CN117061250A - Network security early warning method, system, equipment and medium based on data center - Google Patents

Network security early warning method, system, equipment and medium based on data center

Info

Publication number
CN117061250A
Authority
CN
China
Prior art keywords
network
security
knowledge base
security event
similarity
Legal status
Granted
Application number
CN202311317603.XA
Other languages
Chinese (zh)
Other versions
CN117061250B (en)
Inventor
彭远吉
陈洁茵
张少校
Current Assignee
Zhongfu Safety Technology Co Ltd
Original Assignee
Zhongfu Safety Technology Co Ltd

Classifications

    • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/00 network architectures or protocols for network security; 63/14 detecting or protecting against malicious traffic; 63/1408 by monitoring network traffic)
    • H04L 63/1433 Vulnerability analysis (under H04L 63/14)
    • H04L 9/40 Network security protocols (under H04L 9/00 cryptographic mechanisms or arrangements; network security protocols)
    • Y02D 30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (under Y02D 30/00 reducing energy consumption in communication networks)


Abstract

The application discloses a network security early warning method, system, device and medium based on a data center. It mainly relates to the technical field of network security and is used to solve the problems that existing methods for maintaining network security cannot make use of the massive network logs uploaded by a plurality of security subsystems to the data center, cannot dynamically reflect the network security situation as a whole, and cannot give early warning of the development trend of network security. The method comprises the following steps: performing attribute clustering on the network logs; obtaining the similarity between each network log and a typical network log, and determining the network logs whose similarity exceeds a preset similarity threshold as alarm logs; generating the security event corresponding to each alarm log; when the ratio of the number of security events among the associated network logs of an alarm log to the number of associated network logs exceeds a preset ratio threshold, determining that the security event is credible; and determining the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base, so as to determine the validity of the security event according to the matching degree.

Description

Network security early warning method, system, equipment and medium based on data center
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network security early warning method, system, device, and medium based on a data center.
Background
With the rapid development of computer and communication technologies, computer networks are applied ever more widely and their scale grows ever larger. Multi-layer network security threats and risks keep increasing, the damage and losses caused by network viruses grow, and network attacks are becoming distributed, large-scale and complex. Single network security protection technologies such as firewalls, intrusion detection, antivirus and access control alone can no longer meet the requirements of network security; new technologies are urgently needed to discover abnormal events in the network in time and to grasp the network security situation in real time.
At present, the methods for maintaining network security mainly include firewalls, intrusion detection, antivirus, access control and the like. However, these are mainly single network security protection technologies: they cannot be applied to a data center that aggregates the massive network logs uploaded by a plurality of security subsystems, cannot dynamically reflect the network security situation as a whole, and cannot give early warning of the development trend of network security.
Therefore, a network security early warning method, system, device and medium based on a data center are needed, in which the security factors of all aspects are brought together in the data center (a platform that fuses the mass data generated by the various security subsystems), the network security situation is reflected dynamically as a whole, and the development trend of network security is predicted and warned of in advance.
Disclosure of Invention
In view of the defects in the prior art, the application provides a network security early warning method, system, device and medium based on a data center, so as to solve the problems that the existing methods for maintaining network security cannot make use of the massive network logs uploaded by a plurality of security subsystems to the data center, cannot dynamically reflect the network security situation as a whole, and cannot give early warning of the development trend of network security.
In a first aspect, the present application provides a network security early warning method based on a data center, where the data center aggregates the network logs uploaded by a plurality of subsystems. The method includes: acquiring the network logs of any subsystem within a preset historical time period, and clustering the attributes of the network logs through a preset alarm aggregation model; obtaining the typical network log corresponding to each attribute cluster; obtaining the similarity between each network log and the typical network log of the same attribute cluster, and determining the network logs whose similarity exceeds a preset similarity threshold as alarm logs; extracting the network vulnerability and the network environment from each alarm log and generating the security event corresponding to the alarm log; according to the time stamp of the alarm log, acquiring the number of associated network logs of the alarm log across all subsystems, determining the number of security events among those associated network logs, and determining that the security event is credible when the ratio of the number of security events to the number of associated network logs exceeds a preset ratio threshold; establishing a network vulnerability knowledge base of the current network environment through a preset vulnerability scanning system; establishing a network environment knowledge base of the current network environment through a preset network environment detection system; and determining the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base, so as to determine the validity of the security event according to the matching degree.
Further, before obtaining the network logs within the preset historical time period, the method further includes: acquiring the original logs uploaded by each subsystem within the preset historical time period, and deleting repeated original logs on the basis of the time stamps in the original logs and a similarity detection model, so as to obtain the network logs; the network logs comprise at least firewall logs and intrusion detection logs.
Further, obtaining the similarity between each network log and the typical network log of the same attribute cluster specifically includes: calculating the distance between the network log and the typical network log through cosine similarity; and determining the similarity between the network log and the typical network log according to a preset correspondence between distance and similarity.
Further, determining the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base, so as to determine the validity of the security event according to the matching degree, specifically includes: through a preset text similarity calculation algorithm, calculating the maximum similarity value between the network vulnerability in the security event and each network vulnerability in the network vulnerability knowledge base, as the matching degree of the security event in the network vulnerability knowledge base; calculating the maximum similarity value between the network environment in the security event and each network environment in the network environment knowledge base, as the matching degree of the security event in the network environment knowledge base; and calculating the validity e of the security event according to a preset formula, wherein Va is 1 when the security event is present in the network vulnerability knowledge base and 0 when it is not; Da represents the matching degree of the security event in the attack knowledge base; Vl is 1 when the security event is present in the network environment knowledge base and 0 when it is not; Dl represents the matching degree of the security event in the network environment knowledge base; when the validity value satisfies 0 < e ≤ 0.5, the security event is judged valid; when 0.5 < e ≤ 1, the security event is judged invalid.
In a second aspect, the present application provides a network security early warning system based on a data center, the system comprising: an extraction module, used for obtaining the network logs of any subsystem within a preset historical time period and performing attribute clustering on the network logs through a preset alarm aggregation model; obtaining the typical network log corresponding to each attribute cluster; obtaining the similarity between each network log and the typical network log of the same attribute cluster, and determining the network logs whose similarity exceeds a preset similarity threshold as alarm logs; and extracting the network vulnerability and the network environment from each alarm log and generating the security event corresponding to the alarm log; a credibility determining module, used for acquiring, according to the time stamp of the alarm log, the number of associated network logs of the alarm log across all subsystems, determining the number of security events among those associated network logs, and determining that the security event is credible when the ratio of the number of security events to the number of associated network logs exceeds a preset ratio threshold; and a validity determining module, used for establishing a network vulnerability knowledge base of the current network environment through a preset vulnerability scanning system; establishing a network environment knowledge base of the current network environment through a preset network environment detection system; and determining the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base, so as to determine the validity of the security event according to the matching degree.
Further, the extraction module further comprises a deletion unit, used for acquiring the original logs uploaded by each subsystem within a preset historical time period and deleting repeated original logs on the basis of the time stamps in the original logs and a similarity detection model, so as to obtain the network logs; the network logs comprise at least firewall logs and intrusion detection logs.
Further, the extraction module further comprises a similarity determination unit, configured to calculate the distance between the network log and the typical network log through cosine similarity, and to determine the similarity between the network log and the typical network log according to a preset correspondence between distance and similarity.
Further, the validity determining module comprises a validity calculating unit, used for: through a preset text similarity calculation algorithm, calculating the maximum similarity value between the network vulnerability in the security event and each network vulnerability in the network vulnerability knowledge base, as the matching degree of the security event in the network vulnerability knowledge base; calculating the maximum similarity value between the network environment in the security event and each network environment in the network environment knowledge base, as the matching degree of the security event in the network environment knowledge base; and calculating the validity e of the security event according to a preset formula, wherein Va is 1 when the security event is present in the network vulnerability knowledge base and 0 when it is not; Da represents the matching degree of the security event in the attack knowledge base; Vl is 1 when the security event is present in the network environment knowledge base and 0 when it is not; Dl represents the matching degree of the security event in the network environment knowledge base; when the validity value satisfies 0 < e ≤ 0.5, the security event is judged valid; when 0.5 < e ≤ 1, the security event is judged invalid.
In a third aspect, the present application provides a network security early warning device based on a data center, the device comprising: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform a data center based network security early warning method as in any of the above.
In a fourth aspect, the present application provides a non-volatile computer storage medium having stored thereon computer instructions which, when executed, implement a data center based network security early warning method as in any one of the preceding claims.
As will be appreciated by those skilled in the art, the present application has at least the following beneficial effects:
The application starts from the network logs of multiple sources uploaded to the data center and first processes the network logs of a single source, by obtaining the network logs of any one subsystem within a preset historical time period. By obtaining the similarity between each network log and the typical network log of the same attribute cluster, and determining the network logs whose similarity exceeds a preset similarity threshold as alarm logs, the network logs that require alarm handling are determined among the logs of that single source. To avoid false alarms, and considering that the plurality of subsystems belonging to the same data center are attacked simultaneously when a network attack occurs, the data center obtains the network logs uploaded by the subsystems of every source under the same time stamp as the associated network logs of the alarm log, and determines whether each associated network log is itself an alarm log (a security event), that is, whether the other subsystems also show alarm behaviour under the same time stamp; when the ratio of the number of security events to the number of associated network logs exceeds a preset ratio threshold, the security event is determined to be credible. To avoid discrimination errors of a single subsystem, the application further performs a validity calculation, and only when the result is valid is the security event confirmed as an alarm log carrying network risk.
Drawings
Some embodiments of the present disclosure are described below with reference to the accompanying drawings, in which:
Fig. 1 is a flowchart of a network security early warning method based on a data center according to an embodiment of the present application.
Fig. 2 is a schematic diagram of an internal structure of a network security early warning system based on a data center.
Fig. 3 is a schematic diagram of an internal structure of a network security early warning device based on a data center.
Detailed Description
It should be understood by those skilled in the art that the embodiments described below are only preferred embodiments of the present disclosure, and do not represent that the present disclosure can be realized only by the preferred embodiments, which are merely for explaining the technical principles of the present disclosure, not for limiting the scope of the present disclosure. Based on the preferred embodiments provided by the present disclosure, all other embodiments that may be obtained by one of ordinary skill in the art without inventive effort shall still fall within the scope of the present disclosure.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises an element.
The data staging platform (data middle platform) is a data management and analysis platform that is intended to help businesses better manage and utilize data.
The following describes the technical scheme provided by the embodiment of the application in detail through the attached drawings.
The embodiment of the application provides a network security early warning method based on a data center, as shown in fig. 1, which mainly comprises the following steps:
Step 110: obtain the network logs of any subsystem within a preset historical time period, and cluster the attributes of the network logs through a preset alarm aggregation model; obtain the typical network log corresponding to each attribute cluster; obtain the similarity between each network log and the typical network log of the same attribute cluster, and determine the network logs whose similarity exceeds a preset similarity threshold as alarm logs; and extract the network vulnerability and the network environment from each alarm log and generate the security event corresponding to the alarm log.
A subsystem is a system connected to the data center; each subsystem detects a network attack and generates a network log when one is present. The network logs may be embodied as firewall logs and intrusion detection logs. A typical network log may be the log closest to the cluster centre, extracted from the cluster, or a log entered manually. The content and number of attribute clusters are determined by those skilled in the art according to the actual situation and are not limited by the present application.
Because each subsystem generates a large number of logs and related alarm records for a given possible attack event, redundant records exist; the method and device can delete the repeated redundant records. Specifically, the original logs uploaded by each subsystem within a preset historical time period are acquired, and repeated original logs are deleted on the basis of the time stamps in the original logs and a similarity detection model, so as to obtain the network logs.
It should be noted that the similarity detection model may be an existing Manhattan distance calculation model.
Obtaining the similarity between each network log and the typical network log of the same attribute cluster specifically includes: calculating the distance between the network log and the typical network log through cosine similarity; and determining the similarity between the network log and the typical network log according to a preset correspondence between distance and similarity. It should be noted that the correspondence between distance and similarity may be obtained experimentally by a person skilled in the art.
In addition, the network vulnerability and the network environment referred to in step 110 are part of the content of the network log itself, and the present application does not limit that content.
Step 120: according to the time stamp of the alarm log, obtain the number of associated network logs of the alarm log across all subsystems, determine the number of security events among those associated network logs, and determine that the security event is credible when the ratio of the number of security events to the number of associated network logs exceeds a preset ratio threshold.
It should be noted that the time stamp is the time point at which the network log corresponding to the alarm log was generated. Because the subsystems are connected to the data center, each subsystem detects and generates a network log when a network attack is present; that is, the network logs generated by different subsystems under the same time stamp are correlated. The application determines whether the alarm log is credible from the proportion of the associated network logs that are judged to be security events.
Step 130: establish a network vulnerability knowledge base of the current network environment through a preset vulnerability scanning system; establish a network environment knowledge base of the current network environment through a preset network environment detection system; and determine the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base, so as to determine the validity of the security event according to the matching degree.
It should be noted that, after the alarm log has been determined to be credible in step 120, in order to avoid a subsystem discrimination error, the present application performs a validity calculation, and only when the result is valid is the security event confirmed as an alarm log with network risk. The preset vulnerability scanning system in this step may be an allied vulnerability scanning system, and the preset network environment detection system may be the OpManager IT monitoring and management tool.
The determining the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base to determine the validity of the security event according to the matching degree may specifically be:
through a preset text similarity calculation algorithm, calculating the maximum similarity value between the network vulnerability in the security event and each network vulnerability in the network vulnerability knowledge base, as the matching degree of the security event in the network vulnerability knowledge base; calculating the maximum similarity value between the network environment in the security event and each network environment in the network environment knowledge base, as the matching degree of the security event in the network environment knowledge base; and calculating the validity e of the security event according to a preset formula, wherein Va is 1 when the security event is present in the network vulnerability knowledge base and 0 when it is not; Da represents the matching degree of the security event in the attack knowledge base; Vl is 1 when the security event is present in the network environment knowledge base and 0 when it is not; Dl represents the matching degree of the security event in the network environment knowledge base; when the validity value satisfies 0 < e ≤ 0.5, the security event is judged valid; when 0.5 < e ≤ 1, the security event is judged invalid.
It should be noted that the preset text similarity calculation algorithm may be an existing Manhattan distance calculation method.
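Steps 110 to 130 above, as an added worked example that is not part of the patent or of any product it names. It assumes that logs are compared as bag-of-words token vectors, that the attribute-cluster label produced by the alarm aggregation model is already given, that the associated logs of an alarm are the logs of the other subsystems sharing its time stamp, and that the text similarity used for the matching degree is cosine similarity so that the degree lies in [0, 1]; the validity formula that combines the matching degrees is not given on the page and is therefore not implemented.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class LogRecord:
    subsystem: str   # uploading subsystem, e.g. firewall or intrusion detection
    timestamp: int   # constructed coarse time stamp shared across subsystems
    cluster: str     # attribute-cluster label from the alarm aggregation model (assumed given)
    text: str        # the log message
    vuln: str        # network-vulnerability text carried by the log
    env: str         # network-environment text carried by the log

def tokens(text: str) -> Counter:
    """Bag-of-words vector over lowercase alphanumeric tokens (dots kept for IPs/versions)."""
    return Counter(re.findall(r"[a-z0-9.]+", text.lower()))

def cosine_similarity(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def manhattan_distance(a: Counter, b: Counter) -> int:
    return sum(abs(a[t] - b[t]) for t in a.keys() | b.keys())

def deduplicate(raw: list, max_distance: int = 1) -> list:
    """Pre-step (page: time stamp plus a similarity detection model, e.g. Manhattan distance):
    drop a record when an already-kept record of the same subsystem and time stamp lies
    within max_distance of it in token-count space."""
    kept = []
    for rec in raw:
        vec = tokens(rec.text)
        if not any(k.subsystem == rec.subsystem and k.timestamp == rec.timestamp
                   and manhattan_distance(tokens(k.text), vec) <= max_distance for k in kept):
            kept.append(rec)
    return kept

def alarm_logs(logs: list, typical: dict, threshold: float) -> list:
    """Step 110: a log is an alarm log when its cosine similarity to the typical log of
    its own attribute cluster exceeds the preset similarity threshold."""
    return [r for r in logs if r.cluster in typical
            and cosine_similarity(tokens(r.text), tokens(typical[r.cluster])) > threshold]

def is_credible(alarm: LogRecord, logs: list, alarms: set, ratio_threshold: float) -> bool:
    """Step 120: associated logs = logs of the *other* subsystems sharing the alarm's time
    stamp (assumption); credible when the share of them that are themselves alarm logs
    exceeds the ratio threshold. With nothing to corroborate against, not credible."""
    associated = [r for r in logs if r.timestamp == alarm.timestamp and r.subsystem != alarm.subsystem]
    if not associated:
        return False
    return sum(r in alarms for r in associated) / len(associated) > ratio_threshold

def matching_degree(field: str, knowledge_base: list) -> float:
    """Step 130: maximum similarity between the event's field and each knowledge-base entry."""
    vec = tokens(field)
    return max((cosine_similarity(vec, tokens(entry)) for entry in knowledge_base), default=0.0)

def assess(raw, typical, vuln_kb, env_kb, sim_threshold=0.8, ratio_threshold=0.5) -> list:
    """Dedup -> alarm detection -> credibility -> matching degrees; one dict per alarm log.
    The validity formula that combines the degrees is not given on the page, so it stops here."""
    logs = deduplicate(raw)
    alarms = alarm_logs(logs, typical, sim_threshold)
    alarm_set = set(alarms)
    return [{"subsystem": a.subsystem, "timestamp": a.timestamp,
             "credible": is_credible(a, logs, alarm_set, ratio_threshold),
             "vuln_degree": matching_degree(a.vuln, vuln_kb),
             "env_degree": matching_degree(a.env, env_kb)} for a in alarms]

# Constructed sample data; none of it comes from the patent.
TYPICAL = {
    "portscan": "denied tcp connection burst from single source to many ports",
    "bruteforce": "multiple failed ssh login attempts for root",
}
VULN_KB = ["smb service exposed on port 445", "outdated openssl on web tier"]
ENV_KB = ["file server windows 2016 10.0.0.5", "web tier ubuntu 22.04"]
SMB, FS = "smb service exposed on tcp port 445", "windows 2016 file server"
RAW = [
    LogRecord("firewall", 100, "portscan", "denied tcp connection burst from single source to many ports 10.0.0.9", SMB, FS),
    LogRecord("firewall", 100, "portscan", "denied tcp connection burst from single source to many ports 10.0.0.9 again", SMB, FS),
    LogRecord("ids", 100, "portscan", "tcp connection burst to many ports from single source detected", SMB, FS),
    LogRecord("edr", 100, "portscan", "tcp connection burst from single source to many ports", SMB, FS),
    LogRecord("waf", 100, "bruteforce", "normal http get request served", "none", "web tier"),
    LogRecord("firewall", 200, "bruteforce", "multiple failed ssh login attempts for root", "weak password policy", "bastion host"),
    LogRecord("ids", 200, "bruteforce", "routine heartbeat ok", "none", "bastion host"),
]

if __name__ == "__main__":
    for row in assess(RAW, TYPICAL, VULN_KB, ENV_KB):
        print(row)  # alarms at time stamp 100 are corroborated by other subsystems; the one at 200 is not
```

The near-duplicate firewall record is removed before clustering, the single uncorroborated alarm at time stamp 200 is kept as an alarm log but marked not credible, and the matching degrees show how far each event's vulnerability and environment text is from the closest knowledge-base entry.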
In addition, fig. 2 is a schematic diagram of a network security early warning system based on a data center. As shown in fig. 2, the system provided by the embodiment of the present application mainly includes:
The system obtains the network logs of any subsystem within a preset historical time period through the extraction module 210, and performs attribute clustering on the network logs through a preset alarm aggregation model; obtains the typical network log corresponding to each attribute cluster; obtains the similarity between each network log and the typical network log of the same attribute cluster, and determines the network logs whose similarity exceeds a preset similarity threshold as alarm logs; and extracts the network vulnerability and the network environment from each alarm log and generates the security event corresponding to the alarm log.
It should be noted that, the extraction module 210 may be any feasible device or apparatus capable of generating a security event.
Because each subsystem generates a large number of logs and related alarm records for a given possible attack event, the records contain much redundancy, and the repeated redundant records can be deleted. Specifically, the deletion unit 211 in the extraction module 210 acquires the original logs uploaded by each subsystem within a preset historical time period and deletes repeated original logs on the basis of the time stamps in the original logs and a similarity detection model, so as to obtain the network logs; the network logs comprise at least firewall logs and intrusion detection logs.
In addition, the extraction module 210 further includes a similarity determining unit 212 for calculating the distance between the network log and the typical network log through cosine similarity, and for determining the similarity between the network log and the typical network log according to a preset correspondence between distance and similarity.
It should be noted that the similarity determining unit 212 may be any feasible device or apparatus capable of invoking the cosine similarity method to calculate the similarity.
Through the credibility determining module 220, the system obtains, according to the time stamp of the alarm log, the number of associated network logs of the alarm log across all subsystems, determines the number of security events among those associated network logs, and determines that the security event is credible when the ratio of the number of security events to the number of associated network logs exceeds a preset ratio threshold.
Through the validity determining module 230, the system establishes a network vulnerability knowledge base of the current network environment by means of a preset vulnerability scanning system; establishes a network environment knowledge base of the current network environment through a preset network environment detection system; and determines the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base, so as to determine the validity of the security event according to the matching degree.
The validity determining module 230 includes a validity calculating unit 231, configured to calculate, through a preset text similarity calculation algorithm, the maximum similarity value between the network vulnerability in a security event and each network vulnerability in the network vulnerability knowledge base, as the matching degree of the security event in the network vulnerability knowledge base; to calculate the maximum similarity value between the network environment in the security event and each network environment in the network environment knowledge base, as the matching degree of the security event in the network environment knowledge base; and to calculate the validity e of the security event according to a preset formula, wherein Va is 1 when the security event is present in the network vulnerability knowledge base and 0 when it is not; Da represents the matching degree of the security event in the attack knowledge base; Vl is 1 when the security event is present in the network environment knowledge base and 0 when it is not; Dl represents the matching degree of the security event in the network environment knowledge base; when the validity value satisfies 0 < e ≤ 0.5, the security event is judged valid; when 0.5 < e ≤ 1, the security event is judged invalid.
The validity calculating unit 231 may be any feasible device or apparatus capable of calculating the matching degree and the validity.
Based on the same inventive concept as the method embodiment, the embodiment of the application also provides a network security early warning device based on the data center. As shown in fig. 3, the device includes: a processor; and a memory having executable code stored thereon that, when executed, causes the processor to perform the data center based network security early warning method of the above embodiments.
Specifically, the server side acquires the weblogs of any subsystem in a preset historical time period and performs attribute clustering on the weblogs through a preset alarm aggregation model; obtains the typical weblog corresponding to each attribute cluster; obtains the similarity between each weblog and the typical weblog of the same attribute cluster, and determines a weblog whose similarity is larger than a preset similarity threshold as an alarm log; extracts the network vulnerability and the network environment from the alarm log and generates the security event corresponding to the alarm log; acquires, according to the time stamp of the alarm log, the number of associated weblogs of the alarm log across all subsystems, determines the number of security events among those associated weblogs, and determines that the security event is credible when the ratio of the number of security events to the number of associated weblogs exceeds a preset ratio threshold; establishes a network vulnerability knowledge base of the current network environment through a preset vulnerability scanning system; establishes a network environment knowledge base of the current network environment through a preset network environment detection system; and determines the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base, so as to determine the validity of the security event according to the matching degree.
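The alarm-log selection and credibility steps just summarised (and claimed in claims 1 and 3), as an added example that is not the patent's or the applicant's code. It assumes that the "alarm aggregation model" is replaced by grouping on a log attribute (the log type), that the typical weblog of a cluster is the member with the highest mean cosine similarity to the other members (the medoid), that the preset distance-to-similarity correspondence is similarity = 1 - distance with distance = 1 - cosine, that a log's associated weblogs are all logs from every subsystem within a fixed window around its time stamp (excluding itself), and that the thresholds and the sample logs are constructed for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample weblogs (not real data): one record per line received by the
# data center station; "ts" is an epoch-style timestamp in seconds.
SAMPLE_LOGS = [
    {"id": "f1", "subsystem": "A", "ts": 100, "type": "firewall", "msg": "deny tcp 10.0.0.5 to 10.0.1.9 port 22"},
    {"id": "f2", "subsystem": "B", "ts": 101, "type": "firewall", "msg": "deny tcp 10.0.0.5 to 10.0.1.9 port 22"},
    {"id": "i1", "subsystem": "C", "ts": 102, "type": "ids", "msg": "ssh brute force attempt from 10.0.0.5"},
    {"id": "i2", "subsystem": "C", "ts": 103, "type": "ids", "msg": "ssh brute force attempt from 10.0.0.5"},
    {"id": "i3", "subsystem": "B", "ts": 104, "type": "ids", "msg": "port scan detected from 10.0.0.5"},
    {"id": "f3", "subsystem": "A", "ts": 500, "type": "firewall", "msg": "accept tcp 10.0.0.7 to 10.0.1.20 port 443"},
    {"id": "i4", "subsystem": "C", "ts": 900, "type": "ids", "msg": "ssh brute force attempt from 10.0.0.5"},
    {"id": "f4", "subsystem": "A", "ts": 901, "type": "firewall", "msg": "accept tcp 10.0.0.8 to 10.0.1.21 port 443"},
]


def bag_of_words(text: str) -> Counter:
    """Term counts; dotted tokens such as IP addresses stay whole."""
    return Counter(re.findall(r"[a-z0-9.]+", text.lower()))


def cosine_similarity(a: str, b: str) -> float:
    va, vb = bag_of_words(a), bag_of_words(b)
    dot = sum(va[t] * vb[t] for t in va.keys() & vb.keys())
    norm = math.sqrt(sum(c * c for c in va.values())) * math.sqrt(sum(c * c for c in vb.values()))
    return dot / norm if norm else 0.0


def cluster_by_attribute(logs: list[dict], attribute: str = "type") -> dict:
    """Stand-in for the alarm aggregation model: group logs by one attribute."""
    clusters = defaultdict(list)
    for log in logs:
        clusters[log[attribute]].append(log)
    return clusters


def typical_log(cluster: list[dict]) -> dict:
    """Medoid of the cluster: the member most similar on average to the others."""
    def mean_similarity(log):
        others = [o for o in cluster if o is not log]
        if not others:
            return 1.0
        return sum(cosine_similarity(log["msg"], o["msg"]) for o in others) / len(others)
    return max(cluster, key=mean_similarity)


def select_alarm_logs(logs: list[dict], similarity_threshold: float = 0.8) -> set[str]:
    """Ids of logs whose similarity to their cluster's typical log exceeds the threshold."""
    alarm_ids = set()
    for cluster in cluster_by_attribute(logs).values():
        typical = typical_log(cluster)
        for log in cluster:
            distance = 1.0 - cosine_similarity(log["msg"], typical["msg"])
            similarity = 1.0 - distance  # assumed distance-to-similarity correspondence
            if similarity > similarity_threshold:
                alarm_ids.add(log["id"])
    return alarm_ids


def credible_security_events(logs: list[dict], alarm_ids: set[str],
                             window: int = 5, ratio_threshold: float = 0.5) -> dict:
    """For each alarm log, the share of associated logs (all subsystems, +/- window
    seconds, excluding itself) that are themselves security events, and whether that
    share exceeds the ratio threshold."""
    results = {}
    for alarm in (l for l in logs if l["id"] in alarm_ids):
        associated = [l for l in logs
                      if l["id"] != alarm["id"] and abs(l["ts"] - alarm["ts"]) <= window]
        events = [l for l in associated if l["id"] in alarm_ids]
        ratio = len(events) / len(associated) if associated else 0.0
        results[alarm["id"]] = {"ratio": ratio, "credible": ratio > ratio_threshold}
    return results


if __name__ == "__main__":
    alarms = select_alarm_logs(SAMPLE_LOGS)
    for log_id, verdict in credible_security_events(SAMPLE_LOGS, alarms).items():
        print(log_id, verdict)
```

On the constructed input the isolated brute-force log i4 is still selected as an alarm by the similarity step, but it is rejected by the credibility step because the only log near it in time is a benign firewall accept; the cross-subsystem ratio is what separates a lone repeated pattern from a corroborated event.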
In addition, the embodiment of the application also provides a nonvolatile computer storage medium, on which executable instructions are stored, and when the executable instructions are executed, the network security early warning method based on the data center is realized.
Thus far, the technical solution of the present disclosure has been described in connection with the foregoing embodiments, but it is easily understood by those skilled in the art that the protective scope of the present disclosure is not limited to only these specific embodiments. The technical solutions in the above embodiments may be split and combined by those skilled in the art without departing from the technical principles of the present disclosure, and equivalent modifications or substitutions may be made to related technical features, which all fall within the scope of the present disclosure.

Claims (10)

1. The network security early warning method based on the data center station is characterized in that the data center station gathers network logs uploaded by a plurality of subsystems, and the method comprises the following steps:
acquiring the weblogs of any subsystem in a preset historical time period, and performing attribute clustering on the weblogs through a preset alarm aggregation model; obtaining the typical weblog corresponding to each attribute cluster; obtaining the similarity between each weblog and the typical weblog of the same attribute cluster, and determining a weblog whose similarity is larger than a preset similarity threshold as an alarm log; extracting the network vulnerability and the network environment from the alarm log and generating a security event corresponding to the alarm log;
acquiring, according to the time stamp of the alarm log, the number of associated weblogs of the alarm log across all subsystems, determining the number of security events among the associated weblogs, and determining that the security event is credible when the ratio of the number of security events to the number of associated weblogs exceeds a preset ratio threshold;
establishing a network vulnerability knowledge base of the current network environment through a preset vulnerability scanning system; establishing a network environment knowledge base of the current network environment through a preset network environment detection system; and determining the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base so as to determine the effectiveness of the security event according to the matching degree.
2. The data center based network security early warning method according to claim 1, characterized in that before acquiring several weblogs within a preset history period, the method further comprises:
acquiring the original logs uploaded by each subsystem in the preset historical time period, and deleting, based on time stamps and a similarity detection model, repeated logs among the original logs to obtain the weblogs; the weblogs comprise at least a firewall log and an intrusion detection log.
3. The network security early warning method based on the data center station according to claim 1, wherein the step of obtaining the similarity between each weblog and the typical weblog under the same attribute cluster comprises the following steps:
calculating the distance between the weblog and the typical weblog through cosine similarity; and determining the similarity between the weblog and the typical weblog according to the corresponding relation between the preset distance and the similarity.
4. The method for network security early warning based on a data center according to claim 1, wherein determining the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base to determine the validity of the security event according to the matching degree, specifically comprises:
calculating the maximum similarity value of the network loopholes in the security event and each network loophole in the network loophole knowledge base as the matching degree of the security event in the network loophole knowledge base through a preset text similarity calculation algorithm; calculating the maximum similarity value between the network environment in the security event and each network environment in the network environment knowledge base as the matching degree of the security event in the network environment knowledge base;
calculating the validity of the security event according to a preset formula, wherein va is 1 when the security event is in the network vulnerability knowledge base and 0 when it is not; da represents the matching degree of the security event in the attack knowledge base; vl is 1 when the security event is in the network environment knowledge base and 0 when it is not; and dl represents the matching degree of the security event in the network environment knowledge base;
when the value of the validity e of the security event satisfies 0 < e ≤ 0.5, judging the security event as valid; when it satisfies 0.5 < e ≤ 1, judging the security event as invalid.
5. A data center based network security early warning system, the system comprising:
the extraction module is used for acquiring the weblogs of any subsystem in a preset historical time period and performing attribute clustering on the weblogs through a preset alarm aggregation model; obtaining the typical weblog corresponding to each attribute cluster; obtaining the similarity between each weblog and the typical weblog of the same attribute cluster, and determining a weblog whose similarity is larger than a preset similarity threshold as an alarm log; extracting the network vulnerability and the network environment from the alarm log and generating a security event corresponding to the alarm log;
the credibility determining module is used for acquiring, according to the time stamp of the alarm log, the number of associated weblogs of the alarm log across all subsystems, determining the number of security events among the associated weblogs, and determining that the security event is credible when the ratio of the number of security events to the number of associated weblogs exceeds a preset ratio threshold;
the effective determining module is used for establishing a network vulnerability knowledge base of the current network environment through a preset vulnerability scanning system; establishing a network environment knowledge base of the current network environment through a preset network environment detection system; and determining the matching degree of the security event with the network vulnerability knowledge base and the network environment knowledge base so as to determine the effectiveness of the security event according to the matching degree.
6. The data center-based network security early warning system of claim 5, wherein the extraction module further comprises a deletion unit,
the method comprises the steps of acquiring original logs uploaded by each subsystem in a preset historical time period, deleting repeated original logs based on time stamps and a similarity detection model in the original logs to acquire weblogs; the weblog at least comprises a firewall log and an intrusion detection log.
7. The data center-based network security early warning system of claim 5, wherein the extraction module further comprises a similarity determination unit,
configured to calculate the distance between the weblog and the typical weblog through cosine similarity, and to determine the similarity between the weblog and the typical weblog according to a preset correspondence between distance and similarity.
8. The data center-based network security early warning system of claim 5, wherein the validity determination module comprises a validity calculation unit,
the method comprises the steps that a text similarity calculation algorithm is preset, and the maximum similarity value of network vulnerabilities in a security event and each network vulnerability in a network vulnerability knowledge base is calculated as the matching degree of the security event in the network vulnerability knowledge base; calculating the maximum similarity value between the network environment in the security event and each network environment in the network environment knowledge base as the matching degree of the security event in the network environment knowledge base; according to a preset formula:calculating the validity of the security event; wherein, va of the security event in the network vulnerability knowledge base is 1, va of the security event in the network vulnerability knowledge base is not 0; da represents the matching degree of the security event in the attack knowledge base; the security event is V1 in the network environment knowledge base, and the security event is not V1 in the network environment knowledge base and is 0; dl represents the matching degree of the security event in the network environment knowledge base; when the value e of the validity of the security event is more than 0 and less than or equal to 0.5, judging the security event as valid; when the value of the validity e of the security event is 0.5 < e.ltoreq.1, the security event is judged as invalid.
9. A data center based network security early warning device, the device comprising:
a processor;
and a memory having executable code stored thereon that, when executed, causes the processor to perform a data center based network security early warning method as recited in any one of claims 1-4.
10. A non-transitory computer storage medium having stored thereon computer instructions that, when executed, implement a data center based network security early warning method as claimed in any one of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311317603.XA CN117061250B (en) 2023-10-12 2023-10-12 Network security early warning method, system, equipment and medium based on data center

Publications (2)

Publication Number Publication Date
CN117061250A true CN117061250A (en) 2023-11-14
CN117061250B CN117061250B (en) 2023-12-15

Family

ID=88663117

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311317603.XA Active CN117061250B (en) 2023-10-12 2023-10-12 Network security early warning method, system, equipment and medium based on data center

Country Status (1)

Country Link
CN (1) CN117061250B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150106867A1 (en) * 2013-10-12 2015-04-16 Fortinet, Inc. Security information and event management
CN107517216A (en) * 2017-09-08 2017-12-26 瑞达信息安全产业股份有限公司 A kind of network safety event correlating method
CN113098828A (en) * 2019-12-23 2021-07-09 ***通信集团辽宁有限公司 Network security alarm method and device
CN115549953A (en) * 2022-08-15 2022-12-30 国家管网集团北方管道有限责任公司 Network security alarm method and system
CN115907439A (en) * 2023-03-01 2023-04-04 广东赛博威信息科技有限公司 Integrated marketing management system
CN116614245A (en) * 2023-02-17 2023-08-18 中国科学院信息工程研究所 Attack path modeling method and system based on multi-source alarm log compression

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant