CN115296876A - Network security early warning system of self-adaptation mimicry technique - Google Patents


Info

Publication number: CN115296876A
Authority: CN (China)
Application number: CN202210886499.5A
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 刘庆, 王继超
Current assignee: Beijing Connected Information Technology Co ltd
Original assignee: Beijing Connected Information Technology Co ltd
Prior art keywords: network, security, module, target, network security

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention belongs to the technical field of network security early warning and discloses a network security early warning system that adopts an adaptive mimicry technology. The system comprises a network security scanning module, a central control module, a network information extraction module, an information analysis module, a security knowledge graph construction module, a security threshold setting module, a security prediction module and an alarm module. Through the security knowledge graph construction module, missing relationships are inferred automatically and the network security knowledge graph is generated without manual participation, with high accuracy and high speed, so that the construction efficiency of the network security knowledge graph is improved. Through the security prediction module, the change trend of the overall network security state over a future period can be predicted from the security protection state data of a group of network security devices, which overcomes the defect that the current network security situation awareness field produces no specific prediction of the future trend of the overall security state of the network.

Description

Network security early warning system of self-adaptation mimicry technique
Technical Field
The invention belongs to the technical field of network security early warning, and particularly relates to a network security early warning system adopting a self-adaptive mimicry technology.
Background
Network security (cyber security) means that the hardware, software and data in a network system are protected against damage, alteration and leakage from accidental or malicious causes, that the system operates continuously, reliably and normally, and that network service is not interrupted. Network security generally refers to the security of computer networks, but may also refer to the security of computer communication networks. A computer communication network is a system that interconnects several computers with independent functions through communication equipment and transmission media and, supported by communication software, transmits and exchanges information among them. A computer network is a system that connects several geographically dispersed, independent computer systems, terminals and data devices by communication means for the purpose of sharing resources, and that exchanges data under the control of a protocol. The fundamental purpose of a computer network is resource sharing, and the communication network is the means by which that sharing is implemented; therefore, for a computer network to be secure, the corresponding computer communication network must also be secure, and information exchange and resource sharing must be implemented for network users. However, the network security knowledge graph construction method adopted by existing network security early warning systems based on adaptive mimicry technology has low accuracy, which reduces the construction efficiency of the network security knowledge graph; moreover, the prior art cannot predict the security state of the whole network in a future period, that is, it is deficient in predicting the future trend of the security situation of the whole network.
Through the above analysis, the problems and defects of the prior art are as follows:
(1) The network security knowledge graph construction method adopted by existing network security early warning systems based on adaptive mimicry technology has low accuracy, which reduces the construction efficiency of the network security knowledge graph.
(2) The prior art cannot predict the security state of the whole network in a future period, that is, it is deficient in predicting the future trend of the security situation of the whole network.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a network security early warning system adopting a self-adaptive mimicry technology.
The invention is realized as follows. A network security early warning system of the adaptive mimicry technology includes:
a network security scanning module, a central control module, a network information extraction module, an information analysis module, a security knowledge graph construction module, a security threshold setting module, a security prediction module and an alarm module;
the network security scanning module is connected with the central control module and is used for scanning for security information such as network attacks, vulnerabilities and intrusions;
the central control module is connected with the network security scanning module, the network information extraction module, the information analysis module, the security knowledge graph construction module, the security threshold setting module, the security prediction module and the alarm module, and is used for controlling each module so that it works normally;
the network information extraction module is connected with the central control module and is used for extracting network security information data;
the information analysis module is connected with the central control module and is used for analyzing the network security information through an analysis program;
the security knowledge graph construction module is connected with the central control module and is used for constructing the network security knowledge graph;
the security threshold setting module is connected with the central control module and is used for setting the network security threshold;
the security prediction module is connected with the central control module and is used for predicting the network security situation;
and the alarm module is connected with the central control module and is used for issuing alarm notifications about network security through the alarm, according to the network security analysis result, the network security knowledge graph and the prediction result.
Further, the construction method of the security knowledge graph construction module comprises the following steps:
(1) Counting network security events, and acquiring, according to the network security events, the network original relationship data used to construct the network security knowledge graph;
(2) Constructing a network original relationship graph according to the network original relationship data, and performing relationship inference on the network original relationship graph through a pre-constructed relationship inference model to obtain a missing relationship set;
(3) Optimizing the network original relationship graph according to the missing relationship set to obtain the network security knowledge graph.
Further, acquiring the network original relationship data used to construct the network security knowledge graph includes:
acquiring the network security event data used to construct the network security knowledge graph;
and extracting the entity relationships of the network security event data to obtain the network original relationship data.
Further, performing relationship inference on the network original relationship graph through a pre-constructed relationship inference model to obtain a missing relationship set includes:
determining, according to the network original relationship graph, a target node pair for which a new relationship is to be predicted, and the relationship path of the target node pair;
determining the path vector set of the target node pair according to the network original relationship graph and the relationship path;
performing relationship inference on the path vector set through the pre-constructed relationship inference model to obtain at least one predicted relationship of the target node pair;
and determining the missing relationship set of the target node pair according to the at least one predicted relationship.
Further, determining the path vector set of the target node pair according to the network original relationship graph and the relationship path includes:
calculating the out-degree of each node in the relationship path according to the network original relationship graph; determining the initial weight of each node in the relationship path according to its out-degree; determining at least one sub-path from the relationship path, and calculating the path vector corresponding to each sub-path according to a preset attack relationship weight coefficient and the initial weights;
and generating the path vector set of the target node pair from the path vectors corresponding to the sub-paths.
Further, determining the missing relationship set of the target node pair according to the at least one predicted relationship comprises:
acquiring the output vector of the last model unit of the relationship inference model when the model predicts on the path vector set;
adding each predicted relationship to the relationship path to obtain a new relationship path corresponding to each predicted relationship;
vectorizing the new relationship path corresponding to each predicted relationship to obtain a predicted path vector corresponding to each predicted relationship;
calculating the vector similarity between the output vector and the predicted path vector corresponding to each predicted relationship to obtain the target similarity corresponding to each predicted relationship;
and filtering the at least one predicted relationship according to a preset similarity threshold and the target similarities to obtain the missing relationship set.
Optimizing the network original relationship graph according to the missing relationship set to obtain the network security knowledge graph then includes:
determining, from the missing relationship set, the predicted relationship with the maximum target similarity and taking it as the target predicted relationship of the target node pair; and optimizing the network original relationship graph according to the target predicted relationship of the target node pair to obtain the network security knowledge graph.
Alternatively, optimizing the network original relationship graph according to the missing relationship set to obtain the network security knowledge graph includes:
outputting the missing relationship set and the target node pair; acquiring a selection instruction aimed at a target predicted relationship in the missing relationship set; determining the target predicted relationship of the target node pair from the missing relationship set according to the selection instruction;
and optimizing the network original relationship graph according to the target predicted relationship of the target node pair to obtain the network security knowledge graph.
Further, the prediction method of the security prediction module comprises the following steps:
1) Constructing a network security database; acquiring the security protection state data of N network security devices in the target network within a target time period as input data; and detecting anomalies in the target network;
2) Inputting the input data into a hidden Markov model pre-trained to convergence to obtain the security situation prediction data of the target network, and storing the acquired security protection state data and the security situation prediction data in the network security database; the hidden Markov model takes the security situation of the target network as its hidden state and the security protection states of the N network security devices in the target network as its observation states, N being a positive integer.
The method for detecting anomalies in the target network comprises the following steps:
step 1, extracting multi-source features from multi-source data;
step 2, fusing the multi-source features extracted in step 1 to form device node features;
step 3, optimizing the device node features generated in step 2, and describing the topology of the target network with a graph model, in which the devices in the target network are modeled as nodes of the graph and the connection relationships between devices are modeled as edges of the graph;
step 4, on the basis of step 3 and according to the graph structure defined there, using a spectral clustering algorithm to aggregate similar points on the graph into K clusters; the spectral clustering algorithm comprises the following steps:
4.1, calculating the Laplacian matrix of the graph;
4.2, calculating the generalized eigenvalue decomposition to obtain all eigenvalues and the corresponding eigenvectors;
4.3, sorting all eigenvalues from small to large and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix V;
[eigenvector matrix formula given as an image in the original document]
step 4.4, regarding the row vectors of V as nodes, applying a K-means clustering algorithm to the n nodes to cluster them into K classes; the spectral clustering algorithm thereby defines a mapping from the node set of the graph to the clusters. Meanwhile, according to the spectral clustering result, each cluster is regarded as a node and a new graph is generated; two nodes of the new graph are joined by an edge if the original graph contains two points, one in each of the two corresponding clusters, that are joined by an edge. The adjacency matrix of the generated new graph is formally defined as follows:
[adjacency matrix formula given as an image in the original document]
where V_i denotes the i-th cluster of the original graph;
step 5, regarding each cluster generated in step 4 as a point, so that the graph is mapped to a sub-graph of smaller scale, in which each point corresponds to an original cluster and an edge indicates that the two original clusters are adjacent; meanwhile, mapping the feature vectors of all nodes in a cluster to one feature vector that serves as the feature of the corresponding node of the sub-graph;
step 6, optimizing the node features of the sub-graph generated in step 5 by applying the graph convolution module again to the sub-graph and its node features;
step 7, fusing the node features optimized in step 6 to generate the semantic features of the whole graph: the average of the feature vectors of all nodes output by step 6 is taken as the semantic feature of the whole graph;
step 8, further optimizing the feature vector obtained in step 7 to generate a better feature vector in a low-dimensional feature space; two fully connected layers are used for feature optimization, and the formula of a fully connected layer is X_{l+1} = F(W X_l), where X_l denotes the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that introduces nonlinearity;
step 9, predicting whether the target network is anomalous according to the optimized feature vector obtained in step 8.
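Steps 4.1 to 5 of the anomaly detector above, carried through on a constructed device graph as an added example (not code from the patent). It builds the Laplacian, finds a two-cluster spectral partition from the Fiedler vector (for K = 2, clustering the rows of V reduces to a sign split, which stands in for the k-means step), builds the coarsened adjacency matrix as the text defines it, and mean-pools node features into one feature per cluster; the topology, the features, the use of the unnormalised Laplacian and the dropping of self-loops are assumptions.

```python
"""Graph coarsening for the anomaly detector (added example, not from the patent).

Steps 4.1 to 5 on a constructed device graph: Laplacian L = D - A, a
2-cluster spectral partition via the Fiedler vector (power iteration),
the coarsened adjacency (two clusters are joined iff some original edge
joins them) and mean pooling of node features per cluster.
"""

# Constructed topology: two triangles {0,1,2} and {3,4,5} joined by edge 2-3
EDGES = [(0, 1), (1, 2), (0, 2), (3, 4), (4, 5), (3, 5), (2, 3)]
# Constructed per-device features, e.g. [alerts per period, link utilisation]
FEATURES = [[1.0, 0.0], [3.0, 0.0], [2.0, 1.0], [10.0, 1.0], [12.0, 1.0], [14.0, 0.0]]


def adjacency(n, edges):
    adj = [[0] * n for _ in range(n)]
    for i, j in edges:
        adj[i][j] = adj[j][i] = 1
    return adj


def laplacian(adj):
    """Step 4.1: L = D - A for an undirected, unweighted graph."""
    n = len(adj)
    return [[sum(adj[i]) if i == j else -adj[i][j] for j in range(n)] for i in range(n)]


def fiedler_vector(L, iters=500):
    """Eigenvector of L for its smallest non-zero eigenvalue (steps 4.2/4.3 for
    k = 2): power iteration on c*I - L with the constant (null) vector projected
    out each round. Assumes a connected graph, so that null vector is unique."""
    n = len(L)
    c = 2 * max(L[i][i] for i in range(n)) + 1            # c*I - L is positive definite
    v = [((i * 7919) % 13) / 13.0 - 0.5 for i in range(n)]  # deterministic start
    for _ in range(iters):
        mean = sum(v) / n
        v = [x - mean for x in v]                          # stay orthogonal to the ones vector
        w = [c * v[i] - sum(L[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = sum(x * x for x in w) ** 0.5
        v = [x / norm for x in w]
    return v


def spectral_clusters(adj):
    """Step 4.4 for K = 2: split the nodes on the sign of the Fiedler vector."""
    return [0 if x < 0 else 1 for x in fiedler_vector(laplacian(adj))]


def coarsen(adj, clusters, k):
    """New-graph adjacency: clusters a != b are adjacent iff an original edge
    joins a node of a to a node of b (self-loops dropped, an assumption)."""
    new = [[0] * k for _ in range(k)]
    for i in range(len(adj)):
        for j in range(len(adj)):
            a, b = clusters[i], clusters[j]
            if adj[i][j] and a != b:
                new[a][b] = 1
    return new


def pool_features(features, clusters, k):
    """Step 5: one feature vector per cluster, here the mean over its nodes."""
    dim = len(features[0])
    sums, sizes = [[0.0] * dim for _ in range(k)], [0] * k
    for f, c in zip(features, clusters):
        sizes[c] += 1
        for d in range(dim):
            sums[c][d] += f[d]
    return [[s / max(sizes[c], 1) for s in sums[c]] for c in range(k)]


def coarsen_device_graph(edges=EDGES, features=FEATURES, k=2):
    """Run steps 4.1 to 5; returns (clusters, new adjacency, pooled features)."""
    adj = adjacency(len(features), edges)
    clusters = spectral_clusters(adj)
    return clusters, coarsen(adj, clusters, k), pool_features(features, clusters, k)


if __name__ == "__main__":
    clusters, new_adj, pooled = coarsen_device_graph()
    print("clusters:", clusters)           # the two triangles land in different clusters
    print("coarsened adjacency:", new_adj)
    print("pooled features:", pooled)
```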
Further, before acquiring the security protection state data of the N network security devices in the target network within the target time period, the method further comprises the following steps:
within a first preset time length, regularly acquiring the security situation data of the target network and the security protection state data of the N network security devices in the target network according to a first acquisition period, to obtain a first set formed by the security situation data of the target network and a second set formed by the security protection state data of the N network security devices within the first preset time length;
calculating an initial state probability matrix, a state transition probability matrix and an observation state transition probability matrix according to the first set and the second set;
establishing a hidden Markov model according to the initial state probability matrix, the state transition probability matrix and the observation state transition probability matrix;
within a second preset time length, regularly acquiring the security situation data of the target network and the security protection state data of the N network security devices in the target network according to a second acquisition period to obtain training samples; the first and second preset time lengths may be equal or unequal, and the first and second acquisition periods may be the same or different;
training the hidden Markov model with the training samples and judging whether the hidden Markov model meets a preset convergence condition;
if the hidden Markov model does not meet the preset convergence condition, returning to the step of regularly acquiring the security protection state data of the N network security devices within a second preset time length according to the second acquisition period;
and if the hidden Markov model meets the preset convergence condition, obtaining the converged hidden Markov model.
Further, regularly acquiring the security protection state data of the N network security devices in the target network according to the first or second acquisition period includes:
counting the threat detection amount of each network security device in each acquisition period;
when each acquisition period expires, calculating the mean of the threat detection amounts of the N network security devices in the period that has just expired and taking the mean as the state baseline of the network security devices for that period;
determining the security protection state of each network security device in each acquisition period according to a preset protection state classification rule, where the protection state classification rule is related to the state baseline.
Further, the protection state classification rule includes:
classifying the security protection state of a network security device whose threat detection amount is smaller than a first threat detection amount as a first security state; classifying the security protection state of a network security device whose threat detection amount is greater than or equal to the first threat detection amount and smaller than or equal to a second threat detection amount as a second security state; and classifying the security protection state of a network security device whose threat detection amount is greater than the second threat detection amount as a third security state;
where the first threat detection amount equals the state baseline lowered by a first preset percentage, the second threat detection amount equals the state baseline raised by a second preset percentage, and the first and second percentages may be equal or unequal.
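The training and classification steps above, carried through on constructed data as an added example (not code from the patent): per-period threat-detection amounts are turned into the three security states against the per-period mean baseline, the initial, transition and observation matrices are estimated by counting over a labelled history, and the forward algorithm estimates the current situation and projects it ahead. The situation labels, device counts, the 30% percentages, the use of situation frequencies as the initial distribution, and the per-device conditionally independent observation model are all assumptions.

```python
"""Security-situation prediction with a hidden Markov model (added example,
not from the patent): threat-detection amounts -> state baseline -> three
security states -> pi/A/B estimated by counting -> forward algorithm.
"""
from math import prod

LOW, NORMAL, HIGH = 0, 1, 2                    # first/second/third security state
SITUATIONS = ("safe", "warning", "critical")  # hidden states (assumed labels)

# Constructed history of N = 3 devices: (situation label, threat-detection amounts)
HISTORY = [
    (0, [10, 10, 10]), (0, [4, 12, 12]), (0, [10, 11, 9]), (0, [12, 4, 12]),
    (1, [10, 10, 20]),
    (2, [40, 40, 5]), (2, [50, 5, 5]), (2, [5, 40, 40]),
    (1, [10, 20, 10]),
    (0, [10, 10, 10]), (0, [9, 10, 11]), (0, [4, 12, 12]),
]


def classify_period(counts, down_pct=0.3, up_pct=0.3):
    """Protection state classification rule for one acquisition period:
    baseline = mean threat-detection amount of the N devices; first threshold
    = baseline lowered by down_pct, second = baseline raised by up_pct."""
    baseline = sum(counts) / len(counts)
    first, second = baseline * (1 - down_pct), baseline * (1 + up_pct)
    return [LOW if c < first else (NORMAL if c <= second else HIGH) for c in counts]


def estimate_hmm(history, smoothing=1.0):
    """Estimate (pi, A, B) by counting over the labelled history.
    pi: situation frequencies, used as the initial distribution (a choice);
    A[i][j]: P(next situation j | situation i);
    B[i][s]: P(one device reports state s | situation i); devices are treated
    as conditionally independent given the situation (an assumption).
    Add-one smoothing keeps unseen events from zeroing the forward pass."""
    n = len(SITUATIONS)
    pi = [smoothing] * n
    A = [[smoothing] * n for _ in range(n)]
    B = [[smoothing] * 3 for _ in range(n)]
    prev = None
    for sit, counts in history:
        pi[sit] += 1
        if prev is not None:
            A[prev][sit] += 1
        for s in classify_period(counts):
            B[sit][s] += 1
        prev = sit

    def norm(row):
        total = sum(row)
        return [x / total for x in row]

    return norm(pi), [norm(r) for r in A], [norm(r) for r in B]


def forward(model, periods):
    """Filtered distribution over the situation after the last observed period."""
    pi, A, B = model
    n = len(pi)
    alpha = list(pi)
    for t, counts in enumerate(periods):
        states = classify_period(counts)
        if t > 0:
            alpha = [sum(alpha[j] * A[j][i] for j in range(n)) for i in range(n)]
        alpha = [alpha[i] * prod(B[i][s] for s in states) for i in range(n)]
        total = sum(alpha)
        alpha = [a / total for a in alpha]   # rescale each step to avoid underflow
    return alpha


def forecast(model, recent_periods, horizon=1):
    """Project the situation distribution `horizon` periods ahead by applying
    the transition matrix to the filtered distribution."""
    _, A, _ = model
    n = len(A)
    dist = forward(model, recent_periods)
    for _ in range(horizon):
        dist = [sum(dist[j] * A[j][i] for j in range(n)) for i in range(n)]
    return dist


def most_likely(dist):
    return SITUATIONS[max(range(len(dist)), key=dist.__getitem__)]


if __name__ == "__main__":
    model = estimate_hmm(HISTORY)
    recent = [[40, 40, 5], [50, 5, 5]]      # two periods of skewed detections
    print("states:", [classify_period(p) for p in recent])
    print("now:", most_likely(forward(model, recent)))
    print("next period:", most_likely(forecast(model, recent)))
```

Because the baseline is the mean over the N devices in the same period, at least one device is always at or below it, so a period in which every device is in the third state cannot occur under this rule.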
In combination with the technical solution above and the technical problems it solves, the advantages and positive effects of the technical solution to be protected by the invention are analyzed from the following aspects:
First, with regard to the technical problems in the prior art and the difficulty of solving them, the technical problems solved by the technical solution of the invention are closely combined with the solution to be protected and with the results and data obtained during research and development, and the creative technical effects obtained after solving the problems are analyzed in detail and in depth. The specific description is as follows:
According to the invention, missing relationships are inferred automatically through the security knowledge graph construction module to generate the network security knowledge graph, without manual participation, with high accuracy and high speed, which further improves the construction efficiency of the network security knowledge graph; meanwhile, the security prediction module uses a hidden Markov model to model, by time-series analysis, the daily threat detection amount of each network security device and the security situation data of the target network, establishes the relationship between the daily threat detection amounts of the network security devices in the target network and the security of the network situation, and finally predicts the change trend of the overall network security state over a future period from the security protection state data of a group of network security devices; this overcomes the defect that the current network security situation awareness field makes no specific prediction of the future trend of the overall network security state.
Secondly, considering the technical solution as a whole or from the product perspective, the technical effects and advantages of the technical solution to be protected by the invention are as follows:
From the product perspective, the invention likewise infers missing relationships automatically through the security knowledge graph construction module and generates the network security knowledge graph without manual participation, with high accuracy and high speed, further improving the construction efficiency of the network security knowledge graph; the security prediction module uses a hidden Markov model to model, by time-series analysis, data such as the daily threat detection amount of each network security device and the security situation of the target network, establishes the relationship between the daily threat detection amounts of the network security devices in the target network and the security of the network situation, and finally predicts the change trend of the overall network security state over a future period from the security protection state data of a group of network security devices; this overcomes the defect that the current network security situation awareness field makes no specific prediction of the future trend of the overall network security state.
Drawings
Fig. 1 is a block diagram of a network security early warning system of an adaptive mimicry technology according to an embodiment of the present invention.
Fig. 2 is a flow chart of the construction method of the security knowledge graph construction module according to an embodiment of the present invention.
Fig. 3 is a flowchart of a security prediction module prediction method according to an embodiment of the present invention.
In FIG. 1: 1. a network security scanning module; 2. a central control module; 3. a network information extraction module; 4. an information analysis module; 5. a safety knowledge graph construction module; 6. a safety threshold setting module; 7. a security prediction module; 8. and an alarm module.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail with reference to the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
1. Description of the embodiments. This section is an explanatory embodiment that expands on the claims so that those skilled in the art can fully understand how the present invention is embodied.
As shown in Fig. 1, the network security early warning system of the adaptive mimicry technology provided in the embodiment of the present invention includes: a network security scanning module 1, a central control module 2, a network information extraction module 3, an information analysis module 4, a security knowledge graph construction module 5, a security threshold setting module 6, a security prediction module 7 and an alarm module 8.
The network security scanning module 1 is connected with the central control module 2 and is used for scanning for security information such as network attacks, vulnerabilities and intrusions;
the central control module 2 is connected with the network security scanning module 1, the network information extraction module 3, the information analysis module 4, the security knowledge graph construction module 5, the security threshold setting module 6, the security prediction module 7 and the alarm module 8, and is used for controlling each module so that it works normally;
the network information extraction module 3 is connected with the central control module 2 and is used for extracting network security information data;
the information analysis module 4 is connected with the central control module 2 and is used for analyzing the network security information through an analysis program;
the security knowledge graph construction module 5 is connected with the central control module 2 and is used for constructing the network security knowledge graph;
the security threshold setting module 6 is connected with the central control module 2 and is used for setting the network security threshold;
the security prediction module 7 is connected with the central control module 2 and is used for predicting the network security situation;
and the alarm module 8 is connected with the central control module 2 and is used for issuing alarm notifications about network security through an alarm, according to the network security analysis result, the network security knowledge graph and the prediction result.
As shown in fig. 2, the construction method of the security knowledge graph construction module 5 provided by the present invention is as follows:
s101, counting network security events; acquiring network original relation data for constructing the network security knowledge graph according to a network security event;
s102, constructing a network original relationship map according to the network original relationship data; carrying out relationship inference processing on the network original relationship map through a pre-constructed relationship inference model to obtain a missing relationship set;
s103, optimizing the network original relation map according to the missing relation set to obtain the network security knowledge map.
The invention provides a method for acquiring network original relation data for constructing a network security knowledge graph, which comprises the following steps:
acquiring network security event data for constructing the network security knowledge graph;
and extracting and processing the entity relationship of the network security event data to obtain network original relationship data.
The invention provides a method for carrying out relationship inference processing on a network original relationship map through a pre-constructed relationship inference model to obtain a missing relationship set, which comprises the following steps:
determining a target node pair needing to predict a new relationship and a relationship path of the target node pair according to the network original relationship map;
determining a path vector set of the target node pair according to the network original relation atlas and the relation path;
carrying out relational reasoning processing on the path vector set through a pre-constructed relational reasoning model to obtain at least one predicted relation of the target node pair;
and determining the missing relationship set of the target node pair according to the at least one predicted relationship.
The method provided by the invention for determining the path vector set of the target node pair from the network original relationship graph and the relationship path comprises the following steps:
calculating the out-degree of each node in the relationship path from the network original relationship graph; determining the initial weight of each node in the relationship path from its out-degree; determining at least one sub-path from the relationship path, and calculating a path vector for each sub-path from a preset attack relationship weight coefficient and the initial weights;
and generating the path vector set of the target node pair from the path vectors of the sub-paths.
The invention provides a method for determining a missing relationship set of a target node pair according to at least one predicted relationship, which comprises the following steps:
acquiring an output vector of the last model unit of the relational inference model when the relational inference model predicts the path vector set;
adding each prediction relation into the relation path respectively to obtain a new relation path corresponding to each prediction relation;
vectorizing the new relation path corresponding to each prediction relation to obtain a prediction path vector corresponding to each prediction relation;
respectively calculating vector similarity between the output vector and a prediction path vector corresponding to each prediction relation to obtain target similarity corresponding to each prediction relation;
filtering the at least one prediction relation according to a preset similarity threshold and the target similarity to obtain a missing relation set;
In one embodiment, optimizing the network original relationship graph according to the missing relationship set to obtain the network security knowledge graph includes:
determining the prediction relation with the maximum target similarity in the missing relation set and taking it as the target prediction relation of the target node pair; optimizing the network original relationship graph according to the target prediction relation of the target node pair to obtain the network security knowledge graph;
In another embodiment, optimizing the network original relationship graph according to the missing relationship set to obtain the network security knowledge graph includes:
outputting the missing relationship set and the target node pair; obtaining a selection instruction aimed at a target prediction relation in the missing relation set; determining the target prediction relation of the target node pair from the missing relationship set according to the selection instruction;
and optimizing the network original relationship graph according to the target prediction relation of the target node pair to obtain the network security knowledge graph.
As shown in fig. 3, the prediction method of the security prediction module 7 provided by the present invention is as follows:
S201, constructing a network security database; acquiring the security protection state data of N network security devices in a target network over a target time period as input data; and detecting anomalies in the target network;
S202, inputting the input data into a hidden Markov model trained in advance until convergence, to obtain security situation prediction data for the target network; storing the acquired security protection state data and the security situation prediction data in the network security database; the hidden Markov model takes the security situation of the target network as its hidden state and the security protection states of the N network security devices in the target network as its observed states, N being a positive integer;
The method for detecting anomalies in the target network comprises the following steps:
step 1, extracting multi-source features from multi-source data;
step 2, fusing the multi-source characteristics extracted in the step 1 to form equipment node characteristics;
step 3, optimizing the node characteristics of the equipment generated in the step 2, and describing the topology of the target network by using a graph model, wherein the equipment in the target network is modeled as nodes in the graph, and the connection relation between the equipment is modeled as edges in the graph;
step 4, on the basis of the step 3, according to the graph structure defined in the step 3, similar points on the graph are aggregated by using a spectral clustering algorithm to generate K clusters; wherein: the spectral clustering algorithm comprises the following steps:
4.1, calculating a Laplace matrix of the graph;
4.2, calculating generalized eigenvalue decomposition to obtain all eigenvalues and corresponding eigenvectors;
4.3, sorting all eigenvalues from small to large, and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix V:
[equation image in the original: the eigenvector matrix V]
Step 4.4, regarding the row vectors of V as nodes, applying the K-means clustering algorithm to the n nodes and clustering them into K classes; the spectral clustering algorithm thus defines a mapping from the node set of the graph to the clusters. According to the spectral clustering result, each cluster is then regarded as a node and a new graph is generated, in which an edge between two nodes is defined as follows: if the original graph contains two points belonging to the two corresponding clusters and an edge exists between these two points, then an edge exists between the two nodes in the new graph. The adjacency matrix of the generated new graph is formally defined as follows:
[equation image in the original: adjacency matrix of the new graph]
where V_i represents the i-th cluster of the original graph;
step 5, regarding each cluster generated in the step 4 as a point, so that the graph is mapped into a sub-graph with smaller scale, wherein the nodes in the sub-graph correspond to the original clusters, and the edges in the sub-graph indicate that the original two clusters are adjacent; meanwhile, mapping the feature vectors of all nodes in one cluster into one feature vector as the feature of the corresponding node in the subgraph;
step 6, optimizing the node characteristics in the subgraph by using the subgraph generated in the step 5 and the node characteristics of the subgraph and by using the graph convolution module again;
step 7, fusing the node features optimized in step 6 to generate the semantic features of the whole graph: the average of the feature vectors of all nodes output in step 6 is taken as the semantic feature of the whole graph;
step 8, further optimizing the feature vector obtained in step 7 to generate a better feature vector in a low-dimensional feature space; two fully connected layers are used for this feature optimization, and the formula of a fully connected layer is X_{l+1} = F(W X_l), where X_l is the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that introduces nonlinearity;
step 9, predicting whether the target network is anomalous from the optimized feature vector obtained in step 8.
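Steps 4.1 to 4.4, 5 and 7 above (the same steps are recited in claim 7), as an added worked example that is not part of the patent: it assumes K = 2 clusters, a constructed six-device topology with constructed node features, obtains the second Laplacian eigenvector by power iteration rather than a full eigen-decomposition (for K = 2 the K-means of step 4.4 reduces to a sign split), and drops self-loops in the coarsened graph, which the patent leaves open.

```python
import math

# Constructed sample topology (not from the patent): six devices, nodes 0-2 fully
# meshed, nodes 3-5 fully meshed, and one link 2-3 joining the two groups.
EDGES = [(0, 1), (0, 2), (1, 2), (2, 3), (3, 4), (3, 5), (4, 5)]
# Constructed per-device node features (the output of step 2), two values per device.
FEATURES = [[1.0, 0.0], [1.0, 0.2], [0.8, 0.0], [0.0, 1.0], [0.2, 1.0], [0.0, 0.8]]


def adjacency(n, edges):
    """Symmetric 0/1 adjacency matrix of the undirected device graph (step 3)."""
    a = [[0] * n for _ in range(n)]
    for u, v in edges:
        a[u][v] = a[v][u] = 1
    return a


def laplacian(a):
    """Unnormalised graph Laplacian L = D - A (step 4.1)."""
    n = len(a)
    return [[(sum(a[i]) if i == j else 0) - a[i][j] for j in range(n)] for i in range(n)]


def fiedler_vector(lap, iterations=200):
    """Eigenvector of the second-smallest Laplacian eigenvalue, by power iteration
    on (c*I - L) with the constant eigenvector projected out each step. This stands
    in for steps 4.2-4.3 when only the first two eigenvectors are needed (k = 2)."""
    n = len(lap)
    c = 2 * max(lap[i][i] for i in range(n))   # c >= largest Laplacian eigenvalue
    v = [i - (n - 1) / 2 for i in range(n)]    # deterministic, non-constant start
    for _ in range(iterations):
        w = [c * v[i] - sum(lap[i][j] * v[j] for j in range(n)) for i in range(n)]
        mean = sum(w) / n
        w = [x - mean for x in w]              # remove the constant-vector component
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return v


def spectral_bipartition(a):
    """Step 4 with K = 2: the rows of V are (constant, fiedler_i), so K-means on
    them is equivalent to splitting the nodes by the sign of the Fiedler component."""
    v = fiedler_vector(laplacian(a))
    if v[0] < 0:                               # the eigenvector sign is arbitrary;
        v = [-x for x in v]                    # fix it so node 0 lands in cluster 0
    return [0 if x >= 0 else 1 for x in v]


def coarsen(a, labels, k):
    """Adjacency of the new graph (step 4.4): clusters i and j are joined when some
    node of cluster i has an edge to some node of cluster j. Edges inside one
    cluster are not turned into self-loops here (assumption)."""
    coarse = [[0] * k for _ in range(k)]
    for u in range(len(a)):
        for w in range(len(a)):
            if a[u][w] and labels[u] != labels[w]:
                coarse[labels[u]][labels[w]] = 1
    return coarse


def pool_features(features, labels, k):
    """Step 5: one feature vector per cluster, the mean of its member nodes' vectors."""
    dim = len(features[0])
    sums, counts = [[0.0] * dim for _ in range(k)], [0] * k
    for f, lab in zip(features, labels):
        counts[lab] += 1
        for d in range(dim):
            sums[lab][d] += f[d]
    return [[s / counts[i] for s in sums[i]] for i in range(k)]


def graph_feature(node_features):
    """Step 7: semantic feature of the whole graph = mean of the node vectors."""
    dim = len(node_features[0])
    return [sum(f[d] for f in node_features) / len(node_features) for d in range(dim)]


def run_demo():
    """Cluster the sample topology, coarsen it and pool the device features."""
    a = adjacency(len(FEATURES), EDGES)
    labels = spectral_bipartition(a)
    return labels, coarsen(a, labels, 2), pool_features(FEATURES, labels, 2)


if __name__ == "__main__":
    labels, coarse, pooled = run_demo()
    print("clusters:", labels)
    print("coarsened adjacency:", coarse)
    print("pooled features:", pooled, "graph feature:", graph_feature(pooled))
```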
Before acquiring the security protection state data of the N network security devices in the target network over the target time period, the method further includes the following steps:
within a first preset duration, periodically acquiring, according to a first acquisition cycle, the security situation data of the target network and the security protection state data of the N network security devices in the target network, to obtain a first set consisting of the security situation data of the target network and a second set consisting of the security protection state data of the N network security devices over the first preset duration;
calculating an initial state probability matrix, a state transition probability matrix and an observation state transition probability matrix from the first set and the second set;
establishing a hidden Markov model from the initial state probability matrix, the state transition probability matrix and the observation state transition probability matrix;
within a second preset duration, periodically acquiring, according to a second acquisition cycle, the security situation data of the target network and the security protection state data of the N network security devices in the target network, to obtain a training sample; the first and second preset durations may be equal or unequal, and the first and second acquisition cycles may be the same or different;
training the hidden Markov model with the training sample, and judging whether the hidden Markov model meets a preset convergence condition;
if the hidden Markov model does not meet the preset convergence condition, returning to the step of periodically acquiring the security protection state data of the N network security devices within the second preset duration according to the second acquisition cycle;
and if the hidden Markov model meets the preset convergence condition, obtaining the converged hidden Markov model.
The method provided by the invention for periodically acquiring the security protection state data of the N network security devices in the target network according to the first or second acquisition cycle comprises the following steps:
counting the threat detection amount of each network security device in each acquisition period;
when each acquisition period expires, calculating the mean of the threat detection amounts of the N network security devices in the period that has just expired, and taking this mean as the state baseline of the network security devices for that period;
determining the security protection state of each network security device in each acquisition period according to a preset protection state classification rule, where the protection state classification rule is defined relative to the state baseline.
The protection state classification rule provided by the invention is as follows:
a network security device whose threat detection amount is smaller than a first threat detection amount is classified into a first security state; a device whose threat detection amount is greater than or equal to the first threat detection amount and less than or equal to a second threat detection amount is classified into a second security state; and a device whose threat detection amount is greater than the second threat detection amount is classified into a third security state;
where the first threat detection amount equals the state baseline lowered by a first preset percentage, the second threat detection amount equals the state baseline raised by a second preset percentage, and the first and second percentages may be equal or unequal.
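The baseline classification rule above together with the hidden Markov model of the prediction module (the same material is recited in claims 7 to 10), as an added example that is not the patent's own code: it assumes N = 2 devices, constructed per-period threat detection counts and situation labels, preset percentages of 30 %, add-one smoothing when the three matrices are estimated by counting, and the forward algorithm for the one-period-ahead prediction; none of these choices come from the patent.

```python
from itertools import product

# Protection states of the classification rule: below, around and above the baseline.
FIRST, SECOND, THIRD = 1, 2, 3


def classify_period(counts, down_pct, up_pct):
    """Classify each device's threat detection count for one acquisition period.
    The state baseline is the mean over the N devices; the first/second threat
    detection amounts are the baseline lowered by down_pct and raised by up_pct.
    Returns one protection state per device, which is one HMM observation symbol."""
    baseline = sum(counts) / len(counts)
    low, high = baseline * (1 - down_pct), baseline * (1 + up_pct)
    # Caveat: the baseline is relative to the same period's devices, so a
    # simultaneous rise on every device leaves all of them in the SECOND state.
    return tuple(FIRST if c < low else SECOND if c <= high else THIRD for c in counts)


def estimate_hmm(situations, observations):
    """Initial, transition and emission (observation) matrices from the first set
    (situation label per period) and the second set (observation per period),
    estimated by frequency counting with add-one smoothing (assumption)."""
    S = list(dict.fromkeys(situations))                       # hidden states
    symbols = list(product((FIRST, SECOND, THIRD), repeat=len(observations[0])))
    pi = {s: 1.0 for s in S}
    A = {s: {t: 1.0 for t in S} for s in S}
    B = {s: {o: 1.0 for o in symbols} for s in S}
    for s, o in zip(situations, observations):
        pi[s] += 1
        B[s][o] += 1
    for prev, cur in zip(situations, situations[1:]):
        A[prev][cur] += 1
    norm = lambda d: {k: v / sum(d.values()) for k, v in d.items()}
    return norm(pi), {s: norm(A[s]) for s in S}, {s: norm(B[s]) for s in S}


def predict_next_situation(pi, A, B, observations):
    """Forward algorithm over the observed device-state sequence (hidden state =
    network security situation), then one transition step ahead. Returns the most
    likely situation of the next period and the full distribution."""
    S = list(pi)
    alpha = {s: pi[s] * B[s][observations[0]] for s in S}
    for o in observations[1:]:
        alpha = {t: sum(alpha[s] * A[s][t] for s in S) * B[t][o] for t in S}
    total = sum(alpha.values())
    posterior = {s: v / total for s, v in alpha.items()}
    nxt = {t: sum(posterior[s] * A[s][t] for s in S) for t in S}
    return max(nxt, key=nxt.get), nxt


# Constructed training data for the first preset duration (N = 2 devices): the
# per-period threat detection counts and the labelled network security situation.
TRAIN_COUNTS = [[100, 110], [95, 105], [100, 100], [120, 300], [130, 350], [110, 400],
                [98, 102], [100, 95], [90, 110], [105, 390], [115, 380], [125, 360]]
TRAIN_SITUATIONS = ["normal"] * 3 + ["risk"] * 3 + ["normal"] * 3 + ["risk"] * 3
DOWN_PCT = UP_PCT = 0.3   # first and second preset percentages (constructed values)


def train_model():
    """Classify every training period and estimate the HMM from the labelled sets."""
    obs = [classify_period(c, DOWN_PCT, UP_PCT) for c in TRAIN_COUNTS]
    return estimate_hmm(TRAIN_SITUATIONS, obs)


def forecast(recent_counts):
    """Classify the most recent periods and forecast the next period's situation."""
    pi, A, B = train_model()
    obs = [classify_period(c, DOWN_PCT, UP_PCT) for c in recent_counts]
    return predict_next_situation(pi, A, B, obs)


if __name__ == "__main__":
    print(forecast([[100, 100], [110, 380]]))   # one device far above the baseline
    print(forecast([[100, 100], [98, 102]]))    # both devices around the baseline
```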
2. Application examples. In order to prove the creativity and the technical value of the technical scheme of the invention, the part is the application example of the technical scheme of the claims on specific products or related technologies.
When the invention operates, the network security scanning module 1 first scans for security information such as network attacks, vulnerabilities and intrusions; next, the central control module 2 extracts network security information data through the network information extraction module 3; the information analysis module 4 analyzes the network security information with an analysis program; the security knowledge graph construction module 5 constructs the network security knowledge graph; the security threshold setting module 6 sets the network security threshold; the security prediction module 7 then predicts the network security situation; and finally the alarm module 8 issues an alarm notification for the network security according to the network security analysis result, the network security knowledge graph and the prediction result.
It should be noted that embodiments of the present invention can be realized in hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those skilled in the art will appreciate that the apparatus and methods described above may be implemented using computer executable instructions and/or embodied in processor control code, such code being provided on a carrier medium such as a disk, CD-or DVD-ROM, programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier, for example. The apparatus and its modules of the present invention may be implemented by hardware circuits such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., or by software executed by various types of processors, or by a combination of hardware circuits and software, e.g., firmware.
3. Evidence of the relevant effects of the examples. The embodiment of the invention achieves some positive effects in the process of research and development or use, and has great advantages compared with the prior art, and the following contents are described by combining data, diagrams and the like in the test process.
According to the invention, the security knowledge graph construction module infers missing relationships automatically to generate the network security knowledge graph, without manual participation, with high accuracy and speed, which further improves the efficiency of building the network security knowledge graph; meanwhile, the security prediction module uses a hidden Markov model to model, by time series analysis, the daily threat detection amount of each network security device together with the security situation data of the target network, establishes the relation between the daily threat detection amount of each network security device in the target network and the security of the network situation, and finally predicts the trend of the overall network security state over a future period from the security protection state data of a group of network security devices; this overcomes the current lack, in the field of network security situation awareness, of a concrete prediction of the future trend of the overall security state of the network.
The above description is only for the purpose of illustrating the present invention and the appended claims are not to be construed as limiting the scope of the invention, which is intended to cover all modifications, equivalents and improvements that are within the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A network security early warning system of an adaptive mimicry technology is characterized by comprising the following components:
the system comprises a network security scanning module, a central control module, a network information extraction module, an information analysis module, a security knowledge map construction module, a security threshold setting module, a security prediction module and an alarm module;
the network security scanning module is connected with the central control module and is used for scanning security information such as network attacks, vulnerabilities and intrusions;
the central control module is connected with the network security scanning module, the network information extraction module, the information analysis module, the security knowledge map construction module, the security threshold setting module, the security prediction module and the alarm module and is used for controlling each module to work normally;
the network information extraction module is connected with the central control module and is used for extracting network security information data;
the information analysis module is connected with the central control module and is used for analyzing the network security information through an analysis program;
the safety knowledge graph building module is connected with the central control module and used for building a network safety knowledge graph;
the safety threshold setting module is connected with the central control module and is used for setting a network safety threshold;
the safety prediction module is connected with the central control module and used for predicting the network safety situation;
and the alarm module is connected with the central control module and is used for carrying out alarm notification on the network security according to the network security analysis result, the network security knowledge graph and the prediction result through the alarm.
2. The network security early warning system of the adaptive mimicry technology of claim 1, wherein the security knowledge graph building module is constructed by the following method:
(1) Counting network security events; acquiring network original relation data for constructing the network security knowledge graph according to the network security event;
(2) Constructing a network original relationship map according to the network original relationship data; carrying out relational reasoning processing on the network original relational graph through a pre-constructed relational reasoning model to obtain a missing relation set;
(3) And optimizing the network original relation map according to the missing relation set to obtain the network security knowledge map.
3. The adaptive mimicry network security pre-warning system of claim 2, wherein the obtaining of network raw relationship data for constructing the network security knowledge-graph comprises:
acquiring network security event data for constructing the network security knowledge graph;
and extracting and processing the entity relationship of the network security event data to obtain network original relationship data.
4. The network security early warning system of the adaptive mimicry technology of claim 2, wherein the performing the relationship inference process on the network original relationship graph through a pre-constructed relationship inference model to obtain a missing relationship set comprises:
determining a target node pair needing to predict a new relationship and a relationship path of the target node pair according to the network original relationship map;
determining a path vector set of the target node pair according to the network original relation atlas and the relation path;
carrying out relational reasoning processing on the path vector set through a pre-constructed relational reasoning model to obtain at least one predicted relation of the target node pair;
determining a set of missing relationships for the target node pair based on the at least one predicted relationship.
5. The adaptive mimicry network security pre-warning system of claim 2, wherein the determining the set of path vectors for the target node pair from the network original relationship graph and the relationship path comprises:
calculating the out-degree of each node in the relation path according to the network original relation graph; determining the initial weight of each node in the relationship path according to the out degree; determining at least one sub-path according to the relationship path, and calculating a path vector corresponding to each sub-path according to a preset attack relationship weight coefficient and the initial weight;
and generating a path vector set of the target node pair according to the path vector corresponding to each sub-path.
6. The adaptive mimicry network security pre-warning system of claim 2, wherein the determining the set of missing relationships for the target node pair based on the at least one predicted relationship comprises:
acquiring an output vector of the last model unit of the relational inference model when the relational inference model predicts the path vector set;
adding each prediction relation into the relation path respectively to obtain a new relation path corresponding to each prediction relation;
vectorizing the new relation path corresponding to each prediction relation to obtain a prediction path vector corresponding to each prediction relation;
respectively calculating vector similarity between the output vector and a predicted path vector corresponding to each predicted relationship to obtain target similarity corresponding to each predicted relationship;
filtering the at least one prediction relation according to a preset similarity threshold and the target similarity to obtain a missing relation set;
the optimizing the network original relationship map according to the missing relationship set to obtain the network security knowledge map includes:
determining a prediction relation corresponding to the maximum target similarity from the missing relation set, and taking the prediction relation as a target prediction relation of the target node pair; optimizing the network original relation map according to the target prediction relation of the target node pair to obtain the network security knowledge map;
the optimizing the network original relationship map according to the missing relationship set to obtain the network security knowledge map includes:
outputting the missing relationship set and the target node pair; obtaining a selected instruction aiming at a target prediction relation in the missing relation set; determining the target predicted relationship of the target node pair from the set of missing relationships according to the selected instruction;
and optimizing the network original relation map according to the target prediction relation of the target node pair to obtain the network security knowledge map.
7. The adaptive mimicry network security pre-warning system of claim 1, wherein the security prediction module predicts as follows:
1) Constructing a network security database; acquiring the security protection state data of N network security devices in a target network over a target time period as input data; and detecting anomalies in the target network;
2) Inputting the input data into a hidden Markov model trained in advance until convergence, to obtain security situation prediction data for the target network; storing the acquired security protection state data and the security situation prediction data in the network security database; the hidden Markov model takes the security situation of the target network as its hidden state and the security protection states of the N network security devices in the target network as its observed states, N being a positive integer;
the method for detecting anomalies in the target network comprises the following steps:
step 1, extracting multi-source features from multi-source data;
step 2, fusing the multi-source characteristics extracted in the step 1 to form equipment node characteristics;
step 3, optimizing the node characteristics of the equipment generated in the step 2, and describing the topology of the target network by using a graph model, wherein the equipment in the target network is modeled as nodes in the graph, and the connection relation between the equipment is modeled as edges in the graph;
step 4, on the basis of the step 3, according to the graph structure defined in the step 3, using a spectral clustering algorithm to aggregate similar points on the graph to generate K clusters; wherein: the spectral clustering algorithm comprises the following steps:
4.1, calculating a Laplace matrix of the graph;
4.2, calculating generalized eigenvalue decomposition to obtain all eigenvalues and corresponding eigenvectors;
4.3, sorting all eigenvalues from small to large, and taking the eigenvectors corresponding to the first k eigenvalues to form an eigenvector matrix V:
[equation image in the original: the eigenvector matrix V]
Step 4.4, regarding the row vectors of V as nodes, applying the K-means clustering algorithm to the n nodes and clustering them into K classes; the spectral clustering algorithm thus defines a mapping from the node set of the graph to the clusters. According to the spectral clustering result, each cluster is then regarded as a node and a new graph is generated, in which an edge between two nodes is defined as follows: if the original graph contains two points belonging to the two corresponding clusters and an edge exists between these two points, then an edge exists between the two nodes in the new graph. The adjacency matrix of the generated new graph is formally defined as follows:
[equation image in the original: adjacency matrix of the new graph]
where V_i represents the i-th cluster of the original graph;
step 5, regarding each cluster generated in the step 4 as a point, so that the graph is mapped into a sub-graph with smaller scale, wherein the nodes in the sub-graph correspond to the original clusters, and the edges in the sub-graph indicate that the original two clusters are adjacent; simultaneously mapping the feature vectors of all nodes in one cluster into one feature vector as the feature of the corresponding node in the subgraph;
step 6, optimizing the node characteristics in the subgraph by using the subgraph generated in the step 5 and the node characteristics of the subgraph and by using the graph convolution module again;
step 7, fusing the node features optimized in step 6 to generate the semantic features of the whole graph: the average of the feature vectors of all nodes output in step 6 is taken as the semantic feature of the whole graph;
step 8, further optimizing the feature vectors obtained in step 7 to generate better feature vectors in a low-dimensional feature space; two fully connected layers are used for this feature optimization, and the formula of a fully connected layer is X_{l+1} = F(W X_l), where X_l is the feature vector of the l-th layer, W is a transformation matrix (a linear mapping), and F is an activation function that introduces nonlinearity;
step 9, predicting whether the target network is anomalous from the optimized feature vector obtained in step 8.
8. The adaptive mimicry network security pre-warning system of claim 7, wherein before the obtaining the security protection status data of the N network security devices in the target network within the target time period, the method further comprises the following steps:
the method comprises the steps that in a first preset time length, safety situation data of a target network and safety protection state data of N network safety devices in the target network are regularly obtained according to a first collection period, and a first set formed by the safety situation data of the target network and a second set formed by the safety protection state data of the N network safety devices in the first preset time length are obtained;
calculating an initial state probability matrix, a state transition probability matrix and an observation state transition probability matrix according to the first set and the second set;
establishing a hidden Markov model according to the initial state probability matrix, the state transition probability matrix and the observation state transition probability matrix;
within a second preset time, regularly acquiring security situation data of the target network and security protection state data of N network security devices in the target network according to a second acquisition cycle to obtain a training sample; the first preset time length and the second preset time length are equal or unequal, and the first acquisition period and the second acquisition period are the same or different;
training the hidden Markov model by the training sample, and judging whether the hidden Markov model meets a preset convergence condition;
if the hidden Markov model does not meet the preset convergence condition, returning to execute the step of regularly acquiring the safety protection state data of the N network safety devices within the second preset duration according to a second acquisition cycle;
and if the hidden Markov model meets the preset convergence condition, obtaining the converged hidden Markov model.
9. The network security early warning system of the adaptive mimicry technology of claim 8, wherein the periodically obtaining the security protection status data of N network security devices in the target network according to the first/second collection periods comprises:
counting the threat detection amount of each network security device in each acquisition period;
when each acquisition period expires, calculating the mean value of the threat detection amounts of the N network security devices in the current expired acquisition period, and taking the mean value as the state baseline of the network security devices in the current expired acquisition period;
determining the safety protection state of each network safety device in each acquisition period according to a preset protection state classification rule; wherein the safeguard status classification rule is related to the status baseline.
10. The adaptive mimicry network security pre-warning system of claim 9, wherein the protection state classification rules comprise:
a network security device whose threat detection amount is smaller than a first threat detection amount is classified into a first security state; a device whose threat detection amount is greater than or equal to the first threat detection amount and less than or equal to a second threat detection amount is classified into a second security state; and a device whose threat detection amount is greater than the second threat detection amount is classified into a third security state;
where the first threat detection amount equals the state baseline lowered by a first preset percentage, the second threat detection amount equals the state baseline raised by a second preset percentage, and the first and second percentages may be equal or unequal.
CN202210886499.5A 2022-07-26 2022-07-26 Network security early warning system of self-adaptation mimicry technique Pending CN115296876A (en)
Publications (1)

Publication Number Publication Date
CN115296876A true CN115296876A (en) 2022-11-04

Family

ID=83823618

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210886499.5A Pending CN115296876A (en) 2022-07-26 2022-07-26 Network security early warning system of self-adaptation mimicry technique

Country Status (1)

Country Link
CN (1) CN115296876A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116127522A (en) * 2023-04-17 2023-05-16 北京盛科沃科技发展有限公司 Safety risk analysis method and system based on multi-source data acquisition

Citations (5)

Publication number Priority date Publication date Assignee Title
CN104486141A (en) * 2014-11-26 2015-04-01 国家电网公司 Misdeclaration self-adapting network safety situation predication method
CN112073415A (en) * 2020-09-08 2020-12-11 北京天融信网络安全技术有限公司 Method and device for constructing network security knowledge graph
CN112165496A (en) * 2020-10-13 2021-01-01 清华大学 Network security anomaly detection algorithm and detection system based on cluster map neural network
CN113098828A (en) * 2019-12-23 2021-07-09 ***通信集团辽宁有限公司 Network security alarm method and device
CN113852510A (en) * 2021-10-13 2021-12-28 北京安天网络安全技术有限公司 Network security situation prediction method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US11522881B2 (en) Structural graph neural networks for suspicious event detection
US11973774B2 (en) Multi-stage anomaly detection for process chains in multi-host environments
US11614989B2 (en) Method and apparatus for intelligent operation management of infrastructure
US20200244673A1 (en) Multivariate network structure anomaly detector
US20160308725A1 (en) Integrated Community And Role Discovery In Enterprise Networks
US20140279762A1 (en) Analytical neural network intelligent interface machine learning method and system
US20220263860A1 (en) Advanced cybersecurity threat hunting using behavioral and deep analytics
CN103870751A (en) Method and system for intrusion detection
Szabo et al. Formalization of weak emergence in multiagent systems
Raja et al. Combined analysis of support vector machine and principle component analysis for IDS
US20240121262A1 (en) Endpoint agents and scalable cloud architecture for low latency classification
Gupta et al. A supervised deep learning framework for proactive anomaly detection in cloud workloads
TWM622216U (en) Apparatuses for service anomaly detection and alerting
CN117061322A (en) Internet of things flow pool management method and system
Kalaivani et al. A Hybrid Deep Learning Intrusion Detection Model for Fog Computing Environment.
Yi et al. A deep and systematic review of the intrusion detection systems in the fog environment
Bebeshko et al. Use of Neural Networks for Predicting Cyberattacks.
CN115296876A (en) Network security early warning system of self-adaptation mimicry technique
Alohali et al. Swarm intelligence for IoT attack detection in fog-enabled cyber-physical system
US20230396637A1 (en) Adaptive system for network and security management
CN116644437A (en) Data security assessment method, device and storage medium
WO2008060643A2 (en) Sna-based anomaly detection
CN114039837B (en) Alarm data processing method, device, system, equipment and storage medium
CN114915446A (en) Intelligent network security detection method fusing priori knowledge
CN115296872A (en) Network security risk assessment system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination