CN117040664A - Computer system detection method based on network operation safety - Google Patents


Info

Publication number
CN117040664A
Authority
CN
China
Prior art keywords
target
network
time
attack
type information
Prior art date
Legal status
Pending
Application number
CN202311137876.6A
Other languages
Chinese (zh)
Inventor
崔晓叶
顾爱萍
刘佳
Current Assignee
Nanjing Huaxi Technology Co ltd
Original Assignee
Nanjing Huaxi Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Nanjing Huaxi Technology Co ltd
Priority to CN202311137876.6A
Publication of CN117040664A
Legal status: Pending

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04B TRANSMISSION
        • H04B17/00 Monitoring; Testing
        • H04B17/30 Monitoring; Testing of propagation channels
        • H04B17/309 Measuring or estimating channel quality parameters
        • H04B17/336 Signal-to-interference ratio [SIR] or carrier-to-interference ratio [CIR]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        • H04L63/1416 Event detection, e.g. attack signature detection
        • H04L63/1425 Traffic logging, e.g. anomaly detection
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
        • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a computer system detection method based on network operation security. The system comprises a server connected to a characteristic profile building unit, which builds characteristic profiles for the computer network and for its users and obtains a network characteristic profile and a user characteristic profile; the network characteristic profile is matched to the user characteristic profile of each user in the computer network, and different user characteristic profiles yield different network characteristic profiles. The method further comprises feature extraction and threat detection, and introduces a time factor in the threat detection stage to improve detection accuracy. It can be used to detect potential security threats in a network system; the algorithm combines Netflow analysis with time-series analysis, can rapidly identify and respond to network attacks and abnormal behaviour, and can analyse historical data to predict future threats, thereby improving the security of the information network system.

Description

Computer system detection method based on network operation safety
Technical Field
The invention relates to the field of computer security, in particular to a computer system detection method based on network operation security.
Background
The invention addresses these problems by providing an intrusion detection system for computer network operation security. Characteristic profiles are built for the computer network and for its corresponding users, which improves the operating efficiency of the network and the quality of use for those users; at the same time, the accuracy of security intrusion detection is improved on the basis of the constructed profiles, which indirectly protects user data and reduces the risk of network faults. A security reference threshold in the computer network is set and controlled: a threshold set too high raises the missed-detection rate, while one set too low raises the false-alarm rate, so accurate control of the reference threshold strengthens the network's security detection and its working efficiency. Intrusion simulation on the computer network determines which parameters are affected by abnormal operation of each part of the network, which strengthens the detection of network intrusions and speeds up maintenance after an intrusion. With the growing demand for information security, the development of network operation security technology has received a great deal of attention. To prevent attacks by attackers or hackers, honeypot technology is used in the prior art. Honeypot technology is a technique for deceiving an attacker: for example, network services or information are set up as bait to induce the attacker to attack them, so that the attack behaviour can be captured and analysed, which facilitates tracking and marking of the attacker.
New network attacks and threats emerge constantly, and traditional security defences cannot meet the requirements of modern networks. Outliers in a time series are data, generated by a user (or system), that do not conform to the expected temporal behaviour pattern. By detecting such anomalous points, a user (or system) can effectively discover unknown threats such as DDoS attacks and partial data leakage, obtain effective decision support, identify network threat behaviour more accurately, and raise the level of network operation security.
Therefore, there is a need for a computer system detection method based on network operation security that addresses the above deficiencies of the prior art.
Disclosure of Invention
This section summarises some aspects of embodiments of the application and briefly introduces some preferred embodiments. Some details may be simplified or omitted in this section, in the abstract and in the title so as not to obscure their purpose; nothing here is intended to limit the scope of the application.
Accordingly, the technical problem underlying the present application is to detect potential security threats in a computer network system.
To solve this technical problem, the application provides the following technical scheme. The computer system detection method based on network operation security comprises a server connected to a characteristic profile building unit, which builds characteristic profiles for the computer network and its corresponding users and obtains a network characteristic profile and a user characteristic profile; the network characteristic profile is matched to the user characteristic profile of each user in the computer network, and different user characteristic profiles yield different network characteristic profiles.
The method further comprises feature extraction and threat detection, with a time factor introduced in the threat detection stage to improve detection accuracy. Using the periodic, synchronised flow statistics that probes send to the detection server platform, the algorithm performs time-series modelling and anomaly detection for SYN, HTTP, UDP and ICMP flood attacks, and runs on the algorithm cluster module of the detection system.
A reference threshold setting control unit sets and controls a security reference threshold in the computer network. Once the user characteristic profile and the network characteristic profile have been built, a qualified, matched pair of user and network profiles forms an operation closed loop; the closed loop is analysed to generate a threshold reset signal or a threshold satisfied signal, which is sent to the server. A test intrusion early-warning analysis unit performs intrusion simulation on the current computer network, determines through the simulation which parameters are affected by abnormal operation of each part of the network, generates a network operation security policy, intrusion labels and a real-time intrusion type from the analysis, and sends them to the server. A real-time intrusion detection unit performs real-time intrusion detection on the running computer network and, through analysis, maintains and issues early warnings on the network operation parameters.
While a target attack device is attacking a target virtual application, the method detects whether the target attack device has recognised that the target virtual application is running on a virtual computer; the target virtual application is generated from business logic that simulates the target application. If the target attack device is detected to have recognised that the target virtual application runs on a virtual computer, target historical data are obtained from a first target database; these data are generated each time the target virtual application is recognised as running on a virtual computer. Based on the target historical data, it is determined whether the target virtual application will be recognised as running on a virtual computer when it is next attacked. If it is determined that it will be, the target virtual application is instead run on a target physical computer, which is the network operation security protection platform or another network device associated with it.
When the computer network is in communication with a user, the communication process is analysed according to the operations the user performs after logging in to the computer network. If the frequency of an operation exceeds an execution frequency threshold, the operation is marked as a counted execution; otherwise it is marked as a non-counted execution. The user's counted executions during the communication process are summarised into an execution sequence, from which a user characteristic profile is constructed; the execution characteristics of each counted execution are collected into the profile, where the execution characteristics are the frequency of, and the time consumed by, the corresponding operation after the user logs in. The user characteristic profile is thus the browsing flow formed by combining the user's counted executions in sequence, together with the execution characteristics of each. When the corresponding user characteristic profile is executed, the response operations in the computer network are analysed: if the probability of a response operation occurring in the network exceeds a probability threshold, it is marked as a counted response; otherwise it is marked as a non-counted response. The counted responses of the computer network are ordered according to the sequence of the user characteristic profile, the response characteristics of the counted responses are collected in that order, and the network characteristic profile is constructed from them, where the response characteristics are the response duration and the pass rate of the computer network for the user's operations.
The algorithm can be further decomposed into three modules, namely time series linear regression modeling, time series RCF modeling and time series detection.
As a preferred scheme of the computer system detection method based on network operation security, the method detects whether the target attack device has stopped attacking the target virtual application. If it has, target attack behaviour data of the target attack device are obtained; these data are generated from all network attack behaviours the target attack device performed against the target virtual application. A first target thread analyses the target attack behaviour data to obtain a first analysis result, which comprises at least one piece of target attack behaviour type information for the network attack behaviours the target attack device performed on the target virtual application. A second target thread generates attack event request information from the first piece of target attack behaviour type information and uses it to search a second target database for at least one piece of target attack event information; the attack event corresponding to each such piece is formed at least by the network attack behaviour corresponding to that first piece of type information. The second target database holds many pieces of attack event information, each corresponding to an attack event formed from at least one network attack behaviour. For each piece of target attack event information, all attack behaviour type information corresponding to the network attack behaviours that form its attack event is obtained, forming an attack behaviour type information set for that piece. The relation between the attack behaviour type information in each set and the target attack behaviour type information is then determined. If every set stands in a first target relation to the target attack behaviour type information, historical attack data are searched for in a target cache of the network operation security platform; the first target relation means that all attack behaviour type information in the set forms only a part of the plurality of target attack behaviour type information, and the historical attack data are generated from network attack behaviours performed on the target virtual application in the past by the target attack device or other devices.
A fault time period is set according to simulated faults of the hardware and network equipment; within that period, the moments at which the value of each real-time network operation parameter fluctuates, and the frequency of such fluctuations, are collected. A parameter type whose fluctuation frequency exceeds a fluctuation frequency threshold is given an intrusion label, the label is bound to the real-time intrusion type, and the label is sent to the server. Real-time network operation parameters carrying an intrusion label are marked as influencing parameters; qualified parameters of the computer network are screened according to the influencing parameters, the screened qualified parameters are marked as the network operation security policy, and the policy is sent to the server. The network operation security policy is expressed as a qualified threshold range for the network operation parameters.
As a preferred scheme of the computer system detection method based on network operation security, the feature extraction stage uses a machine learning algorithm to extract features from the data. The time-series linear regression modelling comprises the following steps:
(1) Every 5 minutes, a batch of netflows fetched by Spark Streaming is filtered through interface (1) to those whose destination IP (DstIP) is an intranet asset, then grouped by DstIP; for each group the upstream SYN/SYNACK count, HTTP upstream message bytes (Back attack), UDP upstream message bytes (UDP flood) and ICMP upstream message bytes (Ping of Death attack) are summed, and the latest end time in the batch, rounded to 5 minutes, is taken as the timestamp.
(2) The statistics and timestamp from step (1) are arranged as a two-level dictionary, accumulated into Redis through interface (2), and statistics whose asset timestamp is older than 24 hours are deleted.
(3) Per-asset linear regression modelling. Each time an asset reaches its time-series modelling time (the period is 1 hour), the asset's statistics are read from Redis and a time series is built; missing buckets within the 24-hour period are filled with 0; time features and autocorrelation features are extracted from the series.
(4) The series is modelled with SGDRegressor using the L1 penalty, performing online incremental modelling through the partial_fit method; after the model is built and serialised, it is stored in Redis in a two-level dictionary keyed by asset index and statistic protocol.
(5) Asset-cluster linear regression modelling. When assets are clustered, the asset indexes are read from Redis through interface (3), the assets' statistics are fetched and time series are built, and a model is built with SGDRegressor using the L1 penalty and online incremental modelling via partial_fit; after the model is built and serialised, it is stored in Redis in a two-level dictionary keyed by asset index and protocol type.
As a preferred scheme of the computer system detection method based on network operation security, the threat detection stage uses a threat detection algorithm based on a time factor to classify and predict feature vectors. The time-series RCF modelling steps are as follows:
(1) Every 5 minutes, a batch of netflows fetched by Spark Streaming is filtered through interface (1) to those whose destination IP (DstIP) is an intranet asset, then grouped by DstIP; for each group the SYN session count, HTTP uplink message bytes (Back attack), UDP uplink message bytes (UDP flood) and ICMP uplink message bytes (Ping of Death attack) are summed, and the latest end time in the batch, rounded to 5 minutes, is taken as the timestamp.
(2) The statistics and timestamp from step (1) are arranged as a two-level dictionary keyed by asset index and protocol type, accumulated into Redis through interface (2), and statistics whose asset timestamp is older than 24 hours are deleted.
(3) Per-asset RCF modelling. Each time an asset reaches its time-series modelling time (the period is 1 hour), the asset's statistics are read from Redis and a time series is built; missing buckets within the 24-hour period are filled with 0. The series is segmented with a sliding window of size w (default 12) and step s (default 1), and an RCF model is built with the contamination parameter defaulting to 1/(7×24×12) ≈ 0.0005, i.e. one anomaly per week of 5-minute buckets. After the model is built and serialised, it is stored in Redis in a three-level dictionary keyed by asset index, statistic protocol and modelling time, and models older than one month are deleted.
(4) Asset-cluster RCF modelling. When assets are clustered, the asset indexes are read from Redis through interface (3), the assets' statistics are fetched, time series are built, and missing buckets within the 24-hour period are filled with 0. All series of the cluster are segmented with a sliding window of size 12 and step 1, and an RCF model is built with contamination defaulting to 1/(7×24×12) ≈ 0.0005. After the model is built and serialised, it is stored in Redis in a three-level dictionary keyed by asset index, statistic protocol and modelling time, and models older than one month are deleted.
As a preferred scheme of the computer system detection method based on network operation security, the real-time intrusion detection unit operates as follows. Network operation parameters carrying an intrusion label are taken as priority monitoring parameters. If the value of a priority monitoring parameter lies outside the network operation security policy, the real-time intrusion type bound to that parameter is taken as the current intrusion type, the current intrusion type is remediated, and the influencing parameters corresponding to it are controlled at the same time. If the value lies within the network operation security policy but the gap between the value and the range threshold in the policy is closing faster than a closing-speed threshold, the parameter is taken as a real-time early-warning parameter, and the influencing parameters of the intrusion type corresponding to it are monitored at the same time.
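The following Python is an added example, not code from the patent or its assignee, that runs the two units just described end to end: the test intrusion early-warning unit labels parameters that fluctuate too often inside a simulated fault window and derives the security policy (a qualified range per parameter), and the real-time unit then reports an intrusion when a labelled parameter leaves its range, or an early warning when its distance to the nearer range threshold is closing faster than a speed threshold. The parameter names, sample values, thresholds, the 10 % policy margin and the definition of a fluctuation as a relative step larger than 0.25 are constructed assumptions; the patent specifies none of them.

```python
"""Added example, not code from the patent or its assignee. Parameter names,
samples, thresholds and the policy margin are constructed assumptions; a
'fluctuation' is taken to be a relative step larger than FLOAT_DELTA between
consecutive samples, which the patent does not define."""
from collections import defaultdict

FLOAT_DELTA = 0.25              # relative step that counts as one value fluctuation
FLOAT_FREQ_THRESHOLD = 2        # label a parameter when fluctuations in the window exceed this
POLICY_MARGIN = 0.10            # qualified range = normal range widened by 10 %
CLOSING_SPEED_THRESHOLD = 1.0   # gap-to-threshold closing speed (units/second) for early warning

# Constructed samples: parameter -> [(t_seconds, value)]; t in [60, 120) is the
# simulated fault window, during which a SYN flood is injected.
FAULT_WINDOW = (60, 120)
SIMULATED_TYPE = "syn_flood"
SAMPLES = {
    "syn_rate":     [(0, 100), (20, 110), (40, 95), (60, 400), (80, 120), (100, 900), (120, 150)],
    "cpu_load":     [(0, 0.30), (20, 0.32), (40, 0.31), (60, 0.85), (80, 0.40), (100, 0.95), (120, 0.38)],
    "dns_qps":      [(0, 50), (20, 52), (40, 49), (60, 120), (80, 55), (100, 54), (120, 53)],
    "disk_free_gb": [(0, 500), (20, 499), (40, 499), (60, 498), (80, 498), (100, 497), (120, 497)],
}
# Constructed live feed for the real-time unit: parameter -> [(t, value)], latest last.
LIVE = {
    "syn_rate": [(200, 100), (210, 162)],
    "cpu_load": [(200, 0.30), (210, 0.70)],
    "dns_qps": [(200, 50), (210, 51)],
    "disk_free_gb": [(200, 497), (210, 497)],
}

def label_intrusions(samples, window, intrusion_type,
                     delta=FLOAT_DELTA, freq_threshold=FLOAT_FREQ_THRESHOLD):
    """Test intrusion early-warning unit: record the moments inside the fault
    window at which each parameter's value fluctuates; a parameter whose
    fluctuation count exceeds freq_threshold gets an intrusion label bound to
    the simulated intrusion type. Returns ({param: type}, {param: [moments]})."""
    lo, hi = window
    labels, moments = {}, defaultdict(list)
    for name, series in samples.items():
        for (t0, v0), (t1, v1) in zip(series, series[1:]):
            if lo <= t1 < hi and abs(v1 - v0) > delta * abs(v0):
                moments[name].append(t1)
        if len(moments[name]) > freq_threshold:
            labels[name] = intrusion_type
    return labels, dict(moments)

def build_policy(samples, window, margin=POLICY_MARGIN):
    """Network operation security policy: the qualified threshold range of each
    parameter, here the range seen outside the fault window widened by margin
    (values assumed positive)."""
    lo, hi = window
    policy = {}
    for name, series in samples.items():
        normal = [v for t, v in series if not lo <= t < hi]
        policy[name] = (min(normal) * (1 - margin), max(normal) * (1 + margin))
    return policy

def monitor(policy, labels, live, speed_threshold=CLOSING_SPEED_THRESHOLD):
    """Real-time intrusion detection unit. Labelled parameters are the priority
    monitoring parameters: a value outside its policy range is an intrusion of
    the bound type; a value inside the range whose distance to the nearer range
    threshold is shrinking faster than speed_threshold is an early warning.
    Returns {param: ("intrusion", type) | ("early_warning", speed) | ("ok", gap)}."""
    report = {}
    for name, itype in labels.items():
        lo, hi = policy[name]
        (t_prev, v_prev), (t_now, v_now) = live[name][-2:]
        if not lo <= v_now <= hi:
            report[name] = ("intrusion", itype)
            continue
        gap = lambda v: min(v - lo, hi - v)      # distance to the nearer range threshold
        speed = (gap(v_prev) - gap(v_now)) / (t_now - t_prev)
        report[name] = ("early_warning", speed) if speed > speed_threshold else ("ok", gap(v_now))
    return report

if __name__ == "__main__":
    labels, moments = label_intrusions(SAMPLES, FAULT_WINDOW, SIMULATED_TYPE)
    print(labels, moments)
    print(monitor(build_policy(SAMPLES, FAULT_WINDOW), labels, LIVE))
```

With the constructed data, syn_rate and cpu_load fluctuate three times inside the fault window and are labelled, dns_qps fluctuates only twice and is not, and the live feed then yields an intrusion for cpu_load (0.70 is outside its qualified range) and an early warning for syn_rate (still inside the range, but its gap to the upper threshold shrinks from 14.5 to 3 in ten seconds). The closing speed is signed, so a parameter moving away from the bound gives a negative speed and never trips the warning, and an out-of-range value is reported as an intrusion before the speed is considered.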
As a preferred embodiment of the method for detecting a computer system based on network operation security of the present invention, the step of detecting whether the target attack device has recognised that the target virtual application is running on a virtual computer further includes the following. If the attack behaviour type information in at least one set does not stand in the first target relation to the target attack behaviour type information, it is determined whether the attack behaviour type information in any set stands in a second target relation to it, the second target relation being that the attack behaviour type information in the set is identical to the target attack behaviour type information. If the attack behaviour type information in some set stands in the second target relation, it is determined that the target attack device has not recognised that the target virtual application runs on a virtual computer; if the attack behaviour type information in the set does not stand in the second target relation either, it is determined that the target attack device has recognised that the target virtual application runs on a virtual computer.
As a preferred embodiment of the method for detecting a computer system based on network operation security of the present invention, the step of detecting whether the target attack device has recognised that the target virtual application is running on a virtual computer further includes: if none of the plurality of target attack behaviour type information belongs to the historical attack behaviour type information of any network attack behaviour ever performed on the target virtual application, it is determined that the target attack device has not recognised that the target virtual application runs on a virtual computer;
the step of detecting whether the target attack device has recognised that the target virtual application is running on a virtual computer further includes: if none of the plurality of target attack behaviour type information belongs to the historical attack behaviour type information of any network attack behaviour ever performed on the target virtual application, new attack event information is generated from the plurality of target attack behaviour type information and stored in the second target database.
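The attack-event lookup and the first/second target relation tests described in this and the preceding preferred schemes reduce to set comparisons. The Python below is an added example, not code from the patent or its assignee; the behaviour type names, the attack records and the contents of the second target database are constructed, and the "no historical type" branch is approximated as "no recorded event contains the first observed behaviour type".

```python
"""Added example, not code from the patent or its assignee: the first/second
target relation test that decides whether the attacker has recognised that the
decoy (target virtual application) runs on a virtual machine. Behaviour types,
attack records and the attack event database are constructed placeholders."""

# Constructed second target database: attack event id -> set of attack behaviour
# types of the network attack behaviours that form the event.
EVENT_DB = {
    "EV-1": {"port_scan", "ssh_bruteforce"},
    "EV-2": {"port_scan", "ssh_bruteforce", "webshell_upload"},
    "EV-3": {"port_scan", "smb_exploit"},
}

# Constructed target attack behaviour data: (attacking device, behaviour type).
ATTACK_RECORDS = [
    ("203.0.113.7", "port_scan"), ("203.0.113.7", "ssh_bruteforce"),
    ("203.0.113.7", "ssh_bruteforce"), ("203.0.113.7", "vm_fingerprint"),
    ("203.0.113.8", "port_scan"),
]

def behaviour_types(records, device):
    """First target thread: the distinct attack behaviour types of one device,
    in order of first occurrence; the first entry drives the event lookup."""
    seen = []
    for dev, kind in records:
        if dev == device and kind not in seen:
            seen.append(kind)
    return seen

def relation(event_types, target_types):
    """'second' if the event's type set is identical to the target types,
    'first' if it is only a part of them (proper subset), 'none' otherwise."""
    if event_types == target_types:
        return "second"
    if event_types < target_types:
        return "first"
    return "none"

def classify(target_list, event_db):
    """Second target thread plus the decision steps. Returns (verdict, detail):
    'check_history_cache' when every candidate event is only a part of what was
    observed (the platform then consults its historical attack data),
    'not_recognised' when some candidate matches exactly or nothing is on record
    (a new event is then stored in event_db), 'recognised' otherwise."""
    target = set(target_list)
    candidates = {eid: ts for eid, ts in event_db.items() if target_list[0] in ts}
    if not candidates:
        # Assumption: "not in the historical behaviour types" is approximated as
        # "no recorded event contains the first observed behaviour type".
        new_id = "EV-%d" % (len(event_db) + 1)
        event_db[new_id] = set(target)
        return "not_recognised", {"new_event": new_id}
    rels = {eid: relation(ts, target) for eid, ts in candidates.items()}
    if all(r == "first" for r in rels.values()):
        return "check_history_cache", rels
    if any(r == "second" for r in rels.values()):
        return "not_recognised", rels
    return "recognised", rels

if __name__ == "__main__":
    types = behaviour_types(ATTACK_RECORDS, "203.0.113.7")
    print(types, classify(types, dict(EVENT_DB)))
```

With these constructed data, a device that scans, brute-forces SSH and then fingerprints the virtual machine matches no recorded event exactly (EV-1 is only a part of what was seen; EV-2 and EV-3 contain types that were not), so the verdict is "recognised"; the same device stopping after the brute force would match EV-1 exactly and be judged not to have recognised the decoy. The verdict depends entirely on what is already in the event database, so its coverage, not the set logic, determines how often recognition is missed.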
As a preferred scheme of the computer system detection method based on network operation security, when threat behaviour is detected, a corresponding security policy can be triggered. The time-series detection module comprises the following steps:
(1) Every 5 minutes, a batch of netflows fetched by Spark Streaming is filtered through interface (1) to those whose destination IP (DstIP) is an intranet asset, then grouped by DstIP; for each group the SYN session count, HTTP uplink message bytes (Back attack), UDP uplink message bytes (UDP flood) and ICMP uplink message bytes (Ping of Death attack) are summed, and the latest end time in the batch, rounded to 5 minutes, is taken as the timestamp.
(2) For the statistics and timestamp from step (1), the residual between each statistic and the predicted value of the time-series linear regression is computed, along with the mean and variance of the accumulated residuals; the accumulated residual mean and variance are written to Redis through interface (2) in a two-level dictionary keyed by asset index and protocol type.
(3) It is checked whether the batch statistic deviates from its prediction by more than n standard deviations, i.e. whether |x_i − x̂_i| ≥ n·σ, with n defaulting to 10; the distribution probability is computed, and the result, together with the batch statistics, is arranged as a two-level dictionary keyed by asset index and protocol type and written to Redis through interface (2); data older than 24 hours are deleted.
(4) A sliding window of size w (default 12) is built from the statistics and timestamps of step (1) and scored with the RCF model. If the RCF model reports an anomaly and the linear regression result for one or more points in the window is also anomalous, alarm information is written to ES through interface (3).
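As an added example, not code from the patent or its assignee, the Python below runs the linear regression modelling steps (1) to (4) and the detection steps (1) to (3) over a constructed two-day netflow trace: 5-minute batches are bucketed per intranet asset and protocol, a 24-hour series with zero-filled gaps is kept per key, time-of-day and lag features feed an online L1-penalised SGD regressor, and each new bucket is flagged when its residual reaches n·σ of the accumulated residuals with n = 10. Spark Streaming, Redis and scikit-learn's SGDRegressor are replaced by small in-memory stand-ins so that it runs offline, the RCF stage and the write to ES are not reproduced, and the asset list, the log1p scaling, the lag set, the σ floor and the choice not to learn from flagged buckets are assumptions.

```python
"""Added example, not code from the patent or its assignee: a stdlib-only walk-through
of the linear regression modelling steps (1)-(4) and detection steps (1)-(3) above.
Spark Streaming, Redis and scikit-learn's SGDRegressor are replaced by in-memory
stand-ins, the RCF stage is not reproduced, and all flow records are constructed;
names, thresholds and the log1p scaling are assumptions."""
import math
from collections import defaultdict

BUCKET, RETENTION = 300, 24 * 3600   # 5-minute buckets; 24 h kept per (asset, protocol)
LAGS = (1, 2, 12)                    # autocorrelation features: 5 min, 10 min, 1 h back
SCALE = 1.0 / math.log1p(1e7)        # log1p scaling so counts and bytes land in about [0, 1]
INTRANET = {"10.0.0.5"}              # hypothetical intranet asset list

def scale(v):
    return math.log1p(v) * SCALE

def bucket_batch(batch, intranet):
    """Step (1): keep flows to intranet assets, group by (DstIP, proto), sum SYN count or
    uplink bytes, and stamp the batch with its latest end time rounded down to 5 minutes."""
    ts = max(f["end"] for f in batch) // BUCKET * BUCKET
    sums = defaultdict(float)
    for f in batch:
        if f["dst"] in intranet:
            sums[(f["dst"], f["proto"])] += f["syn"] if f["proto"] == "SYN" else f["up_bytes"]
    return ts, dict(sums)

class SeriesStore:
    """Step (2): the two-level dictionary {(asset, proto): {ts: value}} with 24 h expiry."""
    def __init__(self):
        self.data = defaultdict(dict)
    def add(self, ts, sums):
        for key, v in sums.items():
            self.data[key][ts] = v
            for old in [t for t in self.data[key] if ts - t >= RETENTION]:
                del self.data[key][old]
    def series(self, key, end_ts):
        """Step (3): 24 h of 5-minute buckets ending at end_ts, missing buckets = 0."""
        d = self.data[key]
        return [d.get(t, 0.0) for t in range(end_ts - RETENTION + BUCKET, end_ts + 1, BUCKET)]

def features(series, ts):
    """Time-of-day features plus lagged (autocorrelation) values for the last bucket."""
    frac = (ts % 86400) / 86400
    time_feats = [1.0, math.sin(2 * math.pi * frac), math.cos(2 * math.pi * frac)]
    return time_feats + [scale(series[-1 - lag]) for lag in LAGS]

class SGDL1Regressor:
    """Minimal stand-in for sklearn's SGDRegressor(penalty='l1') with partial_fit."""
    def __init__(self, n_features, lr=0.05, alpha=1e-4):
        self.w, self.lr, self.alpha = [0.0] * n_features, lr, alpha
    def predict(self, x):
        return sum(w * xi for w, xi in zip(self.w, x))
    def partial_fit(self, X, y):
        for x, target in zip(X, y):
            err = self.predict(x) - target
            self.w = [w - self.lr * (err * xi + self.alpha * ((w > 0) - (w < 0)))
                      for w, xi in zip(self.w, x)]

class ResidualDetector:
    """Detection steps (2)-(3): accumulate residual mean/variance per key (Welford) and
    flag |x_i - x̂_i| >= n·σ, n defaulting to 10 as in the patent. The floor on σ is an
    assumption that keeps a near-perfect fit from turning float noise into alarms."""
    def __init__(self, n=10.0, warmup=24, sigma_floor=0.01):
        self.n, self.warmup, self.floor = n, warmup, sigma_floor
        self.stats = defaultdict(lambda: [0, 0.0, 0.0])   # count, mean, M2
    def update(self, key, r):
        s = self.stats[key]
        s[0] += 1
        delta = r - s[1]
        s[1] += delta / s[0]
        s[2] += delta * (r - s[1])
    def is_anomalous(self, key, r):
        cnt, _, m2 = self.stats[key]
        if cnt < self.warmup:
            return False
        return abs(r) >= self.n * max(math.sqrt(m2 / (cnt - 1)), self.floor)

def run_pipeline(batches, intranet=INTRANET, n_sigma=10.0):
    """Feed 5-minute batches through modelling and detection. The first 24 h only train;
    afterwards each bucket is predicted, checked, then learned. Flagged buckets are neither
    learned nor added to the residual statistics (assumption: do not let an attack poison
    the baseline). Returns {(asset, proto): [flagged timestamps]}."""
    store, models, det, alarms = SeriesStore(), {}, ResidualDetector(n=n_sigma), defaultdict(list)
    start = None
    for batch in batches:
        ts, sums = bucket_batch(batch, intranet)
        start = ts if start is None else start
        store.add(ts, sums)
        for key in sums:
            series = store.series(key, ts)
            x, y = features(series, ts), scale(series[-1])
            model = models.setdefault(key, SGDL1Regressor(len(x)))
            if ts - start >= RETENTION:
                r = y - model.predict(x)
                if det.is_anomalous(key, r):
                    alarms[key].append(ts)
                    continue
                det.update(key, r)
            model.partial_fit([x], [y])
    return dict(alarms)

T0 = 1_700_000_000 - 1_700_000_000 % BUCKET   # aligned start of the constructed trace

def constructed_batches(hours=42, flood_hour=40, flood_buckets=2):
    """Constructed traffic: a diurnal SYN baseline towards 10.0.0.5 plus a short SYN
    flood starting at flood_hour; one batch (a list of flows) per 5-minute bucket."""
    batches = []
    for i in range(hours * 12):
        ts = T0 + i * BUCKET
        syn = 50 + 30 * math.sin(2 * math.pi * (ts % 86400) / 86400) + (i * 7919) % 11 - 5
        if flood_hour * 12 <= i < flood_hour * 12 + flood_buckets:
            syn += 100_000
        batches.append([{"end": ts + 120, "dst": "10.0.0.5", "proto": "SYN", "syn": syn, "up_bytes": 0},
                        {"end": ts + 200, "dst": "198.51.100.9", "proto": "SYN", "syn": 999, "up_bytes": 0}])
    return batches
```

Running `run_pipeline(constructed_batches())` flags the two flood buckets at hour 40 (and possibly the buckets immediately after them, whose lag features still carry the flood values) and nothing in the preceding day. Two caveats the patent's description leaves open: σ is computed from every residual seen so far, so if flagged buckets were also fed into the statistics a single flood would inflate σ and mask later, smaller attacks, which is why the example updates neither the model nor the statistics on a flagged bucket; and with n = 10 and a floor on σ the rule only fires for roughly a fivefold jump in the scaled value, which catches a flood but not a slow ramp, the case the RCF window scoring of step (4) is meant to cover.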
The beneficial effects of the invention are as follows. Log data, traffic data and other security data of the network devices are collected; the collected data are preprocessed (cleaned, format-converted, and so on) for the subsequent threat detection algorithm. By combining Netflow analysis, time-series analysis, machine learning and security defence measures, and through time-series analysis, trend analysis, period analysis and time-series prediction, potential security threats in the network system can be rapidly identified and responded to. The method can analyse historical data to predict future threats and triggers the corresponding security policy when threat behaviour is detected, improving the security of the network system; model and algorithm parameters can be adjusted adaptively to suit different network environments and threat conditions. Building characteristic profiles for the computer network and its corresponding users improves the operating efficiency of the network and the quality of use for those users, improves the accuracy of security intrusion detection on the basis of the constructed profiles, indirectly protects user data and reduces the risk of network faults.
Setting and controlling a security reference threshold in the computer network prevents a threshold set too high from raising the missed-detection rate and a threshold set too low from raising the false-alarm rate; accurate control of the reference threshold strengthens the network's security detection and its working efficiency. Real-time intrusion detection on the running computer network improves intrusion detection efficiency, and targeted detection helps reduce the detection load. Running the target virtual application on the target physical computer makes it harder for the target virtual application to be recognised, solving the problem that it is easily recognised when it always runs on a virtual computer and the poor protection of existing network operation security technology, while avoiding the high cost of always running the target virtual application directly on a target physical computer; the method therefore has high practical value.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Wherein:
FIG. 1 is a block diagram of an algorithm cluster for a computer system detection method based on network operational security according to an embodiment of the present application;
FIG. 2 is a diagram showing steps of a time-series regression modeling method for a computer system detection method based on network operation security according to an embodiment of the present application;
FIG. 3 is a functional block diagram of a method for detecting a computer system based on network operational security according to one embodiment of the present application;
FIG. 4 is a flowchart illustrating steps of a method for detecting a computer system based on network operation security according to an embodiment of the present application;
FIG. 5 is a block diagram illustrating a time series detection module of a method for detecting a computer system based on network operation security according to an embodiment of the present application;
Detailed Description
In order that the above-recited objects, features and advantages of the present application will become more readily apparent, a more particular description of the application will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
Embodiment 1. Referring to FIG. 1-5, a first embodiment of the present application provides a computer system detection method based on network operation security. The memory and the processor are electrically connected directly or indirectly to realize data transmission or interaction, for example through one or more communication buses or signal lines. The memory may store at least one software functional module, which may exist in the form of software or firmware. The processor may be configured to execute an executable computer program stored in the memory, such as the software functional module, to implement the big-data-based network operation security protection method provided by an embodiment of the present application (described below). Alternatively, the memory may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and the like. Also, the processor may be a general-purpose processor including a central processing unit (CPU), a network processor (NP), a system on chip (SoC), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. The network operation security protection platform may be a server with data processing capabilities.
Also, the network operation security platform may include more or fewer components than shown, or have a different configuration from that shown, and may for example also include a communication unit for information interaction with other devices. The embodiment of the application also provides a big-data-based network operation security protection method which can be applied to the network operation security protection platform; the method steps defined by the flow of the big-data-based network operation security protection method can be realized by the network operation security protection platform.
The server generates a feature profile construction signal and sends it to the feature profile construction unit. After receiving the signal, the feature profile construction unit builds feature profiles for the computer network and the corresponding user, which improves the operating efficiency of the computer network and the quality of use for the corresponding user; at the same time the accuracy of security intrusion detection is improved on the basis of the constructed feature profiles, the user's data are indirectly protected, and the failure risk of the computer network is reduced. When the computer network is in communication connection with the user, the communication process is analyzed according to the execution operations performed by the user after logging in to the computer network: if the frequency of an execution operation of the user exceeds the execution frequency threshold, the operation is marked as a counted execution; otherwise it is marked as a non-counted execution. The counted executions of the user during the communication process are summarized into an execution sequence and a user feature profile is constructed; the execution features of the counted executions are collected into the user feature profile, where the execution features are characteristics such as the frequency and time consumption of the corresponding execution operation after the user logs in to the computer network, and the user feature profile is represented as the browsing flow formed by combining the user's counted executions in execution order and includes the execution features of each counted execution.
When the corresponding user feature profile is executed, the response operations in the computer network are analyzed: if the occurrence probability of a response operation in the computer network exceeds the probability threshold, it is marked as a counted response; otherwise it is marked as a non-counted response. The counted responses of the computer network are ordered according to the sequence of the user feature profile, the response features of the counted responses are collected in that order, and the network feature profile is constructed from them, where the response features are characteristics such as the response duration and pass rate of the computer network for the operations executed by the user. The network feature profile is matched with the user feature profile of each user in the computer network; the network feature profile differs for different user feature profiles, so that each user feature profile corresponds to one network feature profile.
After the feature profiles are built, the server generates a reference threshold setting control signal and sends it to the reference threshold setting control unit. After receiving the signal, the reference threshold setting control unit sets and controls the security reference threshold in the computer network, preventing a rise in the missed-alarm rate caused by a threshold that is too high while also preventing an excessive false-alarm rate caused by a threshold that is too low; accurate control of the security reference threshold improves the strength of security detection in the computer network and enhances its working efficiency. After the user feature profiles and the network feature profiles of the users are built, a matched and qualified user feature profile and network feature profile form an operation closed loop. The user execution features and network response features in the operation closed loop are analyzed, and when the user execution features or the network response features vary in their parameter values, the variation is marked as an update of the operation closed loop. During the update of the operation closed loop, the buffer duration between the fluctuation moment of the user execution feature and the fluctuation moment of the network response feature, and the frequency with which the user execution feature fluctuation and the network response feature fluctuation are disproportionate, are collected and compared with the buffer duration threshold and the disproportionate-frequency threshold respectively. In this application, "disproportionate" means that after the user execution feature fluctuates, the network response feature fluctuates but cannot meet the requirement of the user execution feature. If, during the update of the operation closed loop, the buffer duration between the fluctuation moment of the user execution feature and the fluctuation moment of the network response feature exceeds the buffer duration threshold, or the frequency of disproportionate fluctuation exceeds the disproportionate-frequency threshold, it is judged that the network operation security reference threshold needs to be reset: a threshold reset signal is generated and sent to the server, and after receiving it the server resets the security reference threshold in the corresponding computer network according to the real-time working intensity, where the security reference threshold is a threshold on a network security detection parameter of the prior art, for example the network speed fluctuation frequency or the network speed fluctuation value. If the buffer duration does not exceed the buffer duration threshold and the frequency of disproportionate fluctuation does not exceed the disproportionate-frequency threshold, it is judged that the network operation security reference threshold is satisfied, and a threshold satisfied signal is generated and sent to the server;
According to the periodic synchronized traffic statistics sent by the probes to the detection server platform, the algorithm performs time-series modeling and anomaly detection for SYN, HTTP, UDP and ICMP flood attacks, and runs on the algorithm cluster module of the detection system;
the algorithm is further decomposed into three modules: time-series linear regression modeling, time-series RCF modeling and time-series detection.
The feature extraction stage uses a machine learning algorithm to extract features of the data; the time-series linear regression modeling comprises the following steps:
First, a batch of Netflow records taken out of SparkStreaming every 5 minutes through interface (1) is filtered on the condition that DestIP is an intranet asset, then grouped (groupby) by DstIP; for each group the upstream SYN/SYNACK count, HTTP upstream message bytes (Back attack), UDP upstream message bytes (UDP flood) and ICMP upstream message bytes (Ping of Death attack) are summed, and the latest end time in the batch, rounded to 5 minutes, is taken as the time stamp;
Second, a secondary dictionary is constructed from the statistical values and time stamp obtained in step 1 and accumulated into Redis through interface (2); statistical values whose asset time stamp is older than 24 hours are deleted;
(III) Per-asset linear regression modeling. Each time the time-series modeling time of an asset arrives (the period is 1 hour), the different statistical values of the asset are read from Redis and a time series is constructed; missing dates are filled over a 24-hour period, taking 0 for missing values; for the time series the following time features and autocorrelation features are extracted:
f_hour: what hour of the day
F_weekday: day of the week
F_is_weekend: whether or not it is Saturday or Sunday
F_weekday_avg: average by weekday
F_hour_avg: mean by hour
F_lag_12: forward 12 th data point
F_lag_13: forward 13 th data point
F_lag_14: forward 14 th data point
F_lag_15: forward 15 th data point
F_lag_16: forward 16 th data point
F_lag_17: forward 17 th data point
F_lag_18: forward 18 th data point
F_lag_19: forward 19 th data point
F_lag_20: forward 20 th data point
F_lag_21: forward 21 st data point
F_lag_22: forward 22 th data point
F_lag_23: forward 23 rd data point
F_lag_24: forward 24 th data point
Modeling uses SGDRegressor with an L1 penalty, fitted online and incrementally through its partial_fit method; after the model is built and serialized, it is stored in Redis with the asset index and statistical protocol as a secondary dictionary;
(V) Asset-cluster linear regression modeling. When assets are clustered, the asset indexes are read from Redis through interface (3), the different statistical values of the assets are taken out and a time series is constructed; modeling uses SGDRegressor with an L1 penalty, fitted online and incrementally through partial_fit; after the model is built and serialized, it is stored in Redis with the asset index and protocol type as a secondary dictionary.
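Added example (mine, not code from the patent): the 5-minute bucketing, 24-hour zero-filling and the time/lag feature extraction of steps (I) to (III) above, in pure Python. The fitting step (SGDRegressor with partial_fit) is not reproduced; the day of SYN counts, the `missing` buckets and the asset are constructed inputs.

```python
"""Added example (not from the patent): 5-minute bucketing, 24-hour zero-filling
and the time / autocorrelation features of the time-series linear regression step.

Assumptions (mine): samples arrive as (epoch_seconds, value) pairs for one asset
and one protocol; the series covers the 24 h ending at the modelling time."""
from collections import defaultdict
from datetime import datetime, timezone

BUCKET = 300              # statistics are aggregated per 5 minutes
PERIOD = 24 * 60 * 60     # missing buckets are filled over a 24-hour period
LAGS = range(12, 25)      # F_lag_12 .. F_lag_24: 1 h to 2 h back in 5-min steps


def round_down(ts):
    """Round an epoch timestamp down to its 5-minute bucket (the 'rounding
    according to 5 minutes' applied to the batch end time)."""
    return ts - ts % BUCKET


def fill_series(samples, end_ts):
    """Return 288 (bucket_ts, value) pairs for the 24 h ending at end_ts.
    Buckets without a sample take 0, as step (III) prescribes; duplicate
    samples inside one bucket are summed."""
    end = round_down(end_ts)
    start = end - PERIOD + BUCKET
    got = {}
    for ts, value in samples:
        b = round_down(ts)
        if start <= b <= end:
            got[b] = got.get(b, 0) + value
    return [(b, got.get(b, 0)) for b in range(start, end + BUCKET, BUCKET)]


def extract_features(series):
    """Build the feature dict of the text for every point that has all
    24 lags available (index >= 24). Returns (bucket_ts, value, features)."""
    by_hour, by_wday = defaultdict(list), defaultdict(list)
    for b, v in series:
        dt = datetime.fromtimestamp(b, tz=timezone.utc)
        by_hour[dt.hour].append(v)
        by_wday[dt.weekday()].append(v)
    hour_avg = {h: sum(vs) / len(vs) for h, vs in by_hour.items()}
    wday_avg = {d: sum(vs) / len(vs) for d, vs in by_wday.items()}

    rows = []
    for i in range(max(LAGS), len(series)):
        b, v = series[i]
        dt = datetime.fromtimestamp(b, tz=timezone.utc)
        feat = {
            "f_hour": dt.hour,                       # hour of the day
            "f_weekday": dt.weekday(),               # 0 = Monday .. 6 = Sunday
            "f_is_weekend": int(dt.weekday() >= 5),  # Saturday or Sunday
            "f_weekday_avg": wday_avg[dt.weekday()],
            "f_hour_avg": hour_avg[dt.hour],
        }
        for k in LAGS:                               # k-th previous data point
            feat["f_lag_%d" % k] = series[i - k][1]
        rows.append((b, v, feat))
    return rows


def constructed_samples(end_ts, missing=()):
    """Constructed input, not real traffic: one day of 5-minute SYN counts
    for one asset, value 10*i in bucket i, with the listed buckets absent."""
    end = round_down(end_ts)
    start = end - PERIOD + BUCKET
    return [(start + i * BUCKET, 10 * i) for i in range(288) if i not in missing]


if __name__ == "__main__":
    END = 1704715200   # 2024-01-08 12:00:00 UTC, a Monday (constructed)
    series = fill_series(constructed_samples(END, missing={100}), END)
    for b, v, feat in extract_features(series)[-3:]:
        print(datetime.fromtimestamp(b, tz=timezone.utc), v,
              feat["f_lag_12"], feat["f_hour_avg"])
```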
The threat detection stage uses a time-factor-based threat detection algorithm to classify and predict the feature vectors; the time-series RCF modeling steps are as follows: first, a batch of Netflow records is taken out of SparkStreaming every 5 minutes through interface (1) and filtered on the condition that DestIP is an intranet asset, then grouped (groupby) by DstIP; for each group the SYN session count, HTTP uplink message bytes (Back attack), UDP uplink message bytes (UDP flood) and ICMP uplink message bytes (Ping of Death attack) are summed, and the latest end time in the Netflow batch, rounded to 5 minutes, is taken as the time stamp;
Second, a secondary dictionary keyed by asset index and protocol type is constructed from the statistical values and time stamp obtained in step 1 and accumulated into Redis through interface (2); statistical values whose asset time stamp is older than 24 hours are deleted;
(III) Per-asset RCF modeling. Each time the time-series modeling time of an asset arrives (the period is 1 hour), the different statistical values of the asset are read from Redis and a time series is constructed; missing dates are filled over a 24-hour period, taking 0 for missing values; the time series is segmented with a sliding window whose size w defaults to 12 and whose step s defaults to 1; modeling is performed with RCF, with the contamination defaulting to 1/(7×24×12) ≈ 0.0005; after the model is built and serialized it is stored in Redis with the asset index, statistical protocol and modeling time as a tertiary dictionary, and models older than one month are deleted;
(IV) Asset-cluster RCF modeling. When assets are clustered, the asset indexes are read from Redis through interface (3), the different statistical values of the assets are taken out, a time series is constructed, and missing dates are filled over a 24-hour period, taking 0 for missing values; all time series of the cluster are segmented with a sliding window whose size defaults to 12 and whose step is 1; modeling is performed with RCF, with the contamination defaulting to 1/(7×24×12) ≈ 0.0005; after the model is built and serialized it is stored in Redis with the asset index, statistical protocol and modeling time as a tertiary dictionary, and models older than one month are deleted.
When threat behavior is detected, the corresponding security policy can be triggered; the time-series detection module comprises the following steps:
First, a batch of Netflow records taken out of SparkStreaming every 5 minutes through interface (1) is filtered on the condition that DestIP is an intranet asset, then grouped (groupby) by DstIP; for each group the SYN session count, HTTP uplink message bytes (Back attack), UDP uplink message bytes (UDP flood) and ICMP uplink message bytes (Ping of Death attack) are summed, and the latest end time in the batch, rounded to 5 minutes, is taken as the time stamp;
Second, for the statistical values and time stamp obtained in step 1, the residual against the prediction of the time-series linear regression is calculated, the mean and variance of the accumulated residuals are updated, and they are written into Redis through interface (2) with the asset index and protocol type as a secondary dictionary;
Third, it is calculated whether the statistic of the batch exceeds 10 times the standard deviation, i.e. |x_i − x̂_i| ≥ n·σ with n defaulting to 10; the distribution probability is calculated and, together with the statistical values of the batch, written into Redis as a secondary dictionary by asset index and protocol type through interface (2); data older than 24 hours are deleted;
Fourth, a sliding window of size w (default 12) is built from the statistical values and time stamps obtained in step 1 and detected with the RCF model; if the RCF model reports an anomaly and the linear regression result of one or more data points in the sliding window is abnormal, alarm information is written into ES through interface (3).
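Added example (mine, not the patent's code): steps two to four of the detection module above, with the running residual mean/variance, the n·σ test (n = 10) and the w = 12 sliding window that the RCF modeling steps also use. It assumes the RCF verdict for the current window is supplied by the caller (the RCF model itself is not reproduced), that 12 residuals are accumulated before the n·σ test is applied, and that alerts go to a list standing in for ES; the asset, timestamps and values are constructed.

```python
"""Added example (not from the patent): the residual test and alert rule of the
time-series detection module.

Assumptions (mine): the RCF verdict for the current window is supplied by the
caller; the n-sigma test starts after WARMUP residuals; alerts go to a list."""
import math
from collections import deque

N_SIGMA = 10   # default n of step three: |x_i - x_hat_i| >= n * sigma
WINDOW = 12    # default sliding-window size w of step four
WARMUP = 12    # assumption: residuals accumulated before the test is applied


class ResidualStats:
    """Mean and variance of the accumulated residuals, updated online
    (Welford's algorithm), one instance per (asset, protocol)."""
    def __init__(self):
        self.count, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, r):
        self.count += 1
        delta = r - self.mean
        self.mean += delta / self.count
        self.m2 += delta * (r - self.mean)

    @property
    def sigma(self):
        return math.sqrt(self.m2 / self.count) if self.count else 0.0


class TimeSeriesDetector:
    def __init__(self, n_sigma=N_SIGMA, window=WINDOW, warmup=WARMUP):
        self.n_sigma, self.window, self.warmup = n_sigma, window, warmup
        self.stats = {}     # (asset, protocol) -> ResidualStats (the Redis dict)
        self.windows = {}   # (asset, protocol) -> deque of (ts, value, flag)
        self.alerts = []    # stands in for the ES alarm store

    def regression_test(self, key, value, predicted):
        """Step three: flag the point when its residual against the linear
        regression prediction exceeds n standard deviations of the residuals
        seen so far. sigma is read before the update so the point cannot
        inflate its own threshold; with sigma == 0 any non-zero residual
        counts as anomalous."""
        st = self.stats.setdefault(key, ResidualStats())
        residual = abs(value - predicted)
        sigma = st.sigma
        flag = st.count >= self.warmup and residual > self.n_sigma * sigma
        st.update(residual)
        return flag, residual, sigma

    def observe(self, key, ts, value, predicted, rcf_anomaly):
        """Step four: keep a w-point sliding window and raise an alert only
        when the RCF model flags the window AND at least one point inside it
        failed the regression test. Returns the alert dict or None."""
        flag, residual, sigma = self.regression_test(key, value, predicted)
        win = self.windows.setdefault(key, deque(maxlen=self.window))
        win.append((ts, value, flag))
        flagged = sum(1 for _, _, f in win if f)
        if not (rcf_anomaly and flagged):
            return None
        alert = {"asset": key[0], "protocol": key[1], "timestamp": ts,
                 "value": value, "residual": residual, "sigma": sigma,
                 "flagged_in_window": flagged}
        self.alerts.append(alert)
        return alert


if __name__ == "__main__":
    det = TimeSeriesDetector()
    key, t0 = ("10.0.0.5", "SYN"), 1704715200          # constructed asset and time
    for i in range(24):                                 # quiet traffic, 100..102 SYN per 5 min
        det.observe(key, t0 + i * 300, 100 + i % 3, 100, False)
    det.observe(key, t0 + 24 * 300, 5000, 100, False)   # burst, RCF still quiet
    print(det.observe(key, t0 + 25 * 300, 100, 100, True))
```

Without the RCF verdict the burst alone produces no alert, and an RCF verdict on a window with no regression anomaly produces none either; both conditions must hold, as step four requires.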
In summary, the computer system detection method for network operation security of the invention performs denoising, establishes a reference threshold and establishes a virtual application on a virtual computer; it establishes a communication connection between the computer network and the user, builds network feature profiles according to the sequence of the user feature profiles, performs feature extraction, normalization and other operations, and the time-series analysis steps of the algorithm comprise trend analysis, period analysis and time-series prediction, so that network threat behavior can be identified more accurately and the level of network operation security improved; the algorithm is decomposed into the three modules of time-series linear regression modeling, time-series RCF modeling and time-series detection, and combined with Netflow analysis and time-series analysis, so that potential security threats in the network system can be rapidly identified and responded to; future threats can be analyzed and predicted from historical data and corresponding security defense measures adopted, improving the security of the network system; and the method can adaptively adjust the model and algorithm parameters to suit different network environments and threat conditions.
Importantly, although only a few embodiments have been described in detail in this disclosure, those skilled in the art who review this disclosure will readily appreciate that many modifications are possible without materially departing from the novel teachings and advantages of the subject matter described in this application.
Furthermore, in an effort to provide a concise description of the exemplary embodiments, all features of an actual implementation may not be described (i.e., those not associated with the best mode presently contemplated for carrying out the invention, or those not associated with practicing the invention).
It should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions may be made.
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.

Claims (8)

1. A computer system detection method based on network operation security, characterized by comprising a server, the server being connected with a feature profile construction unit which builds feature profiles for the computer network and the corresponding users to obtain a network feature profile and a user feature profile of the computer; the network feature profile is matched with the user feature profile of each user in the computer network, and the network feature profile differs for different user feature profiles;
further comprising: feature extraction and threat detection, with a time factor introduced in the threat detection stage to improve the accuracy of threat detection; according to the periodic synchronized traffic statistics sent by the probes to the detection server platform, the algorithm performs time-series modeling and anomaly detection for SYN, HTTP, UDP and ICMP flood attacks, and runs on the algorithm cluster module of the detection system;
the reference threshold setting control unit is used to set and control the security reference threshold in the computer network; after the user feature profile and the network feature profile of a user are built, the matched and qualified user feature profile and network feature profile form an operation closed loop, the operation closed loop is analyzed, a threshold reset signal or a threshold satisfied signal is generated and sent to the server; the test intrusion early-warning analysis unit performs intrusion simulation on the current computer network, judges through the simulation which parameters are affected by abnormal operation of each part of the computer network, generates a network operation security policy, an intrusion label and a real-time intrusion type through analysis, and sends them to the server; the real-time intrusion detection unit performs real-time intrusion detection on the computer network running in real time, and maintains and gives early warning on the network operation parameters through analysis;
in the process in which a target attack device attacks a target virtual application, it is detected whether the target attack device has identified that the target virtual application runs on a virtual computer, the target virtual application being generated from business logic that simulates the target application; if it is detected that the target attack device has identified that the target virtual application runs on the virtual computer, target historical data are acquired from a first target database, the target historical data being generated each time the target virtual application was identified as running on the virtual computer; based on the target historical data it is determined whether the target virtual application will be identified as running on the virtual computer when it is attacked next time; if it will be so identified, the target virtual application is run on a target physical computer, the target physical computer being the network operation security protection platform or another network device associated with the network operation security protection platform;
when the computer network is in communication connection with the user, the communication process is analyzed according to the execution operations performed by the user after logging in to the computer network: if the frequency of an execution operation of the user exceeds the execution frequency threshold, the operation is marked as a counted execution; otherwise it is marked as a non-counted execution; the counted executions of the user during the communication process are summarized into an execution sequence and a user feature profile is constructed; the execution features of the counted executions are collected into the user feature profile, where the execution features are expressed as the frequency and time consumption of the corresponding execution operation after the user logs in to the computer network; the user feature profile is expressed as the browsing flow formed by combining the user's counted executions in execution order and comprises the execution features of each counted execution; when the corresponding user feature profile is executed, the response operations in the computer network are analyzed: if the occurrence probability of a response operation in the computer network exceeds the probability threshold, it is marked as a counted response; otherwise it is marked as a non-counted response; the counted responses of the computer network are ordered according to the sequence of the user feature profile, the response features of the counted responses are collected in that order, and the network feature profile is constructed after the response features are collected, where the response features are expressed as the response duration and pass rate of the computer network for the operations executed by the user;
the algorithm is further decomposed into three modules: time-series linear regression modeling, time-series RCF modeling and time-series detection.
2. The computer system detection method based on network operation security according to claim 1, wherein: it is detected whether the target attack device stops attacking the target virtual application; if it is detected that the target attack device has stopped attacking the target virtual application, target attack behavior data of the target attack device are obtained, the target attack behavior data being generated from all network attack behaviors of the target attack device against the target virtual application; the target attack behavior data are analyzed by a first target thread to obtain a first analysis result, which comprises at least one piece of target attack behavior type information for the network attack behaviors performed by the target attack device on the target virtual application; attack event request information is generated by a second target thread based on the first target attack behavior type information, and at least one piece of target attack event information is searched for in a second target database based on the attack event request information, where the attack event corresponding to each piece of target attack event information is formed at least from the network attack behavior corresponding to the first target attack behavior type information, the second target database comprises a plurality of pieces of attack event information, and the attack event corresponding to each piece of attack event information is formed from at least one network attack behavior; for each piece of target attack event information, all attack behavior type information corresponding to all network attack behaviors forming its attack event is acquired and forms the attack behavior type information set of that target attack event information; the relation between all attack behavior type information in each attack behavior type information set and the target attack behavior type information is determined; if all attack behavior type information in an attack behavior type information set and the target attack behavior type information belong to a first target relation, historical attack data are searched for in a target cache of the network operation security platform, where the first target relation is that all attack behavior type information in the attack behavior type information set belongs to a part of the plurality of target attack behavior type information, and the historical attack data are generated from network attack behaviors carried out on the target virtual application in the past by the target attack device or other devices;
a fault time period is set according to the simulated faults of the hardware devices and network devices; the value fluctuation moments and value fluctuation frequencies of the real-time network operation parameters within the fault time period are collected; an intrusion label is set for each type of real-time network operation parameter whose value fluctuation frequency exceeds the fluctuation frequency threshold, the intrusion label is bound to the real-time intrusion type and sent to the server; real-time network operation parameters carrying an intrusion label are marked as influencing parameters, the qualified parameters of the computer network are screened according to the influencing parameters, the screened qualified parameters are marked as the network operation security policy and sent to the server; the network operation security policy is expressed as the qualified threshold range of the network operation parameters.
3. The method for detecting a computer system based on network operation security according to claim 1, wherein: the feature extraction stage uses a machine learning algorithm to extract features from the data; the time-series linear regression modelling comprises the following steps:
(1) a batch of Netflow records taken out of Spark Streaming every 5 minutes is read through interface (1), filtered on the condition that the DestIP is an intranet asset, and grouped by DstIP; for each group, the uplink SYN/SYN-ACK count and the uplink HTTP, UDP and ICMP message bytes are summed, and the latest end time in the batch, rounded to 5 minutes, is used as the timestamp;
(2) the statistical values and timestamp obtained in step (1) are arranged as a secondary dictionary and accumulated into Redis through interface (2), and statistical values whose asset timestamp is older than 24 hours are deleted;
(3) asset linear regression modelling: whenever an asset reaches its time-series modelling time, the various statistical values of the asset are read from Redis and a time series is constructed; missing dates are filled on a 24-hour cycle, with missing values taken as 0; time features and autocorrelation features are extracted from the time series;
(4) the series is modelled with SGDRegressor using an L1 penalty, with online incremental modelling performed through the partial_fit method; after the model has been built and serialised, it is stored in Redis under a secondary dictionary keyed by asset index and statistical protocol;
(5) asset-cluster linear regression modelling: when assets are clustered, the asset indexes are read from Redis through interface (3), the various statistical values of the assets are taken out and a time series is constructed; it is modelled with SGDRegressor using an L1 penalty, with online incremental modelling performed through partial_fit; after the model has been built and serialised, it is stored in Redis under a secondary dictionary keyed by asset index and protocol type.
4. The method for detecting a computer system based on network operation security according to claim 3, wherein: the threat detection stage uses a threat detection algorithm based on a time factor to classify and predict the feature vectors; the time-series RCF modelling steps are as follows:
(1) a batch of Netflow records taken out of Spark Streaming every 5 minutes is read through interface (1), filtered on the condition that the DestIP is an intranet asset, and grouped by DstIP; for each group, the SYN session count and the uplink HTTP, UDP and ICMP message bytes are summed, and the latest end time in the Netflow batch, rounded to 5 minutes, is used as the timestamp;
(2) the statistical values and timestamp obtained in step (1) are arranged as a secondary dictionary keyed by asset index and protocol type and accumulated into Redis through interface (2), and statistical values whose asset timestamp is older than 24 hours are deleted;
(3) asset RCF modelling: whenever an asset reaches its time-series modelling time, the various statistics of the asset are read from Redis and a time series is constructed; missing dates are filled on a 24-hour cycle, with missing values taken as 0; the time series is segmented with a sliding window, the window size w defaulting to 12 and the sliding step s defaulting to 1; the segments are modelled with RCF, the contamination parameter being left at its default value; after the model has been built and serialised, it is stored in Redis under a three-level dictionary keyed by asset index, statistical protocol and modelling time, and models older than one month are deleted;
(4) asset-cluster RCF modelling: when assets are clustered, the asset indexes are read from Redis through interface (3), the various statistical values of the assets are taken out, a time series is constructed, missing dates are filled on a 24-hour cycle, and missing values are taken as 0; all time series of the cluster are segmented with a sliding window, the window size defaulting to 12 and the sliding step to 1; the segments are modelled with RCF, the contamination parameter being left at its default value; after the model has been built and serialised, it is stored in Redis under a three-level dictionary keyed by asset index, statistical protocol and modelling time, and models older than one month are deleted.
5. The method for detecting a computer system based on network operation security according to claim 1, wherein: the real-time intrusion detection unit operates as follows: the network operation parameters carrying an intrusion label are taken as priority monitoring parameters; if the value of a priority monitoring parameter is outside the network operation security policy, the real-time intrusion type corresponding to that priority monitoring parameter is taken as the current intrusion type, the current intrusion type is rectified and, at the same time, the influencing parameter corresponding to the current intrusion type is controlled; when the value of a priority monitoring parameter is within the network operation security policy, if the rate at which the difference between the value of the priority monitoring parameter and the range threshold in the network operation security policy shrinks exceeds a shrink-rate threshold, that priority monitoring parameter is taken as a real-time early-warning parameter and, at the same time, the influencing parameter of the intrusion type corresponding to that priority monitoring parameter is monitored.
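The parameter labelling from the second part of claim 2 and the monitoring rule of claim 5, as an added example that is not the patent's code. The parameter names, the sample values, the definition of a fluctuation moment as any change between consecutive samples, the way the qualified range is derived from fault-free samples and all thresholds are assumptions; the claims only say that the policy is a threshold range.

```python
# Added example, not the patent's code: fault-window labelling of network
# operation parameters (claim 2) and the real-time intrusion detection of
# claim 5. All parameter names, thresholds and sample values are constructed.
from dataclasses import dataclass


@dataclass
class Policy:
    """Qualified threshold range of one network operation parameter."""
    low: float
    high: float


def fluctuation_moments(samples, jitter=0.0):
    """Indices at which the value changes between consecutive samples (the
    'value floating moments'); changes no larger than `jitter` are ignored."""
    return [i for i in range(1, len(samples)) if abs(samples[i] - samples[i - 1]) > jitter]


def label_parameters(fault_window, intrusion_types, freq_threshold):
    """fault_window: {parameter: samples collected during the simulated fault
    period}; intrusion_types: {parameter: real-time intrusion type simulated
    for it}. A parameter whose fluctuation frequency (changes per sample
    interval) exceeds freq_threshold gets an intrusion label bound to its type."""
    labels = {}
    for name, samples in fault_window.items():
        freq = len(fluctuation_moments(samples)) / max(len(samples) - 1, 1)
        if freq > freq_threshold:
            labels[name] = intrusion_types[name]
    return labels


def derive_policy(normal_window, labels, margin=0.1):
    """Network operation security policy: a qualified range per influencing
    parameter. Assumption (the claims do not say how the range is chosen):
    the fault-free min/max widened by `margin` of its span."""
    policy = {}
    for name in labels:
        lo, hi = min(normal_window[name]), max(normal_window[name])
        span = (hi - lo) or 1.0
        policy[name] = Policy(lo - margin * span, hi + margin * span)
    return policy


def monitor(name, values, labels, policy, speed_threshold):
    """Claim 5 over a stream of values of one priority monitoring parameter.
    Out of range -> 'intrusion' with the bound intrusion type; in range but
    approaching a range threshold faster than speed_threshold per sample ->
    'early_warning'. Returns [(index, event, intrusion_type)]."""
    p, events, prev_gap = policy[name], [], None
    for i, v in enumerate(values):
        if v < p.low or v > p.high:
            events.append((i, "intrusion", labels[name]))
            prev_gap = None          # restart rate tracking once back in range
            continue
        gap = min(v - p.low, p.high - v)   # distance to the nearer threshold
        if prev_gap is not None and prev_gap - gap > speed_threshold:
            events.append((i, "early_warning", labels[name]))
        prev_gap = gap
    return events


# Constructed samples: one simulated fault period and one fault-free period.
FAULT_WINDOW = {
    "conn_rate": [10, 55, 12, 60, 11, 58, 13],      # flaps on every sample
    "cpu_pct": [40, 40, 41, 40, 40, 40, 41],        # barely moves
    "packet_loss": [0, 5, 0, 6, 0, 5, 1],
}
INTRUSION_TYPES = {"conn_rate": "syn_flood", "cpu_pct": "cpu_exhaustion",
                   "packet_loss": "link_jamming"}
NORMAL_WINDOW = {"conn_rate": [10, 12, 11, 13, 12], "cpu_pct": [40, 41, 40, 40, 41],
                 "packet_loss": [0, 1, 0, 1, 0]}


def run_demo():
    """Label, derive the policy, then watch conn_rate drift towards its upper bound."""
    labels = label_parameters(FAULT_WINDOW, INTRUSION_TYPES, freq_threshold=0.5)
    policy = derive_policy(NORMAL_WINDOW, labels)
    events = monitor("conn_rate", [12, 12.5, 12.7, 13.2, 14, 12], labels, policy,
                     speed_threshold=0.4)
    return labels, policy, events


if __name__ == "__main__":
    print(run_demo())
```

In the constructed data cpu_pct changes on exactly half of its sample intervals, so with a frequency threshold of 0.5 it is not labelled; the early-warning rule fires twice while conn_rate is still inside its range and the intrusion rule fires once it leaves it.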
6. The method for detecting a computer system based on network operation security according to claim 1, wherein: the step of detecting whether the target attack device has recognised that the target virtual application is running on a virtual computer further comprises: if, for at least one attack behavior type information set, the attack behavior type information it includes does not stand in the first target relation to the target attack behavior type information, determining whether there exists an attack behavior type information set all of whose attack behavior type information stands in a second target relation to the target attack behavior type information, the second target relation being that all the attack behavior type information included in the attack behavior type information set is identical to the target attack behavior type information; if all the attack behavior type information included in one attack behavior type information set stands in the second target relation to the target attack behavior type information, determining that the target attack device has not recognised that the target virtual application is running on a virtual computer; and if there is no attack behavior type information set all of whose attack behavior type information stands in the second target relation to the target attack behavior type information, determining that the target attack device has recognised that the target virtual application is running on a virtual computer.
7. The method for detecting a computer system based on network operation security according to claim 1, wherein: the step of detecting whether the target attack device has recognised that the target virtual application is running on a virtual computer further comprises: if the plurality of items of target attack behavior type information do not belong to the historical attack behavior type information of any network attack behavior ever performed on the target virtual application, determining that the target attack device has not recognised that the target virtual application is running on a virtual computer;
the step of detecting whether the target attack device has recognised that the target virtual application is running on a virtual computer further comprises: if the plurality of items of target attack behavior type information do not belong to the historical attack behavior type information of any network attack behavior ever performed on the target virtual application, generating new attack event information based on the plurality of items of target attack behavior type information, and storing the new attack event information in the second target database.
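The event matching of claims 2, 6 and 7 as one decision procedure, added here as an example that is not the patent's code. The event database, the history cache, the behaviour type names and the verdict reported for a history match are constructed assumptions; the claims do not state what happens when historical attack data are found, and an observed first type that matches no stored event at all is treated like the never-seen case.

```python
# Added example, not the patent's code: the attack-event matching of claims 2,
# 6 and 7 applied to the behaviour types observed on the virtual application.
# The event database, cache contents and type names are constructed.

# Second target database: attack event id -> set of behaviour types that
# together form that event.
EVENT_DB = {
    "web_recon_and_sqli": {"port_scan", "dir_brute", "sqli"},
    "web_recon_only": {"port_scan", "dir_brute"},
    "cred_stuffing": {"login_brute", "session_replay"},
}
# Target cache of historical attacks on the virtual application (claim 2).
HISTORY_CACHE = [
    {"device": "198.51.100.7", "types": {"port_scan", "dir_brute", "sqli", "xss"}},
]


def candidate_events(db, first_type):
    """Second-thread lookup: events formed at least from the network attack
    behaviour of the first observed type (the attack event request)."""
    return {eid: types for eid, types in db.items() if first_type in types}


def classify(db, cache, observed):
    """observed: target attack behaviour types from the first analysis result,
    in order of occurrence. Returns (verdict, detail); may add an event to db."""
    observed_set = set(observed)
    cands = candidate_events(db, observed[0])
    # Second target relation (claim 6): an event's type set is identical to what
    # was observed, so the attacker behaved as it would against a real host.
    exact = [eid for eid, t in cands.items() if t == observed_set]
    if exact:
        return "not_recognized", {"matched_event": exact[0]}
    # Some candidate is neither identical nor only a part of the observed set:
    # claim 6 concludes the attacker has recognised the virtual computer.
    if cands and not all(t < observed_set for t in cands.values()):
        return "recognized", {"candidates": sorted(cands)}
    # First target relation (claim 2): every candidate is only part of the
    # observed types, so consult the historical attack data. No candidate at
    # all is treated the same way (assumption).
    hist = [h for h in cache if h["types"] == observed_set]
    if hist:
        # The claims do not state the verdict for a history match; it is
        # reported as seen_before here (assumption).
        return "seen_before", {"history": hist}
    # Claim 7: this combination was never seen on the virtual application:
    # not recognised, and stored as a new attack event.
    new_id = "event_%d" % (len(db) + 1)
    db[new_id] = observed_set
    return "not_recognized", {"new_event": new_id}


if __name__ == "__main__":
    db = dict(EVENT_DB)
    for obs in (["port_scan", "dir_brute", "sqli"],
                ["port_scan", "dir_brute", "sqli", "xss"],
                ["port_scan", "dir_brute", "sqli", "rce"],
                ["login_brute"]):
        print(obs, classify(db, HISTORY_CACHE, obs))
```

The order of the checks matters: an exact match is tested first, because a set that is identical to the observed types is by definition not a proper part of them, which is how claim 6 reaches the second target relation only after the first one has failed for at least one set.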
8. The method for detecting a computer system based on network operation security according to claim 1, wherein: when a threat behavior is detected, the corresponding security policy can be triggered; the time-series detection module comprises the following steps:
(1) a batch of Netflow records taken out of Spark Streaming every 5 minutes is read through interface (1), filtered on the condition that the DestIP is an intranet asset, and grouped by DstIP; for each group, the SYN session count and the uplink HTTP, UDP and ICMP message bytes are summed, and the latest end time in the batch, rounded to 5 minutes, is used as the timestamp;
(2) for the statistical values and timestamp obtained in step (1), the residual against the predicted value of the time-series linear regression is calculated, the mean and the variance of the accumulated residuals are calculated, and they are recorded into Redis through interface (2) under a secondary dictionary keyed by asset index and protocol type;
(3) it is calculated whether a statistic of the batch exceeds 10 standard deviations, i.e. whether |x_i − x̂_i| ≥ n·σ, with n defaulting to 10, and the distribution probability is calculated; together with the statistical values of the batch, a secondary dictionary keyed by asset index and protocol type is constructed through interface (2) and recorded into Redis, and data older than 24 hours are deleted;
(4) a sliding window of size w, defaulting to 12, is constructed from the statistical values and timestamps obtained in step (1) and checked with the RCF model; if the RCF model reports an anomaly and, at the same time, the linear regression result of one or more data points in the sliding window is anomalous, alarm information is written into ES through interface (3).
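The aggregation, modelling and residual check described in claims 3 and 8 (the first three steps are the ones claim 4 shares), as an added example that is not the patent's or any product's code. It replaces the claimed components with pure-Python equivalents so that it runs offline: a dict stands in for the Redis secondary dictionary, flow batches are plain lists instead of a Spark Streaming source, and OnlineL1Regressor stands in for scikit-learn's SGDRegressor(penalty="l1") and its partial_fit; the RCF stage of claims 4 and 8 is omitted. The intranet prefix, the lag set (1, 2, 3 and 12 buckets), the three online passes, the feature scaling and the Netflow records are assumptions.

```python
# Added example, not the patent's or any product's code: the time-series
# pipeline of claims 3 and 8 in pure Python. Spark Streaming, Redis and the RCF
# stage of claim 4 are left out; OnlineL1Regressor stands in for
# scikit-learn's SGDRegressor(penalty="l1").partial_fit. Flows are constructed.
import math
from collections import defaultdict

BUCKET = 300                    # 5-minute bucket, in seconds
DAY = 24 * 3600
SLOTS = DAY // BUCKET           # 288 buckets per day
LAGS = (1, 2, 3, 12)            # autocorrelation (lag) features, assumed
INTRANET_PREFIX = "10."         # assumption: what counts as an intranet asset

def batch_stats(batch):
    """Step 1: flows [(end_time, src_ip, dst_ip, proto, syn_count, bytes_up)] ->
    (batch timestamp = latest end time floored to 5 min, {dst: {stat: sum}})
    for intranet DstIPs only."""
    ts = (max(f[0] for f in batch) // BUCKET) * BUCKET
    per_asset = defaultdict(lambda: defaultdict(int))
    for _end, _src, dst, proto, syn, up in batch:
        if dst.startswith(INTRANET_PREFIX):
            per_asset[dst]["syn"] += syn
            per_asset[dst][proto + "_bytes_up"] += up
    return ts, per_asset

def store_add(store, ts, per_asset):
    """Step 2: keep {asset: {stat: {ts: value}}} (the Redis secondary
    dictionary) and drop values older than 24 hours."""
    for asset, stats in per_asset.items():
        for stat, v in stats.items():
            d = store.setdefault(asset, {}).setdefault(stat, {})
            d[ts] = v
            for old in [t for t in d if t <= ts - DAY]:
                del d[old]

def build_series(store, asset, stat, now):
    """Step 3: one value per 5-minute slot for the trailing 24 h, 0 if missing."""
    d = store.get(asset, {}).get(stat, {})
    return [d.get(t, 0) for t in range(now - DAY + BUCKET, now + 1, BUCKET)]

def features(series, i, t0, scale):
    """Time-of-day (sin/cos of slot i's timestamp) plus lag features, scaled to
    about [-1, 1] so that plain SGD stays stable."""
    ang = 2 * math.pi * ((t0 + i * BUCKET) % DAY) / DAY
    return [1.0, math.sin(ang), math.cos(ang)] + [series[i - l] / scale for l in LAGS]

class OnlineL1Regressor:
    """One SGD step on squared error, then soft-thresholding for the L1 penalty."""
    def __init__(self, n_features, lr=0.05, alpha=1e-4):
        self.w, self.lr, self.alpha = [0.0] * n_features, lr, alpha
    def predict(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x))
    def partial_fit(self, x, y):
        err = self.predict(x) - y
        for j, xj in enumerate(x):
            wj = self.w[j] - self.lr * err * xj
            self.w[j] = math.copysign(max(abs(wj) - self.lr * self.alpha, 0.0), wj)

def fit_asset(series, t0, epochs=3):
    """Step 4 of claim 3 plus the accumulated-residual mean/std of claim 8;
    epochs=3 online passes over the day are an assumption."""
    scale = max(1.0, max(series))
    model = OnlineL1Regressor(3 + len(LAGS))
    idx = range(max(LAGS), len(series))
    for _ in range(epochs):
        for i in idx:
            model.partial_fit(features(series, i, t0, scale), series[i])
    res = [series[i] - model.predict(features(series, i, t0, scale)) for i in idx]
    mean = sum(res) / len(res)
    std = math.sqrt(sum((r - mean) ** 2 for r in res) / (len(res) - 1))
    return model, (mean, std), scale

def is_anomalous(model, res_stats, scale, series, t0, y_new, n=10):
    """Step 3 of claim 8: |x_i - x̂_i| >= n * sigma with n defaulting to 10, x̂_i
    predicted from the trailing series and sigma the residual std."""
    ext = series + [y_new]
    pred = model.predict(features(ext, len(ext) - 1, t0, scale))
    return abs(y_new - pred) >= n * res_stats[1], pred

def syn_at(i):
    """Constructed SYN count for slot i: a daily sine plus hashed integer noise."""
    return round(10 + 5 * math.sin(2 * math.pi * i / SLOTS) + ((i * 2654435761 >> 7) % 7 - 3))

def demo():
    """One constructed day for asset 10.0.0.8, then a normal batch and a SYN flood."""
    t0 = 1_700_000_000 - 1_700_000_000 % DAY        # a midnight, epoch seconds
    store = {}
    for i in range(SLOTS):
        ts = t0 + i * BUCKET
        batch = [(ts + 250, "203.0.113.9", "10.0.0.8", "tcp", syn_at(i), 4000 + i),
                 (ts + 260, "10.0.0.8", "198.51.100.2", "udp", 0, 300)]  # DstIP not intranet
        store_add(store, *batch_stats(batch))
    now = t0 + (SLOTS - 1) * BUCKET
    series = build_series(store, "10.0.0.8", "syn", now)
    model, res_stats, scale = fit_asset(series, t0)
    normal, _ = is_anomalous(model, res_stats, scale, series, t0, syn_at(SLOTS))
    flood, _ = is_anomalous(model, res_stats, scale, series, t0, 5000)
    return len(series), normal, flood
```

demo() returns the series length (288 five-minute slots), False for a batch that follows the learned daily pattern and True for a SYN-count spike. A deviation that stays under ten residual standard deviations passes this check by design, which is why claim 8 only raises an alarm when the window-level RCF check and the regression check agree.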
CN202311137876.6A 2023-09-05 2023-09-05 Computer system detection method based on network operation safety Pending CN117040664A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311137876.6A CN117040664A (en) 2023-09-05 2023-09-05 Computer system detection method based on network operation safety

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311137876.6A CN117040664A (en) 2023-09-05 2023-09-05 Computer system detection method based on network operation safety

Publications (1)

Publication Number Publication Date
CN117040664A true CN117040664A (en) 2023-11-10

Family

ID=88630027

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311137876.6A Pending CN117040664A (en) 2023-09-05 2023-09-05 Computer system detection method based on network operation safety

Country Status (1)

Country Link
CN (1) CN117040664A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117938554A (en) * 2024-03-25 2024-04-26 环球数科集团有限公司 Prediction system based on network security intrusion
CN117938554B (en) * 2024-03-25 2024-06-11 环球数科集团有限公司 Prediction system based on network security intrusion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination