CN114928468A - Network security sensing method and system - Google Patents


Publication number
CN114928468A
Authority
CN
China
Prior art keywords
state information
equipment
network
network security
safety monitoring
Legal status
Withdrawn
Application number
CN202210337000.5A
Other languages
Chinese (zh)
Inventor
李靖
张小明
钟小艳
李军
黄杰
王丹
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)

Abstract

The invention provides a network security sensing method and system, and relates to the technical field of network security. The method comprises: respectively acquiring device operating state information of each of a plurality of network security monitoring devices, to obtain a plurality of corresponding pieces of device operating state information; classifying the plurality of pieces of device operating state information, to obtain at least one corresponding state information classification set; and, for each state information classification set, analyzing the device operating state of the corresponding network security monitoring devices based on each piece of device operating state information included in the set, to obtain the device operating state abnormality degree of the network security monitoring device corresponding to each piece of device operating state information in the set. Based on this method, the problem of poor reliability in sensing the degree of device abnormality in the prior art can be solved.

Description

Network security sensing method and system
Technical Field
The invention relates to the technical field of network security, in particular to a network security sensing method and a network security sensing system.
Background
In order to ensure the safe operation of a network device, a network security monitoring device corresponding to the network device is generally configured to monitor the device operating state of the network device. Whether the network security monitoring device itself operates normally during monitoring therefore directly determines the monitoring effect, so the device operating state of the network security monitoring device also needs to be analyzed to obtain the abnormality degree of that operating state. However, in the prior art, abnormality determination is generally performed separately on the device operating state information of each network security monitoring device, which may result in poor reliability of sensing (determining) the degree of device abnormality.
Disclosure of Invention
In view of the above, the present invention provides a method and a system for sensing network security to solve the problem of poor reliability of sensing the degree of abnormality of a device in the prior art.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
a network security sensing method is applied to a network security monitoring server, the network security monitoring server is in communication connection with a plurality of network security monitoring devices, the plurality of network security monitoring devices are respectively used for monitoring the device operating state of each network device in a plurality of corresponding network devices, and the network security sensing method comprises the following steps:
respectively obtaining device operating state information of each network security monitoring device in the plurality of network security monitoring devices, to obtain a plurality of pieces of device operating state information corresponding to the plurality of network security monitoring devices, wherein the device operating state information represents the operating state of the corresponding network security monitoring device while it monitors the corresponding network device;
classifying the plurality of pieces of device operating state information, to obtain at least one state information classification set corresponding to the plurality of pieces of device operating state information;
and, for each state information classification set in the at least one state information classification set, analyzing the device operating state of the corresponding network security monitoring devices based on each piece of device operating state information included in the state information classification set, to obtain the device operating state abnormality degree of the network security monitoring device corresponding to each piece of device operating state information included in the state information classification set.
In some preferred embodiments, in the network security sensing method, the step of respectively obtaining device operating state information of each of the multiple network security monitoring devices to obtain multiple pieces of device operating state information corresponding to the multiple network security monitoring devices includes:
judging whether state monitoring needs to be carried out on the plurality of network safety monitoring devices or not;
if the state of the plurality of network safety monitoring devices needs to be monitored, generating corresponding state monitoring notification information, and sending the state monitoring notification information to each network safety monitoring device in the plurality of network safety monitoring devices, wherein each network safety monitoring device in the plurality of network safety monitoring devices is used for sending the running state information of the network safety monitoring device to the network safety monitoring server based on the state monitoring notification information;
and respectively acquiring the equipment running state information sent by each of the network safety monitoring equipment based on the state monitoring notification information to obtain a plurality of pieces of equipment running state information corresponding to the network safety monitoring equipment.
In some preferred embodiments, in the foregoing method for sensing network security, the step of determining whether state monitoring of the multiple network security monitoring devices is required includes:
determining the time at which state monitoring of the plurality of network security monitoring devices was last performed, to obtain corresponding first historical time information, and comparing the time difference between the first historical time information and the current time information with a preset time difference threshold;
if the time difference between the first historical time information and the current time information is greater than or equal to the time difference threshold, determining that the state monitoring of the plurality of network safety monitoring devices is required;
and if the time difference between the first historical time information and the current time information is smaller than the time difference threshold, determining that the state monitoring of the plurality of network safety monitoring devices is not needed.
In some preferred embodiments, in the above network security sensing method, the step of classifying the multiple pieces of device operation state information to obtain at least one state information classification set corresponding to the multiple pieces of device operation state information includes:
for each network security monitoring device in the plurality of network security monitoring devices, acquiring each piece of historical device operating state information corresponding to the network security monitoring device, to obtain a plurality of pieces of historical device operating state information corresponding to the network security monitoring device;
classifying the multiple pieces of equipment operation state information corresponding to the multiple pieces of network safety monitoring equipment based on the multiple pieces of historical equipment operation state information corresponding to each piece of network safety monitoring equipment in the multiple pieces of network safety monitoring equipment to obtain at least one state information classification set corresponding to the multiple pieces of equipment operation state information, wherein each state information classification set in the at least one state information classification set comprises at least one piece of equipment operation state information.
In some preferred embodiments, in the above network security sensing method, the step of classifying, based on the multiple pieces of historical device operating state information corresponding to each of the multiple pieces of network security monitoring equipment, the multiple pieces of device operating state information corresponding to the multiple pieces of network security monitoring equipment to obtain at least one state information classification set corresponding to the multiple pieces of device operating state information includes:
for each network security monitoring device in the plurality of network security monitoring devices, sorting the plurality of pieces of historical device operating state information corresponding to the network security monitoring device in order of acquisition time, to obtain a historical state information sequence corresponding to the network security monitoring device;
for every two network safety monitoring devices in the plurality of network safety monitoring devices, performing sequence similarity calculation operation on two historical state information sequences corresponding to the two network safety monitoring devices to obtain historical state sequence similarity corresponding to the two network safety monitoring devices;
classifying the network safety monitoring devices based on the historical state sequence similarity corresponding to every two network safety monitoring devices in the network safety monitoring devices to obtain at least one monitoring device set corresponding to the network safety monitoring devices;
and aiming at each monitoring equipment set in the at least one monitoring equipment set, putting equipment running state information corresponding to each network safety monitoring equipment included in the monitoring equipment set into the same set to obtain a state information classification set corresponding to the monitoring equipment set, wherein the monitoring equipment set and the state information classification set have one-to-one correspondence relationship.
In some preferred embodiments, in the above network security sensing method, the step of classifying the multiple network security monitoring devices based on the historical state sequence similarity corresponding to every two network security monitoring devices in the multiple network security monitoring devices to obtain at least one monitoring device set corresponding to the multiple network security monitoring devices includes:
a, selecting any one network security monitoring device from the plurality of network security monitoring devices, and placing it, as a first network security monitoring device, into a first device set constructed in advance;
b, for each network security monitoring device outside the first device set, comparing the historical state sequence similarity between that device and each first network security monitoring device in the first device set with a preset historical state sequence similarity threshold, and placing the device into the first device set when its historical state sequence similarity with at least one first network security monitoring device is greater than or equal to the historical state sequence similarity threshold;
c, executing step b at least once, until the historical state sequence similarity between each network security monitoring device outside the first device set and each network security monitoring device in the first device set is smaller than the historical state sequence similarity threshold, and then selecting any one network security monitoring device from those outside the first device set to be placed, as a new first network security monitoring device, into a newly constructed new first device set;
d, for each network security monitoring device outside both the first device set and the new first device set, comparing the historical state sequence similarity between that device and each new first network security monitoring device in the new first device set with the historical state sequence similarity threshold, and placing the device into the new first device set when its historical state sequence similarity with at least one new first network security monitoring device is greater than or equal to the historical state sequence similarity threshold;
e, executing step d at least once, until the historical state sequence similarity between each network security monitoring device outside the first device set and the new first device set and each new first network security monitoring device in the new first device set is smaller than the historical state sequence similarity threshold, and then selecting any one network security monitoring device from those outside the first device set and the new first device set to be placed, as a new first network security monitoring device, into a newly constructed new first device set;
and f, repeating step d and step e at least once, until no network security monitoring device remains outside the first device set and the new first device sets, and using the first device set and each new first device set respectively as a monitoring device set.
In some preferred embodiments, in the above network security sensing method, for each state information classification set in the at least one state information classification set, analyzing the device operating state of the corresponding network security monitoring device based on each piece of device operating state information included in the state information classification set, to obtain a device operating state abnormality degree of the network security monitoring device corresponding to each piece of device operating state information included in the state information classification set, includes:
aiming at each state information classification set in the at least one state information classification set, calculating state information similarity between every two pieces of equipment operation state information included in the state information classification set to obtain at least one state information similarity corresponding to the state information classification set, wherein each state information classification set comprises at least two pieces of equipment operation state information, the equipment operation state information is operation log information of corresponding network safety monitoring equipment, and the state information similarity is text similarity between the operation log information;
for each piece of equipment operation state information included in each state information classification set in at least one state information classification set, respectively determining a relative size relation between a state information similarity between the equipment operation state information and each piece of other equipment operation state information in the state information classification set and a preset state information similarity threshold, and determining the quantity ratio of the other equipment operation state information of which the state information similarity with the equipment operation state information is smaller than the state information similarity threshold to obtain the quantity ratio corresponding to the equipment operation state information;
and for each piece of equipment running state information included in each state information classification set in the at least one state information classification set, obtaining the equipment running state abnormality degree of the network safety monitoring equipment corresponding to the equipment running state information based on the quantity ratio corresponding to the equipment running state information, wherein the equipment running state abnormality degree and the quantity ratio have positive correlation.
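The grouping steps a to f and the per-set scoring above, as an added Python example (not code from the patent): the patent leaves the sequence-similarity and text-similarity measures unspecified, so position-wise agreement and token Jaccard are used here as assumptions, and the device names, state histories and log lines are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample input (invented for illustration): for each monitoring
# device, its historical operating-state sequence, already ordered by
# acquisition time, and its most recent operation-log text.
HISTORY: Dict[str, List[str]] = {
    "mon-A": ["ok", "ok", "busy", "ok", "ok"],
    "mon-B": ["ok", "ok", "busy", "ok", "busy"],
    "mon-C": ["ok", "busy", "busy", "ok", "ok"],
    "mon-D": ["fail", "fail", "ok", "fail", "fail"],
    "mon-E": ["ok", "ok", "busy", "ok", "ok"],
}
CURRENT_LOG: Dict[str, str] = {
    "mon-A": "heartbeat ok sensor online queue 12",
    "mon-B": "heartbeat ok sensor online queue 15",
    "mon-C": "heartbeat timeout sensor offline restart pending",
    "mon-D": "disk full heartbeat lost",
    "mon-E": "heartbeat ok sensor online queue 9",
}


def sequence_similarity(a: List[str], b: List[str]) -> float:
    """Assumed measure (the patent does not fix one): fraction of aligned
    positions holding the same state, compared over the shorter prefix."""
    n = min(len(a), len(b))
    if n == 0:
        return 0.0
    return sum(1 for i in range(n) if a[i] == b[i]) / n


def text_similarity(x: str, y: str) -> float:
    """Assumed text-similarity measure: Jaccard index over the
    whitespace-separated tokens of the two log lines."""
    ta, tb = set(x.split()), set(y.split())
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def group_devices(history: Dict[str, List[str]], threshold: float) -> List[List[str]]:
    """Steps a to f: seed a set with one device, then repeatedly admit any
    outside device whose history is at least `threshold`-similar to some
    member; when nothing more qualifies, seed a new set from the remainder."""
    remaining = sorted(history)            # deterministic seed choice
    groups: List[List[str]] = []
    while remaining:
        current = [remaining.pop(0)]       # steps a / c / e: pick a seed
        grew = True
        while grew:                        # steps b / d: admit by similarity
            grew = False
            for dev in list(remaining):
                if any(sequence_similarity(history[dev], history[m]) >= threshold
                       for m in current):
                    current.append(dev)
                    remaining.remove(dev)
                    grew = True
        groups.append(current)
    return groups


def anomaly_degrees(group: List[str], logs: Dict[str, str],
                    threshold: float) -> Dict[str, Optional[float]]:
    """Per-set scoring: for each device, the share of the other members whose
    log text is less than `threshold`-similar to its own. The degree is taken
    equal to that share (any monotone mapping keeps the positive correlation
    the text requires). A one-member set has no peers to compare against,
    so its device gets None instead of a misleading score."""
    result: Dict[str, Optional[float]] = {}
    for dev in group:
        others = [o for o in group if o != dev]
        if not others:
            result[dev] = None
            continue
        dissimilar = sum(1 for o in others
                         if text_similarity(logs[dev], logs[o]) < threshold)
        result[dev] = dissimilar / len(others)
    return result


def sense(history: Dict[str, List[str]], logs: Dict[str, str],
          seq_threshold: float = 0.6, text_threshold: float = 0.5) -> Dict[str, Optional[float]]:
    """Full pipeline: group by historical sequence similarity, then score
    each device against the peers in its own group."""
    degrees: Dict[str, Optional[float]] = {}
    for group in group_devices(history, seq_threshold):
        degrees.update(anomaly_degrees(group, logs, text_threshold))
    return degrees


if __name__ == "__main__":
    for dev, deg in sense(HISTORY, CURRENT_LOG).items():
        print(dev, deg)
```

With the sample data, mon-C ends up in the same group as mon-A, mon-B and mon-E on the strength of its history, but its log text diverges from all three peers, so it scores highest; mon-D forms a group of its own and receives no peer-based score.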
The embodiment of the present invention further provides a network security sensing system, which is applied to a network security monitoring server, wherein the network security monitoring server is communicatively connected with a plurality of network security monitoring devices, the plurality of network security monitoring devices are respectively used for monitoring the device operating state of each of a plurality of corresponding network devices, and the network security sensing system includes:
a state information obtaining module, configured to obtain device operation state information of each network security monitoring device in the multiple network security monitoring devices, respectively, to obtain multiple pieces of device operation state information corresponding to the multiple network security monitoring devices, where the device operation state information is used to represent an operation state of the corresponding network security monitoring device in a process of monitoring the corresponding network device;
the state information classification module is used for classifying the running state information of the plurality of pieces of equipment to obtain at least one state information classification set corresponding to the running state information of the plurality of pieces of equipment;
and the running state analysis module is used for analyzing the running state of the corresponding network safety monitoring equipment based on the running state information of each piece of equipment in the state information classification set aiming at each state information classification set in the at least one state information classification set to obtain the abnormal degree of the running state of the network safety monitoring equipment corresponding to the running state information of each piece of equipment in the state information classification set.
In some preferred embodiments, in the foregoing network security sensing system, the state information classification module is specifically configured to:
for each network security monitoring device in the plurality of network security monitoring devices, acquire each piece of historical device operating state information corresponding to the network security monitoring device, to obtain a plurality of pieces of historical device operating state information corresponding to the network security monitoring device;
classifying the multiple pieces of equipment operation state information corresponding to the multiple pieces of network safety monitoring equipment based on the multiple pieces of historical equipment operation state information corresponding to each piece of network safety monitoring equipment in the multiple pieces of network safety monitoring equipment to obtain at least one state information classification set corresponding to the multiple pieces of equipment operation state information, wherein each state information classification set in the at least one state information classification set comprises at least one piece of equipment operation state information.
In some preferred embodiments, in the above network security sensing system, the operating state analysis module is specifically configured to:
for each state information classification set in the at least one state information classification set, calculating state information similarity between every two pieces of equipment operation state information included in the state information classification set to obtain at least one state information similarity corresponding to the state information classification set, wherein each state information classification set includes at least two pieces of equipment operation state information, the equipment operation state information is operation log information of corresponding network security monitoring equipment, and the state information similarity is text similarity between the operation log information;
for each piece of equipment running state information included in each state information classification set in at least one state information classification set, respectively determining the relative size relationship between the state information similarity between the equipment running state information and each piece of other equipment running state information in the state information classification set and a preset state information similarity threshold, and determining the number proportion of the other equipment running state information of which the state information similarity with the equipment running state information is smaller than the state information similarity threshold to obtain the number proportion corresponding to the equipment running state information;
and aiming at each piece of equipment running state information included in each state information classification set in at least one state information classification set, obtaining the equipment running state abnormality degree of the network safety monitoring equipment corresponding to the equipment running state information based on the quantity ratio corresponding to the equipment running state information, wherein the equipment running state abnormality degree and the quantity ratio have positive correlation.
In the network security sensing method and system provided in the embodiments of the present invention, after the device operating state information of each of the multiple network security monitoring devices is obtained, yielding the corresponding multiple pieces of device operating state information, those pieces of information are classified to obtain the corresponding at least one state information classification set. For each state information classification set, the device operating state of the corresponding network security monitoring devices is then analyzed based on each piece of device operating state information included in that set, to obtain the device operating state abnormality degree of the network security monitoring device corresponding to each piece of information in the set. Because each device is judged against the other devices in its own set rather than in isolation, the basis for analyzing the device operating state is more sufficient, the reliability of the analysis result is improved, and the problem of poor reliability in sensing the degree of device abnormality in the prior art is solved.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
Fig. 1 is a block diagram of a network security monitoring server according to an embodiment of the present invention.
Fig. 2 is a schematic flow chart of a network security sensing method according to an embodiment of the present invention.
Fig. 3 is a schematic block diagram of a network security sensing system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a network security monitoring server, which may include a memory and a processor.
In detail, the memory and the processor are electrically connected, directly or indirectly, to enable data transmission or interaction; for example, they may be connected via one or more communication buses or signal lines. The memory stores at least one software function (computer program), which may be present in the form of software or firmware. The processor is configured to execute the executable computer program stored in the memory, so as to implement the network security sensing method provided by the embodiments of the present invention (described below).
It is understood that in some possible implementations, the memory may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), and the like.
It is understood that, in some possible implementations, the Processor may be a general-purpose Processor including a Central Processing Unit (CPU), a Network Processor (NP), a System on Chip (SoC), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components.
Also, the structure shown in fig. 1 is only an illustration, and the network security monitoring server may further include more or fewer components than those shown in fig. 1, or have a different configuration from that shown in fig. 1, for example, may include a communication unit for information interaction with other devices.
With reference to fig. 2, an embodiment of the present invention further provides a network security sensing method, which is applicable to the network security monitoring server. The method steps defined by the flow related to the network security sensing method can be implemented by the network security monitoring server. The network security monitoring server is in communication connection with a plurality of network security monitoring devices, and the plurality of network security monitoring devices are respectively used for monitoring the device running state of each of the plurality of corresponding network devices.
The specific process shown in FIG. 2 will be described in detail below.
Step S110, respectively obtaining device running state information of each of the multiple network security monitoring devices, and obtaining multiple device running state information corresponding to the multiple network security monitoring devices.
In the embodiment of the present invention, the network security monitoring server may respectively obtain the device operating state information of each of the plurality of network security monitoring devices, so as to obtain a plurality of device operating state information corresponding to the plurality of network security monitoring devices. The device running state information is used for representing the running state of the corresponding network safety monitoring device in the process of monitoring the corresponding network device.
Step S120, performing classification processing on the multiple pieces of device operation state information to obtain at least one state information classification set corresponding to the multiple pieces of device operation state information.
In the embodiment of the present invention, the network security monitoring server may perform classification processing on the multiple pieces of device operation state information to obtain at least one state information classification set corresponding to the multiple pieces of device operation state information.
Step S130, for each status information classification set in the at least one status information classification set, analyzing the device operating status of the corresponding network security monitoring device based on each device operating status information included in the status information classification set, and obtaining the device operating status abnormality degree of the network security monitoring device corresponding to each device operating status information.
In this embodiment of the present invention, the network security monitoring server may analyze, for each status information classification set in the at least one status information classification set, the device operating state of the corresponding network security monitoring device based on each piece of device operating state information included in the status information classification set, so as to obtain a device operating state abnormality degree of the network security monitoring device corresponding to each piece of device operating state information included in the status information classification set.
Based on the steps of the foregoing network security sensing method, once the device operating state information of each of the multiple network security monitoring devices has been obtained, the resulting pieces of device operating state information are first classified into at least one state information classification set. For each classification set, the device operating state of each corresponding network security monitoring device is then analyzed on the basis of every piece of device operating state information in that set, yielding a device operating state abnormality degree for each of those devices. Because each device is assessed against the devices classified together with it rather than in isolation, the analysis rests on a broader basis, the reliability of the result is improved, and the poor reliability of abnormality-degree sensing in the prior art is addressed.
It is understood that in some possible implementations, step S110 may include the following:
firstly, determining whether state monitoring of the multiple network security monitoring devices is required;
secondly, if it is required, generating corresponding state monitoring notification information and sending it to each of the multiple network security monitoring devices, each of which responds by sending its device operating state information to the network security monitoring server;
then, obtaining the device operating state information sent by each network security monitoring device in response to the state monitoring notification information, so that multiple pieces of device operating state information corresponding to the multiple network security monitoring devices are obtained.
It is to be understood that, in some possible implementations, the step of determining whether the status monitoring of the multiple network security monitoring devices is required may include the following steps:
firstly, determining the time at which state monitoring of the multiple network security monitoring devices was last performed, taking it as first historical time information, and comparing the time difference between the first historical time information and the current time information with a preset time difference threshold (for example, checking whether that time difference is greater than or equal to the threshold);
secondly, if the time difference is greater than or equal to the time difference threshold, determining that state monitoring of the multiple network security monitoring devices is required; otherwise, if the time difference is smaller than the threshold, determining that it is not required.
It will be appreciated that in some possible implementations, step S120 may include the following:
firstly, for each of the multiple network security monitoring devices, obtaining each piece of historical device operating state information corresponding to that device, so that multiple pieces of historical device operating state information are obtained for each device;
secondly, classifying the multiple pieces of current device operating state information on the basis of the historical device operating state information of each device, to obtain at least one state information classification set, each of which contains at least one piece of device operating state information.
It may be understood that, in some possible implementations, the step of classifying, based on the multiple pieces of historical device operating state information corresponding to each of the multiple network security monitoring devices, the multiple pieces of device operating state information corresponding to the multiple network security monitoring devices to obtain at least one state information classification set corresponding to the multiple pieces of device operating state information may include the following steps:
firstly, for each of the multiple network security monitoring devices, sorting its multiple pieces of historical device operating state information by acquisition time (for example, earliest first) to obtain a historical state information sequence for that device;
secondly, for every pair of network security monitoring devices, performing a sequence similarity calculation operation on the two corresponding historical state information sequences to obtain the historical state sequence similarity of that pair;
then, grouping the multiple network security monitoring devices on the basis of the pairwise historical state sequence similarities to obtain at least one monitoring device set;
finally, for each monitoring device set, placing the current device operating state information of every network security monitoring device in that set into one set, giving the state information classification set that corresponds one-to-one with the monitoring device set.
It will be appreciated that in some possible implementations, the sequence similarity calculation operation may include the following:
first, constructing a first historical abnormality degree sequence from the historical device operating state abnormality degree associated with each piece of historical device operating state information in the first of the two historical state information sequences, and likewise a second historical abnormality degree sequence from the second historical state information sequence;
second, comparing the abnormality degrees at each corresponding sequence position of the first and second historical abnormality degree sequences to obtain a historical abnormality degree comparison sequence, each element of which indicates whether the difference between the two abnormality degrees at that position is smaller than a threshold;
third, determining the proportion of positions in the comparison sequence at which the difference is smaller than the threshold (the position number ratio) and the length of the longest run of consecutive such positions (the maximum position number), and deriving from these two quantities an abnormality degree sequence similarity coefficient between the first and second historical abnormality degree sequences, the coefficient being positively correlated with both the position number ratio and the maximum position number;
fourth, for each corresponding sequence position of the two historical state information sequences, calculating the similarity between the two pieces of historical device operating state information at that position (the historical state information similarity), and assembling these values into a state information similarity sequence;
fifth, determining the proportion of positions in the state information similarity sequence whose similarity is greater than or equal to a preset state information similarity threshold (the historical number ratio) and the length of the longest run of consecutive such positions (the maximum continuous position number), and deriving from these two quantities a historical state sequence similarity coefficient between the two historical state information sequences, the coefficient being positively correlated with both the historical number ratio and the maximum continuous position number;
sixth, fusing the abnormality degree sequence similarity coefficient and the historical state sequence similarity coefficient (for example, as a weighted sum) to obtain the historical state sequence similarity of the two network security monitoring devices to which the two historical state information sequences belong.
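The six-step sequence similarity calculation above, written out as an added Python example (this is illustration added here, not code from the patent). The three device histories are constructed sample data; the token-set Jaccard measure used for "similarity between two pieces of historical device operating state information", the thresholds, the normalisation of the longest run by sequence length and the equal fusion weights are all assumptions, since the text leaves those choices open.

```python
import re
from typing import List, Sequence, Tuple

# Constructed sample histories, oldest first: (operation log line, historical anomaly degree).
# Hypothetical data; the degrees stand for the results of earlier analysis rounds.
HIST_A: List[Tuple[str, float]] = [
    ("sensor ok cpu 12 mem 40", 0.1),
    ("sensor ok cpu 14 mem 41", 0.1),
    ("sensor ok cpu 13 mem 42", 0.2),
    ("sensor degraded cpu 90 mem 95", 0.9),
]
HIST_B: List[Tuple[str, float]] = [
    ("sensor ok cpu 12 mem 40", 0.1),
    ("sensor ok cpu 15 mem 44", 0.2),
    ("sensor ok cpu 13 mem 42", 0.1),
    ("sensor degraded cpu 88 mem 93", 0.8),
]
HIST_C: List[Tuple[str, float]] = [
    ("sensor ok cpu 10 mem 30", 0.1),
    ("sensor timeout", 0.7),
    ("sensor timeout", 0.8),
    ("sensor ok cpu 11 mem 31", 0.1),
]


def jaccard(a: str, b: str) -> float:
    """Token-set Jaccard similarity; an assumed stand-in for the unspecified text similarity."""
    ta = set(re.findall(r"\w+", a.lower()))
    tb = set(re.findall(r"\w+", b.lower()))
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 1.0


def ratio_and_max_run(flags: Sequence[bool]) -> Tuple[float, int]:
    """Share of positions flagged as similar, and the longest run of consecutive flagged positions."""
    if not flags:
        return 0.0, 0
    best = cur = 0
    for f in flags:
        cur = cur + 1 if f else 0
        best = max(best, cur)
    return sum(flags) / len(flags), best


def similarity_coefficient(flags: Sequence[bool], alpha: float = 0.5) -> float:
    """Grows with both the ratio and the (length-normalised) longest run, as steps 3 and 5 require."""
    ratio, max_run = ratio_and_max_run(flags)
    run_frac = max_run / len(flags) if flags else 0.0
    return alpha * ratio + (1.0 - alpha) * run_frac


def history_sequence_similarity(hist_a, hist_b, anomaly_threshold: float = 0.2,
                                text_threshold: float = 0.6, weight: float = 0.5) -> float:
    """Steps 1-6 for two histories aligned position by position (same length, same ordering)."""
    if len(hist_a) != len(hist_b):
        raise ValueError("histories must be aligned position by position")
    # Steps 1-3: compare abnormality degrees per position, then ratio + longest run.
    anomaly_flags = [abs(da - db) < anomaly_threshold for (_, da), (_, db) in zip(hist_a, hist_b)]
    anomaly_coeff = similarity_coefficient(anomaly_flags)
    # Steps 4-5: compare the log texts per position against the state-info threshold.
    text_flags = [jaccard(la, lb) >= text_threshold for (la, _), (lb, _) in zip(hist_a, hist_b)]
    text_coeff = similarity_coefficient(text_flags)
    # Step 6: weighted-sum fusion.
    return weight * anomaly_coeff + (1.0 - weight) * text_coeff


if __name__ == "__main__":
    print("A~B", history_sequence_similarity(HIST_A, HIST_B))
    print("A~C", history_sequence_similarity(HIST_A, HIST_C))
```

Devices A and B, whose logs and past anomaly degrees track each other, score 0.6875; A and C, which diverge at three of four positions, score 0.125. The alignment requirement is the practical caveat: the method compares position i with position i, so histories must be polled on the same schedule (the S110 notification step gives that) or resampled before comparison.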
It may be understood that, in some possible implementations, the step of classifying the multiple network security monitoring devices based on the historical state sequence similarity corresponding to every two network security monitoring devices in the multiple network security monitoring devices to obtain at least one monitoring device set corresponding to the multiple network security monitoring devices may include the following steps:
a. selecting any one of the multiple network security monitoring devices and placing it, as a first network security monitoring device, into a pre-constructed first device set;
b. for each network security monitoring device outside the first device set, comparing its historical state sequence similarity with each first network security monitoring device in the first device set against a preset historical state sequence similarity threshold, and placing the device into the first device set if its similarity with at least one first network security monitoring device is greater than or equal to the threshold;
c. repeating step b at least once, until the historical state sequence similarity between every device outside the first device set and every device inside it is smaller than the historical state sequence similarity threshold; then selecting any one device outside the first device set as a new first network security monitoring device and placing it into a newly constructed first device set;
d. for each network security monitoring device outside both the first device set and the new first device set, comparing its historical state sequence similarity with each new first network security monitoring device in the new first device set against the same threshold, and placing it into the new first device set if its similarity with at least one of them is greater than or equal to the threshold;
e. repeating step d at least once, until the historical state sequence similarity between every device still outside the sets and every member of the new first device set is smaller than the threshold; then selecting any one of the remaining devices as a further new first network security monitoring device and placing it into a further newly constructed first device set;
f. repeating steps d and e until no network security monitoring device remains outside the first device set and the new first device sets, and taking the first device set and each new first device set as a monitoring device set.
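Steps a to f, as an added Python example (illustration added here, not the patent's code). The pairwise historical state sequence similarities are a constructed table for five hypothetical devices, standing in for values produced by the sequence similarity calculation; "any one device" is resolved deterministically as the first unassigned device in input order, which is an assumption the text does not make.

```python
from typing import Callable, Dict, FrozenSet, Hashable, List

# Constructed pairwise historical-state-sequence similarities (symmetric);
# unlisted pairs default to 0.1. Hypothetical values.
PAIR_SIM: Dict[FrozenSet[str], float] = {
    frozenset({"dev-A", "dev-B"}): 0.70,
    frozenset({"dev-B", "dev-C"}): 0.65,
    frozenset({"dev-A", "dev-C"}): 0.20,
    frozenset({"dev-D", "dev-E"}): 0.80,
}
DEVICES: List[str] = ["dev-A", "dev-B", "dev-C", "dev-D", "dev-E"]

# Constructed current operation-log line per device (hypothetical).
STATE_INFO: Dict[str, str] = {
    "dev-A": "probe up", "dev-B": "probe up", "dev-C": "probe slow",
    "dev-D": "probe up", "dev-E": "probe up",
}


def lookup_similarity(x: str, y: str) -> float:
    return PAIR_SIM.get(frozenset({x, y}), 0.1)


def group_devices(devices: List[Hashable],
                  similarity: Callable[[Hashable, Hashable], float],
                  threshold: float) -> List[List[Hashable]]:
    """Steps a-f: seed a set with an unassigned device, grow it while any outside device is
    at least `threshold`-similar to at least one member, then seed the next set."""
    remaining = list(devices)          # "any one device" = first remaining, for determinism
    sets: List[List[Hashable]] = []
    while remaining:
        current = [remaining.pop(0)]   # steps a, c, e: new seed, new set
        grew = True
        while grew:                    # steps b, d: repeat until no device can join
            grew = False
            for dev in list(remaining):  # iterate a snapshot; we mutate `remaining`
                if any(similarity(dev, member) >= threshold for member in current):
                    current.append(dev)
                    remaining.remove(dev)
                    grew = True
        sets.append(current)           # step f: every set becomes a monitoring device set
    return sets


def state_info_sets(device_sets: List[List[str]], state_info: Dict[str, str]) -> List[List[str]]:
    """Final step of S120: one state information classification set per monitoring device set."""
    return [[state_info[d] for d in s] for s in device_sets]


if __name__ == "__main__":
    groups = group_devices(DEVICES, lookup_similarity, 0.6)
    print(groups)                                   # [['dev-A', 'dev-B', 'dev-C'], ['dev-D', 'dev-E']]
    print(state_info_sets(groups, STATE_INFO))
```

Note the chaining behaviour: dev-C joins the first set through dev-B (0.65) although its similarity to dev-A is only 0.20, because membership requires similarity to at least one member, not to all. This is single-linkage grouping, so one device with moderately similar history to two otherwise unrelated groups will merge them; the threshold is the only control, and raising it to 0.75 in this data leaves dev-A, dev-B and dev-C each alone.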
It will be appreciated that in some possible implementations, step S130 may include the following:
firstly, for each state information classification set, calculating the state information similarity between every two pieces of device operating state information in the set, giving at least one state information similarity per set; here each state information classification set contains at least two pieces of device operating state information, each piece of device operating state information is the operation log information of the corresponding network security monitoring device, and the state information similarity is the text similarity between two pieces of operation log information;
secondly, for each piece of device operating state information in each set, comparing its state information similarity with every other piece of device operating state information in the same set against a preset state information similarity threshold, and determining the proportion of the other pieces whose similarity to it is smaller than the threshold (the number of such pieces divided by the total number of other pieces in the set), giving the number ratio corresponding to that piece of device operating state information;
then, for each piece of device operating state information, obtaining the device operating state abnormality degree of the corresponding network security monitoring device from its number ratio, the abnormality degree being positively correlated with the number ratio (for example, the number ratio itself may be taken as the abnormality degree).
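Step S130 within one classification set, as an added Python example (illustration added here, not the patent's code). The four log lines are constructed; the token-set Jaccard measure stands in for the unspecified "text similarity", the threshold of 0.4 is an assumption, and the number ratio is used directly as the abnormality degree, which the text offers as one option.

```python
import re
from typing import Callable, Dict

# Constructed classification set: current operation-log line per device (hypothetical).
CLASS_SET: Dict[str, str] = {
    "dev-A": "sensor ok cpu 12 mem 40",
    "dev-B": "sensor ok cpu 13 mem 41",
    "dev-C": "sensor ok cpu 12 mem 42",
    "dev-D": "sensor error disk full",
}


def jaccard(a: str, b: str) -> float:
    """Token-set Jaccard similarity; an assumed stand-in for the unspecified text similarity."""
    ta = set(re.findall(r"\w+", a.lower()))
    tb = set(re.findall(r"\w+", b.lower()))
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 1.0


def anomaly_degrees(state_info: Dict[str, str], threshold: float = 0.4,
                    similarity: Callable[[str, str], float] = jaccard) -> Dict[str, float]:
    """For each device's log: share of the OTHER logs in the set whose similarity to it is
    below `threshold`. That share is the number ratio, used here as the abnormality degree."""
    if len(state_info) < 2:
        raise ValueError("a classification set needs at least two pieces of state information")
    degrees: Dict[str, float] = {}
    for dev, log in state_info.items():
        others = [similarity(log, other) for d, other in state_info.items() if d != dev]
        degrees[dev] = sum(1 for s in others if s < threshold) / len(others)
    return degrees


def most_anomalous(degrees: Dict[str, float]) -> str:
    """Device with the highest abnormality degree (first one on ties, in dict order)."""
    return max(degrees, key=degrees.get)


if __name__ == "__main__":
    deg = anomaly_degrees(CLASS_SET)
    for dev, d in sorted(deg.items(), key=lambda kv: -kv[1]):
        print(f"{dev}: {d:.3f}")
    print("most anomalous:", most_anomalous(deg))
```

dev-D, whose log shares only the token "sensor" with the others, gets degree 1.0; the three healthy devices each get 1/3, because dev-D counts as a dissimilar peer for every one of them. Two practical consequences follow: in small sets a single outlier raises everyone else's degree, so the threshold on the degree itself should be set with the set size in mind; and a plain token measure treats "cpu 12" and "cpu 13" as different tokens, so numeric fields are best normalised or bucketed before the similarity is computed.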
With reference to fig. 3, an embodiment of the present invention further provides a network security sensing system, which is applicable to the network security monitoring server. Wherein the network security awareness system may include:
a state information obtaining module, configured to obtain device operation state information of each of the multiple network security monitoring devices, respectively, to obtain multiple pieces of device operation state information corresponding to the multiple network security monitoring devices, where the device operation state information is used to represent an operation state of the corresponding network security monitoring device in a process of monitoring the corresponding network device;
the state information classification module can be used for classifying the running state information of the plurality of pieces of equipment to obtain at least one state information classification set corresponding to the running state information of the plurality of pieces of equipment;
the operating state analyzing module may be configured to, for each status information classification set in the at least one status information classification set, analyze the device operating state of the corresponding network security monitoring device based on the device operating state information included in the status information classification set, and obtain a device operating state abnormality degree of the network security monitoring device corresponding to the device operating state information included in the status information classification set.
It is to be understood that, in some possible implementations, the state information classification module is specifically configured to: for each of the multiple network security monitoring devices, obtain each piece of historical device operating state information corresponding to that device, so that multiple pieces of historical device operating state information are obtained per device; and classify the multiple pieces of device operating state information on the basis of the historical device operating state information of each device, to obtain at least one state information classification set, each of which contains at least one piece of device operating state information.
It may be understood that, in some possible implementations, the operating state analysis module is specifically configured to: for each state information classification set, calculate the state information similarity between every two pieces of device operating state information in the set, giving at least one state information similarity per set, where each set contains at least two pieces of device operating state information, each piece of device operating state information is the operation log information of the corresponding network security monitoring device, and the state information similarity is the text similarity between two pieces of operation log information; for each piece of device operating state information in each set, compare its state information similarity with every other piece in the same set against a preset state information similarity threshold and determine the proportion of the other pieces whose similarity to it is smaller than the threshold, giving the number ratio corresponding to that piece of device operating state information; and for each piece of device operating state information, obtain the device operating state abnormality degree of the corresponding network security monitoring device from its number ratio, the abnormality degree being positively correlated with the number ratio.
In summary, after the device operating state information of each of the multiple network security monitoring devices has been obtained, the resulting pieces of device operating state information are classified into at least one state information classification set. For each classification set, the device operating state of each corresponding network security monitoring device is analyzed on the basis of every piece of device operating state information in that set, yielding a device operating state abnormality degree for each of those devices. The analysis therefore rests on a broader basis, the reliability of the result is improved, and the poor reliability of abnormality-degree sensing in the prior art is addressed.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A network security sensing method, applied to a network security monitoring server, the network security monitoring server being in communication connection with a plurality of network security monitoring devices, the plurality of network security monitoring devices being respectively used for monitoring the device running state of each of a plurality of corresponding network devices, the network security sensing method comprising:
respectively obtaining device running state information of each of the plurality of network security monitoring devices to obtain a plurality of pieces of device running state information corresponding to the plurality of network security monitoring devices, wherein the device running state information is used for representing the running state of the corresponding network security monitoring device in the process of monitoring the corresponding network device;
classifying the plurality of pieces of device running state information to obtain at least one state information classification set corresponding to the plurality of pieces of device running state information;
and for each state information classification set in the at least one state information classification set, analyzing the device running state of the corresponding network security monitoring device based on each piece of device running state information included in the state information classification set, to obtain the device running state abnormality degree of the network security monitoring device corresponding to each piece of device running state information included in the state information classification set.
2. The network security sensing method according to claim 1, wherein the step of respectively obtaining the device operating state information of each of the plurality of network security monitoring devices to obtain the plurality of device operating state information corresponding to the plurality of network security monitoring devices comprises:
determining whether state monitoring of the plurality of network security monitoring devices is required;
if state monitoring of the plurality of network security monitoring devices is required, generating corresponding state monitoring notification information and sending the state monitoring notification information to each of the plurality of network security monitoring devices, wherein each of the plurality of network security monitoring devices is used for sending its device running state information to the network security monitoring server based on the state monitoring notification information;
and respectively obtaining the device running state information sent by each of the plurality of network security monitoring devices based on the state monitoring notification information, to obtain the plurality of pieces of device running state information corresponding to the plurality of network security monitoring devices.
3. The network security sensing method of claim 2, wherein the step of determining whether state monitoring of the plurality of network security monitoring devices is required comprises:
determining the time at which state monitoring of the plurality of network security monitoring devices was last performed to obtain corresponding first historical time information, and comparing the time difference between the first historical time information and the current time information with a preset time difference threshold;
if the time difference between the first historical time information and the current time information is greater than or equal to the time difference threshold, determining that state monitoring of the plurality of network security monitoring devices is required;
and if the time difference between the first historical time information and the current time information is smaller than the time difference threshold, determining that state monitoring of the plurality of network security monitoring devices is not required.
4. The network security sensing method of claim 1, wherein the step of classifying the running state information of the plurality of pieces of equipment to obtain at least one state information classification set corresponding to the running state information of the plurality of pieces of equipment comprises:
for each of the plurality of network security monitoring devices, obtaining each piece of historical device running state information corresponding to the network security monitoring device, to obtain a plurality of pieces of historical device running state information corresponding to the network security monitoring device;
and classifying the plurality of pieces of device running state information corresponding to the plurality of network security monitoring devices based on the plurality of pieces of historical device running state information corresponding to each of the plurality of network security monitoring devices, to obtain at least one state information classification set corresponding to the plurality of pieces of device running state information, wherein each state information classification set in the at least one state information classification set comprises at least one piece of device running state information.
5. The network security sensing method of claim 4, wherein the step of classifying the pieces of device operation state information corresponding to the plurality of network security monitoring devices based on the pieces of historical device operation state information corresponding to each of the plurality of network security monitoring devices to obtain at least one state information classification set corresponding to the pieces of device operation state information comprises:
for each of the plurality of network security monitoring devices, sorting the plurality of pieces of historical device running state information corresponding to the network security monitoring device in order of acquisition time, to obtain a historical state information sequence corresponding to the network security monitoring device;
for every two of the plurality of network security monitoring devices, performing a sequence similarity calculation operation on the two historical state information sequences corresponding to the two network security monitoring devices, to obtain a historical state sequence similarity corresponding to the two network security monitoring devices;
classifying the plurality of network security monitoring devices based on the historical state sequence similarity corresponding to every two of the plurality of network security monitoring devices, to obtain at least one monitoring device set corresponding to the plurality of network security monitoring devices;
and for each monitoring device set in the at least one monitoring device set, placing the device running state information corresponding to each network security monitoring device included in the monitoring device set into the same set, to obtain the state information classification set corresponding to the monitoring device set, wherein the monitoring device sets and the state information classification sets have a one-to-one correspondence.
6. The network security sensing method according to claim 5, wherein the step of classifying the plurality of network security monitoring devices based on the historical state sequence similarity corresponding to each two network security monitoring devices in the plurality of network security monitoring devices to obtain at least one monitoring device set corresponding to the plurality of network security monitoring devices comprises:
a, determining any one network security monitoring device from the plurality of network security monitoring devices, and putting the network security monitoring device into a first device set which is constructed in advance as a first network security monitoring device;
b, respectively determining the relative size relationship between the historical state sequence similarity between the network security monitoring device and each first network security monitoring device in the first device set and a preset historical state sequence similarity threshold value aiming at each network security monitoring device outside the first device set, and placing the network security monitoring device into the first device set when the historical state sequence similarity between the network security monitoring device and at least one first network security monitoring device is greater than or equal to the historical state sequence similarity threshold value;
c, executing the step b at least once until the historical state sequence similarity between each network safety monitoring device outside the first device set and each first network safety monitoring device in the first device set is smaller than the historical state sequence similarity threshold value, and then determining any one network safety monitoring device from the network safety monitoring devices outside the first device set as a new first network safety monitoring device to be placed into a currently constructed new first device set;
d, respectively determining the relative magnitude relation between the historical state sequence similarity between the network security monitoring device and each new first network security monitoring device in the new first device set and the historical state sequence similarity threshold value for each network security monitoring device outside the first device set and the new first device set, and placing the network security monitoring device in the new first device set when the historical state sequence similarity between the network security monitoring device and at least one new first network security monitoring device is greater than or equal to the historical state sequence similarity threshold value;
e, executing step d at least once until the historical state sequence similarity between each network security monitoring device outside the first device set and the new first device set and each new first network security monitoring device in the new first device set is smaller than the historical state sequence similarity threshold value, and then determining any one network security monitoring device from the network security monitoring devices outside the first device set and the new first device set as a new first network security monitoring device to be placed in a currently constructed new first device set;
and f, circularly executing the step d and the step e at least once until no network security monitoring device exists outside the first device set and the new first device set, and respectively using the first device set and each new first device set as a monitoring device set.
7. The network security sensing method according to any one of claims 1 to 6, wherein the step of, for each status information classification set of the at least one status information classification set, analyzing the device operation status of the corresponding network security monitoring device based on each piece of device operation status information included in the status information classification set to obtain a device operation status abnormality degree of the network security monitoring device corresponding to each piece of device operation status information included in the status information classification set includes:
aiming at each state information classification set in the at least one state information classification set, calculating state information similarity between every two pieces of equipment operation state information included in the state information classification set to obtain at least one state information similarity corresponding to the state information classification set, wherein each state information classification set comprises at least two pieces of equipment operation state information, the equipment operation state information is operation log information of corresponding network safety monitoring equipment, and the state information similarity is text similarity between the operation log information;
for each piece of equipment running state information included in each state information classification set in at least one state information classification set, respectively determining the relative size relationship between the state information similarity between the equipment running state information and each piece of other equipment running state information in the state information classification set and a preset state information similarity threshold, and determining the number proportion of the other equipment running state information of which the state information similarity with the equipment running state information is smaller than the state information similarity threshold to obtain the number proportion corresponding to the equipment running state information;
and for each piece of equipment running state information included in each state information classification set in the at least one state information classification set, obtaining the equipment running state abnormality degree of the network safety monitoring equipment corresponding to the equipment running state information based on the quantity ratio corresponding to the equipment running state information, wherein the equipment running state abnormality degree and the quantity ratio have positive correlation.
8. A network security sensing system, characterized in that it is applied to a network security monitoring server, the network security monitoring server being communicatively connected to a plurality of network security monitoring devices, the plurality of network security monitoring devices being used to respectively monitor the device running state of each network device in a corresponding plurality of network devices, the network security sensing system comprising:
a state information obtaining module, configured to obtain device running state information of each of the multiple network security monitoring devices, respectively, to obtain multiple pieces of device running state information corresponding to the multiple network security monitoring devices, where the device running state information is used to represent a running state of the corresponding network security monitoring device in a process of monitoring the corresponding network device;
the state information classification module is used for classifying the running state information of the plurality of pieces of equipment to obtain at least one state information classification set corresponding to the running state information of the plurality of pieces of equipment;
and the operating state analysis module is used for analyzing the operating state of the corresponding network safety monitoring equipment based on the operating state information of each piece of equipment included in the state information classification set aiming at each state information classification set in the at least one state information classification set so as to obtain the abnormal degree of the operating state of the network safety monitoring equipment corresponding to the operating state information of each piece of equipment included in the state information classification set.
9. The network security awareness system of claim 8, wherein the status information classification module is specifically configured to:
for each network safety monitoring device in the plurality of network safety monitoring devices, acquiring running state information of each piece of historical equipment corresponding to the network safety monitoring device to obtain running state information of a plurality of pieces of historical equipment corresponding to the network safety monitoring device;
classifying the multiple pieces of equipment operation state information corresponding to the multiple pieces of network safety monitoring equipment based on the multiple pieces of historical equipment operation state information corresponding to each piece of network safety monitoring equipment in the multiple pieces of network safety monitoring equipment to obtain at least one state information classification set corresponding to the multiple pieces of equipment operation state information, wherein each state information classification set in the at least one state information classification set comprises at least one piece of equipment operation state information.
10. The network security awareness system of claim 8, wherein the operating state analysis module is specifically configured to:
for each state information classification set in the at least one state information classification set, calculating state information similarity between every two pieces of equipment operation state information included in the state information classification set to obtain at least one state information similarity corresponding to the state information classification set, wherein each state information classification set includes at least two pieces of equipment operation state information, the equipment operation state information is operation log information of corresponding network security monitoring equipment, and the state information similarity is text similarity between the operation log information;
for each piece of equipment running state information included in each state information classification set in at least one state information classification set, respectively determining the relative size relationship between the state information similarity between the equipment running state information and each piece of other equipment running state information in the state information classification set and a preset state information similarity threshold, and determining the number proportion of the other equipment running state information of which the state information similarity with the equipment running state information is smaller than the state information similarity threshold to obtain the number proportion corresponding to the equipment running state information;
and for each piece of equipment running state information included in each state information classification set in the at least one state information classification set, obtaining the equipment running state abnormality degree of the network safety monitoring equipment corresponding to the equipment running state information based on the quantity ratio corresponding to the equipment running state information, wherein the equipment running state abnormality degree and the quantity ratio have positive correlation.
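The procedure of claims 5 to 7 (restated for the system in claims 9 and 10) amounts to peer-group anomaly scoring: devices are grouped by how alike their historical state sequences are, and within a group a device whose current log is unlike most of its peers gets a high abnormality degree. The following Python is an added worked example, not code from the patent or its applicant. The claims leave the similarity measures unspecified, so the example assumes: log lines are normalised by replacing digit runs with "N" and tokenised on whitespace; "text similarity" is Jaccard similarity of the token sets; "sequence similarity" is the mean text similarity of entries at the same position in two time-ordered histories; the abnormality degree equals the dissimilar-peer ratio itself (the claim only requires a positive correlation). The device names, log lines and thresholds are constructed sample data.

```python
"""Added example (not the patent's code): peer-group anomaly scoring for
security monitoring devices, following claims 5-7 and 10 of CN114928468A."""
import re
from typing import Dict, List, Optional, Tuple


def normalize(entry: str) -> set:
    # Assumption: digit runs become "N" so that "cpu=20 mem=40" and
    # "cpu=22 mem=41" compare as the same log structure.
    return set(re.sub(r"\d+", "N", entry.lower()).split())


def text_similarity(a: str, b: str) -> float:
    # Assumption: claim 7's "text similarity" is Jaccard over normalised tokens.
    ta, tb = normalize(a), normalize(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def history_sequence(records: List[Tuple[int, str]]) -> List[str]:
    # Claim 5, first step: order a device's historical entries by acquisition time.
    return [entry for _, entry in sorted(records)]


def sequence_similarity(seq_a: List[str], seq_b: List[str]) -> float:
    # Assumption: mean text similarity of entries at the same position; positions
    # without a partner (histories of unequal length) contribute 0.
    longest = max(len(seq_a), len(seq_b))
    if longest == 0:
        return 1.0
    return sum(text_similarity(x, y) for x, y in zip(seq_a, seq_b)) / longest


def cluster_devices(histories: Dict[str, List[str]], seq_threshold: float) -> List[List[str]]:
    """Claim 6, steps a-f: seed a set with any outside device, grow it by adding every
    outside device whose sequence similarity to at least one member reaches the
    threshold, repeat until nothing qualifies, then seed a new set from the remainder."""
    remaining = list(histories)          # insertion order keeps the result deterministic
    device_sets: List[List[str]] = []
    while remaining:
        members = [remaining.pop(0)]     # steps a, c, e: seed a new set
        changed = True
        while changed:                   # steps b, d, repeated per steps c, e
            changed = False
            for dev in list(remaining):
                if any(sequence_similarity(histories[dev], histories[m]) >= seq_threshold
                       for m in members):
                    members.append(dev)
                    remaining.remove(dev)
                    changed = True
        device_sets.append(members)      # step f: each set built is a monitoring device set
    return device_sets


def anomaly_degrees(current_logs: Dict[str, str], device_sets: List[List[str]],
                    state_threshold: float) -> Dict[str, Optional[float]]:
    """Claim 7: a device's degree is the fraction of peers in its set whose current log
    similarity to it is below the threshold. Assumption: degree equals that fraction.
    Claim 7 presumes sets of at least two entries; a singleton has no peers and is
    reported as None rather than a misleading 0.0."""
    degrees: Dict[str, Optional[float]] = {}
    for members in device_sets:
        for dev in members:
            peers = [p for p in members if p != dev]
            if not peers:
                degrees[dev] = None
                continue
            dissimilar = sum(1 for p in peers
                             if text_similarity(current_logs[dev], current_logs[p]) < state_threshold)
            degrees[dev] = dissimilar / len(peers)
    return degrees


# Constructed sample data: (acquisition_time, log line) per device, deliberately
# not in time order for fw-01 to exercise the sorting step.
HISTORY: Dict[str, List[Tuple[int, str]]] = {
    "fw-01": [(3, "cpu=21 mem=40 link=up"), (1, "cpu=20 mem=40 link=up"), (2, "cpu=22 mem=41 link=up")],
    "fw-02": [(1, "cpu=18 mem=39 link=up"), (2, "cpu=19 mem=42 link=up"), (3, "cpu=20 mem=40 link=up")],
    "fw-03": [(1, "cpu=25 mem=45 link=up"), (2, "cpu=24 mem=44 link=up"), (3, "cpu=26 mem=45 link=up")],
    "fw-04": [(1, "cpu=30 mem=50 link=up"), (2, "cpu=31 mem=50 link=up"), (3, "cpu=29 mem=49 link=up")],
    "ids-01": [(1, "sessions=120 drops=0 sensor=ok"), (2, "sessions=130 drops=1 sensor=ok"), (3, "sessions=125 drops=0 sensor=ok")],
    "ids-02": [(1, "sessions=110 drops=0 sensor=ok"), (2, "sessions=115 drops=0 sensor=ok"), (3, "sessions=118 drops=2 sensor=ok")],
}
CURRENT_LOG: Dict[str, str] = {          # constructed current state per device
    "fw-01": "cpu=23 mem=41 link=up",
    "fw-02": "cpu=21 mem=40 link=up",
    "fw-03": "cpu=97 mem=88 link=down error=timeout",   # the one that drifted
    "fw-04": "cpu=28 mem=48 link=up",
    "ids-01": "sessions=128 drops=0 sensor=ok",
    "ids-02": "sessions=121 drops=1 sensor=ok",
}


def run_example(seq_threshold: float = 0.5, state_threshold: float = 0.5):
    sequences = {dev: history_sequence(recs) for dev, recs in HISTORY.items()}
    sets = cluster_devices(sequences, seq_threshold)
    return sets, anomaly_degrees(CURRENT_LOG, sets, state_threshold)


if __name__ == "__main__":
    device_sets, degrees = run_example()
    print("monitoring device sets:", device_sets)
    for dev, degree in sorted(degrees.items(), key=lambda kv: -(kv[1] or 0)):
        print(f"{dev}: abnormality degree {degree}")
```

Running it groups the four firewalls and the two sensors into separate sets and scores fw-03 at 1.0 while its peers score 1/3: in a small set a single outlier also raises the ratio of every healthy peer, so the degree is best read as a ranking within the set, or thresholded with the set size in mind, rather than as an absolute alarm level.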
CN202210337000.5A 2022-03-31 2022-03-31 Network security sensing method and system Withdrawn CN114928468A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210337000.5A CN114928468A (en) 2022-03-31 2022-03-31 Network security sensing method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210337000.5A CN114928468A (en) 2022-03-31 2022-03-31 Network security sensing method and system

Publications (1)

Publication Number Publication Date
CN114928468A true CN114928468A (en) 2022-08-19

Family

ID=82804795

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210337000.5A Withdrawn CN114928468A (en) 2022-03-31 2022-03-31 Network security sensing method and system

Country Status (1)

Country Link
CN (1) CN114928468A (en)

Similar Documents

Publication Publication Date Title
CN112162878B (en) Database fault discovery method and device, electronic equipment and storage medium
CN110674009B (en) Application server performance monitoring method and device, storage medium and electronic equipment
US9524223B2 (en) Performance metrics of a computer system
CN113176978A (en) Monitoring method, system and device based on log file and readable storage medium
CN106874135B (en) Method, device and equipment for detecting machine room fault
CN115841255B (en) On-site early warning method and system for building engineering based on-line analysis
CN112286771A (en) Alarm method for monitoring global resources
CN113656255A (en) Operation abnormity judgment method based on chip operation data
CN114511026A (en) Fault diagnosis method and device, terminal equipment and storage medium
CN112069070A (en) Page detection method, device, server and computer readable storage medium
CN113992602B (en) Cable monitoring data uploading method, device, equipment and storage medium
CN114928467A (en) Network security operation and maintenance association analysis method and system
CN114928468A (en) Network security sensing method and system
CN113533891A (en) Fault diagnosis system and device
CN113835961B (en) Alarm information monitoring method, device, server and storage medium
CN114896653A (en) Building data monitoring method and system based on BIM
CN115333770A (en) Network security risk monitoring system and method for electric power system
CN115471968A (en) Cable burglar alarm
CN115330140A (en) Building risk prediction method based on data mining and prediction system thereof
CN111651503B (en) Power distribution network data anomaly identification method and system and terminal equipment
CN115185724A (en) Fault processing method, device, electronic equipment and storage medium
CN113821402A (en) Chip use warning method and system based on chip running state
CN113625092A (en) Electronic component performance data detection method
CN113986659A (en) Fault analysis method, device, equipment and computer storage medium
CN113804235A (en) Environment detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220819