CN117938554B - Prediction system based on network security intrusion - Google Patents


Publication number
CN117938554B
Authority
CN
China
Prior art keywords
intrusion
data
unit
module
defense
Legal status
Active
Application number
CN202410338203.5A
Other languages
Chinese (zh)
Other versions
CN117938554A (en
Inventor
张卫平
丁洋
王丹
王晶
李显阔
Current Assignee
Global Digital Group Co Ltd
Original Assignee
Global Digital Group Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a prediction system based on network security intrusion, which relates to the field of network analysis or design and comprises an intrusion simulation statistics module, a characteristic analysis matching module, a network intrusion prediction module and a response defense module. The intrusion simulation statistics module is used for simulating network intrusion and counting data, the characteristic analysis matching module is used for analyzing the counted data and matching analysis results, the network intrusion prediction module is used for monitoring real-time network data and predicting intrusion conditions based on the analysis results, and the response defense module builds instant defense measures based on the matching information and the intrusion conditions. The system simulates and analyzes a large amount of intrusion data to obtain the characteristic data that appears before different intrusion types damage the target, predicts based on that characteristic data, and then defends in a targeted way according to the prediction result, which effectively improves the utilization rate of the defense resources.

Description

Prediction system based on network security intrusion
Technical Field
The invention relates to the field of network analysis or design, in particular to a prediction system based on network security intrusion.
Background
Network security problems have existed since the birth of the internet, and the capability of network defense systems has improved continuously. Existing defense systems generally adopt a comprehensive defense strategy that can defend against the various known intrusion modes, but the resources used by such a strategy are inflexible and can sometimes interfere with the normal operation of the system. An intrusion prediction system is therefore needed, so that defense measures can be built in a targeted way according to prediction results and the utilization rate of the defense resources is improved.
The foregoing discussion of the background art is intended to facilitate an understanding of the present invention only. This discussion is not an acknowledgement or admission that any of the material referred to was common general knowledge.
A number of intrusion prediction systems have been developed. Through extensive searching and reference, one such system was found in publication No. CN117240629B, which generally includes: an acquisition component for obtaining initial data through a search engine, and classifying and summarizing the initial data to obtain summarized data; a detection component for receiving data to be detected, identifying and classifying the received data to obtain classified data, constructing a virtual computer environment, and judging whether the classified data is network intrusion data to obtain a judging result; a processing component for sending an early warning popup window to the user based on the judging result; and an interception component for intercepting, through the network firewall, the network intrusion data in the judging result. However, that system predicts by running the network data in advance in the virtual environment, so although it has higher prediction capability, it slows down the normal flow.
Disclosure of Invention
The invention aims to provide a prediction system based on network security intrusion aiming at the defects.
The invention adopts the following technical scheme:
a prediction system based on network security intrusion comprises an intrusion simulation statistics module, a characteristic analysis matching module, a network intrusion prediction module and a response defense module;
The intrusion simulation statistics module is used for simulating network intrusion and counting data, the characteristic analysis matching module is used for analyzing the counted data and matching analysis results, the network intrusion prediction module is used for monitoring real-time network data and predicting intrusion conditions based on the analysis results, and the response defense module builds immediate defense measures based on the matching information and the intrusion conditions;
the intrusion simulation statistical module comprises a data management unit, a simulation operation unit and a detection statistical unit, wherein the data management unit is used for managing intrusion data and statistical data, the simulation operation unit is used for providing operation conditions of the virtual environment simulation intrusion data, and the detection statistical unit is used for detecting data change conditions in the virtual environment and carrying out statistics;
The feature analysis matching module comprises a limit dividing unit, a feature analysis unit and a feature matching unit, wherein the limit dividing unit is used for dividing statistical data into two parts, before and after intrusion, the feature analysis unit is used for analyzing the statistical data to obtain feature information of each intrusion data type, and the feature matching unit is used for matching the feature information before intrusion with the feature information after intrusion;
The network intrusion prediction module comprises a real-time monitoring unit and a checking prediction unit, wherein the real-time monitoring unit is used for monitoring the data change condition in a network system, and the checking prediction unit is used for checking monitoring information and characteristic information and predicting intrusion types;
Further, the feature analysis unit comprises a preparation analysis processor and a same-class analysis processor, wherein the preparation analysis processor is used for analyzing and processing the preparation sequence of one sample to obtain sample features, and the same-class analysis processor is used for analyzing and processing the sample features of intrusion data of the same class to obtain type features;
the process by which the preparation analysis processor analyzes the preparation sequence includes the following steps:
S1, calculating the difference between each pair of adjacent numbers in the preparation sequence;
S2, screening out the longest continuous segment of differences whose standard deviation is smaller than the fluctuation threshold;
S3, calculating a characteristic value z according to the following formula:
Wherein, Representing the ith difference in the continuous segment, N being the number of differences in the continuous segment;
S4, repeating steps S1 to S3 until the characteristic values of all the detection items are obtained;
S5, generating a feature vector and transmitting the characteristic value of the ith detection item to the same-class analysis processor, wherein z_i represents the characteristic value of the ith detection item, and n is the number of elements in the preparation sequence;
Further, the same-class analysis processor judges and filters the first m elements in the feature vectors: when the ith element value of all the feature vectors is in a normal interval, the ith detection item is a normal item, otherwise the ith detection item is an abnormal item, and an effective feature vector is generated according to the normal items and the abnormal items, where E_i corresponding to a normal item is 0 and E_i corresponding to an abnormal item is 1;
The same-class analysis processor calculates the judgment value Pd of each feature vector according to the following formula:
Wherein M is the number of abnormal items, Z(i) represents the characteristic value corresponding to the ith abnormal item, and k_i is the adjustment coefficient of the ith abnormal item;
The same-class analysis processor adjusts the adjustment coefficients so that the standard deviation of the judgment values of all the feature vectors is smaller than the fluctuation threshold, calculates the average value of the judgment values, and marks the average value as
The type characteristic is formed by the effective feature vector, the adjustment coefficient set and the judgment mean value;
Further, the proofreading prediction unit comprises a proofreading prediction register and a prediction calculation processor, wherein the proofreading prediction register is used for receiving material packet data and storing type characteristic information of each type of intrusion data, and the prediction calculation processor is used for calculating the material data based on each type characteristic information and judging whether network intrusion occurs or not;
The predictive computation processor computes a predicted value Yc for each material packet according to the following equation:
Wherein n' is the maximum sequence number of the object values in the material packet, and Vb(i, j) represents the j-th object value of the i-th abnormal item;
Vb(i, j) is screened out from the object values of the corresponding detection item according to the type characteristic information;
when the predicted value is larger than the judgment mean value, the intrusion type corresponding to the type characteristic information is sent to the response defense module as the predicted intrusion type;
Further, the response defense module comprises a defense preparation unit, a response activation unit and a defense implementation unit, wherein the defense preparation unit creates a corresponding defense generation package for the characteristic information after each intrusion, the response activation unit is used for responding to the predicted intrusion type and activating the corresponding defense generation package, and the defense implementation unit is used for executing the defense generation package to defend.
The beneficial effects obtained by the invention are as follows:
The system simulates and analyzes a large amount of intrusion data to obtain the characteristic data that appears before different intrusion types damage the target, and predicts on the collected real-time information based on that characteristic data. The prediction process and the workflow are independent of each other, so normal use of the network is not affected. Defense is then performed in a targeted way based on the prediction result; compared with comprehensive defense, the system can reduce the defense resources used, ensure the defense quality and improve the utilization rate of the defense resources.
For a further understanding of the nature and the technical aspects of the present invention, reference should be made to the following detailed description of the invention and the accompanying drawings, which are provided for purposes of reference only and are not intended to limit the invention.
Drawings
FIG. 1 is a schematic diagram of the overall structural framework of the present invention;
FIG. 2 is a schematic diagram of an intrusion simulation statistics module according to the present invention;
FIG. 3 is a schematic diagram of a feature analysis matching module according to the present invention;
FIG. 4 is a schematic diagram of a network intrusion prediction module according to the present invention;
Fig. 5 is a schematic diagram of the response defending module of the present invention.
Detailed Description
The following embodiments of the present invention are described in terms of specific examples, and those skilled in the art will appreciate the advantages and effects of the present invention from the disclosure herein. The invention is capable of other and different embodiments and its several details are capable of modification and variation in various respects, all without departing from the spirit of the present invention. The drawings of the present invention are merely schematic illustrations, and are not intended to be drawn to actual dimensions. The following embodiments will further illustrate the related art content of the present invention in detail, but the disclosure is not intended to limit the scope of the present invention.
Embodiment one: with reference to fig. 1, this embodiment provides a prediction system based on network security intrusion, which comprises an intrusion simulation statistics module, a feature analysis matching module, a network intrusion prediction module and a response defense module;
The intrusion simulation statistics module is used for simulating network intrusion and counting data, the characteristic analysis matching module is used for analyzing the counted data and matching analysis results, the network intrusion prediction module is used for monitoring real-time network data and predicting intrusion conditions based on the analysis results, and the response defense module builds immediate defense measures based on the matching information and the intrusion conditions;
the intrusion simulation statistical module comprises a data management unit, a simulation operation unit and a detection statistical unit, wherein the data management unit is used for managing intrusion data and statistical data, the simulation operation unit is used for providing operation conditions of the virtual environment simulation intrusion data, and the detection statistical unit is used for detecting data change conditions in the virtual environment and carrying out statistics;
The feature analysis matching module comprises a limit dividing unit, a feature analysis unit and a feature matching unit, wherein the limit dividing unit is used for dividing statistical data into two parts, before and after intrusion, the feature analysis unit is used for analyzing the statistical data to obtain feature information of each intrusion data type, and the feature matching unit is used for matching the feature information before intrusion with the feature information after intrusion;
The network intrusion prediction module comprises a real-time monitoring unit and a checking prediction unit, wherein the real-time monitoring unit is used for monitoring the data change condition in a network system, and the checking prediction unit is used for checking monitoring information and characteristic information and predicting intrusion types;
The feature analysis unit comprises a preparation analysis processor and a same-class analysis processor, wherein the preparation analysis processor is used for analyzing and processing the preparation sequence of one sample to obtain sample features, and the same-class analysis processor is used for analyzing and processing the sample features of intrusion data of the same class to obtain type features;
the process by which the preparation analysis processor analyzes the preparation sequence includes the following steps:
S1, calculating the difference between each pair of adjacent numbers in the preparation sequence;
S2, screening out the longest continuous segment of differences whose standard deviation is smaller than the fluctuation threshold;
S3, calculating a characteristic value z according to the following formula:
Wherein, Representing the ith difference in the continuous segment, N being the number of differences in the continuous segment;
S4, repeating steps S1 to S3 until the characteristic values of all the detection items are obtained;
S5, generating a feature vector and transmitting the characteristic value of the ith detection item to the same-class analysis processor, wherein z_i represents the characteristic value of the ith detection item, and n is the number of elements in the preparation sequence;
The same-class analysis processor judges and screens the first m elements in the feature vectors: when the ith element value of all the feature vectors is in a normal interval, the ith detection item is a normal item, otherwise the ith detection item is an abnormal item, and an effective feature vector is generated according to the normal items and the abnormal items, where E_i corresponding to a normal item is 0 and E_i corresponding to an abnormal item is 1;
The same-class analysis processor calculates the judgment value Pd of each feature vector according to the following formula:
Wherein M is the number of abnormal items, Z(i) represents the characteristic value corresponding to the ith abnormal item, and k_i is the adjustment coefficient of the ith abnormal item;
The same-class analysis processor adjusts the adjustment coefficients so that the standard deviation of the judgment values of all the feature vectors is smaller than the fluctuation threshold, calculates the average value of the judgment values, and marks the average value as
The type characteristic is formed by the effective feature vector, the adjustment coefficient set and the judgment mean value;
The checking and predicting unit comprises a checking and predicting register and a predicting and calculating processor, wherein the checking and predicting register is used for receiving material packet data and storing type characteristic information of each type of intrusion data, and the predicting and calculating processor is used for calculating and processing the material data based on each type of characteristic information and judging whether network intrusion occurs;
The predictive computation processor computes a predicted value Yc for each material packet according to the following equation:
Wherein n' is the maximum sequence number of the object values in the material packet, and Vb(i, j) represents the j-th object value of the i-th abnormal item;
Vb(i, j) is screened out from the object values of the corresponding detection item according to the type characteristic information;
when the predicted value is larger than the judgment mean value, the intrusion type corresponding to the type characteristic information is sent to the response defense module as the predicted intrusion type;
The response defense module comprises a defense preparation unit, a response activation unit and a defense implementation unit, wherein the defense preparation unit creates a corresponding defense generation package for the characteristic information after each intrusion, the response activation unit is used for responding to the predicted intrusion type and activating the corresponding defense generation package, and the defense implementation unit is used for executing the defense generation package to defend.
Embodiment two: the embodiment comprises the whole content of the first embodiment, and provides a prediction system based on network security intrusion, which comprises an intrusion simulation statistics module, a feature analysis matching module, a network intrusion prediction module and a response defense module;
The intrusion simulation statistics module is used for simulating network intrusion and counting data, the characteristic analysis matching module is used for analyzing the counted data and matching analysis results, the network intrusion prediction module is used for monitoring real-time network data and predicting intrusion conditions based on the analysis results, and the response defense module builds immediate defense measures based on the matching information and the intrusion conditions;
Referring to fig. 2, the intrusion simulation statistics module includes a data management unit, a simulation operation unit, and a detection statistics unit, where the data management unit is used to manage intrusion data and statistics data, the simulation operation unit is used to provide operation conditions of the virtual environment for simulating intrusion data, and the detection statistics unit is used to detect data change conditions in the virtual environment and perform statistics;
Referring to fig. 3, the feature analysis matching module includes a boundary dividing unit, a feature analysis unit and a feature matching unit, where the boundary dividing unit is used to divide the statistical data into two parts before and after intrusion, the feature analysis unit is used to analyze the statistical data to obtain feature information of each intrusion data type, and the feature matching unit is used to match the feature information before intrusion with the feature information after intrusion;
referring to fig. 4, the network intrusion prediction module includes a real-time monitoring unit for monitoring a data change condition in the network system and a calibration prediction unit for calibrating monitoring information and feature information and predicting intrusion types;
Referring to fig. 5, the response defending module includes a defending preparation unit, a response activating unit and a defending implementation unit, wherein the defending preparation unit creates a corresponding defending generation packet for each feature information after intrusion, the response activating unit is used for responding to the predicted intrusion type and activating the corresponding defending generation packet, and the defending implementation unit is used for executing the defending generation packet to defend;
The data management unit comprises an intrusion data memory, a statistical data memory and a data transmission controller, wherein the intrusion data memory is used for storing intrusion data packets with different intrusion types, the statistical data memory is used for storing statistical data packets with different intrusion types, and the data transmission controller is used for sending the intrusion data packets to the simulation operation unit and receiving the statistical data, and selecting a corresponding storage area in the statistical data memory for storage;
the simulation running unit comprises an intrusion execution processor, a virtual environment simulation processor and a virtual environment reset processor, wherein the intrusion execution processor is used for receiving an intrusion data packet and expanding intrusion to the virtual environment based on information in the intrusion data packet, the virtual environment simulation processor is used for simulating a virtual environment, and the virtual environment reset processor is used for resetting the virtual environment to an initial state;
The detection statistics unit comprises a detection item register, a detection execution processor and a statistics calculation processor, wherein the detection item register is used for storing the content of detection items and corresponding detection paths, the detection execution processor is used for detecting the corresponding detection items based on the detection paths, and the statistics calculation processor is used for carrying out statistics calculation on detection results;
The statistical calculation processor calculates a statistical value V(T_i) of a detection item at the ith detection point according to the following formula:
Wherein, T_i represents the ith detection time point after the intrusion execution processor runs, N(T_i) represents the detection value of the detection item at T_i, and N_0 represents the initial value of the detection item;
The statistical data of each detection item is a statistical value sequence, the statistical data corresponding to each intrusion data is m statistical value sequences, m is the number of the detection items, and the m statistical value sequences are called a sample;
The limit dividing unit comprises a damage checking processor and a data segmentation processor, wherein the damage checking processor checks the time point of damage to the virtual environment according to the statistic value of the detection item, and the data segmentation processor is used for dividing the statistic value sequence into a preparation sequence and a result sequence;
The damage checking processor processes one sample at a time and takes the time point at which a detection item first reaches its damage value as the real damage time point; the damage values of different detection items are different. The damage checking processor then pushes the real damage time point forward by several detection time points and takes the resulting detection time point as the demarcation time point;
For example, if the damage checking processor detects that the 50th detection time point is the real damage time point and pushes forward 5 detection time points, the 45th detection time point is taken as the demarcation time point; the number of detection time points pushed forward can be set as needed;
The data segmentation processor divides the statistical value data of all detection items in the sample into two sections according to the demarcation time points, and reorders and names according to the following formula:
Wherein, Representing the preparatory number column,/>Representing a result sequence, n being the number of elements in the preliminary sequence;
The feature analysis unit comprises a preparation analysis processor and a same-class analysis processor, wherein the preparation analysis processor is used for analyzing and processing the preparation sequence of one sample to obtain sample features, and the same-class analysis processor is used for analyzing and processing the sample features of intrusion data of the same class to obtain type features;
the process by which the preparation analysis processor analyzes the preparation sequence includes the following steps:
S1, calculating the difference between each pair of adjacent numbers in the preparation sequence;
S2, screening out the longest continuous segment of differences whose standard deviation is smaller than the fluctuation threshold;
S3, calculating a characteristic value z according to the following formula:
Wherein, Representing the ith difference in the continuous segment, N being the number of differences in the continuous segment;
S4, repeating steps S1 to S3 until the characteristic values of all the detection items are obtained;
S5, generating a feature vector and sending the characteristic value of the ith detection item to the same-class analysis processor, wherein z_i represents the characteristic value of the ith detection item;
The same-class analysis processor judges and screens the first m elements in the feature vectors: when the ith element value of all the feature vectors is in a normal interval, the ith detection item is a normal item, otherwise the ith detection item is an abnormal item, and an effective feature vector is generated according to the normal items and the abnormal items, where E_i corresponding to a normal item is 0 and E_i corresponding to an abnormal item is 1;
The same-class analysis processor calculates the judgment value Pd of each feature vector according to the following formula:
Wherein M is the number of abnormal items, Z(i) represents the characteristic value corresponding to the ith abnormal item, and k_i is the adjustment coefficient of the ith abnormal item;
The same-class analysis processor adjusts the adjustment coefficients so that the standard deviation of the judgment values of all the feature vectors is smaller than the fluctuation threshold, calculates the average value of the judgment values, and marks the average value as
The type characteristic is formed by the effective feature vector, the adjustment coefficient set and the judgment mean value;
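The boundary division and steps S1 and S2 described above, as an added Python example that is not taken from the patent: it finds the real damage point of a sample, moves back a configurable number of detection points to the demarcation point, splits each sequence, and picks the longest low-fluctuation run of differences. The detection item names, the constructed values, the inclusive `>=` damage test, the use of population standard deviation and the choice to end the preparation sequence at the demarcation point are assumptions; step S3 is left out because its formula is not reproduced on this page.

```python
"""Boundary division plus steps S1-S2 on constructed data (added example)."""


def first_damage_index(sample, damage_values):
    """0-based index of the earliest detection point where any item reaches its damage value."""
    hits = [
        idx
        for item, seq in sample.items()
        for idx, value in enumerate(seq)
        if value >= damage_values[item]  # assumption: "reaches" means >=
    ]
    return min(hits) if hits else None


def split_sample(sample, damage_values, lead):
    """Split every statistic sequence of one sample at the demarcation point.

    Returns (demarcation_index, preparation, result), or None when no
    detection item ever reaches its damage value.
    """
    damage_idx = first_damage_index(sample, damage_values)
    if damage_idx is None:
        return None
    demarcation_idx = max(0, damage_idx - lead)  # clamp when damage occurs very early
    cut = demarcation_idx + 1  # assumption: the demarcation point ends the preparation part
    preparation = {item: seq[:cut] for item, seq in sample.items()}
    result = {item: seq[cut:] for item, seq in sample.items()}
    return demarcation_idx, preparation, result


def longest_stable_segment(preparation_seq, fluctuation_threshold):
    """Steps S1 and S2 for one detection item.

    Returns (start, segment): the earliest of the longest runs of adjacent
    differences whose population standard deviation is below the threshold.
    """
    # S1: differences of adjacent values.
    diffs = [b - a for a, b in zip(preparation_seq, preparation_seq[1:])]

    # Prefix sums make the variance of any run an O(1) computation.
    prefix, prefix_sq = [0], [0]
    for d in diffs:
        prefix.append(prefix[-1] + d)
        prefix_sq.append(prefix_sq[-1] + d * d)

    # S2: standard deviation is not monotone in run length, so test every run.
    best_start, best_len = 0, 0
    for start in range(len(diffs)):
        for end in range(start + 1, len(diffs) + 1):
            n = end - start
            if n <= best_len:
                continue  # only a strictly longer run can replace the best one
            s = prefix[end] - prefix[start]
            sq = prefix_sq[end] - prefix_sq[start]
            # std < t  <=>  n*sum(d^2) - (sum d)^2 < (t*n)^2, with no division
            if n * sq - s * s < (fluctuation_threshold * n) ** 2:
                best_start, best_len = start, n
    return best_start, diffs[best_start:best_start + best_len]


def build_constructed_sample():
    """Constructed sample: 60 detection points for two hypothetical detection items."""
    sample = {
        # flat for 20 points, then a steady climb of 5 per detection point
        "conn_rate": [10] * 20 + [10 + 5 * (i - 19) for i in range(20, 60)],
        # small periodic jitter that never approaches its damage value
        "cpu_load": [20 + i % 3 for i in range(60)],
    }
    damage_values = {"conn_rate": 160, "cpu_load": 500}
    return sample, damage_values


if __name__ == "__main__":
    sample, damage_values = build_constructed_sample()
    demarcation, preparation, result = split_sample(sample, damage_values, lead=5)
    print("demarcation point (1-based):", demarcation + 1)
    for item, seq in preparation.items():
        start, segment = longest_stable_segment(seq, fluctuation_threshold=0.5)
        print(item, "stable run starts at difference", start, "length", len(segment))
```

On the constructed sample the damage point is the 50th detection point and the demarcation point the 45th, matching the patent's own numeric illustration.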
The feature matching unit comprises a result analysis processor and a matching mapping processor, wherein the result analysis processor is used for analyzing and processing a result array to obtain protection item information, and the matching mapping processor is used for establishing a mapping relation between an effective feature vector and a protection item;
The result analysis processor screens out detection items reaching the damage value from the result array, and converts the detection items to obtain protection items;
The matching mapping processor acquires effective feature vector information, and generates a lookup table according to the mapping relation between the effective feature vector and the protection item and sends the lookup table to the response defense module;
The real-time monitoring unit comprises a data acquisition processor and a material information processor, wherein the data acquisition processor is used for acquiring detection item information in an actual environment and preprocessing the detection item information, and the material information processor is used for finishing the preprocessed data into predicted material information and sending the predicted material information to the proofreading prediction unit;
the data acquisition processor processes the acquired data of the detection item according to the following formula to obtain an object value Vb:
Wherein N_now represents the current detection value, and N_pst represents the last detection value;
When the material information processor identifies that the object value of at least one detection item is not in a normal interval, a material packet is created, and the object values of all detection items from the current moment are acquired from the data acquisition processor;
when the data in the material package is updated, the material package data is copied and then sent to the checking and predicting unit, and when the object values of all the detection items are in the range, all the material packages are deleted;
The checking and predicting unit comprises a checking and predicting register and a predicting and calculating processor, wherein the checking and predicting register is used for receiving material packet data and storing type characteristic information of each type of intrusion data, and the predicting and calculating processor is used for calculating and processing the material data based on each type of characteristic information and judging whether network intrusion occurs;
The predictive computation processor computes a predicted value Yc for each material packet according to the following equation:
Wherein n' is the maximum sequence number of the object values in the material packet, and Vb(i, j) represents the j-th object value of the i-th abnormal item;
Vb(i, j) is screened out from the object values of the corresponding detection item according to the type characteristic information;
when the predicted value is larger than the judgment mean value, the intrusion type corresponding to the type characteristic information is sent to the response defense module as the predicted intrusion type;
both i and j appearing above are ordinals used to represent sequence numbers.
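The material-packet lifecycle described above (create on the first out-of-range object value, copy and send on every update, delete once every item is back in range), as an added Python sketch that is not part of the patent text. The class and item names, the normal intervals and the sample values are constructed, and keeping a single open packet at a time is an assumption of this sketch.

```python
import copy

class MaterialInfoProcessor:
    """Material-packet lifecycle from the description above.
    Assumption: one open packet at a time; names are hypothetical."""

    def __init__(self, normal_intervals, send):
        self.normal = normal_intervals  # item -> (low, high) normal interval
        self.send = send                # stands in for the checking and predicting unit
        self.packet = None              # item -> object values since the anomaly began

    def _in_range(self, item, vb):
        low, high = self.normal[item]
        return low <= vb <= high

    def feed(self, object_values):
        """Handle one acquisition round: item -> object value Vb."""
        if all(self._in_range(k, v) for k, v in object_values.items()):
            self.packet = None          # all items back in range: delete the packet
            return
        if self.packet is None:         # first out-of-range value: create a packet
            self.packet = {item: [] for item in object_values}
        for item, vb in object_values.items():
            self.packet[item].append(vb)  # keep every item, not only the abnormal one
        # Send a copy so later updates never change what the checker already holds.
        self.send(copy.deepcopy(self.packet))

def run_constructed_rounds():
    """Replay constructed object values; return the copies sent and the open packet."""
    sent = []
    proc = MaterialInfoProcessor({"conn_rate": (-0.5, 0.5), "cpu": (-0.3, 0.3)},
                                 sent.append)
    rounds = [  # constructed sample data, not from the patent
        {"conn_rate": 0.1, "cpu": 0.0},   # normal: nothing sent
        {"conn_rate": 0.9, "cpu": 0.1},   # conn_rate leaves its interval
        {"conn_rate": 1.4, "cpu": 0.4},   # packet grows, new copy sent
        {"conn_rate": 0.2, "cpu": 0.0},   # all normal: packet deleted
        {"conn_rate": 0.0, "cpu": -0.6},  # new anomaly starts a fresh packet
    ]
    for r in rounds:
        proc.feed(r)
    return sent, proc.packet

if __name__ == "__main__":
    for p in run_constructed_rounds()[0]:
        print(p)
```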
The foregoing disclosure is only a preferred embodiment of the present invention and is not intended to limit the scope of the invention, so that all equivalent technical changes made by applying the description of the present invention and the accompanying drawings are included in the scope of the present invention, and in addition, elements in the present invention can be updated as the technology develops.

Claims (3)

1. The prediction system based on the network security intrusion is characterized by comprising an intrusion simulation statistics module, a characteristic analysis matching module, a network intrusion prediction module and a response defense module;
The intrusion simulation statistics module is used for simulating network intrusion and counting data, the characteristic analysis matching module is used for analyzing the counted data and matching analysis results, the network intrusion prediction module is used for monitoring real-time network data and predicting intrusion conditions based on the analysis results, and the response defense module builds immediate defense measures based on the matching information and the intrusion conditions;
the intrusion simulation statistical module comprises a data management unit, a simulation operation unit and a detection statistical unit, wherein the data management unit is used for managing intrusion data and statistical data, the simulation operation unit is used for providing operation conditions of the virtual environment simulation intrusion data, and the detection statistical unit is used for detecting data change conditions in the virtual environment and carrying out statistics;
The feature analysis matching module comprises a limit dividing unit, a feature analysis unit and a feature matching unit, wherein the limit dividing unit is used for dividing statistical data into two parts before and after invasion, the feature analysis unit is used for analyzing the statistical data to obtain type feature information of each invasion data, and the feature matching unit is used for matching the feature information before invasion with the feature information after invasion;
the network intrusion prediction module comprises a real-time monitoring unit and a checking prediction unit, wherein the real-time monitoring unit is used for monitoring the data change condition in a network system, and the checking prediction unit is used for checking the monitoring information and the type characteristic information of each intrusion data and predicting the intrusion type;
The characteristic analysis unit comprises a preparation analysis processor and a same-class analysis processor, wherein the preparation analysis processor is used for analyzing and processing the preparation number sequence of one sample to obtain sample characteristics, and the same-class analysis processor is used for analyzing and processing the sample characteristics of intrusion data of the same class to obtain type characteristics;
the process of analyzing the preparation number sequence by the preparation analysis processor includes the following steps:
S1, calculating the difference value of each pair of adjacent numbers in the preparation number sequence;
S2, screening out the continuous segment of differences whose standard deviation is smaller than the fluctuation threshold and whose length is the largest;
S3, calculating a characteristic value z according to the following formula:
Wherein, Representing the ith difference in the continuous segment, N being the number of differences in the continuous segment;
S4, repeating steps S1 to S3 until the characteristic values of all the detection items are obtained;
S5, generating a feature vector and transmitting the characteristic value of the ith detection item to the same-class analysis processor, wherein z_i represents the characteristic value of the ith detection item, and n is the number of elements in the preparation number sequence;
The same-class analysis processor judges and screens the first m elements in the feature vectors: when the ith element value of all the feature vectors is in the normal interval, the ith detection item is a conventional item, otherwise the ith detection item is an abnormal item; an effective feature vector is generated according to the conventional items and the abnormal items, wherein E_i corresponding to a conventional item is 0 and E_i corresponding to an abnormal item is 1;
The same class analysis processor calculates the judgment value Pd of each feature vector according to the following formula:
Wherein M is the number of abnormal items, Z (i) represents a characteristic value corresponding to the ith abnormal item, and k i is the adjustment coefficient of the ith abnormal item;
The same-class analysis processor adjusts the adjustment coefficients so that the standard deviation of the judgment values of all the feature vectors is smaller than the fluctuation threshold, calculates the average value of the judgment values, and marks the average value as
The type feature is composed of an effective feature vector, an adjusting coefficient set and a judging mean value.
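Steps S1, S2 and S4 of claim 1, as an added Python illustration that is not part of the patent text. The function names, the sample sequences and the use of the population standard deviation are assumptions; the formula for the characteristic value z (S3) is not reproduced on this page, so the code stops at the screened segment.

```python
import math

def longest_stable_run(seq, fluct_threshold):
    """S1 + S2 for one detection item.
    Returns (start_index, diffs) of the longest contiguous run of adjacent
    differences whose population standard deviation is < fluct_threshold."""
    diffs = [b - a for a, b in zip(seq, seq[1:])]  # S1: adjacent differences
    best_start, best_len = 0, 0
    for start in range(len(diffs)):
        total = total_sq = 0.0
        # No early exit: adding values can lower the standard deviation again,
        # so every window starting here has to be checked.
        for end in range(start, len(diffs)):
            total += diffs[end]
            total_sq += diffs[end] ** 2
            n = end - start + 1
            variance = max(total_sq / n - (total / n) ** 2, 0.0)
            if math.sqrt(variance) < fluct_threshold and n > best_len:
                best_start, best_len = start, n  # ties keep the earliest run
    return best_start, diffs[best_start:best_start + best_len]

def stable_runs(preparation_sequences, fluct_threshold):
    """S4: repeat S1-S2 for every detection item (item name -> sequence)."""
    return {item: longest_stable_run(seq, fluct_threshold)
            for item, seq in preparation_sequences.items()}

# Constructed preparation sequences (not from the patent); item names are hypothetical.
SAMPLE = {
    "conn_count": [100, 101, 140, 152, 163, 175, 186, 240, 242],
    "cpu_load": [5, 5, 5, 9],
}

if __name__ == "__main__":
    for item, (start, run) in stable_runs(SAMPLE, 1.0).items():
        print(item, start, run)
```

A sequence with fewer than two numbers has no differences and yields an empty run, so the caller has to decide how such a detection item is treated before computing z.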
2. The network security intrusion-based prediction system according to claim 1, wherein the checking prediction unit includes a checking prediction register for receiving the material packet data and storing type feature information of each type of intrusion data, and a prediction calculation processor for calculating the material data based on each type feature information and judging whether or not a network intrusion occurs;
The predictive computation processor computes a predicted value Yc for each material packet according to the following equation:
Wherein n' is the maximum sequence number of the object values in the material packet, and Vb (i, j) represents the j-th object value of the i-th abnormal item;
Vb (i, j) is the object value of the corresponding detection item screened out according to the type characteristic information;
And when the predicted value is larger than the judgment average value, the intrusion type corresponding to the type characteristic information is used as the predicted intrusion type to be sent to the response defense module.
3. The network security intrusion-based prediction system according to claim 2, wherein the response defense module includes a defense preparation unit that creates a corresponding defense generation package for each of the post-intrusion feature information, a response activation unit that responds to the predicted intrusion type and activates the corresponding defense generation package, and a defense implementation unit that performs defense by executing the defense generation package.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410338203.5A CN117938554B (en) 2024-03-25 2024-03-25 Prediction system based on network security intrusion

Publications (2)

Publication Number Publication Date
CN117938554A CN117938554A (en) 2024-04-26
CN117938554B true CN117938554B (en) 2024-06-11

Family

ID=90761442

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant