CN102821007B - A kind of network security situation sensing system based on Autonomic computing and processing method thereof - Google Patents
Publication number: CN102821007B
Application number: CN201210275986.4A
Authority: CN (China)
Prior art keywords: module, situation, network, service, security
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes: Computer And Data Communications (AREA)
Abstract
A network security situation awareness system based on autonomic computing, and a processing method for it. The system comprises managed resources, an Agent coordination layer module, a sensor and effector module, and an autonomic manager module. The Agent coordination layer module connects the managed resources and the autonomic manager module; the sensor and effector module connects to the Agent coordination layer module and to the autonomic manager module respectively. The invention improves the system structure and the situation extraction used for situation awareness, and autonomously regulates the system environment so that it can adapt dynamically to environmental change, achieving dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters.
Description
Technical field
The present invention relates to the technical field of network security, specifically to a network security situation awareness system based on autonomic computing and its technical scheme.
Background technology
With the spread of networks, the threats they face keep growing, and computer viruses, trojan horse programs and DoS/DDoS attacks are increasingly rampant. The technologies currently used to keep networks operating securely, such as intrusion detection, firewalls and virus detection, are passive means of defence: they can only examine part of the system, and the information they obtain is not correlated. Against this background, since the concept of network security situation awareness [1] was proposed in 2000, research on related models and methods has rapidly become a new research focus.
Network security situation awareness is a new technology that arose in response to the demand for network security monitoring. In the network security field many fusion structures have been built for intrusion detection; among them the framework proposed by Bass [1], which performs data fusion over the distributed multi-sensors of intrusion detection systems, is fairly typical and generally accepted by the industry. The structure has five layers: data extraction, attack object identification, situation assessment, threat assessment and resource management. The layers build on one another and embody the progression "data -> information -> knowledge". The data layer is mainly responsible for extracting useful data from security devices such as intrusion detection sensors and sniffers. The attack object identification layer calibrates in time and space the various items acquired by the data layer and performs correlation preprocessing to recognise attacks. The situation assessment layer is a process of dynamic, intelligent reasoning: by analysing the relationships between the attacks identified by the attack object identification layer, it assesses the current security situation of the whole network. The threat assessment layer builds on the situation assessment layer; it evaluates the destructive capability of malicious attacks and the threat level to the whole network, its task being to assess how frequently attacks occur and how much they threaten the network. The resource management layer tracks and evaluates the running state of the whole fusion system, directs the allocation of the fusion system, accepts and carries out the tasks of the threat assessment layer, and plans and coordinates cooperation with other security devices.
On perception and assessment strategy, document [2] proposes an immunity-based network security situation awareness method. It uses an immunity-based intrusion detection model as the basis of situation awareness to detect known and unknown intrusions in the network; it analyses the network security situation quantitatively according to the correspondence between changes in antibody concentration in the immune system and the pathogen intrusion rate, and predicts the network security situation with the Grey-Markov method. Artificial immune technology is thereby applied to network security situation awareness: by identifying malicious attack behaviour, the method achieves real-time quantitative analysis and prediction of the current security situation of a network system and its future trend, gives the network information system the same self-learning and adaptive properties as an immune system, and so strengthens the immunity and survivability of the system and mitigates the harm caused by network attacks. It gives administrators a basis for formulating accurate response decisions and thus improves the emergency response capability of the network information system.
Document [3] proposes, for the first time, a quantitative network security situation awareness method based on CRFs (Conditional Random Fields). The method takes the alert information of intrusion detection systems as the elements of network security situation awareness, combines it with host vulnerabilities and state, defines a network security threat degree that better reflects network risk, classifies attacks and performs effective feature selection; it reflects network risk well and quantifies the network security situation.
Document [4] identifies the complementary correlations between attack factors, correlates the attack factors using fuzzy data fusion, and uses statistical techniques to fuse the situation at three levels (service, host and network), proposing a security situation evaluation method for networked systems based on fuzzy information fusion.
Document [5] proposes using Honeynets to assess the Internet security situation: Honeynets collect a large amount of network intrusion information, from which the security situation of the current network can be analysed.
Prior art one related to the present invention
2.1 Technical scheme of prior art one
Document [6] proposes a network security situation awareness technical scheme based on a Markov game model. A Markov game combines game theory with the Markov decision process (MDP) and considers the decisions of multiple participants. The security data detected by multiple sensors is fused to obtain normalised data on assets, threats and vulnerabilities; for each threat, its propagation pattern is analysed and a corresponding threat propagation network is built. By analysing the behaviour of threats, administrators and ordinary users, a three-party Markov game model is established, and the related algorithms are optimised so that the evaluation can run in real time. The Markov game model can dynamically evaluate the system's security situation, give the administrator the best hardening scheme and effectively suppress the spread of threats.
The system framework proposed by this scheme detects the various security information of the network system through multiple sensors, assesses the security situation and its trend according to the situation awareness model, and provides a security hardening scheme. It mainly comprises the following modules:
1) Data acquisition: detects the running state of the network system through multiple sensors and collects a large amount of raw security data;
2) Situation understanding: analyses the raw data using methods such as normalisation analysis, redundancy detection and conflict detection, obtaining a normalised data set;
3) Situation assessment: uses the situation assessment algorithm to analyse the data from the situation understanding module and describe the system's security situation quantitatively;
4) Situation prediction: uses the situation prediction algorithm to analyse how the situation changes and predict the trend of the system's security situation;
5) Hardening scheme generation: analyses the weakest nodes of the system and provides a hardening scheme that guides the administrator in improving system security.
Following the system framework, the scheme gives a situation awareness flow divided into two parts: quantitative situation assessment based on Markov game analysis, and situation prediction based on time series analysis.
Quantitative situation assessment is the core of situation awareness. First, the security data detected by the data acquisition module is fused and classified into an asset set, a threat set, a vulnerability set and network structure information; these data are stored in a database in the normalised data set format and can be accessed and modified in real time. A threat propagation network (TPN) is then built for each threat in the threat set. Next, Markov game analysis is performed on the behaviour of the threat, the administrator and ordinary users to assess the confidentiality situation of a single threat and give the best hardening scheme. Finally, the confidentiality situations of all threats in the threat set are analysed together to assess the system's confidentiality situation. The system's integrity situation and availability situation are assessed in the same way, and the confidentiality, integrity and availability situations are weighted according to the application background and requirements to assess the security situation of the whole system in its current state.
Situation prediction builds on the situation assessment results. The system's security situations at different times are correlated, and this correlation can be exploited with time series analysis to analyse how the situation changes and predict the system's security situation.
2.2 Shortcomings of prior art one
The security hardening scheme provided by the network security situation awareness scheme based on the Markov game model can identify well the nodes and paths where a given threat does the most harm, effectively suppresses the spread of threats and improves system security. But the scheme has the following shortcomings:
1) The complexity of the threat propagation network makes the state space very large, so assessment of large-scale networks is inefficient and needs some approximation, and the approximation may affect the accuracy of the assessment result.
2) Because attackers' means are changeable and cunning, attack strategies and defence countermeasures are hard to control when this method is used for situation assessment, and it is difficult to realise in practice.
3) The effect of defence mechanisms on the overall network security state is not considered; the security situation of the whole network is assessed only from the attack or vulnerability angle. The whole situation awareness process also lacks adaptivity.
Prior art two related to the present invention
3.1 Technical scheme of prior art two
Document [7] proposes a hierarchical quantitative evaluation scheme for network security threat situation. Using IDS alert information and network performance indicators, and according to the importance of services and hosts and the organisational structure of the network system, it proposes a hierarchical quantitative evaluation model of network security threat situation with a bottom-up, local-first-then-global evaluation strategy, together with the corresponding calculation method. On the basis of statistics on alert frequency, alert severity and network bandwidth usage, it weights the importance factors of services and hosts, calculates the threat indices of services, hosts and the whole network system, and then analyses and evaluates the security threat situation. On the one hand this frees administrators from analysing massive logs and gives them an intuitive security threat situation graph, so that they gain a macroscopic understanding of the system's security threat state; on the other hand, security trends and patterns can be found from the situation graph, so that the system's security policy can be adjusted and the security of the network system improved.
A real system can be decomposed by scale and hierarchy into three levels: system, host and service. Most attacks target a particular service on a host in the system. Using system decomposition according to the system's organisational structure, the scheme proposes the hierarchical quantitative evaluation model of network system security threat situation shown in Fig. 1. From top to bottom it has four levels (network system, host, service and attack/vulnerability), and it adopts a "bottom-up, local first, then global" evaluation strategy. With IDS alerts and vulnerability information as raw data, combined with network resource consumption, it finds the threat situation of each service provided by each host: at the attack layer it statistically analyses attack severity, attack frequency and network bandwidth occupancy, and then assesses the security threat state of the corresponding service. On this basis, the security state of each host in the network system is assessed comprehensively. Finally, the security threat situation of the whole LAN system is assessed according to the network architecture.
In Fig. 4, the attack layer contains the attacks that a classic network IDS can detect, mainly three classes: probing, privilege escalation and DoS. DoS attacks (A1, ..., Am) exploit defects in protocol design and exhaust network resources by continuously sending large numbers of datagrams to the target host, making services unavailable; that is, a DoS attack threatens the security of all services of the system.
3.2 Shortcomings of prior art two
The hierarchical quantitative evaluation model of network security threat situation proposed by this scheme directly provides the security threat situation at three levels (whole network system, host and service), so that network administrators can understand the system's security situation in time, find the cause of changes in security, and adjust the security policy to maximise system security. It has been applied well in the Net-Keeper system. However, the scheme still has the following deficiencies:
1) The analysis of the security threat situation assessment system is based on network intrusion detection sensor alert logs and network bandwidth occupancy, but this information cannot fully reflect the attack behaviour of hackers.
2) The analytic hierarchy process (AHP) used has, to some degree, problems such as index weights being set too subjectively and absolutely, and consistency correction relying too much on outside participation.
3) It does not address how to incorporate autonomic features, obtaining changes from the system's current state, security and environment parameters, so as to configure the network security situation awareness system and dynamically adjust the corresponding running parameters to achieve true adaptivity.
Summary of the invention
To solve the above technical problems, the present invention designs a kind of testing machine that can accurately measure lubricating oil drawing force; it improves the system structure and the situation extraction used for situation awareness, and autonomously regulates the system environment so that it can adapt dynamically to environmental change, achieving dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters.
The technical scheme adopted by the present invention to remedy the above deficiencies is: a network security situation awareness system based on autonomic computing, comprising managed resources, an Agent coordination layer module, a sensor and effector module and an autonomic manager module. The Agent coordination layer module connects the managed resources and the autonomic manager module, and the sensor and effector module connects to the Agent coordination layer module and the autonomic manager module respectively.
The Agent coordination layer module captures managed resource information, preprocesses it, removes redundancy and finally passes the information to the autonomic manager module; it receives feedback from the autonomic manager module and autonomously regulates the system environment so that it can adapt dynamically to environmental change, achieving dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters;
The sensor and effector module connects to the Agent coordination layer module; it needs to define a unified standard interface to provide communication between the software and hardware supplied by different vendors, shielding the heterogeneity that arises from differences in internal structure.
The autonomic manager module of the present invention comprises a knowledge base module, a situation extraction module, a situation prediction module and an autonomous response module.
The knowledge base module contains state judgment knowledge, planning knowledge, problem solving knowledge and pattern matching knowledge, and provides knowledge support to the situation extraction module, the situation prediction module and the autonomous response module;
The situation extraction module extracts effective situation information, i.e. attack factors;
The situation assessment module connects to the situation extraction module; by identifying the security events in the situation information and, according to the correlations between them, calculating the threats to services, hosts and the network, it analyses the current network security situation;
The situation prediction module connects to the situation assessment module and predicts the future network security situation from the past and current network security situation;
The autonomous response module responds in real time to the behaviour features extracted by the situation extraction module, according to the planning knowledge and problem solving knowledge in the knowledge base, and autonomously regulates the situation values produced by situation assessment.
The situation extraction module of the present invention comprises a network security data source integration platform module, an anomaly module and an autonomic associative learning module.
The network security data source integration platform module performs integrated processing of multi-source heterogeneous data and provides data support for upper-layer modules;
The anomaly module uses pattern matching to detect, against the abnormal behaviour library, the various attack behaviours that may exist in the network, and updates the abnormal behaviour library in real time;
The autonomic associative learning module correlates, consolidates and jointly analyses the records of attack signatures and original attack behaviour features in the abnormal behaviour library to find how security hazards form and develop; it predicts conditions that may produce anomalies and early signs of anomalies, uses diagnostic prediction and intelligent decision methods to learn attack behaviour features associatively, and adds the learning results to the abnormal behaviour library. This achieves associative learning of unknown attack behaviour and rapid extraction of effective situation information;
The cluster analysis module connects to the autonomic associative learning module and uses the dissimilarity calculation (DSimC) clustering method to cluster and discriminate the autonomic associative learning results. The feature attributes considered are mainly source/destination IP, source/destination port, detection time and attack class; the dissimilarity on each is calculated separately, and finally the overall dissimilarity is calculated;
The fusion analysis module connects to the cluster analysis module and uses exponentially weighted DS evidence theory (EWDS) to fuse the aggregated security information, further reducing the volume of security information and identifying attack behaviour.
Clustering the autonomic associative learning results with the DSimC clustering method of the present invention specifically comprises:
Step 1: warning is clustered by the method using association attributes distance to calculate;Assume there are two warningsWith, profit
Use formulaCalculate the distinctiveness ratio between the two warning;Wherein, n is to belong to during the two is reported to the police
The number of property, k represents some in n attribute,Represent attribute k weight in corresponding warning distinctiveness ratio,Represent report
AlertWithDistinctiveness ratio on attribute k;
Step 2: based on the calculated attribute distances and the thresholds set in advance, carry out the clustering and discriminant judgment.
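The two DSimC steps above, as an added example (not code from the patent). The dissimilarity formula did not survive on this page, so the weighted-average form, the per-attribute distance functions, the weights, the time window and the threshold are all assumptions; the sample alerts are constructed and use documentation address ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    time: float          # detection time in seconds
    attack_class: str


# Assumed attribute weights (they sum to 1); the page gives no values.
WEIGHTS = {"src_ip": 0.20, "dst_ip": 0.25, "src_port": 0.05,
           "dst_port": 0.15, "time": 0.15, "attack_class": 0.20}
TIME_WINDOW = 300.0      # assumed: alerts this far apart are fully dissimilar in time


def ip_dissimilarity(a, b):
    """0.0 for identical addresses, rising to 1.0 as the shared prefix shrinks."""
    diff = int(IPv4Address(a)) ^ int(IPv4Address(b))
    return diff.bit_length() / 32


def attribute_dissimilarity(x, y):
    """Step 1, first half: one dissimilarity in [0, 1] per attribute."""
    return {
        "src_ip": ip_dissimilarity(x.src_ip, y.src_ip),
        "dst_ip": ip_dissimilarity(x.dst_ip, y.dst_ip),
        "src_port": float(x.src_port != y.src_port),
        "dst_port": float(x.dst_port != y.dst_port),
        "time": min(abs(x.time - y.time) / TIME_WINDOW, 1.0),
        "attack_class": float(x.attack_class != y.attack_class),
    }


def dissimilarity(x, y, weights=WEIGHTS):
    """Step 1, second half: weighted average over the attributes (assumed form)."""
    per_attr = attribute_dissimilarity(x, y)
    return sum(w * per_attr[k] for k, w in weights.items()) / sum(weights.values())


def cluster(alerts, threshold=0.3):
    """Step 2: an alert joins the nearest cluster within the threshold, else starts one."""
    clusters = []
    for alert in sorted(alerts, key=lambda a: a.time):
        best = None
        for members in clusters:
            d = min(dissimilarity(alert, m) for m in members)
            if d <= threshold and (best is None or d < best[0]):
                best = (d, members)
        if best is None:
            clusters.append([alert])
        else:
            best[1].append(alert)
    return clusters


# Constructed sample: an SSH probe sweep and a DoS burst against a web server.
SAMPLE_ALERTS = [
    Alert("203.0.113.10", "192.0.2.5", 40001, 22, 0.0, "probe"),
    Alert("203.0.113.10", "192.0.2.5", 40002, 22, 30.0, "probe"),
    Alert("203.0.113.10", "192.0.2.6", 40003, 22, 60.0, "probe"),
    Alert("198.51.100.7", "192.0.2.80", 51000, 80, 65.0, "dos"),
    Alert("198.51.100.7", "192.0.2.80", 51001, 80, 70.0, "dos"),
]

if __name__ == "__main__":
    for i, members in enumerate(cluster(SAMPLE_ALERTS)):
        print(i, [(m.src_ip, m.dst_ip, m.attack_class) for m in members])
```

Lowering the threshold splits the probe sweep across hosts into separate clusters; raising it eventually merges unrelated activity, which is why the threshold has to be tuned against labelled alerts.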
Fusing the cluster results with EWDS in the present invention specifically comprises:
Step 1: take the clustering results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation;
Step 2: combine the evidence using DS evidence theory;
Step 3: apply the fusion decision rule based on the basic probability function to the combined basic probability assignment values to make a decision, and extract the situation elements.
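The three EWDS steps above, as an added example (not code from the patent). Dempster's rule of combination is standard; the exponential weighting form (each mass raised to the sensor's weight and renormalised), the weight derived from detection rate, and the decision thresholds are assumptions, because the page does not give the EWDS formula. Sensor masses are constructed.

```python
from itertools import product

DOS = frozenset({"dos"})
PROBE = frozenset({"probe"})
NORMAL = frozenset({"normal"})
THETA = DOS | PROBE | NORMAL     # frame of discernment ("unknown")


def exp_weight(mass, w):
    """Step 1 (assumed form): raise each mass to the power w, then renormalise.
    w = 1 leaves the evidence unchanged; w < 1 flattens it (less trusted sensor)."""
    powered = {h: m ** w for h, m in mass.items() if m > 0}
    total = sum(powered.values())
    return {h: v / total for h, v in powered.items()}


def dempster(m1, m2):
    """Step 2: Dempster's rule; conflicting mass is discarded and the rest rescaled."""
    fused, conflict = {}, 0.0
    for (a, x), (b, y) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            fused[common] = fused.get(common, 0.0) + x * y
        else:
            conflict += x * y
    if conflict >= 1.0 - 1e-12:
        raise ValueError("sources are in total conflict; evidence cannot be combined")
    return {h: v / (1.0 - conflict) for h, v in fused.items()}


def fuse(evidence):
    """evidence: list of (detection_rate, mass function) pairs, one per sensor."""
    top = max(rate for rate, _ in evidence)
    weighted = [exp_weight(mass, rate / top) for rate, mass in evidence]
    result = weighted[0]
    for mass in weighted[1:]:
        result = dempster(result, mass)
    return result


def decide(mass, eps1=0.2, eps2=0.1):
    """Step 3 (assumed thresholds): accept the top hypothesis only if it clearly
    beats the runner-up and the mass left on 'unknown' is small."""
    ranked = sorted(((m, h) for h, m in mass.items() if h != THETA),
                    key=lambda t: t[0], reverse=True)
    if not ranked:
        return None
    best_m, best_h = ranked[0]
    second = ranked[1][0] if len(ranked) > 1 else 0.0
    unknown = mass.get(THETA, 0.0)
    if best_m - second > eps1 and unknown < eps2 and best_m > unknown:
        return best_h
    return None


# Constructed evidence for one alert cluster: (detection rate, mass function).
SAMPLE_EVIDENCE = [
    (0.90, {DOS: 0.6, PROBE: 0.1, THETA: 0.3}),    # network IDS
    (0.60, {DOS: 0.5, NORMAL: 0.2, THETA: 0.3}),   # firewall log
    (0.75, {DOS: 0.7, THETA: 0.3}),                # flow monitor
]

if __name__ == "__main__":
    fused = fuse(SAMPLE_EVIDENCE)
    print({"/".join(sorted(h)): round(m, 4) for h, m in fused.items()})
    print("decision:", decide(fused))
```

When two sensors point at different attacks with equal confidence, `decide` returns `None` rather than picking one, which keeps an ambiguous cluster out of the extracted situation elements.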
The specific assessment steps of the situation assessment module of the present invention are as follows:
Step 1: layer the network system, then quantify the indicators of each layer. The network system is divided into a network layer, a host layer and an attack-defence layer. The network layer consists of different hosts; the host layer consists of the services running on the host, its security measures and so on; the attack-defence layer mainly considers two parts, the services and the security factors running on the host;
Step 2: calculate network safety situation value at all levels, the service safe situation shape of definition t objective network
Condition is:
Wherein,For service safe situation value, s represents certain service that objective network is currently provided;K represents this
The attack kind that service is subject to;N represents the number of times of the attack suffered by service;D represents the order of severity of attack;N (t) represents t
Moment attacks the number of times occurred;D (t) represents the order of severity that t is attacked;The threat degree attacked is usedCounted
Calculating, what reflection threat degree was high attacks the influence degree to service safe situation,The biggest, illustrate to service the threat that s is subject to
Degree is the biggest;
The defensive strength of the main frame of definition t objective network is:
Wherein,For the defensive strength value on main frame,Represent security attribute weights of importance on main frame, SM
Representing the safety measure run on main frame, ed represents the SM disturbance degree relative to security attribute, whenValue the biggest, explanation
The Prevention-Security ability of main frame Host is the strongest;
The Host Security situation situation of definition t objective network is:
Wherein,For the security postures value of main frame, H represents the main frame in objective network,Represent that service is opened at main frame
Weight shared in logical all services,For service safe situation value,Represent the defensive strength on main frame, whenValue the biggest, illustrate that the threat degree suffered by main frame Host is the biggest, safety officer should draw attention, and adjusts in time
Defence policies is tackled;
The security postures situation of definition t objective network is:
Wherein,For network safety situation value,Represent main frame power of shared importance in evaluated LAN
Weight,Security postures value for main frame;WhenValue the biggest, illustrate that the threat degree suffered by network system is the biggest,
WhenValue is above standard state, and autonomous response component can respond, from main regulation system environments so that it is can dynamically fit
Answer environmental change.
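The layered assessment of steps 1 and 2, as an added example (not code from the patent). The formulas did not survive on this page, so the specific forms used here are assumptions: an attack kind contributes count times 10 to the power of its severity, defensive strength is the weighted sum of each security measure's influence, and it damps the host's threat multiplicatively. Hosts, weights and counts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    weight: float                                  # share among the host's open services
    attacks: list = field(default_factory=list)    # (count N, severity D in 1..3) per attack kind


@dataclass
class Host:
    name: str
    importance: float                              # importance within the evaluated LAN
    services: list
    measures: list                                 # (security-attribute weight, influence ed in [0, 1])


def service_situation(svc):
    """Attack-defence layer: severity enters as a power of ten (assumed), so one
    severe attack outweighs many minor ones."""
    return sum(count * 10 ** severity for count, severity in svc.attacks)


def defensive_strength(host):
    """Weighted influence of the security measures running on the host, capped at 1."""
    return min(1.0, sum(weight * ed for weight, ed in host.measures))


def host_situation(host):
    """Host layer: weighted service threat, damped by the host's defences (assumed form)."""
    raw = sum(s.weight * service_situation(s) for s in host.services)
    return raw * (1.0 - defensive_strength(host))


def network_situation(hosts):
    """Network layer: host values weighted by normalised host importance."""
    total = sum(h.importance for h in hosts)
    return sum(h.importance / total * host_situation(h) for h in hosts)


def needs_response(hosts, baseline):
    """True when the network value exceeds the normal-state baseline, the point at
    which the page has the autonomous response component step in."""
    return network_situation(hosts) > baseline


# Constructed sample network.
SAMPLE_NETWORK = [
    Host("web", 3.0,
         [Service("http", 0.7, [(20, 1), (2, 3)]),     # 20 probes, 2 severe attacks
          Service("ssh", 0.3, [(5, 2)])],
         [(0.5, 0.6), (0.5, 0.2)]),
    Host("db", 2.0,
         [Service("mysql", 1.0, [(1, 2)])],
         [(0.5, 0.8), (0.5, 0.8)]),
    Host("workstation", 1.0,
         [Service("smb", 1.0, [])],
         [(1.0, 0.5)]),
]

if __name__ == "__main__":
    for h in sorted(SAMPLE_NETWORK, key=host_situation, reverse=True):
        print(f"{h.name:12s} defence={defensive_strength(h):.2f} "
              f"situation={host_situation(h):.1f}")
    print("network:", round(network_situation(SAMPLE_NETWORK), 2))
```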
The specific prediction steps of the situation prediction module of the present invention are as follows:
Step 1: according to history and current situation value information, defines about service, main frame and the multi input list of network system
The Tendency Prediction function of outputWith corresponding error function G (V):
Wherein, k represents the attack kind that service is subject to;WithThe reality representing pth layer m-th neuron respectively is defeated
Go out and desired output, corresponding to Tendency Prediction value;For the flow parameter in each single-point input communication process, in formula, V is respectively
Represent attack order of severity d in Situation Assessment hierarchical model, service weightWith main frame weights of importance;
Step 2: train this neutral net, make fitness biasGo to zero, the weights specifying parameter are carried out certainly
Study adjusts, and finds optimum parameter combination, the Tendency Prediction curve after finally output training.
A processing method for the network security situation awareness system based on autonomic computing:
Step 1: the Agent coordination layer processes the data provided by the managed resources using the multi-attribute auction method, and finally passes the information to the autonomic manager module;
Step 2: the autonomic manager processes the data provided by the Agent coordination layer;
Step 3: the situation extraction component extracts attack behaviour features. If abnormal behaviour occurs that does not match the attack behaviour features in the knowledge base, the autonomous response component is called to respond: according to the pattern matching knowledge and planning knowledge in the knowledge base, it autonomously regulates the system environment so that it can adapt dynamically to environmental change, achieving dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters, and the method then enters the situation assessment stage, i.e. step 4. If no unknown attack behaviour occurs, the method enters the situation assessment stage, i.e. step 4, directly;
Step 4: according to the extracted situation information, the network system is layered using the analytic hierarchy process, and the current network security situation is analysed and assessed. If the situation value information does not conform to the planning knowledge in the situation knowledge base, the autonomous response component responds, autonomously regulating the system environment so that it can adapt dynamically to environmental change, and the method then enters step 5; if it conforms, the method enters step 5 directly;
Step 5: the future network security situation is predicted from the historical information and current state of the network security situation; the optimal parameter combination is found, and the trained situation prediction curve is finally output.
The multi-attribute auction method of the present invention solves problems such as resource allocation and task allocation in order to optimise system performance. The method is:
Definition multi-Attribute Auction Model
, wherein, the space that the attribute that A is all items is formed,, article under the hammer have n attribute, span is;The attribute making a be article
Vector, and,;
In auction, B is the only buyer, and B needs to buy commodity;
S is the set being made up of the seller, comprises m the seller,, each seller can provide different attribute
Article;
V: For the Attribute Weight value function (R is real number set) of B, i.e.Represent that seller B is according to attribute a
Evaluation to article;
, whereinIt is expressed as Item Cost function, thenIt is exactly that the seller is according to attribute
The Item Cost value that a calculates;
Result is conclusion of the business scheme,, whereinIt is expressed as the price struck a bargain, conclusion of the business attribute vector;Now the income of buyer B is, the sellerIncome be;
Auction flow process is divided into four steps:
Step 1: announced evaluation function by the seller(Can be otherwise varied with V);
Step 2: each seller i secretly marks asked price;
Step 3: determine the conclusion of the business seller;First the buyer determines that the alternative conclusion of the business seller gathers
(,ForAsked price), if, then
Do not strike a bargain the seller, End of Auction;If, then randomly generate as the conclusion of the business seller;And make, wherein,,, it is apparent from, wherein,;Implication directly perceived be the maximum removed after a maximum element in surplus element, such as,;Implication directly perceived be except the conclusion of the business sellerOutside the highest price of other sellers;
Step 4: proposed conclusion of the business scheme by the conclusion of the business seller, legal motion needs to meet, strike a bargain
The seller strikes a bargain with this scheme that strikes a bargain with the buyer, End of Auction.
The beneficial effects of the present invention are:
1. The invention gives the system good adaptivity: it can obtain situation information effectively, understand the network's current security situation accurately and predict the future network security situation quickly, adapt dynamically and intelligently to complex environments, and effectively guide future autonomous decision-making. This lightens the administrator's burden, reduces management cost and further addresses the complexity of network security management.
2. The defence mechanism is strong and there is strong control in the situation assessment stage; the security situation of the whole network can be assessed from all directions, with good adaptivity.
Description of the drawings
Fig. 1 is a structural diagram of the present invention;
Fig. 2 is the situation extraction flow chart of the present invention;
Fig. 3 is a structural diagram of the network system layering of the present invention;
Fig. 4 is a structural diagram of the hierarchical network system security threat situation assessment model of the present invention.
Detailed description of the invention
The system includes the following modules:
Managed Resource (MR) module: mainly comprises multiple distributed data sources such as databases, application modules, routers, server and host logs, firewall alert information and network packets. The MRs are uniformly scheduled and managed by the Agent collaboration layer.
Agent collaboration layer module: connected to the MR module. For different types of MR, different intelligent Agents provide data support to the autonomic manager; each of these Agents is an entity that can run independently. An Agent entity captures MR information, preprocesses it to remove redundancy, and finally passes the information to the autonomic manager (Autonomic Manager, AM). At the same time, the Agent collaboration layer receives feedback from the AM and autonomously adjusts the system environment so that it can adapt dynamically to environmental changes, achieving dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters.
Sensor and effector module: connected to the Agent collaboration layer module. A unified standard interface must be defined to enable communication between software and hardware supplied by different vendors and to mask the heterogeneity that arises from differences in internal structure.
Situation extraction module: extracts effective situation information, i.e. attack factors.
Situation assessment module: connected to the situation extraction module. By identifying the security events in the situation information and using the association relationships between them, it calculates the threats to services, hosts and the network, and thereby analyses the current network security situation.
Situation prediction module: connected to the situation assessment module. It predicts the future network security situation from the past and current network security situation.
Autonomous response module: according to Kp and Ks in the knowledge base, it responds in real time to the behavior features extracted by the situation extraction module and autonomously adjusts the assessed situation value.
As shown in the figure, which is the situation extraction flow chart of the present invention, the situation extraction module includes the following modules:
Network security data source integration platform module: integrates multi-source heterogeneous data and represents it uniformly as XML, providing data support for the upper-layer modules. The data mainly include alert information from security devices such as intrusion detection systems (IDS) and firewalls, system log information, and so on.
Anomaly detection module: uses pattern-matching technology to detect, against the abnormal behavior library, the various attack behaviors that may be present in the network, and updates the abnormal behavior library in real time.
Autonomic associative learning module: associates, integrates and comprehensively analyses attack features against the records of original attack behavior features in the abnormal behavior library, to find how potential security hazards form and develop; predicts conditions that may give rise to anomalies and early signs of anomaly; uses diagnostic prediction and intelligent decision methods to carry out autonomic associative learning of attack behavior features, and adds the learning results to the abnormal behavior library. This achieves associative learning of unknown attack behaviors and rapid extraction of effective situation information.
Cluster analysis module: connected to the autonomic associative learning module. It uses the dissimilarity calculation (DSimC) clustering method to cluster and discriminate the autonomic associative learning results. The feature attributes considered are mainly source/destination IP, source/destination port, detection time and attack class; the dissimilarity of each is calculated, and finally the overall dissimilarity is calculated.
Fusion analysis module: connected to the cluster analysis module. It uses exponentially weighted DS evidence theory (EWDS) to fuse the aggregated security information, further reducing the volume of security information and identifying attack behaviors.
The situation extraction process comprises the following steps:
Step A: data source integration. Multi-source heterogeneous data are integrated and represented uniformly as XML, providing data support for the upper-layer modules. The data mainly include alert information from security devices such as intrusion detection systems (IDS) and firewalls, system log information, and so on.
Step B: anomaly detection. Pattern-matching technology is used to detect, against the abnormal behavior library, the various attack behaviors that may be present in the network, and the abnormal behavior library is updated in real time.
Step C: autonomic associative learning. Attack features are associated, integrated and comprehensively analysed against the records of original attack behavior features in the abnormal behavior library, to find how potential security hazards form and develop; conditions that may give rise to anomalies and early signs of anomaly are predicted; diagnostic prediction and intelligent decision methods are used to carry out autonomic associative learning of attack behavior features, and the learning results are added to the abnormal behavior library. This achieves associative learning of unknown attack behaviors and rapid extraction of effective situation information.
Step D: perform cluster analysis on the autonomic associative learning results, specifically as follows:
Step D1: cluster the alerts using correlated-attribute distance calculation. Suppose there are two alerts $A_i$ and $A_j$; the dissimilarity between the two alerts is calculated with the formula; where n is the number of attributes in the two alerts, k denotes one of the n attributes, $w_k$ denotes the weight of attribute k in the corresponding alert dissimilarity, and denotes the dissimilarity of alerts $A_i$ and $A_j$ on attribute k.
Step D2: based on the correlated-attribute distance calculation and the thresholds set in advance, make the clustering discrimination decision.
Step E: fuse the cluster results using EWDS, specifically including:
Step E1: take the clustered results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation.
Step E2: combine the evidence using DS evidence theory.
Step E3: apply the fusion decision rule based on the basic probability function to the combined basic probability assignment values to make the decision, and extract the situation elements.
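Steps E1 to E3 as an added Python example (not code from the patent): sensor weights are derived from detection rates, the evidence is combined with Dempster's rule, and a decision is taken on the fused basic probability assignment. The page names EWDS without giving its formula, so raising each mass to the sensor's weight inside the combination, the weight scaling, the decision thresholds and all sample values are assumptions.

```python
"""Exponentially weighted Dempster-Shafer fusion of per-sensor evidence.
Added illustration: weighting form, thresholds and sample masses are assumed."""
from itertools import product

A, B = "ssh-bruteforce", "port-scan"        # constructed hypotheses
FA, FB = frozenset({A}), frozenset({B})
THETA = frozenset({A, B})                    # whole frame = "cannot tell"


def sensor_weights(detection_rates):
    """Step E1: scale detection rates so the most reliable sensor has weight 1."""
    top = max(detection_rates.values())
    return {s: r / top for s, r in detection_rates.items()}


def ewds_combine(evidence, weights):
    """Step E2: Dempster's rule over all sensors, each mass raised to the
    sensor's weight (assumed form). With every weight at 1 this is the
    classic rule. Conflicting combinations are dropped and renormalised away."""
    sensors = list(evidence)
    fused, total = {}, 0.0
    for combo in product(*(evidence[s].items() for s in sensors)):
        inter = frozenset.intersection(*(focal for focal, _ in combo))
        if not inter:
            continue
        mass = 1.0
        for s, (_, m) in zip(sensors, combo):
            mass *= m ** weights[s]
        fused[inter] = fused.get(inter, 0.0) + mass
        total += mass
    if total == 0.0:
        raise ValueError("total conflict: evidence cannot be combined")
    return {focal: m / total for focal, m in fused.items()}


def decide(fused, theta=THETA, min_margin=0.3, max_unknown=0.1):
    """Step E3: accept the top hypothesis only if it leads the runner-up by
    min_margin and the mass left on the whole frame is small (assumed rule)."""
    singles = sorted(((m, next(iter(f))) for f, m in fused.items()
                      if len(f) == 1), reverse=True)
    if not singles:
        return None
    best_mass, best = singles[0]
    second = singles[1][0] if len(singles) > 1 else 0.0
    unknown = fused.get(theta, 0.0)
    if best_mass - second > min_margin and unknown < max_unknown \
            and best_mass > unknown:
        return best
    return None


# Constructed evidence for one alert cluster: two sensors point at A, a
# low-detection-rate host-log sensor points at B.
EVIDENCE = {
    "ids":      {FA: 0.7, FB: 0.1, THETA: 0.2},
    "firewall": {FA: 0.6, FB: 0.1, THETA: 0.3},
    "hostlog":  {FA: 0.1, FB: 0.8, THETA: 0.1},
}
DETECTION_RATES = {"ids": 0.9, "firewall": 0.9, "hostlog": 0.45}


def run():
    """Return (weighted fusion, unweighted fusion) for the sample evidence."""
    weighted = ewds_combine(EVIDENCE, sensor_weights(DETECTION_RATES))
    plain = ewds_combine(EVIDENCE, {s: 1.0 for s in EVIDENCE})
    return weighted, plain


if __name__ == "__main__":
    for label, fused in zip(("weighted", "unweighted"), run()):
        print(label, {"/".join(sorted(f)): round(m, 4) for f, m in fused.items()},
              "->", decide(fused))
```

With the unweighted rule the dissenting low-rate sensor keeps the result below the decision margin; with the weights applied the same evidence yields a decision.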
As shown in the figure, which is the hierarchy diagram of the network system, the quantitative calculation for each layer proceeds as follows:
Step A: layer the network system, then quantify the layered indexes. The network system is divided into a network layer, a host layer and an attack-defense layer. The network layer is made up of the different hosts; the host layer is made up of the running services, the security measures and so on; the attack-defense layer mainly considers two parts, the services running on the host and the security factors.
Step B: calculate the network security situation value at each level.
Step B1: calculate the service security situation of the target network. The security situation of a service is related to the normal access volume of the service, the attack intensity and the attack threat degree. The quantitative formula is as follows:
$R_{service}(s, k, N, d, t) = N(t) \cdot 10^{d(t)}$
where $R_{service}$ is the service security situation value; s denotes a service currently provided by the target network; k denotes the kind of attack the service suffers; N denotes the number of attacks on the service; d denotes the severity of the attack; N(t) denotes the number of attacks occurring at time t; d(t) denotes the severity of the attack at time t. The threat degree of an attack is calculated as $10^{d(t)}$, which is intended to better reflect the influence of high-threat attacks on the service security situation. The larger $R_{service}$ is, the greater the threat to service s.
Step B2: calculate the host security situation of the target network.
Step B21: calculate the defensive strength of the target network. Defensive strength is related to the degree of influence that the security measures running on the host have on the host's security attributes, and to the importance of those security attributes on the host. The formula is as follows:
$DF_{Host}(W_s, SM, ed, t) = W_s \cdot ed(t)$
where $DF_{Host}$ is the defensive strength value of the host; $W_s$ denotes the importance weight of a security attribute on the host; SM denotes the security measures running on the host; ed denotes the degree of influence of SM on the security attribute. The larger $DF_{Host}$ is, the stronger the security defense capability of the host.
Step B22: calculate the host security situation of the target network. It is quantified from the security situation of the services running at time t and the defensive strength of the host, with the formula as follows:
$R_{Host}(H, V_s, R_{service}, t) = V_s \cdot R_{service}(t) / DF_{Host}$
where $R_{Host}$ is the security situation value of the host; H denotes a host in the target network; $V_s$ denotes the weight of the service among all the services opened on the host; $R_{service}$ is the service security situation value; $DF_{Host}$ denotes the defensive strength of the host. The larger $R_{Host}$ is, the greater the threat to the host; the security administrator should take notice and adjust the defense policy in time to respond.
Step C: calculate the security situation of the target network at time t. The network security situation at time t is related to the host security situation at that time. The quantitative formula is as follows:
$R_{Network}(W_H, R_{Host}, t) = W_H \cdot R_{Host}(t)$
where $R_{Network}$ is the network security situation value; $W_H$ denotes the importance weight of the host within the evaluated LAN; $R_{Host}$ is the security situation value of the host. The larger $R_{Network}$ is, the greater the threat to the network system; at that point the autonomous response component responds and autonomously adjusts the system environment so that it can adapt dynamically to environmental changes.
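The three-level calculation above, worked through in an added Python example (not code from the patent) using the four formulas stated in the claims of this document. Summing the products over attack kinds, services, security attributes and hosts is an assumption (the claims show single products), and all hosts, services and numbers are constructed.

```python
"""Hierarchical situation values: service -> host -> network.
Added illustration; the summations and all sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    weight: float                         # V_s: share among the host's services
    attacks: dict[str, tuple[int, int]]   # attack kind k -> (N(t), d(t))


@dataclass
class Host:
    name: str
    weight: float                         # W_H: importance within the LAN
    services: list[Service]
    measures: list[tuple[float, float]]   # per security attribute: (W_s, ed(t))


def r_service(svc: Service) -> float:
    """R_service = N(t) * 10^d(t), summed over attack kinds (assumed sum)."""
    return float(sum(n * 10 ** d for n, d in svc.attacks.values()))


def df_host(host: Host) -> float:
    """DF_Host = W_s * ed(t), summed over security attributes (assumed sum)."""
    return sum(ws * ed for ws, ed in host.measures)


def r_host(host: Host) -> float:
    """R_Host = V_s * R_service(t) / DF_Host, summed over services."""
    defense = df_host(host)
    if defense <= 0:
        # No effective security measure: the quotient is undefined, so fail
        # loudly instead of returning an arbitrary number.
        raise ValueError(f"{host.name}: defensive strength must be positive")
    return sum(s.weight * r_service(s) for s in host.services) / defense


def r_network(hosts: list[Host]) -> float:
    """R_Network = W_H * R_Host(t), summed over hosts."""
    return sum(h.weight * r_host(h) for h in hosts)


def rank_hosts(hosts: list[Host]) -> list[str]:
    """Host names ordered by descending situation value, for triage."""
    return [h.name for h in sorted(hosts, key=r_host, reverse=True)]


# Constructed sample network at one time t (severity d on a 1..3 scale).
WEB = Host(
    name="web-01", weight=0.6,
    services=[
        Service("http", 0.7, {"sql-injection": (3, 2), "scan": (20, 1)}),
        Service("ssh", 0.3, {"bruteforce": (50, 1)}),
    ],
    measures=[(0.5, 0.8), (0.3, 0.5), (0.2, 0.5)],
)
DB = Host(
    name="db-01", weight=0.4,
    services=[Service("mysql", 1.0, {"scan": (5, 1)})],
    measures=[(0.5, 1.0), (0.5, 1.0)],
)
NETWORK = [WEB, DB]

if __name__ == "__main__":
    for h in NETWORK:
        print(h.name, "DF =", round(df_host(h), 3), "R_Host =", round(r_host(h), 2))
    print("R_Network =", round(r_network(NETWORK), 2), "ranking:", rank_hosts(NETWORK))
```

Because severity enters as a power of ten, a single severity-3 event outweighs fifty severity-1 events, which is the effect the text attributes to the $10^{d(t)}$ term.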
The security situation of the network is predicted, specifically as follows:
Step 1: from the historical and current situation values, define the multiple-input single-output situation prediction function for services, hosts and the network system, together with the corresponding error function G(V):
where k denotes the kind of attack the service suffers; and denote respectively the actual output and the desired output of the m-th neuron of layer p, corresponding to the situation prediction value; is the flow parameter in each single-point input propagation process; in the formula, V denotes respectively the attack severity d, the service weight and the host importance weight in the hierarchical situation assessment model.
Step 2: train this neural network so that the fitness deviation tends to zero; adjust the weights of the specified parameters by self-learning, find the optimal parameter combination, and finally output the trained situation prediction curve.
To achieve the above objects, the present invention provides a network security situation awareness method based on autonomic computing, characterized by comprising:
Step A: the Agent collaboration layer uses a multi-attribute auction method to process the data provided by the managed resources;
The multi-attribute auction method solves problems such as resource allocation and task allocation in order to optimise system performance. The method is:
Define the multi-attribute auction model, where A is the space formed by the attributes of all items,; the auctioned item has n attributes, with value range. Let a be the attribute vector of an item, and,.
In the auction, B is the only buyer, and B needs to buy goods.
S is the set of sellers, comprising m sellers,; each seller can provide items with different attributes.
V: is the attribute weight function of B (R is the set of real numbers), i.e. represents B's evaluation of an item according to attribute a.
, where denotes the item cost function; then is the item cost value that the seller calculates according to attribute a.
The result is a transaction scheme,, where is the transaction price and the transaction attribute vector. The payoff of buyer B is then, and the payoff of the seller is.
The auction proceeds in four steps:
Step 1: the seller announces the evaluation function (which may differ from V);
Step 2: each seller i submits a sealed asking price;
Step 3: determine the winning seller. The buyer first determines the set of candidate winning sellers (, is the asking price of); if, then no seller wins and the auction ends. If, then is generated at random as the winning seller. And let, where,,, from which it is clear that, where,. Intuitively, is the largest of the remaining elements after one maximum element has been removed, for example,. Intuitively, is the highest price among the sellers other than the winning seller.
Step 4: the winning seller proposes a transaction scheme; a valid proposal must satisfy; the winning seller and the buyer conclude the transaction under this scheme, and the auction ends.
Step B: the autonomic manager (AM) processes the data provided by the Agent collaboration layer.
In the network security situation awareness method based on autonomic computing described above, step B further includes:
Step B1: the situation extraction component extracts attack behavior features. If abnormal behavior appears that does not match the attack behavior features in the knowledge base, the autonomous response component is called to respond: according to the pattern-matching knowledge and planning knowledge in the knowledge base, it autonomously adjusts the system environment so that it can adapt dynamically to environmental changes, achieving dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters. The method then enters the situation assessment stage, i.e. step B2. If no unknown attack behavior appears, the method enters the situation assessment stage, i.e. step B2, directly;
Step B2: based on the extracted situation information, the analytic hierarchy process (AHP) is used to layer the network system and thereby analyse and assess the current network security situation. If the situation value does not conform to the planning knowledge in the situation knowledge base, the automatic response component responds and autonomously adjusts the system environment so that it can adapt dynamically to environmental changes, and the method then enters step B3; if it conforms, the method enters step B3 directly;
Step B3: predict the future network security situation from the historical information and current state of the network security situation.
In the network security situation awareness method based on autonomic computing described above, step B1 further includes:
Step B11: data source integration. Multi-source heterogeneous data are integrated and represented uniformly as XML, providing data support for the upper-layer modules. The data mainly include alert information from security devices such as intrusion detection systems (IDS) and firewalls, system log information, and so on;
Step B12: anomaly detection. Pattern-matching technology is used to detect, against the abnormal behavior library, the various attack behaviors that may be present in the network, and the abnormal behavior library is updated in real time;
Step B13: autonomic associative learning. Attack features are associated, integrated and comprehensively analysed against the records of original attack behavior features in the abnormal behavior library, to find how potential security hazards form and develop; conditions that may give rise to anomalies and early signs of anomaly are predicted; diagnostic prediction and intelligent decision methods are used to carry out autonomic associative learning of attack behavior features, and the learning results are added to the abnormal behavior library. This achieves associative learning of unknown attack behaviors and rapid extraction of effective situation information;
Step B14: perform cluster analysis on the autonomic associative learning results;
Step B15: perform fusion analysis on the cluster results.
In the network security situation awareness method based on autonomic computing described above, step B14 further includes:
B141: cluster the alerts using correlated-attribute distance calculation. The dissimilarity between alerts is calculated with the following formula, so that alerts with the same source, destination and attack type are placed in the same alert set.
Where:
n is the number of attributes in the two alerts, k denotes one of the n attributes, $w_k$ denotes the weight of attribute k in the corresponding alert dissimilarity, and denotes the dissimilarity of alerts $A_i$ and $A_j$ on attribute k.
B142: based on the correlated-attribute distance calculation and the thresholds set in advance, make the clustering discrimination decision.
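Steps B141 and B142 as an added Python example (not code from the patent): alerts are compared attribute by attribute, the per-attribute dissimilarities are combined with weights, and a preset threshold decides cluster membership. The page does not reproduce the formula, so the weighted-average form, the per-attribute measures, the weights, the threshold and the sample alerts are all assumptions.

```python
"""Threshold clustering of alerts by weighted per-attribute dissimilarity.
Added illustration; formula shape, weights, threshold and data are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    time: float       # detection time in seconds
    attack: str       # attack class reported by the sensor


def ip_dissim(a: str, b: str) -> float:
    """Fraction of the 32 IPv4 bits left after the shared leading prefix."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return diff.bit_length() / 32.0


def exact_dissim(a, b) -> float:
    """0 when equal, 1 otherwise (ports and attack class)."""
    return 0.0 if a == b else 1.0


def time_dissim(a: float, b: float, window: float = 300.0) -> float:
    """Time gap as a share of an assumed 5-minute window, capped at 1."""
    return min(abs(a - b) / window, 1.0)


# Assumed weights w_k: source, destination and attack class dominate, as the
# text says those three decide which alert set an alert belongs to.
WEIGHTS = {"src_ip": 0.25, "dst_ip": 0.25, "src_port": 0.05,
           "dst_port": 0.10, "time": 0.10, "attack": 0.25}


def dissimilarity(ai: Alert, aj: Alert, weights=WEIGHTS) -> float:
    """Weighted average of per-attribute dissimilarities, in [0, 1]."""
    per_attr = {
        "src_ip": ip_dissim(ai.src_ip, aj.src_ip),
        "dst_ip": ip_dissim(ai.dst_ip, aj.dst_ip),
        "src_port": exact_dissim(ai.src_port, aj.src_port),
        "dst_port": exact_dissim(ai.dst_port, aj.dst_port),
        "time": time_dissim(ai.time, aj.time),
        "attack": exact_dissim(ai.attack, aj.attack),
    }
    return sum(weights[k] * per_attr[k] for k in per_attr) / sum(weights.values())


def cluster(alerts, threshold: float = 0.2):
    """Single pass in time order: an alert joins the first cluster whose most
    recent member is within the threshold, otherwise it starts a new one."""
    clusters = []
    for alert in sorted(alerts, key=lambda a: a.time):
        for members in clusters:
            if dissimilarity(members[-1], alert) <= threshold:
                members.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


# Constructed alerts (documentation address ranges), as IDS and firewall
# sensors might report them for the same activity.
ALERTS = [
    Alert("203.0.113.7", "10.0.0.5", 40001, 22, 0.0, "ssh-bruteforce"),
    Alert("203.0.113.7", "10.0.0.5", 40002, 22, 20.0, "ssh-bruteforce"),
    Alert("198.51.100.9", "10.0.0.8", 51000, 80, 30.0, "sql-injection"),
    Alert("203.0.113.7", "10.0.0.5", 40003, 22, 45.0, "ssh-bruteforce"),
    Alert("198.51.100.9", "10.0.0.8", 51001, 80, 50.0, "sql-injection"),
    Alert("203.0.113.7", "10.0.0.8", 40100, 80, 60.0, "port-scan"),
]

if __name__ == "__main__":
    for i, members in enumerate(cluster(ALERTS)):
        print(i, members[0].attack, [a.time for a in members])
```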
In the network security situation awareness method based on autonomic computing described above, step B15 further includes:
B151: take the clustered results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation.
B152: combine the evidence using DS evidence theory.
B153: apply the fusion decision rule based on the basic probability function to the combined basic probability assignment values to make the decision, and extract the situation elements.
In the network security situation awareness method based on autonomic computing described above, step B2 further includes:
Step B21: layer the network system; the network system is divided into a network layer, a host layer and an attack-defense layer;
Step B22: calculate the network security situation value at each level.
In the network security situation awareness method based on autonomic computing described above, step B22 further includes:
B221: calculate the service security situation of the target network. The security situation of a service is related to the normal access volume of the service, the attack intensity and the attack threat degree. The quantitative formula is as follows:
$R_{service}(s, k, N, d, t) = N(t) \cdot 10^{d(t)}$
where $R_{service}$ is the service security situation value; s denotes a service currently provided by the target network; k denotes the kind of attack the service suffers; N denotes the number of attacks on the service; d denotes the severity of the attack; N(t) denotes the number of attacks occurring at time t; d(t) denotes the severity of the attack at time t. The threat degree of an attack is calculated as $10^{d(t)}$, which is intended to better reflect the influence of high-threat attacks on the service security situation. The larger $R_{service}$ is, the greater the threat to service s.
B222: calculate the defensive strength of the target network. Defensive strength is related to the degree of influence that the security measures running on the host have on the host's security attributes, and to the importance of those security attributes on the host. The formula is as follows:
$DF_{Host}(W_s, SM, ed, t) = W_s \cdot ed(t)$
where $DF_{Host}$ is the defensive strength value of the host; $W_s$ denotes the importance weight of a security attribute on the host; SM denotes the security measures running on the host; ed denotes the degree of influence of SM on the security attribute. The larger $DF_{Host}$ is, the stronger the security defense capability of the host.
B223: calculate the host security situation of the target network. It is quantified from the security situation of the services running at time t and the defensive strength of the host, with the formula as follows:
$R_{Host}(H, V_s, R_{service}, t) = V_s \cdot R_{service}(t) / DF_{Host}$
where $R_{Host}$ is the security situation value of the host; H denotes a host in the target network; $V_s$ denotes the weight of the service among all the services opened on the host; $R_{service}$ is the service security situation value; $DF_{Host}$ denotes the defensive strength of the host. The larger $R_{Host}$ is, the greater the threat to the host; the security administrator should take notice and adjust the defense policy in time to respond.
B224: calculate the security situation of the target network at time t. The network security situation at time t is related to the host security situation at that time. The quantitative formula is as follows:
$R_{Network}(W_H, R_{Host}, t) = W_H \cdot R_{Host}(t)$
where $R_{Network}$ is the network security situation value; $W_H$ denotes the importance weight of the host within the evaluated LAN; $R_{Host}$ is the security situation value of the host. The larger $R_{Network}$ is, the greater the threat to the network system; at that point the autonomous response component responds and autonomously adjusts the system environment so that it can adapt dynamically to environmental changes.
In the network security situation awareness method based on autonomic computing described above, step B3 further includes:
Step B31: from the historical and current situation values, define the multiple-input single-output situation prediction function for services, hosts and the network system, together with the corresponding error function G(V):
where k denotes the kind of attack the service suffers; and denote respectively the actual output and the desired output of the m-th neuron of layer p, corresponding to the situation prediction value; is the flow parameter in each single-point input propagation process; in the formula, V denotes respectively the attack severity d, the service weight and the host importance weight in the hierarchical situation assessment model.
Step B32: train this neural network so that the fitness deviation tends to zero; adjust the weights of the specified parameters by self-learning, find the optimal parameter combination, and finally output the trained situation prediction curve.
Claims (7)
1. A network security situation awareness system based on autonomic computing, characterized in that it comprises managed resources, an Agent collaboration layer module, a sensor and effector module, and an autonomic manager module; the Agent collaboration layer module connects the managed resources and the autonomic manager module, and the sensor and effector module connects to the Agent collaboration layer module and to the autonomic manager module respectively;
the Agent collaboration layer module captures managed resource information, preprocesses it to remove redundancy, and finally passes the information to the autonomic manager module; it receives feedback from the autonomic manager module and autonomously adjusts the system environment so that it can adapt dynamically to environmental changes, achieving dynamic configuration of resources, dynamic composition of services and dynamic calibration of system parameters;
the sensor and effector module is connected to the Agent collaboration layer module; a unified standard interface must be defined to enable communication between software and hardware supplied by different vendors and to mask the heterogeneity that arises from differences in internal structure;
the autonomic manager module includes a knowledge base module, a situation extraction module, a situation assessment module, a situation prediction module and an automatic response module;
the knowledge base module includes state determination knowledge, planning knowledge, problem-solving knowledge and pattern-matching knowledge, and provides knowledge support to the situation extraction module, the situation prediction module and the automatic response module;
the situation extraction module extracts effective situation information, i.e. attack factors;
the situation assessment module is connected to the situation extraction module; by identifying the security events in the situation information and using the association relationships between them, it calculates the threats to services, hosts and the network, and thereby analyses the current network security situation;
the situation prediction module is connected to the situation assessment module and predicts the future network security situation from the past and current network security situation;
the automatic response module, according to the planning knowledge and problem-solving knowledge in the knowledge base module, responds in real time to the behavior features extracted by the situation extraction module and autonomously adjusts the situation value produced by the situation assessment.
A network security situation awareness system based on autonomic computing, characterized in that the situation extraction module includes a network security data source integration platform module, an anomaly detection module, an autonomic associative learning module, a cluster analysis module and a fusion analysis module;
the network security data source integration platform module integrates multi-source heterogeneous data and provides data support for the upper-layer modules;
the anomaly detection module uses pattern-matching technology to detect, against the abnormal behavior library, the various attack behaviors that may be present in the network, and updates the abnormal behavior library in real time;
the autonomic associative learning module associates, integrates and comprehensively analyses attack features against the records of original attack behavior features in the abnormal behavior library, to find how potential security hazards form and develop; predicts conditions that may give rise to anomalies and early signs of anomaly; uses diagnostic prediction and intelligent decision methods to carry out autonomic associative learning of attack behavior features, and adds the learning results to the abnormal behavior library;
this achieves associative learning of unknown attack behaviors and rapid extraction of effective situation information;
the cluster analysis module is connected to the autonomic associative learning module and uses the dissimilarity calculation DSimC clustering method to cluster and discriminate the autonomic associative learning results;
the feature attributes considered are mainly source/destination IP, source/destination port, detection time and attack class; the dissimilarity of each is calculated, and finally the overall dissimilarity is calculated;
the fusion analysis module is connected to the cluster analysis module and uses exponentially weighted DS evidence theory EWDS to fuse the aggregated security information, further reducing the volume of security information and identifying attack behaviors.
A network security situation awareness system based on autonomic computing, characterized in that clustering the autonomic associative learning results with the DSimC clustering method specifically includes:
Step 1: cluster the alerts using correlated-attribute distance calculation;
Suppose there are two alerts $A_i$ and $A_j$; the dissimilarity between the two alerts is calculated with the formula; where n is the number of attributes in the two alerts, k denotes one of the n attributes, $w_k$ denotes the weight of attribute k in the corresponding alert dissimilarity, and denotes the dissimilarity of alerts $A_i$ and $A_j$ on attribute k;
Step 2: based on the correlated-attribute distance calculation and the thresholds set in advance, make the clustering discrimination decision.
4. The network security situation awareness system based on autonomic computing according to claim 2, characterized in that fusing the cluster results with EWDS specifically includes:
Step 1: take the clustered results as evidence, assign confidence according to the detection rates of the different sensors, and obtain the weight of each sensor according to the attack situation;
Step 2: combine the evidence using DS evidence theory;
Step 3: apply the fusion decision rule based on the basic probability function to the combined basic probability assignment values to make the decision, and extract the situation elements.
A kind of network security situation sensing system based on Autonomic computing, it is characterised in that: described
The concrete appraisal procedure of Situation Assessment module as follows:
Step 1: network system is layered, then to layering index carry out quantum chemical method, network system is divided into Internet,
Host layer and attacking and defending layer, Internet is made up of different main frames, and host layer is made up of the service run, safety measure, attacks
Anti-layer mainly considers service and the security factor two parts running on main frame;
Step 2: calculate network safety situation value at all levels, the service safe situation situation of definition t objective network is:
Rservice(s, k, N, d, t)=N (t) 10d(t)
Wherein, RserviceFor service safe situation value, s represents certain service that objective network is currently provided;K represents this service
The attack kind being subject to;N represents the number of times of the attack suffered by service;D represents the order of severity of attack;N (t) represents t
Attack the number of times occurred;D (t) represents the order of severity that t is attacked;The threat degree attacked is with 10d(t)Calculated, instead
Reflect the threat degree high attack influence degree to service safe situation, RserviceThe biggest, illustrate to service the threat degree that s is subject to
The biggest;
The defensive strength of a host of the target network at time t is defined as:

$$DF_{Host}(W_s, SM, ed, t) = W_s \cdot ed(t)$$

where $DF_{Host}$ is the defensive strength value of the host; $W_s$ is the importance weight of the security attribute on the host; $SM$ is the security measure running on the host; and $ed$ is the degree of influence of $SM$ on the security attribute. The larger $DF_{Host}$ is, the stronger the security defense capability of the host;
The host security situation of the target network at time t is defined as:

$$R_{Host}(H, V_s, R_{service}, t) = \frac{V_s \cdot R_{service}(t)}{DF_{Host}}$$

where $R_{Host}$ is the security situation value of the host; $H$ is a host in the target network; $V_s$ is the weight of the service among all services opened on the host; $R_{service}$ is the service security situation value; and $DF_{Host}$ is the defensive strength of the host. The larger $R_{Host}$ is, the greater the threat to the host; the security administrator should take note and adjust the defense policy in time to respond;
The security situation of the target network at time t is defined as:

$$R_{Network}(W_H, R_{Host}, t) = W_H \cdot R_{Host}(t)$$

where $R_{Network}$ is the network security situation value; $W_H$ is the importance weight of the host within the evaluated LAN; and $R_{Host}$ is the security situation value of the host;
The larger $R_{Network}$ is, the greater the threat to the network system. When $R_{Network}$ exceeds the normal state, the autonomous response component responds, autonomously adjusting the system environment so that it can dynamically adapt to environmental changes.
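The three-level calculation above can be run end to end as follows. This is an added example, not code from the patent: the summation over attack kinds, security measures, services and hosts, the `MIN_DEFENSE` floor, the sample hosts and the baseline of 500 are all assumptions made for illustration.

```python
# Added example: service -> host -> network scoring per the formulas above.
MIN_DEFENSE = 1e-6  # assumption: floor so a host with no measures cannot divide by zero


def service_score(attacks):
    """R_service = N(t) * 10**d(t), summed over attack kinds k (sum is assumed)."""
    return sum(count * 10 ** severity for count, severity in attacks.values())


def defense_strength(measures):
    """DF_Host = W_s * ed(t), summed over the host's security measures (assumed)."""
    return sum(w_s * ed for w_s, ed in measures.values())


def host_score(host):
    """R_Host = V_s * R_service(t) / DF_Host, summed over the host's services."""
    df_host = max(defense_strength(host["measures"]), MIN_DEFENSE)
    threat = sum(v_s * service_score(atk) for v_s, atk in host["services"].values())
    return threat / df_host


def assess(hosts, baseline):
    """R_Network = W_H * R_Host(t) over all hosts; flag when above the baseline."""
    per_host = {name: host_score(h) for name, h in hosts.items()}
    network = sum(hosts[name]["w_h"] * score for name, score in per_host.items())
    return {"hosts": per_host, "network": network, "respond": network > baseline}


# Constructed sample data: attacks are {kind k: (count N, severity d)},
# measures are {measure SM: (weight W_s, influence ed)}, services carry weight V_s.
HOSTS = {
    "web": {
        "w_h": 0.6,
        "measures": {"firewall": (0.5, 0.8), "ids": (0.5, 0.4)},
        "services": {
            "http": (0.7, {"sqli": (2, 3), "scan": (40, 1)}),
            "ssh": (0.3, {"bruteforce": (10, 2)}),
        },
    },
    "db": {
        "w_h": 0.4,
        "measures": {"firewall": (1.0, 0.5)},
        "services": {"mysql": (1.0, {"scan": (5, 1)})},
    },
}

if __name__ == "__main__":
    result = assess(HOSTS, baseline=500)  # baseline value is a constructed threshold
    for name, score in result["hosts"].items():
        print(f"{name}: R_Host = {score:.1f}")
    print(f"R_Network = {result['network']:.1f}, respond = {result['respond']}")
```

For the `http` service, the two severity-3 events contribute 2000 while the forty severity-1 scans contribute 400, which is the effect of the $10^{d(t)}$ weighting.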
A network security situation sensing system based on autonomic computing, characterized in that the specific prediction steps of said situation prediction module are as follows:
Step 1: according to historical and current situation value information, define the multiple-input single-output situation prediction function for services, hosts and the network system, and the corresponding error function G(V):
where $k$ is the kind of attack the service suffers; $y_m$ is the desired output corresponding to the m-th neuron of the input, $m = 1, 2, 3, \ldots, N_p$; and represent, respectively, the actual output and the desired output of the m-th neuron of the p-th layer, corresponding to the situation prediction value; is the flow parameter in each single-point input communication process; $V$ in the formula represents, respectively, the attack severity $d$, the service weight $V_s$ and the host importance weight $W_H$ of the hierarchical situation assessment model;
Step 2: train the neural network established in step 1 so that the fitness bias tends to zero, perform self-learning adjustment of the weights of the specified parameters, find the optimal parameter combination, and finally output the trained situation prediction curve.
A processing method of a network security situation sensing system based on autonomic computing, characterized in that:
Step 1: the Agent cooperation layer module uses a multi-attribute auction method to process the data provided by the managed resources, and finally passes the information to the autonomic manager module;
Step 2: the autonomic manager module processes the data provided by the Agent cooperation layer module;
Step 3: the situation extraction module extracts attack behavior features. If an abnormal behavior occurs that does not match the attack behavior features in the base module, the automatic response module is called to respond. According to the pattern matching knowledge and policy knowledge in the base module, the automatic response module autonomously adjusts the system environment so that it can dynamically adapt to environmental changes, realizing dynamic configuration of resources, dynamic synthesis of services and dynamic calibration of system parameters; the method then enters the situation assessment stage, i.e. step 4. If no unknown attack behavior occurs, the method enters the situation assessment stage, i.e. step 4, directly;
Step 4: based on the situation elements extracted according to claim 4, the analytic hierarchy process (AHP) is used to divide the network system into layers, and the current network security situation is then analyzed and assessed. If the situation value information does not conform to the policy knowledge in the situation base module, the automatic response module responds, autonomously adjusting the system environment so that it can dynamically adapt to environmental changes, and the method then enters step 5; if it conforms, the method enters step 5 directly;
Step 5: predict the future network security situation according to the historical information and current state of said network security situation; find the optimal parameter combination, and finally output the trained situation prediction curve.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210275986.4A CN102821007B (en) | 2012-08-06 | 2012-08-06 | A kind of network security situation sensing system based on Autonomic computing and processing method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102821007A (en) | 2012-12-12 |
CN102821007B (en) | 2016-12-21 |
Family
ID=47304878
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20191106. Address after: Room 202, building 3-1, Science Park, Luoyang National University, Longyu Road, Jianxi District, Luoyang area, China (Henan) pilot free trade zone 471000. Patentee after: Henan gunz Information Technology Co., Ltd. Address before: 471000 Xiyuan Road, Jianxi District, Henan, No. 48, No. Patentee before: Henan University of Science and Technology |