CN117997586A - Network security detection system based on data visualization - Google Patents

Network security detection system based on data visualization

Info

Publication number
CN117997586A
Authority
CN
China
Prior art keywords
network
data
data packet
user behavior
abnormal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311702037.4A
Other languages
Chinese (zh)
Inventor
王广河
雷享
王丽君
丁一
张晓驰
赵晏平
陈正凡
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HuaiAn Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
HuaiAn Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network security detection, in particular to a network security detection system based on data visualization, and is intended to address the shortcomings of existing network security detection approaches in data acquisition and processing, network traffic state identification, abnormal state analysis and evaluation, and user behavior state analysis.

Description

Network security detection system based on data visualization
Technical Field
The invention relates to the technical field of network security detection, in particular to a network security detection system based on data visualization.
Background
With the rapid development and popularization of the Internet, network security problems are becoming increasingly prominent. Hacking, malware and data leakage have become significant threats to businesses and individuals, and network security detection systems have become critical for protecting network systems from these threats.
Traditional network security detection methods rely primarily on signature-based detection techniques, which identify and intercept known threats by comparing traffic against libraries of known malicious code. However, with the continual variation of malware and the advent of new attack techniques, signature-based detection methods have struggled to keep up.
The existing network security monitoring approaches have the following problems:
Problem one: when existing network security detection collects the various raw data related to network security, data acquisition is incomplete and data formats are inconsistent, so the network security condition cannot be accurately assessed;
Problem two: when existing network security detection identifies and analyzes the traffic state of the network, data output is inaccurate and misjudgments occur, so network security anomalies are missed or falsely reported, which impairs monitoring of and feedback on the network security state;
Problem three: existing network security detection has difficulty accurately evaluating the security of user behavior, so network security cannot be ensured.
Disclosure of Invention
The invention aims to provide a network security detection system based on data visualization, which is used for solving the problems described in the background.
The aim of the invention is achieved by the following technical scheme: a network security detection system based on data visualization, comprising:
the data acquisition module, used for acquiring the various raw data related to network security, where the raw data related to network security comprises log files and user behavior information, and for sending the collected information to the feature data extraction module;
the feature data extraction module, used for preprocessing the log files in the collected raw data related to network security so as to extract the network traffic data parameters related to network security, and for sending the network traffic data parameters to the database for storage;
the feature data extraction module is also used for preprocessing the user behavior information in the collected raw data related to network security so as to extract the user behavior data parameters related to network security, and for sending the user behavior data parameters to the database for storage;
the network traffic data detection module, used for identifying and analyzing the traffic state of the network on the basis of the output network traffic data parameters related to network security, for outputting a traffic characteristic evaluation index and a connection characteristic evaluation index of the network according to the traffic state, and for sending these two items of data to the network traffic security evaluation module;
the network traffic security evaluation module, used for analyzing and evaluating the abnormal state of the network on the basis of the received traffic characteristic evaluation index and connection characteristic evaluation index of the network, for generating a confirmed abnormal signal or a misjudged abnormal signal according to the analysis and evaluation, and for sending that signal to the display terminal for visual presentation;
the network user behavior security evaluation module, used for analyzing the user behavior state of each user in the network on the basis of the output user behavior data parameters related to network security, for generating a user behavior abnormal signal or a user behavior normal signal according to the user behavior state, and for sending that signal to the display terminal for visual presentation.
Preferably, the data preprocessing of the log files in the collected raw data related to network security is performed as follows:
the network addresses of the sender and receiver of each data packet are extracted from the log file, giving the source IP address and destination IP address of each data packet, and the captured source and destination IP addresses are converted into a form that can be analyzed, namely numeric form;
the transport-layer port number of each data packet in the network protocol stack is extracted from the log file, giving the port number of each data packet, and the captured port numbers are converted from categorical data into a numerical representation;
the byte count of each data packet is extracted from the log file, giving the data volume of each data packet, and the data volume of each captured data packet is standardized, namely linearly mapped into the range [0,1], as follows: min-max normalization is applied to each data packet according to the set model x' = (x - min)/(max - min), where x' is the normalized value, x is the original value, min is the minimum of the original values and max is the maximum of the original values, completing the normalization of the data volume of each data packet;
the sending time and receiving time of each data packet are extracted from the log file, giving the sending time stamp and receiving time stamp of each data packet, and the captured sending and receiving time stamps are converted into readable time as follows: the value corresponding to the unit of the time stamp is first determined, the time stamps are then converted into a date-time format using a function built into the programming language, and the date-time value is then converted into a specific string form, completing the conversion of the sending and receiving time stamps into readable time;
the actual data content carried in each data packet is extracted from the log file, where the carried content consists of the HTTP request count and the file transfer count, giving the payload of each data packet;
the network traffic data parameters related to network security are formed by the source and destination IP addresses in numeric form, the port number in numerical representation, the standardized data volume, the sending and receiving time stamps in readable-time form, and the payload.
Preferably, the identification and analysis of the traffic state of the network is performed as follows:
key characteristic parameters are extracted on the basis of the source IP address, destination IP address, port number and data volume in the network traffic data parameters related to network security, where the key characteristics comprise the inflow data volume, the outflow data volume and the number of connections per second;
a monitoring period is set and divided equally into a plurality of monitoring time points, and the standard deviation of each of the three key characteristic parameters extracted at the monitoring time points within the monitoring period is calculated according to the set formulas $\sigma_{1i}=\sqrt{\frac{1}{n_2}\sum_{j=1}^{n_2}\left(lr_{ij}-\mu_{1i}\right)^2}$, $\sigma_{2i}=\sqrt{\frac{1}{n_2}\sum_{j=1}^{n_2}\left(lc_{ij}-\mu_{2i}\right)^2}$ and $\sigma_{3i}=\sqrt{\frac{1}{n_2}\sum_{j=1}^{n_2}\left(lk_{ij}-\mu_{3i}\right)^2}$, giving respectively the inflow traffic feedback value $\sigma_{1i}$, the outflow traffic feedback value $\sigma_{2i}$ and the connection feedback value $\sigma_{3i}$ of the network, where $lr_{ij}$ is the inflow data volume per second of the corresponding data packet at each monitoring time point within the corresponding monitoring period, $lc_{ij}$ is the outflow data volume per second of the corresponding data packet at each monitoring time point within the corresponding monitoring period, $lk_{ij}$ is the number of connections per second of the corresponding data packet at each monitoring time point within the corresponding monitoring period, $\mu_{1i}$ is the mean inflow data volume of the corresponding data packet over the corresponding monitoring period, $\mu_{2i}$ is the mean outflow data volume of the corresponding data packet over the corresponding monitoring period, $\mu_{3i}$ is the mean number of connections of the corresponding data packet over the corresponding monitoring period, $i = 1, 2, 3, \ldots, n_1$, $j = 1, 2, 3, \ldots, n_2$ numbers the monitoring time points into which the corresponding monitoring period is divided, and $n_1$, $n_2$ are positive integers;
the inflow traffic feedback value and the outflow traffic feedback value of the network are then analyzed together according to a set data model, outputting the traffic characteristic evaluation index fcx of the network, where a1 and a2 are normalization factors;
the connection feedback value of the network is analyzed according to a set data model, outputting the connection characteristic evaluation index cax of the network, where a3 is a normalization factor.
Preferably, the analysis and evaluation of the abnormal state of the network is performed as follows:
a traffic characteristic threshold is set for the traffic characteristic evaluation index of the network, the traffic characteristic evaluation index of the network is compared with the preset traffic characteristic threshold, and if the traffic characteristic evaluation index exceeds the traffic characteristic threshold the traffic state of the network is marked as an abnormally high traffic state, otherwise as a normal traffic state;
a connection characteristic threshold is set for the connection characteristic evaluation index of the network, the connection characteristic evaluation index of the network is compared with the preset connection characteristic threshold, and if the connection characteristic evaluation index exceeds the connection characteristic threshold the connection state of the network is marked as an abnormally frequent connection state, otherwise as a normal connection state;
on the basis of the output abnormally high traffic state or abnormally frequent connection state, a trace-check instruction is output and a trace-check analysis of the abnormal state of the network is performed, outputting a confirmed abnormal signal or a misjudged abnormal signal.
Preferably, the trace-check analysis of the abnormal state of the network is performed as follows:
on the basis of the sending time stamp and receiving time stamp in the output network traffic data parameters related to network security, the transmission time of each data packet is obtained according to the set data model transmission time = receiving time stamp of the data packet - sending time stamp of the data packet;
the delay time of each data packet is obtained according to delay time = receiving time stamp of the data packet - transmission time of the data packet in the network;
the transmission time and delay time of each data packet are measured repeatedly and the average is taken as the final result; specifically, the number of tests is set to m, giving the transmission time and delay time of each data packet under the m tests, denoted $TOT_i^{\,t}$ and $PDT_i^{\,t}$ for the t-th test, and the averages are calculated according to the formulas $tfv_i=\frac{1}{m}\sum_{t=1}^{m}TOT_i^{\,t}$ and $dev_i=\frac{1}{m}\sum_{t=1}^{m}PDT_i^{\,t}$, giving the transmission characteristic value $tfv_i$ and the delay characteristic value $dev_i$ of each data packet;
according to a set data model, the transmission connection comprehensive evaluation index epe of the network is output, where b1 and b2 are normalization factors;
a transmission connection comprehensive threshold is set for the transmission connection comprehensive evaluation index of the network, the transmission connection comprehensive evaluation index of the network is compared with the preset transmission connection comprehensive threshold, and if the transmission connection comprehensive evaluation index of the network is greater than the transmission connection comprehensive threshold a confirmed abnormal signal is generated, otherwise a misjudged abnormal signal is generated.
Preferably, the analysis of the user behavior state of each user in the network is performed as follows:
on the basis of the login failure count, password error count, login frequency, sensitive data access count, abnormal file upload count and abnormal file download count in the output user behavior data parameters related to network security, the user behavior data parameters are calculated and analyzed according to a set data model, outputting the user behavior security evaluation coefficient ubs of the network;
a user behavior comparison threshold is set for the user behavior security evaluation coefficient of the network, the user behavior security evaluation coefficient of the network is compared with the preset user behavior comparison threshold, and a user behavior abnormal signal is generated if the user behavior security evaluation coefficient of the network exceeds the user behavior comparison threshold, otherwise a user behavior normal signal is generated.
The beneficial effects of the invention are as follows:
by extracting the key characteristic parameters and calculating their standard deviations, the invention can evaluate the inflow traffic, outflow traffic and connection condition of the network more accurately, which facilitates real-time monitoring of the network state;
by combining the traffic characteristic evaluation index and the connection characteristic evaluation index with set thresholds, abnormal states are judged and marked, so that network anomalies are found in time and handled accordingly, improving network security and response speed;
by measuring the transmission time and delay time repeatedly and averaging them into the transmission characteristic value and delay characteristic value, abnormal transmission connections are detected and evaluated accurately, so that network transmission problems can be found and resolved in time;
by calculating the user behavior security evaluation coefficient and comparing it with the preset user behavior comparison threshold, abnormal user behavior can be identified and marked effectively, improving the comprehensiveness of network security management;
by visually displaying the preprocessed data, the system presents the network traffic and user behavior conditions intuitively and provides comprehensive information and decision support for security administrators, who can formulate and adjust security policies and measures in time according to the output anomaly information;
through comprehensive performance, anomaly detection, data visualization and real-time operation, the system provides comprehensive network security monitoring and analysis, helps administrators find and respond to network security threats in time, and improves the security and reliability of the network.
Drawings
The invention is further described below with reference to the accompanying drawings.
Fig. 1 is a system block diagram of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to Fig. 1, the present invention is a network security detection system based on data visualization, comprising a data acquisition module, a feature data extraction module, a network traffic data detection module, a network traffic security evaluation module, a network user behavior security evaluation module, a display terminal and a database.
The data acquisition module is used for acquiring the various raw data related to network security, where the raw data related to network security comprises log files and user behavior information, and sends the collected information to the feature data extraction module.
The feature data extraction module is used for preprocessing the log files in the collected raw data related to network security, specifically as follows:
the network addresses of the sender and receiver of each data packet are extracted from the log file, giving the source IP address and destination IP address of each data packet, and the captured source and destination IP addresses are converted into a form that can be analyzed, namely numeric form;
it should be noted that converting an IP address into numeric form means converting an IPv4 or IPv6 address into an integer. For an IPv4 address, the address is split into its four decimal octets, each octet is converted to binary, the four binary values are concatenated into one 32-bit binary number, and that 32-bit number is converted into the corresponding decimal integer, completing the numeric conversion of the IPv4 address; for IPv6 addresses, which are much longer, an existing library or tool is typically used for the conversion;
the transport-layer port number of each data packet in the network protocol stack is extracted from the log file, giving the port number of each data packet; port numbers identify different applications and services, and the captured port numbers are converted from categorical data into a numerical representation, namely a binary vector in which exactly one element is 1 and all other elements are 0;
the byte count of each data packet is extracted from the log file, giving the data volume of each data packet, and the data volume of each captured data packet is standardized, namely linearly mapped into the range [0,1], as follows: min-max normalization is applied to each data packet according to the set model x' = (x - min)/(max - min), where x' is the normalized value, x is the original value, min is the minimum of the original values and max is the maximum of the original values, completing the normalization of the data volume of each data packet and ensuring comparability between data packets of different sizes;
the sending time and receiving time of each data packet are extracted from the log file, giving the sending time stamp and receiving time stamp of each data packet for analysis of the time-sequence characteristics of the data packets, and the captured sending and receiving time stamps are converted into readable time as follows: the value corresponding to the unit of the time stamp is first determined, the time stamps are then converted into a date-time format using a function built into the programming language, and the date-time value is then converted into a specific string form, completing the conversion of the sending and receiving time stamps into readable time;
the actual data content carried in each data packet is extracted from the log file, where the carried content consists of the HTTP request count and the file transfer count, giving the payload of each data packet;
the network traffic data parameters related to network security are formed by the source and destination IP addresses in numeric form, the port number in numerical representation, the standardized data volume, the sending and receiving time stamps in readable-time form, and the payload, and are sent to the database for storage.
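The log preprocessing described in the summary and in the paragraphs above (IP addresses to integers, port numbers to a one-hot vector, min-max normalization of packet size, time stamps to readable time, payload as HTTP request count plus file transfer count) is shown below as an added example; it is not code from the patent. The JSON-lines log format, the field names (src, dst, port, bytes, sent_ts, recv_ts, payload), the epoch-seconds unit of the time stamps and the port vocabulary used for the one-hot encoding are all assumptions, and the log lines are constructed, not captured traffic.

```python
"""Preprocess packet log records into the numeric traffic parameters the
text describes. Added example, not the patent's own code; the input format
(one JSON object per line with src, dst, port, bytes, sent_ts, recv_ts and
payload fields, time stamps in epoch seconds) is an assumption."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = """\
{"src": "10.0.0.5", "dst": "192.168.1.10", "port": 443, "bytes": 1500, "sent_ts": 1700000000.000, "recv_ts": 1700000000.020, "payload": {"http_requests": 3, "file_transfers": 0}}
{"src": "10.0.0.7", "dst": "192.168.1.10", "port": 22, "bytes": 200, "sent_ts": 1700000001.000, "recv_ts": 1700000001.005, "payload": {"http_requests": 0, "file_transfers": 1}}
{"src": "2001:db8::1", "dst": "192.168.1.10", "port": 80, "bytes": 900, "sent_ts": 1700000002.000, "recv_ts": 1700000002.050, "payload": {"http_requests": 1, "file_transfers": 0}}
"""

# Port vocabulary for the one-hot ("binary vector with a single 1") encoding.
# Assumption: in practice this would be the set of ports seen in the logs.
PORT_VOCAB = (22, 80, 443)


def ipv4_to_int(addr: str) -> int:
    """Split the dotted address into four octets and pack them into one
    32-bit integer, the by-hand IPv4 conversion the text describes."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def ip_to_int(addr: str) -> int:
    """IPv4 by hand; IPv6 through the standard library, as the text suggests."""
    if ":" in addr:
        return int(ipaddress.IPv6Address(addr))
    return ipv4_to_int(addr)


def one_hot_port(port: int, vocab=PORT_VOCAB) -> list:
    """Categorical port -> binary vector with exactly one element set.
    An unknown port raises instead of silently yielding an all-zero vector."""
    if port not in vocab:
        raise ValueError(f"port {port} not in vocabulary")
    return [1 if p == port else 0 for p in vocab]


def min_max(values: list) -> list:
    """x' = (x - min) / (max - min); a constant series maps to 0.0 rather
    than dividing by zero."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(x - lo) / (hi - lo) for x in values]


def readable_time(ts: float) -> str:
    """Epoch seconds -> UTC ISO 8601 string (unit assumption: seconds)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="milliseconds")


def preprocess(log_text: str) -> list:
    """Turn raw log lines into one record of numeric traffic parameters per packet."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    sizes = min_max([r["bytes"] for r in records])
    out = []
    for r, size in zip(records, sizes):
        out.append({
            "src": ip_to_int(r["src"]),
            "dst": ip_to_int(r["dst"]),
            "port": one_hot_port(r["port"]),
            "size": size,
            "sent": readable_time(r["sent_ts"]),
            "recv": readable_time(r["recv_ts"]),
            # payload = HTTP request count + file transfer count, per the text
            "payload": r["payload"]["http_requests"] + r["payload"]["file_transfers"],
        })
    return out


if __name__ == "__main__":
    for row in preprocess(SAMPLE_LOG):
        print(row)
```

Min-max normalization is computed over the whole batch, so the same packet can map to a different value depending on which other packets are in the batch; a deployment would fix min and max from a baseline window rather than recomputing them per batch.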
The feature data extraction module is also used for preprocessing the user behavior information in the collected raw data related to network security, specifically as follows:
the login and authentication behavior of users is acquired, giving the login failure count, password error count and login frequency of each user in the network, denoted in turn $lo_k$, $pw_k$ and $lf_k$, where k is the number of each user, k = 1, 2, 3, ..., K, and K is the maximum user number and a positive integer;
the data access and operation behavior of users is acquired, and from the users' access, read and write operations and file upload and download behavior toward the system, applications or database, the number of accesses to sensitive data, the number of abnormal file uploads and the number of abnormal file downloads are extracted for each user in the network, denoted in turn $sv_k$, $fu_k$ and $fd_k$;
the user behavior data parameters related to network security are formed by the login failure count, password error count, login frequency, sensitive data access count, abnormal file upload count and abnormal file download count, and are sent to the database for storage.
The network traffic data detection module is used for identifying and analyzing the traffic state of the network on the basis of the output network traffic data parameters related to network security, specifically as follows:
key characteristic parameters are extracted on the basis of the source IP address, destination IP address, port number and data volume in the network traffic data parameters related to network security, where the key characteristics comprise the inflow data volume, the outflow data volume and the number of connections per second;
a monitoring period is set and divided equally into a plurality of monitoring time points, and the standard deviation of each of the three key characteristic parameters extracted at the monitoring time points within the monitoring period is calculated according to the set formulas $\sigma_{1i}=\sqrt{\frac{1}{n_2}\sum_{j=1}^{n_2}\left(lr_{ij}-\mu_{1i}\right)^2}$, $\sigma_{2i}=\sqrt{\frac{1}{n_2}\sum_{j=1}^{n_2}\left(lc_{ij}-\mu_{2i}\right)^2}$ and $\sigma_{3i}=\sqrt{\frac{1}{n_2}\sum_{j=1}^{n_2}\left(lk_{ij}-\mu_{3i}\right)^2}$, giving respectively the inflow traffic feedback value $\sigma_{1i}$, the outflow traffic feedback value $\sigma_{2i}$ and the connection feedback value $\sigma_{3i}$ of the network, where $lr_{ij}$ is the inflow data volume per second of the corresponding data packet at each monitoring time point within the corresponding monitoring period, $lc_{ij}$ is the outflow data volume per second of the corresponding data packet at each monitoring time point within the corresponding monitoring period, $lk_{ij}$ is the number of connections per second of the corresponding data packet at each monitoring time point within the corresponding monitoring period, $\mu_{1i}$ is the mean inflow data volume of the corresponding data packet over the corresponding monitoring period, $\mu_{2i}$ is the mean outflow data volume of the corresponding data packet over the corresponding monitoring period, $\mu_{3i}$ is the mean number of connections of the corresponding data packet over the corresponding monitoring period, $i = 1, 2, 3, \ldots, n_1$, $j = 1, 2, 3, \ldots, n_2$ numbers the monitoring time points into which the corresponding monitoring period is divided, and $n_1$, $n_2$ are positive integers;
the inflow traffic feedback value and the outflow traffic feedback value of the network are then analyzed together according to a set data model, outputting the traffic characteristic evaluation index fcx of the network, where a1 and a2 are normalization factors;
the connection feedback value of the network is analyzed according to a set data model, outputting the connection characteristic evaluation index cax of the network, where a3 is a normalization factor;
the traffic characteristic evaluation index and the connection characteristic evaluation index of the network are output accordingly, and these two items of data are sent to the network traffic security evaluation module.
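The traffic-state analysis described above (per-second inflow volume, outflow volume and connection count at each monitoring time point, then the standard deviation of each series over the monitoring period) is shown below as an added example, together with the threshold comparison that the network traffic security evaluation module applies to the resulting indices; it is not code from the patent. The page does not reproduce the data models that combine the feedback values into fcx and cax, so the example uses a weighted sum with normalization factors a1, a2, a3 as an assumed stand-in; the internal address range used to tell inflow from outflow, the definition of a connection as a distinct (source, destination, port) triple, the one-second spacing of monitoring time points and the packet records themselves are likewise assumptions, and the packets are constructed.

```python
"""Per-second traffic features, their standard deviation over a monitoring
period, and the threshold marking of the traffic and connection state.
Added example, not the patent's own code. Assumptions: the internal prefix,
the (src, dst, port) notion of a connection, one-second monitoring time
points, and the weighted-sum form of fcx and cax."""
import ipaddress
import math

# Assumption: what counts as "inside" the monitored network.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed packet records: (timestamp_s, src, dst, port, bytes).
# Seconds 0-2 are steady; second 3 carries a burst of inbound connections.
PACKETS = [
    (0.1, "203.0.113.9", "10.0.0.5", 443, 1000),
    (0.6, "10.0.0.5", "203.0.113.9", 443, 200),
    (1.2, "203.0.113.9", "10.0.0.5", 443, 1000),
    (1.7, "198.51.100.4", "10.0.0.6", 22, 300),
    (2.3, "203.0.113.9", "10.0.0.5", 443, 1000),
    (2.8, "10.0.0.5", "203.0.113.9", 443, 200),
    (3.0, "198.51.100.4", "10.0.0.6", 80, 2000),
    (3.1, "198.51.100.5", "10.0.0.6", 80, 2000),
    (3.2, "198.51.100.6", "10.0.0.6", 80, 2000),
    (3.3, "198.51.100.7", "10.0.0.6", 80, 2000),
]


def bucket_features(packets, period_start, n2, step=1.0):
    """Split one monitoring period into n2 time points of `step` seconds and
    return the per-point series lr (inflow bytes), lc (outflow bytes) and
    lk (distinct connections). Packets outside the period are ignored."""
    inflow = [0] * n2
    outflow = [0] * n2
    conns = [set() for _ in range(n2)]
    for ts, src, dst, port, size in packets:
        j = int((ts - period_start) // step)
        if not 0 <= j < n2:
            continue
        if ipaddress.ip_address(dst) in INTERNAL:
            inflow[j] += size
        if ipaddress.ip_address(src) in INTERNAL:
            outflow[j] += size
        conns[j].add((src, dst, port))
    return inflow, outflow, [len(c) for c in conns]


def std_dev(series):
    """Population standard deviation over the n2 time points:
    sqrt((1/n2) * sum((x_j - mu)^2))."""
    mu = sum(series) / len(series)
    return math.sqrt(sum((x - mu) ** 2 for x in series) / len(series))


def traffic_indices(packets, period_start, n2, a1=1.0, a2=1.0, a3=1.0):
    """Feedback values sigma1, sigma2, sigma3 and the indices fcx, cax.
    The weighted-sum form of fcx and cax is an assumption."""
    lr, lc, lk = bucket_features(packets, period_start, n2)
    s1, s2, s3 = std_dev(lr), std_dev(lc), std_dev(lk)
    return {
        "sigma1": s1, "sigma2": s2, "sigma3": s3,
        "fcx": a1 * s1 + a2 * s2,
        "cax": a3 * s3,
    }


def classify(fcx, cax, fcx_threshold, cax_threshold):
    """Mark the traffic state and the connection state against the thresholds."""
    traffic = "abnormally high traffic" if fcx > fcx_threshold else "normal traffic"
    conn = "abnormally frequent connections" if cax > cax_threshold else "normal connections"
    return traffic, conn


if __name__ == "__main__":
    res = traffic_indices(PACKETS, period_start=0.0, n2=4)
    print(res)
    print(classify(res["fcx"], res["cax"], fcx_threshold=1000.0, cax_threshold=1.0))
```

The standard deviation measures burstiness within the period rather than absolute volume: a steady high-rate transfer yields a small sigma while a short spike yields a large one, so the thresholds have to be set from a baseline of the same network and the same period length.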
The network traffic security evaluation module is used for analyzing and evaluating the abnormal state of the network on the basis of the received traffic characteristic evaluation index and connection characteristic evaluation index of the network, specifically as follows:
a traffic characteristic threshold is set for the traffic characteristic evaluation index of the network, the traffic characteristic evaluation index of the network is compared with the preset traffic characteristic threshold, and if the traffic characteristic evaluation index exceeds the traffic characteristic threshold the traffic state of the network is marked as an abnormally high traffic state, otherwise as a normal traffic state;
a connection characteristic threshold is set for the connection characteristic evaluation index of the network, the connection characteristic evaluation index of the network is compared with the preset connection characteristic threshold, and if the connection characteristic evaluation index exceeds the connection characteristic threshold the connection state of the network is marked as an abnormally frequent connection state, otherwise as a normal connection state;
on the basis of the output abnormally high traffic state or abnormally frequent connection state, a trace-check instruction is output and a trace-check analysis of the abnormal state of the network is performed, specifically as follows:
on the basis of the sending time stamp and receiving time stamp in the output network traffic data parameters related to network security, the transmission time of each data packet is obtained according to the set data model transmission time = receiving time stamp of the data packet - sending time stamp of the data packet;
the delay time of each data packet is obtained according to delay time = receiving time stamp of the data packet - transmission time of the data packet in the network;
the transmission time and delay time of each data packet are measured repeatedly and the average is taken as the final result; specifically, the number of tests is set to m, giving the transmission time and delay time of each data packet under the m tests, denoted $TOT_i^{\,t}$ and $PDT_i^{\,t}$ for the t-th test, and the averages are calculated according to the formulas $tfv_i=\frac{1}{m}\sum_{t=1}^{m}TOT_i^{\,t}$ and $dev_i=\frac{1}{m}\sum_{t=1}^{m}PDT_i^{\,t}$, giving the transmission characteristic value $tfv_i$ and the delay characteristic value $dev_i$ of each data packet;
according to a set data model, the transmission connection comprehensive evaluation index epe of the network is output, where b1 and b2 are normalization factors;
a transmission connection comprehensive threshold is set for the transmission connection comprehensive evaluation index of the network, the transmission connection comprehensive evaluation index of the network is compared with the preset transmission connection comprehensive threshold, and if the transmission connection comprehensive evaluation index of the network is greater than the transmission connection comprehensive threshold a confirmed abnormal signal is generated, otherwise a misjudged abnormal signal is generated;
the generated confirmed abnormal signal or misjudged abnormal signal is sent to the display terminal for visual presentation.
The network user behavior safety evaluation module is used for analyzing the user behavior states of all users in the network based on the output user behavior data parameters related to network safety; the specific analysis mode is as follows:
Based on the login failure times, password error times, login frequency, sensitive data access times, abnormal file uploading times and abnormal file downloading times in the output user behavior data parameters related to network safety, the user behavior data parameters are calculated and analyzed according to the set data model, thereby outputting a user behavior security assessment coefficient ubs of the network;
Setting a user behavior comparison threshold for the user behavior safety evaluation coefficient of the network and comparing the user behavior safety evaluation coefficient of the network with the preset user behavior comparison threshold; if the user behavior safety evaluation coefficient of the network exceeds the user behavior comparison threshold, a user behavior abnormal signal is generated, otherwise a user behavior normal signal is generated;
The generated user behavior abnormal signal or user behavior normal signal is sent to the display terminal for visual explanation.
The foregoing is merely illustrative of the structures of this invention; those skilled in the art can make various modifications, additions and substitutions to the described embodiments without departing from the scope of the invention as defined in the accompanying claims.

Claims (7)

1. A network security detection system based on data visualization, comprising:
The data acquisition module is used for acquiring various original data related to network safety, wherein the original data related to the network safety comprises a log file and user behavior information, and the collected various types of information is sent to the characteristic data extraction module;
The characteristic data extraction module is used for carrying out data preprocessing on the log files in the collected original data related to the network safety, so as to extract network flow data parameters related to the network safety; the system is also used for preprocessing the data of the user behavior information in the collected original data related to the network safety, so as to extract the user behavior data parameters related to the network safety;
The network flow data detection module is used for identifying and analyzing the flow state of the network safety based on the output network flow data parameters related to the network safety, outputting a flow characteristic evaluation index and a connection characteristic evaluation index of the network according to the flow state, and sending the two items of data to the network flow safety evaluation module;
The network flow safety evaluation module is used for analyzing and evaluating the abnormal state of the network based on the received flow characteristic evaluation index and the connection characteristic evaluation index of the network, generating a positive abnormal signal or a misjudgment abnormal signal according to the analysis and evaluation, and sending the positive abnormal signal or the misjudgment abnormal signal to the display terminal for visual explanation;
The network user behavior safety evaluation module is used for analyzing the user behavior states of all users in the network based on the output user behavior data parameters related to the network safety, generating user behavior abnormal signals or user behavior normal signals according to the user behavior state, and sending the user behavior abnormal signals or the user behavior normal signals to the display terminal for visual explanation.
2. The network security detection system based on data visualization according to claim 1, wherein the data preprocessing is performed on the log file in the collected original data related to network security, and the specific processing manner is as follows:
extracting network addresses of a sender and a receiver of each data packet from the log file, thereby obtaining a source IP address and a target IP address of each data packet, converting the captured source IP address and target IP address of each data packet into a format which can be analyzed, namely converting the source IP address and the target IP address of each data packet into a digital form;
Extracting the port numbers of the transmission layers of the data packets in the network protocol stack from the log file, thereby obtaining the port numbers of the data packets, and converting the port numbers of the captured data packets from type data to numerical characterization;
Extracting the byte number of each data packet from the log file, thereby obtaining the data volume of each data packet, and carrying out standardization processing on the data volume of each captured data packet, namely linearly mapping the data volume of each data packet into the range [0, 1], wherein the specific processing process is as follows: minimum-maximum standardized conversion is performed on each data packet according to the set model x' = (x - min) / (max - min), where x' is the normalized value, x is the original value, min is the minimum of the original values and max is the maximum of the original values, thereby completing the normalization of the data volume of each data packet;
extracting the sending time and the receiving time of each data packet from the log file, thereby obtaining the sending time stamp and the receiving time stamp of each data packet, and converting the captured sending time stamp and the captured receiving time stamp of each data packet into readable time, wherein the specific conversion process is as follows: firstly, corresponding values are determined according to units of the sending time stamp and the receiving time stamp, then the sending time stamp and the receiving time stamp are converted into a date-time format by using a function built in a programming language, and then the date-time format is converted into a specific character string form, so that conversion of readable time of the sending time stamp and the receiving time stamp is completed;
Extracting actual data content carried in each data packet from a log file, wherein the carried actual data content consists of HTTP request quantity and file transmission quantity, thereby obtaining the effective load of each data packet;
The network traffic data parameters related to network security are formed by a source IP address and a target IP address in a numerical form, a port number in a numerical representation form, a standardized data volume, a sending time stamp and a receiving time stamp in a readable time form and a payload.
3. The network security detection system based on data visualization according to claim 1, wherein the data preprocessing is performed on the user behavior information in the collected original data related to network security, and the specific processing manner is as follows:
acquiring the login failure times, password error times and login frequencies of all users in the network by collecting the login and identity verification behaviors of the users, and sequentially marking them as lo_k, pw_k, lf_k, where k is the number of each user, k = 1, 2, 3, ..., K, and K is the maximum value and a positive integer;
Acquiring the data access and operation behaviors of the users, extracting the number of accesses to sensitive data and the number of abnormal file uploads and downloads of each user from the users' access, read and write operations and file upload and download behaviors towards a system, an application program or a database, thereby obtaining the sensitive data access times, abnormal file uploading times and abnormal file downloading times of each user in the network, and sequentially recording them as sv_k, fu_k, fd_k;
The user behavior data parameters related to network security are formed by login failure times, password error times, login frequency and sensitive data access times, abnormal file uploading times and abnormal file downloading times.
4. The network security detection system based on data visualization according to claim 1, wherein the identifying and analyzing the traffic status of the network security is performed by the following specific analysis modes:
Extracting key characteristic parameters based on a source IP address, a target IP address, a port number and a data volume in network traffic data parameters related to network safety, wherein the key characteristic comprises an inflow data volume, an outflow data volume and a connection number per second;
setting a monitoring period and equally dividing it into a plurality of monitoring time points; calculating the standard deviation of each of the three key characteristic parameters extracted at each monitoring time point in the monitoring period according to the set formulas, thereby obtaining an inflow flow feedback value σ1_i, an outflow flow feedback value σ2_i and a connection feedback value σ3_i of the network respectively, where lr_ij is the inflow data amount per second of the corresponding data packet at each monitoring time point in the corresponding monitoring period, lc_ij is the outflow data amount per second of the corresponding data packet at each monitoring time point in the corresponding monitoring period, lk_ij is the connection number per second of the corresponding data packet at each monitoring time point in the corresponding monitoring period, μ1_i is the average value of the inflow data amount of the corresponding data packet in the corresponding monitoring period, μ2_i is the average value of the outflow data amount of the corresponding data packet in the corresponding monitoring period, μ3_i is the average value of the connection number of the corresponding data packet in the corresponding monitoring period, i = 1, 2, 3, ..., n1, j is the number of the monitoring time points into which the corresponding monitoring period is divided, j = 1, 2, 3, ..., n2, and n1 and n2 are positive integers;
Based on the output inflow flow feedback value and outflow flow feedback value of the network, the two items of data are comprehensively analyzed according to the set data model, thereby outputting a flow characteristic evaluation index fcx of the network, where a1 and a2 are normalization factors;
Comprehensive analysis is carried out on the output connection feedback value of the network according to the set data model, thereby outputting a connection characteristic evaluation index cax of the network, where a3 is a normalization factor.
5. The network security detection system based on data visualization according to claim 1, wherein the analysis and evaluation are performed on the abnormal state of the network by the following specific analysis and evaluation modes:
Setting a flow characteristic threshold of the flow characteristic evaluation index of the network according to the output flow characteristic evaluation index of the network, comparing the flow characteristic evaluation index of the network with a preset flow characteristic threshold, and if the flow characteristic evaluation index of the network exceeds the flow characteristic threshold, marking the flow state of the network as an abnormally high flow state, otherwise marking the flow state of the network as a normal flow state;
Setting a connection characteristic threshold of the connection characteristic evaluation index of the network according to the output connection characteristic evaluation index of the network, comparing the connection characteristic evaluation index of the network with a preset connection characteristic threshold, and if the connection characteristic evaluation index of the network exceeds the connection characteristic threshold, marking the connection state of the network as an abnormal frequent connection state, otherwise marking the connection state of the network as a normal connection state;
Based on the outputted abnormal high-flow state or abnormal frequent connection state, a traceable check instruction is outputted, and the abnormal state of the network is subjected to traceable check analysis, so that a positive abnormal signal or a misjudgment abnormal signal is outputted.
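A worked example of the traffic-state pipeline of claims 2, 4 and 5 (numeric IP conversion, min-max normalization, per-second key features, standard-deviation feedback values, evaluation indices and threshold comparison), added here as illustration and not code from the patent. The page does not reproduce the formulas for fcx and cax, so the weighted sums with the factors a1, a2, a3, the 10.0.0.0/24 internal range, the sample packets and the thresholds are assumptions.

```python
import ipaddress
from statistics import pstdev

# Assumption: hosts in this range are the monitored network, so packets addressed
# to them count as inflow and packets sent by them count as outflow.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")


def ip_to_int(addr):
    """Claim 2: convert a source/target IP address into numeric form."""
    return int(ipaddress.ip_address(addr))


def minmax(values):
    """Claim 2: x' = (x - min) / (max - min); a constant column maps to 0."""
    lo, hi = min(values), max(values)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in values]


def key_features(packets, t0, n_points):
    """Claim 4: aggregate packet records (ts, src, dst, port, bytes) into the three
    key characteristic parameters per one-second monitoring time point:
    inflow data volume, outflow data volume, connections per second."""
    inflow = [0] * n_points
    outflow = [0] * n_points
    conns = [set() for _ in range(n_points)]
    for ts, src, dst, port, nbytes in packets:
        j = int(ts - t0)
        if not 0 <= j < n_points:
            continue                      # outside this monitoring period
        if ipaddress.ip_address(dst) in INTERNAL:
            inflow[j] += nbytes
        if ipaddress.ip_address(src) in INTERNAL:
            outflow[j] += nbytes
        conns[j].add((ip_to_int(src), ip_to_int(dst), port))
    return [(inflow[j], outflow[j], len(conns[j])) for j in range(n_points)]


def feedback_values(features):
    """Claim 4: sigma1_i, sigma2_i, sigma3_i are the standard deviations of each
    key feature across the monitoring time points of one period."""
    return tuple(pstdev(col) for col in zip(*features))


def evaluate_period(features, a1, a2, a3, fcx_threshold, cax_threshold):
    """Claims 4 and 5: evaluation indices and threshold comparison.
    Assumption: fcx and cax are weighted sums of the feedback values."""
    s1, s2, s3 = feedback_values(features)
    fcx = a1 * s1 + a2 * s2
    cax = a3 * s3
    flow_state = "abnormal high flow" if fcx > fcx_threshold else "normal flow"
    conn_state = ("abnormal frequent connection" if cax > cax_threshold
                  else "normal connection")
    return fcx, cax, flow_state, conn_state


# Constructed sample: a steady period and a period with a one-second burst of
# inbound traffic from twenty different sources (many connections, high volume).
STEADY = [(100 + j, "203.0.113.5", "10.0.0.7", 443, 1000) for j in range(5)]
BURST = (STEADY[:3]
         + [(103, "203.0.113.%d" % k, "10.0.0.7", 80, 60000) for k in range(1, 21)]
         + [STEADY[4]])

if __name__ == "__main__":
    for name, pkts in (("steady", STEADY), ("burst", BURST)):
        feats = key_features(pkts, t0=100, n_points=5)
        print(name, evaluate_period(feats, 1e-5, 1e-5, 1.0, 1.0, 5.0))
```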
6. The network security detection system based on data visualization according to claim 5, wherein the tracing verification analysis is performed on the abnormal state of the network, and the specific analysis mode is as follows:
Based on the transmission time stamp and the receiving time stamp in the output network flow data parameters related to network safety, according to the set data model: transmission time = receiving time stamp of the data packet - transmission time stamp of the data packet, thereby obtaining the transmission time of each data packet;
delay time = receiving time stamp of the data packet - transmission time of the data packet in the network, thereby obtaining the delay time of each data packet;
The transmission time and the delay time of each data packet are tested multiple times and the average value is taken as the final result. Specifically, the number of tests is set to m, so that the transmission time and the delay time of each data packet under the m tests are obtained and marked as TOT_i^m and PDT_i^m respectively; the transmission time and the delay time of each data packet under the m tests are each averaged according to the set formula, thereby obtaining a transmission characteristic value tfv_i and a delay characteristic value dev_i of each data packet;
According to the set data model, a transmission connection comprehensive evaluation index epe of the network is output, where b1 and b2 are normalization factors;
Setting a transmission connection comprehensive threshold for the transmission connection comprehensive evaluation index of the network and comparing the transmission connection comprehensive evaluation index of the network with the preset transmission connection comprehensive threshold; if the transmission connection comprehensive evaluation index of the network is larger than the connection characteristic threshold, a positive abnormal signal is generated, otherwise a misjudgment abnormal signal is generated.
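The repeat-test averaging and threshold check of claim 6 (and of the matching description above), as an added example that is not the patent's code. Timestamps are integer milliseconds; because the page's delay formula subtracts a duration from a time stamp, delay is taken here as lateness relative to an assumed 20 ms baseline transmission time, the epe combination with b1 and b2 is an assumed weighted sum, and the runs and threshold are constructed.

```python
from statistics import mean

BASELINE_MS = 20   # assumption: expected transmission time of a packet through the network


def transmission_time(send_ts, recv_ts):
    """Claim 6: transmission time = receiving time stamp - transmission time stamp."""
    return recv_ts - send_ts


def delay_time(send_ts, recv_ts, baseline=BASELINE_MS):
    """Assumed reading of the delay formula: how late the packet arrives relative
    to its expected arrival (transmission time stamp + baseline transmission time)."""
    return recv_ts - (send_ts + baseline)


def characteristic_values(runs):
    """runs[t][i] = (send_ts, recv_ts) of packet i in test t, for m tests.
    Returns the per-packet transmission characteristic values tfv_i and delay
    characteristic values dev_i, each averaged over the m tests."""
    m, n = len(runs), len(runs[0])
    tfv = [mean(transmission_time(*runs[t][i]) for t in range(m)) for i in range(n)]
    dev = [mean(delay_time(*runs[t][i]) for t in range(m)) for i in range(n)]
    return tfv, dev


def trace_check(runs, b1, b2, epe_threshold):
    """Claim 6: network-level index epe (assumed: b1 * mean tfv_i + b2 * mean dev_i)
    compared with the transmission connection comprehensive threshold."""
    tfv, dev = characteristic_values(runs)
    epe = b1 * mean(tfv) + b2 * mean(dev)
    signal = "positive abnormal" if epe > epe_threshold else "misjudgment abnormal"
    return epe, signal


# Constructed runs: m = 3 tests of 2 packets each, timestamps in ms. HEALTHY has
# +/-1 ms single-run jitter that the averaging cancels; CONGESTED is consistently slow.
HEALTHY = [
    [(1000, 1021), (1005, 1025)],
    [(2000, 2019), (2005, 2026)],
    [(3000, 3020), (3005, 3024)],
]
CONGESTED = [
    [(1000, 1250), (1005, 1205)],
    [(2000, 2300), (2005, 2255)],
    [(3000, 3350), (3005, 3305)],
]

if __name__ == "__main__":
    for name, runs in (("healthy", HEALTHY), ("congested", CONGESTED)):
        print(name, characteristic_values(runs), trace_check(runs, 1.0, 1.0, 100.0))
```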
7. The network security detection system based on data visualization according to claim 1, wherein the analysis of the user behavior state of each user in the network is performed by:
Based on the login failure times, password error times, login frequency, sensitive data access times, abnormal file uploading times and abnormal file downloading times in the output user behavior data parameters related to network safety, the user behavior data parameters are calculated and analyzed according to the set data model, thereby outputting a user behavior security assessment coefficient ubs of the network;
setting a user behavior comparison threshold for the user behavior safety evaluation coefficient of the network and comparing the user behavior safety evaluation coefficient of the network with the preset user behavior comparison threshold; if the user behavior safety evaluation coefficient of the network exceeds the user behavior comparison threshold, a user behavior abnormal signal is generated, otherwise a user behavior normal signal is generated.
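The user behavior parameters of claim 3 and the coefficient and threshold check of claim 7 (and the matching description above), as an added example and not the patent's code: per-user counts are derived from constructed audit events, login frequency is taken as logins per hour over the observation window, and since the page does not show the ubs formula, the weighted sum, the weights, the event names and the threshold are all assumptions.

```python
from collections import Counter, defaultdict

# The six user behavior data parameters of claim 3, in the order the weights use.
FIELDS = ("login_failure", "password_error", "login_frequency",
          "sensitive_access", "abnormal_upload", "abnormal_download")

# Constructed audit events: (timestamp in hours, user, event type). Event type
# names are assumptions; a deployment would map them from auth and file logs.
EVENTS = (
    [(0.2, "alice", "login"), (0.5, "alice", "sensitive_access")]
    + [(0.1 * n, "bob", "login_failure") for n in range(8)]
    + [(0.1 * n, "bob", "password_error") for n in range(8)]
    + [(1.0, "bob", "login"), (1.2, "bob", "login"), (1.4, "bob", "login")]
    + [(1.5, "bob", "sensitive_access")] * 5
    + [(1.6, "bob", "abnormal_upload")] * 2
    + [(1.7, "bob", "abnormal_download")]
)


def user_behavior_parameters(events, window_hours):
    """Claim 3: per user k, the tuple (lo_k, pw_k, lf_k, sv_k, fu_k, fd_k).
    Assumption: lf_k is successful logins per hour over the observation window."""
    counts = defaultdict(Counter)
    for _ts, user, etype in events:
        counts[user][etype] += 1
    params = {}
    for user, c in counts.items():
        params[user] = (c["login_failure"], c["password_error"],
                        c["login"] / window_hours, c["sensitive_access"],
                        c["abnormal_upload"], c["abnormal_download"])
    return params


def ubs(params, weights):
    """Claim 7: user behavior security assessment coefficient.
    Assumption: a weighted sum of the six parameters (formula not on the page)."""
    return sum(w * p for w, p in zip(weights, params))


def evaluate_users(events, window_hours, weights, threshold):
    """Claim 7: compare each user's coefficient with the comparison threshold."""
    result = {}
    for user, p in user_behavior_parameters(events, window_hours).items():
        score = ubs(p, weights)
        result[user] = (score, "user behavior abnormal" if score > threshold
                        else "user behavior normal")
    return result


WEIGHTS = (1.0, 1.0, 0.5, 1.0, 2.0, 2.0)   # assumed normalization factors

if __name__ == "__main__":
    for user, (score, state) in evaluate_users(EVENTS, 2.0, WEIGHTS, 10.0).items():
        print(user, round(score, 2), state)
```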
CN202311702037.4A 2023-12-12 2023-12-12 Network security detection system based on data visualization Pending CN117997586A (en)

Publications (1)

Publication Number Publication Date
CN117997586A true CN117997586A (en) 2024-05-07

Family

ID=90887870

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311702037.4A Pending CN117997586A (en) 2023-12-12 2023-12-12 Network security detection system based on data visualization

Country Status (1)

Country Link
CN (1) CN117997586A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination