CN118555139A - Network security situation analysis system based on Internet of things - Google Patents
- Publication number: CN118555139A
- Application number: CN202411017556.1A
- Authority: CN (China)
- Prior art keywords: analysis, situation, synchronization, value, equipment
- Legal status: Granted (as listed by Google Patents; the legal status is an assumption and is not a legal conclusion)
Abstract
The invention discloses a network security situation analysis system based on the Internet of things, relating to the technical field of network security. The system comprises a node analysis module, a situation synchronization module and a synchronization analysis module. With the node analysis module and the situation synchronization module, the system can control the nodes of the Internet of things to periodically conduct multi-dimensional, three-dimensional network security situation analysis on network equipment, accurately grade the security situation of network equipment whose network security situation is abnormal so that the system can take corresponding measures for network equipment of different security situation grades, and, when a piece of network equipment has an abnormal network security situation, efficiently and accurately determine the range of network equipment on which network security situation analysis needs to be conducted synchronously, without analysing all network equipment one by one.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a network security situation analysis system based on the Internet of things.
Background
Network security situation analysis mines real threats out of network security data by collecting and storing the data and applying association analysis, statistical analysis, index calculation and similar means; it reduces the system's false positive and false negative rates, helps the user grasp the global network security situation and lets the user know the network security situation of every network device. At present, a network security situation analysis system can regularly detect and analyse network equipment, but when a security situation is abnormal it cannot accurately determine the range over which network security situation analysis is required, so the system has to perform security screening of a large number of network devices.
Disclosure of Invention
Aiming at the defects existing in the prior art, the invention aims to provide a network security situation analysis system based on the Internet of things.
In order to achieve the above purpose, the present invention provides the following technical solutions:
a network security situation analysis system based on the Internet of things comprises a node analysis module, a situation synchronization module and a synchronization analysis module;
The node analysis module is used for controlling the node of the Internet of things to conduct network security situation analysis on analysis equipment in the security situation analysis range, generating situation analysis records, and judging whether the analysis equipment is marked as analysis core equipment or not based on situation analysis values of the situation analysis records and comparison results of threshold values of the situation analysis values;
The situation synchronization module identifies analysis-associated equipment from the analysis core equipment and judges whether the analysis-associated equipment is marked as situation synchronization equipment based on a situation synchronization difference value and the result of comparing it with a threshold;
the synchronous analysis module is used for analyzing the nodes of the Internet of things in the synchronous analysis range and controlling the optimal analysis node to analyze the network security situation of the situation synchronous equipment.
Further, controlling the node of the Internet of things to analyse the network security situation of analysis equipment in the security situation analysis range and generating situation analysis records specifically comprises: drawing a circle with the position of the node of the Internet of things as the centre and a preset radius length y to obtain the security situation analysis range, marking network equipment positioned within the security situation analysis range as analysis equipment, and generating a situation analysis record every time length m, m being the numerical value of the time length; the situation analysis record comprises the node number of the Internet of things node, the number of the analysis equipment, the situation analysis value and the situation analysis time.
Further, judging whether the analysis equipment is marked as analysis core equipment based on the situation analysis value of the situation analysis record and the result of comparing it with the threshold specifically comprises: setting a situation analysis threshold; when the situation analysis value of the situation analysis record is larger than the situation analysis threshold, marking the numbered analysis equipment as analysis core equipment, calculating the ratio of the situation analysis threshold to the situation analysis value to obtain a situation analysis index, marked as TS, and, based on the analysis core equipment, obtaining the situation analysis records of the numbered analysis equipment within the corresponding time length; the difference between the situation analysis value and the situation analysis threshold is calculated to obtain a situation classification value, marked as Cj; a situation analysis grade is set for each range of the situation classification value Cj, the ranges being (0, C1), (C1, C2), …, (Cj-1, Cj) and the grades being situation analysis grade 1, situation analysis grade 2, …, situation analysis grade j-1 and situation analysis grade j; the higher the situation analysis grade, the further the network security state of the numbered analysis equipment departs from normal expectations and security standards; a situation abnormal record of the analysis core equipment is generated, the situation abnormal record comprising the situation analysis grade;
When the situation analysis value of the situation analysis record is smaller than or equal to the situation analysis threshold, no corresponding processing is carried out.
Further, the situation analysis value of the situation analysis record is obtained by the following method: the various types of network security data of the analysis equipment within the time length m are acquired, the situation analysis model of each type of network security data is acquired, each type of network security data is used as the input data of its corresponding situation analysis model to obtain the situation analysis value of that type, the situation analysis threshold of each type of network security data is acquired, and the situation analysis value of each type is compared with its situation analysis threshold: when the situation analysis value is greater than or equal to the situation analysis threshold, that type of network security data is marked as situation abnormal data of the analysis equipment; when it is smaller than the threshold, no corresponding processing is performed. All situation abnormal data of the analysis equipment are acquired, the situation superposition total number TSG is acquired, the total number of situation abnormal data of the analysis equipment is marked as EZK, all situation analysis differences are summed and averaged to obtain an average situation analysis difference, marked as DHY, and the situation analysis value ZXB of the situation analysis record is obtained from TSG, EZK and DHY by a formula, wherein a1 is the situation superposition total number coefficient, a2 is the situation abnormal data total number coefficient and a3 is the average situation analysis difference coefficient.
Further, the situation superposition total number is obtained by the following steps: a knowledge graph of all types of network security data is constructed and all situation abnormal data are compared pairwise; when two situation abnormal data are associated, the situation superposition times are increased by one, and the difference between the situation analysis values of the two situation abnormal data is calculated and its absolute value taken to obtain a situation analysis difference; when the two situation abnormal data are not associated, no corresponding processing is performed; the situation superposition times of the analysis equipment are summed to obtain the situation superposition total number, marked as TSG.
Further, analyzing the analysis associated equipment based on the analysis core equipment, and judging whether the analysis associated equipment is marked as the situation synchronous equipment or not based on a situation synchronous difference value and a threshold comparison result thereof, wherein the method specifically comprises the following steps: the method comprises the steps of constructing knowledge graphs of all network devices, acquiring the relation between analysis core devices and other network devices, marking the network devices with the relation with the analysis core devices as analysis association devices, acquiring situation synchronization values of the analysis core devices and situation synchronization values of the analysis association devices, carrying out difference calculation on the situation synchronization values of the analysis core devices and the situation synchronization values of the analysis association devices to obtain situation synchronization difference values, setting situation synchronization threshold difference values, not carrying out corresponding processing when the situation synchronization difference values are larger than or equal to the situation synchronization threshold difference values, and marking the analysis association devices as the situation synchronization devices when the situation synchronization difference values are smaller than the situation synchronization threshold difference values.
Further, the situation synchronization value is obtained by the following method: all situation analysis records and all situation abnormal records of the network equipment before the current system time are acquired; the situation analysis values of all situation abnormal records are summed and averaged to obtain an average situation analysis value, marked as LST; all situation abnormal records are sorted in time order, the difference between the situation analysis grades of each two adjacent sorted situation abnormal records is calculated and its absolute value taken to obtain a situation grade difference, and all situation grade differences are summed and averaged to obtain an average situation grade difference, marked as SWB; the situation synchronization value TBP of the network equipment is then obtained from LST and SWB by a formula, wherein b1 is the average situation analysis value coefficient and b2 is the average situation grade difference coefficient.
Further, the nodes of the internet of things in the synchronous analysis range are analyzed, and the optimal analysis node is controlled to analyze the network security situation of the situation synchronization equipment, specifically: and drawing a circle by taking the position of the situation synchronization equipment as the circle center and the length x of the preset radius to obtain a synchronization analysis range, marking the nodes of the internet of things which are in the synchronization analysis range and have idle states as synchronization analysis nodes, obtaining the synchronization analysis values of the synchronization analysis nodes, marking the synchronization analysis node with the largest synchronization analysis value as a preferable analysis node, carrying out network security situation analysis on the situation synchronization equipment by the preferable analysis node, and generating situation analysis records of the situation synchronization equipment by the preferable analysis node.
Further, the synchronization analysis value is obtained by the following method: all situation analysis records of an Internet of things node before the current system time are acquired and sorted in order of situation analysis time; the analysis device numbers of each two adjacent sorted situation analysis records are compared, and when they are identical no corresponding processing is performed, while when they differ the different-device analysis count is increased by one; all different-device analysis counts are summed to obtain the total number of different-device analyses, marked as ZMR; the difference between the situation analysis times of each two adjacent sorted situation analysis records is calculated to obtain a situation analysis interval, and all situation analysis intervals are summed and averaged to obtain an average situation analysis interval, marked as SPY; the synchronization analysis value HDF of the Internet of things node is then obtained from ZMR and SPY by a formula, wherein c1 is the different-device analysis total number coefficient and c2 is the average situation analysis interval coefficient.
Compared with the prior art, the invention has the following beneficial effects:
1. The system can control the nodes of the Internet of things to periodically perform multi-dimensional and three-dimensional network security situation analysis on network equipment, perform accurate security situation classification processing on network equipment with abnormal network security situations, facilitate the system to take corresponding measures on network equipment with different security situation levels, and efficiently and accurately judge the range of the network equipment needing to synchronously perform the network security situation analysis when the network equipment has the abnormal network security situation, so that one-to-one analysis on all the network equipment is not needed;
2. The synchronous analysis module is arranged, so that the network equipment needing to synchronously perform network security situation analysis can be rapidly determined to be analyzed by the appropriate nodes of the Internet of things, and security situation processing tasks of the nodes of the Internet of things are reasonably distributed on the basis of rapidly guaranteeing the synchronous security situation analysis of the network equipment.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a block flow diagram of determining whether to flag an analysis-associated device as a situation synchronization device;
FIG. 3 is a flow chart of controlling a preferred analysis node to perform network security situation analysis on situation synchronization equipment.
Detailed Description
Referring to FIG. 1 to FIG. 3:
A network security situation analysis system based on the Internet of things comprises a node analysis module, a situation synchronization module and a synchronization analysis module.
Node analysis module: a circle is drawn with the position of the Internet of things node as the centre and a preset radius length y to obtain the security situation analysis range, and network equipment positioned within the security situation analysis range is marked as analysis equipment. Every time length m (m is the numerical value of the time length; it is adjustable and may be, for example, 2 h or 5 min), the Internet of things node generates a situation analysis record comprising the Internet of things node number (every Internet of things node in the network security situation analysis system has an independent, unique number), the analysis equipment number (every piece of network equipment in the network security situation analysis system has an independent, unique number), the situation analysis value and the situation analysis time (the time at which the situation analysis record is generated).
And setting a situation analysis threshold, wherein the situation analysis threshold is a system setting threshold and can be modified according to actual requirements.
When the situation analysis value of the situation analysis record is larger than the situation analysis threshold, the numbered analysis device is marked as analysis core equipment, the ratio of the situation analysis threshold to the situation analysis value is calculated to obtain a situation analysis index, marked as TS, and, based on the analysis core equipment, the situation analysis records of the numbered analysis equipment within the corresponding time length are obtained; the difference between the situation analysis value and the situation analysis threshold is calculated to obtain a situation classification value, marked as Cj. A situation analysis grade is set for each range of the situation classification value Cj, the ranges being (0, C1), (C1, C2), …, (Cj-1, Cj) and the grades being situation analysis grade 1, situation analysis grade 2, …, situation analysis grade j-1 and situation analysis grade j; for example, when Cj belongs to (0, C1), the numbered analysis equipment is marked as situation analysis grade 1. A situation abnormal record of the analysis core equipment is generated, comprising the situation analysis grade; the higher the situation analysis grade, the further the network security state of the numbered analysis equipment departs from normal expectations and security standards.
When the situation analysis value of the situation analysis record is smaller than or equal to the situation analysis threshold, no corresponding processing is carried out.
The situation analysis value of the situation analysis record is obtained by the following steps: acquiring various types of network security data of analysis equipment in m time length, acquiring situation analysis models of the various types of network security data, taking the various types of network security data as input data of the corresponding situation analysis models, acquiring situation analysis values of the various types of network security data, acquiring situation analysis threshold values of the various types of network security data, comparing the situation analysis values of the various types of network security data with the situation analysis threshold values, marking the various types of network security data as situation abnormal data of the analysis equipment when the situation analysis values are larger than or equal to the situation analysis threshold values, and not performing corresponding processing when the situation analysis values are smaller than the situation analysis threshold values.
All situation abnormal data of the analysis equipment are acquired, a knowledge graph of all types of network security data is constructed, and all situation abnormal data are compared pairwise: when two situation abnormal data are associated, the situation superposition times are increased by one, and the difference between the situation analysis values of the two situation abnormal data is calculated and its absolute value taken to obtain a situation analysis difference; when the two situation abnormal data are not associated, no corresponding processing is performed. The situation superposition times of the analysis equipment are summed to obtain the situation superposition total times, marked as TSG; the total quantity of situation abnormal data of the analysis equipment is marked as EZK; all situation analysis differences are summed and averaged to obtain an average situation analysis difference, marked as DHY; and the situation analysis value ZXB of the situation analysis record is obtained from TSG, EZK and DHY by a formula, wherein a1 is the situation superposition total times coefficient, a2 is the situation abnormal data total quantity coefficient and a3 is the average situation analysis difference coefficient; a1 is 0.49, a2 is 0.92 and a3 is 0.62.
The network security data of various types are expressed in the form of a knowledge graph, and the association in the knowledge graph expresses the influence relation of the network security data of various types, if the network security data of the type is easy to change to cause the network security data of another type, the influence relation exists between the network security data of the two types.
When the network device performs network security situation analysis, various network security data of the network device need to be collected, such as log type data (the log type data records information such as network device activities, errors, warnings and the like, which are critical to identifying potential security threats), traffic type data (the traffic type data comprises network data packets entering and exiting the network device and can identify abnormal traffic patterns), performance type data (the performance type data comprises performance indexes such as a CPU (central processing unit), a memory, a disk utilization rate and the like of the network device, and the like, which are helpful for evaluating whether the device is affected by resource exhaustion type attacks), behavior type data (the behavior type data comprises behavior data such as login activities of users, file access, system operation and the like, which are helpful for identifying abnormal user behaviors) and the like.
Each type of network security data corresponds to a situation analysis model, and taking log type data as an example, the situation analysis model of the log type data is obtained by the following method: acquiring multiple groups of log type data, wherein each group of log type data is derived from the same network equipment, or derived from different network equipment, carrying out feature extraction on the multiple groups of log type data to obtain multiple groups of log feature data, constructing a neural network model, taking the log feature data as training data of the neural network model, giving situation analysis values to the training data, dividing the training data into a training set and a verification set according to a set proportion, carrying out neural network iterative training on the training set and the verification set according to actual requirements to obtain a situation analysis model of the log type data, wherein the situation analysis values are larger than 0, the larger the situation analysis values are, the fact that the log does not meet normal expectations and safety standards is shown, and the smaller the situation analysis values are, the fact that the log meets normal expectations and safety standards is shown; each type of network security data corresponds to a situation analysis threshold.
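The node analysis module described above, as an added Python example that is not part of the patent: it derives the situation abnormal data from per-type model scores, performs the pairwise knowledge-graph comparison that yields TSG and DHY, counts EZK, decides whether the device is an analysis core device, computes TS and Cj, and maps Cj onto a grade. The patent does not reproduce its ZXB formula, so the linear weighted sum with the stated coefficients a1 = 0.49, a2 = 0.92 and a3 = 0.62 is an assumption; the data-type influence graph, the model scores, the thresholds and the grade boundaries are constructed sample inputs, and treating a boundary value as belonging to the lower grade and any value beyond the last boundary as the top grade are assumptions too.

```python
"""Node analysis module of the described system (added example, not patent code).

The patent's ZXB formula is not reproduced on the page; the weighted sum in
situation_value() is an assumption. All sample data below is constructed.
"""
from bisect import bisect_left
from itertools import combinations

# Coefficients the description gives for the ZXB formula.
A1, A2, A3 = 0.49, 0.92, 0.62

# Constructed knowledge graph of network security data types: an edge means a
# change in one type tends to cause a change in the other (an "association").
TYPE_GRAPH = {("log", "behavior"), ("log", "traffic"), ("traffic", "performance")}

# Constructed per-type model outputs and per-type situation analysis thresholds
# for one analysis device within one time length m.
SCORES = {"log": 0.9, "traffic": 0.7, "performance": 0.2, "behavior": 0.8}
THRESHOLDS = {"log": 0.5, "traffic": 0.5, "performance": 0.5, "behavior": 0.5}


def associated(t1, t2):
    """True when the two data types are linked in the knowledge graph."""
    return (t1, t2) in TYPE_GRAPH or (t2, t1) in TYPE_GRAPH


def abnormal_data(scores, thresholds):
    """Situation abnormal data: every type whose score is >= its own threshold."""
    return {t: v for t, v in scores.items() if v >= thresholds[t]}


def superposition(abnormal):
    """Pairwise comparison of abnormal data: returns (TSG, EZK, DHY).

    TSG counts associated pairs, DHY averages |difference| over those pairs,
    EZK is the number of abnormal data. With no associated pair DHY is 0.
    """
    tsg, diffs = 0, []
    for (ta, va), (tb, vb) in combinations(sorted(abnormal.items()), 2):
        if associated(ta, tb):
            tsg += 1
            diffs.append(abs(va - vb))
    dhy = sum(diffs) / len(diffs) if diffs else 0.0
    return tsg, len(abnormal), dhy


def situation_value(scores, thresholds):
    """ZXB of one situation analysis record (assumed linear aggregation)."""
    tsg, ezk, dhy = superposition(abnormal_data(scores, thresholds))
    return A1 * tsg + A2 * ezk + A3 * dhy


def grade(cj, bounds):
    """Map Cj onto grade 1..j using the ranges (0, C1), (C1, C2), ..., (Cj-1, Cj).

    A value equal to a boundary goes to the lower grade and a value beyond the
    last boundary goes to the top grade (both assumptions).
    """
    return min(bisect_left(bounds, cj) + 1, len(bounds))


def analyse(node_id, device_id, scores, thresholds, zxb_threshold, bounds, t):
    """Situation analysis record and, for an analysis core device, the abnormal record."""
    zxb = situation_value(scores, thresholds)
    record = {"node": node_id, "device": device_id, "zxb": zxb, "time": t}
    if zxb <= zxb_threshold:          # not an analysis core device
        return record, None
    cj = zxb - zxb_threshold           # situation classification value
    abnormal = {"device": device_id, "ts": zxb_threshold / zxb,
                "cj": cj, "grade": grade(cj, bounds)}
    return record, abnormal


if __name__ == "__main__":
    rec, abn = analyse("N1", "D7", SCORES, THRESHOLDS, 3.0, [0.5, 1.0, 2.0], 1)
    print(rec)
    print(abn)
```

Two points worth checking in any real implementation: the pairwise loop is quadratic in the number of abnormal data types, which is harmless for the handful of types listed above but not for per-signal granularity, and a device with no abnormal data has no pairs to average, so DHY must be defined (here as 0) rather than computed by a division by zero.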
The situation synchronization module: the method comprises the steps of constructing knowledge graphs of all network devices, acquiring the relation between analysis core devices and other network devices, marking the network devices with the relation with the analysis core devices as analysis association devices, acquiring situation synchronization values of the analysis core devices and situation synchronization values of the analysis association devices, carrying out difference calculation on the situation synchronization values of the analysis core devices and the situation synchronization values of the analysis association devices to obtain situation synchronization difference values, setting situation synchronization threshold difference values, not carrying out corresponding processing when the situation synchronization difference values are larger than or equal to the situation synchronization threshold difference values, and marking the analysis association devices as the situation synchronization devices when the situation synchronization difference values are smaller than the situation synchronization threshold difference values.
The situation synchronization value is obtained by the following steps: all situation analysis records and all situation abnormal records of the network equipment before the current system time are acquired; the situation analysis values of all situation abnormal records are summed and averaged to obtain an average situation analysis value, marked as LST; all situation abnormal records are sorted in time order, the difference between the situation analysis grades of each two adjacent sorted situation abnormal records is calculated and its absolute value taken to obtain a situation grade difference, and all situation grade differences are summed and averaged to obtain an average situation grade difference, marked as SWB; the situation synchronization value TBP of the network equipment is then obtained from LST and SWB by a formula, wherein b1 is the average situation analysis value coefficient and b2 is the average situation grade difference coefficient; b1 is 0.24 and b2 is 0.82.
The network devices of the user and the relationship between the network devices are represented in the form of a knowledge graph, and the association in the knowledge graph represents the relationship existing between the network devices, such as a data processing relationship, a membership relationship and the like.
The system can control the nodes of the Internet of things to periodically perform multidimensional and three-dimensional network security situation analysis on network equipment, perform accurate security situation classification processing on network equipment with abnormal network security situations, facilitate the system to take corresponding measures on network equipment with different security situation levels, and efficiently and accurately judge the range of the network equipment needing to synchronously perform the network security situation analysis when the network equipment has the abnormal network security situation, so that one-to-one analysis on all the network equipment is not needed.
And the synchronous analysis module is used for: and drawing a circle by taking the position of the situation synchronization equipment as the circle center and the length x of the preset radius to obtain a synchronization analysis range, marking the nodes of the internet of things which are in the synchronization analysis range and have idle states as synchronization analysis nodes, obtaining the synchronization analysis values of the synchronization analysis nodes, marking the synchronization analysis node with the largest synchronization analysis value as a preferable analysis node, carrying out network security situation analysis on the situation synchronization equipment by the preferable analysis node, and generating situation analysis records of the situation synchronization equipment by the preferable analysis node.
The synchronization analysis value is obtained by the following method: all situation analysis records of an Internet of things node before the current system time are acquired and sorted in order of situation analysis time; the analysis device numbers of each two adjacent sorted situation analysis records are compared, and when they are identical no corresponding processing is performed, while when they differ the different-device analysis count is increased by one; all different-device analysis counts are summed to obtain the total number of different-device analyses, marked as ZMR; the difference between the situation analysis times of each two adjacent sorted situation analysis records is calculated to obtain a situation analysis interval, and all situation analysis intervals are summed and averaged to obtain an average situation analysis interval, marked as SPY; the synchronization analysis value HDF of the Internet of things node is then obtained from ZMR and SPY by a formula, wherein c1 is the different-device analysis total number coefficient and c2 is the average situation analysis interval coefficient; c1 is 0.65 and c2 is 0.43.
The synchronous analysis module is arranged, so that the network equipment needing to synchronously perform network security situation analysis can be rapidly determined to be analyzed by the appropriate nodes of the Internet of things, and security situation processing tasks of the nodes of the Internet of things are reasonably distributed on the basis of rapidly guaranteeing the synchronous security situation analysis of the network equipment.
The above formulas are all formulas with dimensions removed and numerical values calculated, the formulas are formulas with a large amount of data collected for software simulation to obtain the latest real situation, and preset parameters in the formulas are set by those skilled in the art according to the actual situation.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired or wireless means (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more sets of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially, or in the part contributing to the prior art, or in part, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (9)
1. The network security situation analysis system based on the Internet of things is characterized by comprising a node analysis module, a situation synchronization module and a synchronization analysis module;
The node analysis module is used for controlling the node of the Internet of things to conduct network security situation analysis on analysis equipment in the security situation analysis range, generating situation analysis records, and judging whether the analysis equipment is marked as analysis core equipment or not based on situation analysis values of the situation analysis records and comparison results of threshold values of the situation analysis values;
The situation synchronization module analyzes the analysis associated equipment based on the analysis core equipment and judges whether the analysis associated equipment is marked as the situation synchronization equipment or not based on a situation synchronization difference value and a threshold comparison result thereof;
the synchronous analysis module is used for analyzing the nodes of the Internet of things in the synchronous analysis range and controlling the optimal analysis node to analyze the network security situation of the situation synchronous equipment.
2. The network security situation analysis system based on the internet of things according to claim 1, wherein the network security situation analysis performed on analysis equipment in a security situation analysis range by the nodes of the internet of things, generating situation analysis records, is specifically: drawing a circle with the position of the Internet of things node as the centre and the preset radius length y to obtain a security situation analysis range, marking network equipment whose position lies within the security situation analysis range as analysis equipment, and having the Internet of things node generate a situation analysis record every time length m, where m is a numerical value representing the time length; the situation analysis record comprises the Internet of things node number, the analysis equipment number, the situation comprehensive analysis value and the situation analysis time.
3. The network security situation analysis system based on the internet of things according to claim 1, wherein judging whether the analysis equipment is marked as analysis core equipment based on the situation analysis value of a situation analysis record and the result of comparing it with the situation analysis threshold is specifically: setting a situation analysis threshold; when the situation analysis value of the situation analysis record is larger than the situation analysis threshold, marking the numbered analysis equipment as analysis core equipment, calculating the ratio of the situation analysis threshold to the situation analysis value to obtain a situation analysis index, marking the situation analysis index as TS, obtaining a time length based on the situation analysis index, obtaining the situation analysis records of the numbered analysis equipment over that time length, calculating the difference between the situation comprehensive analysis value and the situation comprehensive analysis threshold to obtain a situation classification value, and marking the situation classification value as Cj; setting a situation analysis grade corresponding to each range of the situation classification value Cj, wherein the ranges of Cj are (0, C1), (C1, C2), …, (Cj-1, Cj) and the situation analysis grades are situation analysis grade 1, situation analysis grade 2, …, situation analysis grade j-1 and situation analysis grade j; the higher the situation analysis grade, the further the network security state of the numbered analysis equipment departs from normal expectation and security standards; and generating a situation abnormal record of the analysis core equipment, the situation abnormal record comprising the situation analysis grade;
When the situation analysis value of the situation analysis record is smaller than or equal to the situation analysis threshold, no corresponding processing is carried out.
4. The network security situation analysis system based on the internet of things according to claim 2, wherein the situation analysis value of the situation analysis record is obtained by the following method: acquiring the various types of network security data of the analysis equipment within the time length m; acquiring the situation analysis model of each type of network security data; taking each type of network security data as the input data of its corresponding situation analysis model to obtain the situation analysis value of that type of network security data; acquiring the situation analysis threshold of each type of network security data and comparing the situation analysis value with it; marking the type of network security data as situation abnormal data of the analysis equipment when the situation analysis value is greater than or equal to the situation analysis threshold, and performing no corresponding processing when the situation analysis value is smaller than the situation analysis threshold; acquiring all situation abnormal data of the analysis equipment; acquiring the situation superposition total number TSG; marking the total number of situation abnormal data of the analysis equipment as EZK; summing all situation analysis differences and taking the average to obtain the average situation analysis difference, marked DHY; and using a formula in TSG, EZK and DHY to obtain the situation analysis value ZXB of the situation analysis record, where a1 is the situation superposition total number coefficient, a2 is the situation abnormal data total number coefficient, and a3 is the average situation analysis difference coefficient.
5. The network security situation analysis system based on the internet of things according to claim 4, wherein the total number of situation superpositions is obtained by: constructing a knowledge graph of all types of network security data; comparing all situation abnormal data pairwise; when the two situation abnormal data are associated, increasing the situation superposition count by one and calculating the difference between the situation analysis values of the two situation abnormal data and taking its absolute value to obtain a situation analysis difference; when the two situation abnormal data are not associated, performing no corresponding processing; and summing the situation superposition counts of the analysis equipment to obtain the total number of situation superpositions, marked TSG.
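As an added worked example (not code from the patent or its applicant), the following Python sketches the record-level procedure of claims 3 to 5: per-type abnormal marking against thresholds, pairwise association over a knowledge graph of data types to count TSG and collect the analysis differences (EZK and DHY follow), the core-equipment check with its index TS, and the mapping of a classification value Cj to a situation analysis grade. All sample values, the data-type names, the knowledge-graph edges and the grade bounds are constructed for illustration; because this page does not reproduce the ZXB formula, its combination of TSG, EZK and DHY is passed in as a caller-supplied function.

```python
from bisect import bisect_left
from itertools import combinations

# Constructed sample for one analysis device over one time length m:
# situation analysis value per network security data type (hypothetical values).
SAMPLE_VALUES = {"traffic": 0.82, "auth": 0.91, "cpu": 0.30, "dns": 0.77, "fw": 0.15}
# Constructed per-type situation analysis thresholds (hypothetical).
SAMPLE_THRESHOLDS = {"traffic": 0.70, "auth": 0.60, "cpu": 0.80, "dns": 0.75, "fw": 0.50}
# Constructed knowledge graph of data types: an undirected edge means the two
# types are associated (hypothetical).
SAMPLE_GRAPH = {frozenset({"traffic", "dns"}), frozenset({"auth", "traffic"})}


def mark_abnormal(values, thresholds):
    """Claim 4: a data type whose situation analysis value is greater than or
    equal to its threshold is situation abnormal data; otherwise nothing is done."""
    return {t: v for t, v in values.items() if v >= thresholds[t]}


def superposition_stats(abnormal, graph):
    """Claim 5: compare abnormal data pairwise. An associated pair raises the
    situation superposition count and yields |difference| of the two values.
    Returns (TSG, EZK, DHY)."""
    tsg = 0
    diffs = []
    for a, b in combinations(sorted(abnormal), 2):
        if frozenset({a, b}) in graph:
            tsg += 1
            diffs.append(abs(abnormal[a] - abnormal[b]))
    ezk = len(abnormal)
    dhy = sum(diffs) / len(diffs) if diffs else 0.0
    return tsg, ezk, dhy


def situation_analysis_value(values, thresholds, graph, combine):
    """Claims 4 and 5 end to end. `combine(tsg, ezk, dhy)` stands in for the
    patent's ZXB formula (coefficients a1, a2, a3), which this page does not show."""
    abnormal = mark_abnormal(values, thresholds)
    return combine(*superposition_stats(abnormal, graph))


def analysis_index(value, threshold):
    """Claim 3: above the situation analysis threshold the device becomes
    analysis core equipment and TS = threshold / value; otherwise no processing."""
    if value <= threshold:
        return None
    return threshold / value


def situation_grade(cj, bounds):
    """Claim 3: bounds = [C1, C2, ..., Cj] in ascending order. A classification
    value in (C_{k-1}, C_k] maps to grade k (half-open intervals are an
    assumption); values above Cj are clamped to grade j, values <= 0 get 0."""
    if cj <= 0:
        return 0
    return min(bisect_left(bounds, cj) + 1, len(bounds))


if __name__ == "__main__":
    # Placeholder weighted sum; these coefficients are hypothetical, not the patent's.
    combine = lambda tsg, ezk, dhy: 0.5 * tsg + 0.3 * ezk + 0.2 * dhy
    zxb = situation_analysis_value(SAMPLE_VALUES, SAMPLE_THRESHOLDS, SAMPLE_GRAPH, combine)
    print("ZXB =", round(zxb, 4), "TS =", analysis_index(zxb, 1.0),
          "grade =", situation_grade(zxb - 1.0, [0.5, 1.0, 1.5, 2.0]))
```

With the constructed sample, three of the five types exceed their thresholds, two of the three possible pairs are associated in the graph, so TSG = 2, EZK = 3 and DHY = 0.07. The grade lookup uses bisection so that adding grades only means extending the bounds list.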
6. The network security situation analysis system based on the internet of things according to claim 1, wherein the analysis associated device is analyzed based on the analysis core device, and whether the analysis associated device is marked as a situation synchronization device is determined based on a situation synchronization difference value and a threshold comparison result thereof, specifically: the method comprises the steps of constructing knowledge graphs of all network devices, acquiring the relation between analysis core devices and other network devices, marking the network devices with the relation with the analysis core devices as analysis association devices, acquiring situation synchronization values of the analysis core devices and situation synchronization values of the analysis association devices, carrying out difference calculation on the situation synchronization values of the analysis core devices and the situation synchronization values of the analysis association devices to obtain situation synchronization difference values, setting situation synchronization threshold difference values, not carrying out corresponding processing when the situation synchronization difference values are larger than or equal to the situation synchronization threshold difference values, and marking the analysis association devices as the situation synchronization devices when the situation synchronization difference values are smaller than the situation synchronization threshold difference values.
7. The network security situation analysis system based on the internet of things according to claim 6, wherein the situation synchronization value is obtained by: acquiring all situation analysis records and all situation abnormal records of the network equipment before the current system time; summing the situation analysis values of all situation abnormal records and taking the average to obtain the average situation analysis value, marked LST; sequencing all situation abnormal records in time order; calculating the difference between the situation analysis grades of each two adjacent situation abnormal records after sequencing and taking its absolute value to obtain a situation grade difference; summing all situation grade differences and taking the average to obtain the average situation grade difference, marked SWB; and using a formula in LST and SWB to obtain the situation synchronization value TBP of the network equipment, where b1 is the average situation analysis value coefficient and b2 is the average situation grade difference coefficient.
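As an added worked example for claims 6 and 7 (not code from the patent or its applicant), the following Python computes LST and SWB from a device's situation abnormal records, finds the analysis associated devices of an analysis core device in a device knowledge graph, and marks those whose situation synchronization difference is below the threshold difference. The device names, records, graph edges and threshold are constructed; the TBP formula is not reproduced on this page, so its combination of LST and SWB is passed in as a function, and the synchronization difference is taken as an absolute value (an assumption, since the claim does not state a sign).

```python
from statistics import mean

# Constructed situation abnormal records per network device (hypothetical):
# each tuple is (situation analysis time, situation analysis value, situation analysis grade).
SAMPLE_ABNORMAL = {
    "core-1": [(3, 0.9, 4), (1, 0.7, 2), (2, 0.8, 3)],
    "assoc-1": [(1, 0.6, 2), (2, 0.75, 3)],
    "assoc-2": [(5, 0.2, 1), (1, 0.95, 5)],
}
# Constructed knowledge graph of network devices: undirected relation edges (hypothetical).
SAMPLE_DEVICE_GRAPH = [("core-1", "assoc-1"), ("core-1", "assoc-2"), ("assoc-2", "other-7")]


def sync_components(abnormal_records):
    """Claim 7: LST = mean situation analysis value of the abnormal records;
    SWB = mean |grade difference| between time-adjacent abnormal records.
    A device with no abnormal records yields (0.0, 0.0)."""
    if not abnormal_records:
        return 0.0, 0.0
    ordered = sorted(abnormal_records)          # sequence by situation analysis time
    lst = mean(r[1] for r in ordered)
    grade_diffs = [abs(b[2] - a[2]) for a, b in zip(ordered, ordered[1:])]
    swb = mean(grade_diffs) if grade_diffs else 0.0
    return lst, swb


def associated_devices(core, edges):
    """Claim 6: network devices that have a relation with the analysis core device."""
    related = set()
    for a, b in edges:
        if a == core:
            related.add(b)
        elif b == core:
            related.add(a)
    return related


def situation_sync_devices(core, edges, abnormal, combine, threshold_diff):
    """Claim 6: an associated device is marked as situation synchronization
    equipment when its synchronization difference with the core device is
    smaller than the threshold difference; otherwise nothing is done.
    `combine(lst, swb)` stands in for the TBP formula (coefficients b1, b2)."""
    core_tbp = combine(*sync_components(abnormal.get(core, [])))
    marked = []
    for dev in sorted(associated_devices(core, edges)):
        tbp = combine(*sync_components(abnormal.get(dev, [])))
        if abs(core_tbp - tbp) < threshold_diff:     # absolute difference: assumption
            marked.append(dev)
    return marked


if __name__ == "__main__":
    # Placeholder combination of LST and SWB; not the patent's formula.
    print(situation_sync_devices("core-1", SAMPLE_DEVICE_GRAPH, SAMPLE_ABNORMAL,
                                 lambda lst, swb: lst + swb, 0.5))
```

In the constructed data, assoc-1 tracks the core device closely (its average value and grade changes are similar) and is marked; assoc-2 swings between grade 5 and grade 1, its synchronization difference exceeds the threshold, and it is left unmarked.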
8. The network security situation analysis system based on the internet of things according to claim 1, wherein analyzing the nodes of the internet of things in the synchronous analysis range and controlling the preferable analysis node to perform network security situation analysis on the situation synchronization equipment is specifically: drawing a circle with the position of the situation synchronization equipment as the centre and the preset radius length x to obtain a synchronization analysis range; marking the Internet of things nodes that lie within the synchronization analysis range and are in an idle state as synchronization analysis nodes; obtaining the synchronization analysis value of each synchronization analysis node; marking the synchronization analysis node with the largest synchronization analysis value as the preferable analysis node; and having the preferable analysis node perform network security situation analysis on the situation synchronization equipment and generate situation analysis records for the situation synchronization equipment.
9. The network security situation analysis system based on the internet of things according to claim 8, wherein the synchronization analysis value is obtained by: acquiring all situation analysis records of an Internet of things node before the current system time; sequencing all situation analysis records by situation analysis time; comparing the analysis equipment numbers of each two adjacent situation analysis records after sequencing; when the analysis equipment numbers of the two adjacent situation analysis records are identical, performing no corresponding processing; when they are different, increasing the number of different-equipment analyses by one; summing all different-equipment analyses to obtain the total number of different-equipment analyses, marked ZMR; calculating the difference between the situation analysis times of each two adjacent situation analysis records after sequencing to obtain a situation analysis interval; summing all situation analysis intervals and taking the average to obtain the average situation analysis interval, marked SPY; and using a formula in ZMR and SPY to obtain the synchronous analysis value HDF of the Internet of things node, where c1 is the coefficient of the total number of different-equipment analyses and c2 is the coefficient of the average situation analysis interval.
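As an added worked example for the synchronous analysis module described above and restated in claims 8 and 9 (not code from the patent or its applicant), the following Python derives ZMR and SPY from a node's time-ordered situation analysis records, filters the idle Internet of things nodes inside the circle of radius x around the situation synchronization equipment, and picks the node with the largest synchronization analysis value. Node names, positions, idle flags and records are constructed. The page does not reproduce the HDF formula, so `placeholder_hdf` is a weighted sum using the description's coefficients c1 = 0.65 and c2 = 0.43; it is an assumption, and any other combination can be passed as `combine`.

```python
import math

# Constructed situation analysis records per Internet of things node (hypothetical):
# (situation analysis time, analysis equipment number), deliberately unsorted.
SAMPLE_NODE_RECORDS = {
    "node-A": [(30, "dev-2"), (10, "dev-1"), (60, "dev-3"), (20, "dev-1")],
    "node-B": [(5, "dev-9"), (15, "dev-9")],
    "node-C": [(0, "dev-4"), (40, "dev-5")],
}
# Constructed node table (hypothetical): name -> ((x, y) position, idle flag).
SAMPLE_NODES = {
    "node-A": ((1.0, 1.0), True),
    "node-B": ((2.0, 0.0), True),
    "node-C": ((0.5, 0.5), False),   # busy, so never a synchronization analysis node
    "node-D": ((9.0, 9.0), True),    # idle but outside the radius
}
# Coefficients stated in the description: c1 for ZMR, c2 for SPY.
C1, C2 = 0.65, 0.43


def sync_analysis_components(records):
    """Sort the node's records by situation analysis time, then
    ZMR = number of adjacent pairs whose analysis equipment numbers differ,
    SPY = mean situation analysis interval between adjacent records."""
    ordered = sorted(records)
    pairs = list(zip(ordered, ordered[1:]))
    zmr = sum(1 for a, b in pairs if a[1] != b[1])
    spy = sum(b[0] - a[0] for a, b in pairs) / len(pairs) if pairs else 0.0
    return zmr, spy


def placeholder_hdf(zmr, spy):
    """Placeholder for the HDF formula, which this page does not reproduce:
    a weighted sum with the page's coefficients (assumption)."""
    return C1 * zmr + C2 * spy


def sync_analysis_nodes(target_pos, x, nodes):
    """Idle nodes within the circle of radius x centred on the situation
    synchronization equipment."""
    tx, ty = target_pos
    return [n for n, ((px, py), idle) in nodes.items()
            if idle and math.hypot(px - tx, py - ty) <= x]


def preferable_node(target_pos, x, nodes, records, combine=placeholder_hdf):
    """Pick the synchronization analysis node with the largest synchronization
    analysis value; returns (node, value), or None if no idle node is in range."""
    best = None
    for n in sync_analysis_nodes(target_pos, x, nodes):
        hdf = combine(*sync_analysis_components(records.get(n, [])))
        if best is None or hdf > best[1]:
            best = (n, hdf)
    return best


if __name__ == "__main__":
    print(preferable_node((0.0, 0.0), 3.0, SAMPLE_NODES, SAMPLE_NODE_RECORDS))
```

For equipment at the origin with x = 3, node-C is excluded for being busy and node-D for distance; node-A (two equipment changes, mean interval 50/3) outranks node-B (no changes, mean interval 10) under the placeholder combination. The `None` return is the case a scheduler has to handle explicitly: no idle node in range means the situation synchronization equipment cannot be analysed until a node frees up or the radius is widened.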
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202411017556.1A CN118555139B (en) | 2024-07-29 | 2024-07-29 | Network security situation analysis system based on Internet of things |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118555139A true CN118555139A (en) | 2024-08-27 |
CN118555139B CN118555139B (en) | 2024-10-01 |
Family
ID=92446273
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202411017556.1A Active CN118555139B (en) | 2024-07-29 | 2024-07-29 | Network security situation analysis system based on Internet of things |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118555139B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104410992A (en) * | 2014-10-30 | 2015-03-11 | 重庆邮电大学 | Trust-based situation data fusion method of distributed sensor network |
CN109558729A (en) * | 2018-11-28 | 2019-04-02 | 河北省科学院应用数学研究所 | A kind of intelligent system of defense of network attack |
CN111654321A (en) * | 2020-06-01 | 2020-09-11 | 清华大学 | Satellite network management method and device and electronic equipment |
CN114065220A (en) * | 2021-11-25 | 2022-02-18 | 国网四川省电力公司成都供电公司 | Dual-level analysis situation assessment method based on distributed system |
CN114418462A (en) * | 2022-03-28 | 2022-04-29 | 北京安盟信息技术股份有限公司 | Principal equipment safety management method and system based on hierarchical digital twin |
US20220283562A1 (en) * | 2021-03-08 | 2022-09-08 | Saudi Arabian Oil Company | Intelligent safety motor control center (ismcc) |
CN117726153A (en) * | 2024-02-18 | 2024-03-19 | 中国科学院工程热物理研究所 | Real-time rescheduling method suitable for unmanned aerial vehicle cluster operation task |
CN117761578A (en) * | 2023-12-28 | 2024-03-26 | 四川网达科技有限公司 | Rail transit signal system grounding network fault positioning method |
- 2024-07-29 CN CN202411017556.1A patent/CN118555139B/en active Active
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104410992A (en) * | 2014-10-30 | 2015-03-11 | 重庆邮电大学 | Trust-based situation data fusion method of distributed sensor network |
CN109558729A (en) * | 2018-11-28 | 2019-04-02 | 河北省科学院应用数学研究所 | A kind of intelligent system of defense of network attack |
CN111654321A (en) * | 2020-06-01 | 2020-09-11 | 清华大学 | Satellite network management method and device and electronic equipment |
US20220283562A1 (en) * | 2021-03-08 | 2022-09-08 | Saudi Arabian Oil Company | Intelligent safety motor control center (ismcc) |
CN114065220A (en) * | 2021-11-25 | 2022-02-18 | 国网四川省电力公司成都供电公司 | Dual-level analysis situation assessment method based on distributed system |
CN114418462A (en) * | 2022-03-28 | 2022-04-29 | 北京安盟信息技术股份有限公司 | Principal equipment safety management method and system based on hierarchical digital twin |
CN117761578A (en) * | 2023-12-28 | 2024-03-26 | 四川网达科技有限公司 | Rail transit signal system grounding network fault positioning method |
CN117726153A (en) * | 2024-02-18 | 2024-03-19 | 中国科学院工程热物理研究所 | Real-time rescheduling method suitable for unmanned aerial vehicle cluster operation task |
Also Published As
Publication number | Publication date |
---|---|
CN118555139B (en) | 2024-10-01 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
CN108874927B (en) | Intrusion detection method based on hypergraph and random forest | |
CN106973038B (en) | Network intrusion detection method based on genetic algorithm oversampling support vector machine | |
CN111614491B (en) | Power monitoring system oriented safety situation assessment index selection method and system | |
CN107493277B (en) | Large data platform online anomaly detection method based on maximum information coefficient | |
CN113688042A (en) | Method and device for determining test scene, electronic equipment and readable storage medium | |
Ye et al. | EWMA forecast of normal system activity for computer intrusion detection | |
CN110336838B (en) | Account abnormity detection method, device, terminal and storage medium | |
JP2008545343A (en) | Method and apparatus for all network anomaly diagnosis and method for detecting and classifying network anomalies using traffic feature distribution | |
CN113269389A (en) | Network security situation assessment and situation prediction modeling method based on deep belief network | |
CN111310139A (en) | Behavior data identification method and device and storage medium | |
CN111898647A (en) | Clustering analysis-based low-voltage distribution equipment false alarm identification method | |
CN109861825B (en) | Internal attack detection method based on weighting rule and consistency in CPS system | |
CN114879613A (en) | Industrial control system information security attack risk assessment method and system | |
CN117094184B (en) | Modeling method, system and medium of risk prediction model based on intranet platform | |
CN112202718B (en) | XGboost algorithm-based operating system identification method, storage medium and device | |
CN116668039A (en) | Computer remote login identification system and method based on artificial intelligence | |
CN117614978A (en) | Information security communication management system for digital workshop | |
CN117111568B (en) | Equipment monitoring method, device, equipment and storage medium based on Internet of things | |
CN118555139B (en) | Network security situation analysis system based on Internet of things | |
Agbaje et al. | A framework for consistent and repeatable controller area network ids evaluation | |
CN117349903A (en) | Safety protection management and control system based on data analysis | |
CN117240522A (en) | Vulnerability intelligent mining method based on attack event model | |
CN116994336A (en) | Artificial intelligence-based construction dangerous behavior analysis method and system for building engineering | |
CN117014193A (en) | Unknown Web attack detection method based on behavior baseline | |
CN110765668A (en) | Concrete penetration depth test data abnormal point detection method based on deviation index |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||