CN118118258A - Network security monitoring and responding system - Google Patents
- Publication number: CN118118258A
- Authority: CN (China)
- Prior art keywords: network, data, monitoring, module, security
- Prior art date
- Legal status: Pending
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1425—Traffic logging, e.g. anomaly detection
        - H04L63/1416—Event detection, e.g. attack signature detection
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/40—Network security protocols
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
  - G06N3/00—Computing arrangements based on biological models
    - G06N3/02—Neural networks
      - G06N3/04—Architecture, e.g. interconnection topology
        - G06N3/0464—Convolutional networks [CNN, ConvNet]
Abstract
The invention relates to the technical field of network security, in particular to a network security monitoring and responding system, which comprises a network flow monitoring module, a threat identification module, an automatic responding module, an environment perception adaptation module and a predictive threat analysis module, wherein the network flow monitoring module is used for monitoring the network flow of a network; network traffic monitoring module: the system is responsible for monitoring and analyzing the data flow passing through the network in real time, and capturing and recording network activity data; threat identification module: identifying potential security threats and abnormal behaviors by applying an identification algorithm using network activity data collected from the network traffic monitoring module; the environment perception adaptation module: dynamically monitoring the change of the network environment; predictive threat analysis module: by analyzing the long-term network activity and the security event data, the potential security threat development trend and mode are identified, and further the future threat is predicted.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a network security monitoring and responding system.
Background
In the current digital age, with the rapid development and wide, deep application of network technology, network security threats are increasing and becoming more complex and covert. From basic malware and virus attacks to highly complex phishing, distributed denial of service (DDoS) attacks and Advanced Persistent Threats (APT), network security faces an ever-evolving series of challenges. These threats may not only lead to the loss or leakage of important data, but may also threaten the security of critical infrastructure.
Traditional network security solutions focus mainly on post-hoc threat identification and response, relying on known threat signatures and behavioral patterns for protection. However, this approach often struggles with new and complex threats. As attacker techniques continue to advance, traditional security mechanisms alone can hardly meet the requirements of modern network security. Furthermore, as network environments continue to change, including the access of new devices and updates to network configurations, network security management becomes more complex and requires more flexible and adaptive security policies.
In this context, there is an urgent need for a new network security monitoring and response system that is not only capable of monitoring and analyzing network activity in real time, identifying potential security threats, but also capable of dynamically adjusting its monitoring and response policies according to changes in the network environment.
Disclosure of Invention
Based on the above objects, the present invention provides a network security monitoring and response system.
The network security monitoring and responding system comprises a network flow monitoring module, a threat identification module, an automatic responding module, an environment perception adaptation module and a predictive threat analysis module, wherein the network flow monitoring module is used for monitoring the network flow of the network;
Network traffic monitoring module: the system is responsible for monitoring and analyzing the data flow passing through the network in real time, and capturing and recording network activity data;
threat identification module: identifying potential security threats and abnormal behaviors by applying an identification algorithm using network activity data collected from the network traffic monitoring module;
automatic response module: according to the recognition result of the threat recognition module, automatically implementing response measures, including isolating threats, blocking malicious communication or automatically repairing vulnerabilities;
the environment perception adaptation module: dynamically monitoring the change of the network environment, including equipment configuration update and network topology change, and further adjusting monitoring parameters and response mechanisms;
predictive threat analysis module: by analyzing the long-term network activity and the security event data, potential security threat development trends and modes are identified, and future threats are predicted.
Further, the network traffic monitoring module includes a data capturing unit, which is responsible for monitoring the data traffic on the network interface in real time, and through being deployed on a key node of the network, including a gateway, a switch or a router, the data capturing unit uses Deep Packet Inspection (DPI) technology to comprehensively scan the passing data packets so as to capture detailed information including a source address, a destination address, a transmission protocol, a port number and the content of the data packets contained in the data stream.
Further, the recognition algorithm in the threat recognition module comprises a convolutional neural network CNN and a random forest, wherein:
the convolutional neural network CNN includes:
convolution layer: used to extract features from the input data; given input data and a convolution kernel (or filter), the output of the convolution operation is calculated by the following formula:
where the terms are, respectively, the value of the input data at a given position, the value of the convolution kernel at the corresponding relative position, and the value of the output feature map at that position;
activation layer: the nonlinear transformation function ReLU is used, with the following calculation formula:
pooling layer: used to reduce the dimensionality of the feature map and the amount of computation; max pooling is adopted for the pooling operation, with the following calculation formula:
where the terms are the pooling window on the input centred at the given position and the output of the pooling operation;
fully connected layer: maps the features output by the convolution, activation and pooling layers to the final classification result; given the weight matrix and bias vector of the fully connected layer, the output of the fully connected layer is calculated by the following formula:
random forest prediction: based on a set of decision trees, each tree gives a prediction for a single data point, and the prediction of the random forest is computed by averaging (regression problem) or majority voting (classification problem):
classification: majority vote of the trees' predictions;
regression: average of the trees' predictions.
Further, the automatic response module specifically includes:
response decision unit: the response decision unit is responsible for analyzing the recognition result transmitted by the threat recognition module, including threat types, severity levels, affected network resources and recommended response measures;
The response executor: according to the instruction of the response decision unit, the response executor is responsible for implementing response measures, including isolating the network segment which is threatened, blocking malicious communication, automatically applying security patches or updating security rules and notifying an administrator of manual intervention;
Response policy library: a series of predefined response policies are stored, each associated with a corresponding type of security threat, and the policy library allows for quick adjustment and updating of the response measures to accommodate the emerging security threats and attack means.
Further, the environment awareness adaptation module specifically includes:
Network environment monitor: collects network environment data in real time, including network topology changes, newly accessed devices, device configuration changes, changes in network traffic patterns and security policy updates;
Parameter adjustment decision engine: receiving real-time data from a network environment monitor, analyzing the real-time data by adopting a predefined algorithm, and identifying monitoring parameters and response mechanisms to be adjusted by a parameter adjustment decision engine according to analysis results so as to adapt to the change of the network environment, wherein the monitoring parameters and the response mechanisms comprise modifying the data capturing rule of a network flow monitoring module, updating a security strategy in a threat identification module or adjusting response measures of an automatic response module;
an adaptive adjustment actuator: specific adjustment operations are performed according to instructions of the parameter adjustment decision engine, including updating configuration settings of the monitoring and response system, dynamically adjusting monitoring thresholds, activating or deactivating specific security rules, and adjusting response priorities and policies.
Further, the predefined algorithm includes a decision tree algorithm, which specifically includes:
selecting the best attribute: the decision tree algorithm selects an optimal attribute from the data set to divide the data, so that the divided sub-data sets become progressively "purer" (i.e. the probability that the data in the same subset belongs to the same category is high); information gain is used as the criterion for selecting the best attribute, and is calculated by the following formula:
where the terms are the entropy of the data set, the set of all possible values of the attribute, the subset of the data set on which the attribute takes a given value, and the entropy of that subset;
segmentation of data: the data set is partitioned into small subsets according to the selected attribute and its values;
recursive construction of the decision tree: the selection of the best attribute and the segmentation of data are repeated for each subset after segmentation until each subset is sufficiently "pure" or a predefined stop condition is reached.
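The three steps above (information-gain attribute selection, splitting, recursion until pure or a stop condition) carried through in pure Python, as an added example that is not part of the patent; the data set of network-environment observations, the attribute names, the "adjust" label and the depth limit are constructed assumptions.

```python
# Added example (not the patent's code): entropy, information gain, best-attribute
# selection and recursive tree construction as described above, applied to a
# constructed data set of network-environment observations. The attribute names,
# the "adjust" label and the depth limit are assumptions.
from collections import Counter
from math import log2
from typing import Dict, List, Union

Row = Dict[str, str]
Tree = Union[str, dict]  # a leaf label or a decision node

# Constructed sample: does an observed environment change require adjusting
# monitoring parameters ("adjust")?
ATTRS = ["topology_change", "new_device", "traffic_mode"]
ROWS: List[Row] = [
    {"topology_change": "yes", "new_device": "no",  "traffic_mode": "steady", "adjust": "yes"},
    {"topology_change": "yes", "new_device": "yes", "traffic_mode": "burst",  "adjust": "yes"},
    {"topology_change": "no",  "new_device": "no",  "traffic_mode": "steady", "adjust": "no"},
    {"topology_change": "no",  "new_device": "yes", "traffic_mode": "steady", "adjust": "no"},
    {"topology_change": "no",  "new_device": "no",  "traffic_mode": "burst",  "adjust": "no"},
    {"topology_change": "yes", "new_device": "no",  "traffic_mode": "burst",  "adjust": "yes"},
    {"topology_change": "no",  "new_device": "no",  "traffic_mode": "steady", "adjust": "no"},
    {"topology_change": "no",  "new_device": "yes", "traffic_mode": "burst",  "adjust": "yes"},
]


def entropy(rows: List[Row], target: str) -> float:
    """Shannon entropy of the target label over the rows (0 for a pure subset)."""
    n = len(rows)
    counts = Counter(r[target] for r in rows)
    return -sum(c / n * log2(c / n) for c in counts.values())


def information_gain(rows: List[Row], attr: str, target: str) -> float:
    """Entropy of the whole set minus the size-weighted entropy of the subsets induced by attr."""
    n = len(rows)
    gain = entropy(rows, target)
    for value in {r[attr] for r in rows}:
        subset = [r for r in rows if r[attr] == value]
        gain -= len(subset) / n * entropy(subset, target)
    return gain


def best_attribute(rows: List[Row], attrs: List[str], target: str) -> str:
    """The attribute with the highest information gain (the first one listed wins a tie)."""
    return max(attrs, key=lambda a: information_gain(rows, a, target))


def build_tree(rows: List[Row], attrs: List[str], target: str, max_depth: int = 4) -> Tree:
    """Recursive construction: split on the best attribute until the subset is pure
    or a stop condition (no attributes left, depth limit) is reached."""
    labels = [r[target] for r in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not attrs or max_depth == 0:
        return majority
    attr = best_attribute(rows, attrs, target)
    node = {"attr": attr, "default": majority, "branches": {}}
    remaining = [a for a in attrs if a != attr]
    for value in sorted({r[attr] for r in rows}):
        subset = [r for r in rows if r[attr] == value]
        node["branches"][value] = build_tree(subset, remaining, target, max_depth - 1)
    return node


def classify(tree: Tree, row: Row) -> str:
    """Walk the tree; an attribute value never seen in training falls back to the node majority."""
    while isinstance(tree, dict):
        branch = tree["branches"].get(row.get(tree["attr"]))
        if branch is None:
            return tree["default"]
        tree = branch
    return tree


if __name__ == "__main__":
    tree = build_tree(ROWS, ATTRS, "adjust")
    print("root split on:", tree["attr"])
    print(classify(tree, {"topology_change": "no", "new_device": "yes", "traffic_mode": "burst"}))
```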
Further, the predictive threat analysis module specifically includes:
Data preprocessing: collecting network activity and security event data, and preprocessing, including data cleaning, normalization and feature extraction;
time series analysis: using an improved autoregressive moving average ARMA model to analyze time dependence and periodic variation of network activity data;
Training and predicting a machine learning model: modeling and predicting the development trend of the security event by using a deep learning network;
trend analysis and pattern recognition: analyzing the output of the machine learning model, identifying potential security threat trends and patterns, including identifying emerging threat types, predicting future attack targets and opportunities, and evaluating potential security risks.
Further, the improved autoregressive moving average ARMA model introduces nonlinear characteristics and an outlier detection mechanism; the formula of the improved ARMA model is as follows:
where the terms are, in order: the network security event (e.g., number of attack attempts) or network traffic indicator at a given time point; the parameters of the autoregressive (AR) part; the parameters of the moving average (MA) part; a nonlinear function modelling the nonlinear characteristics of the network security event data, whose argument includes external intervention variables or outlier indicators; and an error term representing the random disturbance at that time point.
Further, the deep learning network adopts a temporal convolutional network TCN, and the calculation steps include:
causal convolution: ensures that only the current time step and earlier ones are used in prediction, so that no future information is revealed; the calculation formula is as follows:
where the terms are the input sequence, the convolution kernel, the size of the convolution kernel, and the output at the given time step;
dilated convolution: increases the receptive field by increasing the spacing (dilation factor) between the elements of the convolution kernel, which allows the model to capture long-term dependencies; the calculation formula is as follows:
where the dilation factor controls the spacing between input elements;
residual connection: adding the input to the convolution output helps to alleviate the vanishing gradient problem in deep networks and improves the training efficiency and stability of the model; the calculation formula is as follows:
where the terms are the output after adding the residual connection and an activation function, such as ReLU.
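The three TCN steps above (causal convolution, dilation, residual connection) in pure Python on a constructed sequence of hourly attack-attempt counts, as an added example that is not part of the patent; left zero padding, the kernel values, the dilation schedule and the residual form out = ReLU(x + conv(x)) are assumptions. The `leaks_future` check verifies the causality property the text claims: perturbing inputs after time t must not change outputs up to t.

```python
# Added example (not the patent's code): causal convolution, dilated causal
# convolution and a residual block as described above, in pure Python on a
# constructed sequence of hourly attack-attempt counts. Left zero padding, the
# kernel values, the dilation schedule and the residual form
# out = ReLU(x + conv(x)) are assumptions.
from typing import Callable, List

# Constructed input: attack attempts observed per hour, oldest first.
ATTEMPTS: List[float] = [1, 2, 3, 4, 5, 6, 7, 8]


def causal_dilated_conv(x: List[float], k: List[float], dilation: int = 1) -> List[float]:
    """y[t] = sum_i k[i] * x[t - i*dilation]; positions before the start count as 0.

    dilation=1 is the plain causal convolution; larger values skip inputs and
    widen the receptive field without adding kernel weights.
    """
    out = []
    for t in range(len(x)):
        acc = 0.0
        for i, w in enumerate(k):
            idx = t - i * dilation
            if idx >= 0:  # never reads x[t+1:], so no future information leaks
                acc += w * x[idx]
        out.append(acc)
    return out


def relu(v: List[float]) -> List[float]:
    return [max(0.0, a) for a in v]


def residual_block(x: List[float], k: List[float], dilation: int) -> List[float]:
    """Input added to the convolution output, followed by ReLU."""
    conv = causal_dilated_conv(x, k, dilation)
    return relu([xi + ci for xi, ci in zip(x, conv)])


def tcn(x: List[float], k: List[float], dilations: List[int]) -> List[float]:
    """Stack of residual blocks with increasing dilation (e.g. 1, 2, 4)."""
    for d in dilations:
        x = residual_block(x, k, d)
    return x


def receptive_field(kernel_size: int, dilations: List[int]) -> int:
    """Number of past steps (including the current one) that can influence y[t]."""
    return 1 + sum((kernel_size - 1) * d for d in dilations)


def leaks_future(fn: Callable[[List[float]], List[float]], x: List[float], t: int) -> bool:
    """True if changing inputs after time t changes any output at or before t."""
    base = fn(x)
    perturbed = x[: t + 1] + [v + 1000.0 for v in x[t + 1:]]
    return fn(perturbed)[: t + 1] != base[: t + 1]


if __name__ == "__main__":
    k = [0.5, 0.5]  # two-tap kernel: average of the current and an earlier value
    print(causal_dilated_conv(ATTEMPTS, k, 1))
    print(causal_dilated_conv(ATTEMPTS, k, 2))
    print(tcn(ATTEMPTS, k, [1, 2, 4]))
    print("receptive field:", receptive_field(len(k), [1, 2, 4]))
    print("leaks future:", leaks_future(lambda s: tcn(s, k, [1, 2, 4]), ATTEMPTS, 3))
```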
Further, a user interface module is included that provides an intuitive graphical interface allowing an administrator to configure monitoring parameters, view real-time alarms and analysis reports, and manually adjust responsive measures.
The invention has the beneficial effects that:
According to the invention, long-term network activity and security event data can be effectively analyzed through the temporal convolutional network TCN, and through this analysis potential security threat development trends and patterns can be identified, so that possible future threats can be predicted accurately. This prediction capability not only improves the response speed to novel and complex threats, but also enables security response measures to be deployed in a more timely manner, greatly reducing potential security risks and losses.
The invention can dynamically monitor the change of network environment, such as network topology, equipment access, configuration update and the like, and automatically adjust monitoring parameters and response mechanisms through the environment perception adaptation module, and the self-adaptation capability ensures that the invention can still keep high-efficiency and effective operation in the dynamically changed network environment. The decision tree algorithm used by the self-adaptive module further enhances the flexibility of the system, so that the system can quickly make adjustment according to the real-time change of the network environment, and the security policy is ensured to be in an optimal state all the time.
According to the invention, a series of predefined response measures, from threat isolation to the blocking of malicious communication, can be executed automatically on the basis of the recognition result of the threat recognition module, significantly reducing dependence on manual intervention. In addition, through continuous learning and optimization of the machine learning model, the system can continuously improve the accuracy of threat prediction and the effectiveness and efficiency of the response measures. This highly automated security monitoring and response mechanism not only improves network security defense capability, but also frees up the resources of network administrators, so that they can concentrate on advanced tasks such as strategy formulation and system optimization.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only of the invention and that other drawings can be obtained from them without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a system functional module according to an embodiment of the present invention.
Detailed Description
The present invention will be further described in detail with reference to specific embodiments in order to make the objects, technical solutions and advantages of the present invention more apparent.
It is to be noted that unless otherwise defined, technical or scientific terms used herein should be taken in a general sense as understood by one of ordinary skill in the art to which the present invention belongs. The terms "first," "second," and the like, as used herein, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
As shown in fig. 1, the network security monitoring and response system comprises a network traffic monitoring module, a threat identification module, an automatic response module, an environment perception adaptation module and a predictive threat analysis module, wherein:
Network traffic monitoring module: the system is responsible for monitoring and analyzing the data flow passing through the network in real time, and capturing and recording network activity data;
threat identification module: identifying potential security threats and abnormal behaviors by applying an identification algorithm using network activity data collected from the network traffic monitoring module;
automatic response module: according to the recognition result of the threat recognition module, automatically implementing response measures, including isolating threats, blocking malicious communication or automatically repairing vulnerabilities, wherein the automatic response module ensures that the system can rapidly alleviate potential safety risks and reduce dependence on manual intervention;
The environment perception adaptation module: dynamically monitoring the change of the network environment, including equipment configuration update and network topology change, further adjusting monitoring parameters and response mechanisms, and ensuring that the system keeps effective and efficient running in the dynamically changed network environment by an environment sensing adaptation module;
predictive threat analysis module: by analyzing the long-term network activity and the security event data, the potential security threat development trend and mode are identified, future threats are predicted, and the predictive threat analysis module helps the system to prepare and strengthen defense measures in advance, so that the influence of the future security events is reduced.
The network traffic monitoring module comprises a data capturing unit, wherein the data capturing unit is responsible for monitoring data traffic on a network interface in real time, and is deployed on a key node of a network, including a gateway, a switch or a router, and the data capturing unit comprehensively scans the passed data packets by utilizing a Deep Packet Inspection (DPI) technology so as to capture detailed information contained in the data stream, including a source address, a destination address, a transmission protocol, a port number and data packet content, and can also process encrypted traffic, and ensure the visibility and monitoring capability of the encrypted data by negotiating with the existing encryption protocol or decrypting by using a key management system.
The recognition algorithm in the threat recognition module comprises a convolutional neural network CNN and a random forest, wherein:
the convolutional neural network CNN includes:
convolution layer: used to extract features from the input data; given input data and a convolution kernel (or filter), the output of the convolution operation is calculated by the following formula:
where the terms are, respectively, the value of the input data at a given position, the value of the convolution kernel at the corresponding relative position, and the value of the output feature map at that position;
activation layer: the nonlinear transformation function ReLU is used, with the following calculation formula:
pooling layer: used to reduce the dimensionality of the feature map and the amount of computation; max pooling is adopted for the pooling operation, with the following calculation formula:
where the terms are the pooling window on the input centred at the given position and the output of the pooling operation;
fully connected layer: maps the features output by the convolution, activation and pooling layers to the final classification result; given the weight matrix and bias vector of the fully connected layer, the output of the fully connected layer is calculated by the following formula:
In a network security monitoring and response system, CNNs may be used to identify security threats, such as malware signatures, abnormal network traffic patterns, and the like. The input data may be a representation of the characteristics of the data stream captured from the network traffic monitoring module, for example, encoding the network traffic into images or vectors containing information about the size of the data packets, time intervals, protocol type, etc.
The convolution layer is responsible for extracting valuable features from these inputs, such as specific traffic patterns or packet distributions, which may be indicative of malicious behavior. Through multi-layer convolution and pooling operations, CNNs can learn a feature hierarchy from simple to complex, ultimately mapping these features through the fully connected layers onto the classification of security threats.
For example, for a particular type of network attack, the CNN may identify a unique traffic pattern associated with the attack, even if an attacker attempts to avoid detection using slightly varying techniques. Through training, the CNN model can improve the recognition capability of novel and complex threats, thereby providing strong support for a network security monitoring and response system.
The convolutional neural network CNN is applied to the present invention, and the parameters are defined as follows:
Convolutional layer parameter definition:
Input data: a digital representation of the data stream captured from the network traffic monitoring module, which may be converted into a one-dimensional or two-dimensional array based on time-series network traffic characteristics (e.g., packet size, inter-packet arrival time, etc.);
Convolution kernel (or filter): a filter parameter used to extract network traffic characteristics; each convolution kernel focuses on a particular pattern in the captured data, such as the traffic characteristics of a particular protocol or an abnormal packet distribution;
Output feature map: the result of the convolution operation, representing the intensity or activation level of the feature identified by the convolution kernel in the input data;
Activation layer parameter definition:
Input: the value of each pixel output by the convolution layer, representing the activation intensity of a certain characteristic of the network traffic data;
ReLU function: increases the nonlinear capability of the network, allowing the model to learn more complex security threat identification patterns; for the activation value of a network traffic feature, if positive it remains unchanged, indicating the importance of the feature in identifying security threats, and if negative it is set to 0, indicating that the feature is not important or not activated;
Pooling layer parameter definition:
Input: the output feature map after the activation layer, containing the network traffic features after nonlinear transformation;
Pooling window: a window that moves over the input feature map, used to reduce the dimensionality of the feature map while retaining important information;
Output: the result of the pooling operation, representing the compressed feature information; it reduces the number of parameters and the amount of computation of the model while preserving the key features;
Fully connected layer parameter definition:
Weight matrix: the weights of the fully connected layer, used to map the features output by the pooling layer to the final classification result; in a network security monitoring and response system, this means converting the network traffic features into the predicted probability of a specific security threat;
Bias vector: the bias term of the fully connected layer, used to adjust the output activation value of each node;
Output: the final output of the fully connected layer, expressed as a classification result for the security threat, such as normal traffic, DDoS attack, malware transmission, etc.
Random forests are an ensemble learning method made up of multiple decision trees. Each tree independently classifies or regresses the samples, and the final output is the average or the majority vote of all tree predictions. The random forest prediction is based on a set of decision trees; each tree produces its own prediction for a single data point, and the prediction of the forest is obtained by averaging (regression problem) or majority voting (classification problem):
Classification: the class receiving the majority of the trees' votes;
Regression: the mean of the trees' predicted values.
Random forests are then used to analyze the features collected from the network traffic monitoring module, such as IP address, port number, transport protocol type, and traffic size and frequency, to identify abnormal behavior and potential security risks. Random forests provide a robust way to evaluate whether network activity is normal or not through their multi-tree structure, maintaining high accuracy even in cases of highly non-linear and complex interactions of data features.
The automatic response module specifically comprises:
And a response decision unit: the response decision unit is responsible for analyzing the recognition result transmitted by the threat recognition module, including threat types, severity levels, affected network resources and recommended response measures;
The response executor: according to the instructions of the response decision unit, the response executor is responsible for implementing the response measures, including isolating the threatened network segment, blocking malicious communication, automatically applying security patches or updating security rules, and notifying an administrator for manual intervention;
Response policy library: storing a series of predefined response policies, each associated with a corresponding type of security threat, the policy library allowing quick adjustment and updating of the response measures to accommodate emerging security threats and attack means;
the response policy library specifically comprises:
Blocking malicious communication:
Applicable threats: distributed denial of service (DDoS) attacks, botnet communications, malware communications.
Policy description: network firewall or intrusion prevention system (IPS) rules are automatically configured to block traffic from known malicious IP addresses or data packets containing malware signatures.
Quarantining infected systems:
Applicable threats: malware infection, ransomware attack.
Policy description: a system on which malware activity is detected is automatically isolated from the network, preventing further spread of the malware or data leakage.
Automatically applying a security patch:
Applicable threats: exploitation of software vulnerabilities.
Policy description: when an attack attempt against a known software vulnerability is found, a security patch is automatically deployed or the configuration of the affected system is updated to fix the vulnerability.
Limiting access rights:
Applicable threats: unauthorized access, internal threat.
Policy description: for detected unauthorized access attempts or abnormal user behavior, Access Control Lists (ACLs) or user permissions are automatically adjusted to limit access to sensitive resources.
Strengthening identity verification:
Applicable threats: identity theft and session hijacking.
Policy description: when a possible identity authentication attack is detected, secondary authentication is automatically required or the affected account is temporarily locked, increasing the difficulty for an attacker to successfully steal an identity.
System and data backup:
Applicable threats: ransomware attack and data destruction.
Policy description: when signs of encrypted or destroyed data are found, a backup process for the system and its data is automatically triggered to reduce the risk of data loss.
Generating security alarms and notifications:
Applicable threats: all types of security threats.
Policy description: for all detected security threats, detailed security alarms are automatically generated and the network administrator and security analyst are notified by e-mail, text message, system notification or similar means.
The design of the response policy library aims to provide a flexible, automated security response capability for the network security monitoring and response system. By predefining policies for various security threats, the system is able to quickly take measures to mitigate or prevent the effects of security events while maintaining normal operation of the network. The automatic response mechanism greatly improves the efficiency and effect of network security defense and reduces the dependence on manual intervention.
In a network security monitoring and response system, an automatic response module is a key component of a system defense strategy that ensures that the system is able to quickly and effectively fight against security threats. For example, when the threat identification module identifies a distributed denial of service (DDoS) attack, it passes this information and its details to the automated response module. The response decision unit analyzes the information and selects the most appropriate response measure, such as automatically adjusting firewall rules to block attack traffic while maintaining access to normal traffic. The response executor then performs these measures and continuously monitors its effect, making adjustments as necessary to ensure network security.
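The response decision unit and policy library described above, as an added example that is not part of the patent: the seven predefined policies are encoded as a table keyed by threat type, the "all types" alert policy acts as a catch-all, and (an assumption of this example, not stated in the patent) measures that change the production network are only automated above a severity threshold and otherwise go to manual review. Threat-type labels and the severity scale are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence

# Empty applicability set means "policy applies to every threat type".
ALL_THREATS: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Policy:
    name: str
    applicable_threats: FrozenSet[str]
    description: str


@dataclass(frozen=True)
class ThreatReport:
    """Recognition result handed over by the threat identification module."""
    threat_type: str
    severity: int               # assumed scale: 1 (low) .. 5 (critical)
    affected_resources: tuple


@dataclass
class ResponsePlan:
    automatic: List[str]        # policies the response executor applies directly
    manual_review: List[str]    # policies held back for administrator confirmation


# The seven predefined policies of the response policy library (threat labels constructed).
POLICY_LIBRARY: List[Policy] = [
    Policy("block_malicious_communication",
           frozenset({"ddos", "botnet_communication", "malware_communication"}),
           "configure firewall / IPS rules against known malicious sources"),
    Policy("quarantine_infected_system", frozenset({"malware_infection", "ransomware"}),
           "isolate the affected system from the network"),
    Policy("apply_security_patch", frozenset({"vulnerability_exploitation"}),
           "deploy patch or update configuration of the affected system"),
    Policy("limit_access_rights", frozenset({"unauthorized_access", "insider_threat"}),
           "tighten ACLs / user permissions on sensitive resources"),
    Policy("strengthen_authentication", frozenset({"identity_theft", "session_hijacking"}),
           "require a second factor or temporarily lock the account"),
    Policy("backup_system_and_data", frozenset({"ransomware", "data_destruction"}),
           "trigger a system and data backup"),
    Policy("generate_alert", ALL_THREATS,
           "alert administrators and analysts by e-mail / SMS / system notification"),
]

# Assumption of this example: these measures disrupt the network and are only
# automated when the reported severity reaches the threshold.
DISRUPTIVE = frozenset({"quarantine_infected_system", "apply_security_patch",
                        "limit_access_rights"})


def select_policies(report: ThreatReport, library: Sequence[Policy],
                    auto_threshold: int = 3) -> ResponsePlan:
    """Response decision unit: pick every applicable policy, in library order."""
    plan = ResponsePlan(automatic=[], manual_review=[])
    for policy in library:
        applies = (policy.applicable_threats == ALL_THREATS
                   or report.threat_type in policy.applicable_threats)
        if not applies:
            continue
        if policy.name in DISRUPTIVE and report.severity < auto_threshold:
            plan.manual_review.append(policy.name)
        else:
            plan.automatic.append(policy.name)
    return plan


def register_threat(library: Sequence[Policy], policy_name: str,
                    threat_type: str) -> List[Policy]:
    """Return a new library in which `policy_name` also covers `threat_type`:
    the quick adjustment for emerging threats the policy library is meant to allow."""
    updated = []
    for policy in library:
        if policy.name == policy_name and policy.applicable_threats != ALL_THREATS:
            policy = Policy(policy.name, policy.applicable_threats | {threat_type},
                            policy.description)
        updated.append(policy)
    return updated


if __name__ == "__main__":
    # Constructed report: DDoS at severity 4 against an edge gateway.
    print(select_policies(ThreatReport("ddos", 4, ("edge-gw-1",)), POLICY_LIBRARY))
```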
The environment perception adaptation module specifically comprises:
Network environment monitor: the network environment monitor uses various network scanning and data collection techniques to maintain a comprehensive real-time view of the network environment, including network topology changes, newly accessed devices, device configuration changes, network traffic pattern changes, and security policy updates;
Parameter adjustment decision engine: receives real-time data from the network environment monitor and analyzes it with a predefined algorithm. Based on the analysis results, the parameter adjustment decision engine identifies the monitoring parameters and response mechanisms that need adjusting in order to adapt to changes in the network environment; these include modifying the data capture rules of the network traffic monitoring module, updating the security strategy in the threat identification module, or adjusting the response measures of the automatic response module;
An adaptive adjustment actuator: according to the instruction of the parameter adjustment decision engine, specific adjustment operations are executed, including updating configuration settings of the monitoring and response system, dynamically adjusting monitoring thresholds, activating or disabling specific security rules, and adjusting response priorities and policies;
In a network security monitoring and response system, an environment-aware adaptation module is a key to ensure that the system can adapt to network environment changes and maintain efficient operation. For example, when a network environment monitor detects a significant change in newly accessed devices or network topology, the parameter adjustment decision engine may decide to adjust the capture rules of the network traffic monitoring module to ensure that the new network structure and devices are effectively monitored. At the same time, if a new or changed network traffic pattern is detected, the engine may update the behavior analysis algorithm in the threat identification module to better identify potential security threats.
The predefined algorithm comprises a decision tree algorithm, which specifically comprises:
Selecting the best attribute: the decision tree algorithm selects an optimal attribute from the data set to divide the data, so that the resulting subsets tend increasingly towards 'purity' (i.e. a high probability that the data in one subset belongs to the same category). Information gain is adopted as the criterion for selecting the optimal attribute, and is calculated as follows:
where the formula uses the entropy of the dataset, the set of all possible values of the attribute and, for each such value, the entropy of the data subset in which the attribute takes that value;
segmentation data: partitioning the data set into small subsets according to the selected attributes and their values;
Recursively constructing a decision tree: repeatedly selecting the optimal attribute and the segmentation data for each small subset after segmentation until each subset is sufficiently pure or reaches a predefined stop condition;
In the context aware adaptation module of the present invention, the decision tree algorithm may analyze a variety of real-time data including network topology changes, new device accesses, configuration changes, etc. For example, if the decision tree analysis finds a sudden increase in the number of newly accessed devices, which may indicate that the network is expanding or that there are unauthorized devices accessing, the output of the decision tree will recommend an increase in the strength of monitoring of the newly accessed devices.
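Information-gain attribute selection and recursive tree construction over network-environment observations, as an added example that is not part of the patent. The dataset is constructed: each record is a snapshot of the environment monitor's signals (new-device rate, topology change, configuration change) labelled with the adjustment decision the engine took; the attribute names and labels are this example's assumptions.

```python
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple, Union

Record = Dict[str, str]
LABEL = "action"
ATTRIBUTES: Tuple[str, ...] = ("new_devices", "topology_change", "config_change")


def _rec(nd: str, topo: str, cfg: str, action: str) -> Record:
    return {"new_devices": nd, "topology_change": topo, "config_change": cfg, LABEL: action}


# Constructed training snapshots (11 records, 5 "increase_monitoring" / 6 "keep").
RECORDS: List[Record] = [
    _rec("high", "yes", "yes", "increase_monitoring"),
    _rec("high", "yes", "no", "increase_monitoring"),
    _rec("high", "no", "yes", "increase_monitoring"),
    _rec("high", "no", "no", "increase_monitoring"),
    _rec("low", "yes", "yes", "increase_monitoring"),
    _rec("low", "yes", "no", "keep"),
    _rec("low", "no", "yes", "keep"),
    _rec("low", "no", "no", "keep"),
    _rec("low", "no", "no", "keep"),
    _rec("low", "no", "yes", "keep"),
    _rec("low", "no", "no", "keep"),
]

Tree = Union[str, Dict]   # a leaf is a label string; a node is a dict


def entropy(records: Sequence[Record]) -> float:
    """H(D) = -sum_c p(c) log2 p(c) over the label distribution of D."""
    n = len(records)
    counts = Counter(r[LABEL] for r in records)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def information_gain(records: Sequence[Record], attribute: str) -> float:
    """IG(D, A) = H(D) - sum_v |D_v|/|D| * H(D_v), D_v = records where A == v."""
    n = len(records)
    remainder = 0.0
    for value in {r[attribute] for r in records}:
        subset = [r for r in records if r[attribute] == value]
        remainder += len(subset) / n * entropy(subset)
    return entropy(records) - remainder


def best_attribute(records: Sequence[Record], attributes: Sequence[str]) -> str:
    return max(attributes, key=lambda a: information_gain(records, a))


def build_tree(records: Sequence[Record], attributes: Sequence[str]) -> Tree:
    """Recursively split on the best attribute until a subset is pure, no attribute
    remains, or no attribute yields any gain (the predefined stop conditions)."""
    labels = Counter(r[LABEL] for r in records)
    majority = labels.most_common(1)[0][0]
    if len(labels) == 1 or not attributes:
        return majority
    attr = best_attribute(records, attributes)
    if information_gain(records, attr) <= 0.0:
        return majority
    remaining = tuple(a for a in attributes if a != attr)
    node: Dict = {"attribute": attr, "default": majority, "branches": {}}
    for value in sorted({r[attr] for r in records}):
        subset = [r for r in records if r[attr] == value]
        node["branches"][value] = build_tree(subset, remaining)
    return node


def predict(tree: Tree, sample: Dict[str, str]) -> str:
    """Walk the tree; an unseen attribute value falls back to the node's majority label."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(sample.get(tree["attribute"]), tree["default"])
    return tree


if __name__ == "__main__":
    for a in ATTRIBUTES:
        print(f"IG({a}) = {information_gain(RECORDS, a):.4f}")
    model = build_tree(RECORDS, ATTRIBUTES)
    print(predict(model, {"new_devices": "low", "topology_change": "yes", "config_change": "yes"}))
```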
The predictive threat analysis module specifically includes:
Data preprocessing: collecting network activity and security event data, and preprocessing, including data cleaning, normalization and feature extraction;
time series analysis: using an improved autoregressive moving average ARMA model to analyze time dependence and periodic variation of network activity data;
Training and predicting a machine learning model: modeling and predicting the development trend of the security event by using a deep learning network, wherein model training is based on the characteristics extracted from the data preprocessing stage, and historical security event data is used as a training set;
Trend analysis and pattern recognition: analyzing the output of the machine learning model, identifying potential security threat trends and patterns, including identifying emerging threat types, predicting future likely attack targets and opportunities, and evaluating potential security risks;
In this way, the predictive threat analysis module provides a forward-looking perspective for the network security monitoring and response system, enabling the system not only to cope with current security threats but also to predict and prepare for threats that may occur in the future.
The improved autoregressive moving average ARMA model introduces nonlinear characteristics and an outlier detection mechanism, and the improved ARMA model formula is as follows:
where the modelled quantity is the network security event (e.g., number of attack attempts) or network traffic indicator at a time point, the autoregressive (AR) part has its own parameters, the moving average (MA) part has its own parameters, a nonlinear function models the nonlinear characteristics of the network security event data and takes as input external intervention variables or outlier indicators, and an error term represents the random disturbance at the time point;
In a network security monitoring and response system, the improved ARMA model may be used to analyze historical network activity and security event data to identify potential security threat trends and patterns. For example, by analyzing past intrusion attempt data, the model may help predict future attack patterns or traffic anomalies that may occur.
Nonlinear feature processing: since network security event data may exhibit significant non-linear trends (e.g., attack activity increases dramatically after a particular event), introducing a non-linear function allows the model to capture these characteristics more accurately.
Abnormal value detection: by adding external intervention variables (such as outlier indicators based on previously detected attack event markers) to the model, sudden changes in the data can be effectively handled, improving the predictive power of the model for future anomalies.
The improved ARMA model provides a more flexible and accurate method for analyzing network security monitoring data, identifying potential threats and predicting future security trends, thereby providing scientific basis for network security management and response decisions.
The deep learning network adopts a temporal convolutional network (TCN), which processes time series data through a series of one-dimensional convolution layers. Each layer has a receptive field, allowing the model to capture long-term dependencies. The calculation steps comprise:
Causal convolution: ensures that only information from the current and earlier time steps is used in prediction, so that no future information leaks in; the calculation formula is as follows:
where the formula uses the input sequence, the convolution kernel and the size of the convolution kernel, and yields the output at the current time;
Dilated convolution: increases the receptive field by increasing the spacing (dilation factor) between the elements of the convolution kernel, allowing the model to capture long-term dependencies; the calculation formula is as follows:
where the additional factor is the dilation factor that controls the spacing between input elements;
Residual connection: helps to alleviate the vanishing-gradient problem in deep networks and improves the training efficiency and stability of the model by adding the input to the convolution output; the calculation formula is as follows:
where the result is the output after adding the residual connection, and the function applied is an activation function, such as ReLU;
In the network security monitoring and response system, the TCN may be used to analyze historical network security events and traffic data and to learn to identify potential security threat trends and patterns. Through analysis of the historical data, the TCN model can predict future security events that may occur, such as abnormal traffic growth or the point in time at which an attack is initiated.
For example, the system may use the TCN to analyze past Intrusion Detection System (IDS) alarms and network traffic logs and learn the time series pattern associated with a particular type of attack. These patterns may include traffic anomalies before an attack, increased alarm frequency over a particular period of time, etc. Based on the learned patterns, the TCN model can predict the development trend of future security threats and provide a basis for deploying defensive measures in advance.
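The three TCN calculation steps above (causal convolution, dilated convolution, residual connection) in plain Python, as an added example that is not part of the patent, together with the check a practitioner wants before trusting such a predictor: that an output at time t really does not depend on any input after t. The weights and the hourly IDS-alert-count series are constructed; a centered (non-causal) convolution is included only so the leakage check has something to catch.

```python
from typing import Callable, List, Sequence


def causal_dilated_conv(x: Sequence[float], w: Sequence[float], dilation: int = 1) -> List[float]:
    """y_t = sum_k w_k * x_{t - dilation*k}, k = 0..K-1.
    Indices before the start of the sequence read as 0 (left zero-padding), so y_t
    only sees the current and earlier inputs. dilation=1 is the plain causal convolution."""
    if dilation < 1:
        raise ValueError("dilation must be >= 1")
    out: List[float] = []
    for t in range(len(x)):
        acc = 0.0
        for k, wk in enumerate(w):
            idx = t - dilation * k
            if idx >= 0:
                acc += wk * x[idx]
        out.append(acc)
    return out


def centered_conv(x: Sequence[float], w: Sequence[float]) -> List[float]:
    """Ordinary (non-causal) convolution centred on t; used here only to show what
    the leakage check detects."""
    half = len(w) // 2
    out: List[float] = []
    for t in range(len(x)):
        acc = 0.0
        for k, wk in enumerate(w):
            idx = t + k - half
            if 0 <= idx < len(x):
                acc += wk * x[idx]
        out.append(acc)
    return out


def relu(v: float) -> float:
    return v if v > 0.0 else 0.0


def residual_block(x: Sequence[float], w: Sequence[float], dilation: int = 1,
                   activation: Callable[[float], float] = relu) -> List[float]:
    """out_t = activation(x_t + conv_t): the input is added to the convolution output."""
    conv = causal_dilated_conv(x, w, dilation)
    return [activation(xi + ci) for xi, ci in zip(x, conv)]


def tcn_forward(x: Sequence[float], layers: Sequence[tuple]) -> List[float]:
    """Stack of residual blocks; `layers` is a list of (kernel, dilation) pairs."""
    h = list(x)
    for w, d in layers:
        h = residual_block(h, w, d)
    return h


def receptive_field(kernel_size: int, dilations: Sequence[int]) -> int:
    """Number of time steps (current one included) visible at the output of a stack
    of causal dilated layers: 1 + sum_l (K - 1) * d_l."""
    return 1 + sum((kernel_size - 1) * d for d in dilations)


def depends_on_future(model: Callable[[Sequence[float]], List[float]],
                      x: Sequence[float], t: int, delta: float = 1000.0) -> bool:
    """Leakage check: perturb each input strictly after t and see whether output t moves."""
    base = model(x)[t]
    for s in range(t + 1, len(x)):
        perturbed = list(x)
        perturbed[s] += delta
        if abs(model(perturbed)[t] - base) > 1e-9:
            return True
    return False


if __name__ == "__main__":
    # Constructed hourly IDS alert counts and a constructed 3-tap kernel.
    alerts = [1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0]
    kernel = [0.5, 0.25, 0.25]
    stack = [(kernel, 1), (kernel, 2), (kernel, 4)]
    print("receptive field:", receptive_field(3, [1, 2, 4]))
    print("causal TCN leaks future:", depends_on_future(lambda s: tcn_forward(s, stack), alerts, 3))
    print("centered conv leaks future:", depends_on_future(lambda s: centered_conv(s, kernel), alerts, 3))
```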
The system also comprises a user interface module, wherein the user interface module provides an intuitive graphical interface, allows an administrator to configure monitoring parameters, view real-time alarms and analysis reports, and manually adjust response measures.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the invention is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the invention, the steps may be implemented in any order and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
The present invention is intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement, etc. of the present invention should be included in the scope of the present invention.
Claims (10)
1. The network security monitoring and responding system is characterized by comprising a network flow monitoring module, a threat identification module, an automatic responding module, an environment perception adaptation module and a predictive threat analysis module, wherein the network flow monitoring module is used for monitoring the network flow;
Network traffic monitoring module: the system is responsible for monitoring and analyzing the data flow passing through the network in real time, and capturing and recording network activity data;
threat identification module: identifying potential security threats and abnormal behaviors by applying an identification algorithm using network activity data collected from the network traffic monitoring module;
And an automatic response module: according to the recognition result of the threat recognition module, automatically implementing response measures, including isolating threats, blocking malicious communication or automatically repairing vulnerabilities;
the environment perception adaptation module: dynamically monitoring the change of the network environment, including equipment configuration update and network topology change, and further adjusting monitoring parameters and response mechanisms;
predictive threat analysis module: by analyzing the long-term network activity and the security event data, potential security threat development trends and modes are identified, and future threats are predicted.
2. The network security monitoring and response system of claim 1, wherein the network traffic monitoring module comprises a data capturing unit, the data capturing unit is responsible for monitoring data traffic on the network interface in real time, and through being deployed on key nodes of the network, including gateways, switches or routers, the data capturing unit uses deep packet inspection technology to comprehensively scan the passing data packets to capture detailed information contained in the data stream, including source address, destination address, transmission protocol, port number and data packet content.
3. The network security monitoring and response system of claim 2, wherein the recognition algorithm in the threat recognition module comprises a convolutional neural network CNN and a random forest, wherein:
the convolutional neural network CNN includes:
convolution layer: for extracting features of input data, given an input data And a convolution kernel/>Output of convolution operation/>The calculation formula of (2) is as follows:
Wherein/> Is the input data at location/>Value of/>Is the relative position/>, of the convolution kernelValue of/>Is the output feature map at position/>Is a value of (2);
An activation layer: the nonlinear conversion function ReLU is adopted, and the calculation formula is as follows: ;
pooling layer: the method is used for reducing the dimension of the feature map, reducing the calculated amount, adopting the maximum pooling in the pooling operation, and adopting the calculation formula:
Wherein/> Is at input/>Above/>Is a central pooled window,/>Is the output of the pooling operation;
Full tie layer: mapping the output characteristics of the convolution layer, the activation layer and the pooling layer to the final classification result, and the weight matrix of the full connection layer And bias vector/>Output of fully connected layer/>The calculation formula of (2) is as follows:
;
prediction of the random forest Based on/>A set of decision trees, each tree/>For a single data point/>Is predicted as (1)The prediction of random forests is calculated by averaging or majority voting:
Classification: ;
regression: 。
4. The network security monitoring and response system of claim 3, wherein the automatic response module specifically comprises:
And a response decision unit: the response decision unit is responsible for analyzing the recognition result transmitted by the threat recognition module, including threat types, severity levels, affected network resources and recommended response measures;
The response executor: according to the instruction of the response decision unit, the response executor is responsible for implementing response measures, including isolating the network segment which is threatened, blocking malicious communication, automatically applying security patches or updating security rules and notifying an administrator of manual intervention;
Response policy library: a series of predefined response policies are stored, each associated with a corresponding type of security threat, and the policy library allows for quick adjustment and updating of the response measures to accommodate the emerging security threats and attack means.
5. The network security monitoring and response system of claim 4, wherein the context aware adaptation module specifically comprises:
Network environment monitor: the network environment data collection method comprises the steps of collecting network environment data in real time, including network topology change, newly accessed equipment, equipment configuration change, network traffic mode change and security policy update;
Parameter adjustment decision engine: receiving real-time data from a network environment monitor, analyzing the real-time data by adopting a predefined algorithm, and identifying monitoring parameters and response mechanisms to be adjusted by a parameter adjustment decision engine according to analysis results so as to adapt to the change of the network environment, wherein the monitoring parameters and the response mechanisms comprise modifying the data capturing rule of a network flow monitoring module, updating a security strategy in a threat identification module or adjusting response measures of an automatic response module;
An adaptive adjustment actuator: specific adjustment operations are performed according to instructions of the parameter adjustment decision engine, including updating configuration settings of the monitoring and response system, dynamically adjusting monitoring thresholds, activating or deactivating security rules, and adjusting response priorities and policies.
6. The network security monitoring and response system of claim 5, wherein the predefined algorithm comprises a decision tree algorithm, the decision tree algorithm comprising:
Selecting the best attribute: the decision tree algorithm selects an optimal attribute from the data set to divide the data, so that the resulting subsets tend increasingly towards 'purity'; information gain is adopted as the criterion for selecting the optimal attribute, calculated as follows:
where the formula uses the entropy of the dataset, the set of all possible values of the attribute and, for each such value, the entropy of the data subset in which the attribute takes that value;
segmentation data: partitioning the data set into small subsets according to the selected attributes and their values;
Recursively constructing a decision tree: the selection of the best attribute and the segmentation of the data are repeated for each small subset after segmentation until each subset is sufficiently 'pure' or a predefined stop condition is reached.
7. The network security monitoring and response system of claim 6, wherein the predictive threat analysis module specifically comprises:
Data preprocessing: collecting network activity and security event data, and preprocessing, including data cleaning, normalization and feature extraction;
time series analysis: using an improved autoregressive moving average ARMA model to analyze time dependence and periodic variation of network activity data;
Training and predicting a machine learning model: modeling and predicting the development trend of the security event by using a deep learning network;
Trend analysis and pattern recognition: analyzing the output of the machine learning model, identifying potential security threat trends and patterns, including identifying emerging threat types, predicting future attack targets and opportunities, and evaluating potential security risks.
8. The network security monitoring and response system of claim 7, wherein the improved autoregressive moving average ARMA model incorporates nonlinear features and outlier detection mechanisms, and the improved ARMA model formula is:
where the modelled quantity is the network security event or network traffic indicator at a time point, the autoregressive part has its own parameters, the moving average part has its own parameters, a nonlinear function models the nonlinear characteristics of the network security event data and takes as input external intervention variables or outlier indicators, and an error term represents the random disturbance at the time point.
9. The network security monitoring and response system of claim 8, wherein the deep learning network employs a time convolutional network TCN, the calculating step comprising:
Causal convolution: ensures that only information from the current and earlier time steps is used in prediction, so that no future information leaks in; the calculation formula is as follows:
where the formula uses the input sequence, the convolution kernel and the size of the convolution kernel, and yields the output at the current time;
Dilated convolution: increases the receptive field by increasing the spacing between the elements of the convolution kernel, allowing the model to capture long-term dependencies; the calculation formula is as follows:
where the additional factor is the dilation factor that controls the spacing between input elements;
Residual connection: helps to alleviate the vanishing-gradient problem in deep networks and improves the training efficiency and stability of the model by adding the input to the convolution output; the calculation formula is as follows:
where the result is the output after adding the residual connection, and the function applied is an activation function.
10. The network security monitoring and response system of claim 1, further comprising a user interface module that provides an intuitive graphical interface allowing an administrator to configure monitoring parameters, view real-time alarms and analysis reports, and manually adjust response measures.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410370378.4A CN118118258A (en) | 2024-03-29 | 2024-03-29 | Network security monitoring and responding system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118118258A true CN118118258A (en) | 2024-05-31 |
Family
ID=91210662
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118118258A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118316741A (en) * | 2024-06-11 | 2024-07-09 | 贵州亿博通科技发展有限公司 | Cross-network security situation sensing and early warning notification system |
CN118316741B (en) * | 2024-06-11 | 2024-08-16 | 贵州亿博通科技发展有限公司 | Cross-network security situation sensing and early warning notification system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||