CN111209564B - Cloud platform security state prediction method, device, equipment and storage medium - Google Patents


Info

Publication number
CN111209564B
Authority
CN
China
Prior art keywords
threat intelligence
category
intelligence data
cloud platform
time period
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010006685.6A
Other languages
Chinese (zh)
Other versions
CN111209564A (en)
Inventor
吕品树
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010006685.6A
Publication of CN111209564A
Application granted
Publication of CN111209564B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a cloud platform security state prediction method, which comprises the following steps: obtaining threat intelligence data in a set time period in the cloud platform; determining the category of each threat intelligence data in the set time period by using a trained logistic regression model, where the logistic regression model is trained on threat intelligence data from a historical time period and their categories; and predicting the security state of the cloud platform based on the threat intelligence data of a set category in the set time period. By applying the technical scheme provided by the embodiments of the application, the category of each threat intelligence data in the set time period can be determined quickly and accurately, so that the prediction of the security state of the cloud platform based on the threat intelligence data of the set category is more accurate, preventive measures can be executed in time, and the normal operation of the cloud platform is guaranteed. The application also discloses a cloud platform security state prediction apparatus, device and storage medium, which have corresponding technical effects.

Description

Cloud platform security state prediction method, device, equipment and storage medium
Technical Field
The present application relates to the field of computer application technologies, and in particular, to a method, an apparatus, a device, and a storage medium for predicting a security state of a cloud platform.
Background
With the rapid development of computer technology, cloud platforms have gradually matured, their application is increasingly extensive, and they have become an important part of enterprise digitalisation and daily production. During the operation of a cloud platform, the scope of influence of security events grows larger and larger, and as attack methods become more complex, security has become a problem that network development must primarily address and attend to.
By predicting the security state of the cloud platform, that is, the change of its security state over a period of time in the future, security problems can be handled effectively.
How to predict the security state of a cloud platform is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
The application aims to provide a method, a device, equipment and a storage medium for predicting the security state of a cloud platform, so that the security state of the cloud platform can be rapidly and accurately predicted.
In order to solve the technical problem, the application provides the following technical scheme:
a cloud platform security state prediction method comprises the following steps:
threat information data in a set time period in the cloud platform is obtained;
determining the category of each threat intelligence data in the set time period by using a trained logistic regression model, where the logistic regression model is trained on threat intelligence data from a historical time period and their categories;
and predicting the security state of the cloud platform based on the threat intelligence data of a set category in the set time period.
In one embodiment of the present application, the logistic regression model is obtained by training the following steps:
obtaining threat intelligence data in the historical time period;
converting threat intelligence data in the historical time period into a data matrix;
determining a category for each threat intelligence data within the historical time period;
and training to obtain the logistic regression model based on the data matrix and the category of each threat intelligence data.
In an embodiment of the present application, the converting threat intelligence data in the historical time period into a data matrix includes:
and respectively extracting relevant information in each threat intelligence data in the historical time period according to the element attributes of the vectors to form a data matrix.
In one embodiment of the subject application, the determining the category of each threat intelligence data in the historical time period comprises:
clustering threat intelligence data in the historical time period;
and determining the category of each threat intelligence data according to the clustering result.
In a specific embodiment of the present application, the training to obtain the logistic regression model based on the data matrix and the category of each threat intelligence data includes:
determining an initial logistic regression model;
inputting the data matrix into the initial logistic regression model to obtain the category output of each threat intelligence data;
constructing a loss function based on the deviation of the category output of each threat intelligence data and the determined category of each threat intelligence data;
and determining the minimum value of the loss function to obtain the logistic regression model.
In one embodiment of the present application, the predicting the security state of the cloud platform based on the threat intelligence data of the set category in the set time period includes:
determining the security state of each component of the cloud platform according to the threat intelligence data of the set category in the set time period;
and predicting the security state of the cloud platform according to the security state of each component.
In one embodiment of the present application, after predicting the security state of the cloud platform based on the threat intelligence data of the set category in the set time period, the method further includes:
obtaining an anomaly analysis result based on a prediction result of a security state of the cloud platform;
and updating and iterating the logistic regression model according to the anomaly analysis result.
A cloud platform security state prediction apparatus, comprising:
a data acquisition module, configured to obtain threat intelligence data in a set time period in the cloud platform;
a category determining module, configured to determine the category of each threat intelligence data in the set time period by using a trained logistic regression model, where the logistic regression model is trained on threat intelligence data from a historical time period and their categories;
and a security state prediction module, configured to predict the security state of the cloud platform based on the threat intelligence data of a set category in the set time period.
A cloud platform security state prediction device, comprising:
a memory for storing a computer program;
a processor, configured to implement the steps of any one of the foregoing cloud platform security state prediction methods when executing the computer program.
A computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of any of the cloud platform security state prediction methods described above.
By applying the technical scheme provided by the embodiments of the application, after threat intelligence data in a set time period in the cloud platform are obtained, the logistic regression model is used to determine the category of each threat intelligence data in the set time period quickly and accurately. The security state of the cloud platform can then be predicted more accurately from the threat intelligence data of the set category, and preventive measures can be executed in time based on the predicted security state to guarantee the normal operation of the cloud platform.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of an implementation of a method for predicting a security state of a cloud platform according to an embodiment of the present application;
fig. 2 is a schematic view of an application scenario of a cloud platform security state prediction method in an embodiment of the present application;
fig. 3 is a flowchart of another implementation of a cloud platform security state prediction method in an embodiment of the present application;
fig. 4 is a schematic structural diagram of a cloud platform security state prediction apparatus in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a cloud platform security state prediction device in an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
Referring to fig. 1, an implementation flowchart of a cloud platform security status prediction method provided in an embodiment of the present application is shown, where the method may include the following steps:
S110: threat intelligence data in a set time period in the cloud platform is obtained.
The cloud platform, which may also be referred to as a cloud computing platform, refers to a platform that provides computing, networking, and storage capabilities based on services of hardware resources and software resources. The cloud platform allows developers to put written programs in the cloud to run or use services provided in the cloud.
In the running process of the cloud platform, the cloud platform may be attacked, and a security event occurs. When the security state of the cloud platform needs to be predicted, threat information data in a set time period in the cloud platform can be obtained. In practical application, threat intelligence data in a set time period in the cloud platform can be obtained according to a set time interval, or the threat intelligence data in the set time period in the cloud platform can be obtained when a safety state prediction trigger instruction is received.
The set time period may be a time period including the current time, or may be a certain time period before the current time.
In practical applications, threat intelligence data may be obtained through a threat center. The threat center contains a large amount of security event information and has updating capability, and latest threat intelligence data can be obtained through the threat center. The threat centers may include endogenous threat centers and exogenous threat centers, and accordingly, the threat intelligence data may include internal threat intelligence data and external threat intelligence data. The internal threat intelligence data mainly come from security components inside the cloud platform, such as a next-generation firewall, internet behavior audit, a terminal detection response system, vulnerability scanning, database audit, operation and maintenance security management and the like. External threat intelligence data comes primarily from online intelligence analysis systems.
S120: determining the category of each threat intelligence data in the set time period by using a trained logistic regression model.
In the embodiment of the present application, the logistic regression model may be trained in advance. The logistic regression model is a generalised linear regression analysis model and can be trained on threat intelligence data from historical time periods and their categories. Each threat intelligence data may be classified with the logistic regression model to determine its category.
The categories of threat intelligence data may be divided by priority, such as a high priority category, a medium priority category and a low priority category. Threat intelligence data that affects services, such as a DDoS (distributed denial of service) attack, belongs to the high priority category; threat intelligence data that carries a threat early warning, such as overload, belongs to the medium priority category; and threat intelligence data about administrator operation and maintenance belongs to the low priority category.
In practical application, the relevant information in each threat intelligence data in the set time period can be extracted according to the element attributes of the vector to form a data matrix, and the data matrix is then input into the logistic regression model to obtain the category output for each threat intelligence data.
S130: predicting the security state of the cloud platform based on the threat intelligence data of the set category in the set time period.
In the present application, it may be specifically set which one or more types of threat intelligence data are to be used for predicting the security state of the cloud platform.
Based on the threat intelligence data of the set category in the set time period, the security state of the cloud platform can be predicted; for example, the security situation of the current environment of the cloud platform is evaluated and the change of the security state over a future period is predicted, which may also be referred to as security situation awareness. The administrator can thus take precautionary measures in advance: if a vulnerability of the cloud platform is predicted to be attacked, the vulnerability patch can be applied in advance to repair it.
By applying the method provided by the embodiment of the application, after threat intelligence data in a set time period in the cloud platform are obtained, the category of each threat intelligence data in the set time period can be determined quickly and accurately with the logistic regression model, so that the prediction of the security state of the cloud platform based on the threat intelligence data of the set category is more accurate, and preventive measures can be executed in time based on the predicted security state to ensure the normal operation of the cloud platform.
In one embodiment of the present application, the logistic regression model may be obtained by training:
step one: threat intelligence data in a historical time period is obtained;
step two: converting threat intelligence data in a historical time period into a data matrix;
step three: determining a category of each threat intelligence data within a historical time period;
step four: and training to obtain a logistic regression model based on the data matrix and the category of each threat intelligence data.
For convenience of description, the above four steps are combined for illustration.
In the embodiment of the application, threat intelligence data in a historical time period in the cloud platform can be obtained. Likewise, the obtained threat intelligence data may include internal threat intelligence data and external threat intelligence data. The internal threat intelligence data mainly come from security components inside the cloud platform, such as a next-generation firewall, internet behavior audit, a terminal detection response system, vulnerability scanning, database audit, operation and maintenance security management and the like. External threat intelligence data comes primarily from online intelligence analysis systems.
The historical time period may be a longer time period that precedes the collection of the threat intelligence data to be classified, or a particular portion of such a longer period. The amount of threat intelligence data obtained must meet a set quantity threshold.
And converting the obtained threat intelligence data in the historical time period into a data matrix. Specifically, the relevant information in each threat intelligence data in the historical time period can be respectively extracted according to the element attributes of the vector, so as to form a data matrix. Decomposing and classifying each threat intelligence data according to the attribute items, and coding the threat intelligence data in a vector format to form a data matrix.
The element attributes of the vector may include items such as packet connection time, source IP (Internet Protocol) address, source port, destination IP address, destination port, TCP (Transmission Control Protocol)/IP connection status, and the like.
The vector format is as follows:
R(T, Src.IP, Src.Port, Dst.IP, Dst.Port, FLAG);
where T represents the connection time of the data packet, Src.IP the source IP address, Src.Port the source port, Dst.IP the destination IP address, Dst.Port the destination port, and FLAG the TCP/IP connection state. One vector R represents one threat intelligence data.
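As an added illustration (not code from the patent), the following Python builds the data matrix from records in the R(T, Src.IP, Src.Port, Dst.IP, Dst.Port, FLAG) layout. The sample records, the ISO-8601 timestamp field, the integer encoding of IP addresses through the standard ipaddress module, the FLAG code table and the min-max scaling step are all assumptions; the page does not say how each attribute is encoded. The scaling step is included because the later steps compare vectors by Euclidean distance, and an unscaled 32-bit IP value would otherwise dominate every other attribute.

```python
"""Encode threat-intelligence records into the vector layout
R(T, Src.IP, Src.Port, Dst.IP, Dst.Port, FLAG) and stack them into a data matrix."""
import ipaddress
from datetime import datetime

# Assumed code table for the TCP/IP connection state carried in FLAG.
FLAG_CODES = {"SYN": 0, "SYN_ACK": 1, "ESTABLISHED": 2, "FIN": 3, "RST": 4}

# Constructed sample records (made-up addresses and times, not from the page).
SAMPLE_RECORDS = [
    {"time": "2020-01-01T08:00:00Z", "src_ip": "10.0.0.5", "src_port": 51000,
     "dst_ip": "10.0.1.20", "dst_port": 443, "flag": "ESTABLISHED"},
    {"time": "2020-01-01T08:00:07Z", "src_ip": "203.0.113.9", "src_port": 40001,
     "dst_ip": "10.0.1.20", "dst_port": 22, "flag": "SYN"},
    {"time": "2020-01-01T08:01:30Z", "src_ip": "10.0.0.7", "src_port": 51234,
     "dst_ip": "10.0.2.8", "dst_port": 3306, "flag": "RST"},
]


def encode_record(rec):
    """Map one record to the numeric vector R = (T, Src.IP, Src.Port, Dst.IP, Dst.Port, FLAG)."""
    # Assumption: timestamps are ISO-8601 with a trailing Z (UTC). Older Python
    # versions do not accept the Z suffix, so it is rewritten as an explicit offset.
    t = datetime.fromisoformat(rec["time"].replace("Z", "+00:00")).timestamp()
    src_ip = int(ipaddress.ip_address(rec["src_ip"]))  # IPv4 -> 32-bit integer
    dst_ip = int(ipaddress.ip_address(rec["dst_ip"]))
    flag = FLAG_CODES[rec["flag"]]  # an unknown state fails loudly, not silently
    return [t, float(src_ip), float(rec["src_port"]),
            float(dst_ip), float(rec["dst_port"]), float(flag)]


def build_data_matrix(records):
    """One row per threat intelligence record, columns in the R layout."""
    return [encode_record(r) for r in records]


def min_max_scale(matrix):
    """Scale every column to [0, 1]; a constant column becomes all zeros.

    Without this, the 32-bit IP columns would dominate the Euclidean distance
    used later for clustering."""
    columns = list(zip(*matrix))
    lows = [min(c) for c in columns]
    highs = [max(c) for c in columns]
    return [[(v - lo) / (hi - lo) if hi > lo else 0.0
             for v, lo, hi in zip(row, lows, highs)] for row in matrix]
```

A richer encoding (for example splitting an address into octets, or a flag for "internal versus external" source) is a modelling choice the page leaves open; whatever is chosen, every column should be on a comparable scale before the distance-based steps run.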
After obtaining threat intelligence data for a historical time period, a category for each threat intelligence data for the historical time period may be determined.
In a specific embodiment of the present application, threat intelligence data in a historical time period may be clustered, and a category of each threat intelligence data may be determined according to a clustering result.
Clustering, also called cluster analysis, is a technique for statistical data analysis in which similar objects are grouped into different subsets by static classification; data clustering is generally regarded as unsupervised learning.
In the embodiment of the application, after threat intelligence data in a historical time period are obtained, clustering processing, such as K-means clustering processing, can be performed on the obtained threat intelligence data, and the category of each threat intelligence data, such as a high priority category, a medium priority category, a low priority category, etc., can be determined according to a clustering result.
K-means clustering of the threat intelligence data obtained in a historical time period is described as an example.
Assume that the packet vectors of all threat intelligence data in a known historical time period are (R_1, R_2, …, R_n), where n is the total number of threat intelligence data. K-means clustering divides the n vectors into k sets so that the intra-group sum of squares is minimised; that is, the goal is to find clusters S_i that satisfy the following equation:
[equation image BDA0002355527480000071 not reproduced in the text]
where μ_i is the mean of all points in S_i. If there are only two classes, for example a better class and a less preferred class, k = 2. argmin denotes the value of the parameter at which the expression
[equation image BDA0002355527480000072 not reproduced in the text]
takes its minimum value.
The distance may be calculated with the Euclidean distance formula:
[equation image BDA0002355527480000073 not reproduced in the text]
The flow of k-means clustering of the obtained threat intelligence data and of determining the category of each threat intelligence data is as follows:
step one: select k threat intelligence data from the threat intelligence data obtained in the historical time period as the initial cluster centres;
step two: calculate the distance from each threat intelligence data to each of the k cluster centres and assign each threat intelligence data to the class whose centre is nearest;
step three: recalculate the cluster centres from the new assignment;
step four: determine whether the clustering result has changed; if so, repeat steps two and three until, after the cluster centres are recalculated, the clustering result no longer changes; then output the result, which gives the class of each threat intelligence data.
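The k-means flow above, implemented in Python as an added example that is not part of the patent. The six two-dimensional sample vectors are constructed, and the first k vectors are taken as the initial cluster centres (the page says k data points are selected but not how); the loop stops when no assignment changes or an assumed iteration cap is reached, and a cluster that becomes empty keeps its previous centre rather than dividing by zero.

```python
"""K-means clustering of encoded threat-intelligence vectors, following the
select-centres / assign / recompute / repeat-until-stable flow."""
import math

# Constructed sample vectors (already scaled to [0, 1]); not from the page.
# Two obvious groups: three points near (0.15, 0.2) and three near (0.9, 0.8).
SAMPLE_VECTORS = [
    [0.10, 0.20], [0.90, 0.80], [0.15, 0.10],
    [0.20, 0.25], [0.85, 0.90], [0.95, 0.75],
]


def euclidean(a, b):
    """Euclidean distance between two equally sized vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_vector(vectors):
    """Component-wise mean of a non-empty list of vectors (the cluster centre mu_i)."""
    dims = len(vectors[0])
    return [sum(v[d] for v in vectors) / len(vectors) for d in range(dims)]


def kmeans(vectors, k, max_iterations=100):
    """Return (labels, centres): labels[i] is the cluster index of vectors[i].

    Assumption: the first k vectors serve as the initial cluster centres.
    The loop ends when assignments stop changing or the iteration cap is hit.
    """
    if k > len(vectors):
        raise ValueError("k exceeds the number of vectors")
    centres = [list(v) for v in vectors[:k]]
    labels = [None] * len(vectors)
    for _ in range(max_iterations):
        # Step two: assign every vector to the nearest centre.
        new_labels = [min(range(k), key=lambda c: euclidean(v, centres[c]))
                      for v in vectors]
        if new_labels == labels:
            break  # step four: the clustering result no longer changes
        labels = new_labels
        # Step three: recompute each centre as the mean of its members; an empty
        # cluster keeps its previous centre instead of crashing on a division by zero.
        for c in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == c]
            if members:
                centres[c] = mean_vector(members)
    return labels, centres


def within_cluster_sum_of_squares(vectors, labels, centres):
    """The objective k-means minimises: sum over clusters S_i of ||x - mu_i||^2."""
    return sum(euclidean(v, centres[lab]) ** 2 for v, lab in zip(vectors, labels))


if __name__ == "__main__":
    labels, centres = kmeans(SAMPLE_VECTORS, k=2)
    print(labels, centres,
          within_cluster_sum_of_squares(SAMPLE_VECTORS, labels, centres))
```

Which cluster index corresponds to "high priority" is not fixed by the algorithm; the page leaves that mapping to the clustering result (or, as it notes next, to manual calibration), so an analyst would inspect the centres before naming the classes.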
Of course, in practical applications, the category of each threat intelligence data in the historical time period may also be determined by a manual calibration.
After the obtained threat intelligence data in the historical time period is converted into a data matrix and the category of each threat intelligence data is determined, a logistic regression model can be obtained through training based on the data matrix and the category of each threat intelligence data.
In a specific embodiment of the present application, an initial logistic regression model may be determined, and then a data matrix is input into the initial logistic regression model to obtain a category output of each threat intelligence data, a loss function is constructed based on a deviation between the category output of each threat intelligence data and the determined category of each threat intelligence data, and then a minimum value of the loss function is determined to obtain the logistic regression model.
In the embodiment of the present application, a prediction function may be selected first; the prediction function is the initial logistic regression model, may be denoted by h, and is a classification function. The data matrix is input into the initial logistic regression model to obtain the category output for each threat intelligence data. A loss function may be constructed based on the deviation of the category output for each threat intelligence data from the previously determined category of that threat intelligence data. The loss function may sum or average the individual losses and is denoted J(θ). The minimum value of the loss function is then determined to obtain the logistic regression model.
The prediction function h is:
[equation image BDA0002355527480000081 not reproduced in the text]
where θ is the weight vector.
The constructed loss function J(θ) is:
[equation image BDA0002355527480000082 not reproduced in the text]
where y represents the output of the prediction function.
Using the gradient descent method, the value of θ can be solved iteratively to obtain the logistic regression model:
[equation image BDA0002355527480000083 not reproduced in the text]
where α is the learning step.
In practical application, part of the data matrix can be selected to train the logistic regression model and the remaining part used to verify it. If the accuracy rate does not reach the set threshold, the training and verification steps can be repeated until it does, giving the final usable logistic regression model.
The logistic regression model can then be deployed in the cloud platform. After threat intelligence data in a set time period in the cloud platform are obtained, the logistic regression model can be used to determine the category of each threat intelligence data, and the security state of the cloud platform is then predicted based on the threat intelligence data of the set category.
In one embodiment of the present application, step S130 may include the steps of:
step one: determining the security state of each component of the cloud platform according to the threat intelligence data of the set category in the set time period;
step two: predicting the security state of the cloud platform according to the security state of each component.
In the embodiment of the application, after threat intelligence data in a set time period in the cloud platform are obtained, the category of each threat intelligence data is determined with the logistic regression model. From the threat intelligence data of the set category, the security state of each component of the cloud platform can be determined, such as whether the component has been attacked and what the result of the attack was; and from the security state of each component, the security state of the cloud platform can be predicted.
In an embodiment of the present application, after predicting the security status of the cloud platform based on the threat intelligence data of the set category within the set time period, the method may further include the following steps:
step one: obtaining an anomaly analysis result based on the prediction result of the security state of the cloud platform;
step two: iteratively updating the logistic regression model according to the anomaly analysis result.
In the embodiment of the application, after the threat intelligence data are classified with the logistic regression model and the security state of the cloud platform is predicted based on the threat intelligence data of the set category in the set time period, the predicted security state of the cloud platform can be output so that the administrator can execute corresponding preventive measures. When the set time interval is reached, the administrator can analyse the prediction result of the security state of the cloud platform to check whether it is normal and, if it is abnormal, return an anomaly analysis result for that prediction. After the anomaly analysis result is obtained, the logistic regression model can be iteratively updated according to it, so that threat intelligence data can be classified more accurately with the updated model and the security state of the cloud platform predicted more accurately.
Specifically, the obtained anomaly analysis result of the prediction of the security state of the cloud platform may be a correction of the security state, that is, the output y of the prediction function is changed, and θ may then be changed according to y, so that the logistic regression model is iteratively updated.
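The training, validation and feedback-update steps described above, written out in Python as an added example that is not from the patent. The equation images for h, J(θ) and the θ update are not reproduced on the page, so the block assumes the standard forms: h is the sigmoid of the weighted sum θ·x, J(θ) is the mean cross-entropy, and each iteration moves θ by α times the gradient of J. The feature rows and labels are constructed, the classifier is binary (high priority versus not high priority), and the train/validation split, the accuracy threshold, the doubling of the iteration budget when the threshold is missed, and the warm start from the current θ after an administrator corrects y are all assumptions.

```python
"""Train a binary logistic-regression classifier over encoded threat-intelligence
vectors with gradient descent, validate it on a held-out slice, and re-fit it from
the current weights when an administrator corrects a predicted category."""
import math

# Constructed, already min-max-scaled feature rows (not from the page): each row is
# [connections_in_window, share_of_unusual_tcp_flags] for one record.
# Label 1 = high-priority category, 0 = not high priority (assumed binary split).
FEATURES = [
    [0.90, 0.80], [0.10, 0.20], [0.85, 0.90], [0.20, 0.10],
    [0.95, 0.70], [0.15, 0.30], [0.80, 0.85], [0.05, 0.15],
]
LABELS = [1, 0, 1, 0, 1, 0, 1, 0]


def sigmoid(z):
    # Clamp so exp() cannot overflow for very confident predictions.
    z = max(-500.0, min(500.0, z))
    return 1.0 / (1.0 + math.exp(-z))


def hypothesis(theta, x):
    """h_theta(x): sigmoid of the weighted sum; theta[0] is the bias term."""
    return sigmoid(theta[0] + sum(t * v for t, v in zip(theta[1:], x)))


def loss(theta, X, y):
    """J(theta): mean cross-entropy between predictions and the given categories."""
    eps = 1e-12
    total = 0.0
    for x, label in zip(X, y):
        h = min(max(hypothesis(theta, x), eps), 1 - eps)
        total += -(label * math.log(h) + (1 - label) * math.log(1 - h))
    return total / len(X)


def gradient_descent(X, y, alpha, iterations, theta=None):
    """Move theta against the gradient of J for a fixed number of steps; alpha is
    the learning step. Starts from zeros unless a warm-start theta is supplied."""
    n = len(X[0]) + 1
    theta = list(theta) if theta is not None else [0.0] * n
    m = len(X)
    for _ in range(iterations):
        grad = [0.0] * n
        for x, label in zip(X, y):
            err = hypothesis(theta, x) - label
            grad[0] += err
            for j, v in enumerate(x, start=1):
                grad[j] += err * v
        theta = [t - alpha * g / m for t, g in zip(theta, grad)]
    return theta


def predict_label(theta, x):
    return 1 if hypothesis(theta, x) >= 0.5 else 0


def accuracy(theta, X, y):
    correct = sum(predict_label(theta, x) == label for x, label in zip(X, y))
    return correct / len(X)


def train_with_validation(X, y, train_fraction=0.75, threshold=0.9, alpha=0.5,
                          iterations=500, max_rounds=5):
    """Train on the first slice and verify on the rest; if verification accuracy
    is below the threshold, double the iteration budget and train again.
    Returns (theta, reached_threshold)."""
    cut = int(len(X) * train_fraction)
    X_tr, y_tr, X_va, y_va = X[:cut], y[:cut], X[cut:], y[cut:]
    theta = None
    for _ in range(max_rounds):
        theta = gradient_descent(X_tr, y_tr, alpha, iterations)
        if accuracy(theta, X_va, y_va) >= threshold:
            return theta, True
        iterations *= 2
    return theta, False


def update_with_feedback(theta, X, y, corrections, alpha=0.5, iterations=500):
    """Apply administrator corrections {row_index: new_label} to y and continue
    gradient descent from the current theta instead of retraining from zero.
    Returns (updated_theta, corrected_y)."""
    new_y = list(y)
    for idx, label in corrections.items():
        new_y[idx] = label
    return gradient_descent(X, new_y, alpha, iterations, theta=theta), new_y
```

With a step size below the inverse Lipschitz constant of J (here the features lie in [0, 1], so α = 0.5 is safe), each gradient step cannot increase the loss, which is what makes the warm-started update a sound way to absorb a corrected label without discarding what the model already learned.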
Fig. 2 is a schematic view of an application scenario according to an embodiment of the present application. In practical application, a trained logistic regression model can be deployed to the cloud platform; threat intelligence data in a set time period in the cloud platform are obtained through an internal threat centre and an external threat centre, the logistic regression model is then used to determine the category of each threat intelligence data in the set time period, and the security state of the cloud platform is predicted based on the threat intelligence data of the set category. The prediction result can further be output on a display interface.
Taking fig. 3 as an example, the overall solution of the embodiment of the present application is described.
First, threat intelligence data in a historical time period in the cloud platform are obtained, including internal threat intelligence data and external threat intelligence data. The obtained threat intelligence data are then classified to determine the category of each threat intelligence data, and are encoded to form a data matrix. A logistic regression model is trained based on the data matrix and the category of each threat intelligence data.
The trained logistic regression model is then deployed in the cloud platform and used to predict the security state of the cloud platform; that is, the category of each threat intelligence data in a set time period in the cloud platform is determined, and the security state of the cloud platform is predicted based on the threat intelligence data of the set category.
Whether the prediction result of the security state is normal is then judged. If so, the logistic regression model continues to be used to predict the security state; if not, the logistic regression model is iteratively updated and the updated model is used to predict the security state. In this way the prediction of the security state of the cloud platform becomes more and more accurate, so that preventive measures can be executed in time based on the prediction result and the normal operation of the cloud platform is guaranteed.
Corresponding to the above method embodiment, the embodiment of the present application further provides a cloud platform security state prediction apparatus; the apparatus described below and the method described above may be referred to in correspondence with each other.
Referring to fig. 4, the apparatus may include the following modules:
a data obtaining module 410, configured to obtain threat intelligence data in a set time period in the cloud platform;
a category determining module 420, configured to determine the category of each threat intelligence data item in the set time period by using a logistic regression model obtained through training, where the logistic regression model is obtained by training on threat intelligence data in a historical time period and their categories;
and a security state prediction module 430, configured to predict the security state of the cloud platform based on the threat intelligence data of the set category in the set time period.
With the apparatus provided by the embodiment of the present application, once threat intelligence data in a set time period in the cloud platform has been obtained, the logistic regression model is used to determine the category of each threat intelligence data item in the set time period quickly and accurately, so that the security state of the cloud platform can be predicted more accurately from the threat intelligence data of the set category; preventive measures can therefore be executed in time based on the predicted security state, and the normal operation of the cloud platform is guaranteed.
In a specific embodiment of the present application, the apparatus further includes a model training module, configured to train and obtain the logistic regression model through the following steps:
threat intelligence data in a historical time period is obtained;
converting threat intelligence data in a historical time period into a data matrix;
determining a category of each threat intelligence data within a historical time period;
and training to obtain a logistic regression model based on the data matrix and the category of each threat intelligence data.
In one embodiment of the present application, the model training module is configured to:
extracting, from each threat intelligence data item in the historical time period, the information corresponding to each element attribute of the feature vector, and assembling the resulting vectors into a data matrix.
In one embodiment of the present application, the model training module is configured to:
clustering threat intelligence data in a historical time period;
and determining the category of each threat intelligence data according to the clustering result.
In one embodiment of the present application, the model training module is configured to:
determining an initial logistic regression model;
inputting the data matrix into an initial logistic regression model to obtain the category output of each threat intelligence data;
constructing a loss function based on the deviation of the category output of each threat intelligence data and the determined category of each threat intelligence data;
and determining the minimum value of the loss function to obtain a logistic regression model.
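The training path described in the overview of fig. 3 and in the model training module above, worked through as an added example in Python; this code is not from the patent or from Sangfor. It makes assumptions the patent does not state: the element attributes of the feature vector are severity, confidence, hit count, an internal/external flag and an exploit flag; the clustering formula is the k-means objective, which is what the page's definitions of R, S_i, μ_i and k describe; clusters are mapped to the high, medium and low priority categories by their mean severity; and the loss minimisation is full-batch gradient descent on a one-vs-rest cross-entropy loss. The historical records are constructed.

```python
"""Training path of the patent's category model, as an added example (not the patent's
own code): encode threat intelligence records into a data matrix, derive each record's
priority category by clustering, then fit a logistic regression model to those
categories by minimising a cross-entropy loss.  Pure standard library."""
import math

# Element attributes of the feature vector.  Assumption: the patent does not list them.
ATTRIBUTES = ("severity", "confidence", "hit_count", "is_external", "is_exploit")
PRIORITIES = ("high", "medium", "low")

# Constructed historical threat intelligence records (not real data).
HISTORY = [
    {"severity": 9.1, "confidence": 0.90, "hit_count": 40, "is_external": 1, "is_exploit": 1},
    {"severity": 8.7, "confidence": 0.80, "hit_count": 25, "is_external": 0, "is_exploit": 1},
    {"severity": 9.5, "confidence": 0.95, "hit_count": 60, "is_external": 1, "is_exploit": 1},
    {"severity": 5.2, "confidence": 0.60, "hit_count": 8,  "is_external": 1, "is_exploit": 0},
    {"severity": 4.8, "confidence": 0.50, "hit_count": 5,  "is_external": 0, "is_exploit": 0},
    {"severity": 5.9, "confidence": 0.70, "hit_count": 12, "is_external": 1, "is_exploit": 0},
    {"severity": 1.5, "confidence": 0.30, "hit_count": 1,  "is_external": 1, "is_exploit": 0},
    {"severity": 2.0, "confidence": 0.20, "hit_count": 2,  "is_external": 0, "is_exploit": 0},
    {"severity": 1.0, "confidence": 0.40, "hit_count": 1,  "is_external": 1, "is_exploit": 0},
]


def dot(w, x):
    return sum(a * b for a, b in zip(w, x))


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def encode(records, scale=None):
    """Extract the element attributes of every record into one row of the data matrix.
    Columns are min-max scaled with the training-time range so that hit_count does not
    dominate the Euclidean distance used by the clustering."""
    raw = [[float(r[a]) for a in ATTRIBUTES] for r in records]
    if scale is None:
        scale = ([min(c) for c in zip(*raw)], [max(c) for c in zip(*raw)])
    lo, hi = scale
    X = [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)] for row in raw]
    return X, scale


def kmeans(X, k, rounds=25):
    """Lloyd's k-means, the usual reading of the claims' clustering formula: each row goes
    to the nearest mean mu_i, then mu_i is recomputed as the mean of all points in S_i.
    Deterministic initialisation (evenly spaced rows) keeps the example reproducible."""
    mus = [X[j * len(X) // k] for j in range(k)]
    labels = None
    for _ in range(rounds):
        new = [min(range(k), key=lambda i: sum((a - b) ** 2 for a, b in zip(x, mus[i])))
               for x in X]
        if new == labels:
            break
        labels = new
        for i in range(k):
            members = [x for x, l in zip(X, labels) if l == i]
            if members:
                mus[i] = [sum(col) / len(members) for col in zip(*members)]
    return labels, mus


def categorize(records, X, k=3):
    """Cluster the data matrix and name each cluster by priority.  Assumption: clusters are
    ranked by mean raw severity, highest first; the patent only says the categories are
    high/medium/low priority."""
    labels, _ = kmeans(X, k)
    mean_sev = [sum(r["severity"] for r, l in zip(records, labels) if l == i)
                / max(1, labels.count(i)) for i in range(k)]
    ranked = sorted(range(k), key=lambda i: -mean_sev[i])
    name = {cluster: PRIORITIES[rank] for rank, cluster in enumerate(ranked)}
    return [name[l] for l in labels]


def train_logreg(X, y, epochs=5000, lr=1.0):
    """One-vs-rest logistic regression fitted by full-batch gradient descent.  The loss is
    the cross-entropy between the model's output and the cluster-derived category; each
    gradient step below moves the weights towards its minimum."""
    n = len(X[0])
    model = {}
    for c in PRIORITIES:
        w, b = [0.0] * n, 0.0
        targets = [1.0 if label == c else 0.0 for label in y]
        for _ in range(epochs):
            gw, gb = [0.0] * n, 0.0
            for x, t in zip(X, targets):
                err = sigmoid(dot(w, x) + b) - t      # d(loss)/d(logit)
                gw = [g + err * xi for g, xi in zip(gw, x)]
                gb += err
            w = [wi - lr * g / len(X) for wi, g in zip(w, gw)]
            b -= lr * gb / len(X)
        model[c] = (w, b)
    return model


def predict(model, x):
    """Category whose one-vs-rest classifier gives the highest probability."""
    return max(model, key=lambda c: sigmoid(dot(model[c][0], x) + model[c][1]))


def build_model(records, k=3):
    """Data matrix -> cluster-derived categories -> trained logistic regression model."""
    X, scale = encode(records)
    categories = categorize(records, X, k)
    return train_logreg(X, categories), scale, categories


def classify(model, scale, record):
    """Encode one new record with the training-time scaling and predict its category."""
    X, _ = encode([record], scale)
    return predict(model, X[0])


if __name__ == "__main__":
    model, scale, cats = build_model(HISTORY)
    print("training categories:", cats)
    new = {"severity": 8.9, "confidence": 0.85, "hit_count": 33, "is_external": 1, "is_exploit": 1}
    print("new record ->", classify(model, scale, new))
```

The scaling range is returned with the model on purpose: a record seen at prediction time must be encoded with the training-time range, otherwise the same raw attributes land at a different point of the feature space and the cluster-derived boundaries no longer apply.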
In one embodiment of the present application, the security state prediction module 430 is configured to:
determining the security state of each component of the cloud platform according to the threat intelligence data of the set category in the set time period;
and predicting the security state of the cloud platform according to the security state of each component.
In a specific embodiment of the present application, the apparatus further includes a model updating module, configured to:
after the security state of the cloud platform has been predicted based on the threat intelligence data of the set category in the set time period, obtain an anomaly analysis result based on the prediction result of the security state of the cloud platform;
and update and iterate the logistic regression model according to the anomaly analysis result.
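The security state prediction module and the model updating module, worked through as an added example in Python (not the patent's or Sangfor's code). It starts from threat intelligence that the category model has already labelled and assumes, where the patent is silent, that the set categories are high and medium priority, that a component's state is a weighted count of those items, that the platform state follows from the worst component states, and that the anomaly analysis compares each prediction with the state later observed. The window records are constructed.

```python
"""Prediction and update path, as an added example (not the patent's own code): derive a
security state for each cloud platform component from the set-category threat
intelligence of the time window, aggregate the component states into a platform state,
and decide from the anomaly analysis whether the model must be updated."""
from collections import Counter

# Constructed, already categorised threat intelligence for one set time period (not real data).
WINDOW = [
    {"component": "api-gateway", "category": "high"},
    {"component": "api-gateway", "category": "medium"},
    {"component": "web", "category": "medium"},
    {"component": "web", "category": "medium"},
    {"component": "db", "category": "low"},
    {"component": "auth", "category": "low"},
]
COMPONENTS = ("api-gateway", "web", "auth", "db")

# Assumptions: the set categories are high and medium priority, weighted 3 and 1; the
# patent names the categories but gives no weights or thresholds.
SET_CATEGORIES = ("high", "medium")
WEIGHT = {"high": 3, "medium": 1, "low": 0}


def component_states(window, components):
    """Security state per component from set-category intelligence only: a score of
    3 or more (one high or three medium items) is at_risk, 1 to 2 is watch, 0 is normal."""
    score = Counter()
    for item in window:
        if item["category"] in SET_CATEGORIES:
            score[item["component"]] += WEIGHT[item["category"]]

    def state(s):
        return "at_risk" if s >= 3 else ("watch" if s >= 1 else "normal")

    return {c: state(score[c]) for c in components}


def platform_state(states):
    """Predict the platform's security state from its components: one at-risk component
    makes the platform abnormal; two or more components on watch make it degraded."""
    if any(s == "at_risk" for s in states.values()):
        return "abnormal"
    if sum(1 for s in states.values() if s == "watch") >= 2:
        return "degraded"
    return "normal"


def anomaly_analysis(predicted, observed, outcomes, span=5, max_misses=1):
    """Anomaly analysis of the prediction result: record whether the prediction matched the
    state later observed and report whether the recent miss count exceeds the tolerance,
    in which case the logistic regression model should be updated and iterated."""
    outcomes.append(predicted == observed)
    misses = outcomes[-span:].count(False)
    return misses > max_misses


if __name__ == "__main__":
    states = component_states(WINDOW, COMPONENTS)
    predicted = platform_state(states)
    print(states, "->", predicted)
    outcomes = []
    for observed in ("abnormal", "normal", "normal"):
        print("observed", observed, "-> retrain:", anomaly_analysis(predicted, observed, outcomes))
```

Updating the model itself means re-running the training path over the history extended with the newly observed window; the check above only decides when that is worth doing, and a single miss does not trigger it, so that one noisy window does not churn the model.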
Corresponding to the above method embodiment, an embodiment of the present application further provides a cloud platform security state prediction device, including:
a memory for storing a computer program;
and a processor, configured to implement the steps of the cloud platform security state prediction method when executing the computer program.
Fig. 5 is a schematic structural diagram of the cloud platform security state prediction device, which may include a processor 10, a memory 11, a communication interface 12 and a communication bus 13. The processor 10, the memory 11 and the communication interface 12 communicate with each other through the communication bus 13.
In the embodiment of the present application, the processor 10 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a field-programmable gate array (FPGA) or another programmable logic device.
The processor 10 may call a program stored in the memory 11; in particular, the processor 10 may perform the operations in an embodiment of the cloud platform security state prediction method.
The memory 11 is used for storing one or more programs, which may include program code comprising computer operation instructions; in this embodiment, the memory 11 stores at least a program implementing the following functions:
obtaining threat intelligence data in a set time period in the cloud platform;
determining the category of each threat intelligence data item in the set time period by using a logistic regression model obtained through training, where the logistic regression model is obtained by training on threat intelligence data in a historical time period and their categories;
and predicting the security state of the cloud platform based on the threat intelligence data of the set category in the set time period.
In one possible implementation, the memory 11 may include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required for at least one function (such as a sound playing function or an image playing function), and the like; the data storage area may store data created during use, such as threat intelligence data and model parameter data.
Further, the memory 11 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device or another non-volatile solid-state storage device.
The communication interface 12 may be an interface of a communication module for connecting with other devices or systems.
Of course, it should be noted that the structure shown in fig. 5 does not limit the cloud platform security state prediction device of the embodiment of the present application; in practice, the device may include more or fewer components than shown in fig. 5, or some components in combination.
Corresponding to the above method embodiment, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the steps of the cloud platform security state prediction method described above.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The principle and the embodiment of the present application are explained by applying specific examples, and the above description of the embodiments is only used to help understand the technical solution and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.

Claims (9)

1. A cloud platform security state prediction method is characterized by comprising the following steps:
obtaining threat intelligence data in a set time period in the cloud platform;
determining the category of each threat intelligence data item in the set time period by using a logistic regression model obtained through training, wherein the logistic regression model is obtained by training on threat intelligence data in a historical time period and their categories, and the categories of the threat intelligence data are divided by priority into a high priority category, a medium priority category and a low priority category;
predicting the security state of the cloud platform based on the threat intelligence data of the set category in the set time period;
wherein the determining the category of each threat intelligence data item within the set time period comprises: clustering the threat intelligence data, and determining the category of each threat intelligence data item according to the clustering result; wherein the clustering formula is as follows:
[clustering formula, present on the page only as image FDA0003789441990000011]
wherein R is the threat intelligence data, S_i (i ∈ [1, k]) are the clustering results, and μ_i is the mean of all points in S_i;
wherein the determining the category of each threat intelligence data item in the set time period by using the logistic regression model obtained through training comprises:
extracting, from each threat intelligence data item in the set time period, the information corresponding to each element attribute of the feature vector to form a data matrix, and then inputting the data matrix into the logistic regression model to obtain the output category of each threat intelligence data item.
2. The method of claim 1, wherein the logistic regression model is obtained by training:
obtaining threat intelligence data in the historical time period;
converting threat intelligence data in the historical time period into a data matrix;
determining a category for each threat intelligence data within the historical time period;
and training to obtain the logistic regression model based on the data matrix and the category of each threat intelligence data.
3. The method of claim 2, wherein determining the category for each threat intelligence data in the historical time period comprises:
clustering the threat intelligence data in the historical time period;
and determining the category of each threat intelligence data according to the clustering result.
4. The method of claim 2, wherein training the logistic regression model based on the data matrix and the category of each threat intelligence data comprises:
determining an initial logistic regression model;
inputting the data matrix into the initial logistic regression model to obtain the category output of each threat intelligence data;
constructing a loss function based on the deviation of the category output of each threat intelligence data and the determined category of each threat intelligence data;
and determining the minimum value of the loss function to obtain the logistic regression model.
5. The method according to any one of claims 1 to 4, wherein predicting the security status of the cloud platform based on a set category of threat intelligence data for the set period of time comprises:
determining the security state of each component of the cloud platform according to the threat intelligence data of the set category in the set time period;
and predicting the security state of the cloud platform according to the security state of each component.
6. The method according to any one of claims 1 to 4, further comprising, after said predicting the security status of the cloud platform based on a set category of threat intelligence data for the set period of time:
obtaining an anomaly analysis result based on the prediction result of the security state of the cloud platform;
and updating and iterating the logistic regression model according to the anomaly analysis result.
7. A cloud platform security state prediction apparatus, comprising:
a data acquisition module, configured to acquire threat intelligence data in a set time period in the cloud platform;
a category determining module, configured to determine the category of each threat intelligence data item in the set time period by using a logistic regression model obtained through training, wherein the logistic regression model is obtained by training on threat intelligence data in a historical time period and their categories, and the categories of the threat intelligence data are divided by priority into a high priority category, a medium priority category and a low priority category;
a security state prediction module, configured to predict the security state of the cloud platform based on the threat intelligence data of the set category in the set time period;
wherein the category determining module is configured to cluster the threat intelligence data and determine the category of each threat intelligence data item according to the clustering result; wherein the clustering formula is as follows:
[clustering formula, present on the page only as image FDA0003789441990000031]
wherein R is the threat intelligence data, S_i (i ∈ [1, k]) are the clustering results, and μ_i is the mean of all points in S_i;
and the category determining module is configured to extract, from each threat intelligence data item in the set time period, the information corresponding to each element attribute of the feature vector to form a data matrix, and then input the data matrix into the logistic regression model to obtain the output category of each threat intelligence data item.
8. A cloud platform security state prediction device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the cloud platform security state prediction method according to any one of claims 1 to 6 when executing the computer program.
9. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the cloud platform security state prediction method according to any one of claims 1 to 6.
CN202010006685.6A 2020-01-03 2020-01-03 Cloud platform security state prediction method, device, equipment and storage medium Active CN111209564B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010006685.6A CN111209564B (en) 2020-01-03 2020-01-03 Cloud platform security state prediction method, device, equipment and storage medium


Publications (2)

Publication Number Publication Date
CN111209564A CN111209564A (en) 2020-05-29
CN111209564B true CN111209564B (en) 2022-11-22

Family

ID=70787823

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010006685.6A Active CN111209564B (en) 2020-01-03 2020-01-03 Cloud platform security state prediction method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111209564B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112637017B (en) * 2020-12-25 2022-02-08 深圳市高德信通信股份有限公司 Network data analysis method based on application layer data
CN113162953B (en) * 2021-06-09 2022-02-18 南京聚铭网络科技有限公司 Network threat message detection and source tracing evidence obtaining method and device
CN115426198B (en) * 2022-11-01 2023-03-24 杭州安恒信息技术股份有限公司 Information processing method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
CN108449366A (en) * 2018-05-18 2018-08-24 广西电网有限责任公司 Key message infrastructure security based on artificial intelligence threatens intelligence analysis system
CN108959934A (en) * 2018-06-11 2018-12-07 平安科技(深圳)有限公司 Safety risk estimating method, device, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10721254B2 (en) * 2017-03-02 2020-07-21 Crypteia Networks S.A. Systems and methods for behavioral cluster-based network threat detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Darknet and Deepnet Mining for Proactive Cybersecurity Threat Intelligence; Eric Nunes; IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences; 2016-07-28; full text *
Research on intranet security detection based on Netflow; Deng Shouxun; Computer Applications and Software (计算机应用与软件); 2018-10-31; full text *

Also Published As

Publication number Publication date
CN111209564A (en) 2020-05-29

Similar Documents

Publication Publication Date Title
US11637853B2 (en) Operational network risk mitigation system and method
CN111209564B (en) Cloud platform security state prediction method, device, equipment and storage medium
EP3938937B1 (en) Cloud security using multidimensional hierarchical model
US20220201042A1 (en) Ai-driven defensive penetration test analysis and recommendation system
US10832083B1 (en) Advanced image recognition for threat disposition scoring
CN106973038B (en) Network intrusion detection method based on genetic algorithm oversampling support vector machine
US11805005B2 (en) Systems and methods for predictive assurance
WO2015160367A1 (en) Pre-cognitive security information and event management
CN110011932B (en) Network traffic classification method capable of identifying unknown traffic and terminal equipment
US20210185086A1 (en) Method and system for intrusion detection
US20230291755A1 (en) Enterprise cybersecurity ai platform
CN113269389A (en) Network security situation assessment and situation prediction modeling method based on deep belief network
CN110110160B (en) Method and device for determining data exception
CN111669384A (en) Malicious flow detection method integrating deep neural network and hierarchical attention mechanism
CN113435505A (en) Construction method and device for safe user portrait
CN111953665B (en) Server attack access identification method and system, computer equipment and storage medium
CN115987615A (en) Network behavior safety early warning method and system
CN115396324A (en) Network security situation perception early warning processing system
CN117892102A (en) Intrusion behavior detection method, system, equipment and medium based on active learning
Zhang et al. Many-objective optimization based intrusion detection for in-vehicle network security
Britto Dennis et al. Deep belief network and support vector machine fusion for distributed denial of service and economical denial of service attack detection in cloud
CN114866338A (en) Network security detection method and device and electronic equipment
CN111953712B (en) Intrusion detection method and device based on feature fusion and density clustering
Protic et al. WK-FNN design for detection of anomalies in the computer network traffic
CN117391214A (en) Model training method and device and related equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant