Cloud computing information security visualization system based on trusted computing
Technical field
The present invention relates to the field of information security technology, and in particular to a cloud computing information security visualization system based on trusted computing.
Background technology
In recent years, the informatization of society has advanced steadily. Network applications are increasingly widespread, and network security problems have become correspondingly prominent and severe. Network security visualization has also become a field of growing interest in recent years: exploiting human visual perception, it represents data as graphics and images so that users can understand the information contained in the data more intuitively, allowing network administrators to judge the security problems present in the network and thereby analyze the network's condition.
Regarding the concept of trusted computing, the ISO/IEC 15408 standard gives the following definition: the behavior of a trusted component, operation or process is predictable under any operating condition, and it resists well the damage caused by application software, viruses and certain physical disturbances. The basic idea of trusted computing is to introduce a security chip (trusted platform module) on the hardware platform to improve the security of the terminal system; that is, a root of trust is implanted in each terminal platform, so that the computer builds trust relationships from the BIOS to the operating system kernel layer and then to the application layer. On this basis the trust is extended to the network and the corresponding chain of trust is established, thereby entering the era of computer immunity. When a terminal is attacked, it can achieve self-protection, self-management and self-recovery.
Trusted computing came into being for behavioral security. According to the book 《Software action》 by a Chinese information security expert, behavioral security should include features such as the confidentiality of behavior, the integrity of behavior and the authenticity of behavior. In terms of military posture maps, most current research addresses how to guarantee the confidentiality and authenticity of information, whereas the integrity of behavior, and in particular the integrity of visualized information, has always had many deficiencies.
Summary of the invention
The object of the invention is to provide a cloud computing information security visualization system based on trusted computing, so as to solve the above problems.
To solve the above technical problem, the technical solution adopted by the present invention is:
A cloud computing information security visualization system based on trusted computing, characterized in that it comprises, connected in sequence, an information data mining module, a trusted information preprocessing module, an information storage module, and an information analysis and display module based on trusted integrity;
The information data mining module authenticates the hardware nodes in the network from which information is collected, judges the credibility of the network hardware nodes, establishes the trust relationship of the collected information, and obtains the original information data by capturing network packets in the LAN; the original information data comprise three data types: inter-IP sensitive information sending detection data, mail detection log data, and distributed denial of service attack data;
The trusted information preprocessing module performs data dimensionality reduction, identification and classification preprocessing on the original information data to form measurable, quantized data, providing the basis for building the global trusted environment;
The information storage module encrypts the preprocessed information data and stores them in the corresponding location of the cloud storage resource pool. The information data mining module and the trusted information preprocessing module jointly build the trusted data platform, and secure and trusted storage of data is realized on the basis of the trusted data platform, building the global trusted environment. The trusted data platform also includes a trusted software system, which provides the operating system and application software with the interface for using the trusted data platform, while providing integrity measurement for the platform's subsequent software and performing behavior audit and analysis on specific behaviors of the uncontrollable operating system; the subsequent software includes core loading software and uncontrollable operating system software. The information data mining module is the starting point of the chain of trust, and the information data mining module, the trusted information preprocessing module, the information storage module, and the information analysis and display module based on trusted integrity together form the chain of trust;
The information analysis and display module based on trusted integrity extracts, analyzes and displays information on the basis of the trusted data platform already built, providing administrators with visual trusted data and graphical displays. It comprises a mail contact relationship analysis and display submodule, a log count distribution analysis and display submodule, an inter-IP information sending relationship analysis and display submodule, a sensitive mail forwarding path analysis and display submodule, and a distributed denial of service attack data analysis and display submodule, specifically:
(1) The mail contact relationship analysis and display submodule extracts, analyzes and processes the mail detection log data stored in the cloud storage resource pool, and displays the sensitive mail contact relationships detected within a specified time period. Through a calendar designed with selectable dates, the submodule lets the user interact with the interface and freely select the time period to query. It performs the following operations:
According to the time period selected by the user, the system selects data from the cloud storage resource pool and stores the selected data in the form of a dictionary; after analyzing and processing the data, it generates the corresponding matrix data model from the sending/receiving correspondence of the sensitive mail. The sending/receiving relationships of sensitive mail in the selected time period are then visualized as a chord diagram: the different mailboxes are distributed around a circle, with the email addresses shown on the outside of the circle; if a sensitive-information sending relationship exists between two mailboxes, a ribbon is drawn between them, with the thick end of the ribbon representing the sender of the mail and the thin end representing the recipient;
(2) The log count distribution analysis and display submodule classifies and counts logs according to time period and the number of logs detected, and displays the result as a tree diagram, specifically:
(2-1) the received log data set W is divided by time period into n time subsets, i.e. $W = \{W_1, W_2, \ldots, W_j, \ldots, W_n\}$;
(2-2) m log quantity levels are set manually, and each time subset $W_j$ is divided into m level subsets, i.e. $W_{1j}, W_{2j}, \ldots, W_{ij}, \ldots, W_{mj}$;
(2-3) a tree TW is constructed with the log data set W as the root, $W_j$ as the first-layer nodes and $W_{ij}$ as the second-layer nodes;
(2-5) the value of each node in the tree TW is calculated: the value of a leaf node is the value of its data element, and the value of a non-leaf node equals the sum of the values of all its child nodes in the layer below; the log data set W has thus been organized into a tree data structure;
(2-6) the generated tree data structure is mapped to a tree diagram on a two-dimensional plane;
(3) The inter-IP information sending relationship analysis and display submodule extracts, analyzes and statistically processes the inter-IP sensitive information sending detection data located at the corresponding position of the cloud storage resource pool and, through visual display and interface interaction, shows the sensitive-information sending associations between different IPs within a given time period. The submodule uses a time period selection mechanism and a scatter layout: nodes represent entities, lines represent the connections between entities, and node size represents the strength of the information sending association between IPs; hierarchical display is performed selectively according to mouse click events. When the mouse hovers over a node, the details of the corresponding entity appear, including ID and discovery time; clicking an entity selects all IPs related to the selected node. A search engine system is also provided, with which the user enters an IP to select the IP-related information to view;
The sending/receiving correspondence of the mail is obtained from the TCP connection direction of the mail, specifically: first, the captured network packets are parsed to obtain information including source IP address, destination IP address, source port, destination port and sequence number; four-tuple 1 {source IP address, source port, destination IP address, destination port} and four-tuple 2 {destination IP address, destination port, source IP address, source port} identify the two directions of the TCP connection respectively; the application-layer data of the network packets are then written, in sequence-number order, into the log file corresponding to the TCP connection direction.
(4) The sensitive mail forwarding path analysis and display submodule analyzes, processes and counts the detection data and mail forwarding relationships in the mail detection log data, and displays the path along which a particular mail is forwarded between different mailboxes, specifically:
First, the user enters in the search box the title of the mail to be searched for, or a keyword contained in the title, and the system performs fuzzy matching of the keyword against all mail titles in the mail record data. If no mail matching the user's input is retrieved, a prompt is sent asking the user to re-enter; if related records are retrieved, the results are presented to the user in the form of a table, and a click event is added to the title of each mail. When the user clicks the title of the target mail, the back end searches the mail records again according to the selected mail, finds the forwarding records of that mail, and records the sender and recipients of each forwarding in the form of a dictionary, constructing the data needed for visualization. Finally, the forwarding path of the mail is presented to the user as a layered tree diagram with interactive functions: if a mailbox is a last-level recipient, its vertex in the tree diagram is displayed hollow; if the mailbox has also forwarded the mail to one or more other mailboxes, the tree node representing that mailbox is set to solid. The table contents include mail ID, mail title, mail time, mail sender and number of mail attachments;
(5) The distributed denial of service attack data analysis and display submodule extracts, analyzes and displays distributed denial of service attack data, specifically:
(5-1) the submodule extracts the distributed denial of service attack data from the corresponding position of the cloud storage resource pool and stores them in a hash table. The keys of the hash table are character strings composed of three parts: the source IP, the port number, and the time stamp selected according to the time interval set by the user; whenever any one of the three differs, a new element is created and inserted into the hash table. Each element represents a node in the graphical representation, expressing the relationship with the connected host, and the value corresponding to a key in the hash table represents the total amount of data in that connection's communication activity;
(5-2) the coordinate values of all nodes are calculated, the points with coordinate information are then drawn, and the time interval and the unit radius parameter of the graphical display are adjusted according to different needs. The principles followed when drawing are: the different colors of the line between a host node and the central node represent the amount of communication data in the time interval, mapped according to a certain coefficient; a host node is composed of several concentric circles, and the contrast intensity of the color represents the number of ports involved in the connection.
Preferably, the trusted information preprocessing module comprises a data dimensionality reduction unit, a data identification unit and a data classification unit, providing the basis for building the global trusted environment, specifically:
(1) the data dimensionality reduction unit uses an improved PCA to eliminate the redundancy among the original information data and reduce their dimension, specifically:
1) extract the N original information data items to be analyzed as the matrix $X = [x_1, x_2, \ldots, x_N]$, where $x_i$ is the i-th original information data item;
2) solve the mean of the N original information data items:
3) solve the covariance matrix A of the N original information data items:
4) calculate the principal components from the eigenvalues of the covariance matrix A:
$A\delta_i = \mu_i\delta_i$
where $\mu_i$ and $\delta_i$ are the eigenvalues and the corresponding eigenvectors respectively;
5) according to the given precision ρ, solve for the M largest eigenvalues by a numerical computation method:
where the value range of M is
6) take the M largest eigenvalues and the corresponding eigenvectors, and let
$\Phi = [\delta_1, \delta_2, \ldots, \delta_M]$, $\Gamma = \mathrm{diag}(\mu_1, \mu_2, \ldots, \mu_M)$
so that $A\Phi = \Phi\Gamma$;
7) calculate the new matrix composed of the low-dimensional vectors;
(2) the data identification unit performs identification and detection on the original information data after dimensionality reduction, removes irrelevant information data and obtains the relevant information data;
(3) the data classification unit classifies the relevant information data by data type.
Preferably, the data identification unit identifies distributed denial of service attack data, specifically:
1) let the matrix of the n original information data items after dimensionality reduction be $Y' = \Phi^{T} X'$, where $X' = [x_1, x_2, \ldots, x_n]$, $x_j \in X'$. Select the Db3 wavelet as the analysis wavelet and select the maximum decomposition scale, and apply the decomposition algorithm to $Y'$ to obtain the wavelet coefficient matrix. For each scale j ≤ the maximum scale, extract the high-frequency coefficients from the wavelet coefficient matrix and calculate the variance Ψ of the wavelet coefficients; then fit a straight line to $[j, \log_2 \Psi]$ to obtain the slope k, and thereby solve for the self-similarity parameter of the network traffic, the Hurst value H:
$H = (k-1)/2$;
2) analyze the change in the Hurst values obtained at different times, $\Delta H = H_t - H_{t-1}$, and set a threshold T: if ΔH > T, a distributed denial of service attack is judged to have occurred, and the corresponding original information data are retained; if ΔH ≤ T, a distributed denial of service attack is judged not to have occurred, and the corresponding original information data are removed.
The technical solution disclosed by the invention can have the following beneficial effects:
1. A data dimensionality reduction unit, a data identification unit and a data classification unit are arranged in the trusted information preprocessing module to perform dimensionality reduction, identification and classification on the original information data, so that different types of data are stored in different locations of the cloud storage resource pool; this facilitates extraction of the corresponding data by the information analysis and display module based on trusted integrity and further improves the running speed of the system;
2. Visualization technology is used to display the types of sensitive information captured in the network by the network security detection system and how they are transmitted. The network security detection data are analyzed and displayed from five different angles: analysis and display of the contact relationships of sensitive mail between mailboxes; analysis and visual display of sensitive-information sending relationships between IPs; analysis and display of the forwarding path of a particular mail between different mailboxes; analysis and display of the log count distribution; and analysis and display of distributed denial of service attack data. This provides accurate, comprehensive security log information about the network and improves the trusted integrity of the whole system;
3. In the log count distribution analysis and display submodule, a layered tree diagram based on both log issuing time period and quantity level is constructed, so that users can see at a glance how logs were issued by issuing time and issued quantity. In the mail contact relationship analysis and display submodule, complete TCP connection information is obtained by parsing and reassembling network packets and is displayed with a layered tree diagram, so that users can clearly and intuitively view how the target mail was forwarded between different mailboxes, helping administrators make the corresponding judgments and decisions;
4. In the distributed denial of service attack data analysis and display submodule, distributed denial of service attack data are extracted on the basis of the time stamp, and drawing principles for the graphics are proposed. The focus is placed on the preconditions of an attack, rather than on monitoring and display at the moment the attack is carried out after the attacker already has all the conditions. Distributed denial of service attack patterns can be displayed in multiple dimensions; in addition, the time interval and the unit radius parameter of the graphical display are adjusted according to different needs, which improves the performance of user interaction.
It should be understood that the above general description and the following detailed description are only exemplary and do not limit the present disclosure.
Description of the drawings
Fig. 1 is a connection diagram of the modules of the invention;
Reference numerals:
Information data mining module 1, trusted information preprocessing module 2, information storage module 3, information analysis and display module based on trusted integrity 4, data dimensionality reduction unit 21, data identification unit 22, data classification unit 23, contact relationship analysis and display submodule 41, log count distribution analysis and display submodule 42, inter-IP information sending relationship analysis and display submodule 43, sensitive mail forwarding path analysis and display submodule 44, distributed denial of service attack data analysis and display submodule 45.
The accompanying drawings are incorporated into and constitute a part of this specification; they show embodiments consistent with the present invention and, together with the specification, serve to explain the principles of the invention.
Specific embodiment
The present invention is described in further detail below through a specific embodiment and with reference to the accompanying drawing.
Referring to Fig. 1, the cloud computing information security visualization system based on trusted computing of this embodiment comprises, connected in sequence, an information data mining module 1, a trusted information preprocessing module 2, an information storage module 3, and an information analysis and display module 4 based on trusted integrity;
The information data mining module 1 authenticates the hardware nodes in the network from which information is collected, judges the credibility of the network hardware nodes, establishes the trust relationship of the collected information, and obtains the original information data by capturing network packets in the LAN; the original information data comprise three data types: inter-IP sensitive information sending detection data, mail detection log data, and distributed denial of service attack data;
The trusted information preprocessing module 2 performs data dimensionality reduction, identification and classification preprocessing on the original information data to form measurable, quantized data, providing the basis for building the global trusted environment;
The information storage module 3 encrypts the preprocessed information data and stores them in the corresponding location of the cloud storage resource pool. The information data mining module and the trusted information preprocessing module jointly build the trusted data platform, and secure and trusted storage of data is realized on the basis of the trusted data platform, building the global trusted environment. The trusted data platform also includes a trusted software system, which provides the operating system and application software with the interface for using the trusted data platform, while providing integrity measurement for the platform's subsequent software and performing behavior audit and analysis on specific behaviors of the uncontrollable operating system; the subsequent software includes core loading software and uncontrollable operating system software. The information data mining module is the starting point of the chain of trust, and the information data mining module, the trusted information preprocessing module, the information storage module, and the information analysis and display module based on trusted integrity together form the chain of trust;
The information analysis and display module 4 based on trusted integrity extracts, analyzes and displays information on the basis of the trusted data platform already built, providing administrators with visual trusted data and graphical displays. It comprises a mail contact relationship analysis and display submodule 41, a log count distribution analysis and display submodule 42, an inter-IP information sending relationship analysis and display submodule 43, a sensitive mail forwarding path analysis and display submodule 44, and a distributed denial of service attack data analysis and display submodule 45, specifically:
(1) The mail contact relationship analysis and display submodule 41 extracts, analyzes and processes the mail detection log data stored in the cloud storage resource pool, and displays the sensitive mail contact relationships detected within a specified time period. Through a calendar designed with selectable dates, the submodule 41 lets the user interact with the interface and freely select the time period to query. It performs the following operations:
According to the time period selected by the user, the system selects data from the cloud storage resource pool and stores the selected data in the form of a dictionary; after analyzing and processing the data, it generates the corresponding matrix data model from the sending/receiving correspondence of the sensitive mail. The sending/receiving relationships of sensitive mail in the selected time period are then visualized as a chord diagram: the different mailboxes are distributed around a circle, with the email addresses shown on the outside of the circle; if a sensitive-information sending relationship exists between two mailboxes, a ribbon is drawn between them, with the thick end of the ribbon representing the sender of the mail and the thin end representing the recipient;
(2) The log count distribution analysis and display submodule 42 classifies and counts logs according to time period and the number of logs detected, and displays the result as a tree diagram, specifically:
(2-1) the received log data set W is divided by time period into n time subsets, i.e. $W = \{W_1, W_2, \ldots, W_j, \ldots, W_n\}$;
(2-2) m log quantity levels are set manually, and each time subset $W_j$ is divided into m level subsets, i.e. $W_{1j}, W_{2j}, \ldots, W_{ij}, \ldots, W_{mj}$, where the value range of m is [4, 8];
(2-3) a tree TW is constructed with the log data set W as the root, $W_j$ as the first-layer nodes and $W_{ij}$ as the second-layer nodes;
(2-5) the value of each node in the tree TW is calculated: the value of a leaf node is the value of its data element, and the value of a non-leaf node equals the sum of the values of all its child nodes in the layer below; the log data set W has thus been organized into a tree data structure;
(2-6) the generated tree data structure is mapped to a tree diagram on a two-dimensional plane;
(3) The inter-IP information sending relationship analysis and display submodule 43 extracts, analyzes and statistically processes the inter-IP sensitive information sending detection data located at the corresponding position of the cloud storage resource pool and, through visual display and interface interaction, shows the sensitive-information sending associations between different IPs within a given time period. The submodule 43 uses a time period selection mechanism and a scatter layout: nodes represent entities, lines represent the connections between entities, and node size represents the strength of the information sending association between IPs; hierarchical display is performed selectively according to mouse click events. When the mouse hovers over a node, the details of the corresponding entity appear, including ID and discovery time; clicking an entity selects all IPs related to the selected node and displays only that sub-network graph, while the correspondence of the transmitted information is also shown as text. A search mechanism is also provided, with which the user can enter an IP to select the IP-related information to view;
(4) The sensitive mail forwarding path analysis and display submodule 44 analyzes, processes and counts the detection data and mail forwarding relationships in the mail detection log data, and displays the path along which a particular mail is forwarded between different mailboxes, specifically:
First, the user enters in the search box the title of the mail to be searched for, or a keyword contained in the title, and the system performs fuzzy matching of the keyword against all mail titles in the mail record data. If no mail matching the user's input is retrieved, a prompt is sent asking the user to re-enter; if related records are retrieved, the results are presented to the user in the form of a table, and a click event is added to the title of each mail. When the user clicks the title of the target mail, the back end searches the mail records again according to the selected mail, finds the forwarding records of that mail, and records the sender and recipients of each forwarding in the form of a dictionary, constructing the data needed for visualization. Finally, the forwarding path of the mail is presented to the user as a layered tree diagram with interactive functions: if a mailbox is a last-level recipient, its vertex in the tree diagram is displayed hollow; if the mailbox has also forwarded the mail to one or more other mailboxes, the tree node representing that mailbox is set to solid;
(5) The distributed denial of service attack data analysis and display submodule 45 extracts, analyzes and displays distributed denial of service attack data, specifically:
1) the submodule 45 extracts the distributed denial of service attack data from the corresponding position of the cloud storage resource pool and stores them in a hash table. The keys of the hash table are character strings composed of three parts: the source IP, the port number, and the time stamp selected according to the time interval set by the user; whenever any one of the three differs, a new element is created and inserted into the hash table. Each element will be a node in the later graphical representation, expressing the relationship with the connected host, and the value corresponding to a key in the hash table represents the total amount of data in that connection's communication activity;
2) the coordinate values of all nodes are calculated, the points with coordinate information are then drawn, and the time interval and the unit radius parameter of the graphical display are adjusted according to different needs. The principles followed when drawing are: the line between a host node and the central node represents the amount of communication data in the time interval, mapped according to a certain coefficient; the amount of communication data is represented by different colors, with red indicating a larger amount; a host node is composed of several concentric circles, and the contrast intensity of the color represents the number of ports involved in the connection.
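Steps (2-1) to (2-6) of the log count distribution submodule can be sketched as follows; this is an added example, not code from the patent. It assumes each record is a (timestamp, detected log count) pair, that the m levels are given as m-1 ascending count boundaries, and that the two-dimensional mapping is a simple layered layout whose widths are proportional to node values; all names and sample values are constructed.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

def fill_values(node):
    """(2-5): a non-leaf value is the sum of the values of its children."""
    if node["children"]:
        node["value"] = sum(fill_values(c) for c in node["children"])
    else:
        node.setdefault("value", 0)  # an empty level subset counts as 0
    return node["value"]

def build_log_tree(records, start, period, n, level_bounds):
    """(2-1)-(2-5): root W, time subsets W_j, level subsets W_ij, data elements.

    records      -- iterable of (timestamp, log_count) pairs (assumed shape)
    level_bounds -- m-1 ascending boundaries splitting counts into m levels
    Returns (tree, number_of_records_outside_the_n_periods).
    """
    m = len(level_bounds) + 1
    root = {"name": "W", "children": []}
    for j in range(1, n + 1):
        levels = [{"name": f"W{i},{j}", "children": []} for i in range(1, m + 1)]
        root["children"].append({"name": f"W{j}", "children": levels})
    skipped = 0
    for ts, count in records:
        j = (ts - start) // period           # index of the time subset
        if not 0 <= j < n:
            skipped += 1                      # outside the analysed range
            continue
        i = bisect_right(level_bounds, count)  # index of the quantity level
        element = {"name": ts.isoformat(), "value": count, "children": []}
        root["children"][j]["children"][i]["children"].append(element)
    fill_values(root)
    return root, skipped

def layout(node, x0=0.0, x1=1.0, depth=0):
    """(2-6): one (name, depth, x0, x1) box per node, width proportional to value."""
    boxes = [(node["name"], depth, x0, x1)]
    left = x0
    for child in node["children"]:
        share = child["value"] / node["value"] if node["value"] else 0.0
        width = (x1 - x0) * share
        boxes += layout(child, left, left + width, depth + 1)
        left += width
    return boxes

def find(node, name):
    """Return the node with the given name, or None."""
    if node["name"] == name:
        return node
    for child in node["children"]:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None

# Constructed sample: two one-hour periods, m = 4 levels (<10, 10-49, 50-199, >=200).
START = datetime(2024, 1, 1)
RECORDS = [
    (START + timedelta(minutes=5), 3),
    (START + timedelta(minutes=20), 12),
    (START + timedelta(minutes=40), 40),
    (START + timedelta(minutes=70), 250),
    (START + timedelta(minutes=90), 7),
    (START + timedelta(minutes=150), 9),   # falls outside the two periods
]

if __name__ == "__main__":
    tree, skipped = build_log_tree(RECORDS, START, timedelta(hours=1), 2, [10, 50, 200])
    for name, depth, x0, x1 in layout(tree):
        print("  " * depth + f"{name}: [{x0:.3f}, {x1:.3f}]")
    print("records outside range:", skipped)
```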
The trusted information preprocessing module 2 comprises a data dimensionality reduction unit 21, a data identification unit 22 and a data classification unit 23, specifically:
(1) the data dimensionality reduction unit 21 uses an improved PCA to eliminate the redundancy among the original information data and reduce their dimension; the improved PCA is:
1) extract the N original information data items to be analyzed as the matrix $X = [x_1, x_2, \ldots, x_N]$, where $x_i$ is the i-th original information data item;
2) solve the mean of the N original information data items:
3) solve the covariance matrix M of the N original information data items:
4) calculate the principal components from the eigenvalue problem of the covariance matrix A:
$A\delta_i = \mu_i\delta_i$
where $\mu_i$ and $\delta_i$ are the eigenvalues of M and the corresponding eigenvectors respectively;
5) according to the given precision ρ, solve for the M largest eigenvalues by a numerical computation method:
where the value range of M is
6) take the M largest eigenvalues and the corresponding eigenvectors, and let
$\Phi = [\delta_1, \delta_2, \ldots, \delta_M]$, $\Gamma = \mathrm{diag}(\mu_1, \mu_2, \ldots, \mu_M)$
so that $A\Phi = \Phi\Gamma$;
7) calculate the new matrix composed of the low-dimensional vectors;
(2) the data identification unit 22 performs identification and detection on the original information data after dimensionality reduction, removes irrelevant information data and obtains the relevant information data;
(3) the data classification unit 23 classifies the relevant information data by data type.
Wherein, the data identification unit 22 includes the identification of distributed denial of service attack data, specifically:
1) let the matrix of the K pieces of original information data after dimensionality reduction be $Y'=\Phi^{T}X'$, where $X'=[x_1,x_2,\dots,x_K]$ and $x_j\in X'$; select the Db3 wavelet as the analysis wavelet and select the maximum decomposition scale; perform wavelet decomposition on $Y'$ with the decomposition algorithm to obtain the matrix of wavelet coefficients; while j ≤ the maximum scale, extract the high-frequency coefficients from the matrix of wavelet coefficients, compute the variance Ψ of these coefficients, and fit a straight line to $[j,\log_2\Psi]$ to obtain the slope k, thereby solving for the self-similarity parameter of the network traffic, the Hurst value H:
$H=(k-1)/2$;
2) analyse the change between the Hurst values obtained at different times, $\Delta H=H_t-H_{t-1}$, and set a threshold T: if ΔH > T, judge that a distributed denial of service attack has occurred and preserve the corresponding original information data; if ΔH ≤ T, judge that no distributed denial of service attack has occurred and remove the corresponding original information data.
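The following Python code is an added example, not part of the patent text, of steps 1) and 2): it estimates H from Db3 detail-coefficient variances with the stated formula H=(k-1)/2 and flags a window when ΔH > T. The one-dimensional traffic series, the five scales, the threshold 0.3 and all function names are assumptions made for illustration, and the sample windows are constructed.

```python
import math
import random
import statistics

# Db3 scaling (low-pass) taps; the high-pass taps are their quadrature mirror.
H_LO = [0.3326705529509569, 0.8068915093133388, 0.4598775021193313,
        -0.13501102001039084, -0.08544127388224149, 0.035226291882100656]
H_HI = [(-1) ** k * H_LO[5 - k] for k in range(6)]

def dwt_step(x):
    """One Db3 analysis level; positions that would need padding are skipped."""
    starts = range(0, len(x) - 5, 2)
    approx = [sum(h * x[i + k] for k, h in enumerate(H_LO)) for i in starts]
    detail = [sum(g * x[i + k] for k, g in enumerate(H_HI)) for i in starts]
    return approx, detail

def hurst(series, max_scale=5):
    """Slope k of log2(detail variance) against scale j, then H = (k - 1) / 2."""
    approx, logvar = list(series), []
    for _ in range(max_scale):
        approx, detail = dwt_step(approx)
        logvar.append(math.log2(statistics.pvariance(detail)))
    scales = list(range(1, max_scale + 1))
    mj, mv = statistics.mean(scales), statistics.mean(logvar)
    k = (sum((j - mj) * (v - mv) for j, v in zip(scales, logvar))
         / sum((j - mj) ** 2 for j in scales))
    return (k - 1) / 2  # formula as given in step 1)

def ddos_flags(windows, threshold):
    """Per window: (H_t, H_t - H_{t-1}, keep); keep is True when delta > T."""
    results, prev = [], None
    for window in windows:
        h = hurst(window)
        delta = None if prev is None else h - prev
        results.append((h, delta, delta is not None and delta > threshold))
        prev = h
    return results

def sample_windows(n=4096, seed=7):
    """Constructed traffic: uncorrelated windows and one strongly correlated."""
    rng = random.Random(seed)
    calm_a = [rng.gauss(1000, 50) for _ in range(n)]
    calm_b = [rng.gauss(1000, 50) for _ in range(n)]
    surge, level = [], 1000.0
    for _ in range(n):
        level += rng.gauss(0, 50)
        surge.append(level)
    return [calm_a, calm_b, surge, calm_a]
```

Calling `ddos_flags(sample_windows(), threshold=0.3)` keeps only the third window, the one whose Hurst value jumps relative to its predecessor.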
Wherein, the sending and receiving correspondence of the mail is obtained by obtaining the TCP connection of the mail: first, the captured network packets are parsed to obtain information including the source IP address, destination IP address, source port, destination port and sequence number; four-tuple 1 (source IP address, source port, destination IP address, destination port) and four-tuple 2 (destination IP address, destination port, source IP address, source port) are used to indicate the two directions of the TCP connection respectively; then the application-layer data of the network packets are written, in sequence-number order, into the log file corresponding to the TCP connection.
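The following Python code is an added example, not part of the patent text, of the reassembly just described: payloads are grouped by directional four-tuple and ordered by sequence number, and the sender and recipients are then read from the client-to-server stream. Returning the streams as bytes instead of writing log files, reading the SMTP envelope commands on port 25, and all names and packets shown are assumptions; the capture is constructed.

```python
from collections import defaultdict

def reassemble(packets):
    """Return {four_tuple: bytes}: payloads per direction, in sequence order.

    A retransmission (sequence number already seen) is written only once.
    Assumes sequence numbers do not wrap within a stream.
    """
    segments = defaultdict(dict)
    for p in packets:
        if p["payload"]:  # bare ACK/SYN/FIN segments carry no application data
            key = (p["src_ip"], p["src_port"], p["dst_ip"], p["dst_port"])
            segments[key].setdefault(p["seq"], p["payload"])
    return {key: b"".join(segs[s] for s in sorted(segs))
            for key, segs in segments.items()}

def reverse(four_tuple):
    """Four-tuple 2 is four-tuple 1 with source and destination swapped."""
    src_ip, src_port, dst_ip, dst_port = four_tuple
    return (dst_ip, dst_port, src_ip, src_port)

def mail_relations(streams, smtp_port=25):
    """Read sender and recipients from each client-to-server SMTP stream."""
    relations = []
    for key, data in streams.items():
        if key[3] != smtp_port:
            continue  # this is the server-to-client direction
        lines = data.decode("ascii", "replace").splitlines()
        relations.append({
            "client": key[0], "server": key[2],
            "from": [l[10:].strip() for l in lines if l.upper().startswith("MAIL FROM:")],
            "to": [l[8:].strip() for l in lines if l.upper().startswith("RCPT TO:")],
            "reply_seen": reverse(key) in streams,
        })
    return relations

def pkt(src, dst, seq, payload=b""):
    return {"src_ip": src[0], "src_port": src[1], "dst_ip": dst[0],
            "dst_port": dst[1], "seq": seq, "payload": payload}

# Constructed capture: segments arrive out of order and one is retransmitted.
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.25", 25)
PACKETS = [
    pkt(CLIENT, SERVER, 1031, b"RCPT TO:<bob@example.org>\r\n"),
    pkt(SERVER, CLIENT, 5000, b"250 OK\r\n"),
    pkt(CLIENT, SERVER, 1000, b"MAIL FROM:<alice@example.com>\r\n"),
    pkt(CLIENT, SERVER, 1000, b"MAIL FROM:<alice@example.com>\r\n"),
    pkt(SERVER, CLIENT, 5008),
    pkt(CLIENT, SERVER, 1058, b"DATA\r\n"),
]
```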
Wherein, the table contents include the mail ID, mail header, mail time, mail originator and number of e-mail attachments.
In the present embodiment, the Data Dimensionality Reduction unit 21, the data identification unit 22 and the data classification unit 23 are arranged in the reliable information pretreatment module 2 to perform dimensionality reduction, identification and classification on the original information data, so that different types of data are stored in different locations of the cloud storage resource pool, which helps the information analysis and display module 4 based on credible integrity to extract the corresponding data and further increases the running speed of the system; using visualization technology, the sensitive information types, transmission situations and the like in the network captured by the network security detection system are displayed visually, and the network security detection data are analysed and displayed from five different angles, accurately and comprehensively, which makes it convenient for administrative staff to make the corresponding judgements and decisions and improves the credible integrity degree of the whole system; the distributed denial of service attack data analysis and display submodule 45 can display distributed denial of service attack patterns in multiple dimensions, which makes it convenient for administrative staff to make the corresponding judgements and decisions, improves the integrity degree of the information, and improves the confidence level of the system from another aspect; and the time interval and the unit radius parameter of the graphical display can be adjusted according to different demands, which improves the performance of user interaction; in the present embodiment the value m=4, the running speed of the system is improved by 2%.
The foregoing is only the preferred embodiments of the present invention and is not intended to limit the present invention; for those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of the present invention.