CN116827687A - Network security protection method, device and medium - Google Patents

Info

Publication number: CN116827687A
Authority: CN (China)
Application number: CN202311087057.5A
Other languages: Chinese (zh)
Other versions: CN116827687B (en)
Inventors: 李丹, 肖新光
Current assignee: Beijing Antiy Network Technology Co Ltd
Original assignee: Beijing Antiy Network Technology Co Ltd
Legal status: Granted (active)
Prior art keywords: target, hty, qty, equipment, period

Events:

  • Application filed by Beijing Antiy Network Technology Co Ltd
  • Priority to CN202311087057.5A
  • Publication of CN116827687A
  • Application granted
  • Publication of CN116827687B

Landscapes

  • Alarm Systems (AREA)

Abstract

The invention discloses a network security protection method, device and medium in the technical field of network security, comprising the following steps: acquiring a port information set corresponding to a target device in a target time window; acquiring a foreground application feature set corresponding to the target device in the target time window; acquiring a background application feature set corresponding to the target device in the target time window; determining a target feature vector corresponding to the target device according to the port information set, the foreground application feature set and the background application feature set; inputting the target feature vector into a target model to obtain the target time period in which a network threat event occurs on the target device; and performing security protection on the target device according to the target time period. The invention can protect the target device while the network threat is still sniffing the device ports and has not yet penetrated successfully, effectively avoiding the occurrence of a network threat event on the target device, ensuring its network security, and maintaining the data and personal information security of the device user.

Description

Network security protection method, device and medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a network security protection method, device, and medium.
Background
With the continuous development of network security technology, the technical capability supporting the monitoring, early warning and emergency handling of network threat events is steadily improving. However, most of the prior art can only provide threat discovery and handling capability after the network threat has successfully penetrated, and cannot detect the threat at the stage where it is sniffing the device ports and has not yet successfully invaded, so that defence against network threat events is too passive and network security cannot be guaranteed more efficiently.
Disclosure of Invention
In view of the above, the present invention provides a network security protection method, device and medium, which can perform security protection on a target device when a network threat sniffs a device port and does not successfully invade the device, more fully ensure network security of the target device, and at least partially solve the problems existing in the prior art.
Specifically, the invention comprises:
a network security protection method, comprising:
acquiring a port information set D = (D_1, D_2, …, D_i, …, D_n) corresponding to the target device in a target time window; the ending time of the target time window is the current time, the target time window comprises n consecutive historical time periods, the length of the target time window is n·ΔT, and ΔT is the length of each historical time period; wherein i = 1, 2, …, n; D_i is the number of ports of the target device that were accessed by external devices during the i-th historical time period;
acquiring a foreground application feature set QTY = (QTY_1, QTY_2, …, QTY_i, …, QTY_n) corresponding to the target device in the target time window; QTY_i = (QTY_{i1}, QTY_{i2}, …, QTY_{ij}, …, QTY_{im}); wherein j = 1, 2, …, m; QTY_i is the foreground application feature information corresponding to the i-th historical time period; QTY_{ij} is the application feature of the foreground application ranked j-th by maximum memory occupancy rate within the i-th historical time period; m is a preset number;
acquiring a background application feature set HTY = (HTY_1, HTY_2, …, HTY_i, …, HTY_n) corresponding to the target device in the target time window; HTY_i = (HTY_{i1}, HTY_{i2}, …, HTY_{ij}, …, HTY_{im}); wherein HTY_i is the background application feature information corresponding to the i-th historical time period; HTY_{ij} is the application feature of the background application ranked j-th by maximum memory occupancy rate within the i-th historical time period;
determining, according to D, QTY and HTY, a target feature vector Q = (Q_1, Q_2, …, Q_i, …, Q_n) corresponding to the target device; Q_i is the device feature corresponding to the i-th historical time period; Q_i = (D_i, QTY_i, HTY_i);
inputting the target feature vector Q into a target model to obtain the target time period in which a network threat event occurs on the target device;
performing security protection on the target device according to the target time period.
Further, QTY_{ij} = (QCPU_{ij}, QRAM_{ij}, QWL_{ij}); wherein QCPU_{ij} is the maximum CPU occupancy of the j-th foreground application during the i-th historical time period, QRAM_{ij} is the maximum memory occupancy of the j-th foreground application during the i-th historical time period, and QWL_{ij} is the maximum network occupancy of the j-th foreground application during the i-th historical time period.
HTY_{ij} = (HCPU_{ij}, HRAM_{ij}, HWL_{ij}); wherein HCPU_{ij} is the maximum CPU occupancy of the j-th background application during the i-th historical time period, HRAM_{ij} is the maximum memory occupancy of the j-th background application during the i-th historical time period, and HWL_{ij} is the maximum network occupancy of the j-th background application during the i-th historical time period.
Further, inputting the target feature vector Q into a target model to obtain the target time period in which a network threat event occurs on the target device comprises:
inputting the target feature vector Q into the target model to obtain a probability set V = (V_1, V_2, …, V_h, …, V_k) of network threat events corresponding to the target device; wherein h = 1, 2, …, k; V_h is the probability that a network threat event occurs on the target device in the h-th prediction time period; the prediction time periods are consecutive and of equal length; each prediction time period is later than the current time; k is the preset number of prediction time periods;
determining whether the maximum probability V_max in the probability set V is greater than a preset probability value;
if it is greater than the preset probability value, determining the prediction time period corresponding to V_max as the target time period.
Further, the target model comprises a port parameter set w, a foreground application parameter set e and a background application parameter set r obtained after training, which determine V_h:
w = (w_1, w_2, …, w_h, …, w_k); w_h = (w_{h1}, w_{h2}, …, w_{hi}, …, w_{hn}); wherein w_h is the port parameter list corresponding to the h-th prediction time period, and w_{hi} is the parameter of D_i corresponding to the h-th prediction time period.
e = (e_1, e_2, …, e_h, …, e_k); e_h = (e_{h1}, e_{h2}, …, e_{hi}, …, e_{hn}); wherein e_h is the foreground application feature parameter list corresponding to the h-th prediction time period; e_{hi} is the parameter list of QTY_i corresponding to the h-th prediction time period; e_{hi} = (e_{hi1}, e_{hi2}, …, e_{hij}, …, e_{him}); e_{hij} is the parameter of QTY_{ij} corresponding to the h-th prediction time period.
r = (r_1, r_2, …, r_h, …, r_k); r_h = (r_{h1}, r_{h2}, …, r_{hi}, …, r_{hn}); wherein r_h is the background application feature parameter list corresponding to the h-th prediction time period; r_{hi} is the parameter list of HTY_i corresponding to the h-th prediction time period; r_{hi} = (r_{hi1}, r_{hi2}, …, r_{hij}, …, r_{him}); r_{hij} is the parameter of HTY_{ij} corresponding to the h-th prediction time period.
V_h = w_{h1}·D_1 + w_{h2}·D_2 + … + w_{hi}·D_i + … + w_{hn}·D_n + e_{h11}·QTY_{11} + e_{h12}·QTY_{12} + … + e_{hij}·QTY_{ij} + … + e_{hnm}·QTY_{nm} + r_{h11}·HTY_{11} + r_{h12}·HTY_{12} + … + r_{hij}·HTY_{ij} + … + r_{hnm}·HTY_{nm}.
Further, the port parameter set w, the foreground application parameter set e and the background application parameter set r are obtained by the following method:
obtaining a first data set M = (M_1, M_2, …, M_a, …, M_b); wherein a = 1, 2, …, b; M_a is the feature vector set corresponding to the a-th first-type device in a first time window; a first-type device is a device on which a network threat event has occurred; the ending time of the first time window corresponding to each first-type device is the time at which its current state is determined to be successfully invaded by the network threat; the length of the first time window corresponding to each first-type device is L = (2k - 1)·t'; t' is the length of the prediction time period; M_a = (M_{a1}, M_{a2}, …, M_{ah}, …, M_{ak}); M_{ah} is the feature vector corresponding to the first-type device in the key time window after the key time window has slid forward (h - 1) times; the initial ending time of the key time window corresponding to each first-type device is the same as the ending time of the first time window; the length of the key time window is k·t'; the step length of each forward slide of the key time window is t'; b is the number of first-type devices; each feature vector in M_a is marked with a probability label, and each probability label comprises k flag bits; in the probability label corresponding to M_{ah}, the value of the h-th flag bit is 1 and the values of the remaining flag bits are 0.
obtaining a second data set H = (H_1, H_2, …, H_x, …, H_g); wherein x = 1, 2, …, g; H_x is the feature vector corresponding to the x-th second-type device in a second time window; a second-type device is a device on which no network threat event has occurred; the length of the second time window corresponding to each second-type device is the same as that of the key time window; every flag bit of the probability label corresponding to each feature vector in H is 0; g is the preset number of second-type devices.
training an initial model according to M and H to obtain the port parameter set w, the foreground application parameter set e and the background application parameter set r, thereby determining the target model.
Further, the port parameters, the foreground application feature parameters and the background application feature parameters corresponding to the h-th prediction time period satisfy the following constraints:
w_{h1} + w_{h2} + … + w_{hi} + … + w_{hn} = rat_1;
e_{h11} + e_{h12} + … + e_{hij} + … + e_{hnm} = rat_2;
r_{h11} + r_{h12} + … + r_{hij} + … + r_{hnm} = rat_2;
none of w_{h1}, w_{h2}, …, w_{hi}, …, w_{hn}, e_{h11}, e_{h12}, …, e_{hij}, …, e_{hnm}, r_{h11}, r_{h12}, …, r_{hij}, …, r_{hnm} equals 0;
wherein rat_1 and rat_2 are preset coefficient constraint values, and rat_1 + 2·rat_2 = 1.
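As an added illustration (not code from the patent or its applicant), the following Python scores a target feature vector Q with the linear model V_h above, checks the rat_1 / rat_2 constraints, and applies the V_max threshold from the preferred solution. The scaling of D_i to a fraction of the port range, the collapsing of each (CPU, RAM, network) triple to its mean, and all parameter and feature values are my assumptions and constructed data.

```python
# Added example, not from the patent: scoring a device's target feature vector
# Q with the linear target model V_h and applying the V_max threshold.
# Assumptions (mine): D_i is scaled to the fraction of the 65536-port range so
# every feature lies in [0, 1]; each QTY_ij / HTY_ij triple (CPU, RAM, network
# occupancy) is collapsed to its mean before being multiplied by e_hij / r_hij;
# all parameters are positive. Dimensions: n = 2, m = 2, k = 2.
from itertools import chain

PORT_RANGE = 65536


def normalize_ports(count):
    """D_i as a fraction of the port range (assumption, keeps V_h in [0, 1])."""
    return count / PORT_RANGE


def app_scalar(triple):
    """Collapse (CPU, RAM, network) occupancy to one value (assumption)."""
    return sum(triple) / 3.0


def build_target_vector(D, QTY, HTY):
    """Q = (Q_1, ..., Q_n) with Q_i = (D_i, QTY_i, HTY_i)."""
    if not (len(D) == len(QTY) == len(HTY)):
        raise ValueError("D, QTY and HTY must cover the same n periods")
    return [(normalize_ports(D[i]), QTY[i], HTY[i]) for i in range(len(D))]


def check_constraints(w, e, r, rat1, rat2, tol=1e-9):
    """Per-period constraints: sum w_h = rat1, sum e_h = sum r_h = rat2,
    rat1 + 2*rat2 = 1, and no parameter equal to 0."""
    if abs(rat1 + 2 * rat2 - 1.0) > tol:
        return False
    for h in range(len(w)):
        flat_e = list(chain.from_iterable(e[h]))
        flat_r = list(chain.from_iterable(r[h]))
        if abs(sum(w[h]) - rat1) > tol:
            return False
        if abs(sum(flat_e) - rat2) > tol or abs(sum(flat_r) - rat2) > tol:
            return False
        if any(p == 0 for p in chain(w[h], flat_e, flat_r)):
            return False
    return True


def score(Q, w, e, r):
    """V_h = sum_i w_hi*D_i + sum_ij e_hij*QTY_ij + sum_ij r_hij*HTY_ij."""
    V = []
    for h in range(len(w)):
        v = 0.0
        for i, (D_i, QTY_i, HTY_i) in enumerate(Q):
            v += w[h][i] * D_i
            for j in range(len(QTY_i)):
                v += e[h][i][j] * app_scalar(QTY_i[j])
                v += r[h][i][j] * app_scalar(HTY_i[j])
        V.append(v)
    return V


def target_period(V, threshold):
    """1-based index of the period holding V_max if V_max exceeds the preset
    probability value, else None (no protection action is scheduled)."""
    h_max = max(range(len(V)), key=V.__getitem__)
    return h_max + 1 if V[h_max] > threshold else None


# Constructed parameters satisfying the constraints with rat1 = 0.5, rat2 = 0.25.
RAT1, RAT2 = 0.5, 0.25
W = [[0.3, 0.2], [0.1, 0.4]]
E = [[[0.05, 0.05], [0.1, 0.05]], [[0.1, 0.05], [0.05, 0.05]]]
R = [[[0.1, 0.05], [0.05, 0.05]], [[0.05, 0.05], [0.05, 0.1]]]

# Constructed observation: ports touched per period rise from 8192 to 32768,
# and the top-2 foreground/background apps by memory use get busier.
D_COUNTS = [8192, 32768]
QTY = [[(0.3, 0.6, 0.3), (0.2, 0.4, 0.3)], [(0.6, 0.9, 0.6), (0.5, 0.7, 0.3)]]
HTY = [[(0.1, 0.2, 0.3), (0.2, 0.1, 0.0)], [(0.8, 0.9, 0.7), (0.4, 0.6, 0.5)]]


def run(threshold=0.3):
    """Full pipeline: Q -> V -> target period. Returns (V, target period)."""
    if not check_constraints(W, E, R, RAT1, RAT2):
        raise ValueError("parameter sets violate the training constraints")
    V = score(build_target_vector(D_COUNTS, QTY, HTY), W, E, R)
    return V, target_period(V, threshold)


if __name__ == "__main__":
    V, h = run()
    print("V =", [round(v, 4) for v in V], "target period:", h)
```

With the constructed values the second prediction period scores highest (V_2 = 0.4325) and clears a 0.3 threshold but not a 0.5 one, which is where the preset probability value decides whether protection is scheduled at all.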
Further, the number of ports accessed by external devices is the number of ports that received Telnet data; the Telnet data includes Telnet data packets and Telnet instructions.
Further, the performing safety protection on the target device according to the target time period includes:
and obtaining the vulnerability information of the target equipment, and sending patches to the target equipment according to the vulnerability information.
A network security protection device, comprising:
a port information set acquisition module, configured to acquire a port information set D = (D_1, D_2, …, D_i, …, D_n) corresponding to the target device in the target time window; the ending time of the target time window is the current time, the target time window comprises n consecutive historical time periods, the length of the target time window is n·ΔT, and ΔT is the length of each historical time period; wherein i = 1, 2, …, n; D_i is the number of ports of the target device that were accessed by external devices during the i-th historical time period;
a foreground application feature set acquisition module, configured to acquire a foreground application feature set QTY = (QTY_1, QTY_2, …, QTY_i, …, QTY_n) corresponding to the target device in the target time window; QTY_i = (QTY_{i1}, QTY_{i2}, …, QTY_{ij}, …, QTY_{im}); wherein j = 1, 2, …, m; QTY_i is the foreground application feature information corresponding to the i-th historical time period; QTY_{ij} is the application feature of the foreground application ranked j-th by maximum memory occupancy rate within the i-th historical time period; m is a preset number;
a background application feature set acquisition module, configured to acquire a background application feature set HTY = (HTY_1, HTY_2, …, HTY_i, …, HTY_n) corresponding to the target device in the target time window; HTY_i = (HTY_{i1}, HTY_{i2}, …, HTY_{ij}, …, HTY_{im}); wherein HTY_i is the background application feature information corresponding to the i-th historical time period; HTY_{ij} is the application feature of the background application ranked j-th by maximum memory occupancy rate within the i-th historical time period;
a target feature vector determination module, configured to determine, according to D, QTY and HTY, a target feature vector Q = (Q_1, Q_2, …, Q_i, …, Q_n) corresponding to the target device; Q_i is the device feature corresponding to the i-th historical time period; Q_i = (D_i, QTY_i, HTY_i);
a target time period determination module, configured to input the target feature vector Q into a target model to obtain the target time period in which a network threat event occurs on the target device;
a security protection module, configured to perform security protection on the target device according to the target time period.
A non-transitory computer-readable storage medium, in which at least one instruction or at least one program is stored, the instruction or program being loaded and executed by a processor to implement the foregoing method.
The beneficial effects of the invention are as follows:
According to the method, considering that network threat behaviour traverses the device ports to find an attack entry point before successfully invading the device, the port information set corresponding to the target device in the target time window is taken as one part of the target feature vector. Considering that, while the network threat behaviour scans the ports of the target device in an attempt to break into it, some foreground and background applications may abnormally preempt memory resources, the application features of the foreground and background applications with high memory occupancy on the target device in the target time window are taken as another part of the target feature vector. By controlling the length and ending time of the target time window and inputting the target feature vector into the target model, the device behaviour of the target device in the period shortly before the current time can be analysed, so that the finally determined target time period in which a network threat event occurs on the target device is more accurate. Security protection of the target device according to the target time period effectively avoids the occurrence of a network threat event on the target device, more fully ensures its network security, and further maintains the data security and personal information security of the device user.
Compared with existing technology that predicts network threats from the vulnerability information and the like of a device, the method and device can accurately detect devices that have been probed by network threat behaviour and are in the process of being penetrated but have not yet been penetrated successfully, and apply network security protection to those devices before the network threat event occurs. This greatly improves the accuracy of network threat monitoring and early warning, while greatly reducing the network security protection redundancy of the device and improving the user experience on the device side. The invention is suitable for various network environments, such as the Internet, private networks, ad hoc networks and the like.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a network security protection method according to an embodiment of the present invention;
fig. 2 is a diagram illustrating a network security protection apparatus according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be noted that, without conflict, the following embodiments and features in the embodiments may be combined with each other; and, based on the embodiments in this disclosure, all other embodiments that may be made by one of ordinary skill in the art without inventive effort are within the scope of the present disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
The invention provides an embodiment of a network security protection method, as shown in fig. 1, comprising the following steps:
S11: acquiring a port information set D = (D_1, D_2, …, D_i, …, D_n) corresponding to the target device in a target time window; the ending time of the target time window is the current time, the target time window comprises n consecutive historical time periods, the length of the target time window is n·ΔT, and ΔT is the length of each historical time period; wherein i = 1, 2, …, n; D_i is the number of ports of the target device that were accessed by external devices during the i-th historical time period.
S12: acquiring a foreground application feature set QTY = (QTY_1, QTY_2, …, QTY_i, …, QTY_n) corresponding to the target device in the target time window; QTY_i = (QTY_{i1}, QTY_{i2}, …, QTY_{ij}, …, QTY_{im}); wherein j = 1, 2, …, m; QTY_i is the foreground application feature information corresponding to the i-th historical time period; QTY_{ij} is the application feature of the foreground application ranked j-th by maximum memory occupancy rate within the i-th historical time period; m is a preset number.
S13: acquiring a background application feature set HTY = (HTY_1, HTY_2, …, HTY_i, …, HTY_n) corresponding to the target device in the target time window; HTY_i = (HTY_{i1}, HTY_{i2}, …, HTY_{ij}, …, HTY_{im}); wherein HTY_i is the background application feature information corresponding to the i-th historical time period; HTY_{ij} is the application feature of the background application ranked j-th by maximum memory occupancy rate within the i-th historical time period.
S14: determining, according to D, QTY and HTY, a target feature vector Q = (Q_1, Q_2, …, Q_i, …, Q_n) corresponding to the target device; Q_i is the device feature corresponding to the i-th historical time period; Q_i = (D_i, QTY_i, HTY_i).
S15: inputting the target feature vector Q into a target model to obtain the target time period in which a network threat event occurs on the target device; the target time period in which the network threat event occurs on the target device is the time period in which the network threat penetrates successfully.
S16: performing security protection on the target device according to the target time period.
The length of the target time window in step S11 of the embodiment shown in fig. 1 is set according to practical application requirements. For example, considering that a network threat behaviour scans all ports of the target device once within 10 minutes, the length of the target time window is correspondingly set to 10 minutes. The length of ΔT is likewise set according to practical application requirements, for example 1 minute or 30 seconds; the shorter ΔT is, the more information the obtained target feature vector Q contains and the more accurate the result output by the target model. While the network threat behaviour scans the ports of the target device in an attempt to break into it, some foreground and background applications may abnormally preempt memory resources, so the application features of the foreground and background applications that occupy a large amount of memory are added to the target feature vector Q.
The embodiment shown in fig. 1 considers that network threat behaviour traverses the device ports to find an attack entry point before successfully invading the device, and takes the port information set corresponding to the target device in the target time window as one part of the target feature vector. It also considers that, while the network threat behaviour scans the ports of the target device in an attempt to break into it, some foreground and background applications may abnormally preempt memory resources, and takes the application features of the foreground and background applications with high memory occupancy on the target device in the target time window as another part of the target feature vector. By controlling the length and ending time of the target time window and inputting the target feature vector into the target model, the device behaviour of the target device in the period shortly before the current time can be analysed, so that the finally determined target time period in which a network threat event occurs on the target device is more accurate; security protection of the target device according to that time period effectively avoids the network threat event, more fully ensures the network security of the target device, and further maintains the data security and personal information security of its user. Compared with existing technology that predicts network threats from the vulnerability information and the like of a device, the embodiment of fig. 1 can accurately detect devices that have already been probed by network threat behaviour and are in the process of being penetrated but have not yet been penetrated successfully, and apply network security protection to those devices before the network threat event occurs, so that the accuracy of network threat monitoring and early warning is greatly improved while the network security protection redundancy of the device is greatly reduced and the user experience on the device side improves. The embodiment of fig. 1 is applicable to various network environments, such as the Internet, private networks, ad hoc networks, etc.
Preferably, QTY_{ij} = (QCPU_{ij}, QRAM_{ij}, QWL_{ij}); wherein QCPU_{ij} is the maximum CPU occupancy of the j-th foreground application during the i-th historical time period, QRAM_{ij} is the maximum memory occupancy of the j-th foreground application during the i-th historical time period, and QWL_{ij} is the maximum network occupancy of the j-th foreground application during the i-th historical time period.
HTY_{ij} = (HCPU_{ij}, HRAM_{ij}, HWL_{ij}); wherein HCPU_{ij} is the maximum CPU occupancy of the j-th background application during the i-th historical time period, HRAM_{ij} is the maximum memory occupancy of the j-th background application during the i-th historical time period, and HWL_{ij} is the maximum network occupancy of the j-th background application during the i-th historical time period.
Preferably, inputting the target feature vector Q into a target model to obtain the target time period in which a network threat event occurs on the target device comprises:
inputting the target feature vector Q into the target model to obtain a probability set V = (V_1, V_2, …, V_h, …, V_k) of network threat events corresponding to the target device; wherein h = 1, 2, …, k; V_h is the probability that a network threat event occurs on the target device in the h-th prediction time period; the prediction time periods are consecutive and of equal length; each prediction time period is later than the current time; k is the preset number of prediction time periods;
determining whether the maximum probability V_max in the probability set V is greater than a preset probability value;
if it is greater than the preset probability value, determining the prediction time period corresponding to V_max as the target time period.
In the above preferred solution, because the parameters, performance indexes, open ports and other conditions of actual devices differ, the duration from a network threat behaviour sniffing a port to breaking through it also differs, so the length of the prediction time period is determined according to practical application requirements, for example 30 minutes, 2 hours or 24 hours. For example, if k = 7 and the prediction time period is 24 hours, V gives the probability of a network threat event on the target device for each day of the next 7 days. The preset probability value is set according to practical application requirements, for example 0.3 or 0.5.
Preferably, the target model comprises a port parameter set w, a foreground application parameter set e and a background application parameter set r obtained after training, which determine V_h:
w = (w_1, w_2, …, w_h, …, w_k); w_h = (w_{h1}, w_{h2}, …, w_{hi}, …, w_{hn}); wherein w_h is the port parameter list corresponding to the h-th prediction time period, and w_{hi} is the parameter of D_i corresponding to the h-th prediction time period.
e = (e_1, e_2, …, e_h, …, e_k); e_h = (e_{h1}, e_{h2}, …, e_{hi}, …, e_{hn}); wherein e_h is the foreground application feature parameter list corresponding to the h-th prediction time period; e_{hi} is the parameter list of QTY_i corresponding to the h-th prediction time period; e_{hi} = (e_{hi1}, e_{hi2}, …, e_{hij}, …, e_{him}); e_{hij} is the parameter of QTY_{ij} corresponding to the h-th prediction time period.
r = (r_1, r_2, …, r_h, …, r_k); r_h = (r_{h1}, r_{h2}, …, r_{hi}, …, r_{hn}); wherein r_h is the background application feature parameter list corresponding to the h-th prediction time period; r_{hi} is the parameter list of HTY_i corresponding to the h-th prediction time period; r_{hi} = (r_{hi1}, r_{hi2}, …, r_{hij}, …, r_{him}); r_{hij} is the parameter of HTY_{ij} corresponding to the h-th prediction time period.
V_h = w_{h1}·D_1 + w_{h2}·D_2 + … + w_{hi}·D_i + … + w_{hn}·D_n + e_{h11}·QTY_{11} + e_{h12}·QTY_{12} + … + e_{hij}·QTY_{ij} + … + e_{hnm}·QTY_{nm} + r_{h11}·HTY_{11} + r_{h12}·HTY_{12} + … + r_{hij}·HTY_{ij} + … + r_{hnm}·HTY_{nm}.
Preferably, the port parameter set w, the foreground application parameter set e and the background application parameter set r are obtained by the following method:
obtaining a first data set M = (M_1, M_2, …, M_a, …, M_b); wherein a = 1, 2, …, b; M_a is the feature vector set corresponding to the a-th first-type device in a first time window; a first-type device is a device on which a network threat event has occurred; the ending time of the first time window corresponding to each first-type device is the time at which its current state is determined to be successfully invaded by the network threat; the length of the first time window corresponding to each first-type device is L = (2k - 1)·t'; t' is the length of the prediction time period; M_a = (M_{a1}, M_{a2}, …, M_{ah}, …, M_{ak}); M_{ah} is the feature vector corresponding to the first-type device in the key time window after the key time window has slid forward (h - 1) times; the initial ending time of the key time window corresponding to each first-type device is the same as the ending time of the first time window; the length of the key time window is k·t'; the step length of each forward slide of the key time window is t'; b is the number of first-type devices; each feature vector in M_a is marked with a probability label, and each probability label comprises k flag bits; in the probability label corresponding to M_{ah}, the value of the h-th flag bit is 1 and the values of the remaining flag bits are 0.
obtaining a second data set H = (H_1, H_2, …, H_x, …, H_g); wherein x = 1, 2, …, g; H_x is the feature vector corresponding to the x-th second-type device in a second time window; a second-type device is a device on which no network threat event has occurred; the length of the second time window corresponding to each second-type device is the same as that of the key time window; every flag bit of the probability label corresponding to each feature vector in H is 0; g is the preset number of second-type devices.
training an initial model according to M and H to obtain the port parameter set w, the foreground application parameter set e and the background application parameter set r, thereby determining the target model.
In the above preferred solution, considering that the number of first-type devices on which a network threat event has occurred is smaller than the number of second-type devices on which none has occurred, k feature vectors are collected for each first-type device within its time window by sliding the key time window, so that $b \times k$ negative samples are obtained from b first-type devices and enough negative sample data is available. For positive sample data, to ensure diversity, only one feature vector is collected for each second-type device within its time window, and the end time of each second-type device's time window is random. To secure the number of positive samples, $g \ge b \times k$.
The above preferred embodiments are exemplified as follows:
Assuming that $t'=24$ hours and $k=7$, the length of the first time window corresponding to each first-type device is 312 hours, that is, 13 days, and the length of the key time window corresponding to each first-type device is 168 hours, that is, 7 days. The key time window slides forward 24 hours at a time and slides $(k-1)$ times in total within the first time window corresponding to each first-type device; sliding from its initial state to the end yields 7 feature vectors for each first-type device within its first time window. If the a-th first-type device is determined to have been successfully invaded by the network threat at 0:00 on June 30, the end time of the first time window and of the key time window corresponding to the a-th first-type device is 0:00 on June 30, namely 24:00 on June 24; $M_{a1}$ is the feature vector of the a-th first-type device from 24:00 on June 17 to 24:00 on June 24, and the probability label corresponding to $M_{a1}$ is (1,0,0,0,0,0,0), meaning that the a-th first-type device is successfully infiltrated on June 25 and a network threat event occurs; correspondingly, $M_{a2}$ is the feature vector of the a-th first-type device from 24:00 on June 16 to 24:00 on June 23, and the probability label corresponding to $M_{a2}$ is (0,1,0,0,0,0,0), meaning that the a-th first-type device is still safe on June 24 and is successfully infiltrated on June 25, when a network threat event occurs; and so on. The feature vector corresponding to each second-type device is positive sample data, and the probability label corresponding to each positive sample is (0,0,0,0,0,0,0).
Preferably, the port parameter, the foreground application feature parameter and the background application feature parameter corresponding to the h prediction time period satisfy the following constraint conditions:
$w_{h1}+w_{h2}+\dots+w_{hi}+\dots+w_{hn}=rat_1$
$e_{h11}+e_{h12}+\dots+e_{hij}+\dots+e_{hnm}=rat_2$
$r_{h11}+r_{h12}+\dots+r_{hij}+\dots+r_{hnm}=rat_2$
none of $w_{h1},w_{h2},\dots,w_{hi},\dots,w_{hn},e_{h11},e_{h12},\dots,e_{hij},\dots,e_{hnm},r_{h11},r_{h12},\dots,r_{hij},\dots,r_{hnm}$ is equal to 0;
wherein $rat_1$ and $rat_2$ are preset coefficient constraint values, and $rat_1+2\,rat_2=1$.
In the above preferred embodiment, the sum of $e_{h11},e_{h12},\dots,e_{hij},\dots,e_{hnm}$ is the same as the sum of $r_{h11},r_{h12},\dots,r_{hij},\dots,r_{hnm}$, so that the target model can better balance the influence of foreground applications and background applications with high memory occupancy on the target device within a given time.
Preferably, the number of ports accessed by the external device is the number of ports receiving Telnet data; the Telnet data includes Telnet data packets and Telnet instructions. When network threat behaviour sniffs the device ports to find a breach, it traverses every port of the device, sending Telnet data, to determine the open ports and the ports with vulnerabilities, and then attempts an attack. The total number of ports on each device is 65535, and a full traversal typically completes within 10 minutes.
Preferably, the performing safety protection on the target device according to the target time period includes:
and obtaining the vulnerability information of the target equipment, and sending patches to the target equipment according to the vulnerability information.
The security protection also includes linkage with other security policies, installation of a protection program, switching the device into an isolated network, disconnecting it from the network, etc.
The present invention also provides an embodiment of a network security protection apparatus, as shown in fig. 2, including:
A port information set obtaining module 21, configured to obtain the port information set $D=(D_1,D_2,\dots,D_i,\dots,D_n)$ corresponding to the target device in the target time window; the ending time of the target time window is the current time, the target time window comprises n consecutively arranged historical time periods, the length of the target time window is $n\,\Delta T$, and $\Delta T$ is the length of each historical time period; wherein $i=1,2,\dots,n$; $D_i$ is the number of ports of the target device that have been accessed by an external device during the i-th historical time period.
A foreground application feature set obtaining module 22, configured to obtain the foreground application feature set $QTY=(QTY_1,QTY_2,\dots,QTY_i,\dots,QTY_n)$ corresponding to the target device in the target time window; $QTY_i=(QTY_{i1},QTY_{i2},\dots,QTY_{ij},\dots,QTY_{im})$; wherein $j=1,2,\dots,m$; $QTY_i$ is the foreground application feature information corresponding to the i-th historical time period; $QTY_{ij}$ is the application feature of the foreground application ranked j-th by maximum memory occupancy within the i-th historical period; m is a preset number.
A background application feature set obtaining module 23, configured to obtain the background application feature set $HTY=(HTY_1,HTY_2,\dots,HTY_i,\dots,HTY_n)$ corresponding to the target device in the target time window; $HTY_i=(HTY_{i1},HTY_{i2},\dots,HTY_{ij},\dots,HTY_{im})$; wherein $HTY_i$ is the background application feature information corresponding to the i-th historical time period; $HTY_{ij}$ is the application feature of the background application ranked j-th by maximum memory occupancy within the i-th historical period.
A target feature vector determining module 24, configured to determine, according to D, QTY and HTY, the target feature vector $Q=(Q_1,Q_2,\dots,Q_i,\dots,Q_n)$ corresponding to the target device; $Q_i$ is the device feature corresponding to the i-th historical time period; $Q_i=(D_i,QTY_i,HTY_i)$.
And the target time period determining module 25 is configured to input the target feature vector Q into a target model, and obtain a target time period corresponding to the target device, in which a network threat event occurs.
And the safety protection module 26 is used for carrying out safety protection on the target equipment according to the target time period.
In the embodiment shown in fig. 2, it is considered that network threat behaviour traverses the device ports to find an attack breach before successfully invading the device, so the port information set corresponding to the target device in the target time window is taken as one part of the target feature vector; it is also considered that, while network threat behaviour scans the ports of the target device, some foreground and background applications may abnormally preempt memory resources in an attempt to break into the target device, so the application features of the foreground and background applications with high memory occupancy on the target device in the target time window are taken as another part of the target feature vector. By controlling the length and end time of the target time window and inputting the target feature vector into the target model, the device behaviour of the target device in a period shortly before the current time can be analysed, so that the finally determined target time period in which the network threat event occurs is more accurate; performing security protection on the target device according to the target time period effectively avoids the occurrence of the network threat event, more fully ensures the network security of the target device, and maintains the data security and personal information security of the device user. Compared with existing techniques that predict network threats from device vulnerability information and the like, the embodiment of fig. 2 can accurately probe the behaviour of the network threat, detect devices that are being penetrated by the network threat but not yet successfully penetrated, and perform network security protection on the corresponding devices before the network threat event occurs, so that the accuracy of network threat monitoring and early warning is greatly improved while the network security protection redundancy of the devices is greatly reduced and the user experience on the device side is improved. The embodiment of fig. 2 is applicable to various network environments, such as the Internet, private networks, ad hoc networks, etc.
Preferably, $QTY_{ij}=(QCPU_{ij},QRAM_{ij},QWL_{ij})$; wherein $QCPU_{ij}$ is the maximum CPU occupancy of the j-th foreground application during the i-th historical period, $QRAM_{ij}$ is the maximum memory occupancy of the j-th foreground application during the i-th historical period, and $QWL_{ij}$ is the maximum network occupancy of the j-th foreground application during the i-th historical period.
$HTY_{ij}=(HCPU_{ij},HRAM_{ij},HWL_{ij})$; wherein $HCPU_{ij}$ is the maximum CPU occupancy of the j-th background application during the i-th historical period, $HRAM_{ij}$ is the maximum memory occupancy of the j-th background application during the i-th historical period, and $HWL_{ij}$ is the maximum network occupancy of the j-th background application during the i-th historical period.
Preferably, the inputting the target feature vector Q into a target model to obtain a target time period corresponding to the target device, where a network threat event occurs, includes:
Inputting the target feature vector Q into the target model to obtain the probability set $V=(V_1,V_2,\dots,V_h,\dots,V_k)$ of the network threat event for the target device; where $h=1,2,\dots,k$; $V_h$ is the probability of the network threat event occurring in the h-th prediction time period for the target device; the prediction time periods are arranged consecutively and have the same length; each prediction time period is later than the current time; k is the preset number of prediction time periods.
Determining whether the maximum probability $V_{\max}$ in the probability set V is greater than a preset probability value.
If it is greater than the preset probability value, the prediction time period corresponding to $V_{\max}$ is determined as the target time period.
Preferably, the target model comprises a port parameter set w, a foreground application parameter set e and a background application parameter set r obtained after training, so as to determine $V_h$:
$w=(w_1,w_2,\dots,w_h,\dots,w_k)$; $w_h=(w_{h1},w_{h2},\dots,w_{hi},\dots,w_{hn})$; wherein $w_h$ is the port parameter list corresponding to the h-th prediction time period, and $w_{hi}$ is the parameter for $D_i$ corresponding to the h-th prediction time period.
$e=(e_1,e_2,\dots,e_h,\dots,e_k)$; $e_h=(e_{h1},e_{h2},\dots,e_{hi},\dots,e_{hn})$; wherein $e_h$ is the foreground application feature parameter list corresponding to the h-th prediction time period; $e_{hi}$ is the parameter list for $QTY_i$ corresponding to the h-th prediction period; $e_{hi}=(e_{hi1},e_{hi2},\dots,e_{hij},\dots,e_{him})$; $e_{hij}$ is the parameter for $QTY_{ij}$ corresponding to the h-th prediction period.
$r=(r_1,r_2,\dots,r_h,\dots,r_k)$; $r_h=(r_{h1},r_{h2},\dots,r_{hi},\dots,r_{hn})$; wherein $r_h$ is the background application feature parameter list corresponding to the h-th prediction time period; $r_{hi}$ is the parameter list for $HTY_i$ corresponding to the h-th prediction period; $r_{hi}=(r_{hi1},r_{hi2},\dots,r_{hij},\dots,r_{him})$; $r_{hij}$ is the parameter for $HTY_{ij}$ corresponding to the h-th prediction period.
$V_h = w_{h1}D_1 + w_{h2}D_2 + \dots + w_{hi}D_i + \dots + w_{hn}D_n + e_{h11}QTY_{11} + e_{h12}QTY_{12} + \dots + e_{hij}QTY_{ij} + \dots + e_{hnm}QTY_{nm} + r_{h11}HTY_{11} + r_{h12}HTY_{12} + \dots + r_{hij}HTY_{ij} + \dots + r_{hnm}HTY_{nm}$
Preferably, the port parameter set w, the foreground application parameter set e and the background application parameter set r are obtained by the following method:
Obtain the first data set $M=(M_1,M_2,\dots,M_a,\dots,M_b)$; wherein $a=1,2,\dots,b$; $M_a$ is the feature vector set corresponding to the a-th first-type device in a first time window; a first-type device is a device on which a network threat event has occurred; the ending time of the first time window corresponding to each first-type device is the time at which its current state was determined to have been successfully invaded by the network threat; the length of the first time window corresponding to each first-type device is $L=(2k-1)\,t'$; $t'$ is the length of a prediction time period; $M_a=(M_{a1},M_{a2},\dots,M_{ah},\dots,M_{ak})$; $M_{ah}$ is the feature vector of the a-th first-type device within the key time window after the key time window has slid forward $(h-1)$ times; the initial ending time of the key time window corresponding to each first-type device is the same as the ending time of the first time window; the length of the key time window is $k\,t'$; the step length of each forward slide of the key time window is $t'$; b is the number of first-type devices; each feature vector in $M_a$ is marked with a probability label, and each probability label comprises k marker bits; in the probability label corresponding to $M_{ah}$, the value of the h-th marker bit is 1 and the values of the remaining marker bits are 0.
Obtain a second data set $H=(H_1,H_2,\dots,H_x,\dots,H_g)$; wherein $x=1,2,\dots,g$; $H_x$ is the feature vector corresponding to the x-th second-type device in a second time window; a second-type device is a device on which no network threat event has occurred; the length of the second time window corresponding to each second-type device is the same as that of the key time window; the value of every marker bit of the probability label corresponding to each feature vector in H is 0; g is the preset number of second-type devices.
Training an initial model according to M and H to obtain the port parameter set w, the foreground application parameter set e and the background application parameter set r so as to determine the target model.
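The training-set construction described above (the first data set M via the sliding key time window, the second data set H, and the requirement $g \ge b \times k$), worked through as an added example that is not part of the patent. It assumes that the historical period length $\Delta T$ equals $t'$, so a key time window of $k\,t'$ holds exactly k period records, and every device history used is constructed synthetic data.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Sequence, Tuple

Label = Tuple[int, ...]   # k marker bits, at most one of them set to 1
# Feature vector Q: one (D_i, QTY_i, HTY_i) triple per historical period in the window
Q = Tuple[Tuple[int, Tuple[float, ...], Tuple[float, ...]], ...]


@dataclass(frozen=True)
class PeriodFeatures:
    """Features of one device over one historical period (constructed data)."""
    end: datetime              # end time of the period
    ports: int                 # D_i: ports accessed by external devices in the period
    fg: Tuple[float, ...]      # QTY_i: top-m foreground apps by maximum memory occupancy
    bg: Tuple[float, ...]      # HTY_i: top-m background apps by maximum memory occupancy


def window_vector(history: Sequence[PeriodFeatures], window_end: datetime,
                  k: int, t_prime: timedelta) -> Q:
    """Feature vector for the key time window (window_end - k*t', window_end].
    Assumption: delta-T equals t', so the window holds exactly k period records."""
    start = window_end - k * t_prime
    recs = sorted((r for r in history if start < r.end <= window_end), key=lambda r: r.end)
    if len(recs) != k:
        raise ValueError(f"window ending {window_end} has {len(recs)} periods, expected {k}")
    return tuple((r.ports, r.fg, r.bg) for r in recs)


def first_type_samples(history: Sequence[PeriodFeatures], invasion_time: datetime,
                       k: int, t_prime: timedelta) -> List[Tuple[Q, Label]]:
    """M_a for one invaded device: the key window initially ends at the invasion time and
    slides forward (h-1) steps of t' for h = 1..k; sample h gets marker bit h set to 1."""
    samples = []
    for h in range(1, k + 1):
        window_end = invasion_time - (h - 1) * t_prime
        label = tuple(1 if bit == h - 1 else 0 for bit in range(k))
        samples.append((window_vector(history, window_end, k, t_prime), label))
    return samples


def second_type_sample(history: Sequence[PeriodFeatures], window_end: datetime,
                       k: int, t_prime: timedelta) -> Tuple[Q, Label]:
    """H_x for one clean device: a single window (the description picks its end time at
    random; here the caller supplies it) with every marker bit 0."""
    return window_vector(history, window_end, k, t_prime), (0,) * k


def build_training_set(first_type, second_type, k: int, t_prime: timedelta):
    """first_type: (history, invasion_time) per invaded device; second_type: (history,
    window_end) per clean device. Enforces g >= b*k so clean samples are not outnumbered."""
    M = [first_type_samples(hist, t_inv, k, t_prime) for hist, t_inv in first_type]
    H = [second_type_sample(hist, end, k, t_prime) for hist, end in second_type]
    if len(H) < len(M) * k:
        raise ValueError(f"need g >= b*k clean samples, got g={len(H)}, b*k={len(M) * k}")
    return M, H


def synthetic_history(last_end: datetime, periods: int, t_prime: timedelta,
                      seed: int, m: int = 3) -> List[PeriodFeatures]:
    """Constructed per-period records ending at last_end and reaching back `periods` periods."""
    rng = random.Random(seed)
    return [PeriodFeatures(
                end=last_end - (periods - 1 - idx) * t_prime,
                ports=rng.randint(0, 40),
                fg=tuple(round(rng.uniform(0.05, 0.9), 2) for _ in range(m)),
                bg=tuple(round(rng.uniform(0.05, 0.9), 2) for _ in range(m)))
            for idx in range(periods)]


T_PRIME = timedelta(hours=24)
K = 7
INVASION = datetime(2023, 6, 25, 0, 0)   # device judged invaded at 24:00 on June 24 (constructed)


def example_training_set():
    """One invaded device (needs (2k-1) = 13 periods of history) and g = b*k = 7 clean devices."""
    invaded = [(synthetic_history(INVASION, 2 * K - 1, T_PRIME, seed=1), INVASION)]
    clean = []
    for x in range(K):
        end = datetime(2023, 6, 10 + x, 0, 0)   # stands in for the random window end time
        clean.append((synthetic_history(end, K, T_PRIME, seed=100 + x), end))
    return build_training_set(invaded, clean, K, T_PRIME)


if __name__ == "__main__":
    M, H = example_training_set()
    for window, label in M[0]:
        print(label, "port counts per period:", [q[0] for q in window])
    print(len(H), "clean samples, labels all", H[0][1])
```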
Preferably, the port parameter, the foreground application feature parameter and the background application feature parameter corresponding to the h prediction time period satisfy the following constraint conditions:
$w_{h1}+w_{h2}+\dots+w_{hi}+\dots+w_{hn}=rat_1$
$e_{h11}+e_{h12}+\dots+e_{hij}+\dots+e_{hnm}=rat_2$
$r_{h11}+r_{h12}+\dots+r_{hij}+\dots+r_{hnm}=rat_2$
none of $w_{h1},w_{h2},\dots,w_{hi},\dots,w_{hn},e_{h11},e_{h12},\dots,e_{hij},\dots,e_{hnm},r_{h11},r_{h12},\dots,r_{hij},\dots,r_{hnm}$ is equal to 0;
wherein $rat_1$ and $rat_2$ are preset coefficient constraint values, and $rat_1+2\,rat_2=1$.
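The scoring step $V_h$ with the coefficient constraints above, and the selection of the target time period from $V_{\max}$ against the preset probability value, as an added example that is not the patent's own code. It assumes every feature is a scalar already scaled to [0, 1] (the per-application (CPU, RAM, network) triple is collapsed to one value), and the parameter values and feature vector are constructed.

```python
import math
from datetime import datetime, timedelta
from typing import List, Optional, Sequence, Tuple

Row = Sequence[Sequence[float]]   # e_h or r_h: n lists of m parameters


class TargetModel:
    """Linear scorer from the description:
    V_h = sum_i w_hi*D_i + sum_ij e_hij*QTY_ij + sum_ij r_hij*HTY_ij, h = 1..k.
    Assumption: each feature is one scalar in [0, 1] (the page's per-application
    (CPU, RAM, network) triple is collapsed to a single value here)."""

    def __init__(self, w: Sequence[Sequence[float]], e: Sequence[Row], r: Sequence[Row],
                 rat1: float, rat2: float, tol: float = 1e-9):
        if not math.isclose(rat1 + 2 * rat2, 1.0, abs_tol=tol):
            raise ValueError("rat1 + 2*rat2 must equal 1")
        if not len(w) == len(e) == len(r):
            raise ValueError("w, e and r need one row per prediction period")
        # Constraint check per prediction period: sums hit rat1 / rat2, no parameter is 0.
        for h, (wh, eh, rh) in enumerate(zip(w, e, r), start=1):
            flat_e = [x for row in eh for x in row]
            flat_r = [x for row in rh for x in row]
            for name, vals, target in (("w", list(wh), rat1), ("e", flat_e, rat2), ("r", flat_r, rat2)):
                if any(v == 0 for v in vals):
                    raise ValueError(f"{name}_{h}: no parameter may be 0")
                if not math.isclose(sum(vals), target, abs_tol=tol):
                    raise ValueError(f"{name}_{h}: parameters sum to {sum(vals)}, expected {target}")
        self.w, self.e, self.r, self.k = w, e, r, len(w)

    def score(self, D: Sequence[float], QTY: Row, HTY: Row) -> List[float]:
        """Probability set V = (V_1..V_k) for the target feature vector Q = (D, QTY, HTY)."""
        V = []
        for wh, eh, rh in zip(self.w, self.e, self.r):
            ports = sum(wi * di for wi, di in zip(wh, D))
            fg = sum(ei * qi for erow, qrow in zip(eh, QTY) for ei, qi in zip(erow, qrow))
            bg = sum(ri * hi for rrow, hrow in zip(rh, HTY) for ri, hi in zip(rrow, hrow))
            V.append(ports + fg + bg)
        return V

    def target_period(self, D, QTY, HTY, threshold: float, now: datetime,
                      t_prime: timedelta) -> Optional[Tuple[int, datetime, datetime]]:
        """Index h and bounds of the target time period: the period of V_max, but only when
        V_max is strictly greater than the preset probability value; None otherwise."""
        V = self.score(D, QTY, HTY)
        h = max(range(self.k), key=V.__getitem__) + 1
        if V[h - 1] <= threshold:
            return None
        # The h-th prediction period is the h-th interval of length t' after the current time.
        return h, now + (h - 1) * t_prime, now + h * t_prime


# Constructed feature vector for n = 2 historical periods and m = 2 apps per period.
EXAMPLE_D = (0.2, 0.8)                    # accessed-port counts scaled by 65535
EXAMPLE_QTY = ((0.5, 0.3), (0.9, 0.4))    # top-2 foreground apps per period
EXAMPLE_HTY = ((0.4, 0.2), (0.7, 0.6))    # top-2 background apps per period


def example_model() -> TargetModel:
    """Constructed parameters for k = 3 prediction periods with rat1 = 0.5 and rat2 = 0.25."""
    w = [(0.2, 0.3), (0.1, 0.4), (0.4, 0.1)]
    e = [((0.05, 0.05), (0.1, 0.05)), ((0.05, 0.05), (0.05, 0.1)), ((0.1, 0.05), (0.05, 0.05))]
    r = [((0.05, 0.05), (0.1, 0.05)), ((0.1, 0.05), (0.05, 0.05)), ((0.05, 0.1), (0.05, 0.05))]
    return TargetModel(w, e, r, rat1=0.5, rat2=0.25)


if __name__ == "__main__":
    model = example_model()
    print("V =", [round(v, 3) for v in model.score(EXAMPLE_D, EXAMPLE_QTY, EXAMPLE_HTY)])
    print(model.target_period(EXAMPLE_D, EXAMPLE_QTY, EXAMPLE_HTY, 0.5,
                              datetime(2023, 6, 24), timedelta(hours=24)))
```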
Preferably, the number of ports accessed by the external device is the number of ports receiving Telnet data; the Telnet data includes Telnet data packets and Telnet instructions.
Preferably, the performing safety protection on the target device according to the target time period includes:
and obtaining the vulnerability information of the target equipment, and sending patches to the target equipment according to the vulnerability information.
The embodiment shown in fig. 2 is an embodiment of the apparatus corresponding to the embodiment of the method shown in fig. 1, and a part of implementation procedures and technical effects of the embodiment shown in fig. 2 are similar to those of the embodiment shown in fig. 1, so that the description of the embodiment shown in fig. 2 is simpler, and please refer to the embodiment shown in fig. 1 for the relevant points.
In the embodiment of the invention, after the probability $V_{\max}$ with the largest value in the probability set V is found to be greater than the preset probability value, the method further comprises:
the target device is determined to be a first target device.
Acquiring behavior characteristics of the first target device in a target historical time period; and the ending time of the target historical time period is the current time.
And determining the target attack type of the network threat event occurring in the target time period according to the behavior characteristics.
And determining the equipment type of the equipment attacked by the target attack type according to the target attack type, and determining the equipment type as the target equipment type.
Determining equipment with the same type as the target equipment in the target network as second target equipment; the target network is the network where the target device is located.
And carrying out safety protection on each second target device.
The attack types include, but are not limited to: phishing attacks, malware attacks, intrusion attacks, denial-of-service attacks, man-in-the-middle attacks, cryptographic attacks, social engineering attacks, side communication attacks, WiFi attacks and Internet of Things attacks. The device type attacked by the target attack type is determined by acquiring technical information from a cyber threat framework; alternatively, the correspondence between each attack type and a device type is generated in advance from the technical information in the cyber threat framework (for example, an SQL injection attack corresponds to a server, a router phishing attack corresponds to a router, a printer worm corresponds to a printer, and a malware attack corresponds to a computer), the correspondence is written into a mapping table, and the mapping table is then read to determine the device type attacked by the target attack type. The cyber threat frameworks include, but are not limited to: ATT&CK, Cyber Kill Chain and the Diamond Model.
According to this embodiment, before the network threat event occurs and while the network threat has not yet successfully penetrated, the corresponding devices in the target network can be protected according to the device type attacked by the attack type of the network threat event. This effectively avoids the network threat event in the target network and ensures the network security of each device in the target network, while reducing the network security protection redundancy of each device, preserving device performance, improving the user experience on the terminal device side, and maintaining the data security and personal information security of device users.
The obtaining the behavior characteristics of the first target device in the target history time period includes:
acquiring a device log of the first target device in a target history time period; the device log includes: system log, web log, application log.
And cleaning the data of the equipment log to obtain target data.
Computing the target data with a timestamp analysis algorithm to obtain the behaviour features of the first target device in the target historical time period. The behaviour features form a feature vector set containing one behaviour feature vector of the first target device for each timestamp in the target historical time period; the interval between two adjacent timestamps is determined by the algorithm's parameters, and each behaviour feature vector contains feature values such as device activity frequency, duration and event time interval. The timestamp analysis algorithm yields the time-sequence relations of the device's activity frequency, working mode, periodic behaviour and event occurrence, so using it to obtain the behaviour features of the first target device in the target historical time period helps determine more accurately the target attack type of the network threat event occurring in the target time period.
Before the acquiring the behavior characteristics of the first target device in the target history period, the method further comprises:
and acquiring network flow data corresponding to each device in the target network.
And determining the interaction relation among all the devices in the target network according to the network flow data.
And determining a network topology structure corresponding to the target network taking each device in the target network as a node according to the interaction relation.
Preferably, the method further comprises:
determining the position of the first target device in the network topology, so as to determine the key devices in the target network that have an interaction relation with the first target device.
And carrying out safety protection on each key device.
According to this preferred scheme, if the network threat behaviour succeeds in invading, the probability that a network threat event occurs on the key devices that have an interaction relation with the first target device in the target network is extremely high; performing security protection on each key device therefore further ensures that the target network avoids network threat attacks from unauthorized users, and the network security of the devices in the target network is more fully ensured.
The determining, according to the behavior feature, a target attack type of the cyber threat event occurring in the target time period includes:
And matching the behavior characteristics with threat characteristics in a network threat framework, and determining an attack type corresponding to the threat characteristics which are successfully matched as a target attack type of the network threat event occurring in the target time period.
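The follow-on steps above (cleaning the device log, timestamp analysis into behaviour features, building the interaction topology from flow data, and selecting the second target devices and key devices to protect), as an added example that is not the patent's code. The log line format, the flow records and the device inventory are constructed, and the target attack type is supplied by the caller rather than matched against a threat framework here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Sequence, Set, Tuple

Event = Tuple[datetime, str, str]   # (timestamp, log source, message)

# Assumed log line format: "<YYYY-mm-dd HH:MM:SS> <source> <message>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")


def clean_logs(lines: Sequence[str]) -> List[Event]:
    """Data cleaning: keep only lines with a parseable timestamp and source, sorted by time."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), m.group(3)))
    return sorted(events)


def behaviour_features(events: Sequence[Event], start: datetime, end: datetime,
                       step: timedelta) -> List[Tuple[int, float, float]]:
    """Timestamp analysis: one feature vector per step within [start, end):
    (activity frequency, active duration in seconds, mean event interval in seconds)."""
    feats = []
    t = start
    while t < end:
        stamps = [ev[0] for ev in events if t <= ev[0] < t + step]
        freq = len(stamps)
        duration = (stamps[-1] - stamps[0]).total_seconds() if stamps else 0.0
        interval = duration / (freq - 1) if freq > 1 else 0.0
        feats.append((freq, duration, interval))
        t += step
    return feats


def topology_from_flows(flows: Sequence[Tuple[str, str, int]]) -> Dict[str, Set[str]]:
    """Interaction graph with devices as nodes: an edge wherever flow data shows traffic."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, _nbytes in flows:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


# Attack type -> device type mapping table, using the correspondences named in the text.
ATTACK_TO_DEVICE_TYPE = {
    "sql_injection": "server",
    "router_phishing": "router",
    "printer_worm": "printer",
    "malware": "computer",
}


def protection_scope(first_target: str, attack_type: str, inventory: Dict[str, str],
                     flows: Sequence[Tuple[str, str, int]]) -> Tuple[Set[str], Set[str]]:
    """Second target devices (same type as the attack's device type, excluding the first
    target) and key devices (nodes with an interaction relation to the first target)."""
    device_type = ATTACK_TO_DEVICE_TYPE[attack_type]
    second = {d for d, t in inventory.items() if t == device_type and d != first_target}
    key = set(topology_from_flows(flows).get(first_target, set()))
    return second, key


# Constructed device log of first target "srv-1"; one line is deliberately malformed.
SAMPLE_LOG = [
    "2023-06-24 00:00:10 syslog sshd session opened for user ops",
    "2023-06-24 00:00:40 weblog GET /login 200",
    "2023-06-24 00:01:30 applog scheduler tick",
    "corrupted line without timestamp",
    "2023-06-24 01:10:00 weblog POST /api/export 200",
    "2023-06-24 01:15:00 syslog cron job finished",
]
# Constructed flow records (src, dst, bytes) and device inventory (device -> type).
SAMPLE_FLOWS = [("srv-1", "db-1", 48000), ("pc-7", "srv-1", 900), ("pc-7", "prn-1", 300)]
SAMPLE_INVENTORY = {"srv-1": "server", "srv-2": "server", "db-1": "server",
                    "pc-7": "computer", "prn-1": "printer", "rtr-1": "router"}


if __name__ == "__main__":
    events = clean_logs(SAMPLE_LOG)
    print(behaviour_features(events, datetime(2023, 6, 24), datetime(2023, 6, 24, 2),
                             timedelta(hours=1)))
    print(protection_scope("srv-1", "sql_injection", SAMPLE_INVENTORY, SAMPLE_FLOWS))
```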
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a mobile terminal, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will appreciate that the various aspects of the application may be implemented as a system, method, or program product. Accordingly, aspects of the application may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit", "module" or "system".
An electronic device according to this embodiment of the application is described below. The electronic device is merely an example and should not impose any limitation on the functionality or scope of use of embodiments of the present application.
The electronic device is in the form of a general purpose computing device. Components of an electronic device may include, but are not limited to: the at least one processor, the at least one memory, and a bus connecting the various system components, including the memory and the processor.
Wherein the memory stores program code that is executable by the processor to cause the processor to perform steps according to various exemplary embodiments of the application described in the "exemplary methods" section of this specification.
The storage may include readable media in the form of volatile storage, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM).
The storage may also include a program/utility having a set (at least one) of program modules including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The bus may be one or more of several types of bus structures including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any device (e.g., router, modem, etc.) that enables the electronic device to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface. And, the electronic device may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through a network adapter. The network adapter communicates with other modules of the electronic device via a bus. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with an electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium having stored thereon a program product capable of implementing the method described above in the present specification is also provided. In some possible embodiments, the various aspects of the application may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the application as described in the "exemplary methods" section of this specification, when said program product is run on the terminal device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present application, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present application should be included in the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (10)

1. A method of protecting network security, comprising:
acquiring a port information set D = (D_1, D_2, …, D_i, …, D_n) corresponding to a target device in a target time window; the end time of the target time window is the current time, the target time window consists of n consecutive historical periods, the length of the target time window is n*ΔT, and ΔT is the length of each historical period; where i = 1, 2, …, n; D_i is the number of ports of the target device accessed by external devices in the i-th historical period;
acquiring a foreground application feature set QTY = (QTY_1, QTY_2, …, QTY_i, …, QTY_n) corresponding to the target device in the target time window; QTY_i = (QTY_i1, QTY_i2, …, QTY_ij, …, QTY_im); where j = 1, 2, …, m; QTY_i is the foreground application feature information corresponding to the i-th historical period; QTY_ij is the application feature of the foreground application ranked j-th by maximum memory occupancy in the i-th historical period; m is a preset number;
acquiring a background application feature set HTY = (HTY_1, HTY_2, …, HTY_i, …, HTY_n) corresponding to the target device in the target time window; HTY_i = (HTY_i1, HTY_i2, …, HTY_ij, …, HTY_im); where HTY_i is the background application feature information corresponding to the i-th historical period; HTY_ij is the application feature of the background application ranked j-th by maximum memory occupancy in the i-th historical period;
determining, from D, QTY and HTY, a target feature vector Q = (Q_1, Q_2, …, Q_i, …, Q_n) corresponding to the target device; Q_i is the device feature corresponding to the i-th historical period; Q_i = (D_i, QTY_i, HTY_i);
inputting the target feature vector Q into a target model to obtain a target period in which a network threat event occurs on the target device;
and performing security protection on the target device according to the target period.
2. The method according to claim 1, wherein:
QTY_ij = (QCPU_ij, QRAM_ij, QWL_ij); where QCPU_ij is the maximum CPU occupancy of the j-th foreground application in the i-th historical period, QRAM_ij is the maximum memory occupancy of the j-th foreground application in the i-th historical period, and QWL_ij is the maximum network occupancy of the j-th foreground application in the i-th historical period;
HTY_ij = (HCPU_ij, HRAM_ij, HWL_ij); where HCPU_ij is the maximum CPU occupancy of the j-th background application in the i-th historical period, HRAM_ij is the maximum memory occupancy of the j-th background application in the i-th historical period, and HWL_ij is the maximum network occupancy of the j-th background application in the i-th historical period.
3. The method according to claim 1 or 2, wherein inputting the target feature vector Q into a target model to obtain a target period in which a network threat event occurs on the target device comprises:
inputting the target feature vector Q into the target model to obtain a probability set V = (V_1, V_2, …, V_h, …, V_k) of network threat events for the target device; where h = 1, 2, …, k; V_h is the probability that a network threat event occurs on the target device in the h-th prediction period; the prediction periods are consecutive and of equal length; each prediction period is later than the current time; k is the preset number of prediction periods;
determining whether the maximum probability V_max in the probability set V is greater than a preset probability value;
if it is greater than the preset probability value, determining the prediction period corresponding to V_max as the target period.
4. The method according to claim 3, wherein the target model comprises a port parameter set w, a foreground application parameter set e and a background application parameter set r, obtained by training, for determining V_h:
w = (w_1, w_2, …, w_h, …, w_k); w_h = (w_h1, w_h2, …, w_hi, …, w_hn); where w_h is the port parameter list corresponding to the h-th prediction period, and w_hi is the parameter of D_i for the h-th prediction period;
e = (e_1, e_2, …, e_h, …, e_k); e_h = (e_h1, e_h2, …, e_hi, …, e_hn); where e_h is the foreground application feature parameter list corresponding to the h-th prediction period; e_hi is the parameter list of QTY_i for the h-th prediction period; e_hi = (e_hi1, e_hi2, …, e_hij, …, e_him); e_hij is the parameter of QTY_ij for the h-th prediction period;
r = (r_1, r_2, …, r_h, …, r_k); r_h = (r_h1, r_h2, …, r_hi, …, r_hn); where r_h is the background application feature parameter list corresponding to the h-th prediction period; r_hi is the parameter list of HTY_i for the h-th prediction period; r_hi = (r_hi1, r_hi2, …, r_hij, …, r_him); r_hij is the parameter of HTY_ij for the h-th prediction period;
V_h = w_h1*D_1 + w_h2*D_2 + … + w_hi*D_i + … + w_hn*D_n + e_h11*QTY_11 + e_h12*QTY_12 + … + e_hij*QTY_ij + … + e_hnm*QTY_nm + r_h11*HTY_11 + r_h12*HTY_12 + … + r_hij*HTY_ij + … + r_hnm*HTY_nm.
5. The method according to claim 4, wherein the port parameter set w, the foreground application parameter set e and the background application parameter set r are obtained by:
obtaining a first data set M = (M_1, M_2, …, M_a, …, M_b); where a = 1, 2, …, b; M_a is the feature vector set corresponding to the a-th first-type device in a first time window; a first-type device is a device on which a network threat event has occurred; the end time of the first time window corresponding to each first-type device is the time at which that device's current state was determined to have been successfully intruded by the network threat; the length of the first time window corresponding to each first-type device is L = (2*k-1)*t'; t' is the length of a prediction period; M_a = (M_a1, M_a2, …, M_ah, …, M_ak); M_ah is the feature vector corresponding to the first-type device in the key time window after the key time window has slid forward (h-1) times; the initial end time of the key time window corresponding to each first-type device is the same as the end time of the first time window; the length of the key time window is k*t'; the step length of each forward slide of the key time window is t'; b is the number of first-type devices; each feature vector in M_a carries a probability label, and each probability label comprises k marking bits; in the probability label corresponding to M_ah, the h-th marking bit has value 1 and the remaining marking bits have value 0;
obtaining a second data set H = (H_1, H_2, …, H_x, …, H_g); where x = 1, 2, …, g; H_x is the feature vector corresponding to the x-th second-type device in a second time window; a second-type device is a device on which no network threat event has occurred; the length of the second time window corresponding to each second-type device is the same as the length of the key time window; every marking bit of the probability label corresponding to each feature vector in H has value 0; g is the preset number of second-type devices;
training an initial model on M and H to obtain the port parameter set w, the foreground application parameter set e and the background application parameter set r, thereby determining the target model.
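As an added example (not the patent's own code) of how claim 5 assembles the data sets M and H, the following Python slides the key window over a compromised device's first time window and attaches the one-hot probability labels. It assumes the prediction period t' equals the historical period ΔT, so one key window of k periods is one feature vector of k period features, and all device features below are constructed.

```python
from typing import Any, List, Tuple

# A training sample is (feature vector over one key window, probability label).
Sample = Tuple[List[Any], List[int]]


def key_windows(history: List[Any], k: int) -> List[Sample]:
    """Build M_a for one first-type (compromised) device.

    history: per-period features Q_i, oldest first, spanning the first
    time window of (2k-1) periods that ends when the device was judged
    successfully intruded. The h-th sample is the k-period key window
    after sliding it back (h-1) steps of one period, labelled with
    marking bit h set to 1 and every other bit 0.
    """
    if len(history) != 2 * k - 1:
        raise ValueError("first time window must span (2k-1) periods")
    samples: List[Sample] = []
    for h in range(1, k + 1):
        end = len(history) - (h - 1)   # key window end after h-1 slides
        window = history[end - k:end]
        label = [1 if bit == h else 0 for bit in range(1, k + 1)]
        samples.append((window, label))
    return samples


def negative_samples(histories: List[List[Any]], k: int) -> List[Sample]:
    """Build H: one key-window-length vector per second-type (clean)
    device, with every marking bit of the probability label set to 0."""
    out: List[Sample] = []
    for hist in histories:
        if len(hist) != k:
            raise ValueError("second time window must equal the key window")
        out.append((hist, [0] * k))
    return out


def build_training_set(first_type, second_type, k):
    """Return (M, H): flat lists of labelled samples for the initial model."""
    m = [s for hist in first_type for s in key_windows(hist, k)]
    return m, negative_samples(second_type, k)


# Constructed data: k = 3 prediction periods. Each period feature is a
# (D_i, QTY_i, HTY_i) tuple; app triples are (CPU, RAM, network) occupancy.
K = 3
COMPROMISED = [  # one first-type device, 2k-1 = 5 periods, oldest first
    (1, [(0.2, 0.3, 0.1)], [(0.1, 0.1, 0.1)]),
    (1, [(0.2, 0.3, 0.1)], [(0.1, 0.1, 0.1)]),
    (4, [(0.3, 0.3, 0.2)], [(0.2, 0.1, 0.2)]),
    (9, [(0.5, 0.4, 0.4)], [(0.6, 0.3, 0.5)]),
    (12, [(0.6, 0.5, 0.5)], [(0.8, 0.4, 0.7)]),
]
CLEAN = [[  # one second-type device, exactly k periods
    (1, [(0.2, 0.3, 0.1)], [(0.1, 0.1, 0.1)]),
    (0, [(0.2, 0.2, 0.1)], [(0.1, 0.1, 0.1)]),
    (1, [(0.3, 0.3, 0.1)], [(0.1, 0.1, 0.1)]),
]]

if __name__ == "__main__":
    M, H = build_training_set([COMPROMISED], CLEAN, K)
    for window, label in M + H:
        print(label, [d for d, _, _ in window])
```

The sample labelled with bit 1 is the window that ends at the intrusion, and each further slide back by one period moves the intrusion one prediction period further into the window's future.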
6. The method according to claim 4, wherein the port parameters, the foreground application feature parameters and the background application feature parameters corresponding to the h-th prediction period satisfy the following constraints:
w_h1 + w_h2 + … + w_hi + … + w_hn = rat_1;
e_h11 + e_h12 + … + e_hij + … + e_hnm = rat_2;
r_h11 + r_h12 + … + r_hij + … + r_hnm = rat_2;
none of w_h1, w_h2, …, w_hi, …, w_hn, e_h11, e_h12, …, e_hij, …, e_hnm, r_h11, r_h12, …, r_hij, …, r_hnm is equal to 0;
where rat_1 and rat_2 are preset coefficient constraint values, and rat_1 + 2*rat_2 = 1.
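As an added example (not the patent's own code) of claims 3, 4 and 6 together, the following Python evaluates the linear target model V_h from Q, checks the coefficient constraints of claim 6, and selects the target period. The feature values, weights and preset probability value are constructed, and summing each application's (CPU, RAM, network) triple before applying the scalar weight is an assumption made here.

```python
from typing import List, Optional, Sequence, Tuple

Triple = Tuple[float, float, float]   # (CPU, RAM, network) occupancy, claim 2
Period = Tuple[float, Sequence[Triple], Sequence[Triple]]  # (D_i, QTY_i, HTY_i)


def _app_term(params: Sequence[float], apps: Sequence[Triple]) -> float:
    # Claim 4 multiplies each QTY_ij / HTY_ij by one scalar e_hij / r_hij,
    # while claim 2 makes QTY_ij a triple; summing the triple first is an
    # assumption made here so that the product is well defined.
    return sum(p * sum(app) for p, app in zip(params, apps))


def threat_probabilities(q: Sequence[Period], w, e, r) -> List[float]:
    """V_h = sum_i w_hi*D_i + sum_ij e_hij*QTY_ij + sum_ij r_hij*HTY_ij.
    Claim 4 applies no normalisation, so V_h is only meaningful against
    a threshold calibrated on the same units (port counts, occupancy)."""
    v = []
    for h in range(len(w)):
        total = 0.0
        for i, (d_i, qty_i, hty_i) in enumerate(q):
            total += w[h][i] * d_i
            total += _app_term(e[h][i], qty_i)
            total += _app_term(r[h][i], hty_i)
        v.append(total)
    return v


def check_constraints(w, e, r, rat1: float, rat2: float, tol=1e-9) -> bool:
    """Claim 6: per prediction period the port weights sum to rat1, the
    foreground and background weights each sum to rat2, no weight is 0,
    and rat1 + 2*rat2 = 1."""
    if abs(rat1 + 2 * rat2 - 1) > tol:
        return False
    for w_h, e_h, r_h in zip(w, e, r):
        flat_e = [x for row in e_h for x in row]
        flat_r = [x for row in r_h for x in row]
        sums_ok = (abs(sum(w_h) - rat1) <= tol
                   and abs(sum(flat_e) - rat2) <= tol
                   and abs(sum(flat_r) - rat2) <= tol)
        if not sums_ok or any(x == 0 for x in [*w_h, *flat_e, *flat_r]):
            return False
    return True


def target_period(v: Sequence[float], threshold: float) -> Optional[int]:
    """Claim 3: 1-based index of V_max if it exceeds the preset probability
    value, else None (no protective action is scheduled)."""
    h_max = max(range(len(v)), key=v.__getitem__)
    return h_max + 1 if v[h_max] > threshold else None


# Constructed data: n = 2 historical periods, m = 2 ranked apps, k = 2
# prediction periods; rat1 = 0.5, rat2 = 0.25 so that rat1 + 2*rat2 = 1.
Q: List[Period] = [
    (2, [(0.5, 0.4, 0.1), (0.2, 0.3, 0.1)], [(0.1, 0.2, 0.3), (0.2, 0.1, 0.1)]),
    (5, [(0.6, 0.5, 0.2), (0.3, 0.2, 0.1)], [(0.2, 0.2, 0.2), (0.1, 0.1, 0.1)]),
]
W = [[0.3, 0.2], [0.1, 0.4]]                                    # w_hi
E = [[[0.1, 0.05], [0.05, 0.05]], [[0.05, 0.05], [0.1, 0.05]]]  # e_hij
R = [[[0.05, 0.05], [0.1, 0.05]], [[0.1, 0.05], [0.05, 0.05]]]  # r_hij
THRESHOLD = 2.0   # preset probability value: an assumption, not from the claims
if __name__ == "__main__":
    V = threat_probabilities(Q, W, E, R)
    print(V, target_period(V, THRESHOLD))   # [1.95, 2.565] -> period 2
```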
7. The method according to claim 1, wherein the number of ports accessed by external devices is the number of ports that received Telnet data; the Telnet data comprises Telnet data packets and Telnet instructions.
8. The method according to claim 1, wherein performing security protection on the target device according to the target period comprises:
obtaining vulnerability information of the target device, and sending patches to the target device according to the vulnerability information.
9. A network security protection device, comprising:
a port information set acquisition module, configured to acquire a port information set D = (D_1, D_2, …, D_i, …, D_n) corresponding to a target device in a target time window; the end time of the target time window is the current time, the target time window consists of n consecutive historical periods, the length of the target time window is n*ΔT, and ΔT is the length of each historical period; where i = 1, 2, …, n; D_i is the number of ports of the target device accessed by external devices in the i-th historical period;
a foreground application feature set acquisition module, configured to acquire a foreground application feature set QTY = (QTY_1, QTY_2, …, QTY_i, …, QTY_n) corresponding to the target device in the target time window; QTY_i = (QTY_i1, QTY_i2, …, QTY_ij, …, QTY_im); where j = 1, 2, …, m; QTY_i is the foreground application feature information corresponding to the i-th historical period; QTY_ij is the application feature of the foreground application ranked j-th by maximum memory occupancy in the i-th historical period; m is a preset number;
a background application feature set acquisition module, configured to acquire a background application feature set HTY = (HTY_1, HTY_2, …, HTY_i, …, HTY_n) corresponding to the target device in the target time window; HTY_i = (HTY_i1, HTY_i2, …, HTY_ij, …, HTY_im); where HTY_i is the background application feature information corresponding to the i-th historical period; HTY_ij is the application feature of the background application ranked j-th by maximum memory occupancy in the i-th historical period;
a target feature vector determination module, configured to determine, from D, QTY and HTY, a target feature vector Q = (Q_1, Q_2, …, Q_i, …, Q_n) corresponding to the target device; Q_i is the device feature corresponding to the i-th historical period; Q_i = (D_i, QTY_i, HTY_i);
a target period determination module, configured to input the target feature vector Q into a target model to obtain a target period in which a network threat event occurs on the target device;
and a security protection module, configured to perform security protection on the target device according to the target period.
10. A non-transitory computer readable storage medium having stored therein at least one instruction or at least one program, wherein the at least one instruction or the at least one program is loaded and executed by a processor to implement the method of any one of claims 1-8.
CN202311087057.5A 2023-08-28 2023-08-28 Network security protection method, device and medium Active CN116827687B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311087057.5A CN116827687B (en) 2023-08-28 2023-08-28 Network security protection method, device and medium

Publications (2)

Publication Number Publication Date
CN116827687A true CN116827687A (en) 2023-09-29
CN116827687B CN116827687B (en) 2023-11-03

Family

ID=88122458

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311087057.5A Active CN116827687B (en) 2023-08-28 2023-08-28 Network security protection method, device and medium

Country Status (1)

Country Link
CN (1) CN116827687B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112165485A (en) * 2020-09-25 2021-01-01 山东炎黄工业设计有限公司 Intelligent prediction method for large-scale network security situation
CN114978617A (en) * 2022-05-06 2022-08-30 国网湖北省电力有限公司信息通信公司 Network attack threat statistical judgment method based on Markov process learning model
CN115086002A (en) * 2022-06-10 2022-09-20 福建省网络与信息安全测评中心 Network security protection method and system
CN115314304A (en) * 2022-08-10 2022-11-08 重庆电子工程职业学院 Network security event analysis device and method
US11556638B1 (en) * 2021-07-19 2023-01-17 Expel, Inc. Systems and methods for intelligent cybersecurity alert similarity detection and cybersecurity alert handling
CN115664860A (en) * 2022-12-26 2023-01-31 广东财经大学 Network security threat assessment method and system
CN115842647A (en) * 2022-09-19 2023-03-24 上海辰锐信息科技有限公司 Network security threat detection method based on flow data

Also Published As

Publication number Publication date
CN116827687B (en) 2023-11-03

Similar Documents

Publication Publication Date Title
AU2019216687B2 (en) Path scanning for the detection of anomalous subgraphs and use of DNS requests and host agents for anomaly/change detection and network situational awareness
US20220368722A1 (en) Monitoring for lateral movements-related security threats
US10320814B2 (en) Detection of advanced persistent threat attack on a private computer network
US7962960B2 (en) Systems and methods for performing risk analysis
Kholidy et al. A finite state hidden markov model for predicting multistage attacks in cloud systems
US11080392B2 (en) Method for systematic collection and analysis of forensic data in a unified communications system deployed in a cloud environment
US11824878B2 (en) Malware detection at endpoint devices
US9338187B1 (en) Modeling user working time using authentication events within an enterprise network
WO2017074747A1 (en) Detection of cyber threats against cloud-based applications
US10805343B2 (en) Network security using artificial intelligence and high speed computing
US11770409B2 (en) Intrusion management with threat type clustering
US11514173B2 (en) Predicting software security exploits by monitoring software events
CN116827687B (en) Network security protection method, device and medium
CN116827688B (en) Equipment safety protection method, device, equipment and medium
GB2621237A (en) Traffic scanning with context-aware threat signatures
Jagdish et al. Modeling software architecture design on data storage security in cloud computing environments
US10819730B2 (en) Automatic user session profiling system for detecting malicious intent
Chen et al. Active event correlation in Bro IDS to detect multi-stage attacks
CN112241535A (en) Server security policy configuration method based on flow data analysis
Choudhary et al. Detection and Isolation of Zombie Attack under Cloud Computing
US20240154981A1 (en) Logging configuration system and method
Osipov et al. Distributed profile of typical user behavior in a multi-system environment
Venkatesan et al. Modeling Software Architecture Design on Data Storage Security in Cloud Computing Environments
Gomathi et al. Identification of Network Intrusion in Network Security by Enabling Antidote Selection
Meetei Mathematical model of security approaches on cloud computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant