CN102821007B - A kind of network security situation sensing system based on Autonomic computing and processing method thereof

Info

Publication number: CN102821007B
Application number: CN201210275986.4A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102821007A
Inventors: 郑瑞娟, 吴庆涛, 张明川, 杨春蕾, 赵旭辉, 魏汪洋, 李冠峰
Current assignee: Henan gunz Information Technology Co., Ltd
Original assignee: Henan University of Science and Technology

Abstract

A network security situation awareness system based on autonomic computing, and its processing method, comprising managed resources, an Agent collaboration layer module, a sensor and effector module and an autonomic manager module. The Agent collaboration layer module connects the managed resources to the autonomic manager module; the sensor and effector module connects to the Agent collaboration layer module and to the autonomic manager module respectively. The system structure and the situation extraction used for situation awareness are improved: the system autonomously regulates its environment and can dynamically adapt to environmental change, realising dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters.

Description

A kind of network security situation sensing system based on Autonomic computing and processing method thereof
Technical field
The present invention relates to the technical field of network security, and specifically to a network security situation awareness system based on autonomic computing and its technical scheme.
Background technology
With the spread of networks, the threats they face keep growing, and computer viruses, Trojan horse programs and DoS/DDoS attacks are becoming increasingly rampant. To ensure secure network operation, the techniques currently used, such as intrusion detection, firewalls and virus detection, are passive defence measures: they can only detect local parts of the system and lack correlation between the information they acquire. Against this background, after the concept of network security situation awareness was proposed around 2000 [1], research into related models and methods rapidly became a new focus.
Network security situation awareness is a new technology that emerged in response to network security monitoring needs. In the field of network security, many fusion architectures have been built for intrusion detection; among them, the network security situation awareness framework proposed by Bass [1], which performs data fusion using the distributed multi-sensors of an intrusion detection system, is the most typical and is generally accepted by the industry. This structure has five layers: the data extraction layer, the attack object identification layer, the situation assessment layer, the threat assessment layer and the resource management layer. They progress step by step and embody the process "data -> information -> knowledge". The data layer is mainly responsible for extracting useful data from intrusion detection sensors and security devices such as sniffers; the attack object identification layer performs spatio-temporal calibration of the events acquired by the data layer and correlates and pre-processes them to achieve attack recognition; the situation assessment layer is a dynamic, intelligent reasoning process that assesses the current security situation of the whole network by analysing the relationships between the attacks identified by the attack object identification layer; the threat assessment layer is built on the situation assessment layer and estimates the damage capability of malicious attacks and the overall degree of threat to the network, its task being to assess the frequency with which attacks appear and their threat degree to the network; the resource management layer tracks and assesses the operating condition of the whole fusion system, directs the allocation of the fusion system, accepts and executes the tasks of the threat assessment layer, and plans, coordinates and cooperates with other security devices.
In terms of perception and assessment strategy, reference [2] proposes an immune-based network security situation awareness method. It uses an immune-based IDS model as the basis of situation awareness and detects known and unknown intrusion behaviour in the network; according to the correspondence between the change in antibody concentration in the immune system and the rate of pathogen intrusion, it quantitatively analyses the network security situation assessment, and it uses a Grey-Markov method to predict the network security situation. Applying artificial immune technology to network security situation awareness, through the identification of malicious attack behaviour, achieves real-time, deterministic quantitative analysis and prediction of the current security situation and future trend of the network system, and gives the network information system the same self-learning and adaptive properties as the immune system. This strengthens the immunity and survivability of the system, mitigates the harm caused by network attacks, provides a basis for administrators to formulate accurate response decisions, and thus improves the emergency response capability of the network information system.
Reference [3] is the first to propose a quantitative network security situation awareness method based on CRFs (Conditional Random Fields). It takes the alert information of the intrusion detection system as the element of network security situation awareness and, combined with host vulnerabilities and states, defines a network security threat degree that better reflects the risk of the network; it classifies attacks and at the same time performs effective feature selection. The method reflects network risk well and quantifies the network security situation. Reference [4] identifies the complementary correlation between attack factors, uses fuzzy data fusion technology to correlate the attack factors, and uses statistical techniques to perform situation fusion at the three levels of service, host and network, proposing a network system security situation assessment method based on fuzzy information fusion. Reference [5] proposes a method of Internet security situation assessment using honeynets; the method collects a large amount of network intrusion information through honeynets and can analyse the security situation of the current network.
Prior art one most closely related to the present invention
2.1 Technical scheme of prior art one
Reference [6] proposes a network security situation awareness technical scheme based on a Markov game model. A Markov game combines game theory with the Markov decision process (MDP) and considers the decisions of multiple participants. By fusing the security data detected by multiple sensors, normalised data on assets, threats and vulnerabilities are obtained; for each threat its propagation law is analysed and a corresponding threat propagation network is established; by analysing the behaviour of threats, administrators and ordinary users, a three-party Markov game model is established, and the related algorithms are optimised so that the evaluation process can run in real time. The Markov game model can dynamically evaluate the security situation of the system, provide the administrator with an optimal hardening scheme, and effectively suppress the diffusion of threats.
The system framework proposed by this scheme detects the various security information of the network system through multiple sensors, assesses the security situation and its trend according to the perception model of the situation awareness system, and provides a security hardening scheme. It mainly includes the following modules:
1) Data acquisition: detects the operating condition of the network system through multiple sensors and collects a large amount of raw security data;
2) Situation understanding: analyses the raw data with methods such as standardised score analysis, redundancy detection and conflict detection to obtain a normalised data set;
3) Situation assessment: uses a situation assessment algorithm to analyse the data of the situation understanding module and quantitatively describe the security situation of the system;
4) Situation prediction: uses a situation prediction algorithm to analyse the pattern of situation change and predict the trend of the system security situation;
5) Hardening scheme generation: analyses the weakest nodes of the system and provides a hardening scheme that guides the administrator in improving system security.
Following the system framework, the scheme gives a situation awareness workflow that divides the situation awareness process into two parts: quantitative situation assessment based on Markov game analysis, and situation prediction based on time series analysis.
The quantitative situation assessment part is the core of situation awareness. First, the security data detected by the data acquisition module are fused into an asset set, a threat set, a vulnerability set and network structure information; these data are saved in a database in the format of a normalised data set, can be accessed and modified in real time, and a TPN is then built for each threat in the threat set. Next, Markov game analysis is performed on the behaviour of threats, administrators and ordinary users to assess the confidentiality situation of each single threat and to give an optimal hardening scheme. Finally, the confidentiality situations of all threats in the threat set are synthesised to evaluate the confidentiality situation of the system; the system integrity situation and system availability situation are assessed in the same way, and, according to the application background and requirements, the confidentiality, integrity and availability situations are weighted to assess the security situation of the whole system in its current state.
The situation prediction part is based on the situation assessment results. The security situation of the system at different moments is correlated, and this correlation can be exploited by time series analysis to analyse the pattern of situation change and predict the system security situation.
2.2 Shortcomings of prior art one
The security hardening scheme given by the Markov game model based network security situation awareness technical scheme can find the nodes and paths where a given threat causes the greatest damage, effectively restrains the diffusion of threats and improves system security. However, the scheme has the following disadvantages:
1) The complexity of the threat propagation network makes the state space very large, so assessment efficiency is low for large-scale networks and a certain amount of approximate processing is needed, which may affect the accuracy of the assessment results.
2) Because of the variability and cunning of attackers' means, the attack strategies and defence countermeasures used by this method during situation assessment are hard to control, and the method is difficult to implement in practice.
3) The effect of defence mechanisms on the overall network security state is not considered; the overall network security situation is evaluated only from the angle of attacks or vulnerabilities, and the whole situation awareness process lacks adaptivity.
Prior art two most closely related to the present invention
3.1 Technical scheme of prior art two
Reference [7] proposes a hierarchical quantitative assessment technical scheme for the network security threat situation. Using IDS alert information and network performance indices, and according to the importance of services and hosts themselves and the organisational structure of the network system, it proposes a hierarchical quantitative assessment model of the network security threat situation that adopts a bottom-up, local-first then global assessment strategy, together with the corresponding calculation method. On the basis of statistics on alert occurrence frequency, alert severity and network bandwidth utilisation, the importance factors of services and hosts are weighted to calculate the threat indices of services, hosts and the whole network system, and the security threat situation is then analysed and assessed. On the one hand, this frees the administrator from analysing massive logs and provides an intuitive security threat situation graph that gives the administrator a macroscopic understanding of the security threat condition of the system; on the other hand, security trends and rules can be found from the situation graph so as to adjust the security strategy of the system and better improve the security performance of the network system.
A real system can be decomposed by scale and hierarchical relationship into three levels, system, host and service, and most attacks target a certain service on a host in the system. Using system decomposition technology and following the organisational structure of the system, the scheme proposes the hierarchical quantitative assessment model of network system security threat situation shown in Fig. 1. From top to bottom it is divided into four levels, network system, host, service and attack/vulnerability, and it adopts the assessment strategy "from top to bottom, first local then global". With IDS alerts and vulnerability information as raw data, combined with network resource consumption, the threat situation of the services provided by each host is found: at the attack layer the severity, frequency and network bandwidth occupancy of attacks are analysed statistically, and the security threat condition of the corresponding service is then assessed. On this basis the security state of a host in the network system is comprehensively assessed, and finally the security threat situation of the whole LAN system is assessed according to the network architecture.
In Fig. 4, the attack layer comprises the attacks that a classical network IDS is able to detect, mainly of three major types: probing, privilege escalation and DoS. Among them, DoS attacks (A1, ..., Am) exploit defects in protocol design and exhaust network resources by continuously sending large numbers of datagrams to the destination host, making services unavailable; that is, DoS attacks threaten the security of all services of the system.
3.2 Shortcomings of prior art two
The hierarchical quantitative assessment model of the network security threat situation proposed by this scheme can directly give the security threat situation at the three levels of the whole network system, hosts and services, enabling network administrators to understand the system security situation in time, look for the causes of security changes, adjust the security strategy and ensure that system security is maximised. The system has been applied well in the Net-Keeper system. However, the scheme still has the following deficiencies:
1) The analysis of the security threat situation assessment system is based on the alert logs of network intrusion detection sensors and on network bandwidth occupancy, but this information cannot fully reflect the attack behaviour of hackers.
2) The analytic hierarchy process (AHP) used has, to a greater or lesser extent, problems such as the establishment of index weights being too subjective and absolute, and consistency correction relying too heavily on external participation.
3) How to obtain the changing situation according to the current system state, security and environment parameters, incorporate autonomic features, and dynamically configure the network security situation awareness system and adjust the corresponding operating parameters to achieve real self-adaptation is not addressed.
Summary of the invention
To solve the above technical problems, the present invention designs a testing machine that can accurately measure lubricating oil drawing force, improves the system structure and situation extraction used for situation awareness, and autonomously regulates the system environment so that it can dynamically adapt to environmental change, realising dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters.
The technical scheme adopted by the present invention to solve the above technical problems is a network security situation awareness system based on autonomic computing, comprising managed resources, an Agent collaboration layer module, a sensor and effector module and an autonomic manager module. The Agent collaboration layer module connects the managed resources and the autonomic manager module, and the sensor and effector module connects to the Agent collaboration layer module and to the autonomic manager module respectively;
The Agent collaboration layer module captures managed resource information and pre-processes it, removes redundancy and finally passes the information to the autonomic manager module; it receives the information fed back by the autonomic manager module and autonomously regulates the system environment so that it can dynamically adapt to environmental change, realising dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters;
The sensor and effector module connects to the Agent collaboration layer module; it needs to define a unified standard interface that provides communication between software and hardware supplied by different vendors and shields the heterogeneity caused by differences in internal structure.
The autonomic manager module of the present invention includes a knowledge base module, a situation extraction module, a situation prediction module and an autonomous response module:
The knowledge base module includes state judgement knowledge, plan knowledge, problem-solving knowledge and pattern matching knowledge, and provides knowledge support to the situation extraction module, the situation prediction module and the autonomous response module;
The situation extraction module is used to extract effective situation information, i.e. attack factors;
The situation assessment module connects to the situation extraction module; by identifying the security events in the situation information and the correlation between them, it calculates the threats suffered by services, hosts and the network, and thereby analyses the current network security situation;
The situation prediction module connects to the situation assessment module and predicts the future network security situation according to the past and current network security situation;
The autonomous response module responds in real time, according to the plan knowledge and problem-solving knowledge in the knowledge base, to the behaviour features extracted by the situation extraction module, and performs autonomous regulation according to the situation value obtained by situation assessment.
The situation extraction module of the present invention includes a network security data source integration platform module, an anomaly detection module and an autonomic associative learning module:
The network security data source integration platform module realises the integrated processing of multi-source heterogeneous data and provides data support for the upper modules;
The anomaly detection module uses pattern matching technology to detect, according to the abnormal behaviour library, the various kinds of attack behaviour that may exist in the network, and updates the abnormal behaviour library in real time;
The autonomic associative learning module correlates, integrates and comprehensively analyses attack features against the records of original attack behaviour features in the abnormal behaviour library, finds the formation and development law of potential security hazards, predicts abnormal conditions that may arise and early signs of anomalies, uses diagnosis-prediction and intelligent decision methods to realise autonomic associative learning of attack behaviour features, and adds the learning results to the abnormal behaviour library; it thereby realises associative learning of unknown attack behaviour and rapid extraction of effective situation information;
The cluster analysis module connects to the autonomic associative learning module and uses the dissimilarity calculation (DSimC) clustering method to cluster and perform discriminant analysis on the autonomic associative learning results; the characteristic attributes considered are mainly source/destination IP, source/destination port, detection time and attack class; their dissimilarities are calculated separately and finally the comprehensive dissimilarity is calculated;
The fusion analysis module connects to the cluster analysis module and uses exponentially weighted DS evidence theory (EWDS) to perform fusion analysis on the clustered security information, further reducing the amount of security information and identifying attack behaviour.
Clustering the autonomic associative learning results with the DSimC clustering method of the present invention specifically includes:
Step 1: cluster the alerts by the method of correlated attribute distance calculation. Assume there are two alerts; the dissimilarity between the two alerts is calculated by the formula, in which n is the number of attributes in the two alerts, k denotes one of the n attributes, and the remaining symbols denote respectively the weight of attribute k in the dissimilarity of the corresponding alerts and the dissimilarity of the two alerts on attribute k;
Step 2: according to the correlated attribute distance calculation and the corresponding preset threshold, perform clustering and discriminant judgement.
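An added Python example of Step 1 and Step 2 (not the patent's own code): since the dissimilarity formula is not reproduced on this page, it assumes the comprehensive dissimilarity is the weighted sum of per-attribute dissimilarities over the six attributes the patent names, and the per-attribute distance functions, weights, threshold and sample alerts are all constructed here.

```python
"""Dissimilarity-based (DSimC-style) clustering of IDS alerts.

Added example, not code from the patent. The patent's formula is not given on
the page; this example ASSUMES the comprehensive dissimilarity is the weighted
sum over attributes of per-attribute dissimilarities (weights sum to 1). The
per-attribute distance functions, weights and threshold are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List
import ipaddress


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    detect_time: float   # seconds since epoch (constructed sample values)
    attack_class: str


# Per-attribute dissimilarity functions, each returning a value in [0, 1].
def ip_dissim(a: str, b: str) -> float:
    """0 for identical addresses, 0.5 for the same /24, 1 otherwise (assumed scale)."""
    if a == b:
        return 0.0
    net_a = ipaddress.ip_network(f"{a}/24", strict=False)
    return 0.5 if ipaddress.ip_address(b) in net_a else 1.0


def port_dissim(a: int, b: int) -> float:
    return 0.0 if a == b else 1.0


def time_dissim(a: float, b: float, window: float = 300.0) -> float:
    """Grows linearly over a 5-minute window and saturates at 1."""
    return min(1.0, abs(a - b) / window)


def class_dissim(a: str, b: str) -> float:
    return 0.0 if a == b else 1.0


# Attribute weights (assumed values; they sum to 1).
WEIGHTS: Dict[str, float] = {
    "src_ip": 0.30, "dst_ip": 0.20, "src_port": 0.05,
    "dst_port": 0.10, "detect_time": 0.15, "attack_class": 0.20,
}

DISSIM_FUNCS: Dict[str, Callable] = {
    "src_ip": ip_dissim, "dst_ip": ip_dissim, "src_port": port_dissim,
    "dst_port": port_dissim, "detect_time": time_dissim, "attack_class": class_dissim,
}


def comprehensive_dissim(x: Alert, y: Alert) -> float:
    """Step 1: weighted sum of per-attribute dissimilarities between two alerts."""
    total = 0.0
    for attr, weight in WEIGHTS.items():
        total += weight * DISSIM_FUNCS[attr](getattr(x, attr), getattr(y, attr))
    return total


def cluster_alerts(alerts: List[Alert], threshold: float) -> List[List[Alert]]:
    """Step 2: single-pass threshold clustering. An alert joins the first cluster
    whose representative (first member) is closer than the threshold; otherwise
    it opens a new cluster."""
    clusters: List[List[Alert]] = []
    for alert in alerts:
        for cluster in clusters:
            if comprehensive_dissim(cluster[0], alert) < threshold:
                cluster.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


# Constructed sample alerts: a port sweep from one host plus an unrelated flood.
SAMPLE_ALERTS = [
    Alert("10.0.0.5", "192.168.1.10", 40001, 22, 1000.0, "probe"),
    Alert("10.0.0.5", "192.168.1.10", 40002, 80, 1030.0, "probe"),
    Alert("10.0.0.5", "192.168.1.10", 40003, 443, 1060.0, "probe"),
    Alert("172.16.4.9", "192.168.1.20", 5555, 53, 4000.0, "dos"),
]


def demo(threshold: float = 0.4) -> List[int]:
    """Return the size of each cluster found on the sample alerts."""
    return [len(c) for c in cluster_alerts(SAMPLE_ALERTS, threshold)]


if __name__ == "__main__":
    print(demo())  # -> [3, 1]
```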
Fusing the cluster results with the EWDS of the present invention specifically includes:
Step 1: take the clustered results as evidence, assign confidence according to the detection rate of the different sensors, and obtain the weight of each sensor according to the attack situation;
Step 2: combine the evidence using DS evidence theory;
Step 3: use the fusion decision rule of basic probability functions to make a decision on the combined basic probability assignment values, and extract the situation elements.
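An added Python example of the three EWDS steps above (not the patent's code): the page does not give the EWDS weighting formula, so the example assumes each sensor's weight is a discount factor equal to its detection rate (classic Shafer discounting), combines the evidence with Dempster's rule, and decides with a maximum-mass rule over singleton hypotheses; the sensors and mass values are constructed.

```python
"""Weighted Dempster-Shafer fusion of clustered IDS evidence.

Added example, not the patent's EWDS code. ASSUMPTIONS: each sensor's weight is
a discount factor equal to its detection rate; combination is Dempster's rule;
the decision rule picks the singleton hypothesis with the largest combined
mass. All sensors and masses below are constructed.
"""
from itertools import product
from typing import Dict, FrozenSet, Optional, Tuple

Hypothesis = FrozenSet[str]
BPA = Dict[Hypothesis, float]   # basic probability assignment (masses sum to 1)

THETA: Hypothesis = frozenset({"dos", "probe", "normal"})   # frame of discernment


def discount(m: BPA, weight: float) -> BPA:
    """Step 1: scale a sensor's masses by its weight; the rest goes to THETA (ignorance)."""
    if not 0.0 <= weight <= 1.0:
        raise ValueError("weight must lie in [0, 1]")
    out: BPA = {}
    for hyp, mass in m.items():
        if hyp != THETA:
            out[hyp] = out.get(hyp, 0.0) + weight * mass
    out[THETA] = 1.0 - weight + weight * m.get(THETA, 0.0)
    return out


def combine(m1: BPA, m2: BPA) -> Tuple[BPA, float]:
    """Step 2: Dempster's rule. Returns the combined BPA and the conflict mass K."""
    fused: BPA = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            fused[a] = fused.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict: evidence cannot be combined")
    norm = 1.0 - conflict
    return {hyp: mass / norm for hyp, mass in fused.items()}, conflict


def decide(m: BPA, min_mass: float = 0.0) -> Optional[Tuple[str, float]]:
    """Step 3: maximum-BPA decision over singleton hypotheses (assumed rule).
    Returns None when no singleton reaches min_mass."""
    singles = [(next(iter(h)), mass) for h, mass in m.items() if len(h) == 1]
    if not singles:
        return None
    best = max(singles, key=lambda x: x[1])
    return best if best[1] >= min_mass else None


# Constructed evidence: two sensors reporting on the same alert cluster.
SENSOR_EVIDENCE = [
    # (detection rate used as weight, BPA over subsets of THETA)
    (0.9, {frozenset({"dos"}): 0.6, frozenset({"dos", "probe"}): 0.3, THETA: 0.1}),
    (0.5, {frozenset({"probe"}): 0.7, THETA: 0.3}),
]


def fuse_sensors(evidence=SENSOR_EVIDENCE) -> Tuple[BPA, float]:
    """Discount each sensor by its weight, then fold all BPAs together.
    Returns the fused BPA and the conflict of the last combination step."""
    weight, m = evidence[0]
    fused = discount(m, weight)
    last_conflict = 0.0
    for weight, m in evidence[1:]:
        fused, last_conflict = combine(fused, discount(m, weight))
    return fused, last_conflict


if __name__ == "__main__":
    fused_bpa, k = fuse_sensors()
    print(decide(fused_bpa), k)  # -> ('dos', 0.4328...) 0.189
```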
The concrete assessment procedure of the situation assessment module of the present invention is as follows:
Step 1: layer the network system, then quantitatively calculate the layered indices. The network system is divided into a network layer, a host layer and an attack-defence layer: the network layer consists of different hosts, the host layer consists of the services running and the security measures taken, and the attack-defence layer mainly considers two parts, the services running on a host and the security factors;
Step 2: calculate the network security situation value at every level. The service security situation of the target network at time t is defined as:
Here the defined quantity is the service security situation value; s denotes a certain service currently provided by the target network; K denotes the kind of attack the service is subject to; N denotes the number of attacks suffered by the service; D denotes the severity of an attack; N(t) denotes the number of attacks occurring at time t; D(t) denotes the severity of the attacks at time t. The threat degree of an attack is calculated by the corresponding formula, which reflects the degree to which high-threat attacks influence the service security situation: the larger the value, the greater the threat degree suffered by service s;
The defensive strength of a host of the target network at time t is defined as:
Here the defined quantity is the defensive strength value on the host; the weight symbol denotes the importance weight of a security attribute on the host, SM denotes a security measure running on the host, and ed denotes the influence degree of SM relative to the security attribute; the larger the value, the stronger the security defence capability of host Host;
The host security situation of the target network at time t is defined as:
Here the defined quantity is the security situation value of the host; H denotes a host in the target network, the weight symbol denotes the weight of a service among all services opened on the host, the service term is the service security situation value, and the defence term denotes the defensive strength on the host; the larger the value, the greater the threat degree suffered by host Host, and the security administrator should pay attention and adjust the defence strategy in time to cope;
The security situation of the target network at time t is defined as:
Here the defined quantity is the network security situation value; the weight symbol denotes the importance weight of a host in the evaluated LAN, and the host term is the security situation value of the host. The larger the value, the greater the threat degree suffered by the network system; when the value exceeds the standard state, the autonomous response component responds and autonomously regulates the system environment so that it can dynamically adapt to environmental change.
The concrete prediction steps of the situation prediction module of the present invention are as follows:
Step 1: according to the historical and current situation value information, define the multi-input single-output situation prediction function for the service, host and network system, with the corresponding error function G(V):
Here k denotes the kind of attack the service is subject to; the two output symbols denote respectively the actual output and the desired output of the m-th neuron in the p-th layer, corresponding to the situation prediction value; the remaining symbol is the flow parameter in each single-point input transmission process; in the formula, V denotes respectively the attack severity d, the service weight and the host importance weight of the situation assessment hierarchical model;
Step 2: train this neural network so that the fitness deviation tends to zero, self-learn and adjust the weights of the specified parameters, find the optimal parameter combination, and finally output the trained situation prediction curve.
A processing method of the network security situation awareness system based on autonomic computing
Step 1: the Agent collaboration layer processes the data provided by the managed resources using the multi-attribute auction method, and finally passes the information to the autonomic manager module;
Step 2: the autonomic manager processes the data information provided by the Agent collaboration layer;
Step 3: the situation extraction component extracts attack behaviour features. If abnormal behaviour occurs that does not match the attack behaviour features in the knowledge base, the autonomous response component is called to respond: according to the pattern matching knowledge and plan knowledge in the knowledge base it autonomously regulates the system environment so that it can dynamically adapt to environmental change, realising dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters, and then the situation assessment stage, i.e. step 4, is entered; if no unknown attack behaviour occurs, the situation assessment stage, i.e. step 4, is entered directly;
Step 4: according to the extracted situation information, layer the network system using the analytic hierarchy process (AHP) and thereby analyse and assess the current network security situation; if the situation value information does not conform to the plan knowledge in the situation knowledge base, the autonomous response component responds and autonomously regulates the system environment so that it can dynamically adapt to environmental change, and then step 5 is entered; if it conforms, step 5 is entered directly;
Step 5: predict the future network security situation according to the historical information and current state of the network security situation; find the optimal parameter combination and finally output the trained situation prediction curve.
The multi-attribute auction method of the present invention solves problems such as resource allocation and task allocation so as to optimise system performance. The method is:
Define the multi-attribute auction model, where A is the space formed by the attributes of all items; the item under auction has n attributes, each with its own value range; let a be the attribute vector of the item;
In the auction, B is the only buyer, and B needs to buy the commodity;
S is the set of sellers, containing m sellers, each of whom can provide items with different attributes;
V is the attribute evaluation function of B (R is the set of real numbers), i.e. it gives B's evaluation of the item according to attribute a;
The item cost function is defined in the same way, so that its value is the item cost that a seller calculates according to attribute a;
The result is the deal scheme, consisting of the deal price and the deal attribute vector; the income of buyer B and the income of the winning seller are then given by the corresponding expressions.
The auction flow is divided into four steps:
Step 1: the seller announces an evaluation function (which may differ from V);
Step 2: each seller i secretly submits its bid;
Step 3: determine the winning seller. First the buyer determines the set of candidate winning sellers
(defined in terms of each seller's bid); if the set is empty, no seller wins and the auction ends; if it is not empty, one member is chosen at random as the winning seller, and a further value is defined whose intuitive meaning is the maximum of the remaining elements after one maximum element has been removed, for example the highest price among the other sellers excluding the winning seller;
Step 4: the winning seller proposes a deal scheme; a legal proposal must satisfy the given constraint, and the winning seller then closes the deal with the buyer on that scheme, ending the auction.
The beneficial effects of the present invention are:
1. The system possesses good adaptivity: it can effectively obtain situation information, accurately understand the current security situation of the network, rapidly predict the future network security situation, adapt dynamically and intelligently to complex environments, and effectively guide subsequent autonomous decisions. This relieves the administrator's burden, reduces management cost, and further resolves the complexity of network security management.
2. The defence mechanism is strong: it has strong control in the situation assessment stage, can assess the security situation of the whole network in all directions, and has good adaptivity.
Description of the drawings
Fig. 1 is a structural diagram of the present invention;
Fig. 2 is the situation extraction flow chart of the present invention;
Fig. 3 is a structural diagram of the layering of the network system of the present invention;
Fig. 4 is a structural diagram of the hierarchical network system security threat situation assessment model of the present invention;
Detailed description of the invention
This system includes the following modules:
Managed Resource (MR) module: mainly includes databases, application modules, routers, servers, and various distributed sources such as host logs, firewall alert information and network packets. The MR are scheduled and managed uniformly by the Agent collaborative layer.
Agent collaborative layer module: connected to the MR module; for different types of MR it uses different intelligent Agents to provide data support for the autonomic manager, and each Agent is an entity that can run independently. The Agent entities capture MR information, preprocess it to remove redundancy, and finally pass the information to the Autonomic Manager (AM). At the same time, the Agent collaborative layer receives feedback from the AM and autonomously regulates the system environment so that it can adapt to environmental changes dynamically, in order to realize dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters.
Sensor and effector module: connected to the Agent collaborative layer module; a unified standard interface must be defined to realize communication between the software and hardware provided by different vendors and to shield the heterogeneity caused by differences in internal structure.
Situation extraction module: used to extract effective situation information, i.e. attack factors.
Situation assessment module: connected to the situation extraction module; by identifying the security events in the situation information and establishing the correlations between them, it calculates the threats suffered by services, hosts and the network, thereby realizing the analysis of the current network security situation.
Situation prediction module: connected to the situation assessment module; used to predict the future network security situation from the past and current network security situation.
Autonomous response module: used to respond in real time to the behaviour features extracted by the situation extraction module according to Kp and Ks in the knowledge base, and to autonomously regulate the situation value obtained after assessment.
As shown in Fig. 2, the situation extraction flow chart of the present invention, the situation extraction module includes the following modules:
Network security data source integration platform module: used to realize the integrated processing of multi-source heterogeneous data and represent it uniformly as XML, providing data support for the upper-layer modules. These data mainly include the alert information of security devices such as intrusion detection systems (IDS) and firewalls, system log information, etc.
Anomaly detection module: uses pattern-matching technology to detect, according to the anomalous behaviour library, the various attack behaviours that may exist in the network, and updates the anomalous behaviour library in real time.
Autonomic association learning module: used to associate, integrate and comprehensively analyse attack signatures against the records of original attack behaviour features in the anomalous behaviour library, find the formation and development laws of potential security hazards, predict the anomalous conditions that may arise and their early signs, use diagnostic prediction and intelligent decision methods to realize autonomic association learning of attack behaviour features, and add the learning results to the anomalous behaviour library, thereby realizing association learning for unknown attack behaviours and rapidly extracting effective situation information.
Cluster analysis module: connected to the autonomic association learning module; uses the dissimilarity calculation (DSimC) clustering method to cluster and discriminate the results of autonomic association learning. The feature attributes considered are mainly source/destination IP, source/destination port, detection time and attack class; the dissimilarity of each is calculated separately, and finally a comprehensive dissimilarity is computed.
Fusion analysis module: connected to the cluster analysis module; uses exponentially weighted DS evidence theory (EWDS) to fuse the aggregated security information, further reducing the amount of security information and identifying attack behaviours.
The situation extraction process comprises the following steps:
Step A: data source integration; process multi-source heterogeneous data in an integrated way and represent it uniformly as XML, providing data support for the upper-layer modules. These data mainly include the alert information of security devices such as intrusion detection systems (IDS) and firewalls, system log information, etc.
Step B: anomaly detection; use pattern-matching technology to detect, according to the anomalous behaviour library, the various attack behaviours that may exist in the network, and update the anomalous behaviour library in real time.
Step C: autonomic association learning; associate, integrate and comprehensively analyse attack signatures against the records of original attack behaviour features in the anomalous behaviour library, find the formation and development laws of potential security hazards, predict the anomalous conditions that may arise and their early signs, use diagnostic prediction and intelligent decision methods to realize autonomic association learning of attack behaviour features, and add the learning results to the anomalous behaviour library, thereby realizing association learning for unknown attack behaviours and rapidly extracting effective situation information.
Step D: perform cluster analysis on the autonomic association learning result; the specific steps are as follows:
Step D1: cluster the alerts using the association attribute distance calculation method. Assume there are two alerts and ; use the formula to calculate the dissimilarity between the two alerts, where n is the number of attributes in the two alerts, k denotes one of the n attributes, denotes the weight of attribute k in the corresponding alert dissimilarity, and denotes the dissimilarity of alerts and on attribute k.
Step D2: according to the association attribute distance calculation and the preset thresholds, perform clustering and discriminant judgement.
Step E: fuse the clustering result with EWDS, specifically:
Step E1: take the clustered results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation.
Step E2: combine the evidence using the DS rule of combination.
Step E3: apply the fusion decision rule of the basic probability function to the combined basic probability assignment values to make a decision and extract the situation elements.
As shown in Fig. 3, the hierarchical diagram of the network system, the quantitative calculation steps for each layer are as follows:
Step A: layer the network system, then quantitatively calculate the layered indices. The network system is divided into the network layer, the host layer and the attack-defence layer. The network layer is composed of different hosts; the host layer is composed of the running services, security measures and so on; the attack-defence layer mainly considers the services running on the hosts and the security factors.
Step B: calculate the network security situation value at each level.
Step B1: calculate the service security situation of the target network. The security situation of a service is related to the service's normal access volume, the attack strength and the attack threat degree; the quantitative formula is as follows:
where is the service security situation value; s denotes a service currently provided by the target network; k denotes the kind of attack the service suffers; N denotes the number of attacks suffered by the service; d denotes the severity of the attack; N(t) denotes the number of attacks occurring at time t; d(t) denotes the severity of the attack at time t. The threat degree of an attack is calculated with , intended to better reflect the influence of high-threat attacks on the service security situation. The larger , the greater the threat degree suffered by service s.
Step B2: calculate the host security situation of the target network.
Step B21: calculate the defensive strength of the target network. The defensive strength is related to the influence of the security measures running on the host on the host's security attributes and to the importance of those security attributes to the host; the formula is as follows:
where is the defensive strength value on the host, denotes the importance weight of the security attribute on the host, SM denotes the security measures running on the host, and ed denotes the influence degree of SM relative to the security attribute. The larger the value of , the stronger the security defence capability of host Host.
Step B22: calculate the host security situation of the target network; quantify it from the service security situation suffered by the services running at time t and the defensive strength of the host; the formula is as follows:
where is the host security situation value, H denotes a host in the target network, denotes the weight of the service among all services opened on the host, is the service security situation value, and denotes the defensive strength on the host. The larger the value of , the greater the threat degree suffered by host Host; the security administrator should pay attention and adjust the defence policy in time.
Step C: calculate the security situation of the target network at time t. The network security situation at time t is related to the host security situation at that moment; the quantitative formula is as follows:
where is the network security situation value, denotes the importance weight of the host in the evaluated LAN, and is the host security situation value. The larger the value of , the greater the threat degree suffered by the network system; at that point the autonomous response component responds and autonomously regulates the system environment so that it can adapt to environmental changes dynamically.
The network security situation is predicted as follows:
Step 1: from historical and current situation value information, define the multi-input single-output situation prediction function for the service, host and network system, together with the corresponding error function G(V):
where k denotes the kind of attack suffered by the service; and denote respectively the actual output and the expected output of the m-th neuron of the p-th layer, corresponding to the situation prediction value; is the flow parameter in each single-point input communication process; in the formula, V denotes respectively the attack severity d of the situation assessment hierarchical model, the service weight and the host importance weight
Step 2: train this neural network so that the fitness bias tends to zero, adjust the weights of the specified parameters by self-learning, find the optimal parameter combination, and finally output the trained situation prediction curve.
To achieve these goals, the present invention provides a network security situation awareness method based on autonomic computing, characterised in that it includes:
Step A: the Agent collaborative layer uses the multi-attribute auction method to process the data provided by the Managed Resources;
The multi-attribute auction method solves problems such as resource allocation and task assignment in order to optimize system performance; the method is as follows:
Define the multi-attribute auction model
, where A is the space formed by the attributes of all items, , the item under auction has n attributes whose value range is . Let a be the attribute vector of the item, and ,
In the auction, B is the only buyer, and B needs to purchase the commodity.
S is the set of sellers, containing m sellers, ; each seller can provide items with different attributes.
V: is the attribute valuation function of B (R is the set of real numbers), i.e. denotes buyer B's evaluation of an item according to its attribute vector a.
, where is the item cost function, so is the item cost value that the seller calculates from attribute vector a.
The result is the transaction scheme , where is the transaction price and the transaction attribute vector. The income of buyer B is then , and the income of the seller is
The auction process is divided into four steps:
Step 1: the seller announces an evaluation function (which may differ from V);
Step 2: each seller i secretly submits an asking price
Step 3: determine the winning seller. First the buyer determines the set of candidate winning sellers
( , where is the asking price of ); if , no seller wins and the auction ends. If , one seller is chosen at random as the winning seller, and let , where , , ; it is apparent that , where the intuitive meaning of is the maximum among the remaining elements after one maximum element has been removed, e.g. the intuitive meaning of is the highest price among the sellers other than the winning seller .
Step 4: the winning seller proposes a transaction scheme; a legal proposal must satisfy ; the winning seller and the buyer conclude the transaction with this scheme, and the auction ends.
Step B: the Autonomic Manager (AM) processes the data information provided by the Agent collaborative layer.
In the network security situation awareness method based on autonomic computing, step B further includes:
Step B1: the situation extraction component extracts attack behaviour features; if an anomalous behaviour that does not match the attack behaviour features in the knowledge base occurs, the autonomous response component is called to respond; according to the pattern-matching knowledge and plan knowledge in the knowledge base, it autonomously regulates the system environment so that it can adapt to environmental changes dynamically, in order to realize dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters. The situation assessment stage, i.e. step B2, is then entered; if no unknown attack behaviour occurs, the situation assessment stage, i.e. step B2, is entered directly;
Step B2: according to the extracted situation information, use the analytic hierarchy process (AHP) to layer the network system, and then analyse and assess the current network security situation. If the situation value information does not match the plan knowledge in the situation knowledge base, the autonomous response component responds and autonomously regulates the system environment so that it can adapt to environmental changes dynamically, after which step B3 is entered; if it matches, step B3 is entered directly;
Step B3: predict the future network security situation from the historical information and the current state of the network security situation.
In the network security situation awareness method based on autonomic computing,
step B1 further includes:
Step B11: data source integration; process multi-source heterogeneous data in an integrated way and represent it uniformly as XML, providing data support for the upper-layer modules. These data mainly include the alert information of security devices such as intrusion detection systems (IDS) and firewalls, system log information, etc.;
Step B12: anomaly detection; use pattern-matching technology to detect, according to the anomalous behaviour library, the various attack behaviours that may exist in the network, and update the anomalous behaviour library in real time;
Step B13: autonomic association learning; associate, integrate and comprehensively analyse attack signatures against the records of original attack behaviour features in the anomalous behaviour library, find the formation and development laws of potential security hazards, predict the anomalous conditions that may arise and their early signs, use diagnostic prediction and intelligent decision methods to realize autonomic association learning of attack behaviour features, and add the learning results to the anomalous behaviour library, thereby realizing association learning for unknown attack behaviours and rapidly extracting effective situation information;
Step B14: perform cluster analysis on the autonomic association learning result;
Step B15: perform fusion analysis on the clustering result.
In the network security situation awareness method based on autonomic computing,
step B14 further includes:
B141: cluster the alerts using the association attribute distance calculation method. Calculate the dissimilarity between alerts with the following formula, so that alerts with the same source, destination and attack type are divided into the same alert set.
where:
n is the number of attributes in the two alerts, k denotes one of the n attributes, denotes the weight of attribute k in the corresponding alert dissimilarity, and denotes the dissimilarity of alerts and on attribute k.
B142: according to the association attribute distance calculation and the preset thresholds, perform clustering and discriminant judgement.
In the network security situation awareness method based on autonomic computing,
step B15 further includes:
B151: take the clustered results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation.
B152: combine the evidence using the DS rule of combination.
B153: apply the fusion decision rule of the basic probability function to the combined basic probability assignment values to make a decision and extract the situation elements.
In the network security situation awareness method based on autonomic computing,
step B2 further includes:
Step B21: layer the network system; the network system is divided into the network layer, the host layer and the attack-defence layer;
Step B22: calculate the network security situation value at each level.
In the network security situation awareness method based on autonomic computing,
step B22 further includes:
B221: calculate the service security situation of the target network. The security situation of a service is related to the service's normal access volume, the attack strength and the attack threat degree; the quantitative formula is as follows:
where is the service security situation value; s denotes a service currently provided by the target network; k denotes the kind of attack the service suffers; N denotes the number of attacks suffered by the service; d denotes the severity of the attack; N(t) denotes the number of attacks occurring at time t; d(t) denotes the severity of the attack at time t. The threat degree of an attack is calculated with , intended to better reflect the influence of high-threat attacks on the service security situation. The larger , the greater the threat degree suffered by service s.
B222: calculate the defensive strength of the target network. The defensive strength is related to the influence of the security measures running on the host on the host's security attributes and to the importance of those security attributes to the host; the formula is as follows:
where is the defensive strength value on the host, denotes the importance weight of the security attribute on the host, SM denotes the security measures running on the host, and ed denotes the influence degree of SM relative to the security attribute. The larger the value of , the stronger the security defence capability of host Host.
B223: calculate the host security situation of the target network; quantify it from the service security situation suffered by the services running at time t and the defensive strength of the host; the formula is as follows:
where is the host security situation value, H denotes a host in the target network, denotes the weight of the service among all services opened on the host, is the service security situation value, and denotes the defensive strength on the host. The larger the value of , the greater the threat degree suffered by host Host; the security administrator should pay attention and adjust the defence policy in time.
B224: calculate the security situation of the target network at time t. The network security situation at time t is related to the host security situation at that moment; the quantitative formula is as follows:
where is the network security situation value, denotes the importance weight of the host in the evaluated LAN, and is the host security situation value. The larger the value of , the greater the threat degree suffered by the network system; at that point the autonomous response component responds and autonomously regulates the system environment so that it can adapt to environmental changes dynamically.
In the network security situation awareness method based on autonomic computing, step B3 further includes:
Step B31: from historical and current situation value information, define the multi-input single-output situation prediction function for the service, host and network system, together with the corresponding error function G(V):
where k denotes the kind of attack suffered by the service; and denote respectively the actual output and the expected output of the m-th neuron of the p-th layer, corresponding to the situation prediction value; is the flow parameter in each single-point input communication process; in the formula, V denotes respectively the attack severity d of the situation assessment hierarchical model, the service weight and the host importance weight
Step B32: train this neural network so that the fitness bias tends to zero, adjust the weights of the specified parameters by self-learning, find the optimal parameter combination, and finally output the trained situation prediction curve.

Claims (7)

1. A network security situation sensing system based on autonomic computing, characterised in that: it includes Managed Resources, an Agent collaborative layer module, a sensor and effector module and an autonomic manager module; the Agent collaborative layer module connects the Managed Resources and the autonomic manager module; the sensor and effector module connects respectively to the Agent collaborative layer module and the autonomic manager module;
the Agent collaborative layer module captures Managed Resource information, preprocesses it to remove redundancy, and finally passes the information to the autonomic manager module; it receives feedback from the autonomic manager module and autonomously regulates the system environment so that it can adapt to environmental changes dynamically, in order to realize dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters;
the sensor and effector module is connected to the Agent collaborative layer module; a unified standard interface must be defined to realize communication between the software and hardware provided by different vendors and to shield the heterogeneity caused by differences in internal structure;
the autonomic manager module includes a knowledge base module, a situation extraction module, a situation assessment module, a situation prediction module and an automatic response module;
the knowledge base module includes state judgement knowledge, plan knowledge, problem-solving knowledge and pattern-matching knowledge, and provides knowledge support for the situation extraction module, the situation prediction module and the automatic response module;
the situation extraction module is used to extract effective situation information, i.e. attack factors;
the situation assessment module is connected to the situation extraction module; by identifying the security events in the situation information and establishing the correlations between them, it calculates the threats suffered by services, hosts and the network, thereby realizing the analysis of the current network security situation;
the situation prediction module is connected to the situation assessment module and is used to predict the future network security situation from the past and current network security situation;
the automatic response module is used to respond in real time to the behaviour features extracted by the situation extraction module according to the plan knowledge and problem-solving knowledge in the knowledge base module, and to autonomously regulate the situation value obtained by the situation assessment.
2. A network security situation sensing system based on autonomic computing, characterised in that: the situation extraction module includes a network security data source integration platform module, an anomaly detection module, an autonomic association learning module, a cluster analysis module and a fusion analysis module;
the network security data source integration platform module is used to realize the integrated processing of multi-source heterogeneous data and provides data support for the upper-layer modules;
the anomaly detection module uses pattern-matching technology to detect, according to the anomalous behaviour library, the various attack behaviours that may exist in the network, and updates the anomalous behaviour library in real time;
the autonomic association learning module is used to associate, integrate and comprehensively analyse attack signatures against the records of original attack behaviour features in the anomalous behaviour library, find the formation and development laws of potential security hazards, predict the anomalous conditions that may arise and their early signs, use diagnostic prediction and intelligent decision methods to realize autonomic association learning of attack behaviour features, and add the learning results to the anomalous behaviour library,
thereby realizing association learning for unknown attack behaviours and rapidly extracting effective situation information;
the cluster analysis module is connected to the autonomic association learning module and uses the dissimilarity calculation DSimC clustering method to cluster and discriminate the results of autonomic association learning;
the feature attributes considered are mainly source/destination IP, source/destination port, detection time and attack class; the dissimilarity of each is calculated separately, and finally a comprehensive dissimilarity is computed;
the fusion analysis module is connected to the cluster analysis module and uses exponentially weighted DS evidence theory EWDS to fuse the aggregated security information, further reducing the amount of security information and identifying attack behaviours.
3. A network security situation sensing system based on autonomic computing, characterised in that: clustering the autonomic association learning result with the DSimC clustering method specifically includes:
Step 1: cluster the alerts using the association attribute distance calculation method;
assume there are two alerts $A_i$ and $A_j$; use the formula to calculate the dissimilarity between the two alerts, where n is the number of attributes in the two alerts, k denotes one of the n attributes, $w_k$ denotes the weight of attribute k in the corresponding alert dissimilarity, and denotes the dissimilarity of alerts $A_i$ and $A_j$ on attribute k;
Step 2: according to the association attribute distance calculation and the preset thresholds, perform clustering and discriminant judgement.
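The alert clustering of steps D1/D2, B141/B142 and claim 3, as an added example that is not the patent's code: the page only gives the shape of the comparison (per-attribute dissimilarities weighted by $w_k$ over source/destination IP, source/destination port, detection time and attack class, then a preset threshold), so the weighted-sum form, the per-attribute distance functions, the weights, the threshold and the sample alerts are all assumptions made here.

```python
"""Alert clustering by weighted attribute dissimilarity (DSimC-style).

Added example, not code from the patent. The per-attribute distance rules,
the weights, the threshold and the sample alerts below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    detect_time: float      # seconds since epoch (constructed values below)
    attack_class: str


def ip_dissim(a: str, b: str) -> float:
    """0 if identical, 0.5 if in the same /24, else 1 (assumed IPv4 rule)."""
    if a == b:
        return 0.0
    same_24 = int(ip_address(a)) >> 8 == int(ip_address(b)) >> 8
    return 0.5 if same_24 else 1.0


def port_dissim(a: int, b: int) -> float:
    return 0.0 if a == b else 1.0


def time_dissim(a: float, b: float, window: float = 300.0) -> float:
    """Linear ramp that saturates at 1 once alerts are `window` seconds apart."""
    return min(abs(a - b) / window, 1.0)


def class_dissim(a: str, b: str) -> float:
    return 0.0 if a == b else 1.0


# Attribute weights w_k (assumed); they sum to 1 so the result stays in [0, 1].
WEIGHTS: Dict[str, float] = {
    "src_ip": 0.2, "dst_ip": 0.25, "src_port": 0.05,
    "dst_port": 0.1, "detect_time": 0.1, "attack_class": 0.3,
}


def dissimilarity(ai: Alert, aj: Alert) -> float:
    """Comprehensive dissimilarity: sum over the n attributes of w_k * d_k(A_i, A_j)."""
    parts = {
        "src_ip": ip_dissim(ai.src_ip, aj.src_ip),
        "dst_ip": ip_dissim(ai.dst_ip, aj.dst_ip),
        "src_port": port_dissim(ai.src_port, aj.src_port),
        "dst_port": port_dissim(ai.dst_port, aj.dst_port),
        "detect_time": time_dissim(ai.detect_time, aj.detect_time),
        "attack_class": class_dissim(ai.attack_class, aj.attack_class),
    }
    return sum(WEIGHTS[k] * d for k, d in parts.items())


def cluster_alerts(alerts: List[Alert], threshold: float = 0.3) -> List[List[Alert]]:
    """Single-pass clustering: an alert joins the first cluster whose first member
    is within `threshold`, otherwise it starts a new cluster. The preset threshold
    is the discriminant judgement of step D2 / B142."""
    clusters: List[List[Alert]] = []
    for alert in alerts:
        for members in clusters:
            if dissimilarity(members[0], alert) <= threshold:
                members.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


# Constructed sample: three alerts from one SSH brute-force burst (two sources in
# the same /24) and one unrelated web-application alert.
SAMPLE_ALERTS = [
    Alert("10.0.0.5", "10.0.1.20", 40001, 22, 1000.0, "ssh-bruteforce"),
    Alert("10.0.0.5", "10.0.1.20", 40002, 22, 1012.0, "ssh-bruteforce"),
    Alert("10.0.0.7", "10.0.1.20", 40003, 22, 1030.0, "ssh-bruteforce"),
    Alert("192.168.9.9", "10.0.2.80", 51000, 443, 1000.0, "sql-injection"),
]

if __name__ == "__main__":
    for i, c in enumerate(cluster_alerts(SAMPLE_ALERTS)):
        print(f"cluster {i}: {len(c)} alerts, class={c[0].attack_class}")
```

With the sample data the three brute-force alerts collapse into one cluster (dissimilarity 0.054 and 0.16 from the first alert) while the SQL injection alert scores 0.9 and stays separate, which is the volume reduction the cluster step is meant to deliver before fusion.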
4. The network security situation sensing system based on autonomic computing according to claim 2, characterised in that: fusing the clustering result with EWDS specifically includes:
Step 1: take the clustered results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation;
Step 2: combine the evidence using the DS rule of combination;
Step 3: apply the fusion decision rule of the basic probability function to the combined basic probability assignment values to make a decision and extract the situation elements.
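The three fusion steps (E1 to E3, B151 to B153 and claim 4), as an added example that is not the patent's code. The page states only that clustered results are evidence, that each sensor is weighted by its detection rate, that DS combination is applied and that a decision rule on the combined basic probability assignment extracts the situation elements; the frame {attack, normal}, the use of Shafer discounting for the weighting step, the decision margin and the sample evidence are assumptions made here, and the patent's exact exponential weighting formula is not given on the page.

```python
"""Sensor-weighted Dempster-Shafer fusion of clustered alert evidence.

Added example, not code from the patent. Discounting by detection rate stands
in for the unspecified exponential weighting; the decision rule is assumed.
"""
from itertools import product
from typing import Dict, FrozenSet, List

Hyp = FrozenSet[str]
BPA = Dict[Hyp, float]        # basic probability assignment over subsets of THETA

THETA: Hyp = frozenset({"attack", "normal"})   # frame of discernment (assumed)
ATTACK: Hyp = frozenset({"attack"})
NORMAL: Hyp = frozenset({"normal"})


def discount(m: BPA, alpha: float) -> BPA:
    """Step E1: weight a sensor's evidence by reliability alpha in [0, 1]
    (Shafer discounting): focal masses are scaled by alpha and the removed
    mass is moved to THETA, i.e. turned into ignorance."""
    out: BPA = {h: alpha * v for h, v in m.items() if h != THETA}
    out[THETA] = 1.0 - alpha + alpha * m.get(THETA, 0.0)
    return out


def combine(m1: BPA, m2: BPA) -> BPA:
    """Step E2: Dempster's rule of combination for two BPAs on the same frame."""
    conflict = 0.0
    out: BPA = {}
    for (h1, v1), (h2, v2) in product(m1.items(), m2.items()):
        inter = h1 & h2
        if not inter:
            conflict += v1 * v2          # mass assigned to incompatible hypotheses
        else:
            out[inter] = out.get(inter, 0.0) + v1 * v2
    if conflict >= 1.0:
        raise ValueError("total conflict: the evidence cannot be combined")
    return {h: v / (1.0 - conflict) for h, v in out.items()}


def fuse(evidence: List[BPA], detection_rates: List[float]) -> BPA:
    """Weight every sensor's BPA by its detection rate, then fold them together."""
    weighted = [discount(m, r) for m, r in zip(evidence, detection_rates)]
    fused = weighted[0]
    for m in weighted[1:]:
        fused = combine(fused, m)
    return fused


def belief(m: BPA, h: Hyp) -> float:
    """Bel(h): total mass committed to subsets of h."""
    return sum(v for s, v in m.items() if s <= h)


def decide(m: BPA, margin: float = 0.2) -> str:
    """Step E3 (assumed rule): pick the singleton whose belief beats the other
    by at least `margin`; otherwise the situation element stays undecided."""
    ba, bn = belief(m, ATTACK), belief(m, NORMAL)
    if ba - bn >= margin:
        return "attack"
    if bn - ba >= margin:
        return "normal"
    return "uncertain"


# Constructed sample: three sensors report on the same alert cluster; the host
# log disagrees with the IDS and the firewall but has the lowest detection rate.
SENSOR_EVIDENCE: List[BPA] = [
    {ATTACK: 0.7, NORMAL: 0.1, THETA: 0.2},   # IDS
    {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3},   # firewall
    {ATTACK: 0.2, NORMAL: 0.5, THETA: 0.3},   # host log
]
DETECTION_RATES = [0.9, 0.8, 0.6]


def run_sample() -> str:
    return decide(fuse(SENSOR_EVIDENCE, DETECTION_RATES))


if __name__ == "__main__":
    fused = fuse(SENSOR_EVIDENCE, DETECTION_RATES)
    print({sorted(h): round(v, 3) for h, v in fused.items()}, run_sample())
```

Because the dissenting host-log sensor is discounted hardest, the fused mass on "attack" ends near 0.70 and the decision is "attack"; with two equally confident but opposite sensors the same code returns "uncertain", which is the case an operator should see rather than a forced verdict.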
5. The network security situation sensing system based on Autonomic computing, characterised in that the concrete assessment procedure of the Situation Assessment module is as follows:
Step 1: the network system is layered and the indices of each layer are computed quantitatively; the network system is divided into a network layer, a host layer and an attack-defence layer, where the network layer consists of the different hosts, the host layer consists of the running services and security measures, and the attack-defence layer mainly considers two parts: the services running on the hosts and the security factors;
Step 2: the network security situation value is calculated at each level. The service security situation of the target network at time t is defined as:
$R_{service}(s, k, N, d, t) = N(t) \cdot 10^{d(t)}$
where R_service is the service security situation value; s is a service currently provided by the target network; k is the kind of attack this service is subject to; N is the number of attacks suffered by the service; d is the severity of the attack; N(t) is the number of attacks occurring at time t; d(t) is the severity of the attack at time t. The threat degree of an attack is calculated as 10^{d(t)}, reflecting that an attack of high threat degree strongly affects the service security situation; the larger R_service, the greater the threat degree suffered by service s.
The defensive strength of a host of the target network at time t is defined as:
$DF_{Host}(W_s, SM, ed, t) = W_s \cdot ed(t)$
where DF_Host is the defensive strength value of the host, W_s is the importance weight of the security attribute on the host, SM is the security measure running on the host, and ed is the influence degree of SM relative to the security attribute; the larger DF_Host, the stronger the security defence capability of host Host.
The host security situation of the target network at time t is defined as:
$R_{Host}(H, V_s, R_{service}, t) = V_s \cdot R_{service}(t) / DF_{Host}$
where R_Host is the host security situation value, H is a host in the target network, V_s is the weight of the service among all services opened on the host, R_service is the service security situation value and DF_Host is the defensive strength of the host; the larger R_Host, the greater the threat degree suffered by host Host, and the security administrator should pay attention and adjust the defence strategy in time to respond.
The security situation of the target network at time t is defined as:
$R_{Network}(W_H, R_{Host}, t) = W_H \cdot R_{Host}(t)$
where R_Network is the network security situation value, W_H is the importance weight of the host in the evaluated LAN, and R_Host is the host security situation value.
The larger R_Network, the greater the threat degree suffered by the network system; when R_Network exceeds the standard state, the autonomic response component responds and autonomously adjusts the system environment so that it can adapt to environmental change dynamically.
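As an added example (not the patent's code), the three-level assessment of claim 5 computed in Python over a constructed LAN and attack log. The summation over several services per host and several hosts per network, the choice of d(t) as the worst severity seen in a time slot, and the standard-state threshold of 50 are assumptions; the formulas themselves are the ones stated above.

```python
"""Layered situation assessment (service -> host -> network) from the claim's formulas.
Added example: topology, events and the weighted sums over several services/hosts are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Attack:
    t: int         # time slot
    service: str   # s: attacked service
    kind: str      # k: attack category
    severity: int  # d: severity grade (constructed scale 0..3)

@dataclass(frozen=True)
class Host:
    name: str
    services: dict   # service -> V_s, the service's weight among the host's services
    measures: tuple  # (SM name, W_s attribute-importance weight, ed influence degree)

def service_situation(attacks, s, t):
    """R_service(s, t) = N(t) * 10^d(t); d(t) is the worst severity seen at t (assumption)."""
    hits = [a for a in attacks if a.service == s and a.t == t]
    return len(hits) * 10 ** max(a.severity for a in hits) if hits else 0.0

def host_defence(host):
    """DF_Host = sum over running security measures SM of W_s * ed (summation is an assumption)."""
    return sum(w_s * ed for _, w_s, ed in host.measures)

def host_situation(attacks, host, t):
    """R_Host = sum_s V_s * R_service(s, t) / DF_Host: stronger defence lowers the value."""
    df = host_defence(host)
    if df <= 0:
        raise ValueError(f"{host.name}: no effective security measure, DF_Host would be 0")
    return sum(v * service_situation(attacks, s, t) for s, v in host.services.items()) / df

def network_situation(attacks, hosts, host_weights, t):
    """R_Network = sum_H W_H * R_Host(t), W_H being each host's importance in the LAN."""
    return sum(host_weights[h.name] * host_situation(attacks, h, t) for h in hosts)

def assess(attacks, hosts, host_weights, t, standard=50.0):
    """Return (R_Network, respond): exceeding the standard state triggers the autonomic response."""
    r = network_situation(attacks, hosts, host_weights, t)
    return r, r > standard

# Constructed sample LAN: a web host running two services and a database host.
HOSTS = (
    Host("web", {"http": 0.7, "ssh": 0.3}, (("firewall", 0.6, 0.8), ("antivirus", 0.4, 0.5))),
    Host("db", {"mysql": 1.0}, (("acl", 0.5, 0.9),)),
)
HOST_WEIGHTS = {"web": 0.4, "db": 0.6}
ATTACKS = [Attack(1, "http", "sqli", 2), Attack(1, "http", "xss", 1),
           Attack(1, "ssh", "scan", 0), Attack(2, "mysql", "bruteforce", 3)]
```

Because severity enters as 10^d(t), one severity-3 event on the database host at t=2 outweighs the three lower-grade events on the web host at t=1 by more than an order of magnitude.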
6. The network security situation sensing system based on Autonomic computing, characterised in that the concrete prediction steps of the Situation Prediction module are as follows:
Step 1: according to the historical and current situation value information, define a multiple-input single-output situation prediction function $F(\hat{y}^p_m \mid V)$ for the service, host and network system, with the corresponding error function G(V):
$F(\hat{y}^p_m \mid V) = \left(2\pi \left| k y_m \right|\right)^{-1/2} \exp\left( -\frac{(y^p_m - \hat{y}^p_m)^T (y^p_m - \hat{y}^p_m)}{2 k y_m} \right)$
$G(V) = \sum_{m=1}^{N_p} \frac{(y^p_m - \hat{y}^p_m)^T (y^p_m - \hat{y}^p_m)}{k y_m}$
where k is the kind of attack the service is subject to; y_m is the desired output corresponding to the m-th input neuron, m = 1, 2, 3, ..., N_p; y^p_m and \hat{y}^p_m are the actual output and the desired output of the m-th neuron of the p-th layer respectively, corresponding to the situation prediction values; the remaining parameter in the formula is the flow parameter of each single-point input communication process; V stands for the attack severity d, the service weight V_s and the host importance weight W_H of the situation assessment hierarchical model, respectively;
Step 2: train the neural network established in step 1 so that the fitness deviation tends to zero, adjust the weights of the specified parameters by self-learning, find the optimal parameter combination, and finally output the trained situation prediction curve.
7. The processing method of a network security situation sensing system based on Autonomic computing, characterised in that:
Step 1: the Agent collaborative layer module processes the data provided by the Managed Resource using the multi-attribute auction method and finally passes the information to the autonomic manager module;
Step 2: the autonomic manager module processes the data information provided by the Agent collaborative layer module;
Step 3: the situation extraction module extracts attack behaviour features; if abnormal behaviour occurs that does not match the attack behaviour features in the knowledge base module, the autonomic response module is invoked to respond: according to the pattern matching knowledge and plan knowledge in the knowledge base module, it autonomously adjusts the system environment so that it can adapt to environmental change dynamically, achieving dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters, and then enters the situation assessment stage, i.e. step 4; if no unknown attack behaviour occurs, the situation assessment stage, i.e. step 4, is entered directly;
Step 4: according to the situation elements extracted in claim 4, the analytic hierarchy process (AHP) is used to layer the network system, thereby realising the analysis and evaluation of the current network security situation; if the situation value information does not satisfy the strategy knowledge in the situation knowledge base module, the autonomic response module responds and autonomously adjusts the system environment so that it can adapt to environmental change dynamically, and then step 5 is entered; if it is satisfied, step 5 is entered directly;
Step 5: the future network security situation is predicted from the historical information and current state of the network security situation; the optimal parameter combination is found and the trained situation prediction curve is finally output.
CN201210275986.4A 2012-08-06 2012-08-06 A kind of network security situation sensing system based on Autonomic computing and processing method thereof Active CN102821007B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210275986.4A CN102821007B (en) 2012-08-06 2012-08-06 A kind of network security situation sensing system based on Autonomic computing and processing method thereof

Publications (2)

Publication Number Publication Date
CN102821007A CN102821007A (en) 2012-12-12
CN102821007B true CN102821007B (en) 2016-12-21

Family

ID=47304878

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210275986.4A Active CN102821007B (en) 2012-08-06 2012-08-06 A kind of network security situation sensing system based on Autonomic computing and processing method thereof

Country Status (1)

Country Link
CN (1) CN102821007B (en)




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20191106

Address after: Room 202, building 3-1, Science Park, Luoyang National University, Longyu Road, Jianxi District, Luoyang area, China (Henan) pilot free trade zone 471000

Patentee after: Henan gunz Information Technology Co., Ltd

Address before: 471000 Xiyuan Road, Jianxi District, Henan, No. 48, No.

Patentee before: Henan University of Science and Technology
