anomaly detection of the network path but to have a slight anomaly, and the initial threshold needs to be dynamically adjusted;
S207: if $zj_x \le$ first self-check threshold, the analysis system is judged to support security anomaly detection of the network path and to have no anomaly.
In a preferred embodiment, the analysis system monitors its real-time computing power; when the real-time computing power falls below a computing-power threshold, the period is recorded, and the longer the real-time computing power stays below the computing-power threshold, the less able the analysis system is to support security anomaly detection of the network path, so the period during which the real-time computing power is below the computing-power threshold is taken as the computing-power warning period;
when the analysis system reports errors, the number of consecutive error reports is recorded, and when the number of consecutive error reports exceeds a count threshold, the period over which the consecutive error reports exceed the count threshold is the error-report warning period.
In a preferred embodiment, in step S4, acquiring all special scenarios in the network path's operating environment and obtaining the regression coefficient by analysing them with the regression analysis model comprises the following steps:
acquiring all special scenarios that drive network traffic growth in the current operating environment, the special scenarios comprising main special scenarios and secondary special scenarios; all main special scenarios form a set $s = \{s_1, s_2, \ldots, s_k\}$, where $k$ is the number of main special scenarios in the set $s$, and the regression coefficient is calculated by a Logistic regression analysis method,
where $hg_z$ is the regression coefficient, $Q$ is a constant term with the value 0.442, representing the magnitude of the influence of the secondary special scenarios on the regression coefficient when no main special scenario is present, $\{s_1, s_2, \ldots, s_k\}$ are the variables and $\{\omega_1, \omega_2, \ldots, \omega_k\}$ are the regression coefficients of the respective variables, with every $\omega > 0$.
In a preferred embodiment, in step S4, combining the regression coefficient with the running condition of the analysis system to generate the correction index comprises the steps of:
if first self-check threshold $< zj_x \le$ second self-check threshold, the analysis system is judged to support security anomaly detection of the network path but to have a slight anomaly, and the initial threshold is dynamically adjusted;
the value of the self-check coefficient $zj_x$ while the analysis system has the slight anomaly is obtained, and this value of $zj_x$ is combined with the regression coefficient $hg_z$ to generate the correction index $xz_s$.
In a preferred embodiment, in step S5, obtaining the dynamic traffic threshold after adjusting the initial traffic threshold by the correction index comprises: the initial traffic threshold $yz_{initial}$ is corrected by the correction index $xz_s$ to obtain the dynamic traffic threshold $yz_{dynamic}$.
In a preferred embodiment, in step S5, comparing the network traffic acquired in real time with the dynamic traffic threshold comprises the steps of:
S501: after the analysis system obtains the dynamic traffic threshold, the network traffic of the network path acquired in real time is compared with the dynamic traffic threshold;
S502: if the network traffic is less than or equal to the dynamic traffic threshold, the current network path is judged to have no security anomaly;
S503: if the network traffic is greater than the dynamic traffic threshold, the current network path is judged to have a security anomaly, a corresponding management strategy is generated and an alarm signal is sent to the administrator.
The invention also provides a network path analysis system for network security anomaly detection, comprising a port module, an initialization module, a self-check module, a traffic monitoring module, a scenario analysis module, a threshold optimization module and an alarm module:
Port module: obtains historical traffic data of the network path's operating environment, comprising normal traffic data and abnormal traffic data, and sends the normal and abnormal traffic data to the initialization module;
Initialization module: generates the initial traffic threshold of the current operating environment by a threshold algorithm based on the normal traffic data and the abnormal traffic data, and sends the initial traffic threshold to the threshold optimization module;
Self-check module: periodically self-checks the running condition of the analysis system, judges whether the current running condition supports security anomaly detection of the network path, sends an alarm signal to the network administrator if it does not, and sends the judgement result to the traffic monitoring module;
Traffic monitoring module: if the running condition supports security anomaly detection of the network path, monitors the network traffic of the network path in real time and sends the network traffic to the alarm module;
Scenario analysis module: acquires all special scenarios in the network path's operating environment, analyses them with a regression analysis model to obtain a regression coefficient, combines the regression coefficient with the running condition of the analysis system to generate a correction index, and sends the correction index to the threshold optimization module;
Threshold optimization module: adjusts the initial traffic threshold by the correction index to obtain the dynamic traffic threshold;
Alarm module: compares the network traffic acquired in real time with the dynamic traffic threshold and, when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management strategy and sends an alarm signal to the administrator.
The technical effects and advantages of the invention are as follows:
1. The analysis system periodically self-checks its own running condition and judges whether the current running condition supports security anomaly detection of the network path; if it does not, an alarm signal is sent to the network administrator, and if it does, the analysis system monitors the network traffic of the network path in real time, acquires all special scenarios in the network path's operating environment, analyses them with a regression analysis model to obtain a regression coefficient, combines the regression coefficient with the running condition of the analysis system to generate a correction index, and adjusts the initial traffic threshold by the correction index to obtain a dynamic traffic threshold. Because the analysis system self-checks while in use, the stability of network path detection is ensured, and because the dynamic traffic threshold is derived from both the special scenarios in the operating environment and the running condition of the analysis system, frequent false alarms from the analysis system in special scenarios are effectively avoided.
Drawings
In order to illustrate the embodiments of the present application or the prior-art technical solutions more clearly, the drawings needed for the embodiments are briefly described below. The drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them.
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1: referring to Fig. 1, the network path analysis method for network security anomaly detection of this embodiment comprises the following steps:
A port of the analysis system obtains historical traffic data of the network path's operating environment, the historical traffic data comprising normal traffic data and abnormal traffic data, and an initial traffic threshold for the current operating environment is generated by a threshold algorithm based on the normal and abnormal traffic data. The analysis system periodically self-checks its own running condition and judges whether the current running condition supports security anomaly detection of the network path; if it does not, an alarm signal is sent to the network administrator. If it does, the analysis system monitors the network traffic of the network path in real time, acquires all special scenarios in the network path's operating environment, analyses them with a regression analysis model to obtain a regression coefficient, combines the regression coefficient with the running condition of the analysis system to generate a correction index, adjusts the initial traffic threshold by the correction index to obtain a dynamic traffic threshold, and compares the network traffic acquired in real time with the dynamic traffic threshold.
In this way the analysis system self-checks its own running condition at regular intervals, and the initial traffic threshold is adjusted according to the special scenarios in the operating environment and the running condition of the analysis system to obtain the dynamic traffic threshold, which ensures the stability of network path detection and effectively avoids frequent false alarms from the analysis system in special scenarios.
The port of the analysis system obtains historical traffic data of the network path's operating environment, comprising normal traffic data and abnormal traffic data, specifically:
Normal traffic data: learning the pattern of normal traffic, including peak and off-peak periods, common communication patterns and the periodicity of the traffic, establishes a baseline for normal traffic against which traffic that does not fit the normal pattern is easier to detect; analysing the ports involved in normal traffic, including common service ports and application ports, and learning the usage frequency and communication patterns of the different ports allows unusual port activity to be identified in subsequent anomaly detection; analysing the users and devices associated with the traffic and learning their normal behaviour patterns, including login frequency and data transmission patterns, helps detect activity that differs from normal behaviour;
Abnormal traffic data: examining port-related security event logs, including refused connections, malware propagation attempts and port scans, helps identify the specific port activity associated with abnormal behaviour; detecting illegal access behaviour, such as use of unauthorized ports, illegal port scans and intrusion attempts, can be done by examining the web logs and security event logs related to port activity; and analysing abnormal data traffic, including large-scale data transfers, abnormal transfer patterns and abnormally frequent connects and disconnects, helps discover potential data leakage or attack behaviour.
Generating the initial traffic threshold of the current operating environment by a threshold algorithm based on the normal traffic data and the abnormal traffic data is specifically:
acquiring the average traffic and the standard deviation of the normal traffic of the network path when used in the current operating environment (normal traffic being traffic during which the security tools of the current operating environment detected no attack or anomaly);
where:
the traffic standard deviation $LQ$ of the normal traffic is calculated as
$$LQ = \sqrt{\frac{1}{n}\sum_{i=1}^{n}\left(P_i - \bar{P}\right)^2}, \qquad \bar{P} = \frac{1}{n}\sum_{i=1}^{n} P_i,$$
where $\bar{P}$ is the average traffic value of the normal traffic, $i = \{1, 2, 3, \ldots, n\}$, $n$ is the number of normal traffic sampling points (i.e. traffic values acquired daily or hourly), $n$ is a positive integer and $P_i$ is the traffic value at the $i$-th normal traffic sampling point;
acquiring the average traffic of the abnormal traffic of the network path when used in the current operating environment (abnormal traffic being traffic during which the security tools of the current operating environment detected an attack or anomaly), calculated as
$$Y_{avg} = \frac{1}{m}\sum_{j=1}^{m} Y_j,$$
where $j = \{1, 2, 3, \ldots, m\}$, $m$ is the number of abnormal traffic sampling points (i.e. traffic values acquired daily or hourly), $m$ is a positive integer, $Y_j$ is the traffic value at the $j$-th abnormal traffic sampling point and $Y_{avg}$ is the average traffic value of the abnormal traffic;
the initial traffic threshold $yz_{initial}$ is then calculated from the average traffic value $Y_{avg}$ of the abnormal traffic, the maximum traffic value $Y_{max}$ of the abnormal traffic, the traffic standard deviation $LQ$ of the normal traffic and the average traffic value $\bar{P}$ of the normal traffic.
The analysis system periodically self-checks its own running condition and judges whether the current running condition supports security anomaly detection of the network path; if it does not, an alarm signal is sent to the network administrator. If it does, the analysis system monitors the network traffic of the network path in real time, acquires all special scenarios in the network path's operating environment, analyses them with a regression analysis model to obtain a regression coefficient, combines the regression coefficient with the running condition of the analysis system to generate a correction index, adjusts the initial traffic threshold by the correction index to obtain a dynamic traffic threshold, compares the network traffic acquired in real time with the dynamic traffic threshold and, when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management strategy and sends an alarm signal to the administrator.
Example 2: the analysis system carries out self-checking analysis on the running condition at regular time, judges whether the current running condition supports the safety abnormality detection of the network path, sends an alarm signal to a network administrator if the current running condition does not support the safety abnormality detection of the network path, and monitors the network flow of the network path in real time if the running condition supports the safety abnormality detection of the network path, specifically:
when the analysis system detects the safety abnormality of the network path, a certain calculation force is required to be maintained so as to avoid analysis delay and even suspension, so that the analysis system monitors real-time calculation force, when the real-time calculation force is lower than a calculation force threshold value, the time period is recorded, the longer the real-time calculation force is lower than the calculation force threshold value, the less the analysis system supports the safety abnormality detection of the network path, and therefore, the time period when the real-time calculation force is lower than the calculation force threshold value is taken as a calculation force early warning time period;
When the analysis system frequently reports errors during operation, this indicates that it may be suffering from data loss, crashes, blocking or similar problems. Therefore, whenever the analysis system reports an error, its number of consecutive error reports is recorded (reports count as consecutive when the interval between them is within 5 min; when the interval between the next report and the previous one exceeds 5 min, the report is not counted as consecutive). When the number of consecutive error reports exceeds a count threshold, the analysis system can no longer keep monitoring network paths, or is disconnected outright; the period during which the number of consecutive error reports exceeds the count threshold is therefore the error-reporting early-warning period;
Integrating the computing-power early-warning period and the error-reporting early-warning period yields the self-check coefficient zj_x of the analysis system; the expression is as follows: z(t) represents the response-time variation of the analysis system, [t_x, t_y] is the computing-power early-warning period, and [t_i, t_j] is the error-reporting early-warning period;
After the self-check coefficient zj_x is obtained, it is compared with a preset first self-check threshold and a preset second self-check threshold, where the second self-check threshold is used to judge whether the analysis system supports security anomaly detection of the network path, and the first self-check threshold is used to judge whether the analysis system has a slight anomaly;
If the self-check coefficient zj_x is greater than the second self-check threshold, it is judged that the analysis system does not support security anomaly detection of the network path;
If the self-check coefficient zj_x is less than or equal to the second self-check threshold, it is judged that the analysis system supports security anomaly detection of the network path, and the analysis system monitors the network traffic of the network path in real time;
If the first self-check threshold is less than the self-check coefficient zj_x, which is less than or equal to the second self-check threshold, it is judged that the analysis system supports security anomaly detection of the network path but has a slight anomaly, and the initial threshold must be dynamically adjusted;
If the self-check coefficient zj_x is less than or equal to the first self-check threshold, it is judged that the analysis system supports security anomaly detection of the network path and has no anomaly.
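The self-check procedure described above, as an added example that is not the patent's own code: it derives the error-reporting early-warning periods (consecutive reports no more than 5 min apart, run length above a count threshold) and the computing-power early-warning periods from constructed monitoring data, then applies the two-threshold decision. The patent's expression for zj_x is not reproduced on this page, so the coefficient here is a labelled stand-in (the sum of the response-time variation z(t) over samples that fall inside a warning period); the function names, thresholds and all sample data are assumptions.

```python
"""Self-check of the analysis system: early-warning periods and the
two-threshold decision described in the text.

Added example, not code from the patent. The self-check coefficient is a
labelled stand-in because the patent's expression is not reproduced here.
"""
from typing import List, Optional, Tuple

Period = Tuple[float, float]   # [start, end] in seconds since the window start

# Page: error reports more than 5 min apart are not counted as consecutive.
CONSECUTIVE_GAP_S = 5 * 60


def error_warning_periods(error_times: List[float], count_threshold: int) -> List[Period]:
    """Split error-report timestamps into runs of consecutive reports
    (gap <= 5 min) and return, for each run longer than count_threshold, the
    period from the report that pushed the run over the threshold to the last
    report of the run."""
    times = sorted(error_times)
    periods: List[Period] = []
    i = 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[j] <= CONSECUTIVE_GAP_S:
            j += 1
        run = times[i:j + 1]
        if len(run) > count_threshold:
            periods.append((run[count_threshold], run[-1]))
        i = j + 1
    return periods


def compute_power_warning_periods(samples: List[Tuple[float, float]],
                                  power_threshold: float) -> List[Period]:
    """samples: (timestamp, measured computing power) in time order.
    Returns the maximal periods during which the power is below the threshold."""
    periods: List[Period] = []
    start: Optional[float] = None
    last_t: Optional[float] = None
    for t, power in samples:
        if power < power_threshold:
            if start is None:
                start = t
        elif start is not None:
            periods.append((start, last_t))
            start = None
        last_t = t
    if start is not None:
        periods.append((start, last_t))
    return periods


def self_check_coefficient(z_samples: List[Tuple[float, float]],
                           periods: List[Period]) -> float:
    """ASSUMPTION (stand-in for the patent's expression): sum of z(t), the
    response-time variation, over the samples lying inside any warning period."""
    return sum(z for t, z in z_samples if any(a <= t <= b for a, b in periods))


def self_check_decision(zj_x: float, first_threshold: float,
                        second_threshold: float) -> str:
    """Above the second threshold the system cannot run detection; between the
    thresholds it runs detection but has a slight anomaly (the initial traffic
    threshold must be adjusted); at or below the first threshold it is healthy."""
    if zj_x > second_threshold:
        return "unsupported"
    if zj_x > first_threshold:
        return "supported_slight_anomaly"
    return "supported_normal"


def run_self_check() -> dict:
    """Constructed sample data; timestamps are seconds since the window start."""
    error_times = [0, 60, 120, 200, 260, 1000, 1100]            # seven error reports
    power_samples = [(0, 0.9), (100, 0.5), (200, 0.4), (300, 0.8), (400, 0.3)]
    z_samples = [(0, 10), (100, 40), (150, 50), (250, 30), (300, 10), (400, 60)]

    err_periods = error_warning_periods(error_times, count_threshold=3)
    pwr_periods = compute_power_warning_periods(power_samples, power_threshold=0.6)
    zj_x = self_check_coefficient(z_samples, err_periods + pwr_periods)
    return {
        "error_periods": err_periods,      # [(200, 260)]
        "power_periods": pwr_periods,      # [(100, 200), (400, 400)]
        "zj_x": zj_x,                      # 180
        "decision": self_check_decision(zj_x, first_threshold=100, second_threshold=300),
    }


if __name__ == "__main__":
    print(run_self_check())
```

With the constructed data the first run of five reports exceeds the count threshold of 3 at its fourth report, so the early-warning period runs from t=200 to t=260; the two later reports are more than 5 min from the run and start a new, too-short run. The coefficient of 180 lands between the assumed thresholds, so the decision is "supported with slight anomaly", the case in which the text requires the initial traffic threshold to be adjusted.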
Obtaining all special scenes in the network path operating environment, analyzing all of them based on a regression analysis model, and obtaining regression coefficients specifically includes the following steps:
Obtain all special scenes that influence network traffic growth in the current operating environment, where the special scenes include primary special scenes and secondary special scenes; establish the set s of all primary special scenes, denote the primary special scenes in s as {s_1, s_2, ..., s_k}, and calculate the regression coefficients by the Logistic regression analysis method, where k is the number of primary special scenes in the set s; the coefficient expression is as follows:
where hg_z is the regression coefficient, Q is a constant term with the value 0.442, representing the influence amplitude of the secondary special scenes on the regression coefficient when no primary special scene exists, {s_1, s_2, ..., s_k} are the variables (the primary special scenes), {ω_1, ω_2, ..., ω_k} are the regression coefficients of the respective variables, and each regression coefficient ω > 0;
To better illustrate the Logistic regression analysis method, an example follows:
For example, on an e-commerce platform, in certain special scenes (such as large promotions run by the platform) the platform's traffic rises sharply because the number of online users increases, so the number of online users on the platform during a preceding period that covers such special scenes is obtained for regression analysis;
Q is a constant term with the value 0.442, indicating the influence amplitude of the secondary special scenes on the regression coefficient when no primary special scene exists; taking the e-commerce platform as an example again, during holidays the number of online users is usually higher than on non-holidays;
In the invention, the logical factors that make up the regression coefficient hg_z are as follows, taking the influence of the primary special scenes on network traffic as an example: first, the indexes, i.e. the factors that cause the special scene to change (in the invention, the influence of the primary special scenes on network traffic growth); second, the weights of the indexes, i.e. the proportion of each primary special scene; third, the operation equation, i.e. the mathematical operation by which the result is obtained; the regression coefficient hg_z is obtained by applying the operation equation to the indexes with their respective weights.
First, the primary special scenes obtained from the samples are converted and processed into a data language that computer software can recognize; second, Logistic regression analysis is performed on the evaluation factors with SPSS software to screen out the factors that are significantly correlated with the result and their weights; third, the evaluation factors and weights are substituted into the Logistic regression equation for calculation to obtain the result. Specifically:
First, ensure the integrity of the primary special scene data, handle missing and abnormal values, and convert the data into a format SPSS can read (generally csv, xlsx or similar). Then import the data into SPSS: open the software, import the processed data file, and convert the variables as required, for example by standardizing or normalizing continuous variables. Select the Analyze menu, then the Binary Logistic option under Regression, and add the dependent variable (the result) and the independent variables (the primary special scenes) to the corresponding boxes in the dialog. Fit the Logistic regression model with the selected variables, inspect the coefficients, standard errors, p values and other information of the model in the output, and judge which variables are significantly correlated with the result; generally, a p value below 0.05 is considered significant. A variable-selection method such as stepwise regression helps to screen out the most relevant factors. Finally, calculate the influence coefficient of each factor in the regression equation from the magnitude and sign of its regression coefficient, and thereby obtain the result.
Combining the regression coefficient with the running condition of the analysis system to generate a correction index, and obtaining a dynamic traffic threshold after adjusting the initial traffic threshold by the correction index, specifically includes the following steps:
If the first self-check threshold is less than the self-check coefficient zj_x, which is less than or equal to the second self-check threshold, it is judged that the analysis system supports security anomaly detection of the network path but has a slight anomaly, and the initial threshold must be dynamically adjusted;
When the analysis system has a slight anomaly, its analysis efficiency drops; at this time, to ensure the timeliness of network path security anomaly detection, the initial threshold must be reduced so that detection by the analysis system is not delayed;
From the calculation expression of the regression coefficient hg_z it can be seen that hg_z is mainly used to analyze special scenes in which the traffic of the network path increases; when such a special scene appears in the operating environment, the initial threshold must be enlarged to avoid frequent false alarms by the analysis system;
Obtain the value of the self-check coefficient zj_x when the analysis system has a slight anomaly, and combine it with the regression coefficient hg_z to generate the correction index; the calculation expression is as follows: where zj_x is the self-check coefficient, hg_z is the regression coefficient, and xz_s is the correction index; the larger the correction index, the more the initial traffic threshold must be increased;
The dynamic traffic threshold is obtained after the initial traffic threshold is corrected by the correction index; the expression is as follows: where yz_dynamic is the dynamic traffic threshold, yz_initial is the initial traffic threshold, and xz_s is the correction index.
The analysis system compares the network traffic obtained in real time with the dynamic traffic threshold, and when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management policy and sends an alarm signal to the administrator, specifically:
After the analysis system obtains the dynamic traffic threshold, it compares the network traffic of the network path obtained in real time with the dynamic traffic threshold;
If the network traffic is less than or equal to the dynamic traffic threshold, the current network path is analyzed as having no security anomaly;
If the network traffic is greater than the dynamic traffic threshold, the current network path is analyzed as having a security anomaly, a corresponding management policy is generated and an alarm signal is sent to the administrator, specifically:
Based on the result of the anomaly analysis, a corresponding management policy is generated, which may include blocking specific IP addresses, closing specific ports, quarantining infected systems and so on, and may also include updating firewall rules, adjusting access control lists (ACLs) and so on. A real-time response mechanism is configured so that the system can act quickly when an anomaly is detected, which may involve automated scripts, API calls or integration with other security devices. The response policy is refined, taking overall network security into account, so as to minimize interference with normal business operations;
After the security anomaly is confirmed, a detailed report and warning information are generated, including a description of the anomaly, its scope of impact, threat level and so on. A real-time warning notification is sent to the administrator, and a detailed security report is generated that includes the management policy adopted, the timeline of the anomaly, the scope of impact and so on, usually by e-mail, SMS, instant messaging or integration into a security information and event management (SIEM) system. The report is kept easy to understand so that the administrator can quickly grasp and handle the security event. The administrator's feedback on the warnings is collected and analyzed to ensure the accuracy and effectiveness of the system, and the system is continuously optimized and adjusted to adapt to new threats and changes in the network environment. The generated management policy and warnings are checked against the relevant compliance and regulatory requirements, and the relevant compliance information is provided when the administrator is notified, so that the organization meets regulatory requirements while handling the security event.
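The warning-module step described above (compare real-time traffic with the dynamic threshold; on an excursion, produce a policy and an alert carrying a description, threat level and timeline), as an added example that is not the patent's code. It treats a run of consecutive over-threshold samples as one anomaly so the alert carries a start and end time. The record fields, the threat-level ratios and the policy wording are assumptions; the traffic series and the threshold of 200 are constructed.

```python
"""Warning-module step: compare real-time traffic against the dynamic traffic
threshold and build the alert record and management policy described in the text.

Added example, not the patent's code. Field names, threat grading and policy
wording are assumptions; the traffic samples are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Alert:
    start: int             # timestamp of the first over-threshold sample
    end: int               # timestamp of the last over-threshold sample
    peak: float            # highest traffic observed in the excursion
    threshold: float       # dynamic threshold in force at the time
    threat_level: str
    description: str
    policy: List[str] = field(default_factory=list)


def threat_level(peak: float, threshold: float) -> str:
    """ASSUMED grading: how far the peak exceeds the dynamic threshold."""
    ratio = peak / threshold
    if ratio >= 2.0:
        return "high"
    if ratio >= 1.5:
        return "medium"
    return "low"


def management_policy(level: str) -> List[str]:
    """ASSUMED mapping from threat level to the response actions the text lists,
    least disruptive first so normal business is interfered with as little as
    possible."""
    policy = ["notify administrator", "record event in SIEM"]
    if level in ("medium", "high"):
        policy.append("update firewall rules / ACLs for the affected path")
    if level == "high":
        policy.append("block offending source addresses and quarantine affected hosts")
    return policy


def _finalize(a: Alert) -> Alert:
    a.threat_level = threat_level(a.peak, a.threshold)
    a.description = (f"traffic peak {a.peak:g} exceeded dynamic threshold "
                     f"{a.threshold:g} from t={a.start} to t={a.end}")
    a.policy = management_policy(a.threat_level)
    return a


def monitor(samples: List[Tuple[int, float]], dynamic_threshold: float) -> List[Alert]:
    """samples: (timestamp, traffic) in time order. Samples at or below the
    threshold are normal; consecutive samples above it are merged into one
    anomaly with a timeline."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    for t, traffic in samples:
        if traffic <= dynamic_threshold:
            if current is not None:
                alerts.append(_finalize(current))
                current = None
            continue
        if current is None:
            current = Alert(start=t, end=t, peak=traffic, threshold=dynamic_threshold,
                            threat_level="", description="")
        current.end = t
        current.peak = max(current.peak, traffic)
    if current is not None:
        alerts.append(_finalize(current))
    return alerts


def notification(a: Alert) -> str:
    """One-line message suitable for e-mail, SMS or SIEM ingestion."""
    return f"[{a.threat_level.upper()}] {a.description}; actions: {', '.join(a.policy)}"


# Constructed traffic series (arbitrary units); dynamic threshold assumed to be 200.
SAMPLES = [(0, 100), (1, 120), (2, 260), (3, 300), (4, 90), (5, 400), (6, 80)]


def run_monitor() -> List[Alert]:
    return monitor(SAMPLES, dynamic_threshold=200)


if __name__ == "__main__":
    for alert in run_monitor():
        print(notification(alert))
```

On the constructed series the monitor raises two alerts: one for t=2..3 with peak 300 (1.5 times the threshold, graded medium) and one for t=5 with peak 400 (graded high, which adds the blocking and quarantine actions). Merging adjacent over-threshold samples is what gives the report the anomaly timeline the text asks for, instead of one notification per sample.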
Example 3: the network path analysis system for network security anomaly detection in this embodiment includes a port module, an initialization module, a self-check module, a traffic monitoring module, a scene analysis module, a threshold optimization module and a warning module:
Port module: obtains historical traffic data of the network path operating environment, where the historical traffic data include normal traffic data and abnormal traffic data, and sends the normal traffic data and abnormal traffic data to the initialization module;
Initialization module: generates the initial traffic threshold of the current operating environment through a threshold algorithm based on the normal traffic data and abnormal traffic data, and sends the initial traffic threshold to the threshold optimization module;
Self-check module: performs self-check analysis at regular intervals to analyze the running condition of the analysis system, judges whether the current running condition supports security anomaly detection of the network path, sends an alarm signal to the network administrator if it does not, and sends the judgment result to the traffic monitoring module;
Traffic monitoring module: if the running condition supports security anomaly detection of the network path, the analysis system monitors the network traffic of the network path in real time, and the network traffic is sent to the warning module;
Scene analysis module: obtains all special scenes in the network path operating environment, analyzes all special scenes based on a regression analysis model to obtain regression coefficients, combines the regression coefficients with the running condition of the analysis system to generate the correction index, and transmits the correction index to the threshold optimization module;
Threshold optimization module: obtains the dynamic traffic threshold after adjusting the initial traffic threshold by the correction index;
Warning module: compares the network traffic obtained in real time with the dynamic traffic threshold, and when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management policy and sends a warning signal to the administrator.
The above formulas are all dimensionless formulas in which numerical values are calculated; they are obtained by collecting a large amount of data and performing software simulation to reflect the latest real situation, and the preset parameters in the formulas are set by those skilled in the art according to the actual situation.
It should be understood that the term "and/or" merely describes an association relationship between the associated objects and means that three relationships may exist; for example, A and/or B may mean three cases: A alone, A and B together, and B alone, where A and B may be singular or plural. In addition, the character "/" herein generally indicates that the associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, as understood from the context.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A network path analysis method for network security anomaly detection, characterized in that the analysis method comprises the following steps:
S1: the port of the analysis system obtains historical traffic data of the network path operating environment, the historical traffic data include normal traffic data and abnormal traffic data, and an initial traffic threshold of the current operating environment is generated through a threshold algorithm based on the normal traffic data and abnormal traffic data;
S2: the analysis system performs self-checks at regular intervals to analyze its own running condition, judges whether the current running condition supports security anomaly detection of the network path, and sends an alarm signal to the network administrator if it does not;
S3: if the running condition supports security anomaly detection of the network path, the analysis system monitors the network traffic of the network path in real time;
S4: all special scenes in the network path operating environment are obtained and analyzed based on a regression analysis model to obtain regression coefficients, and the regression coefficients are combined with the running condition of the analysis system to generate a correction index;
S5: the analysis system obtains a dynamic traffic threshold after adjusting the initial traffic threshold by the correction index, compares the network traffic obtained in real time with the dynamic traffic threshold, and when the network traffic exceeds the dynamic traffic threshold generates a corresponding management policy and sends a warning signal to the administrator.
2. The network path analysis method for network security anomaly detection of claim 1, wherein in step S1, generating the initial traffic threshold of the current operating environment through a threshold algorithm based on the normal traffic data and abnormal traffic data includes the following steps:
S101: obtain the average traffic and the traffic standard deviation of the normal traffic of the network path when it is used in the current operating environment;
S102: obtain the average traffic of the abnormal traffic of the network path when it is used in the current operating environment;
S103: calculate the initial traffic threshold from the average traffic value of the abnormal traffic, the traffic standard deviation of the normal traffic and the average traffic value of the normal traffic; the expression is as follows:
where yz_initial is the initial traffic threshold, Y_avg is the average traffic value of the abnormal traffic, Y_max is the maximum traffic value of the abnormal traffic, the remaining symbol in the formula represents the average traffic value of the normal traffic, and LQ represents the traffic standard deviation of the normal traffic.
3. The network path analysis method for network security anomaly detection of claim 2, wherein the calculation expression of the traffic standard deviation LQ of the normal traffic is as follows: where the averaged symbol in the formula represents the average traffic value of the normal traffic, n represents the number of normal-traffic sampling points, n is a positive integer, and P_i represents the traffic value at the i-th normal-traffic sampling point;
the calculation expression of the average traffic value of the abnormal traffic is as follows:
where j = {1, 2, 3, ..., m}, m represents the number of abnormal-traffic sampling points, m is a positive integer, Y_j represents the traffic value at the j-th abnormal-traffic sampling point, and Y_avg represents the average traffic value of the abnormal traffic.
4. The network path analysis method for network security anomaly detection of claim 3, wherein in step S2, the analysis system performing self-checks at regular intervals to analyze its own running condition and judging whether the current running condition supports security anomaly detection of the network path includes the following steps:
S201: obtain the computing-power early-warning period and the error-reporting early-warning period;
S202: integrate the computing-power early-warning period and the error-reporting early-warning period to obtain the self-check coefficient zj_x of the analysis system; the expression is as follows: z(t) represents the response-time variation of the analysis system, [t_x, t_y] is the computing-power early-warning period, and [t_i, t_j] is the error-reporting early-warning period;
S203: after the self-check coefficient zj_x is obtained, compare it with a preset first self-check threshold and a preset second self-check threshold, where the second self-check threshold is used to judge whether the analysis system supports security anomaly detection of the network path, and the first self-check threshold is used to judge whether the analysis system has a slight anomaly;
S204: if the self-check coefficient zj_x is greater than the second self-check threshold, judge that the analysis system does not support security anomaly detection of the network path, and send a warning signal to the network administrator;
S205: if the self-check coefficient zj_x is less than or equal to the second self-check threshold, judge that the analysis system supports security anomaly detection of the network path;
S206: if the first self-check threshold is less than the self-check coefficient zj_x, which is less than or equal to the second self-check threshold, judge that the analysis system supports security anomaly detection of the network path but has a slight anomaly, and the initial threshold must be dynamically adjusted;
S207: if the self-check coefficient zj_x is less than or equal to the first self-check threshold, judge that the analysis system supports security anomaly detection of the network path and has no anomaly.
5. The network path analysis method for network security anomaly detection of claim 4, wherein the analysis system monitors its real-time computing power; when the real-time computing power is lower than a computing-power threshold, the period is recorded; the longer the real-time computing power stays below the computing-power threshold, the less the analysis system supports security anomaly detection of the network path, and the period during which the real-time computing power is below the computing-power threshold is taken as the computing-power early-warning period;
when the analysis system reports errors, the number of consecutive error reports is recorded, and when the number of consecutive error reports exceeds a count threshold, the period during which the number of consecutive error reports exceeds the count threshold is the error-reporting early-warning period.
6. The network path analysis method for network security anomaly detection of claim 5, wherein in step S4, obtaining all special scenes in the network path operating environment and obtaining regression coefficients after analyzing all special scenes based on the regression analysis model includes the following steps:
obtain all special scenes that influence network traffic growth in the current operating environment, where the special scenes include primary special scenes and secondary special scenes; establish the set s of all primary special scenes, denote the primary special scenes in s as {s_1, s_2, ..., s_k}, and calculate the regression coefficients by the Logistic regression analysis method, where k is the number of primary special scenes in the set s; the coefficient expression is as follows:
where hg_z is the regression coefficient, Q is a constant term with the value 0.442, representing the influence amplitude of the secondary special scenes on the regression coefficient when no primary special scene exists, {s_1, s_2, ..., s_k} are the variables, {ω_1, ω_2, ..., ω_k} are the regression coefficients of the respective variables, and each regression coefficient ω > 0.
7. The network path analysis method for network security anomaly detection of claim 6, wherein in step S4, combining the regression coefficient with the running condition of the analysis system to generate the correction index includes the following steps:
if the first self-check threshold is less than the self-check coefficient zj_x, which is less than or equal to the second self-check threshold, judge that the analysis system supports security anomaly detection of the network path but has a slight anomaly, and dynamically adjust the initial threshold;
obtain the value of the self-check coefficient zj_x when the analysis system has a slight anomaly, and combine it with the regression coefficient hg_z to generate the correction index; the calculation expression is as follows: where zj_x is the self-check coefficient, hg_z is the regression coefficient, and xz_s is the correction index.
8. The network path analysis method for network security anomaly detection of claim 7, wherein in step S4, obtaining the dynamic traffic threshold after adjusting the initial traffic threshold by the correction index includes the following step: the dynamic traffic threshold is obtained after the initial traffic threshold is corrected by the correction index; the expression is as follows: where yz_dynamic is the dynamic traffic threshold, yz_initial is the initial traffic threshold, and xz_s is the correction index.
9. The network path analysis method for network security anomaly detection of claim 8, wherein in step S5, the comparison by the analysis system of the network traffic obtained in real time with the dynamic traffic threshold includes the following steps:
S501: after the analysis system obtains the dynamic traffic threshold, compare the network traffic of the network path obtained in real time with the dynamic traffic threshold;
S502: if the network traffic is less than or equal to the dynamic traffic threshold, analyze that the current network path has no security anomaly;
S503: if the network traffic is greater than the dynamic traffic threshold, analyze that the current network path has a security anomaly, generate a corresponding management policy and send an alarm signal to the administrator.
10. A network path analysis system for network security anomaly detection, for implementing the analysis method of any one of claims 1 to 9, characterized in that the system comprises a port module, an initialization module, a self-check module, a traffic monitoring module, a scene analysis module, a threshold optimization module and a warning module:
Port module: obtains historical traffic data of the network path operating environment, where the historical traffic data include normal traffic data and abnormal traffic data, and sends the normal traffic data and abnormal traffic data to the initialization module;
Initialization module: generates the initial traffic threshold of the current operating environment through a threshold algorithm based on the normal traffic data and abnormal traffic data, and sends the initial traffic threshold to the threshold optimization module;
Self-check module: performs self-check analysis at regular intervals to analyze the running condition of the analysis system, judges whether the current running condition supports security anomaly detection of the network path, sends an alarm signal to the network administrator if it does not, and sends the judgment result to the traffic monitoring module;
Traffic monitoring module: if the running condition supports security anomaly detection of the network path, the analysis system monitors the network traffic of the network path in real time, and the network traffic is sent to the warning module;
Scene analysis module: obtains all special scenes in the network path operating environment, analyzes all special scenes based on a regression analysis model to obtain regression coefficients, combines the regression coefficients with the running condition of the analysis system to generate the correction index, and transmits the correction index to the threshold optimization module;
Threshold optimization module: obtains the dynamic traffic threshold after adjusting the initial traffic threshold by the correction index;
Warning module: compares the network traffic obtained in real time with the dynamic traffic threshold, and when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management policy and sends a warning signal to the administrator.
CN202410025208.2A 2024-01-08 2024-01-08 Network path analysis system and method for network security anomaly detection Pending CN117811824A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410025208.2A CN117811824A (en) 2024-01-08 2024-01-08 Network path analysis system and method for network security anomaly detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410025208.2A CN117811824A (en) 2024-01-08 2024-01-08 Network path analysis system and method for network security anomaly detection

Publications (1)

Publication Number Publication Date
CN117811824A true CN117811824A (en) 2024-04-02

Family

ID=90433224

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410025208.2A Pending CN117811824A (en) 2024-01-08 2024-01-08 Network path analysis system and method for network security anomaly detection

Country Status (1)

Country Link
CN (1) CN117811824A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination