CN110493218B - Situation awareness virtualization method and device - Google Patents

Situation awareness virtualization method and device Download PDF

Info

Publication number
CN110493218B
CN110493218B CN201910757775.6A CN201910757775A CN110493218B CN 110493218 B CN110493218 B CN 110493218B CN 201910757775 A CN201910757775 A CN 201910757775A CN 110493218 B CN110493218 B CN 110493218B
Authority
CN
China
Prior art keywords
situation
data
information
single key
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910757775.6A
Other languages
Chinese (zh)
Other versions
CN110493218A (en
Inventor
段彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd filed Critical Wuhan Sipuling Technology Co Ltd
Priority to CN201910757775.6A priority Critical patent/CN110493218B/en
Publication of CN110493218A publication Critical patent/CN110493218A/en
Application granted granted Critical
Publication of CN110493218B publication Critical patent/CN110493218B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25Integrating or interfacing systems involving database management systems
    • G06F16/258Data format conversion from or to a database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/27Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/147Network analysis or design for predicting network behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/22Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Computational Linguistics (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Human Computer Interaction (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for situational awareness virtualization, which encapsulate interfaces for collecting different information sources, facilitate calling of customers, preprocessing to obtain data stream with uniform format, extracting high-frequency project group elements from the data stream, generating high-frequency association rule, sending into situation evaluation for evaluation and quantification, the situation values of single equipment and a local network are obtained through fusion with different evaluation systems and fuzzy processing of data elements, the situation value of the whole device is obtained by combining the framework composition of the whole network, the situation values of different layers are led into a neural network model for prediction, the prediction result is displayed in a visualized manner, the whole network and each single equipment are fully evaluated, each equipment and each single equipment are hierarchically associated, therefore, future devices can be scientifically predicted, and valuable reference suggestions are provided for users.

Description

Situation awareness virtualization method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for situational awareness virtualization.
Background
The situation awareness function needs to be called in the next generation of networks including car networking, internet of things, cloud networks, industrial internet and video monitoring networks, and the situation awareness platform is complex and expensive to build, so that a service provider capable of providing situation awareness service needs to virtualize situation awareness into plug-in or component, and customers can conveniently call the situation awareness.
Meanwhile, the existing situation awareness technology adopts simple situation understanding, so that a safety situation assessment result of the whole device can be obtained, a situation assessment report cannot be quantitatively given, safety situation prediction cannot be performed based on the situation assessment result, and the utilization value of the technology is very limited.
The invention is intended to not only algorithmically fully evaluate the whole network and each single device, but also establish association with each device and each layer based on given situation values, thereby scientifically predicting future devices and providing valuable reference suggestions for users.
Disclosure of Invention
The invention aims to provide a situation awareness virtualization method and device, wherein interfaces for collecting different information sources are packaged, a client can call the interfaces conveniently, a data stream with a uniform format is obtained through preprocessing, high-frequency project group elements are extracted from the data stream, high-frequency association rules are generated and sent to situation assessment for assessment and quantification, situation values of single equipment and a local network are obtained through fusion with different assessment systems and fuzzy processing of the data elements, the situation values of the whole device are obtained through combination of the situation values and the architecture composition of the whole network, the situation values of different levels are led into a neural network model for prediction, and finally prediction results are displayed visually.
In a first aspect, the present application provides a method of situational awareness virtualization, the method comprising:
the interfaces capable of receiving different information sources are virtualized into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
according to the frequent pattern tree structure, calling a distributed database, inquiring the asset situation information adjacent to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
respectively importing security situation values of a single key device, a local network and the whole network into a neural network model in a distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
and sending the security situation values of the single key equipment, the local network and the whole network, and the prediction results of the attacker source and the attack range for visual display.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the extracting elements from the merged data stream includes: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the removing redundant information in the data, converting the data format into a uniform format according to the type of the source, and processing based on Map Reduce distributed parallel computing.
With reference to the first aspect, in a third possible implementation manner of the first aspect, the fuzzy processing calculation is based on a method that combines a D-S theory and a fuzzy set, and calculates a probability that an attack is supported.
In a second aspect, the present application provides an apparatus for situational awareness virtualization, the apparatus comprising:
the external interface unit is used for virtualizing the interfaces capable of receiving different information sources into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
the situation evaluation unit is used for calling the distributed database according to the frequent pattern tree structure, inquiring the asset situation information with adjacent addresses, inquiring the asset situation information of the access object belonging to the same layer, and inquiring the asset situation information with similar flow speed and flow total; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into a neural network model in the distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
and the situation output unit is used for sending the safety situation values of the single key equipment, the local network and the whole network, the attacker source and the attack range prediction results for visual display.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the extracting, by the situation understanding unit, elements from the merged data stream includes: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the preprocessing unit removes redundant information in the data, converts the data format into a uniform format according to the type of the source, and is based on Map Reduce distributed parallel computing processing.
With reference to the second aspect, in a third possible implementation manner of the second aspect, the situation assessment unit calculates the probability of attack occurrence support based on a method that combines a D-S theory and a fuzzy set.
The invention provides a method and a device for situational awareness virtualization, which encapsulate interfaces for collecting different information sources, facilitate calling of customers, preprocessing to obtain data stream with uniform format, extracting high-frequency project group elements from the data stream, generating high-frequency association rule, sending into situation evaluation for evaluation and quantification, the situation values of single equipment and a local network are obtained through fusion with different evaluation systems and fuzzy processing of data elements, the situation value of the whole device is obtained by combining the framework composition of the whole network, the situation values of different layers are led into a neural network model for prediction, the prediction result is displayed in a visualized manner, the whole network and each single equipment are fully evaluated, each equipment and each single equipment are hierarchically associated, therefore, future devices can be scientifically predicted, and valuable reference suggestions are provided for users.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow chart of a method of context-aware virtualization of the present invention;
FIG. 2 is an architecture diagram of a situation-aware virtualization device of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings so that the advantages and features of the present invention can be more easily understood by those skilled in the art, and the scope of the present invention will be more clearly and clearly defined.
Fig. 1 is a flowchart of a method for situation-aware virtualization provided in the present application, the method including:
the interfaces capable of receiving different information sources are virtualized into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
according to the frequent pattern tree structure, calling a distributed database, inquiring the asset situation information adjacent to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
respectively importing security situation values of a single key device, a local network and the whole network into a neural network model in a distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
and sending the security situation values of the single key equipment, the local network and the whole network, and the prediction results of the attacker source and the attack range for visual display.
In some preferred embodiments, said extracting elements from the merged data stream comprises: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
In some preferred embodiments, the removing of redundant information in the data, converting the data format into a uniform format according to the type of the source, is based on Map Reduce distributed parallel computing processing.
In some preferred embodiments, the fuzzy processing calculation is based on a method of combining D-S theory and fuzzy sets, and the probability of attack occurrence support is calculated.
Fig. 2 is an architecture diagram of a situation-aware virtualization apparatus provided herein, the apparatus including:
the external interface unit is used for virtualizing the interfaces capable of receiving different information sources into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
the situation evaluation unit is used for calling the distributed database according to the frequent pattern tree structure, inquiring the asset situation information with adjacent addresses, inquiring the asset situation information of the access object belonging to the same layer, and inquiring the asset situation information with similar flow speed and flow total; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into a neural network model in the distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
and the situation output unit is used for sending the safety situation values of the single key equipment, the local network and the whole network, the attacker source and the attack range prediction results for visual display.
In some preferred embodiments, the situation understanding unit extracts elements from the merged data stream, including: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
In some preferred embodiments, the preprocessing unit removes redundant information in the data, converts the data format into a uniform format according to the type of the source, and is based on Map Reduce distributed parallel computing processing.
In some preferred embodiments, the situation assessment unit calculates the probability of attack occurrence support based on a method of combining D-S theory and fuzzy sets.
In specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program may include some or all of the steps in the embodiments of the present invention when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments of the present specification may be referred to each other. In particular, for the embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the description in the method embodiments.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (6)

1. A method of situation-aware virtualization, the method comprising:
the interfaces capable of receiving different information sources are virtualized into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
after receiving the collected data, clearing redundant information in the data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields, and combining the fields into a data stream;
extracting elements from the merged data stream, finding information of behavior action, access object, source address and instantaneous flow included in the elements, discovering high-frequency project group, generating high-frequency association rule according to the information corresponding to the high-frequency project group, increasing the corresponding weight of the high-frequency project group, and forming a frequent pattern tree structure;
according to the frequent pattern tree structure, calling a distributed database, inquiring the asset situation information adjacent to the address, inquiring the asset situation information of the same layer to which the access object belongs, and inquiring the asset situation information with similar flow speed and flow total;
judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
respectively importing security situation values of a single key device, a local network and the whole network into a neural network model in a distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
sending the security situation values of a single key device, a local network and the whole network, and the prediction results of the attacker source and the attack range for visual display;
the extracting elements from the merged data stream includes: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
2. The method according to claim 1, wherein the removing of redundant information in the data, the converting of the data format into a unified format according to the type of the source, is based on MapReduce distributed parallel computing processing.
3. The method of claim 2, wherein the fuzzy processing calculation is based on a method of combining D-S theory and fuzzy sets, and calculates the probability of attack support.
4. An apparatus of situation-aware virtualization, the apparatus comprising:
the external interface unit is used for virtualizing the interfaces capable of receiving different information sources into an external data interface, so that other networks can be conveniently called, the different information sources are mutually independent, the interfaces of other information sources cannot be found, and the corresponding interfaces are self-adaptively corresponding; acquiring running state data of sensors, information platforms and detection equipment from different sources through an external data interface;
the preprocessing unit is used for clearing redundant information in the data after receiving the acquired data, converting the data format into a uniform format according to the type of a source, dividing the uniform format into corresponding fields and combining the fields into a data stream;
the situation understanding unit is used for extracting elements from the merged data stream, finding information of behavior actions, access objects, source addresses and instantaneous flow included in the elements, discovering high-frequency project groups from the information, generating high-frequency association rules according to the information corresponding to the high-frequency project groups, increasing the corresponding weights of the high-frequency project groups and forming a frequent pattern tree structure;
the situation evaluation unit is used for calling the distributed database according to the frequent pattern tree structure, inquiring the asset situation information with adjacent addresses, inquiring the asset situation information of the access object belonging to the same layer, and inquiring the asset situation information with similar flow speed and flow total; judging whether a single key device has a security vulnerability identical to the adjacent similar assets of the address, judging whether a concurrent thread, a bandwidth, a network topology and an access frequency of the single key device have an alarm identical to the assets of the same layer, judging whether the inflow increase rate, the distribution proportion of different protocol data packets and the distribution proportion of different size data packets of the single key device have the same change identical to the assets similar to the flow speed and the flow total amount, and calculating the security situation value of the single key device;
forming a local network by a plurality of adjacent single key devices or a plurality of single key devices with service interaction, calling a distributed database again, introducing fuzzy processing according to service priority to calculate the security situation value of the local network by using the security loophole, concurrent threads, bandwidth, network topology, access frequency, inflow increase rate, data packet distribution proportion of different protocols and data packet distribution proportion of different sizes corresponding to each key device in the local network;
requesting a network topological relation from a distributed equalization server, and calculating a security situation value of the whole network through fuzzy processing according to the topological relations of a plurality of local networks;
the situation prediction unit is used for respectively importing the security situation values of the single key device, the local network and the whole network into a neural network model in the distributed equalization server, obtaining the prediction about the source and the attack range of an attacker in a future period of time through deduction of the neural network model, and returning the prediction result by the distributed equalization server;
the situation output unit is used for sending the safety situation values of the single key equipment, the local network and the whole network, the source of the attacker and the prediction result of the attack range out for visual display;
the situation understanding unit extracts elements from the merged data stream, including: and calling an evaluation model, an association rule and an index library of the past historical data, and extracting element information from corresponding fields of the data stream.
5. The apparatus of claim 4, wherein the preprocessing unit removes redundant information from the data, converts the data format into a uniform format according to the type of the source, and is based on MapReduce distributed parallel computing processing.
6. The apparatus of claim 5, wherein the situation assessment unit is configured to compute the probability of attack support based on a method combining D-S theory and fuzzy set.
CN201910757775.6A 2019-08-16 2019-08-16 Situation awareness virtualization method and device Active CN110493218B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910757775.6A CN110493218B (en) 2019-08-16 2019-08-16 Situation awareness virtualization method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910757775.6A CN110493218B (en) 2019-08-16 2019-08-16 Situation awareness virtualization method and device

Publications (2)

Publication Number Publication Date
CN110493218A CN110493218A (en) 2019-11-22
CN110493218B true CN110493218B (en) 2022-04-08

Family

ID=68549782

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910757775.6A Active CN110493218B (en) 2019-08-16 2019-08-16 Situation awareness virtualization method and device

Country Status (1)

Country Link
CN (1) CN110493218B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866027B (en) * 2020-08-10 2021-05-25 武汉思普崚技术有限公司 Asset safety assessment method and system based on intelligence analysis
CN113271321B (en) * 2021-07-20 2021-09-17 成都信息工程大学 Propagation prediction processing method and system based on network abnormal attack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263410A (en) * 2010-05-31 2011-11-30 河南省电力公司 Security risk assessment model, assessment method and assessment parameter determining method
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
WO2016172514A1 (en) * 2015-04-24 2016-10-27 Siemens Aktiengesellschaft Improving control system resilience by highly coupling security functions with control
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107404400B (en) * 2017-07-20 2020-05-19 中国电子科技集团公司第二十九研究所 Network situation awareness implementation method and device
CN108494810B (en) * 2018-06-11 2021-01-26 中国人民解放军战略支援部队信息工程大学 Attack-oriented network security situation prediction method, device and system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102263410A (en) * 2010-05-31 2011-11-30 河南省电力公司 Security risk assessment model, assessment method and assessment parameter determining method
CN102624696A (en) * 2011-12-27 2012-08-01 中国航天科工集团第二研究院七〇六所 Network security situation evaluation method
WO2016172514A1 (en) * 2015-04-24 2016-10-27 Siemens Aktiengesellschaft Improving control system resilience by highly coupling security functions with control
CN108769048A (en) * 2018-06-08 2018-11-06 武汉思普崚技术有限公司 A kind of secure visualization and Situation Awareness plateform system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于RAN-RBF神经网络的网络安全态势预测模型;甘文道等;《计算机科学》;20161115;全文 *

Also Published As

Publication number Publication date
CN110493218A (en) 2019-11-22

Similar Documents

Publication Publication Date Title
US10855545B2 (en) Centralized resource usage visualization service for large-scale network topologies
CN110445801B (en) Situation sensing method and system of Internet of things
CN110493043B (en) Distributed situation awareness calling method and device
US9647904B2 (en) Customer-directed networking limits in distributed systems
CN110474904B (en) Situation awareness method and system for improving prediction
CA3041871A1 (en) System and method for monitoring security attack chains
CN111786950B (en) Network security monitoring method, device, equipment and medium based on situation awareness
CN111586046B (en) Network traffic analysis method and system combining threat intelligence and machine learning
CN110460608B (en) Situation awareness method and system including correlation analysis
CN108989136A (en) Business end to end performance monitoring method and device
CN110493218B (en) Situation awareness virtualization method and device
CN109873790A (en) Network security detection method, device and computer readable storage medium
CN110471975B (en) Internet of things situation awareness calling method and device
CN110493217B (en) Distributed situation perception method and system
CN110493044B (en) Quantifiable situation perception method and system
CN114363212B (en) Equipment detection method, device, equipment and storage medium
JP2022000775A (en) Test method, device and apparatus for traffic flow monitoring measurement system
CN110322153A (en) Monitor event processing method and system
CN114362994A (en) Multilayer different-granularity intelligent aggregation railway system operation behavior safety risk identification method
US9471779B2 (en) Information processing system, information processing device, monitoring device, monitoring method
CN110474805B (en) Method and device for situation awareness analysis capable of being called
CN110460472B (en) Weighted quantization situation perception method and system
US20230012202A1 (en) Graph computing over micro-level and macro-level views
Zhang et al. A security monitoring method based on autonomic computing for the cloud platform
Rivera et al. Automation of network anomaly detection and mitigation with the use of IBN: A deployment case on KOREN

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant