WO2023077617A1 - Network security situation adaptive active defense system and method

Info

Publication number: WO2023077617A1
Authority: WO (WIPO (PCT))
Prior art keywords: network, data, network security, situation, security situation
Application number: PCT/CN2021/137767
Other languages: French (fr), Chinese (zh)
Inventors: 游志勇, 陶源, 李末岩, 胡巍
Original Assignee: 公安部第三研究所

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the invention relates to network security technology, in particular to a network security protection system and self-adaptive active defense.
  • Network security technology mainly prevents potential network security risks and prevents malicious code attacks on network resources.
  • a complete network system needs comprehensive application protection, detection, response and recovery.
  • a traditional network security protection system can be combined with modern artificial intelligence algorithms, turning a static protection strategy into a dynamic, adaptive learning protection system that not only predicts the attacks occurring in the network system but also learns from such attack behaviors autonomously, greatly improving the capabilities of the network security protection system.
  • existing network security protection solutions, however, cannot be organically integrated with artificial intelligence algorithms to achieve a good dynamic adaptive learning effect; their active defense capabilities are weak and fall short of requirements.
  • the object of the present invention is to provide a network security situation adaptive active defense system, and a method for realizing adaptive active network defense based on the system.
  • the solution provided by the invention can give early warning to the risks of network security hidden dangers, and complete the active defense and self-adaptive network defense of the network.
  • the network security situation self-adaptive active defense system includes a network security situation awareness unit, a network security situation understanding unit and a network security situation mapping unit that are linked together:
  • the network security situational awareness unit collects network data information in real time, analyzes and processes the collected information, judges abnormal network attack behavior, and forms corresponding situational awareness data;
  • the network security situation understanding unit analyzes the relevance of the situation awareness data formed by the network security situation awareness unit, analyzes and understands the attack behavior, and forms network security situation understanding data;
  • the network security situation mapping unit analyzes and fuses the network security situation understanding data formed by the network security situation understanding unit, evaluates the network security situation, forms network security situation evaluation data, and then uses a BP neural network model to quantitatively predict the network security situation based on the network security situation assessment data.
  • the adaptive active defense system is also linked with the network expert decision-making system, and the quantified network security situation prediction results are transmitted to the network expert decision-making system.
  • the network security situation awareness unit includes a network situation information collection module, a data preprocessing module, a data modeling module, and an analysis and judgment module;
  • the network situation information collection module collects network situation information in real time, and the network situation information is information that can indicate the current network situation;
  • the data preprocessing module classifies and verifies the network situation information collected by the network situation information collection module
  • the data modeling module models the data processed by the data preprocessing module, extracts data features and performs factor analysis
  • the analysis and judgment module performs qualitative and quantitative analysis according to the data features extracted by the data modeling module and the results of factor analysis, and judges abnormal behavior according to the analysis results.
  • the network security situation understanding unit includes an associated attack analysis module and an attack behavior understanding module
  • the associated attack analysis module analyzes the data association of the situational awareness data
  • the attack behavior understanding module analyzes and understands the attack behavior based on the association analysis data formed by the association attack analysis module, and identifies attack intentions and attack targets to form network security situation understanding data.
  • attack behavior understanding module conducts analysis through big data analysis, so as to perform network situation assessment, network threat assessment and network situation prediction.
  • the network security situation mapping unit includes a situation assessment module and a quantitative prediction module
  • the situation assessment module performs network threat assessment and security assessment based on situation understanding data to form network security situation assessment data
  • the quantitative prediction module quantifies the network security situation assessment data formed by the situation assessment module and predicts the development trend of the network security situation based on the BP neural network combined with the ant colony algorithm.
  • the quantitative prediction module uses the network security situation assessment data as the neuron input of the BP neural network, determines the number of input layer nodes and the number of output layer nodes, establishes a network model, generates a sample database, determines the number of hidden layer nodes, and uses the ant colony algorithm to update the weights and thresholds of the BP neural network.
  • the network security situation adaptive active defense method provided by the present invention includes:
  • Analyze and fuse the network security situation understanding data, evaluate the network security situation, form the network security situation assessment data, and then use the BP neural network model to make quantitative predictions of the network security situation based on the network security situation assessment data.
  • the method further includes the step of linking with the network expert decision-making system according to the quantitatively predicted network security situation development trend results to form active defense measures.
  • the method includes:
  • Network situation information is information that can indicate current network conditions
  • when the method forms network security situation understanding data, it includes:
  • when the method performs quantitative prediction of the network security situation, it includes:
  • the network security situation assessment data is quantified to predict the development trend of the network security situation.
  • the network security situation assessment data is used as the neuron input of the BP neural network, the number of input layer nodes and the number of output layer nodes are determined, a network model is established, a sample database is generated, the number of hidden layer nodes is determined, and the ant colony algorithm is used to update the weights and thresholds of the BP neural network.
  • the network security situation self-adaptive active defense scheme provided by the present invention provides active defense against network security problems together with self-adaptive network learning protection, performing active protection and self-improvement and thereby effectively improving the security capability of the network.
  • This network security situation adaptive active defense scheme also uses a BP neural network combined with the ant colony algorithm to process network security situation data, which converges well on situation assessment data and is not sensitive to the initial data.
  • Because the BP neural network combined with the ant colony algorithm is adopted, the good self-learning ability and nonlinear adaptive model of the BP neural network let the scheme adapt to different network models.
  • Fig. 1 is a schematic diagram of the network security situational awareness adaptive active defense system in this example.
  • Fig. 2 is a schematic diagram of situation prediction of network security situation awareness in this example.
  • the invention provides a scheme of self-adaptive and active defense of the network security situation.
  • This network security situation adaptive active defense scheme organically integrates network security situation assessment, BP neural network, ant colony algorithm, network security situation prediction and expert decision-making system.
  • the organic integration and close cooperation of these four technical means realizes active monitoring, situational awareness, comprehensive analysis and self-adaptive learning active defense for network security issues, which can continuously learn from network security risks and network attack behaviors and further enhance the active defense capabilities of network security.
  • the present invention provides a network security situation awareness adaptive active defense system to realize network security situation adaptive active defense.
  • FIG. 1 shows an example of the composition of a network security situation awareness adaptive active defense system provided by the present invention.
  • the network security situation awareness self-adaptive active defense system 100 is a network model mainly composed of the network security situation awareness unit 110, the network security situation understanding unit 120 and the network security situation mapping unit 130, through which the development trend of the network security situation is accurately predicted.
  • the network security situation awareness self-adaptive active defense system 100 collects information corresponding to the network system to be defended, then analyzes and integrates the collected data, correlates the data, analyzes attacking network behaviors, and finally outputs situation assessment data, on the basis of which the network security status is predicted.
  • the network security situational awareness unit 110 in the defense system is used to collect network data information in real time, analyze and process based on the collected information, and determine abnormal behavior to form corresponding situational awareness data.
  • the abnormal behavior here refers to security-relevant behavior across the entire network system, mainly a series of network attacks such as denial of service attacks, ransomware, vulnerability exploitation attacks, and phishing.
  • the current network operating status can be used to determine whether the network has been attacked.
  • the network security situation awareness unit 110 can be used to collect multi-source network situation information in real time, and analyze and process the data information to form situation awareness data, which can be used as a data source for the network security situation understanding unit 120 to perform correlation analysis.
  • FIG. 1 also provides an example configuration of the network security situational awareness unit 110.
  • the network security situation awareness unit 110 is mainly composed of a network situation information collection module 111, a data preprocessing module 112, a data modeling module 113, and an analysis and judgment module 114 in cooperation with each other.
  • the network situation information collecting module 111 collects the network situation information in real time.
  • the network situation information is mainly information that indicates the current status and state of the network, for example how many network attacks the network system has defended against, what kind of attack it is currently suffering, and the type, method and status of those attacks.
  • network situation information, including important clues or elements such as network topology information, vulnerability information and network vulnerability information, is detected and collected as an important source for network system security assessment; the network security situation can then be evaluated before these elements are attacked, and the necessary defensive measures taken to ensure the security of information assets.
  • the collected network situation information is not limited to the above-mentioned network topology information, vulnerability information, and network vulnerability information.
  • the collected information includes security data, event data, network structure data, network service data, vulnerability data, threat and intrusion data, user abnormal behavior data, and so on.
  • this example extracts network data information based on the elements of network perception.
  • the data acquisition methods mainly include host configuration detection tools, firewall intrusion detection tools, password cracking tools, network device configuration detection tools, anti-virus software, database security detection tools, network scanning tools and system vulnerability detection tools; alternatively, network data information on detected vulnerabilities and weaknesses is obtained from asset lists, event reports, log information and the like, and security situation assessment and analysis data are derived from it.
  • the data preprocessing module 112 in this unit performs data interaction with the network situation information collection module 111 and preprocesses the network situation information collected by the network situation information collection module 111.
  • the data preprocessing module 112 completes preprocessing by classifying and verifying corresponding data information.
  • the network perception data obtained by intrusion detection systems, scanning tools, or hardware devices can be verified manually, or automatically verified by the verification system, or a combination of the two.
  • the data modeling module 113 in this unit performs data interaction with the data preprocessing module 112, models the data processed by the data preprocessing module 112, extracts data features and performs factor analysis.
  • the data modeling module 113 constructs a corresponding data analysis model based on a corresponding data analysis algorithm.
  • the algorithms and model construction methods used in this solution are not limited here, and the details can be determined according to actual needs.
  • the data analysis model constructed by the data modeling module 113 analyzes three major types of elements by invoking the corresponding detection tools, namely traffic information, vulnerability information and log alarm information, to obtain the current network-layer data volume change rate, vulnerability data, threat and intrusion data, abnormal user behavior data and so on.
  • the analysis and judgment module 114 in this unit performs data interaction with the data modeling module 113; it performs qualitative and quantitative analysis based on the data features extracted by the data modeling module 113 and the results of factor analysis, judges abnormal behaviors based on the analysis results, and analyzes potential network security risks.
  • the data analysis and synthesis can be completed by constructing corresponding qualitative and quantitative analysis models; the specific analysis model is not limited here and can be determined according to actual needs.
  • the qualitative and quantitative analysis and synthesis of data can also be completed through subjective judgment and logical reasoning.
  • the corresponding network characteristics, change trends and so on are obtained, and based on these analysis results, combined with inter-system communication, database reads, log information, network traffic and the like, abnormal behavior is judged and potential network security risks are analyzed.
  • the network security situation understanding unit 120 in this defense system is used to cooperate with the network security situation awareness unit 110 to analyze the correlation of the situation awareness data formed by it, and then analyze and understand the attack behavior to form network security situation understanding data.
  • FIG. 1 also provides an example configuration of the network security situation understanding unit 120.
  • the network security situation understanding unit 120 in this example is mainly composed of an associated attack analysis module 121 and an attack behavior understanding module 122 in cooperation with each other.
  • the associated attack analysis module 121 takes the situational awareness data formed by the network security situational awareness unit 110 as input, and analyzes the data relevance of the situational awareness data.
  • the data correlation analyzed here for situational awareness data mainly refers to the analysis of all kinds of data attributes, rule matching, behavior detection, etc., to determine the correlation between these information.
  • the associated attack analysis module 121 evaluates and analyzes the situation awareness data: based on multi-source data, it performs data processing and event association on the security incidents, response reports, historical data and so on generated by the network system, and analyzes the security situation reflected in that data, which enables linkage with the network system's own defenses for comprehensive analysis.
  • the attack behavior understanding module 122 in this unit interacts with the associated attack analysis module 121; based on the association analysis data formed by the associated attack analysis module 121, it analyzes and understands the attack behavior, identifies attack intentions and attack targets, and forms network security situation understanding data.
  • the attack behavior understanding module 122 uses a big data analysis method to analyze the associated analysis data formed by the associated attack analysis module 121, thereby realizing network situation assessment, network threat assessment and network situation prediction.
  • the big data analysis methods include, but are not limited to, correlation analysis, data classification, induction, behavior detection, machine learning and other big data analysis methods.
  • the attack behavior understanding module 122 identifies the network attack behaviors and characteristics present in the network system according to the static or dynamic network security configuration elements of situational awareness, analyzes and understands the attack behavior through data correlation, determines the attacker's targets and intentions, locates network vulnerabilities, formulates system defense strategies and carries out active defense. In this way it further realizes linkage with the network system's own defense and carries out all-round analysis.
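As an added illustration of the situational awareness unit (modules 111 to 114) and the situation understanding unit (modules 121 and 122) described above, the following Python is example code written for this page, not code from the patent or its assignee. It runs a constructed set of multi-source records through classification and verification, feature extraction, abnormality judgment and host-level correlation; the record layout, the field requirements, the thresholds and the intent labels are all assumptions made for the example.

```python
"""Added example (not the patent's code): a miniature situational awareness
unit (collect -> classify/verify -> features -> judge) feeding a situation
understanding unit (correlate per host -> attack target and intent).
Every record, threshold and label here is constructed for illustration."""
from collections import defaultdict

# Constructed multi-source network situation information, one dict per record.
RECORDS = [
    {"source": "traffic", "window": 1, "dst": "10.0.0.5", "bytes": 1_000_000},
    {"source": "traffic", "window": 2, "dst": "10.0.0.5", "bytes": 1_100_000},
    {"source": "traffic", "window": 3, "dst": "10.0.0.5", "bytes": 4_800_000},
    {"source": "auth", "window": 3, "host": "10.0.0.5", "result": "fail"},
    {"source": "auth", "window": 3, "host": "10.0.0.5", "result": "fail"},
    {"source": "auth", "window": 3, "host": "10.0.0.5", "result": "fail"},
    {"source": "auth", "window": 3, "host": "10.0.0.7", "result": "ok"},
    {"source": "vuln", "host": "10.0.0.5", "severity": "critical"},
    {"source": "vuln", "host": "10.0.0.7", "severity": "low"},
    {"source": "auth", "window": 3, "host": "10.0.0.9"},       # missing field: rejected
    {"source": "sensor-x", "host": "10.0.0.9", "value": 1},     # unknown source: rejected
]

# Assumed schema per record class, used by the verification step.
REQUIRED = {"traffic": {"window", "dst", "bytes"},
            "auth": {"window", "host", "result"},
            "vuln": {"host", "severity"}}


def preprocess(records):
    """Data preprocessing module: classify each record by source and verify that
    it carries the fields its class requires. Returns (accepted, rejected)."""
    accepted, rejected = defaultdict(list), []
    for r in records:
        need = REQUIRED.get(r.get("source"))
        if need and need <= set(r):
            accepted[r["source"]].append(r)
        else:
            rejected.append(r)
    return accepted, rejected


def extract_features(accepted):
    """Data modeling module: per-host features of the kinds the description
    names (traffic volume change rate, abnormal user behaviour, vulnerability data)."""
    feats = defaultdict(lambda: {"volume_change": 0.0, "auth_fail": 0, "critical_vulns": 0})
    by_dst = defaultdict(dict)
    for t in accepted["traffic"]:
        by_dst[t["dst"]][t["window"]] = t["bytes"]
    for dst, series in by_dst.items():           # change rate of the latest window vs the previous one
        w = sorted(series)
        if len(w) >= 2 and series[w[-2]] > 0:
            feats[dst]["volume_change"] = series[w[-1]] / series[w[-2]] - 1.0
    for a in accepted["auth"]:
        if a["result"] == "fail":
            feats[a["host"]]["auth_fail"] += 1
    for v in accepted["vuln"]:
        if v["severity"] == "critical":
            feats[v["host"]]["critical_vulns"] += 1
    return dict(feats)


def judge(feats, change_limit=1.0, fail_limit=3):
    """Analysis and judgment module: qualitative flags per host plus a simple
    quantitative score; the thresholds are constructed for the example."""
    awareness = {}
    for host, f in feats.items():
        flags = []
        if f["volume_change"] > change_limit:
            flags.append("traffic_surge")
        if f["auth_fail"] >= fail_limit:
            flags.append("auth_failures")
        if f["critical_vulns"] > 0:
            flags.append("critical_vuln")
        awareness[host] = {"flags": flags, "score": len(flags) / 3.0}
    return awareness


def understand(awareness):
    """Situation understanding unit: rule matching over the correlated per-host
    flags to name an attack target and a coarse intent."""
    understanding = []
    for host, a in awareness.items():
        fl = set(a["flags"])
        if {"traffic_surge", "auth_failures"} <= fl:
            intent = ("brute-force logins against a host with a critical vulnerability"
                      if "critical_vuln" in fl else "brute-force logins")
            understanding.append({"target": host, "intent": intent, "risk": a["score"]})
        elif "traffic_surge" in fl:
            understanding.append({"target": host, "intent": "possible flooding", "risk": a["score"]})
    return understanding


def run(records=RECORDS):
    """Whole pipeline: awareness data plus understanding data for the records."""
    accepted, rejected = preprocess(records)
    awareness = judge(extract_features(accepted))
    return {"rejected": len(rejected), "awareness": awareness, "understanding": understand(awareness)}


if __name__ == "__main__":
    print(run())
```

The verification step rejects anything that does not match a known record class, so a malformed or unknown-source record never reaches feature extraction; in a real deployment that rejected set is itself worth logging, since a collector that suddenly starts emitting unparseable records is a signal in its own right.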
  • the network security situation mapping unit 130 in this system cooperates with the network security situation understanding unit 120: it analyzes and fuses the network security situation understanding data formed by that unit, evaluates the network security situation, forms network security situation assessment data, and then uses the BP neural network model to make quantitative predictions of the network security situation based on that assessment data.
  • FIG. 1 also provides an example configuration of the network security situation mapping unit 130.
  • the network security situation mapping unit 130 is mainly composed of a situation assessment module 131 and a quantitative prediction module 132 in cooperation with each other.
  • the situation assessment module 131 performs data interaction with the network security situation understanding unit 120, analyzes and fuses the situation understanding data formed by that unit to perform network threat assessment and security assessment, and forms network security situation evaluation data.
  • this situation assessment module 131 evaluates the business security, data security, infrastructure security and overall security status of the network system from multiple layers and multiple angles, and can choose different evaluation methods for different application backgrounds and different network sizes.
  • network security situation assessment data can be formed using the OODA model, the JDL model and the RPD model.
  • the quantitative prediction module 132 in this unit performs data interaction with the situation assessment module 131 and the network expert decision-making system; it builds a situation assessment prediction model based on the BP neural network combined with the ant colony algorithm, and uses this model to quantify the network security situation assessment data formed by the situation assessment module 131 and predict the development trend of the network security situation.
  • the quantitative prediction module 132 also activates the network expert decision-making system predictively based on the result of the quantitative prediction of the development trend, thereby improving the system's self-adaptive active defense capability.
  • the processed network security situation assessment data is used as the data input layer of the BP neural network, and the weights and thresholds of the neural network are continuously trained and updated, with the ant colony algorithm used to search quickly for the optimum, so as to realize the quantitative prediction of the development trend.
  • the network security situation assessment data is used as the input data of the BP neural network algorithm, the network topology is built, and information such as the number of BP neural network neurons and the weights and thresholds of each layer is initialized.
  • the initial ant colony algorithm parameters are used to construct the solution space in the hidden layer of the BP neural network. If an ant selects a path node, the weight and threshold of the previous layer at that path point are selected from the traversed set; otherwise another path point is selected to jump to.
  • the ant jumps along each path and updates the pheromone concentration of the path in real time.
  • the ant judges whether the expected value of the output is within the set error range. If it meets the expected result, it is sent to the BP neural network for learning; if the expected value of the output is not within the set error range, the current traversal count is incremented by 1, the path record table is cleared, and the search for the optimal solution of the system is repeated.
  • the optimal solution is sent to the BP neural network for repeated learning and training to obtain the optimal weights and thresholds, and the error against the optimal output result is calculated until the algorithm termination condition is satisfied.
  • the resulting network security situation mapping unit 130, when running, analyzes and fuses the situation understanding data, uses the situation assessment data as the input data of the BP neural network model, and uses the ant colony algorithm to further search for the data weights, that is, the weights of the data affecting the optimal result, finds the initial values best suited to the BP neural network model, and uses them as the optimal data source input.
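The ant colony search over the BP network's weights and thresholds described in the steps above, as an added Python example written for this page (not the patent's own code or model). It encodes all weights and thresholds of a small 3-4-1 network as one flat vector, lets each ant pick every value from a discrete grid in proportion to pheromone, stops when the best error is within a set tolerance or after a fixed number of rounds, and then refines the chosen vector by back-propagation; the dataset, network size, grid and all parameters are constructed assumptions.

```python
"""Added example (not the patent's code): a small BP network whose weights and
thresholds are first searched by an ant colony over a discrete grid and then
refined by back-propagation. Every number here is a constructed assumption."""
import math
import random

N_IN, N_HID, N_OUT = 3, 4, 1                        # assumed 3-4-1 topology
GRID = [i / 5.0 - 1.0 for i in range(11)]           # candidate weights/thresholds in [-1, 1]
N_PARAMS = N_IN * N_HID + N_HID + N_HID * N_OUT + N_OUT


def sigmoid(x):
    x = max(-60.0, min(60.0, x))                    # guard math.exp against overflow
    return 1.0 / (1.0 + math.exp(-x))


def make_dataset(n=60, seed=1):
    """Constructed situation assessment vectors (threat, vulnerability and
    traffic-anomaly scores in [0, 1]) with a constructed next-period value."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        x = [rng.random() for _ in range(N_IN)]
        data.append((x, sigmoid(2.0 * x[0] + 1.5 * x[1] * x[2] - 1.0)))
    return data


def unpack(p):
    """Split the flat vector into hidden weights, hidden thresholds,
    output weights and the output threshold."""
    w1 = [p[k * N_IN:(k + 1) * N_IN] for k in range(N_HID)]
    i = N_IN * N_HID
    b1, w2, b2 = p[i:i + N_HID], p[i + N_HID:i + 2 * N_HID], p[i + 2 * N_HID]
    return w1, b1, w2, b2


def forward(p, x):
    w1, b1, w2, b2 = unpack(p)
    h = [sigmoid(sum(w * xi for w, xi in zip(w1[k], x)) + b1[k]) for k in range(N_HID)]
    return h, sigmoid(sum(w * hk for w, hk in zip(w2, h)) + b2)


def mse(p, data):
    return sum((forward(p, x)[1] - y) ** 2 for x, y in data) / len(data)


def ant_colony_search(data, n_ants=20, n_iter=30, rho=0.3, tol=0.005, seed=2):
    """Each ant picks one grid value per parameter in proportion to pheromone;
    the best path of the round deposits pheromone after evaporation. The search
    stops when the best error is within tol (the 'set error range') or after
    n_iter rounds, and returns the best vector found and its error."""
    rng = random.Random(seed)
    tau = [[1.0] * len(GRID) for _ in range(N_PARAMS)]
    best_p, best_err = None, float("inf")
    for _ in range(n_iter):
        for _ in range(n_ants):
            p = [rng.choices(GRID, weights=tau[j])[0] for j in range(N_PARAMS)]
            err = mse(p, data)
            if err < best_err:
                best_p, best_err = p, err
        if best_err <= tol:
            break
        for j in range(N_PARAMS):                   # evaporate, then reinforce the best path
            tau[j] = [t * (1.0 - rho) for t in tau[j]]
            tau[j][GRID.index(best_p[j])] += 0.5 / (best_err + 0.01)
    return best_p, best_err


def back_propagate(p, data, lr=0.5, epochs=300):
    """Batch gradient-descent BP starting from the ant colony's vector."""
    p = list(p)
    for _ in range(epochs):
        grad = [0.0] * N_PARAMS
        for x, y in data:
            h, out = forward(p, x)
            _, _, w2, _ = unpack(p)
            d_out = (out - y) * out * (1.0 - out)
            d_hid = [d_out * w2[k] * h[k] * (1.0 - h[k]) for k in range(N_HID)]
            for k in range(N_HID):
                for j in range(N_IN):
                    grad[k * N_IN + j] += d_hid[k] * x[j]
                grad[N_IN * N_HID + k] += d_hid[k]
                grad[N_IN * N_HID + N_HID + k] += d_out * h[k]
            grad[N_PARAMS - 1] += d_out
        p = [pj - lr * g / len(data) for pj, g in zip(p, grad)]
    return p, mse(p, data)


def train_predictor(seed=1):
    """Returns (error after ant colony search, error after BP refinement)."""
    data = make_dataset(seed=seed)
    p0, err_aco = ant_colony_search(data)
    _, err_bp = back_propagate(p0, data)
    return err_aco, err_bp


if __name__ == "__main__":
    aco, bp = train_predictor()
    print(f"MSE after ant colony search: {aco:.4f}, after BP refinement: {bp:.4f}")
```

The ant colony stage plays the role the description assigns to it: it supplies the starting weights and thresholds from a global search so that the gradient stage does not have to start from an arbitrary random point, and the `tol` check is the "set error range" that ends the search early.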
  • the BP neural network model conducts correlation analysis on events, data sources, log data and so on, evaluates the security situation, vulnerabilities and potential threats of the network, comprehensively evaluates the hidden dangers of the network system, and reports to the network expert decision-making system, which provides an active defense emergency plan.
  • when the network security situation mapping unit 130 performs network system perception mapping, it can construct a multi-field perception mapping information system, including security situation analysis of network systems such as artificial intelligence, Internet of Things, cloud computing and big data.
  • the technical means of this system realize the inspection and comprehensive analysis of network risks, and according to the analysis results and the defense measures given by the expert system, evaluate the current risk status of the network, and take active defense measures in time.
  • the network security situation mapping unit 130 first uses the situation evaluation module 131 to analyze the results of the data output of the entire network system, thereby improving the security of the network system;
  • the ant colony algorithm is used to improve the evaluation method of the network system, further improve the accuracy of the network system security prediction, and send the prediction results to the expert decision-making system to realize the active defense of the network system.
  • the network security situation awareness self-adaptive active defense system thus constituted adapts to the network, has active learning and memory capabilities, can predict hidden dangers existing in the network and realize active defense, and at the same time can analyze the hidden safety hazards existing in the network, predict the development trend of the future network security status, provide preventive measures and emergency response plans, and continuously improve its active defense capability.
  • the following example illustrates how this network security situational awareness adaptive active defense system dynamically manages the network, gives early warning of hidden network security risks, and realizes active and adaptive defense of the network.
  • the network security situational awareness adaptive active defense system is divided into three stages when it dynamically manages the network and proactively and predictably warns and protects the network: situational awareness, situational understanding and situational mapping.
  • the system collects network data information in real time, analyzes and processes the collected network data, and then judges abnormal behaviors to form corresponding situation awareness data.
  • the network situation information here includes information such as asset business data, log data, network traffic, firewall information, vulnerability information, and various vulnerability scanning device information.
  • the collected network situation information is preprocessed by classifying and verifying; here, the collected data can be preprocessed specifically by data processing methods such as data classification, regression, and clustering.
  • model the preprocessed data extract data features, and perform element analysis; here, the analysis mainly focuses on the characteristics, data attributes, data quantity, data proportion, etc. of the data.
  • In situation understanding, the system denormalizes and processes the situation awareness data, and analyzes and understands the attack behavior through association analysis of that data to form network security situation understanding data.
  • The situation awareness data is first analyzed for data correlation; this analysis covers multiple dimensions such as network environment security, management, traffic data and asset information, so as to achieve a comprehensive assessment of network risk.
  • In situation mapping, the system analyzes and fuses the network security situation understanding data, evaluates the network security situation to form network security situation assessment data, and then performs quantitative prediction of the network security situation from that data through the BP neural network model.
  • When the system performs quantitative forecasting of the network security situation, it first conducts network threat assessment and security assessment on the basis of the situation understanding data to form network security situation assessment data;
  • the OODA model, the JDL model and the RPD model are used in forming the network security situation assessment data.
  • The network situation assessment data is then comprehensively analyzed and processed by the BP neural network combined with the ant colony algorithm model to complete the assessment, analysis and inference of the network security situation, predict the future network security situation, and drive the network expert decision-making system to give corresponding results.
  • Combining the BP neural network with the ant colony algorithm, which is used to optimize the network weights globally, overcomes the BP neural network's tendency to fall into a local optimum and can find initial values that fit the system.
  • The accuracy of network training and of system security prediction is thereby improved, ensuring that potential risks can be judged accurately before the network system is attacked.
  • The BP neural network and the ant colony algorithm have powerful parallel distributed computing capability, and the security situation of the network at different times is interrelated.
  • The algorithm has global optimization capability, analyzes the internal rules of change of the network system, and effectively predicts possible attacks, among other things.
  • The system writes the data into a data log and saves it.
  • The system performs event correlation analysis on the data processed by the algorithm to predict potential problems in the network security system, and reports the final processing results to the network expert decision-making system.
  • On the basis of the network prediction results, the network expert decision-making system implements the built-in emergency response and defense measures of the network security system, provides users with preventive methods that can be taken, issues security disposal strategies to the entire network system, actively protects the network system, quantitatively evaluates emergency events, gradually improves the event response capability, saves log data, and improves the system's adaptive and active defense capability.
  • The above method of the present invention, or the specific system units or some of them, are pure software architectures and can be deployed through program code on physical media such as hard disks, optical discs or any electronic device (such as a smart phone or a computer-readable storage medium); when a machine loads and executes the program code (for example, when a smart phone loads and executes it), the machine becomes a device for implementing the present invention.
  • The above method and device of the present invention can also be transmitted in the form of program code through transmission media such as cables, optical fibers or any other transmission mode; when a machine such as a smart phone loads and executes the program code, the machine becomes a means for carrying out the invention.

Abstract

Disclosed are a network security situation adaptive active defense system and method. In the solution, the network security development trend can be accurately predicted on the basis of a network model built by means of network security situation awareness, situation understanding, and situation mapping. First, information on security elements is collected; next, the collected data information is analyzed and integrated to determine data correlation, and analyze a network attack behavior; and finally, on the basis of data outputted by situation assessment, a network security status is predicted according to the result of network situation assessment. In the solution provided by the present invention, dynamic management of a network is achieved by predicting the network security situation in future development, so as to protect the network predictably.

Description

A network security situation adaptive active defense system and method

Technical field

The invention relates to network security technology, in particular to a network security protection system and adaptive active defense.

Background
Network security technology is the set of techniques that guard against latent network security hazards and prevent malicious-code attacks on network resources. A complete network system needs comprehensive protection, detection, response and recovery; the forms of network attack protection are many, such as security routers, firewall technology, disaster tolerance and recovery, and network survivability technologies.
However, current network security technology cannot achieve effective monitoring and early warning in network detection and in network security situation awareness, and network attack methods change constantly; most network security protection systems also lack the ability to learn autonomously in order to deal with complex and changing emergencies.
Therefore, if a traditional network security protection system could be combined with modern artificial intelligence algorithms, turning a static network protection strategy into a dynamically and adaptively learning protection system, it could not only anticipate attacks on the network system but also learn such attack behavior autonomously, greatly improving the capability of the network security protection system. However, existing network security protection solutions cannot be organically integrated with artificial intelligence algorithms to achieve a good dynamic adaptive learning effect; their active defense capability is weak and falls far short of the expected requirements.
It can thus be seen that how to change the network security system from passive protection to active protection, and from dynamic early warning to self-learning early warning, so as to improve the security and reliability of the network system, is a problem that urgently needs to be solved in this field.
Summary of the invention

Existing network defense approaches mainly suffer from passive defense or weak active defense capability, so this field needs an adaptive active network defense solution with strong defense capability.
To this end, the object of the present invention is to provide a network security situation adaptive active defense system, and a method for realizing adaptive active network defense based on that system. The solution provided by the invention can give early warning of the risks posed by hidden network security dangers and accomplish active and adaptive defense of the network.
To achieve the above object, the network security situation adaptive active defense system provided by the present invention comprises a network security situation awareness unit, a network security situation understanding unit and a network security situation mapping unit that are linked with one another, wherein:
the network security situation awareness unit collects network data information in real time, analyzes and processes the collected information, judges abnormal network attack behavior, and forms corresponding situation awareness data;
the network security situation understanding unit analyzes the correlation of the situation awareness data formed by the network security situation awareness unit, analyzes and understands the attack behavior, and forms network security situation understanding data;
the network security situation mapping unit analyzes and fuses the network security situation understanding data formed by the network security situation understanding unit, evaluates the network security situation to form network security situation assessment data, and then performs quantitative prediction of the network security situation from the assessment data through a BP neural network model.
Further, the adaptive active defense system is also linked with a network expert decision-making system, to which the quantified network security situation prediction results are transmitted.
Further, the network security situation awareness unit comprises a network situation information collection module, a data preprocessing module, a data modeling module and an analysis and judgment module;
the network situation information collection module collects network situation information in real time, the network situation information being information that can indicate the current state of the network;
the data preprocessing module preprocesses the network situation information collected by the network situation information collection module by classification and verification;
the data modeling module models the data processed by the data preprocessing module, extracts data features and performs element analysis;
the analysis and judgment module performs qualitative and quantitative analysis according to the data features extracted by the data modeling module and the results of the element analysis, and judges abnormal behavior according to the analysis results.
Further, the network security situation understanding unit comprises an associated attack analysis module and an attack behavior understanding module,
the associated attack analysis module analyzing the data correlation of the situation awareness data;
the attack behavior understanding module analyzing and understanding the attack behavior on the basis of the association analysis data formed by the associated attack analysis module, and identifying the attack intention and attack target, so as to form network security situation understanding data.
Further, the attack behavior understanding module performs its analysis by big data analysis methods, so as to carry out network situation assessment, network threat assessment and network situation prediction.
Further, the network security situation mapping unit comprises a situation assessment module and a quantitative prediction module,
the situation assessment module performing network threat assessment and security assessment on the basis of the situation understanding data to form network security situation assessment data;
the quantitative prediction module quantitatively predicting the development trend of the network security situation from the network security situation assessment data formed by the situation assessment module, using a BP neural network combined with the ant colony algorithm.
Further, the quantitative prediction module takes the network security situation assessment data as the neuron input of the BP neural network, determines the number of input-layer nodes and the number of output-layer nodes, establishes the network model, generates a sample database, determines the number of hidden-layer nodes, and uses the ant colony algorithm to update the weights and thresholds of the BP neural network.
To achieve the above object, the network security situation adaptive active defense method provided by the present invention comprises:
collecting network data information in real time, analyzing and processing the collected information, judging abnormal network attack behavior, and forming corresponding situation awareness data;
analyzing the correlation of the situation awareness data, analyzing and understanding the attack behavior, and forming network security situation understanding data;
analyzing and fusing the network security situation understanding data, evaluating the network security situation to form network security situation assessment data, and then performing quantitative prediction of the network security situation from the assessment data through a BP neural network model.
Further, the method also comprises the step of linking with the network expert decision-making system according to the quantitatively predicted development trend of the network security situation, so as to form active defense measures.
Further, when forming the corresponding situation awareness data, the method comprises:
collecting network situation information in real time, the network situation information being information that can indicate the current state of the network;
preprocessing the collected network situation information by classification and verification;
modeling the processed data, extracting data features and performing element analysis;
performing qualitative and quantitative analysis according to the extracted data features and the results of the element analysis, and judging abnormal behavior according to the analysis results.
Further, when forming the network security situation understanding data, the method comprises:
analyzing the data correlation of the situation awareness data;
analyzing and understanding the attack behavior on the basis of the association analysis data so formed, and identifying the attack intention and attack target, so as to form network security situation understanding data.
Further, when performing quantitative prediction of the network security situation, the method comprises:
performing network threat assessment and security assessment on the basis of the situation understanding data;
quantitatively predicting the development trend of the network security situation from the network security situation assessment data using a BP neural network combined with the ant colony algorithm.
Further, when quantitatively predicting the development trend of the network security situation, the method takes the network security situation assessment data as the neuron input of the BP neural network, determines the number of input-layer nodes and the number of output-layer nodes, establishes the network model, generates a sample database, determines the number of hidden-layer nodes, and uses the ant colony algorithm to update the weights and thresholds of the BP neural network.
The network security situation adaptive active defense solution provided by the present invention can actively defend against network security problems and provide adaptive network learning protection, carrying out active protection and autonomous improvement, and can thereby effectively raise the security capability of the network.
This solution also uses a BP neural network combined with the ant colony algorithm to process the network security situation data; this converges well when processing situation assessment data and is insensitive to the initial data.
Further, in this solution, the BP neural network combined with the ant colony algorithm can adapt to different network models, on the basis of the good self-learning ability and nonlinear adaptive model of the BP neural network.
Description of drawings

The present invention is further described below in conjunction with the accompanying drawings and specific embodiments.
Fig. 1 is a schematic diagram of the network security situation awareness adaptive active defense system of this example;
Fig. 2 is a schematic diagram of situation prediction by network security situation awareness in this example.

Detailed description of the embodiments
In order that the technical means, creative features, objects and effects achieved by the present invention may be easily understood, the invention is further explained below with reference to the specific illustrations.
The present invention provides a network security situation adaptive active defense scheme aimed at the security of a network system. The scheme organically integrates network security situation assessment, the BP neural network, the ant colony algorithm, network security situation prediction and an expert decision-making system; the organic integration and close cooperation of these four technical means realizes active monitoring, situation awareness, comprehensive analysis and adaptive-learning active defense for network security problems, can continuously learn from the security hazards present in the network and from network attack behavior, and further raises the active defense capability of network security.
Accordingly, the present invention provides a network security situation awareness adaptive active defense system to realize network security situation adaptive active defense. Fig. 1 shows an example of the composition of such a system.
As can be seen from the figure, the network security situation awareness adaptive active defense system 100 is a network model built mainly from a network security situation awareness unit 110, a network security situation understanding unit 120 and a network security situation mapping unit 130 cooperating with one another, and it realizes accurate prediction of the development trend of the network security status.
The network security situation awareness adaptive active defense system 100 first collects information from the corresponding data of the network system to be defended, then analyzes and integrates the collected data information, correlates the data and analyzes the behavior of attacks on the network, and finally, from the data output by situation assessment, uses the network situation assessment results to predict the network security status.
Specifically, the network security situation awareness unit 110 of this defense system collects network data information in real time, analyzes and processes the collected information, and judges abnormal behavior in order to form corresponding situation awareness data.
The behavior targeted here mainly comprises a series of network attack behaviors such as denial-of-service attacks, ransomware, vulnerability attacks and phishing.
The abnormal behavior here is the security behavior state of the whole network system, for example a series of network attack behaviors such as denial-of-service attacks, ransomware, vulnerability attacks and phishing; the current operating status of the network is used to judge whether the network has been attacked.
In a specific implementation, the network security situation awareness unit 110 can collect multi-source network situation information in real time and analyze and process the data information to form situation awareness data, which serves as the data source for the correlation analysis performed by the network security situation understanding unit 120.
Fig. 1 gives an example configuration of the network security situation awareness unit 110.
As the figure shows, the network security situation awareness unit 110 of this example is mainly composed of a network situation information collection module 111, a data preprocessing module 112, a data modeling module 113 and an analysis and judgment module 114 cooperating with one another.
The network situation information collection module 111 collects network situation information in real time.
Network situation information here is mainly information that can indicate the current network conditions, that is, the state the network is in at present. For example: how many network attacks the network system has defended against, or which attack it is currently suffering, together with the type, method and state of the attacks, and so on.
The collection of network situation information here includes detecting and obtaining important clues or elements such as network topology information, vulnerability information and network weaknesses, which serve as an important source for the security assessment of the network system, so that the network security status can be assessed before these elements are attacked and the necessary defensive measures can be taken in good time to ensure the security of information assets.
It should be noted that the collected network situation information is not limited to the above network topology information, vulnerability information and network weaknesses. In actual operation the kinds of information collected are many, including security data, event data, network structure data, network service data, vulnerability data, weakness data, threat and intrusion data, abnormal user behavior data and so on, so as to enrich the sources of network security data as far as possible and thereby improve the accuracy of the situation assessment results.
By way of example, this example extracts network data information at the element-extraction stage of network awareness; its data acquisition means mainly include host configuration checking tools, firewall and intrusion detection tools, password cracking tools, network device configuration checking tools, anti-virus software, database security checking tools, network scanning tools and system weakness detection tools; alternatively, the detected vulnerabilities and weaknesses are turned into network data information through asset lists, event reports, log information and the like, as data for security situation assessment and analysis.
The data preprocessing module 112 of this unit exchanges data with the network situation information collection module 111 and preprocesses the network situation information collected by that module.
By way of example, the data preprocessing module 112 accomplishes preprocessing by classifying and verifying the corresponding data information.
The way in which classification and verification are implemented is not limited here and may be determined by actual needs, so that the efficiency of data processing is guaranteed.
For example, network awareness data obtained from intrusion detection systems, scanning tools or hardware devices can be verified manually, automatically by a verification system, or by a combination of the two.
The data modeling module 113 of this unit exchanges data with the data preprocessing module 112, models the data processed by that module, extracts data features and performs element analysis.
The data modeling module 113 builds the corresponding data analysis model on the basis of a corresponding data analysis algorithm. The algorithm adopted and the way the model is built are not limited here and may be determined by actual needs.
Furthermore, the data analysis model built by the data modeling module 113 invokes the corresponding detection tools to analyze three major categories of elements, namely traffic information, vulnerability information and log alarm information, and obtains the data volume change rate of the current network layer, weakness data, threat and intrusion data, abnormal user behavior data and so on.
The analysis and judgment module 114 of this unit exchanges data with the data modeling module 113 and performs qualitative and quantitative analysis according to the data features extracted by the data modeling module 113 and the results of the element analysis, judging abnormal behavior and analyzing latent network security hazards on the basis of the analysis results.
When performing the qualitative and quantitative analysis, corresponding qualitative and quantitative analysis models can be built to complete the analysis and synthesis of the data; the specific analysis model is not limited here and may be determined by actual needs.
As an alternative, the qualitative and quantitative analysis and synthesis of the data can also be completed by subjective judgment, logical reasoning and similar means.
Through the corresponding qualitative and quantitative analysis, the corresponding network characteristics, change trends and so on are obtained, and the results of the analysis are combined with the communication between systems, database reads, log information, network traffic and the like to judge abnormal behavior and analyze latent network security hazards.
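The awareness unit just described (collection of multi-source records, preprocessing by classification and verification, extraction of features such as the data volume change rate, and a quantitative judgment of abnormal behavior and latent hazards) is shown end to end in the following added example. It is not code from the patent or its applicant: the record format (one JSON object per line), the hosts, byte counts, alert names, the required-field schema used for verification, and the thresholds in `judge()` are all constructed for the illustration. The last two input lines are deliberately malformed so that the verification step has something to reject.

```python
"""Added example of the situation awareness stage: classify and verify
multi-source records, extract per-host features, and judge abnormal behavior."""
import json
from collections import defaultdict

# Constructed input (hypothetical hosts and values, not from the patent): one JSON
# record per line from traffic probes, logs, a vulnerability scanner and a firewall,
# plus two deliberately malformed lines that verification must reject.
RAW_RECORDS = """\
{"source": "traffic", "t": 0, "host": "10.0.0.5", "bytes": 12000}
{"source": "traffic", "t": 1, "host": "10.0.0.5", "bytes": 12500}
{"source": "traffic", "t": 2, "host": "10.0.0.5", "bytes": 98000}
{"source": "traffic", "t": 0, "host": "10.0.0.9", "bytes": 5000}
{"source": "traffic", "t": 1, "host": "10.0.0.9", "bytes": 5200}
{"source": "traffic", "t": 2, "host": "10.0.0.9", "bytes": 4900}
{"source": "log", "t": 2, "host": "10.0.0.5", "event": "ids_alert", "detail": "dos-pattern"}
{"source": "log", "t": 2, "host": "10.0.0.5", "event": "ids_alert", "detail": "dos-pattern"}
{"source": "log", "t": 1, "host": "10.0.0.9", "event": "login_ok"}
{"source": "vuln", "host": "10.0.0.9", "severity": "high", "id": "VULN-ID-PLACEHOLDER"}
{"source": "firewall", "t": 2, "host": "10.0.0.5", "action": "drop"}
this line is not JSON
{"source": "traffic", "t": 3, "host": "10.0.0.5"}
"""

# Verification schema (assumed): the fields each source must carry to be accepted.
REQUIRED = {
    "traffic": {"t", "host", "bytes"},
    "log": {"t", "host", "event"},
    "vuln": {"host", "severity"},
    "firewall": {"t", "host", "action"},
}

def preprocess(text):
    """Classify records by source and verify them; returns (accepted, rejected)."""
    accepted, rejected = defaultdict(list), []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(line)
            continue
        src = rec.get("source")
        if src not in REQUIRED or not REQUIRED[src].issubset(rec):
            rejected.append(line)
            continue
        accepted[src].append(rec)
    return accepted, rejected

def extract_features(accepted):
    """Per-host features: traffic change rate between the last two samples,
    IDS alert count, high-severity vulnerability count and firewall drops."""
    feats = defaultdict(lambda: {"traffic_change_rate": 0.0, "ids_alerts": 0,
                                 "high_vulns": 0, "fw_drops": 0})
    by_host = defaultdict(list)
    for rec in accepted["traffic"]:
        by_host[rec["host"]].append((rec["t"], rec["bytes"]))
    for host, series in by_host.items():
        series.sort()
        if len(series) >= 2 and series[-2][1] > 0:
            feats[host]["traffic_change_rate"] = series[-1][1] / series[-2][1] - 1.0
    for rec in accepted["log"]:
        if rec["event"] == "ids_alert":
            feats[rec["host"]]["ids_alerts"] += 1
    for rec in accepted["vuln"]:
        if rec["severity"] == "high":
            feats[rec["host"]]["high_vulns"] += 1
    for rec in accepted["firewall"]:
        if rec["action"] == "drop":
            feats[rec["host"]]["fw_drops"] += 1
    return dict(feats)

def judge(features, rate_threshold=2.0, alert_threshold=2):
    """Quantitative rules (thresholds are assumptions): a host is abnormal when its
    traffic jumps or it accumulates IDS alerts; a host with open high-severity
    vulnerabilities but no attack evidence is recorded as a hidden danger."""
    abnormal, hidden = {}, []
    for host, f in features.items():
        reasons = []
        if f["traffic_change_rate"] > rate_threshold:
            reasons.append("traffic surge x%.1f" % (f["traffic_change_rate"] + 1))
        if f["ids_alerts"] >= alert_threshold:
            reasons.append("%d IDS alerts" % f["ids_alerts"])
        if reasons:
            abnormal[host] = reasons
        elif f["high_vulns"] > 0:
            hidden.append(host)
    return abnormal, hidden

def situation_awareness(text=RAW_RECORDS):
    """Full stage: preprocess -> features -> judgment, returned as awareness data."""
    accepted, rejected = preprocess(text)
    features = extract_features(accepted)
    abnormal, hidden = judge(features)
    return {"features": features, "abnormal": abnormal,
            "hidden_dangers": hidden, "rejected": len(rejected)}

if __name__ == "__main__":
    print(json.dumps(situation_awareness(), indent=2))
```

The output of `situation_awareness()` is the kind of structured awareness data the understanding unit consumes: hosts already showing attack evidence are separated from hosts that are merely exposed, and the count of rejected records makes the verification step auditable rather than silent.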
本防御系统中的网络安全态势理解单元120,用于网络安全态势感知单元110进行配合,对其形成的态势感知数据分析关联性,继而对攻击行为分析理解,形成网络安全态势理解数据。The network security situation understanding unit 120 in this defense system is used to cooperate with the network security situation awareness unit 110 to analyze the correlation of the situation awareness data formed by it, and then analyze and understand the attack behavior to form network security situation understanding data.
As shown in FIG. 1, an example configuration of the network security situation understanding unit 120 is given.
In this example the network security situation understanding unit 120 is mainly composed of an associated attack analysis module 121 and an attack behavior understanding module 122 that cooperate with each other.
Here, the associated attack analysis module 121 takes the situational awareness data formed by the network security situational awareness unit 110 as its input and analyzes the correlations within that data.
The correlation analysis of the situational awareness data referred to here mainly means analyzing data attributes of every kind, rule matches, behavior detections and the like, and determining the relationships between these pieces of information.
As an example, when evaluating and analyzing the situational awareness data, the associated attack analysis module 121 performs data processing and event correlation over multi-source data such as the security events, response reports and historical data generated by the network system, so that the security situation of the data produced by the network system is analyzed from every direction. This also allows the module to interwork with the network system's own defenses in carrying out the comprehensive analysis.
The attack behavior understanding module 122 of this unit exchanges data with the associated attack analysis module 121. On the basis of the correlation analysis data formed by module 121 it analyzes and understands the attack behavior and identifies the attack intent and attack target, thereby forming the network security situation understanding data.
Specifically, the attack behavior understanding module 122 applies big data analysis methods to the correlation analysis data formed by the associated attack analysis module 121, and on that basis carries out network situation assessment, network threat assessment and network situation prediction.
As an example, the big data analysis methods here include, but are not limited to, correlation analysis, data classification, induction, behavior detection, machine learning and similar approaches.
As an example, the attack behavior understanding module 122 uses the static or dynamic network security configuration elements obtained by situational awareness to identify the network attack behaviors present in the network system and their characteristics; by analyzing the correlations in the data it analyzes and understands the attack behavior, determines the attacker's target and intent, locates the network's weak points, formulates system protection strategies and carries out active defense. This further allows interworking with the network system's own defenses for comprehensive analysis.
The network security situation mapping unit 130 of this system cooperates with the network security situation understanding unit 120: it analyzes and fuses the network security situation understanding data formed by unit 120, evaluates the network security situation to form network security situation assessment data, and then uses a BP (back-propagation) neural network model to make a quantitative prediction of the network security situation from that assessment data.
As shown in FIG. 1, an example configuration of the network security situation mapping unit 130 is given.
As can be seen from the figure, the network security situation mapping unit 130 is mainly composed of a situation assessment module 131 and a quantitative prediction module 132 that cooperate with each other.
The situation assessment module 131 exchanges data with the network security situation understanding unit 120 and analyzes and fuses the situation understanding data formed by unit 120 in order to carry out network threat assessment and security assessment, forming the network security situation assessment data.
Specifically, the situation assessment module 131 evaluates at multiple levels and from multiple angles so as to assess the business security, data security, infrastructure security and overall security status of the network system, and it can select different assessment methods for different application backgrounds and network scales. As an example, the network security situation assessment data can be formed according to the OODA (observe, orient, decide, act) model, the JDL (Joint Directors of Laboratories) data fusion model or the RPD (recognition-primed decision) model.
The quantitative prediction module 132 of this unit exchanges data with the situation assessment module 131 and with the network expert decision system. It builds a situation assessment prediction model from a BP neural network combined with an ant colony algorithm, and uses that model to quantitatively predict the development trend of the network security situation from the network security situation assessment data formed by the situation assessment module.
The quantitative prediction module 132 also triggers the network expert decision system pre-emptively on the basis of the quantitative trend prediction, thereby improving the system's adaptive active defense capability.
Specifically, when quantitatively predicting the development trend of the network security situation, this scheme feeds the processed network security situation assessment data into the input layer of the BP neural network, continuously trains and updates the weights and thresholds of the neural network, and combines this with the ant colony algorithm for fast optimization, thereby arriving at a quantitative prediction of the trend.
As an example, in a concrete implementation the network security situation assessment data are used as the input quantities of the BP neural network algorithm; the network topology is built, and the number of BP neural network neurons, the weights and thresholds of each layer and other such information are initialized.
Next, the ant colony algorithm parameters are initialized and a solution space is constructed over the hidden layer of the BP neural network. If an ant selects a given path node, the weight and threshold of the previous layer at that path point are chosen from the traversed set; otherwise another path point is selected and jumped to.
On each path that an ant jumps along, the pheromone concentration of that path is updated in real time. When the ants have traversed the complete set of paths, it is judged whether the expected output value lies within the set error range; if it does, the expected result is sent to the BP neural network for learning. If the expected output value is not within the set error range, the current traversal count is incremented by one, the path record table is cleared, and the search for the system's optimal solution is repeated.
Once the optimal solution output satisfies the expected objective function, the optimal solution is sent to the BP neural network for repeated learning and training, obtaining the weights and thresholds of the optimal data and computing the error against the optimal output result, until the algorithm's termination condition is met.
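The ant colony search over the weight and threshold space followed by BP training, as described in the preceding steps, written out as an added worked example in Python. This is not code from the patent: the 3-4-1 sigmoid network, the seven-value candidate grid each ant chooses from, the pheromone constants, the error target of 0.02 and the ten constructed assessment samples are all assumptions made for the illustration, and the patent fixes none of them.

```python
import math
import random

# Constructed sample set (assumption, not data from the patent): each input row holds three
# normalized situation assessment indicators (threat level, vulnerability exposure, alert
# rate); the label is the situation value seen in the following period. All values in [0, 1].
SAMPLES = [
    ((0.10, 0.20, 0.05), 0.12), ((0.30, 0.25, 0.10), 0.26),
    ((0.45, 0.40, 0.30), 0.41), ((0.60, 0.35, 0.50), 0.51),
    ((0.70, 0.65, 0.60), 0.67), ((0.85, 0.80, 0.75), 0.82),
    ((0.20, 0.70, 0.15), 0.34), ((0.55, 0.15, 0.80), 0.47),
    ((0.90, 0.50, 0.20), 0.68), ((0.35, 0.90, 0.65), 0.56),
]
N_IN, N_HID, N_OUT = 3, 4, 1
# Flat parameter vector: hidden weights, hidden thresholds, output weights, output thresholds.
N_PARAMS = N_HID * N_IN + N_HID + N_OUT * N_HID + N_OUT
GRID = [-1.5, -1.0, -0.5, 0.0, 0.5, 1.0, 1.5]   # discretized solution space per parameter


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def unpack(p):
    a, b = N_HID * N_IN, N_HID * N_IN + N_HID
    c = b + N_OUT * N_HID
    w1 = [p[r * N_IN:(r + 1) * N_IN] for r in range(N_HID)]
    w2 = [p[b + r * N_HID:b + (r + 1) * N_HID] for r in range(N_OUT)]
    return w1, p[a:b], w2, p[c:c + N_OUT]


def forward(p, x):
    """Forward pass of the 3-4-1 sigmoid network; returns hidden and output activations."""
    w1, b1, w2, b2 = unpack(p)
    h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(w1, b1)]
    o = [sigmoid(sum(w * hi for w, hi in zip(row, h)) + b) for row, b in zip(w2, b2)]
    return h, o


def mse(p, samples=SAMPLES):
    return sum((forward(p, x)[1][0] - y) ** 2 for x, y in samples) / len(samples)


def ant_colony_init(rng, n_ants=12, max_rounds=30, target=0.02, rho=0.3, q=0.05):
    """Ant colony search over the discretized weight/threshold space. Each ant picks one grid
    value per parameter in proportion to pheromone; after every round the pheromone evaporates
    and the round's best path is reinforced. The path table is cleared and the round counter
    incremented until the best error is within `target` or the round budget is spent."""
    tau = [[1.0] * len(GRID) for _ in range(N_PARAMS)]
    best, best_err, rounds = None, float("inf"), 0
    while rounds < max_rounds and best_err > target:
        rounds += 1
        paths = []                                   # fresh path record table each round
        for _ in range(n_ants):
            choice = [rng.choices(range(len(GRID)), weights=tau[k])[0] for k in range(N_PARAMS)]
            paths.append((mse([GRID[g] for g in choice]), choice))
        err, choice = min(paths)
        if err < best_err:
            best, best_err = [GRID[g] for g in choice], err
        for k in range(N_PARAMS):
            tau[k] = [t * (1.0 - rho) for t in tau[k]]      # evaporation
            tau[k][choice[k]] += q / (err + 1e-9)            # deposit on the best path
    return best, best_err, rounds


def bp_train(p, epochs=5000, lr=0.5, samples=SAMPLES):
    """Full-batch back-propagation from the ant colony starting point; the best parameters
    seen are kept so a fixed learning rate cannot leave the network worse than it started."""
    p = list(p)
    best, best_err = list(p), mse(p, samples)
    for _ in range(epochs):
        grad = [0.0] * N_PARAMS
        for x, y in samples:
            _, _, w2, _ = unpack(p)
            h, o = forward(p, x)
            d_o = [(oi - y) * oi * (1.0 - oi) for oi in o]                       # output deltas
            d_h = [hi * (1.0 - hi) * sum(w2[j][i] * d_o[j] for j in range(N_OUT))
                   for i, hi in enumerate(h)]                                     # hidden deltas
            # gradient in the same flat order as unpack(): w1, b1, w2, b2
            parts = ([d_h[i] * xi for i in range(N_HID) for xi in x] + d_h
                     + [d_o[j] * hi for j in range(N_OUT) for hi in h] + d_o)
            grad = [g + gp for g, gp in zip(grad, parts)]
        p = [pi - lr * g / len(samples) for pi, g in zip(p, grad)]
        err = mse(p, samples)
        if err < best_err:
            best, best_err = list(p), err
    return best, best_err


def run_pipeline(seed=7):
    """Ant colony initial values, then BP refinement; returns the error at both stages."""
    init, aco_err, rounds = ant_colony_init(random.Random(seed))
    params, final_err = bp_train(init)
    return {"aco_mse": aco_err, "aco_rounds": rounds, "final_mse": final_err, "params": params}


def predict(params, x):
    """Quantified situation value predicted for the next period, in [0, 1]."""
    return forward(params, x)[1][0]
```

The ant colony stage plays exactly the role the description gives it: it only selects a starting point (the best path found within the error range or the round budget), and the gradient steps of back-propagation do the fine adjustment. Keeping the best parameters seen during training, rather than the last, is a small practical safeguard against the oscillation that a fixed learning rate can produce; `run_pipeline()` returns both errors so the contribution of each stage can be compared.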
When running, the network security situation mapping unit 130 so formed analyzes and fuses the situation understanding data, takes the situation-assessed data as the input data of the BP neural network model, and uses the ant colony algorithm to search further for the weights of the data, that is, the weight with which each datum influences the optimal result, finding the initial values best suited to the BP neural network model and using them as the optimal data source input. Drawing on its learning and memory capabilities, the BP neural network model performs correlation analysis on events, data sources, log data and so on, assesses the security situation, vulnerabilities and potential threats of the network, comprehensively evaluates the security risks present in the network system, and reports them to the network expert decision system, which provides an active defense emergency plan.
As an example, when the network security situation mapping unit 130 performs perception mapping of the network system, it can build a multi-domain perception mapping information system covering security situation analysis of network systems such as artificial intelligence, Internet of Things, cloud computing and big data; using the technical means of this system, network risks are inspected and comprehensively analyzed, and, according to the analysis results and the defense measures given by the expert system, the current risk state of the network is assessed and active defense measures are taken in time.
Specifically, the network security situation mapping unit 130 first uses the situation assessment module 131 to analyze the results output from the data of the entire network system, on which basis the security of the network system can be improved; it then uses the BP neural network combined with the ant colony algorithm in the quantitative prediction module 132 to improve the assessment method for the network system and further raise the accuracy of network system security prediction, and sends the prediction results to the expert decision system to realize active defense of the network system.
The network security situational awareness adaptive active defense system thus constituted adapts to the network, has active learning and memory capabilities, and can predict hidden dangers present in the network and realize active defense; at the same time it can analyze the security risks present in the network, predict the development trend of the future network security state, provide preventive measures and emergency response plans, and continuously improve its active defense capability.
The following example illustrates the process by which this network security situational awareness adaptive active defense system dynamically manages the network, gives early warning of the risks posed by hidden network security dangers, and realizes active and adaptive defense of the network.
Referring to FIG. 1, when dynamically managing the network and actively and pre-emptively warning about and protecting the network, the system operates in three phases: situational awareness, situation understanding and situation mapping.
Phase one: situational awareness.
First, in the network security situational awareness phase, the system collects network data in real time, analyzes and processes the collected network data, judges behavioral anomalies on that basis, and forms the corresponding situational awareness data.
That is, by analyzing the security behavior of the entire network system, for example a series of network attack behaviors such as denial-of-service attacks, ransomware, vulnerability exploitation and phishing, and taking the current operating state of the network into account, the system judges whether the network has been attacked and then forms the corresponding situational awareness data.
When performing network security situational awareness in this phase, network situation information is first collected in real time; the network situation information here includes asset and business data, log data, network traffic, firewall information, vulnerability information, information from the various vulnerability scanning devices, and the like.
Next, the collected network situation information is preprocessed by classification and validation; concretely, the collected data can be preprocessed using data processing methods such as classification, regression and clustering.
Next, the preprocessed data are modeled, data features are extracted and element analysis is performed; the analysis here mainly concerns the features of the data, data attributes, data volume, data proportions and so on.
Next, qualitative and quantitative analysis is carried out according to the extracted data features and the results of the element analysis, and behavioral anomalies are judged according to the results. Through this analysis, information such as network characteristics and change trends is obtained, which is then combined with internal communication within the network system, database reads, log information, network traffic and so on to judge behavioral anomalies.
Phase two: situation understanding.
In the situation understanding phase, the system applies de-normalization processing to the situational awareness data formed in the awareness phase and, through correlation analysis of that data, analyzes and understands the attack behavior to form the network security situation understanding data.
In a concrete implementation of this phase, the situational awareness data are first analyzed for correlations; the correlation analysis here covers multiple dimensions of data, including network environment security, management, traffic data and asset information, so that network risk is assessed comprehensively.
Next, based on the resulting correlation analysis data, the attack behavior is analyzed and understood and the attack intent and attack target are identified, forming the network security situation understanding data.
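Phases one and two as one added example in Python, not code from the patent, run over a constructed batch of firewall flows, authentication events, an IDS alert and a vulnerability scan finding. The source types, field names, thresholds (five distinct destination ports for a scan, a 75% failure ratio over at least three logins for brute force) and the stage-to-intent mapping are assumptions for the illustration. The collection, classification and validation, feature extraction and qualitative/quantitative judgement steps of phase one produce the anomaly verdicts; the correlation and attack-understanding steps of phase two turn a flagged source's events across all sources into an attack chain with an inferred target and intent.

```python
from collections import defaultdict

# Constructed multi-source situation records (assumption, not real telemetry): firewall
# flows, authentication events, one IDS alert and one vulnerability scan finding.
RECORDS = [
    {"src_type": "firewall", "ts": 100, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 22, "action": "allow"},
    {"src_type": "firewall", "ts": 101, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 80, "action": "allow"},
    {"src_type": "firewall", "ts": 102, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 443, "action": "allow"},
    {"src_type": "firewall", "ts": 103, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 3306, "action": "allow"},
    {"src_type": "firewall", "ts": 104, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 8080, "action": "deny"},
    {"src_type": "firewall", "ts": 105, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 445, "action": "deny"},
    {"src_type": "auth", "ts": 120, "src": "10.0.0.5", "dst": "10.0.1.20", "user": "root", "result": "fail"},
    {"src_type": "auth", "ts": 121, "src": "10.0.0.5", "dst": "10.0.1.20", "user": "root", "result": "fail"},
    {"src_type": "auth", "ts": 122, "src": "10.0.0.5", "dst": "10.0.1.20", "user": "admin", "result": "fail"},
    {"src_type": "auth", "ts": 123, "src": "10.0.0.5", "dst": "10.0.1.20", "user": "admin", "result": "fail"},
    {"src_type": "ids", "ts": 140, "src": "10.0.0.5", "dst": "10.0.1.20", "sig": "SQL injection attempt"},
    {"src_type": "vulnscan", "ts": 50, "host": "10.0.1.20", "service": "mysql/3306", "finding": "outdated version"},
    {"src_type": "firewall", "ts": 110, "src": "10.0.0.9", "dst": "10.0.1.30", "dport": 443, "action": "allow"},
    {"src_type": "auth", "ts": 111, "src": "10.0.0.9", "dst": "10.0.1.30", "user": "alice", "result": "ok"},
    {"src_type": "firewall", "ts": 112, "src": "10.0.0.9", "dst": "10.0.1.30"},  # malformed, fails validation
]
REQUIRED = {"firewall": ("src", "dst", "dport", "action"), "auth": ("src", "dst", "user", "result"),
            "ids": ("src", "dst", "sig"), "vulnscan": ("host", "service", "finding")}
STAGE_ORDER = ["port_scan", "brute_force", "exploit_attempt"]
INTENT = {"port_scan": "reconnaissance", "brute_force": "credential access", "exploit_attempt": "exploitation"}


def preprocess(records):
    """Phase one, classification and validation: bucket records by source type in time
    order and drop any record that lacks the fields its type requires."""
    buckets = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        need = REQUIRED.get(r.get("src_type"))
        if need and all(k in r for k in need):
            buckets[r["src_type"]].append(r)
    return buckets


def extract_features(buckets):
    """Phase one, feature extraction per source host: volume, attribute diversity, counts."""
    feats = defaultdict(lambda: {"flows": 0, "ports": set(), "denied": 0, "auth": 0, "auth_fail": 0, "alerts": 0})
    for r in buckets["firewall"]:
        f = feats[r["src"]]
        f["flows"] += 1
        f["ports"].add(r["dport"])
        f["denied"] += int(r["action"] == "deny")
    for r in buckets["auth"]:
        f = feats[r["src"]]
        f["auth"] += 1
        f["auth_fail"] += int(r["result"] != "ok")
    for r in buckets["ids"]:
        feats[r["src"]]["alerts"] += 1
    return feats


def judge_anomalies(feats, scan_ports=5, fail_ratio=0.75, min_auth=3):
    """Phase one, quantitative thresholds (assumed values) mapped to qualitative labels."""
    verdicts = {}
    for host, f in feats.items():
        labels = []
        if len(f["ports"]) >= scan_ports:
            labels.append("port_scan")
        if f["auth"] >= min_auth and f["auth_fail"] / f["auth"] >= fail_ratio:
            labels.append("brute_force")
        if f["alerts"]:
            labels.append("exploit_attempt")
        if labels:
            verdicts[host] = labels
    return verdicts


def understand(buckets, verdicts):
    """Phase two: correlate a flagged source's events across all sources into an ordered
    attack chain, take its most-contacted destination as the target, read the intent from
    the furthest stage reached, and attach any scan finding known for that target."""
    findings = {r["host"]: r["service"] + ": " + r["finding"] for r in buckets["vulnscan"]}
    out = []
    for host, labels in verdicts.items():
        hits = defaultdict(int)
        for kind in ("firewall", "auth", "ids"):
            for r in buckets[kind]:
                if r["src"] == host:
                    hits[r["dst"]] += 1
        target = max(hits, key=hits.get)
        stages = [s for s in STAGE_ORDER if s in labels]
        out.append({"attacker": host, "target": target, "stages": stages,
                    "intent": INTENT[stages[-1]], "known_weakness": findings.get(target)})
    return out


def run_pipeline(records=RECORDS):
    buckets = preprocess(records)
    verdicts = judge_anomalies(extract_features(buckets))
    return verdicts, understand(buckets, verdicts)
```

In this run only 10.0.0.5 is flagged, with all three stages against 10.0.1.20, and the scan finding on that host's MySQL service is attached to the understanding record; the benign session from 10.0.0.9 is left alone and the malformed flow is discarded during validation rather than being allowed to skew the per-host proportions.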
Phase three: situation mapping.
In the situation mapping phase, the system analyzes and fuses the network security situation understanding data, evaluates the network security situation to form network security situation assessment data, and then uses the BP neural network model to make a quantitative prediction of the network security situation from that assessment data.
Referring to FIG. 2, when quantitatively predicting the network security situation the system first performs network threat assessment and security assessment on the basis of the situation understanding data, forming the network security situation assessment data.
In this assessment, evaluation at multiple levels and from multiple angles is used to assess the business security, data security, infrastructure security and overall security status of the network, and different assessment methods are selected for different application backgrounds and network scales; for example, the OODA, JDL and RPD models can be used to form the network security situation assessment data.
Next, the network situation assessment data are comprehensively analyzed and processed by the BP neural network combined with the ant colony algorithm model, completing the assessment, analysis and inference of the network security situation, predicting the future network security situation, and driving the network expert decision system to issue the corresponding emergency handling measures, respond with security policies and defend actively.
In this phase the BP neural network is combined with the ant colony algorithm: the ant colony algorithm performs a global optimization of the network weights, which mitigates the tendency of the BP neural network model to settle in a local optimum and finds initial values that fit the system, improving the prediction accuracy of network training and system security and ensuring that potential risks can be judged accurately before the network system is attacked.
At the same time, the BP neural network and the ant colony algorithm have strong parallel distributed computing capability; because the security situations of the network at different moments are correlated with one another and the algorithm has a global optimization capability, it can analyze the patterns of change inside the network system and effectively predict possible attack behavior and the like.
In this phase, after the situation assessment data have been processed by the algorithm, the system writes the data into a data log and saves it; at the same time the system performs event correlation analysis on the algorithm-processed data, predicts problems that may exist in the network security system, and reports the final processing results to the network expert decision system.
Meanwhile, according to the network prediction results, the network expert decision system applies the emergency response defense measures built into the network security system, provides users with preventive measures they can take, issues security handling policies to the entire network system and actively protects it; it also quantitatively evaluates emergency events, gradually improves the response capability for events, saves log data and improves the system's adaptive active defense capability.
Finally, it should be pointed out that the above method of the present invention, or specific system units or parts thereof, are pure software architectures that can be deployed by means of program code on physical media such as hard disks, optical discs or any electronic device (such as a smartphone or a computer-readable storage medium); when a machine loads and executes the program code (for example when a smartphone loads and executes it), the machine becomes an apparatus for implementing the present invention. The above method and apparatus of the present invention may also be transmitted in the form of program code through transmission media such as cables, optical fibers or any other transmission mode; when the program code is received, loaded and executed by a machine (such as a smartphone), the machine becomes an apparatus for implementing the present invention.
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited by the above embodiments; the above embodiments and the description merely illustrate the principles of the present invention, and various changes and improvements may be made without departing from the spirit and scope of the present invention, all of which fall within the scope of the claimed invention. The scope of protection of the present invention is defined by the appended claims and their equivalents.

Claims (13)

  1. A network security situation adaptive active defense system, characterized in that it comprises a network security situational awareness unit, a network security situation understanding unit and a network security situation mapping unit linked with one another, wherein
    the network security situational awareness unit collects network data information in real time, analyzes and processes the collected information, judges anomalous network attack behavior, and forms corresponding situational awareness data;
    the network security situation understanding unit analyzes the correlations of the situational awareness data formed by the network security situational awareness unit, analyzes and understands the attack behavior, and forms network security situation understanding data;
    the network security situation mapping unit analyzes and fuses the network security situation understanding data formed by the network security situation understanding unit, evaluates the network security situation to form network security situation assessment data, and then quantitatively predicts the network security situation by means of a BP neural network model based on the network security situation assessment data.
  2. The network security situation adaptive active defense system according to claim 1, characterized in that the adaptive active defense system is further linked with a network expert decision system and transmits the quantified network security situation prediction results to the network expert decision system.
  3. The network security situation adaptive active defense system according to claim 1, characterized in that the network security situational awareness unit comprises a network situation information collection module, a data preprocessing module, a data modeling module and an analysis and judgement module, wherein
    the network situation information collection module collects network situation information in real time, the network situation information being information capable of indicating the current network state;
    the data preprocessing module performs classification and validation preprocessing on the network situation information collected by the network situation information collection module;
    the data modeling module models the data processed by the data preprocessing module, extracts data features and performs element analysis;
    the analysis and judgement module performs qualitative and quantitative analysis according to the data features extracted by the data modeling module and the results of the element analysis, and judges behavioral anomalies according to the analysis results.
  4. The network security situation adaptive active defense system according to claim 1, characterized in that the network security situation understanding unit comprises an associated attack analysis module and an attack behavior understanding module, wherein
    the associated attack analysis module analyzes the correlations of the situational awareness data;
    the attack behavior understanding module, based on the correlation analysis data formed by the associated attack analysis module, analyzes and understands the attack behavior and identifies the attack intent and attack target, so as to form network security situation understanding data.
  5. The network security situation adaptive active defense system according to claim 4, characterized in that the attack behavior understanding module performs its analysis by means of big data analysis, so as to carry out network situation assessment, network threat assessment and network situation prediction.
  6. The network security situation adaptive active defense system according to claim 1, characterized in that the network security situation mapping unit comprises a situation assessment module and a quantitative prediction module, wherein
    the situation assessment module performs network threat assessment and security assessment based on the situation understanding data to form network security situation assessment data;
    the quantitative prediction module quantitatively predicts the development trend of the network security situation from the network security situation assessment data formed by the situation assessment module, based on a BP neural network combined with an ant colony algorithm.
  7. The network security situation adaptive active defense system according to claim 6, characterized in that the quantitative prediction module takes the network security situation assessment data as the neuron input of the BP neural network, determines the number of input layer nodes and the number of output layer nodes, establishes the network model, generates a sample database, determines the number of hidden layer nodes, and uses the ant colony algorithm to update the weights and thresholds of the BP neural network.
  8. A network security situation adaptive active defense method, characterized in that it comprises:
    collecting network data information in real time, analyzing and processing the collected information, judging anomalous network attack behavior, and forming corresponding situational awareness data;
    analyzing the correlations of the situational awareness data, analyzing and understanding the attack behavior, and forming network security situation understanding data;
    analyzing and fusing the network security situation understanding data, evaluating the network security situation to form network security situation assessment data, and then quantitatively predicting the network security situation by means of a BP neural network model based on the network security situation assessment data.
  9. The network security situation adaptive active defense method according to claim 8, characterized in that the method further comprises the step of linking with a network expert decision system according to the quantitatively predicted development trend of the network security situation, so as to form active defense measures.
  10. The network security situation adaptive active defense method according to claim 8, characterized in that forming the corresponding situational awareness data comprises:
    collecting network situation information in real time, the network situation information being information capable of indicating the current network state;
    performing classification and validation preprocessing on the collected network situation information;
    modeling the processed data, extracting data features and performing element analysis;
    performing qualitative and quantitative analysis according to the extracted data features and the results of the element analysis, and judging behavioral anomalies according to the analysis results.
  11. The network security situation adaptive active defense method according to claim 8, characterized in that forming the network security situation understanding data comprises:
    analyzing the correlations of the situational awareness data;
    based on the resulting correlation analysis data, analyzing and understanding the attack behavior and identifying the attack intent and attack target, so as to form network security situation understanding data.
  12. The network security situation adaptive active defense method according to claim 8, characterized in that quantitatively predicting the network security situation comprises:
    performing network threat assessment and security assessment based on the situation understanding data;
    quantitatively predicting the development trend of the network security situation from the network security situation assessment data, based on a BP neural network combined with an ant colony algorithm.
  13. The network security situation adaptive active defense method according to claim 12, characterized in that, when quantitatively predicting the development trend of the network security situation, the method takes the network security situation assessment data as the neuron input of the BP neural network, determines the number of input layer nodes and the number of output layer nodes, establishes the network model, generates a sample database, determines the number of hidden layer nodes, and uses the ant colony algorithm to update the weights and thresholds of the BP neural network.
PCT/CN2021/137767 2021-11-02 2021-12-14 Network security situation adaptive active defense system and method WO2023077617A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111289950.7A CN113965404B (en) 2021-11-02 2021-11-02 Network security situation self-adaptive active defense system and method
CN202111289950.7 2021-11-02

Publications (1)

Publication Number Publication Date
WO2023077617A1 true WO2023077617A1 (en) 2023-05-11

Family

ID=79468990

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/137767 WO2023077617A1 (en) 2021-11-02 2021-12-14 Network security situation adaptive active defense system and method

Country Status (2)

Country Link
CN (1) CN113965404B (en)
WO (1) WO2023077617A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001940A (en) * 2022-05-27 2022-09-02 北京双湃智安科技有限公司 Association security situation analysis method based on artificial intelligence
CN115296873A (en) * 2022-07-26 2022-11-04 北京科能腾达信息技术股份有限公司 Computer network safety controller, medium, equipment and terminal
CN115348067A (en) * 2022-08-09 2022-11-15 广东电力发展股份有限公司沙角A电厂 Intelligent network security detection system and method
CN115664697B (en) * 2022-09-01 2023-06-13 国网河南省电力公司信息通信公司 Multistage cascade Internet of things situation awareness system
CN115189970B (en) * 2022-09-13 2022-12-20 珠海市鸿瑞信息技术股份有限公司 Network security analysis system and method of security situation awareness system
CN116015903A (en) * 2022-12-29 2023-04-25 南京仁可科技有限公司 Network security situation awareness comprehensive analysis system and method thereof
CN116340749A (en) * 2023-02-10 2023-06-27 中建照明有限公司 Building energy abnormality monitoring system and method based on big data
CN116192520A (en) * 2023-03-02 2023-05-30 湖北盈隆腾辉科技有限公司 Secure communication management method and system based on big data
CN116389148B (en) * 2023-04-14 2023-12-29 深圳市众云网有限公司 Network security situation prediction system based on artificial intelligence
CN117097569B (en) * 2023-10-19 2023-12-19 南京怡晟安全技术研究院有限公司 Network security situation diagnosis method and system based on multi-node relevance

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110261710A1 (en) * 2008-09-26 2011-10-27 Nsfocus Information Technology (Beijing) Co., Ltd. Analysis apparatus and method for abnormal network traffic
CN107122869A (en) * 2017-05-11 2017-09-01 中国人民解放军装备学院 The analysis method and device of Network Situation
CN110380897A (en) * 2019-07-04 2019-10-25 湖北央中巨石信息技术有限公司 Network security situation awareness model and method based on improved BP
CN110620759A (en) * 2019-07-15 2019-12-27 公安部第一研究所 Network security event hazard index evaluation method and system based on multidimensional correlation

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108494810B (en) * 2018-06-11 2021-01-26 中国人民解放军战略支援部队信息工程大学 Attack-oriented network security situation prediction method, device and system
CN110381013A (en) * 2019-05-28 2019-10-25 三明学院 A kind of network safety situation sensing control method, apparatus, equipment and storage medium
CN111628981B (en) * 2020-05-21 2022-09-23 公安部第三研究所 Network security system and method capable of being linked with application system
CN113486337A (en) * 2021-06-18 2021-10-08 北京电子科技学院 Network security situation element identification system and method based on particle swarm optimization

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116566729A (en) * 2023-06-15 2023-08-08 广州谦益科技有限公司 Network security operation analysis method and device based on security cloud, electronic equipment and storage medium
CN116566729B (en) * 2023-06-15 2024-02-13 广州谦益科技有限公司 Network security operation analysis method and device based on security cloud, electronic equipment and storage medium
CN116471124B (en) * 2023-06-19 2023-11-21 国信金宏(成都)检验检测技术研究院有限责任公司 Computer network safety prediction system for analyzing based on big data information
CN116471124A (en) * 2023-06-19 2023-07-21 长通智能(深圳)有限公司 Computer network safety prediction system for analyzing based on big data information
CN116827658A (en) * 2023-07-17 2023-09-29 青岛启弘信息科技有限公司 AI intelligent application security situation awareness prediction system and method
CN116827658B (en) * 2023-07-17 2024-01-16 青岛启弘信息科技有限公司 AI intelligent application security situation awareness prediction system and method
CN116668194B (en) * 2023-07-27 2023-10-10 北京弘明复兴信息技术有限公司 Network security situation assessment system based on Internet centralized control platform
CN116668194A (en) * 2023-07-27 2023-08-29 北京弘明复兴信息技术有限公司 Network security situation assessment system based on Internet centralized control platform
CN116886582A (en) * 2023-08-21 2023-10-13 扬州大自然网络信息有限公司 Network security assessment recording method and system based on BP neural network
CN116886582B (en) * 2023-08-21 2024-01-30 扬州大自然网络信息有限公司 Network security assessment recording method and system based on BP neural network
CN117040912A (en) * 2023-09-13 2023-11-10 湖南新生命网络科技有限公司 Network security operation and maintenance management method and system based on data analysis
CN117040912B (en) * 2023-09-13 2024-01-05 湖南新生命网络科技有限公司 Network security operation and maintenance management method and system based on data analysis
CN117014230A (en) * 2023-10-07 2023-11-07 天云融创数据科技(北京)有限公司 Network security situation awareness method and system based on big data
CN117478363B (en) * 2023-10-11 2024-04-19 新疆能源(集团)哈密清洁能源有限责任公司 Photovoltaic power network safety monitoring system and method based on industrial Internet situation awareness
CN117395166A (en) * 2023-12-11 2024-01-12 四海良田(天津)智能科技有限公司 Intelligent agricultural management platform based on Internet of things
CN117395166B (en) * 2023-12-11 2024-02-13 四海良田(天津)智能科技有限公司 Intelligent agricultural management platform based on Internet of things
CN117614741A (en) * 2024-01-18 2024-02-27 中诚华隆计算机技术有限公司 Network security vulnerability position detection method and system
CN117614741B (en) * 2024-01-18 2024-04-02 中诚华隆计算机技术有限公司 Network security vulnerability position detection method and system

Also Published As

Publication number Publication date
CN113965404B (en) 2023-06-02
CN113965404A (en) 2022-01-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21963123

Country of ref document: EP

Kind code of ref document: A1