CN102821007A - Network security situation awareness system based on self-discipline computing and processing method thereof - Google Patents


Info

Publication number: CN102821007A
Authority: CN (China)
Prior art keywords: situation, module, network, attack, security
Legal status: Granted
Application number: CN2012102759864A
Other languages: Chinese (zh)
Other versions: CN102821007B (en)
Inventors: 郑瑞娟, 吴庆涛, 张明川, 杨春蕾, 赵旭辉, 魏汪洋, 李冠峰
Current Assignee: Henan gunz Information Technology Co., Ltd
Original Assignee: Henan University of Science and Technology
Application filed by: Henan University of Science and Technology
Priority: CN201210275986.4A (patent CN102821007B)
Publications: CN102821007A (application), CN102821007B (granted)
Current legal status: Active


Abstract

The invention discloses a network security situation awareness system based on self-discipline computing and a processing method thereof. The network security situation awareness system comprises a managed resource, an Agent cooperation layer module, a sensor, an effector module and a self-discipline manager module, wherein the Agent cooperation layer module is connected with the managed resource and the self-discipline manager module; and the sensor and the effector module are respectively connected with the Agent cooperation layer module and the self-discipline manager module. The network security situation awareness system has the advantages that the system structure and the situation extraction for situation awareness are improved, the system environment is adjusted autonomously to adapt to the environment change dynamically, so that dynamic allocation of resources, dynamic synthesis of services and dynamic correction of system parameters are realized.

Description

A network security situation awareness system based on autonomic computing and its processing method
Technical field
The present invention relates to the technical field of network security, specifically to a network security situation awareness system based on autonomic computing and its technical scheme.
Background
With the spread of networks, the threats they face keep growing, and computer viruses, Trojan horse programs and DoS/DDoS attacks are increasingly rampant. To keep networks operating securely, the technologies currently in use, such as intrusion detection, firewalls and virus detection, are passive defence measures: they can only inspect the system locally, and the information they obtain is not correlated. Against this background, since the concept of network security situation awareness was proposed in 2000 [1], research on related models and methods has quickly become a new hotspot.
Network security situation awareness is a new technology that arose in response to the need for network security monitoring. In the network security field, many fusion architectures have been built for intrusion detection; among them, the framework proposed by Bass [1], which performs data fusion over the distributed multi-sensors of intrusion detection systems, is relatively typical and generally accepted by the industry. The structure is divided into five layers: the data extraction layer, the attack object identification layer, the situation assessment layer, the threat assessment layer and the resource management layer. The layers build on one another and embody the process "data -> information -> knowledge". The data layer is mainly responsible for extracting useful data from security devices such as intrusion detection sensors and sniffers. The attack object identification layer performs space-time calibration of the observations acquired by the data layer and correlates and preprocesses them to recognize attacks. The situation assessment layer is a process of dynamic, intelligent reasoning: by analysing the relationships between the attacks recognized by the attack object identification layer, it assesses the current security situation of the whole network. The threat assessment layer builds on the situation assessment layer; it estimates the destructive capability of malicious attacks and the degree of threat to the whole network, and its task is to assess how frequently attacks occur and how much they threaten the network. The resource management layer tracks and evaluates the operation of the whole fusion system, directs the allocation of the fusion system, and receives and carries out the tasks and plans of the threat assessment layer as well as the coordination and cooperation with other security devices.
In terms of awareness and assessment strategies, document [2] proposes an immunity-based network security situation awareness method. The method uses an immunity-based intrusion detection model as the basis of situation awareness and detects both known and unknown intrusion behaviour in the network; according to the correspondence between changes in antibody concentration in the immune system and the pathogen intrusion rate, it assesses the network security situation quantitatively, and it predicts the network security situation with a grey-Markov method. By applying artificial immune techniques to network security situation awareness and identifying malicious attack behaviour, it achieves real-time, quantitative analysis and prediction of the current security situation and future trend of the network system, and gives the network information system the same self-learning ability and adaptivity as the immune system. This strengthens the system's immunity and survivability, mitigates the harm caused by network attacks, and gives administrators a basis for formulating reasonable and accurate response decisions, improving the emergency response capability of the network information system. Document [3] is the first to propose a quantitative network security situation awareness method based on CRFs (Conditional Random Fields). The method takes the alert information of intrusion detection systems as the elements of network security situation awareness and combines it with the vulnerabilities and state of hosts; it defines a network security threat degree to better reflect the risk to the network, classifies attacks, and performs effective feature selection. The method reflects network risk well and quantifies the network security situation. Document [4] identifies attack factors that have complementary association relationships, correlates the attack factors using fuzzy data fusion techniques, and performs the corresponding situation fusion at three levels (service, host and network) using statistical techniques, proposing a security situation assessment method for networked systems based on fuzzy data fusion. Document [5] proposes a method of assessing Internet security situation using honeynets; the method collects a large amount of network intrusion information with honeynets and can analyse the security situation of the current network.
2. Prior art one related to the present invention
2.1 Technical scheme of prior art one
Document [6] proposes a network security situation awareness scheme based on a Markov game model. A Markov game combines game theory with Markov decision processes (MDP) and considers the decisions of multiple participants. The security data detected by multiple sensors is fused to obtain normalized data on assets, threats and vulnerabilities. For each threat, its propagation pattern is analysed and a corresponding threat propagation network is built. The behaviour of threats, administrators and ordinary users is analysed to build a three-party Markov game model, and the related algorithms are analysed and optimized so that the assessment can run in real time. The Markov game model can dynamically assess the security situation of the system, provide the administrator with an optimal hardening scheme, and effectively suppress the spread of threats.
The system framework proposed by the scheme detects the various security information of the network system with multiple sensors, assesses the security situation of the system and its trend according to the situation awareness model, and provides a security hardening scheme. It mainly comprises the following modules:
1) Data acquisition: the operation of the network system is monitored by multiple sensors, which detect a large amount of raw security data;
2) Situation understanding: methods such as normalization analysis, redundancy detection and conflict detection are used to analyse the raw data and obtain a normalized data set;
3) Situation assessment: a situation assessment algorithm analyses the data from the situation understanding module and describes the security situation of the system quantitatively;
4) Situation prediction: a situation prediction algorithm analyses how the situation changes and predicts the trend of the system's security situation;
5) Hardening scheme generation: the weakest nodes of the system are analysed and a hardening scheme is provided to guide the administrator in improving system security.
Based on this framework, the scheme gives a situation awareness flow and divides the situation awareness process into two parts: quantitative situation assessment based on Markov game analysis, and situation prediction based on time series analysis.
Quantitative situation assessment is the core of situation awareness. First, the security data detected by the data acquisition module is fused into an asset set, a threat set, a vulnerability set and network structure information; this data is stored in a database as a normalized data set and can be accessed and modified in real time. A threat propagation network (TPN) is then built for each threat in the threat set. Next, Markov game analysis is applied to the behaviour of the threat, the administrator and ordinary users to assess the confidentiality situation of a single threat and give the optimal hardening scheme. Finally, the confidentiality situations of all threats in the threat set are analysed together to assess the confidentiality situation of the system. The integrity situation and availability situation of the system are assessed in the same way, and the confidentiality, integrity and availability situations are weighted according to the application background and requirements to assess the security situation of the whole system in its current state.
Situation prediction is based on the situation assessment results. The security situations of the system at different times are correlated, and this correlation can be used to analyse how the situation changes with time series analysis and so predict the system's security situation.
2.2 Shortcomings of prior art one
The security hardening scheme provided by the network security situation awareness scheme based on the Markov game model finds well the nodes and paths on which a given threat does the most harm, effectively suppresses the spread of threats, and improves the security of the system. However, the scheme has the following shortcomings:
1) The complexity of the threat propagation network makes the state space very large, so assessment of large-scale networks is inefficient and requires some approximation, and the approximation may affect the accuracy of the assessment result.
2) Because attackers' methods are varied and cunning, attack strategies and defence countermeasures are hard to control when this method is used for situation assessment, so it is difficult to realize in practice.
3) The influence of defence mechanisms on the overall network security state is not considered; the security situation of the whole network is assessed only from the angle of attacks or vulnerabilities. The whole situation awareness process also lacks adaptivity.
3. Prior art two related to the present invention
3.1 Technical scheme of prior art two
Document [7] proposes a hierarchical quantitative assessment scheme for network security threat situation. Using IDS alert information and network performance indicators, and according to the importance of the services and hosts themselves and the organizational structure of the network system, the scheme proposes a hierarchical quantitative assessment model of network security threat situation, with its corresponding calculation method, that follows a bottom-up, local-first-then-overall assessment strategy. On the basis of statistics of alert frequency, alert severity and network bandwidth usage, the importance factors of services and hosts are weighted, the threat indices of services, hosts and the whole network system are calculated, and the security threat situation is then assessed and analysed. On the one hand, this provides an intuitive security threat situation graph that frees administrators from analysing massive logs and gives them a macroscopic understanding of the system's security threat status; on the other hand, security trends and patterns can be found from the situation graph, so that the system's security policy can be adjusted and the security of the network system improved.
By scale and hierarchy, a real system can be decomposed into three levels (system, host and service), and most attacks target a particular service on a host in the system. Using system decomposition, and according to the system's organizational structure, the scheme proposes a hierarchical quantitative assessment model of network system security threat situation, as shown in Figure 1. From top to bottom it is divided into four levels (network system, host, service and attack/vulnerability) and adopts the assessment strategy "from top to bottom, local first, then overall". Taking IDS alerts and vulnerability information as raw data and combining them with network resource consumption, it finds the threat status of the services each host provides: at the attack layer it statistically analyses the severity and frequency of attacks and the network bandwidth occupancy, and then assesses the security threat status of the corresponding services. On this basis it comprehensively assesses the security status of the hosts in the network system. Finally it assesses the security threat situation of the whole LAN system according to the network architecture.
In Fig. 4, the attack layer includes the attacks that a classical network IDS can detect, mainly of three major types: probing, privilege escalation and DoS. Among them, DoS attacks (A1, ..., Am) exploit flaws in protocol design, exhausting network resources by continuously sending large numbers of datagrams to the target host and making services unavailable; that is, a DoS attack threatens the security of all services of the system.
3.2 Shortcomings of prior art two
The hierarchical quantitative assessment model of network security threat situation proposed by the scheme directly provides the security threat situation at three levels (the whole network system, hosts and services), so that network administrators can understand the system's security situation in time, find the reasons for security changes, adjust the security policy, and ensure the system's security is maximized. The system has been applied well in the Net-Keeper system. However, the scheme still has the following deficiencies:
1) The security threat situation assessment is based on the alert logs of network intrusion detection sensors and on network bandwidth occupancy, but this information cannot fully reflect the attacks of hackers.
2) The analytic hierarchy process (AHP) it uses suffers to some extent from problems such as index weights that are set too subjectively and absolutely, and consistency correction that relies too heavily on outside participation.
3) How to integrate self-discipline (autonomic) features and dynamically adjust the configuration and corresponding operating parameters of the network security situation awareness system according to changes in the system's current state, security and environment parameters, so as to achieve true self-adaptation, is not addressed.
Summary of the invention
To solve the above technical problems, the present invention designs a testing machine capable of accurately measuring the traction force of lubricating oil; the system architecture and the situation extraction for situation awareness are improved, and the system environment is regulated autonomously so that it adapts dynamically to environmental change, realizing dynamic configuration of resources, dynamic composition of services and dynamic correction of system parameters.
To remedy the deficiencies of the above technical problems, the technical scheme adopted by the present invention is: a network security situation awareness system based on autonomic computing, comprising a managed resource, an Agent cooperation layer module, a sensor and effector module, and a self-discipline manager module. The Agent cooperation layer module connects the managed resource and the self-discipline manager module, and the sensor and effector module is connected to the Agent cooperation layer module and to the self-discipline manager module respectively.
The Agent cooperation layer module captures information about the managed resource and preprocesses it to remove redundancy, then passes the information to the self-discipline manager module; it receives the feedback from the self-discipline manager module and autonomously regulates the system environment so that it adapts dynamically to environmental change, realizing dynamic configuration of resources, dynamic composition of services and dynamic correction of system parameters;
The sensor and effector module, connected to the Agent cooperation layer module, needs to define a unified standard interface to enable communication between the software and hardware provided by different suppliers, shielding the heterogeneity that arises from differences in internal structure.
The self-discipline manager module of the present invention comprises a knowledge base module, a situation extraction module, a situation prediction module and an autonomous response module:
Knowledge base module: contains state-judgement knowledge, plan knowledge, problem-solving knowledge and pattern-matching knowledge, and provides knowledge support to the situation extraction module, the situation prediction module and the autonomous response module;
Situation extraction module: extracts effective situation information, i.e. attack factors;
Situation assessment module, connected to the situation extraction module: by recognizing the security events in the situation information and using the association relationships between them, calculates the threat to services, hosts and the network, and so analyses the current network security situation;
Situation prediction module, connected to the situation assessment module: predicts the future network security situation from the past and current network security situation;
Autonomous response module: using the plan knowledge and problem-solving knowledge in the knowledge base, responds in real time to the behaviour features extracted by the situation extraction module and regulates autonomously according to the situation value produced by situation assessment.
The situation extraction module of the present invention comprises a network security data source integration platform module, an anomaly module and a self-discipline associative learning module:
Network security data source integration platform module: performs integrated processing of multi-source heterogeneous data and provides data support to the upper-layer modules;
Anomaly module: using pattern matching, detects the various attacks that may be present in the network against the abnormal behaviour library, and updates the abnormal behaviour library in real time;
Self-discipline associative learning module: correlates, consolidates and comprehensively analyses attack features against the records of original attack features in the abnormal behaviour library to find how potential security hazards form and develop; predicts abnormal conditions that may arise and early signs of abnormality; realizes self-discipline associative learning of attack behaviour features using the methods of diagnosis prediction and intelligent decision, and adds the learning results to the abnormal behaviour library, thereby realizing associative learning of unknown attack behaviour and rapid extraction of effective situation information;
Cluster analysis module, connected to the self-discipline associative learning module: clusters and discriminates the self-discipline associative learning results using the dissimilarity calculation (DSimC) clustering method. The feature attributes considered are mainly source/destination IP, source/destination port, detection time and attack class; the dissimilarity of each is calculated separately, and finally the overall dissimilarity is calculated;
Fusion analysis module, connected to the cluster analysis module: performs fusion analysis of the aggregated security information using exponentially weighted DS evidence theory (EWDS), further reducing the volume of security information and identifying attacks.
Clustering the self-discipline associative learning results with the DSimC clustering method specifically comprises:
Step 1: Cluster the alerts using a calculation of the distance between related attributes. Assume there are two alerts [formula image 001] and [formula image missing], and use the formula
[formula image 003]
to calculate the dissimilarity between the two alerts, where n is the number of attributes in the two alerts, k denotes one of the n attributes, [formula image 005] denotes the weight of attribute k in the alert dissimilarity, and [formula image 007] denotes the dissimilarity of alerts [formula image 009] and [formula image 011] on attribute k;
Step 2: Based on the attribute distance calculation and the thresholds set in advance, make the clustering and discrimination decision.
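The following Python example is added here and is not taken from the patent. It clusters constructed IDS alerts by a weighted per-attribute dissimilarity over the attributes the text names (source/destination IP, source/destination port, detection time, attack class); the weighted-mean form, the per-attribute distance functions, the weights, the time window and the threshold are all assumptions, because the patent's formula images are not reproduced on this page.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Alert:
    sensor: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    time: float          # detection time in seconds
    attack_class: str


# Assumed values: the page names the attributes but not their weights.
WEIGHTS = {"src_ip": 2.0, "dst_ip": 2.0, "src_port": 0.5,
           "dst_port": 1.5, "time": 2.0, "attack_class": 2.0}
TIME_WINDOW = 60.0       # alerts this many seconds apart are fully dissimilar in time
THRESHOLD = 0.25         # alerts at or below this dissimilarity share a cluster


def ip_dissimilarity(a: str, b: str) -> float:
    """0.0 for identical addresses, rising to 1.0 as the shared prefix shrinks."""
    diff = int(IPv4Address(a)) ^ int(IPv4Address(b))
    return diff.bit_length() / 32.0


def attribute_dissimilarity(x: Alert, y: Alert) -> dict:
    """Dissimilarity of two alerts on each attribute k, each in [0, 1]."""
    return {
        "src_ip": ip_dissimilarity(x.src_ip, y.src_ip),
        "dst_ip": ip_dissimilarity(x.dst_ip, y.dst_ip),
        "src_port": float(x.src_port != y.src_port),
        "dst_port": float(x.dst_port != y.dst_port),
        "time": min(abs(x.time - y.time) / TIME_WINDOW, 1.0),
        "attack_class": float(x.attack_class != y.attack_class),
    }


def dissimilarity(x: Alert, y: Alert, weights=WEIGHTS) -> float:
    """Weighted mean of the per-attribute dissimilarities (assumed form)."""
    per_attr = attribute_dissimilarity(x, y)
    return sum(w * per_attr[k] for k, w in weights.items()) / sum(weights.values())


def cluster(alerts, threshold=THRESHOLD):
    """Leader clustering: an alert joins the closest cluster whose first
    alert is within the threshold, otherwise it starts a new cluster."""
    clusters = []
    for alert in sorted(alerts, key=lambda a: a.time):
        scored = [(dissimilarity(c[0], alert), i) for i, c in enumerate(clusters)]
        best = min(scored, default=None)
        if best is not None and best[0] <= threshold:
            clusters[best[1]].append(alert)
        else:
            clusters.append([alert])
    return clusters


# Constructed sample alerts (documentation address ranges, two hypothetical sensors).
SAMPLE_ALERTS = [
    Alert("ids-a", "203.0.113.7", "192.0.2.10", 40001, 80, 0.0, "dos"),
    Alert("ids-b", "203.0.113.7", "192.0.2.10", 40002, 80, 5.0, "dos"),
    Alert("ids-a", "203.0.113.9", "192.0.2.10", 40001, 80, 12.0, "dos"),
    Alert("ids-a", "198.51.100.23", "192.0.2.20", 51000, 22, 30.0, "probe"),
    Alert("ids-b", "198.51.100.23", "192.0.2.20", 51000, 22, 31.0, "probe"),
]

if __name__ == "__main__":
    for number, members in enumerate(cluster(SAMPLE_ALERTS), start=1):
        sensors = sorted({a.sensor for a in members})
        print(f"cluster {number}: {len(members)} alerts, "
              f"class={members[0].attack_class}, sensors={sensors}")
```

Raising a weight makes disagreement on that attribute split clusters sooner; the threshold trades fewer, broader clusters against more, tighter ones.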
Fusing the clustering results with EWDS specifically comprises:
Step 1: Take the clustering results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation;
Step 2: Combine the evidence using DS evidence combination;
Step 3: Apply the fusion decision rule of the basic probability function to the combined basic probability assignment values to make the decision, and extract the situation elements.
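The following Python example is added here and is not taken from the patent. It combines per-sensor evidence for one alert cluster with Dempster's rule and then applies a threshold decision rule; the patent's exponential weighting (EWDS) formula is not reproduced on this page, so classical Shafer discounting by each sensor's detection rate stands in for it, and the frame of discernment, the sensor reports and the decision thresholds are constructed assumptions.

```python
from itertools import product

# Frame of discernment (assumed): the three attack types named earlier on the page.
THETA = frozenset({"dos", "probe", "privilege_escalation"})


def only(label):
    """Focal element containing a single hypothesis."""
    return frozenset({label})


def discount(mass, alpha):
    """Shafer discounting: scale each focal element by the sensor reliability
    alpha and move the remaining mass to total ignorance (THETA)."""
    out = {focal: alpha * m for focal, m in mass.items() if focal != THETA}
    out[THETA] = 1.0 - alpha + alpha * mass.get(THETA, 0.0)
    return out


def combine(m1, m2):
    """Dempster's rule of combination for two mass functions."""
    fused, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        common = b & c
        if common:
            fused[common] = fused.get(common, 0.0) + mb * mc
        else:
            conflict += mb * mc          # mass assigned to contradictory hypotheses
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: the sources cannot be combined")
    return {focal: m / (1.0 - conflict) for focal, m in fused.items()}


def fuse(reports):
    """reports: iterable of (detection_rate, mass function), one per sensor."""
    fused = {THETA: 1.0}                 # vacuous belief is the neutral element
    for rate, mass in reports:
        fused = combine(fused, discount(mass, rate))
    return fused


def decide(mass, min_belief=0.6, min_gap=0.2, max_unknown=0.2):
    """Accept the best single hypothesis only if it is strong enough, clearly
    ahead of the runner-up, and little mass is left on THETA; else None."""
    singles = sorted(((m, next(iter(f))) for f, m in mass.items() if len(f) == 1),
                     reverse=True)
    if not singles:
        return None
    top, label = singles[0]
    runner_up = singles[1][0] if len(singles) > 1 else 0.0
    if (top >= min_belief and top - runner_up >= min_gap
            and mass.get(THETA, 0.0) <= max_unknown):
        return label
    return None


# Constructed reports for one cluster: (sensor detection rate, basic probability assignment).
SAMPLE_REPORTS = [
    (0.9, {only("dos"): 0.8, THETA: 0.2}),
    (0.7, {only("dos"): 0.6, only("probe"): 0.3, THETA: 0.1}),
    (0.5, {only("probe"): 0.7, THETA: 0.3}),
]

if __name__ == "__main__":
    fused = fuse(SAMPLE_REPORTS)
    for focal, m in sorted(fused.items(), key=lambda item: -item[1]):
        print(f"{'|'.join(sorted(focal)):35s} {m:.4f}")
    print("decision:", decide(fused))
```

A low detection rate moves most of a sensor's mass to THETA, so an unreliable sensor that disagrees with the others shifts the fused result only slightly instead of vetoing it.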
The specific assessment procedure of the situation assessment module of the present invention is as follows:
Step 1: Divide the network system into layers, then quantify the indicators of each layer. The network system is divided into a network layer, a host layer and an attack-defence layer. The network layer is made up of the different hosts; the host layer is made up of the services, security measures and so on that are running; the attack-defence layer mainly considers two parts, the services and the security factors running on the host;
Step 2: Calculate the network security situation value at each level. The service security situation of the target network at time t is defined as:
[formula image 013]
where [formula image 015] is the service security situation value; s denotes a service currently provided by the target network; k denotes the kinds of attack the service is subjected to; N denotes the number of attacks suffered by the service; D denotes the severity of the attacks; N(t) denotes the number of attacks occurring at time t; and D(t) denotes the severity of the attacks at time t. The threat degree of an attack is calculated with [formula image 017], which reflects the degree of influence of high-threat attacks on the service security situation. The larger [formula image 015] is, the greater the threat to service s;
The host defensive strength of the target network at time t is defined as:
[formula image 019]
where [formula image 021] is the defensive strength value of the host, [formula image 023] denotes the importance weight of a security attribute on the host, SM denotes the security measures running on the host, and ed denotes the degree of influence of SM on the security attribute. The larger [formula image missing] is, the stronger the security defence capability of host Host;
The host security situation of the target network at time t is defined as:
[formula image 025]
where [formula image 027] is the security situation value of the host, H denotes a host in the target network, [formula image 029] denotes the weight of a service among all the services opened by the host, [formula image missing] is the service security situation value, and [formula image missing] denotes the defensive strength of the host. The larger [formula image 027] is, the greater the threat to host Host; the security administrator should take note and adjust the defence policy in time to respond;
The network security situation of the target network at time t is defined as:
[formula image 031]
where [formula image 033] is the network security situation value, [formula image 035] denotes the weight of a host's importance in the LAN being assessed, and [formula image 027] is the security situation value of the host. The larger [formula image missing] is, the greater the threat to the network system; when [formula image 033] exceeds the normal state, the autonomous response component responds and autonomously regulates the system environment so that it adapts dynamically to environmental change.
The specific prediction steps of the situation prediction module of the present invention are as follows:
Step 1: From the historical and current situation values, define a multiple-input single-output situation prediction function for services, hosts and the network system,
[formula image 037]
and the corresponding error function G(V):
[formula image 039]
where k denotes the kinds of attack the service is subjected to; [formula image 043] and [formula image 045] denote the actual output and the desired output of the m-th neuron of layer p respectively, corresponding to the situation prediction value; [formula image missing] is the flow parameter input at each single point in the communication process; and V in the formula denotes, respectively, the attack severity d, the service weight [formula image 046] and the host importance weight [formula image 035] of the hierarchical situation assessment model;
Step 2: Train the neural network so that the fitness deviation [formula image 048] tends to zero, adjust the weights of the specified parameters by self-learning, find the optimal parameter combination, and finally output the trained situation prediction curve.
A processing method for the network security situation awareness system based on autonomic computing:
Step one: the Agent cooperation layer processes the data provided by the managed resource using the multi-attribute auction method and finally passes the information to the self-discipline manager module;
Step two: the self-discipline manager processes the data provided by the Agent cooperation layer;
Step three: the situation extraction component extracts attack behaviour features. If there is abnormal behaviour that does not match the attack behaviour features in the knowledge base, the autonomous response component is called to respond; using the pattern-matching knowledge and plan knowledge in the knowledge base, it autonomously regulates the system environment so that it adapts dynamically to environmental change, realizing dynamic configuration of resources, dynamic composition of services and dynamic correction of system parameters, and the situation assessment stage, i.e. step four, is then entered. If there is no unknown attack behaviour, the situation assessment stage, i.e. step four, is entered directly;
Step four: based on the extracted situation information, the network system is divided into layers using the analytic hierarchy process, and the current network security situation is analysed and assessed. If the situation value does not conform to the plan knowledge in the situation knowledge base, the autonomous response component responds and autonomously regulates the system environment so that it adapts dynamically to environmental change, and step five is then entered; if it conforms, step five is entered directly;
Step five: the future network security situation is predicted from the historical information and current state of the network security situation; the optimal parameter combination is found, and the trained situation prediction curve is finally output.
Multi-Attribute Auction method of the present invention solves the problems such as resource distribution, task are distributed, and to optimize systematic function, its method is:
Define multi-Attribute Auction Model
Figure 2012102759864100002DEST_PATH_IMAGE050
, wherein, the space that A is made up of the attribute of all items,
Figure 2012102759864100002DEST_PATH_IMAGE052
, the article being auctioned has n attribute, span is
Figure 2012102759864100002DEST_PATH_IMAGE056
;The attribute vector that a is article is made, and
Figure 2012102759864100002DEST_PATH_IMAGE058
,
Figure 2012102759864100002DEST_PATH_IMAGE060
In auction, B is only buyer, and B needs to buy commodity;
S is the set being made up of the seller, comprising the m seller,
Figure 2012102759864100002DEST_PATH_IMAGE062
, each seller can provide the article of different attribute;
V: 
Figure 2012102759864100002DEST_PATH_IMAGE064
For B attribute weight function(R is real number set), i.e.,
Figure 2012102759864100002DEST_PATH_IMAGE066
Represent evaluations of the seller B according to attribute a to article;
Figure 2012102759864100002DEST_PATH_IMAGE068
, wherein
Figure 2012102759864100002DEST_PATH_IMAGE070
It is expressed as Item Cost function, then
Figure 2012102759864100002DEST_PATH_IMAGE072
It is exactly the Item Cost value that the seller calculates according to attribute a;
Result is conclusion of the business scheme,, wherein
Figure 2012102759864100002DEST_PATH_IMAGE076
denotes the transaction price, and the transaction attribute vector is
Figure 716158DEST_PATH_IMAGE060
; buyer B's payoff is then
Figure 2012102759864100002DEST_PATH_IMAGE078
, and the seller's payoff is
Figure 2012102759864100002DEST_PATH_IMAGE082
 ; 
The auction proceeds in four steps:
Step 1: The seller announces the evaluation function
Figure 919606DEST_PATH_IMAGE084
(which may differ from V);
Step 2: Each seller i submits a sealed-bid asking price
Figure 126914DEST_PATH_IMAGE088
Step 3: Determine the winning seller. The buyer first determines the set of candidate winning sellers
Figure 77552DEST_PATH_IMAGE090
Figure 645544DEST_PATH_IMAGE092
,
Figure 998028DEST_PATH_IMAGE094
is
Figure 878259DEST_PATH_IMAGE096
's asking price). If , then there is no winning seller and the auction ends; if
Figure 923761DEST_PATH_IMAGE100
, then the winning seller is chosen at random; and let
Figure 396331DEST_PATH_IMAGE102
, wherein
Figure 447463DEST_PATH_IMAGE104
,,
Figure DEST_PATH_IMAGE107
, and it is easy to see that
Figure DEST_PATH_IMAGE109
, wherein
Figure 998793DEST_PATH_IMAGE092
,
Figure DEST_PATH_IMAGE111
Figure 410051DEST_PATH_IMAGE113
intuitively denotes the maximum of the elements that remain after one maximum element is removed; for example,
Figure 379068DEST_PATH_IMAGE117
intuitively denotes the highest price among the sellers other than the winning seller
Figure 2012102759864100002DEST_PATH_IMAGE120
;
Step 4: The winning seller proposes a transaction scheme, and a valid proposal must satisfy; the winning seller and the buyer then conclude the deal under this transaction scheme, and the auction ends.
The beneficial effects of the present invention are:
1. The invention gives the system good adaptivity: it can obtain situation information effectively, perceive the current security situation of the network accurately, predict the future network security situation quickly, adapt dynamically and intelligently to complex environments, and effectively guide future autonomous decision-making. This lightens the administrator's burden, reduces management cost, and further addresses the complexity of network security management.
2. The defense mechanism is strong, with strong controllability in the situation assessment stage; the security situation of the whole network can be assessed comprehensively, with good flexibility and adaptivity.
Brief description of the drawings
Fig. 1 is a structural diagram of the invention;
Fig. 2 is the situation extraction flow chart of the invention;
Fig. 3 is a structural diagram of the layering of the network system of the invention;
Fig. 4 is a structural diagram of the hierarchical network system security threat situation evaluation model of the invention;
Embodiment
The system includes the following modules:
Managed Resource (MR) module: mainly comprises multiple, distributed sources such as databases, application modules, routers, servers, host logs, firewall alert information and network packets. The MRs are scheduled and managed uniformly by the Agent collaboration layer.
Agent collaboration layer module: connected to the MR module. For different types of MR, different intelligent Agents are used to provide data support for the autonomic manager; these Agents are entities capable of running independently. The Agent entities capture MR information and pre-process it, removing redundancy, and finally pass the information to the autonomic manager (Autonomic Manager, AM). Meanwhile, the Agent collaboration layer receives feedback from the AM and autonomously regulates the system environment so that it adapts dynamically to environmental change, realizing dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters.
Sensor and effector module: connected to the Agent collaboration layer module. Unified standard interfaces need to be defined so that software and hardware from different suppliers can communicate, shielding the heterogeneity that arises from differences in internal structure.
Situation extraction module: extracts effective situation information, i.e. attack factors.
Situation assessment module: connected to the situation extraction module. By identifying the security events in the situation information and using the correlations between them, it calculates the threat to services, hosts and the network, and thereby analyzes the current network security situation.
Situation prediction module: connected to the situation assessment module; predicts the future network security situation from the past and current network security situation.
Autonomous response module: using Kp and Ks in the knowledge base, it responds in real time to the behavioral features extracted by the situation extraction module and autonomously regulates the situation value obtained from assessment.
As shown in the situation extraction flow chart of the present invention, the situation extraction module includes the following modules:
Network security data source integration platform module: integrates multi-source heterogeneous data and represents it uniformly as XML, providing data support for the upper-layer modules. The data mainly include alert information and system log information from security devices such as intrusion detection systems (IDS) and firewalls.
Anomaly module: uses pattern-matching techniques to detect the various attacks that may be present in the network according to the abnormal behavior library, and updates the abnormal behavior library in real time.
Autonomic associative learning module: correlates, integrates and comprehensively analyzes attack signatures against the records of original attack features in the abnormal behavior library, to find how security hazards form and develop; it predicts abnormal conditions that may arise and early signs of abnormality, realizes autonomic associative learning of attack features using diagnostic prediction and intelligent decision methods, and adds the learning results to the abnormal behavior library. This realizes associative learning of unknown attack behavior and rapid extraction of effective situation information.
Cluster analysis module: connected to the autonomic associative learning module; clusters and discriminates the autonomic associative learning results using the dissimilarity calculation (DSimC) clustering method. The feature attributes considered are mainly source/destination IP, source/destination port, detection time and attack class; the dissimilarity of each is calculated separately, and the overall dissimilarity is then calculated.
Fusion analysis module: connected to the cluster analysis module; performs fusion analysis on the aggregated security information using exponentially weighted DS evidence theory (EWDS), further reducing the volume of security information and identifying attacks.
The situation extraction process comprises the following steps:
Step A: Data source integration. Multi-source heterogeneous data are integrated and represented uniformly as XML, providing data support for the upper-layer modules. The data mainly include alert information and system log information from security devices such as intrusion detection systems (IDS) and firewalls.
Step B: Anomaly detection. Pattern-matching techniques are used to detect the various attacks that may be present in the network according to the abnormal behavior library, and the abnormal behavior library is updated in real time.
Step C: Autonomic associative learning. Attack signatures are correlated, integrated and comprehensively analyzed against the records of original attack features in the abnormal behavior library, to find how security hazards form and develop; abnormal conditions that may arise and early signs of abnormality are predicted, autonomic associative learning of attack features is realized using diagnostic prediction and intelligent decision methods, and the learning results are added to the abnormal behavior library. This realizes associative learning of unknown attack behavior and rapid extraction of effective situation information.
Step D: Cluster analysis is performed on the autonomic associative learning results, with the following specific steps:
Step D1: Cluster the alerts using the correlated-attribute distance method. Suppose there are two alerts
Figure 944227DEST_PATH_IMAGE009
and
Figure 63493DEST_PATH_IMAGE125
; use the formula
Figure 253166DEST_PATH_IMAGE003
to calculate the dissimilarity between the two alerts, where n is the number of attributes in the two alerts, k denotes one of the n attributes,
Figure 152989DEST_PATH_IMAGE005
denotes the weight of attribute k in the corresponding alert dissimilarity,
Figure 407515DEST_PATH_IMAGE007
denotes the dissimilarity on attribute k of the alerts and
Figure 7441DEST_PATH_IMAGE011
.
Step D2: Based on the correlated-attribute distance and the thresholds set in advance, perform clustering and make the discrimination decision.
Step E: Fuse the clustering results using EWDS, specifically:
Step E1: Take the clustering results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation.
Step E2: Combine the evidence using DS evidence combination.
Step E3: Apply the fusion decision rule of the basic probability function to the combined basic probability assignment values to make the decision, and extract the situation elements.
As shown in the hierarchical diagram of the network system, the quantitative calculation steps for each layer are as follows:
Step A: The network system is layered, and the layered indices are then calculated quantitatively. The network system is divided into a network layer, a host layer and an attack-defense layer. The network layer is made up of different hosts; the host layer is made up of the services, security measures and so on that the host runs; the attack-defense layer mainly considers two parts, the services running on the host and the security factors.
Step B: Calculate the network security situation value at each level.
Step B1: Calculate the service security situation of the target network. The security situation of a service is related to the service's normal access volume, the attack intensity and the attack threat degree; the quantitative formula is as follows:
Figure 2012102759864100002DEST_PATH_IMAGE126
Wherein, the computed quantity is the service security situation value; s denotes a service currently provided by the target network; k denotes the kinds of attack the service is subjected to; N denotes the number of attacks the service suffers; D denotes the severity of the attacks; N(t) denotes the number of attacks occurring at time t; D(t) denotes the severity of the attacks at time t. The threat degree of an attack is calculated using
Figure 581510DEST_PATH_IMAGE017
which is intended to better reflect the influence of high-threat attacks on the service security situation.
Figure 888995DEST_PATH_IMAGE015
The larger it is, the greater the threat to service s.
Step B2: Calculate the host security situation of the target network.
Step B21: Calculate the defensive strength of the target network. The defensive strength is related to the degree of influence of the security measures running on the host on the host's security attributes, and to the importance of each security attribute on that host; the formula is as follows:
Figure 779591DEST_PATH_IMAGE019
Wherein,
Figure 285569DEST_PATH_IMAGE021
is the defensive strength value of the host,
Figure 894404DEST_PATH_IMAGE023
denotes the importance weight of the security attribute on the host, SM denotes the security measures running on the host, and ed denotes the degree of influence of SM on the security attribute. The larger the value of
Figure 5580DEST_PATH_IMAGE021
, the stronger the security defense capability of the host.
Step B22: Calculate the host security situation of the target network; it is calculated quantitatively from the security situation of the services running at time t and the defensive strength of the host, with the following formula:
Figure 16261DEST_PATH_IMAGE025
Wherein,
Figure 171168DEST_PATH_IMAGE027
is the security situation value of the host, H denotes a host in the target network,
Figure 267300DEST_PATH_IMAGE029
denotes the weight of the service among all services opened on the host,
Figure 916587DEST_PATH_IMAGE015
is the service security situation value,
Figure 781775DEST_PATH_IMAGE021
denotes the defensive strength of the host. The larger the value of
Figure 609048DEST_PATH_IMAGE027
, the greater the threat to the host; the security administrator should take note and adjust the defense policy promptly in response.
Step C: Calculate the security situation of the target network at time t. The network security situation at time t is related to the host security situation at that time; the quantitative formula is as follows:
Figure 192476DEST_PATH_IMAGE031
Wherein,
Figure 379875DEST_PATH_IMAGE033
is the network security situation value; denotes the importance weight of the host within the evaluated LAN;
Figure 861858DEST_PATH_IMAGE027
is the security situation value of the host. The larger the value of
Figure 932582DEST_PATH_IMAGE033
, the greater the threat to the network system; the autonomous response component then responds, regulating the system environment autonomously so that it adapts dynamically to environmental change.
The security situation of the network is predicted with the following specific steps:
Step 1: From the historical and current situation value information, define a multiple-input single-output situation prediction function over the service, host and network system
Figure 923671DEST_PATH_IMAGE037
and the corresponding error function G(V):
Figure 448937DEST_PATH_IMAGE039
Figure 929597DEST_PATH_IMAGE041
Wherein, k denotes the kinds of attack the service is subjected to;
Figure 222038DEST_PATH_IMAGE043
and
Figure 16819DEST_PATH_IMAGE045
denote respectively the actual output and the desired output of the m-th neuron of the p-th layer, corresponding to the situation prediction value; the flow parameter input at each single point during propagation; in the formula, V denotes respectively the attack severity d in the situation assessment hierarchical model, the service weight
Figure 898056DEST_PATH_IMAGE046
and the host importance weight
Figure 487301DEST_PATH_IMAGE035
Step 2: Train the neural network so that the fitness deviation
Figure 532617DEST_PATH_IMAGE128
tends to zero; the weights of the specified parameters are adjusted through self-learning, the optimal parameter combination is found, and the situation prediction curve obtained after training is finally output.
To achieve the above objects, the present invention provides a network security situation awareness method based on autonomic computing, characterized by comprising:
Step A: the Agent collaboration layer processes the data provided by the Managed Resources using the multi-attribute auction method;
The multi-attribute auction method addresses problems such as resource allocation and task distribution in order to optimize system performance. The method is as follows:
Define the multi-attribute auction model
Figure 616242DEST_PATH_IMAGE050
, where A is the space formed by the attributes of all items,
Figure 165035DEST_PATH_IMAGE052
, the item being auctioned has n attributes
Figure DEST_PATH_IMAGE129
, whose value range is
Figure 190760DEST_PATH_IMAGE056
. Let a be the attribute vector of the item, with
Figure 644744DEST_PATH_IMAGE058
,
Figure 843644DEST_PATH_IMAGE060
In the auction, B is the only buyer, and B needs to purchase goods.
S is the set of sellers, containing m sellers,
Figure 184626DEST_PATH_IMAGE062
, and each seller can offer items with different attributes.
V: 
Figure 443569DEST_PATH_IMAGE064
is B's attribute weight function (R is the set of real numbers), i.e.,
Figure 883385DEST_PATH_IMAGE066
represents buyer B's evaluation of the item according to attribute a.
Figure 620396DEST_PATH_IMAGE068
, wherein
Figure 81465DEST_PATH_IMAGE070
denotes the item cost function, so
Figure 511309DEST_PATH_IMAGE072
is the item cost that the seller calculates from attribute a.
Result is the transaction scheme,
Figure 674306DEST_PATH_IMAGE074
, wherein denotes the transaction price, and the transaction attribute vector . Buyer B's payoff is then
Figure 131329DEST_PATH_IMAGE078
, and the seller
Figure 548666DEST_PATH_IMAGE080
's payoff is
Figure 627481DEST_PATH_IMAGE082
 。 
The auction proceeds in four steps:
Step 1: The seller announces the evaluation function
Figure 569209DEST_PATH_IMAGE086
(which may differ from V);
Step 2: Each seller i submits a sealed-bid asking price
Figure 972377DEST_PATH_IMAGE088
Step 3: Determine the winning seller. The buyer first determines the set of candidate winning sellers
Figure 792566DEST_PATH_IMAGE090
Figure 145050DEST_PATH_IMAGE092
,
Figure 87598DEST_PATH_IMAGE094
is
Figure 211018DEST_PATH_IMAGE096
's asking price). If
Figure 569319DEST_PATH_IMAGE098
, then there is no winning seller and the auction ends. If , then the winning seller is chosen at random. And let
Figure 76709DEST_PATH_IMAGE102
, wherein
Figure 1940DEST_PATH_IMAGE104
,
Figure 163931DEST_PATH_IMAGE105
, , and it is easy to see that
Figure 463773DEST_PATH_IMAGE109
, wherein
Figure 876300DEST_PATH_IMAGE092
,
Figure 576403DEST_PATH_IMAGE111
Figure 757986DEST_PATH_IMAGE113
intuitively denotes the maximum of the elements that remain after one maximum element is removed, for example
Figure 400188DEST_PATH_IMAGE115
,
Figure 300011DEST_PATH_IMAGE117
intuitively denotes the highest price among the sellers other than the winning seller
Figure 839894DEST_PATH_IMAGE120
.
Step 4: The winning seller proposes a transaction scheme
Figure 151533DEST_PATH_IMAGE122
, and a valid proposal must satisfy
Figure 476335DEST_PATH_IMAGE124
; the winning seller and the buyer then conclude the deal under this transaction scheme, and the auction ends.
Step B: the autonomic manager (AM) processes the data provided by the Agent collaboration layer.
The described network security situational awareness method based on Autonomic computing, wherein, the step B further comprises:
Step B1: the situation extraction component extracts attack behavior features. If there is abnormal behavior that does not match the attack features in the knowledge base, the autonomous response component is called to respond; based on the pattern-matching knowledge and plan knowledge in the knowledge base, it autonomously regulates the system environment so that it adapts dynamically to environmental change, realizing dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters. The method then enters the situation assessment stage, i.e. step B2; if there is no unknown attack behavior, it enters the situation assessment stage, i.e. step B2, directly;
Step B2: based on the extracted situation information, the network system is layered using the analytic hierarchy process (AHP), and the current network security situation is then analyzed and assessed. If the situation value does not conform to the plan knowledge in the situation knowledge base, the autonomous response component responds, regulating the system environment autonomously so that it adapts dynamically to environmental change, and the method then proceeds to step B3; if it does conform, the method proceeds directly to step B3;
Step B3: the future network security situation is predicted from the historical information and current state of the network security situation.
The described network security situational awareness method based on Autonomic computing, wherein,
Step B1 further comprises:
Step B11: data source integration. Multi-source heterogeneous data are integrated and represented uniformly as XML, providing data support for the upper-layer modules. The data mainly include alert information and system log information from security devices such as intrusion detection systems (IDS) and firewalls;
Step B12: anomaly detection. Pattern-matching techniques are used to detect the various attacks that may be present in the network according to the abnormal behavior library, and the abnormal behavior library is updated in real time;
Step B13: autonomic associative learning. Attack signatures are correlated, integrated and comprehensively analyzed against the records of original attack features in the abnormal behavior library, to find how security hazards form and develop; abnormal conditions that may arise and early signs of abnormality are predicted, autonomic associative learning of attack features is realized using diagnostic prediction and intelligent decision methods, and the learning results are added to the abnormal behavior library. This realizes associative learning of unknown attack behavior and rapid extraction of effective situation information;
Step B14: cluster analysis is performed on the autonomic associative learning results;
Step B15: fusion analysis is performed on the clustering results.
The described network security situational awareness method based on Autonomic computing, wherein,
Step B14 further comprises:
B141: Cluster the alerts using the correlated-attribute distance method. The dissimilarity between alerts is calculated with the following formula, so that alerts with the same source, destination and attack type are placed in the same alert set.
Figure 580558DEST_PATH_IMAGE132
Wherein:
n is the number of attributes in the two alerts, k denotes one of the n attributes,
Figure 923683DEST_PATH_IMAGE005
denotes the weight of attribute k in the corresponding alert dissimilarity,
Figure DEST_PATH_IMAGE133
denotes the dissimilarity on attribute k of the alerts and
Figure 658421DEST_PATH_IMAGE011
.
B142: Based on the correlated-attribute distance and the thresholds set in advance, perform clustering and make the discrimination decision.
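The alert clustering of Steps D1 to D2 (restated as B141 to B142), as an added Python example that is not part of the patent text. The formula image is missing from this page, so the weighted sum of per-attribute dissimilarities, the distance functions, the weights, the threshold and the grouping rule are all assumptions, and the alerts are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ts: float            # detection time in seconds
    attack_class: str


# Assumed attribute weights w_k (they sum to 1); the page gives no values.
WEIGHTS = {"src_ip": 0.25, "dst_ip": 0.25, "src_port": 0.05,
           "dst_port": 0.10, "ts": 0.10, "attack_class": 0.25}
TIME_WINDOW = 300.0      # assumed: a gap of 5 minutes or more is fully dissimilar
THRESHOLD = 0.25         # assumed clustering threshold


def ip_dissim(a: str, b: str) -> float:
    """0.0 for identical addresses, rising to 1.0 as the shared prefix shrinks."""
    diff = int(IPv4Address(a)) ^ int(IPv4Address(b))
    return diff.bit_length() / 32


def attr_dissim(a: Alert, b: Alert) -> dict:
    """Per-attribute dissimilarity d_k in [0, 1] for the attributes the page lists."""
    return {
        "src_ip": ip_dissim(a.src_ip, b.src_ip),
        "dst_ip": ip_dissim(a.dst_ip, b.dst_ip),
        "src_port": float(a.src_port != b.src_port),
        "dst_port": float(a.dst_port != b.dst_port),
        "ts": min(abs(a.ts - b.ts) / TIME_WINDOW, 1.0),
        "attack_class": float(a.attack_class != b.attack_class),
    }


def dissimilarity(a: Alert, b: Alert) -> float:
    """Overall dissimilarity: assumed weighted sum of w_k * d_k over all attributes."""
    d = attr_dissim(a, b)
    return sum(WEIGHTS[k] * d[k] for k in WEIGHTS)


def cluster(alerts, threshold: float = THRESHOLD):
    """Single pass in time order: an alert joins the first cluster in which it is
    within the threshold of every member, otherwise it starts a new cluster."""
    clusters = []
    for alert in sorted(alerts, key=lambda x: x.ts):
        for members in clusters:
            if all(dissimilarity(alert, m) <= threshold for m in members):
                members.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


# Constructed sample alerts (documentation address ranges, not real traffic).
SAMPLE_ALERTS = [
    Alert("203.0.113.7", "192.0.2.10", 40001, 22, 0.0, "ssh-bruteforce"),
    Alert("203.0.113.7", "192.0.2.10", 40002, 22, 20.0, "ssh-bruteforce"),
    Alert("203.0.113.9", "192.0.2.10", 51000, 22, 45.0, "ssh-bruteforce"),
    Alert("198.51.100.23", "192.0.2.20", 33000, 80, 50.0, "sql-injection"),
    Alert("198.51.100.23", "192.0.2.20", 33010, 80, 70.0, "sql-injection"),
    # Same source and destination as the first alert, but a different attack class.
    Alert("203.0.113.7", "192.0.2.10", 40100, 22, 60.0, "port-scan"),
]

if __name__ == "__main__":
    for i, members in enumerate(cluster(SAMPLE_ALERTS), 1):
        print(i, [(m.src_ip, m.attack_class, m.ts) for m in members])
```

With these assumed weights the port-scan alert lands in its own set even though it shares source and destination with the brute-force alerts, because the attack-class weight alone reaches the threshold.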
The described network security situational awareness method based on Autonomic computing, wherein,
Step B15 further comprises:
B151: Take the clustering results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation.
B152: Combine the evidence using DS evidence combination.
B153: Apply the fusion decision rule of the basic probability function to the combined basic probability assignment values to make the decision, and extract the situation elements.
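The evidence fusion of Steps E1 to E3 (restated as B151 to B153), as an added Python example that is not the patent's own code. It uses classical Shafer discounting by sensor weight followed by Dempster's rule of combination as a stand-in for the exponential weighting of EWDS, whose formula is not given on this page; the hypothesis frame, sensor weights, mass values and decision thresholds are constructed assumptions.

```python
from itertools import product

# Assumed frame of discernment: what a cluster of alerts might represent.
THETA = frozenset({"dos", "probe", "normal"})


def discount(mass: dict, weight: float) -> dict:
    """Shafer discounting: scale a sensor's evidence by its weight and move the
    remainder to THETA (ignorance). A weight of 1.0 leaves the evidence as is."""
    out = {A: weight * v for A, v in mass.items() if A != THETA}
    out[THETA] = 1.0 - weight + weight * mass.get(THETA, 0.0)
    return out


def combine(m1: dict, m2: dict) -> dict:
    """Dempster's rule: multiply masses, keep non-empty intersections, and
    renormalise by 1 - K, where K is the mass assigned to conflicting pairs."""
    fused, conflict = {}, 0.0
    for (A, a), (B, b) in product(m1.items(), m2.items()):
        inter = A & B
        if inter:
            fused[inter] = fused.get(inter, 0.0) + a * b
        else:
            conflict += a * b
    if conflict >= 1.0 - 1e-12:
        raise ValueError("sources are in total conflict; Dempster's rule is undefined")
    return {A: v / (1.0 - conflict) for A, v in fused.items()}


def fuse(reports) -> dict:
    """reports: list of (mass function, sensor weight) pairs, one per sensor."""
    masses = [discount(m, w) for m, w in reports]
    fused = masses[0]
    for m in masses[1:]:
        fused = combine(fused, m)
    return fused


def decide(mass: dict, eps_margin: float = 0.2, eps_unknown: float = 0.3):
    """Decision on the fused masses (assumed thresholds): accept the top singleton
    only if it beats the runner-up by eps_margin, ignorance is below eps_unknown,
    and the top mass exceeds the ignorance mass. Returns None when undecided."""
    singles = sorted(((v, next(iter(A))) for A, v in mass.items() if len(A) == 1),
                     reverse=True)
    if not singles:
        return None
    top_mass, top = singles[0]
    runner_up = singles[1][0] if len(singles) > 1 else 0.0
    unknown = mass.get(THETA, 0.0)
    if top_mass - runner_up > eps_margin and unknown < eps_unknown and top_mass > unknown:
        return top
    return None


# Constructed evidence for one alert cluster from two sensors.
IDS_REPORT = ({frozenset({"dos"}): 0.7, frozenset({"probe"}): 0.2, THETA: 0.1}, 0.9)
FW_REPORT = ({frozenset({"dos"}): 0.5, frozenset({"normal"}): 0.3, THETA: 0.2}, 0.6)

if __name__ == "__main__":
    fused = fuse([IDS_REPORT, FW_REPORT])
    for hypothesis, value in sorted(fused.items(), key=lambda kv: -kv[1]):
        print(sorted(hypothesis), round(value, 4))
    print("decision:", decide(fused))
```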
The described network security situational awareness method based on Autonomic computing, wherein,
Step B2 further comprises:
Step B21: the network system is layered; it is divided into a network layer, a host layer and an attack-defense layer;
Step B22: the network security situation value at each level is calculated.
The described network security situational awareness method based on Autonomic computing, wherein,
Step B22 further comprises:
B221: Calculate the service security situation of the target network. The security situation of a service is related to the service's normal access volume, the attack intensity and the attack threat degree; the quantitative formula is as follows:
Figure 955672DEST_PATH_IMAGE013
Wherein,
Figure 129165DEST_PATH_IMAGE015
is the service security situation value; s denotes a service currently provided by the target network; k denotes the kinds of attack the service is subjected to; N denotes the number of attacks the service suffers; D denotes the severity of the attacks; N(t) denotes the number of attacks occurring at time t; D(t) denotes the severity of the attacks at time t. The threat degree of an attack is calculated using
Figure 77529DEST_PATH_IMAGE017
which is intended to better reflect the influence of high-threat attacks on the service security situation.
Figure 45485DEST_PATH_IMAGE015
The larger it is, the greater the threat to service s.
B222: Calculate the defensive strength of the target network. The defensive strength is related to the degree of influence of the security measures running on the host on the host's security attributes, and to the importance of each security attribute on that host; the formula is as follows:
Figure 328568DEST_PATH_IMAGE019
Wherein,
Figure 712276DEST_PATH_IMAGE021
is the defensive strength value of the host,
Figure 843043DEST_PATH_IMAGE023
denotes the importance weight of the security attribute on the host, SM denotes the security measures running on the host, and ed denotes the degree of influence of SM on the security attribute. The larger the value of
Figure 667386DEST_PATH_IMAGE021
, the stronger the security defense capability of the host.
B223: Calculate the host security situation of the target network; it is calculated quantitatively from the security situation of the services running at time t and the defensive strength of the host, with the following formula:
Wherein,
Figure 438213DEST_PATH_IMAGE027
is the security situation value of the host, H denotes a host in the target network,
Figure 423486DEST_PATH_IMAGE029
denotes the weight of the service among all services opened on the host; is the service security situation value;
Figure 990920DEST_PATH_IMAGE021
denotes the defensive strength of the host. The larger the value of
Figure 982010DEST_PATH_IMAGE027
, the greater the threat to the host; the security administrator should take note and adjust the defense policy promptly in response.
B224: Calculate the security situation of the target network at time t. The network security situation at time t is related to the host security situation at that time; the quantitative formula is as follows:
Figure 510205DEST_PATH_IMAGE031
Wherein,
Figure 990865DEST_PATH_IMAGE033
is the network security situation value,
Figure 283306DEST_PATH_IMAGE035
denotes the importance weight of the host within the evaluated LAN; is the security situation value of the host. The larger the value of
Figure 959324DEST_PATH_IMAGE033
, the greater the threat to the network system; the autonomous response component then responds, regulating the system environment autonomously so that it adapts dynamically to environmental change.
The described network security situation awareness method based on autonomic computing, wherein step B3 further comprises:
Step B31: from the historical and current situation value information, define a multiple-input single-output situation prediction function over the service, host and network system
Figure 610885DEST_PATH_IMAGE037
and the corresponding error function G(V):
Figure 989094DEST_PATH_IMAGE041
Wherein, k denotes the kinds of attack the service is subjected to;
Figure DEST_PATH_IMAGE135
and
Figure 223373DEST_PATH_IMAGE045
denote respectively the actual output and the desired output of the m-th neuron of the p-th layer, corresponding to the situation prediction value; the flow parameter input at each single point during propagation; in the formula, V denotes respectively the attack severity d in the situation assessment hierarchical model, the service weight
Figure 249098DEST_PATH_IMAGE046
and the host importance weight
Figure 516131DEST_PATH_IMAGE035
Step B32: train the neural network so that the fitness deviation tends to zero; the weights of the specified parameters are adjusted through self-learning, the optimal parameter combination is found, and the situation prediction curve obtained after training is finally output.

Claims (9)

1. a kind of network security situation sensing system based on Autonomic computing, it is characterised in that:Including Managed Resource, Agent collaboration layers module, sensor and effector module and self-discipline manager's module, Agent collaboration layer module connection Managed Resources and self-discipline manager's module, sensor and effector module connect Agent collaboration layer modules and self-discipline manager's module respectively
Agent collaboration layer module capture Managed Resource information is simultaneously pre-processed, remove redundancy, finally self-discipline manager's module is given information, it is received from the feedback of the information of rule manager's module, and autonomous regulating system environment, can dynamic adapting environment change, with realize resource dynamic configuration, service dynamic synthesis, systematic parameter dynamic calibration;
Sensor and effector module, the described Agent collaboration layer modules of connection are, it is necessary to define unified standard interface to realize the communication of the software and hardware provided by different suppliers, the isomerism that shielding is produced due to the difference of internal structure.
2. a kind of network security situation sensing system based on Autonomic computing as claimed in claim 1, it is characterised in that:Described self-discipline manager module includes base module, situation extraction module, Tendency Prediction module and autonomous respond module,
Base module includes state and judges knowledge, plan knowledge, problem solving knowledge and pattern match knowledge, and knowledge support is provided to situation extraction module, Tendency Prediction module and autonomous respond module;
Situation extraction module, for extracting effective situation information, i.e. attack factors;
Situation Assessment module, the described situation extraction module of connection, by recognizing the security incident in situation information, according to the incidence relation between them, calculates the threat suffered by service, main frame and network, and then realize the analysis to current network safety situation;
Tendency Prediction module, the described Situation Assessment module of connection, for according to past and current network security situation situation, being predicted to future network security postures;
Autonomous respond module, for the plan knowledge and problem solving knowledge in knowledge base, is responded, the situation value drawn to Situation Assessment is carried out from main regulation in real time to the behavioural characteristic that situation extraction module is extracted.
3. A network security situation sensing system based on Autonomic computing as claimed in claim 2, characterised in that: the situation extraction module includes a network security data source integrated platform module, an anomaly module and a self-discipline associative learning module,
The network security data source integrated platform module implements integrated processing of multi-source heterogeneous data and provides data support for the upper-layer modules;
The anomaly module uses pattern-matching technology to detect, according to the abnormal behaviour library, all kinds of attacks that may be present in the network, and updates the abnormal behaviour library in real time;
The self-discipline associative learning module correlates, integrates and comprehensively analyses the attack signatures and the original attack feature records in the abnormal behaviour library to find how potential safety hazards form and develop; it predicts possible abnormal conditions and early signs of abnormality, implements self-discipline associative learning of attack features using diagnosis-prediction and intelligent-decision methods, and adds the learning results to the abnormal behaviour library,
thereby achieving associative learning of unknown attack behaviour and rapid extraction of effective situation information;
The Cluster Analysis module, connected to the self-discipline associative learning module, performs clustering and discriminant analysis on the self-discipline associative learning results using the dissimilarity (distinctiveness ratio) computing (DSimC) clustering method;
The feature attributes considered are mainly source/destination IP, source/destination port, detection time, attack class, etc.; the dissimilarity is calculated for each attribute separately, and finally the comprehensive dissimilarity is calculated;
The convergence analysis module, connected to the Cluster Analysis module, performs fusion analysis on the aggregated security information using exponentially weighted DS evidence theory (EWDS), further reducing the quantity of security information and identifying attacks.
4. A network security situation sensing system based on Autonomic computing as claimed in claim 3, characterised in that: clustering the self-discipline associative learning results using the DSimC clustering method specifically includes:
Step 1: Cluster the alarms by calculating the distance between related attributes;
Assume there are two alarms
Figure 2012102759864100001DEST_PATH_IMAGE002
and
Figure 2012102759864100001DEST_PATH_IMAGE004
, and use the formula
Figure 2012102759864100001DEST_PATH_IMAGE006
to calculate the dissimilarity between the two alarms; where n is the number of attributes in the two alarms, k denotes one of the n attributes,
Figure 2012102759864100001DEST_PATH_IMAGE008
denotes the weight of attribute k in the alarm dissimilarity, and
Figure 2012102759864100001DEST_PATH_IMAGE010
denotes the dissimilarity of alarms
Figure 985790DEST_PATH_IMAGE002
and
Figure 965248DEST_PATH_IMAGE004
on attribute k;
Step 2: Based on the attribute distance calculation and the thresholds set in advance, make the clustering and discriminant decision.
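An added illustration of the clustering step in claim 4, not code from the patent. The dissimilarity formula itself is not reproduced on this page, so the weighted average, the per-attribute measures, the weights, the time window and the threshold below are all assumptions, and the alerts are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ts: float        # detection time in seconds
    category: str    # attack class reported by the sensor


# Assumed values: the page gives neither the weights nor the threshold.
WEIGHTS = {"src_ip": 0.20, "dst_ip": 0.25, "src_port": 0.05,
           "dst_port": 0.15, "ts": 0.15, "category": 0.20}
TIME_WINDOW = 300.0   # seconds after which two alerts count as fully apart
THRESHOLD = 0.30      # alerts at or below this distance share a cluster


def ip_dissim(a: str, b: str) -> float:
    """0.0 for equal addresses; larger the earlier the first differing bit."""
    ia, ib = ip_address(a), ip_address(b)
    if ia.version != ib.version:
        return 1.0
    return (int(ia) ^ int(ib)).bit_length() / ia.max_prefixlen


def attr_dissim(a: Alert, b: Alert) -> dict:
    """Per-attribute dissimilarity, each value in [0, 1]."""
    return {
        "src_ip": ip_dissim(a.src_ip, b.src_ip),
        "dst_ip": ip_dissim(a.dst_ip, b.dst_ip),
        "src_port": float(a.src_port != b.src_port),
        "dst_port": float(a.dst_port != b.dst_port),
        "ts": min(abs(a.ts - b.ts) / TIME_WINDOW, 1.0),
        "category": float(a.category != b.category),
    }


def dissimilarity(a: Alert, b: Alert, weights=WEIGHTS) -> float:
    """Comprehensive dissimilarity as a weighted average (assumed form)."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    per_attr = attr_dissim(a, b)
    return sum(w * per_attr[k] for k, w in weights.items()) / total


def cluster(alerts, threshold=THRESHOLD, weights=WEIGHTS):
    """Single pass in time order: join the nearest cluster or open a new one."""
    clusters = []
    for alert in sorted(alerts, key=lambda x: x.ts):
        best, best_d = None, threshold
        for members in clusters:
            d = min(dissimilarity(alert, m, weights) for m in members)
            if d <= best_d:
                best, best_d = members, d
        if best is None:
            clusters.append([alert])
        else:
            best.append(alert)
    return clusters


# Constructed sample alerts (documentation address ranges).
SAMPLE_ALERTS = [
    Alert("198.51.100.7", "192.0.2.10", 40001, 22, 0.0, "scan"),
    Alert("198.51.100.7", "192.0.2.10", 40002, 23, 2.0, "scan"),
    Alert("198.51.100.7", "192.0.2.11", 40003, 22, 5.0, "scan"),
    Alert("203.0.113.50", "192.0.2.20", 51515, 80, 900.0, "sqli"),
    Alert("203.0.113.50", "192.0.2.20", 51520, 80, 910.0, "sqli"),
]

if __name__ == "__main__":
    for i, members in enumerate(cluster(SAMPLE_ALERTS)):
        print(i, [(m.src_ip, m.dst_port, m.category) for m in members])
```

Raising the threshold merges unrelated activity into one incident and lowering it splits a single scan into many, so the threshold is best tuned against alerts whose grouping is already known.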
5. A network security situation sensing system based on Autonomic computing as claimed in claim 3, characterised in that: fusing the clustering results using EWDS specifically includes:
Step 1: Take the clustering results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack conditions;
Step 2: Combine the evidence using DS evidence combination;
Step 3: Apply the fusion decision rule of the basic probability function to the combined basic probability assignment values to make the decision, and extract the situation elements.
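An added illustration of the three fusion steps in claim 5, not code from the patent. The page does not reproduce the exponential weighting formula, so this example substitutes Shafer discounting by sensor weight before applying Dempster's combination rule; the frame of discernment, the sensor weights, the masses and the decision thresholds are constructed assumptions.

```python
from functools import reduce
from itertools import product

FRAME = frozenset({"dos", "scan", "normal"})   # constructed frame of discernment


def check(mass):
    """Validate a basic probability assignment over subsets of FRAME."""
    if any(not A or not A <= FRAME or v < 0 for A, v in mass.items()):
        raise ValueError("focal elements must be non-empty subsets of FRAME")
    if abs(sum(mass.values()) - 1.0) > 1e-9:
        raise ValueError("masses must sum to 1")
    return mass


def discount(mass, alpha):
    """Shafer discounting: keep alpha of each mass, move the rest to FRAME."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("sensor weight must lie in [0, 1]")
    out = {A: alpha * v for A, v in check(mass).items() if A != FRAME}
    out[FRAME] = 1.0 - alpha + alpha * mass.get(FRAME, 0.0)
    return out


def combine(m1, m2):
    """Dempster's rule: multiply masses, intersect sets, renormalise conflict."""
    joint, conflict = {}, 0.0
    for (A, a), (B, b) in product(m1.items(), m2.items()):
        C = A & B
        if C:
            joint[C] = joint.get(C, 0.0) + a * b
        else:
            conflict += a * b
    if conflict >= 1.0 - 1e-12:
        raise ValueError("sensors are in total conflict; cannot combine")
    return {C: v / (1.0 - conflict) for C, v in joint.items()}


def fuse(reports):
    """reports: iterable of (mass, sensor_weight) pairs."""
    return reduce(combine, (discount(m, w) for m, w in reports))


def decide(mass, eps_gap=0.2, eps_unknown=0.3):
    """Accept the top singleton only if it clearly beats the runner-up
    and the mass left on FRAME (ignorance) is small; otherwise None."""
    singles = sorted(((v, next(iter(A))) for A, v in mass.items()
                      if len(A) == 1), reverse=True)
    if not singles:
        return None
    best_v, best = singles[0]
    second = singles[1][0] if len(singles) > 1 else 0.0
    unknown = mass.get(FRAME, 0.0)
    if best_v - second > eps_gap and unknown < eps_unknown and best_v > unknown:
        return best
    return None


# Constructed evidence for one alert cluster: (mass function, sensor weight).
REPORTS = [
    ({frozenset({"dos"}): 0.7, frozenset({"scan"}): 0.1, FRAME: 0.2}, 0.9),
    ({frozenset({"dos"}): 0.5, frozenset({"normal"}): 0.3, FRAME: 0.2}, 0.6),
    ({frozenset({"dos", "scan"}): 0.6, FRAME: 0.4}, 0.8),
]

if __name__ == "__main__":
    fused = fuse(REPORTS)
    for A, v in sorted(fused.items(), key=lambda kv: -kv[1]):
        print(sorted(A), round(v, 4))
    print("decision:", decide(fused))
```

A `None` decision means the evidence is too weak or too contradictory to label the cluster, which is the case to route to an analyst rather than to an automated response.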
6. A network security situation sensing system based on Autonomic computing as claimed in claim 2, characterised in that: the specific assessment steps of the Situation Assessment module are as follows:
Step 1: Divide the network system into layers and then quantify the indices of each layer: the network system is divided into a network layer, a host layer and an attack-defence layer; the network layer is composed of the different hosts, the host layer is composed of the services run, the safety measures, etc., and the attack-defence layer mainly considers two parts, the services running on the host and the security factors;
Step 2: Calculate the network security situation value at each level. The service security situation of the target network at time t is defined as:
Figure 2012102759864100001DEST_PATH_IMAGE012
Wherein, is the service security situation value; s denotes a service currently provided by the target network; k denotes the kinds of attack the service is subject to; N denotes the number of attacks suffered by the service; D denotes the severity of the attacks; N(t) denotes the number of attacks occurring at time t; D(t) denotes the severity of the attacks at time t; the threat degree of an attack is calculated using
Figure 2012102759864100001DEST_PATH_IMAGE016
which reflects the influence of high-threat attacks on the service security situation; the larger
Figure 371084DEST_PATH_IMAGE014
is, the greater the threat to service s;
The defensive strength of a host of the target network at time t is defined as:
Figure 2012102759864100001DEST_PATH_IMAGE018
Wherein,
Figure 2012102759864100001DEST_PATH_IMAGE020
is the defensive strength value of the host, denotes the importance weight of the security attribute on the host, SM denotes the safety measures run on the host, and ed denotes the degree of influence of SM on the security attribute; the larger the value of , the stronger the security defence capability of host Host;
The host security situation of the target network at time t is defined as:
Figure 2012102759864100001DEST_PATH_IMAGE024
Wherein,
Figure 2012102759864100001DEST_PATH_IMAGE026
is the security situation value of the host, H denotes a host in the target network,
Figure 2012102759864100001DEST_PATH_IMAGE028
denotes the weight of the service among all services opened by the host,
Figure 767616DEST_PATH_IMAGE014
is the service security situation value, and
Figure 150930DEST_PATH_IMAGE020
denotes the defensive strength of the host; the larger the value of , the greater the threat to host Host, and the security administrator should pay attention and adjust the defence policy in time to respond;
The network security situation of the target network at time t is defined as:
Figure 2012102759864100001DEST_PATH_IMAGE030
Wherein,
Figure 2012102759864100001DEST_PATH_IMAGE032
is the network security situation value,
Figure 2012102759864100001DEST_PATH_IMAGE034
denotes the weight of the host's importance in the evaluated LAN, and
Figure 741498DEST_PATH_IMAGE026
is the security situation value of the host;
The larger the value of
Figure 410376DEST_PATH_IMAGE032
, the greater the threat to the network system; when the value of
Figure 466057DEST_PATH_IMAGE032
exceeds the normal state, the autonomous response component responds and autonomously regulates the system environment so that it dynamically adapts to environmental change.
7. A network security situation sensing system based on Autonomic computing as claimed in claim 2, characterised in that: the specific prediction steps of the Tendency Prediction module are as follows:
Step 1: According to the historical and current situation values, define the multiple-input single-output situation prediction function for the service, host and network system
Figure 2012102759864100001DEST_PATH_IMAGE036
and the corresponding error function G(V):
Figure 2012102759864100001DEST_PATH_IMAGE038
Wherein, k denotes the kinds of attack the service is subject to;
Figure 2012102759864100001DEST_PATH_IMAGE042
and
Figure 2012102759864100001DEST_PATH_IMAGE044
denote, respectively, the actual output and the desired output of the m-th neuron of the p-th layer, corresponding to the situation prediction value; is the flow parameter input at each single point in the communication process; V in the formula denotes, respectively, the attack severity d in the hierarchical Situation Assessment model, the service weight
Figure 908802DEST_PATH_IMAGE028
and the host importance weight
Figure 645814DEST_PATH_IMAGE034
Step 2: Train the neural network so that the fitness deviation
Figure 2012102759864100001DEST_PATH_IMAGE046
tends to zero, adjust the weights of the specified parameters by self-learning, find the optimal parameter combination, and finally output the trained situation prediction curve.
8. A processing method of the network security situation sensing system based on Autonomic computing as claimed in claims 1, 2, 3, 4, 5, 6 and 7, characterised in that:
Step 1: the Agent collaboration layer processes the data provided by the managed resources using the multi-attribute auction method and finally delivers the information to the self-discipline manager module;
Step 2: the self-discipline manager processes the data provided by the Agent collaboration layer;
Step 3: the situation extraction component extracts the attack behaviour features; if there is abnormal behaviour that does not match the attack features in the knowledge base, the autonomous response component is called to respond: according to the pattern match knowledge and plan knowledge in the knowledge base, it autonomously regulates the system environment so that it dynamically adapts to environmental change, achieving dynamic resource configuration, dynamic service composition and dynamic calibration of system parameters, and then the Situation Assessment stage, i.e. step 4, is entered; if there is no unknown attack behaviour, the Situation Assessment stage, i.e. step 4, is entered directly;
Step 4: according to the extracted situation information, the network system is layered using the analytic hierarchy process (AHP), and the current network security situation is analysed and assessed; if the situation value does not conform to the plan knowledge in the situation knowledge base, the autonomous response component responds and autonomously regulates the system environment so that it dynamically adapts to environmental change, and then step 5 is entered; if it conforms, step 5 is entered directly;
Step 5: the future network security situation is predicted according to the historical information and current state of the network security situation;
the optimal parameter combination is found, and the trained situation prediction curve is finally output.
9. A processing method of the network security situation sensing system based on Autonomic computing as claimed in claim 8, characterised in that: the multi-attribute auction method solves problems such as resource allocation and task distribution so as to optimize system performance, and is as follows:
Define the multi-attribute auction model
Figure 2012102759864100001DEST_PATH_IMAGE048
, where A is the space formed by the attributes of all items,
Figure 2012102759864100001DEST_PATH_IMAGE050
, the item being auctioned has n attributes
Figure 2012102759864100001DEST_PATH_IMAGE052
, with value ranges
Figure 2012102759864100001DEST_PATH_IMAGE054
; let a be the attribute vector of the item, with
Figure 2012102759864100001DEST_PATH_IMAGE056
,
Figure 2012102759864100001DEST_PATH_IMAGE058
In the auction, B is the only buyer, and B needs to buy goods;
S is the set of sellers, containing m sellers,
Figure 2012102759864100001DEST_PATH_IMAGE060
, and each seller can provide items with different attributes;
V: is B's attribute weight function (R is the set of real numbers), i.e.,
Figure 2012102759864100001DEST_PATH_IMAGE064
denotes B's evaluation of the item according to attribute a;
Figure 2012102759864100001DEST_PATH_IMAGE066
, where is the item cost function, so that
Figure 2012102759864100001DEST_PATH_IMAGE070
is the item cost value that the seller calculates according to attribute a;
Result is the transaction scheme,
Figure 2012102759864100001DEST_PATH_IMAGE072
, where
Figure 2012102759864100001DEST_PATH_IMAGE074
denotes the transaction price, and the transaction attribute vector
The income of buyer B is then
Figure 2012102759864100001DEST_PATH_IMAGE076
, and the income of seller
Figure 2012102759864100001DEST_PATH_IMAGE078
is
Figure 2012102759864100001DEST_PATH_IMAGE080
;
The auction flow is divided into four steps:
Step 1: The evaluation function is announced by the seller
Figure 2012102759864100001DEST_PATH_IMAGE082
Figure 2012102759864100001DEST_PATH_IMAGE084
which may differ from V;
Step 2: Each seller i submits a sealed-bid asking price
Figure 2012102759864100001DEST_PATH_IMAGE086
Step 3: Determine the winning seller: first, the buyer determines the set of candidate winning sellers
Figure 2012102759864100001DEST_PATH_IMAGE090
, ( is the asking price of
Figure 2012102759864100001DEST_PATH_IMAGE094
); if
Figure 2012102759864100001DEST_PATH_IMAGE096
, then there is no winning seller and the auction ends; if
Figure 2012102759864100001DEST_PATH_IMAGE098
, then the winning seller is generated at random, and let, where
Figure 2012102759864100001DEST_PATH_IMAGE102
,
Figure 471480DEST_PATH_IMAGE090
,
Figure 2012102759864100001DEST_PATH_IMAGE104
; it is easy to see that
Figure 2012102759864100001DEST_PATH_IMAGE106
, where
Figure 775422DEST_PATH_IMAGE090
,
Figure 2012102759864100001DEST_PATH_IMAGE108
,
Figure 2012102759864100001DEST_PATH_IMAGE110
intuitively means the maximum among the remaining elements after one maximum element is removed, for example
Figure 2012102759864100001DEST_PATH_IMAGE112
,
Figure 2012102759864100001DEST_PATH_IMAGE114
,
Figure 2012102759864100001DEST_PATH_IMAGE116
intuitively means, apart from the winning seller
Figure 736032DEST_PATH_IMAGE094
, the highest price among the other sellers;
Step 4: The winning seller proposes the transaction scheme
Figure 2012102759864100001DEST_PATH_IMAGE118
; a legal proposal must satisfy
Figure 2012102759864100001DEST_PATH_IMAGE120
; the winning seller and the buyer close the deal under this transaction scheme, and the auction ends.
CN201210275986.4A 2012-08-06 2012-08-06 A kind of network security situation sensing system based on Autonomic computing and processing method thereof Active CN102821007B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210275986.4A CN102821007B (en) 2012-08-06 2012-08-06 A kind of network security situation sensing system based on Autonomic computing and processing method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210275986.4A CN102821007B (en) 2012-08-06 2012-08-06 A kind of network security situation sensing system based on Autonomic computing and processing method thereof

Publications (2)

Publication Number Publication Date
CN102821007A true CN102821007A (en) 2012-12-12
CN102821007B CN102821007B (en) 2016-12-21

Family

ID=47304878

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210275986.4A Active CN102821007B (en) 2012-08-06 2012-08-06 A kind of network security situation sensing system based on Autonomic computing and processing method thereof

Country Status (1)

Country Link
CN (1) CN102821007B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040059966A1 (en) * 2002-09-20 2004-03-25 International Business Machines Corporation Adaptive problem determination and recovery in a computer system
CN101650684A (en) * 2009-09-23 2010-02-17 哈尔滨工程大学 Method and device for measuring self-discipline capability of self-discipline calculating system based on stability probability
CN102186204A (en) * 2011-05-03 2011-09-14 哈尔滨工程大学 Heterogeneous wireless sensor network and special self-recovery method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吴庆涛: "Intrusion tolerance model based on autonomic computing", 《计算机应用》 (Journal of Computer Applications), vol. 30, no. 9, 30 September 2010 (2010-09-30), pages 2386 - 2388 *

Also Published As

Publication number Publication date
CN102821007B (en) 2016-12-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20191106

Address after: Room 202, building 3-1, Science Park, Luoyang National University, Longyu Road, Jianxi District, Luoyang area, China (Henan) pilot free trade zone 471000

Patentee after: Henan gunz Information Technology Co., Ltd

Address before: 471000 Xiyuan Road, Jianxi District, Henan, No. 48, No.

Patentee before: Henan University of Science and Technology

TR01 Transfer of patent right