CN116743406A - Network security early warning method and device, storage medium and computer equipment - Google Patents


Info

Publication number: CN116743406A
Authority: CN (China)
Prior art keywords: node, situation, determining, network, vulnerability
Legal status: Pending
Application number: CN202210207618.XA
Other languages: Chinese (zh)
Inventor: 张鲁男
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Group Shandong Co Ltd
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Group Shandong Co Ltd
Priority: CN202210207618.XA

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

An embodiment of the invention provides a network security early warning method, a network security early warning device, a storage medium and computer equipment. The method comprises the following steps: determining the asset situation of the network according to the node type of each node in the network and the hardware information of each node in a preset time period; determining the threat situation of the network according to the node type and the acquired traffic information of each node in the preset time period; determining the vulnerability situation of the network according to the node type and the traffic information of each node in the preset time period; determining the security situation of the network according to the asset situation, the threat situation and the vulnerability situation; and performing security early warning according to the security situation. In the technical scheme provided by the embodiment, the security situation is evaluated from the asset situation, threat situation and vulnerability situation of each node in the network, and the security early warning is performed along these three dimensions, so that the evaluation accuracy of the security situation is improved and the timeliness and accuracy of the security early warning are further ensured.

Description

Network security early warning method and device, storage medium and computer equipment
[ Technical field ]
The present invention relates to the field of security technologies, and in particular, to a network security early warning method, device, storage medium, and computer apparatus.
[ Background art ]
With the rapid development of computer and communication technologies, computer networks are applied ever more widely and their scale keeps growing. Multi-layer network security threats and risks are increasing continuously, the threats and losses caused by network viruses, DoS/DDoS attacks and the like are growing, and network attack behaviour is trending towards distributed, large-scale and complex forms. Relying only on a single network security protection technology such as a firewall, intrusion detection, virus prevention or access control can no longer meet the demands of network security, so the timeliness and accuracy of security early warning are low.
[ Summary of the invention ]
In view of this, the embodiments of the present invention provide a network security early warning method, device, storage medium and computer device, so as to improve the timeliness and accuracy of security early warning.
In one aspect, an embodiment of the present invention provides a network security early warning method, including:
determining the asset situation of the network according to the node type of each node in the network and the hardware information of each node in a preset time period;
determining a threat situation of the network according to the node type and the acquired flow information of each node in a preset time period;
determining the vulnerability situation of the network according to the node type and the flow information of each node in a preset time period;
determining a security situation of a network according to the asset situation, the threat situation and the vulnerability situation;
and performing security early warning according to the security situation.
Optionally, the hardware information of each node in the preset time period includes a CPU usage rate, a memory usage rate, and a vulnerability count corresponding to each node type, and determining, according to the obtained node type of each node in the network and the hardware information of each node in the preset time period, an asset situation of the network includes:
determining the asset value of each node according to the node type, the CPU utilization rate, the memory utilization rate and the vulnerability number corresponding to each node type;
and determining the asset situation of the network according to the set weight of each node and the asset value of each node.
Optionally, the traffic information of each node in the preset time period includes uplink traffic data and downlink traffic data, and determining the threat situation of the network according to the node type and the acquired traffic information of each node in the preset time period includes:
clustering the uplink flow data to obtain the number of elements included in the maximum class of the uplink flow data and the total amount of the uplink flow data;
clustering the downlink flow data to obtain the element number and the total downlink flow data contained in the maximum class of the downlink flow data;
generating threat values of all nodes according to the element number included in the maximum class of the uplink flow data, the total amount of the uplink flow data, the element number included in the maximum class of the downlink flow data and the total amount of the downlink flow data;
and determining the threat situation of the network according to the set weight of each node and the threat value of each node.
Optionally, the traffic information of each node in the preset time period includes a packet loss rate, a maximum connection number at the same time, and a traffic situation, and determining the vulnerability situation of the network according to the node type and the traffic information of each node in the preset time period includes:
determining the fragile value of each node according to the packet loss rate, the maximum connection number at the same time and the traffic situation;
and determining the vulnerability situation of the network according to the set weight of each node and the vulnerability value of each node.
Optionally, the determining the security posture of the network according to the asset posture, the threat posture and the vulnerability posture includes:
multiplying the asset situation, the threat situation and the vulnerability situation to determine a security situation of the network.
Optionally, the determining the asset value of each node according to the node type, the CPU usage, the memory usage, and the vulnerability count corresponding to each node type includes:
determining the asset value of each node according to the maximum value of the CPU utilization rate in the preset time period, the average value of the CPU utilization rate in the preset time period, the minimum value of the CPU utilization rate in the preset time period, the maximum value of the memory utilization rate in the preset time period, the average value of the memory utilization rate in the preset time period, the minimum value of the memory utilization rate in the preset time period, the vulnerability numbers of different node types in the vulnerability numbers corresponding to each node type and the vulnerability numbers of the same node type.
Optionally, the performing the security early warning according to the security situation includes:
and if the security situation is greater than the early warning threshold value, performing security early warning.
In another aspect, an embodiment of the present invention provides a network security early warning device, including:
the first determining module is used for determining the asset situation of the network according to the obtained node type of each node in the network and the hardware information of each node in a preset time period;
the second determining module is used for determining the threat situation of the network according to the node type and the acquired flow information of each node in a preset time period;
the third determining module is used for determining the vulnerability situation of the network according to the node type and the flow information of each node in a preset time period;
a fourth determining module, configured to determine a security situation of a network according to the asset situation, the threat situation, and the vulnerability situation;
and the security early warning module is used for performing security early warning according to the security situation.
In another aspect, an embodiment of the invention provides a storage medium comprising a stored program, wherein, when the program runs, the device where the storage medium is located is controlled to execute the network security early warning method.
In another aspect, an embodiment of the present invention provides a computer device, including a memory and a processor, where the memory is configured to store information including program instructions, and the processor is configured to control execution of the program instructions, where the program instructions, when loaded and executed by the processor, implement the steps of the network security early warning method described above.
According to the technical scheme of the network security early warning method provided by the embodiment of the invention, the asset situation of the network is determined according to the node type of each node in the network and the hardware information of each node in a preset time period; determining a threat situation of the network according to the node type and the acquired flow information of each node in a preset time period; determining the vulnerability situation of the network according to the node type and the flow information of each node in a preset time period; determining the security situation of the network according to the asset situation, the threat situation and the vulnerability situation; and carrying out safety precaution according to the safety situation. According to the technical scheme provided by the embodiment of the invention, the security situation is evaluated by the asset situation, threat situation and vulnerability situation of each node in the network, and the security early warning is performed by three dimensions, so that the evaluation accuracy of the security situation is improved, and the timeliness and accuracy of the security early warning are further ensured.
[ Description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a network security early warning method according to an embodiment of the present invention;
FIG. 2 is a flowchart of determining an asset situation of the network according to the obtained node type of each node in the network and the hardware information of each node in a preset time period in FIG. 1;
FIG. 3 is a flowchart for determining a threat situation of the network according to the node type and the acquired traffic information of each node in a preset time period in FIG. 1;
FIG. 4 is a flow chart of FIG. 1 for determining a vulnerability situation of a network according to node types and traffic information of each node in a preset time period;
fig. 5 is a schematic structural diagram of a network security early warning device according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a computer device according to an embodiment of the present invention.
[ Detailed description of the invention ]
For a better understanding of the technical solution of the present invention, the following detailed description of the embodiments of the present invention refers to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein merely describes an association between associated objects and means that three relationships may exist; for example, "a and/or b" may represent: a alone, b alone, or both a and b. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
The related art provides a network security early warning method comprising the following steps: acquiring security scene information that depends on the activity of a network, analyzing the security scene information with a processor and determining a security guarantee value; extracting the network information of each device from the network log, the network information including the identification of the device, the number of attacks on the device and historical operation data; for each node in the network topology, determining the security situation of the node according to the degree of the node and the network information of the device at the node; and determining whether the network is safe according to the security situation of each node, and carrying out security early warning if it is not. This method considers only the condition of the node data, such as the number of attacks received and historical operation data, when determining the security situation. However, the consequences of an attack differ between nodes: a node with high vulnerability (a relatively fragile node) may be paralyzed, while a node with low vulnerability (high security) may be unaffected. The evaluation of the security situation is therefore one-sided, so the timeliness and accuracy of security early warning are low.
In order to solve the technical problems in the related art, an embodiment of the present invention provides a network security early warning method, and fig. 1 is a flowchart of the network security early warning method provided in the embodiment of the present invention, as shown in fig. 1, where the method includes:
step 102, determining the asset situation of the network according to the obtained node type of each node in the network and the hardware information of each node in a preset time period.
In an embodiment of the invention, the steps are performed by a computer device.
In an embodiment of the present invention, step 102 includes:
step S1, obtaining node types of all nodes in the network.
In the embodiment of the invention, the node types of each node in the network comprise: a terminal, a server or a switch, etc. The node type of each node in the network is determined at the time of deployment of the network node.
Step S2, acquiring the hardware information of each node in the network in the preset time period and the traffic information of each node in the preset time period.
In the embodiment of the present invention, the hardware information is the content related to the hardware of each node; for example, the hardware information includes the number of ports, the state of each port, the central processing unit (CPU) usage, the memory usage and/or a list of vulnerabilities.
For the current hardware information, the state of each port is its current state: if a port is currently open, its state is 1; if a port is currently closed, its state is 0.
For the hardware information in the preset time period, the state of a port is 1 as long as its state was 1 at any time in the preset time period. That is, for any port, if it was open at any time during the preset time period, the state of that port for the preset time period is 1.
The vulnerability list records the port vulnerabilities caused by the node's current operating system, hardware configuration and the like; these vulnerabilities exist objectively in the node device regardless of whether they are attacked. The vulnerability list comprises the vulnerability number corresponding to each node type, the vulnerability types and/or the port numbers corresponding to the vulnerability types. The vulnerability list may be obtained from vulnerability information published by authoritative sources such as the operating system.
The traffic information is the content related to the node's data transmission, such as packet information and network information. The packet information describes each packet, such as the packet identification, the data direction (downstream or upstream), the port involved, the source Internet Protocol (IP) address (for downstream data only; upstream data has no such field) and the destination IP address (for upstream data only; downstream data has no such field). The network information describes the overall situation of the data transmission process, such as the packet loss rate, the maximum number of connections at the same time and/or the traffic situation.
In the embodiment of the invention, the traffic information of each node in the preset time period comprises uplink traffic data and downlink traffic data.
Fig. 2 is a flowchart of determining an asset situation of the network according to the obtained node type of each node in the network and the hardware information of each node in the preset time period in fig. 1, as shown in fig. 2, step 102 includes:
step 1022, determining the asset value of each node according to the node type, the CPU utilization rate, the memory utilization rate and the vulnerability number corresponding to each node type.
Specifically, the asset value of each node is determined according to the maximum value of the CPU usage within the preset time period, the mean value of the CPU usage within the preset time period, the minimum value of the CPU usage within the preset time period, the maximum value of the memory usage within the preset time period, the mean value of the memory usage within the preset time period, the minimum value of the memory usage within the preset time period, the vulnerability number of different node types among the vulnerability numbers corresponding to each node type, and the vulnerability number of the same node type.
Because the vulnerability list states the vulnerability type (such as a DDoS attack) and the corresponding port number, the same vulnerability type may correspond to several ports, and the same port may correspond to several vulnerability types. Therefore, the vulnerability number of different node types is the total number of records in the vulnerability list, and the vulnerability number of the same node type is, for one vulnerability type, the maximum number of ports corresponding to it.
The asset value $A_i$ of each node is generated by the asset-value formula from the maximum, mean and minimum values of the CPU usage within the preset time period, the maximum, mean and minimum values of the memory usage within the preset time period, the vulnerability number of different node types among the vulnerability numbers corresponding to each node type, and the vulnerability number of the same node type.
The quantities in the formula are: the maximum, mean and minimum values of the CPU usage within the preset time period; the maximum, mean and minimum values of the memory usage within the preset time period; the vulnerability number of different node types and the vulnerability number of the same node type among the vulnerability numbers corresponding to each node type; the number of ports; the number of ports whose state is 1; and $A_i$, the asset value of each node.
Step 1024, determining the asset situation of the network according to the set weight of each node and the asset value of each node.
Specifically, the asset situation of the network is generated from the set weight of each node and the asset value of each node by the formula $A = \sum_i W_i \cdot A_i$, where $i$ is the node identification of each node, $W_i$ is the weight of the $i$-th node, $A_i$ is the asset value of the $i$-th node, and $A$ is the asset situation.
In the embodiment of the invention, $W_i$ corresponds to the type of node $i$; for example, the weight of a terminal may be preset to 2 and the weight of a server to 4.
Step 104, determining the threat situation of the network according to the node type and the acquired flow information of each node in the preset time period.
Fig. 3 is a flowchart of determining a threat situation of the network according to the node type and the acquired flow information of each node in the preset time period in fig. 1, and as shown in fig. 3, step 104 includes:
step 1042, clustering the uplink traffic data to obtain the number of elements included in the maximum class of the uplink traffic data and the total amount of the uplink traffic data.
Specifically, step 1042 comprises:
Step A1, sorting the uplink data packets by arrival time from earliest to latest to obtain an uplink data sequence, and calculating, for each uplink datum in the uplink data sequence, the arrival time difference from the preceding uplink datum.
Step A2, forming the uplink traffic data into a set.
Step A3, selecting any one element of the set as the center of a class, and marking that element as categorized.
Step A4, selecting the unclassified elements in turn; for an unclassified element x, calculating the degree of attribution between the unclassified element x and each classified element y.
If the port corresponding to element x is the same as the port corresponding to element y, the degree of attribution is calculated with the number of vulnerability types that the port corresponding to element x has in the vulnerability list.
If the port corresponding to element x is different from the port corresponding to element y, the degree of attribution is calculated with the number of vulnerability types that the port corresponding to element y has in the vulnerability list.
The similarity of source addresses between element x and element y is calculated as follows:
The IP address is divided into 4 decimal numbers, for example 120.244.110.131.
Starting from the leftmost decimal number of the source address, compare in turn whether the values of element x and element y at that position are the same, and find the position of the first differing decimal number.
For example, if element x has source IP 120.244.110.131 and element y has source IP 120.244.110.100, the first differing decimal number is the rightmost one.
Take aaa.bbb.ccc.ddd as an example.
If the first different decimal number is the rightmost (i.e., the position of ddd), then
If the first different decimal number is the second from the right (i.e., the position of ccc), then
If the first different decimal number is the second from the left (i.e., the position of bbb), then
If the first different decimal number is the leftmost (i.e., the position of aaa), then
After this has been executed, the degree of attribution between each unclassified element and each classified element has been calculated.
Step A5, finding the largest degree of attribution among all the degrees of attribution, and classifying the unclassified element of that largest degree into the class of the corresponding classified element.
Step A6, finding the smallest degree of attribution among all the degrees of attribution, making the unclassified element of that smallest degree a new class, and marking it as classified.
Step A7, repeating steps A4 to A6 until all elements of the set are classified.
Step 1044, clustering the downlink traffic data to obtain the number of elements included in the maximum class of the downlink traffic data and the total amount of the downlink traffic data.
In the embodiment of the present invention, the clustering manner of the downlink traffic data is the same as that of steps A1 to A7 above, except that the source IP is replaced by the destination IP, and it is not described again here.
Step 1046, generating threat values of each node according to the number of elements included in the maximum class of uplink traffic data, the total amount of uplink traffic data, the number of elements included in the maximum class of downlink traffic data, and the total amount of downlink traffic data.
Specifically, the threat value of each node is generated by the formula $R_i = \frac{\text{number of elements in the largest class of uplink traffic data}}{\text{total amount of uplink traffic data}} + \frac{\text{number of elements in the largest class of downlink traffic data}}{\text{total amount of downlink traffic data}}$, where $R_i$ is the threat value of each node.
Step 1048, determining a threat situation of the network according to the set weight of each node and the threat value of each node.
Specifically, the threat situation of the network is determined from the set weight of each node and the threat value of each node by the formula $R = \sum_i W_i \cdot R_i$, where $i$ is the node identification of each node, $W_i$ is the weight of the $i$-th node, $R_i$ is the threat value of the $i$-th node, and $R$ is the threat situation.
Step 106, determining the vulnerability situation of the network according to the node type and the traffic information of each node in the preset time period.
Fig. 4 is a flowchart of determining a vulnerability situation of the network according to the node type and the traffic information of each node in the preset time period in fig. 1, and as shown in fig. 4, step 106 includes:
step 1062, determining the vulnerable value of each node according to the packet loss rate, the maximum connection number at the same time and the traffic situation.
Specifically, the vulnerable value $L_i$ of each node is generated by the formula for $L_i$, as the product of the packet loss rate, the maximum connection number at the same time, the average value of the traffic situation, and the maximum loss caused by an attack on the vulnerability type corresponding to a port whose state is 1, where $L_i$ is the vulnerability value of each node.
Step 1064, determining the vulnerability situation of the network according to the set weights of the nodes and the vulnerability values of the nodes.
Specifically, the vulnerability situation of the network is generated from the set weight of each node and the vulnerability value of each node by the formula $L = \sum_i W_i \cdot L_i$, where $i$ is the node identification of each node, $W_i$ is the weight of the $i$-th node, $L_i$ is the vulnerability value of the $i$-th node, and $L$ is the vulnerability situation.
Step 108, determining the security situation of the network according to the asset situation, the threat situation and the vulnerability situation.
Specifically, the asset situation, the threat situation and the vulnerability situation are multiplied to determine the security situation of the network by the formula $S = A \times R \times L$, where $A$ is the asset situation, $R$ is the threat situation, $L$ is the vulnerability situation, and $S$ is the security situation.
Step 110, performing security early warning according to the security situation.
As an alternative, if the security situation is greater than the early warning threshold, then the security early warning is performed.
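The following Python script is an added example, not code from the patent or its applicant. It carries steps 106 to 110 through on constructed data: a per-node vulnerability value L_i, the weighted sum L = Σ_i W_i × L_i, the product S = A × R × L and the threshold comparison. The asset situation A and threat situation R are taken as already-computed inputs (their per-node formulas belong to steps 102 and 104), the PORT_MAX_LOSS table and the exact grouping of factors inside L_i are this example's assumptions (the page only states that L_i is a product of those quantities), and the threshold value is arbitrary.

```python
"""Added example (not from the patent): the step 106-110 chain.

L_i per node -> L = sum_i W_i * L_i -> S = A * R * L -> warn if S > threshold.
A and R are taken as already-computed inputs; steps 102 and 104 are not implemented here.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class NodeTraffic:
    """Traffic information for one node over the preset time period (constructed)."""
    node_id: str
    packet_loss_rate: float            # fraction of packets lost in the period, 0..1
    max_concurrent_conns: List[float]  # per-sample maximum number of simultaneous connections
    traffic_situation: List[float]     # per-sample traffic situation metric
    port_state: Dict[int, int]         # port number -> state (1 = open / reachable)


# Assumed lookup (not on the page): maximum loss an attack on the vulnerability
# type associated with each port could cause, on a 0..1 scale.
PORT_MAX_LOSS: Dict[int, float] = {22: 0.8, 80: 0.5, 443: 0.4, 3389: 0.9}


def _mean(xs: List[float]) -> float:
    return sum(xs) / len(xs) if xs else 0.0


def node_vulnerability_value(n: NodeTraffic) -> float:
    """L_i: product of the packet loss rate, the period averages of the maximum
    simultaneous connections and of the traffic situation, and the largest loss
    value among ports whose state is 1. The page calls L_i this product; the
    grouping of the averages is this example's reading of the text."""
    exposed_losses = [PORT_MAX_LOSS.get(p, 0.0) for p, s in n.port_state.items() if s == 1]
    max_loss = max(exposed_losses, default=0.0)
    return (n.packet_loss_rate
            * _mean(n.max_concurrent_conns)
            * _mean(n.traffic_situation)
            * max_loss)


def weighted_situation(values: Dict[str, float], weights: Dict[str, float]) -> float:
    """L = sum_i W_i * L_i (the same weighted form the patent uses for A and R)."""
    return sum(weights[i] * v for i, v in values.items())


def security_situation(asset: float, threat: float, vulnerability: float) -> float:
    """S = A * R * L (step 108)."""
    return asset * threat * vulnerability


def should_warn(security: float, threshold: float) -> bool:
    """Step 110: raise an early warning when S exceeds the threshold."""
    return security > threshold


def evaluate(nodes: List[NodeTraffic], weights: Dict[str, float],
             asset: float, threat: float, threshold: float) -> dict:
    """Run steps 106-110 and return every intermediate value for inspection."""
    l_values = {n.node_id: node_vulnerability_value(n) for n in nodes}
    L = weighted_situation(l_values, weights)
    S = security_situation(asset, threat, L)
    return {"L_i": l_values, "L": L, "S": S, "warn": should_warn(S, threshold)}


# Constructed sample: three nodes; node "b" has no loss and no exposed port.
SAMPLE_NODES = [
    NodeTraffic("a", 0.02, [100, 120, 80], [1.0, 1.5, 0.5], {22: 1, 80: 1, 443: 0}),
    NodeTraffic("b", 0.00, [10, 10, 10], [0.2, 0.2, 0.2], {443: 0}),
    NodeTraffic("c", 0.05, [40, 60], [2.0, 2.0], {3389: 1}),
]
SAMPLE_WEIGHTS = {"a": 0.5, "b": 0.3, "c": 0.2}

if __name__ == "__main__":
    # Assumed A and R (outputs of steps 102 and 104) and an assumed threshold.
    print(evaluate(SAMPLE_NODES, SAMPLE_WEIGHTS, asset=3.0, threat=2.0, threshold=10.0))
```

Two properties of the multiplicative aggregation are worth checking before adopting it. Because S = A × R × L, any dimension that evaluates to zero (here, a network in which no node has an exposed port) silences the warning regardless of the other two. And because L_i multiplies raw connection counts by rates, S has no fixed scale, so the early warning threshold only has meaning relative to a baseline measured on the same network.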
According to the technical scheme provided by this embodiment of the invention, the asset situation of the network is determined according to the node type of each node in the network and the hardware information of each node in a preset time period; the threat situation of the network is determined according to the node type and the acquired traffic information of each node in the preset time period; the vulnerability situation of the network is determined according to the node type and the traffic information of each node in the preset time period; the security situation of the network is determined according to the asset situation, the threat situation and the vulnerability situation; and security early warning is carried out according to the security situation. Because the security situation is evaluated from the asset situation, threat situation and vulnerability situation of each node in the network, and the early warning is driven by these three dimensions, the accuracy of the security situation evaluation is improved, which in turn supports the timeliness and accuracy of the security early warning.
An embodiment of the invention provides a network security early warning device. Fig. 5 is a schematic structural diagram of a network security early warning device according to an embodiment of the present invention. As shown in Fig. 5, the device includes: a first determining module 11, a second determining module 12, a third determining module 13, a fourth determining module 14 and a security early warning module 15.
The first determining module 11 is configured to determine the asset situation of the network according to the obtained node type of each node in the network and the hardware information of each node in a preset time period;
the second determining module 12 is configured to determine the threat situation of the network according to the node type and the acquired traffic information of each node in the preset time period;
the third determining module 13 is configured to determine the vulnerability situation of the network according to the node type and the traffic information of each node in the preset time period;
the fourth determining module 14 is configured to determine the security situation of the network according to the asset situation, the threat situation and the vulnerability situation;
the security early warning module 15 is configured to carry out security early warning according to the security situation.
In the embodiment of the present invention, the first determining module 11 is specifically configured to determine the asset value of each node according to the node type, the CPU utilization, the memory utilization, and the vulnerability count corresponding to each node type; and determining the asset situation of the network according to the set weight of each node and the asset value of each node.
In the embodiment of the present invention, the second determining module 12 is specifically configured to cluster the uplink traffic data and obtain the number of elements contained in the maximum class of the uplink traffic data and the total amount of the uplink traffic data; cluster the downlink traffic data and obtain the number of elements contained in the maximum class of the downlink traffic data and the total amount of the downlink traffic data; generate the threat value of each node according to the number of elements contained in the maximum class of the uplink traffic data, the total amount of the uplink traffic data, the number of elements contained in the maximum class of the downlink traffic data and the total amount of the downlink traffic data; and determine the threat situation of the network according to the set weight of each node and the threat value of each node.
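The clustering step behind the second determining module, as an added example in Python (not the patent's or the applicant's code). The page says only that the uplink and downlink traffic data are each clustered and that the element count of the largest class and the total are kept per direction. The clustering method used here (splitting sorted samples at large gaps), the way the four numbers are combined into a per-node threat value (share of samples outside the dominant class, averaged over both directions) and the sample byte counts are all assumptions of this example.

```python
"""Added example (not from the patent): clustering a node's traffic samples and
deriving a per-node threat value from the largest-class count and the total.

The clustering method and the combination into R_i are assumptions; the patent
does not specify either on this page.
"""
from typing import Dict, List, Tuple


def cluster_1d(values: List[float], gap_ratio: float = 3.0,
               min_gap: float = 50.0) -> List[List[float]]:
    """Group sorted samples into classes; a new class starts when the jump to the
    next sample exceeds max(min_gap, (gap_ratio - 1) * previous sample).
    Assumed method: single-linkage on a one-dimensional series."""
    if not values:
        return []
    ordered = sorted(values)
    classes: List[List[float]] = [[ordered[0]]]
    for prev, v in zip(ordered, ordered[1:]):
        if v - prev > max(min_gap, (gap_ratio - 1.0) * prev):
            classes.append([v])
        else:
            classes[-1].append(v)
    return classes


def largest_class_stats(values: List[float]) -> Tuple[int, int]:
    """(number of elements in the largest class, total number of samples)."""
    classes = cluster_1d(values)
    n_max = max((len(c) for c in classes), default=0)
    return n_max, len(values)


def dominance_gap(values: List[float]) -> float:
    """Share of samples outside the largest class: 0 when every sample falls in
    one class, and 0 for an empty series so a silent node is not scored as anomalous."""
    n_max, total = largest_class_stats(values)
    return 0.0 if total == 0 else 1.0 - n_max / total


def node_threat_value(uplink: List[float], downlink: List[float]) -> float:
    """R_i as assumed here: mean of the uplink and downlink dominance gaps."""
    return (dominance_gap(uplink) + dominance_gap(downlink)) / 2.0


def network_threat_situation(threat_values: Dict[str, float],
                             weights: Dict[str, float]) -> float:
    """R = sum_i W_i * R_i, the weighted form the patent uses for every dimension."""
    return sum(weights[i] * r for i, r in threat_values.items())


# Constructed per-interval byte counts for one node: the uplink series carries a
# two-interval burst, the downlink series is steady.
UPLINK_SAMPLES = [100, 110, 95, 105, 100, 98, 102, 5000, 5200, 99]
DOWNLINK_SAMPLES = [400, 420, 390, 410, 405, 395, 400, 415, 410, 405]

if __name__ == "__main__":
    print(cluster_1d(UPLINK_SAMPLES))
    print(largest_class_stats(UPLINK_SAMPLES), largest_class_stats(DOWNLINK_SAMPLES))
    print(node_threat_value(UPLINK_SAMPLES, DOWNLINK_SAMPLES))
```

With gap-based grouping a steady series forms a single class and contributes zero, while a short burst shows up as the fraction of intervals outside the dominant class. A method such as k-means with a fixed k would always split even a steady series into k classes, so the largest-class count would need a different interpretation before being turned into a threat value.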
In the embodiment of the present invention, the third determining module 13 is specifically configured to determine the vulnerability value of each node according to the packet loss rate, the maximum number of simultaneous connections and the traffic situation; and determine the vulnerability situation of the network according to the set weight of each node and the vulnerability value of each node.
In the embodiment of the present invention, the fourth determining module 14 is specifically configured to multiply the asset situation, the threat situation and the vulnerability situation to determine a security situation of the network.
In the embodiment of the present invention, the security early warning module 15 is specifically configured to issue a security early warning if the security situation is greater than the early warning threshold.
The network security early warning device provided in this embodiment may be used to implement the network security early warning methods in fig. 1, 2, 3 and 4, and the detailed description may refer to the embodiments of the network security early warning methods, and the description is not repeated here.
The embodiment of the invention provides a storage medium, which comprises a stored program, wherein the program is used for controlling equipment where the storage medium is located to execute the steps of the embodiment of the network security early warning method, and the specific description can be seen from the embodiment of the network security early warning method.
The embodiment of the invention provides a computer device, which comprises a memory and a processor, wherein the memory is used for storing information comprising program instructions, the processor is used for controlling the execution of the program instructions, and when the program instructions are loaded and executed by the processor, the steps of the embodiment of the network security early warning method are realized.
Fig. 6 is a schematic diagram of a computer device according to an embodiment of the present invention. As shown in Fig. 6, the computer device 20 of this embodiment includes: a processor 21, a memory 22, and a computer program 23 stored in the memory 22 and capable of running on the processor 21. When the computer program 23 is executed by the processor 21, the network security early warning method of the embodiment is implemented; it is not described again here to avoid repetition. Alternatively, the computer program, when executed by the processor 21, implements the functions of the modules/units of the network security early warning device in the embodiments; the description is likewise omitted here to avoid repetition.
Computer device 20 includes, but is not limited to, a processor 21, a memory 22. It will be appreciated by those skilled in the art that fig. 6 is merely an example of computer device 20 and is not intended to limit computer device 20, and may include more or fewer components than shown, or may combine certain components, or different components, e.g., a computer device may also include an input-output device, a network access device, a bus, etc.
The processor 21 may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field-programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 22 may be an internal storage unit of the computer device 20, such as a hard disk or memory of the computer device 20. The memory 22 may also be an external storage device of the computer device 20, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided on the computer device 20. Further, the memory 22 may also include both internal and external storage units of the computer device 20. The memory 22 is used to store computer programs and other programs and data required by the computer device. The memory 22 may also be used to temporarily store data that has been output or is to be output.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present invention, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform part of the steps of the methods according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather to enable any modification, equivalent replacement, improvement or the like to be made within the spirit and principles of the invention.

Claims (10)

1. A network security early warning method, characterized by comprising the following steps:
determining the asset situation of the network according to the node type of each node in the network and the hardware information of each node in a preset time period;
determining the threat situation of the network according to the node type and the acquired traffic information of each node in the preset time period;
determining the vulnerability situation of the network according to the node type and the traffic information of each node in the preset time period;
determining the security situation of the network according to the asset situation, the threat situation and the vulnerability situation;
and carrying out security early warning according to the security situation.
2. The method according to claim 1, wherein the hardware information of each node in the preset time period includes a CPU utilization rate, a memory utilization rate and a vulnerability count corresponding to each node type, and the determining the asset situation of the network according to the obtained node type of each node in the network and the hardware information of each node in the preset time period includes:
determining the asset value of each node according to the node type, the CPU utilization rate, the memory utilization rate and the vulnerability count corresponding to each node type;
and determining the asset situation of the network according to the set weight of each node and the asset value of each node.
3. The method according to claim 1, wherein the traffic information of each node in the preset time period includes uplink traffic data and downlink traffic data, and the determining the threat situation of the network according to the node type and the acquired traffic information of each node in the preset time period includes:
clustering the uplink traffic data to obtain the number of elements contained in the maximum class of the uplink traffic data and the total amount of the uplink traffic data;
clustering the downlink traffic data to obtain the number of elements contained in the maximum class of the downlink traffic data and the total amount of the downlink traffic data;
generating the threat value of each node according to the number of elements contained in the maximum class of the uplink traffic data, the total amount of the uplink traffic data, the number of elements contained in the maximum class of the downlink traffic data and the total amount of the downlink traffic data;
and determining the threat situation of the network according to the set weight of each node and the threat value of each node.
4. The method according to claim 1, wherein the traffic information of each node in the preset time period includes a packet loss rate, a maximum number of simultaneous connections and a traffic situation, and the determining the vulnerability situation of the network according to the node type and the traffic information of each node in the preset time period includes:
determining the vulnerability value of each node according to the packet loss rate, the maximum number of simultaneous connections and the traffic situation;
and determining the vulnerability situation of the network according to the set weight of each node and the vulnerability value of each node.
5. The method of claim 1, wherein the determining a security posture of the network based on the asset posture, the threat posture, and the vulnerability posture comprises:
multiplying the asset situation, the threat situation and the vulnerability situation to determine a security situation of the network.
6. The method of claim 2, wherein determining the asset value of each node according to the node type, the CPU utilization rate, the memory utilization rate and the vulnerability count corresponding to each node type comprises:
determining the asset value of each node according to the maximum, average and minimum values of the CPU utilization rate in the preset time period, the maximum, average and minimum values of the memory utilization rate in the preset time period, and, among the vulnerability counts corresponding to each node type, the vulnerability counts of node types different from that of the node and the vulnerability count of the same node type.
7. The method of claim 1, wherein the carrying out security early warning according to the security situation comprises:
issuing a security early warning if the security situation is greater than the early warning threshold.
8. A network security early warning device, comprising:
a first determining module, configured to determine the asset situation of the network according to the obtained node type of each node in the network and the hardware information of each node in a preset time period;
a second determining module, configured to determine the threat situation of the network according to the node type and the acquired traffic information of each node in the preset time period;
a third determining module, configured to determine the vulnerability situation of the network according to the node type and the traffic information of each node in the preset time period;
a fourth determining module, configured to determine the security situation of the network according to the asset situation, the threat situation and the vulnerability situation;
and a security early warning module, configured to carry out security early warning according to the security situation.
9. A storage medium comprising a stored program, wherein the program, when run, controls a device in which the storage medium is located to perform the network security early warning method of any one of claims 1 to 7.
10. A computer device comprising a memory for storing information including program instructions and a processor for controlling execution of the program instructions, wherein the program instructions, when loaded and executed by the processor, implement the steps of the network security early warning method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210207618.XA CN116743406A (en) 2022-03-04 2022-03-04 Network security early warning method and device, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210207618.XA CN116743406A (en) 2022-03-04 2022-03-04 Network security early warning method and device, storage medium and computer equipment

Publications (1)

Publication Number Publication Date
CN116743406A true CN116743406A (en) 2023-09-12

Family

ID=87917352

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210207618.XA Pending CN116743406A (en) 2022-03-04 2022-03-04 Network security early warning method and device, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN116743406A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117375982A (en) * 2023-11-07 2024-01-09 广州融服信息技术有限公司 Network situation safety monitoring system
CN117375982B (en) * 2023-11-07 2024-03-15 广州融服信息技术有限公司 Network situation safety monitoring system

Similar Documents

Publication Publication Date Title
Santos et al. Machine learning algorithms to detect DDoS attacks in SDN
KR102135024B1 (en) Method and apparatus for identifying category of cyber attack aiming iot devices
Choi et al. A method of DDoS attack detection using HTTP packet pattern and rule engine in cloud computing environment
US10114934B2 (en) Calculating consecutive matches using parallel computing
EP3399723B1 (en) Performing upper layer inspection of a flow based on a sampling rate
CN105871811B (en) Control the method and controller of application program permission
CN104836702A (en) Host network abnormal behavior detection and classification method under large flow environment
EP4344134A1 (en) Traffic detection method and apparatus, device and storage medium
Alzahrani et al. ML‐IDSDN: Machine learning based intrusion detection system for software‐defined network
Rathore et al. Hadoop based real-time intrusion detection for high-speed networks
CN114598512B (en) Network security guarantee method and device based on honeypot and terminal equipment
CN116743406A (en) Network security early warning method and device, storage medium and computer equipment
CN111131309A (en) Distributed denial of service detection method and device and model creation method and device
CN108737344A (en) A kind of network attack protection method and device
CN113268735B (en) Distributed denial of service attack detection method, device, equipment and storage medium
Fenil et al. Towards a secure software defined network with adaptive mitigation of dDoS attacks by machine learning approaches
CN115695041B (en) DDOS attack detection and protection method and application based on SDN
Singh Machine learning in openflow network: comparative analysis of DDoS detection techniques.
CN111786940A (en) Data processing method and device
CN113328976B (en) Security threat event identification method, device and equipment
CN112532610B (en) Intrusion prevention detection method and device based on TCP segmentation
CN112565290B (en) Intrusion prevention method, system and related equipment
CN110460559A (en) Distribution hits detection method, device and the computer readable storage medium of library behavior
CN107888624B (en) Method and device for protecting network security
EP3618389B1 (en) Systems and methods for operating a networking device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination