
CN115622796A - Network security linkage response combat map generation method, system, device and medium - Google Patents


Info

Publication number
CN115622796A
Authority
CN
China
Prior art keywords
network
event
access
subgraph
network event
Prior art date
Legal status
Granted
Application number
CN202211436979.8A
Other languages
Chinese (zh)
Other versions
CN115622796B (en)
Inventor
魏兴慎
杨维永
犹锋
曹永健
周剑
刘苇
张浩天
高鹏
吴超
田秋涵
祁龙云
王晔
郭靓
马增洲
金倩倩
张付存
刘剑
朱溢铭
屠正伟
顾一凡
潘易辰
Current Assignee
Nari Information and Communication Technology Co
Original Assignee
Nari Information and Communication Technology Co
Priority date
Filing date
Publication date
Application filed by Nari Information and Communication Technology Co
Priority to CN202211436979.8A
Publication of CN115622796A
Application granted
Publication of CN115622796B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method, a system, a device and a medium for generating a network security linkage response combat map. The method comprises the following steps: constructing a topological graph containing network defense information according to a service system; collecting network access events in a detection stage and mapping them onto the topological graph to form a network event graph; dividing the network event graph and generating a network event subgraph sequence; inputting the network event subgraph sequence into a pre-constructed classification model to classify each network event subgraph; generating a corresponding security policy and a tracing result according to the classification result of the network event subgraph; and generating a network security linkage response combat map according to the security policy and the tracing result. The invention can discover security events in the network, automatically generate a blocking policy, and generate a network security combat map for the security event, thereby improving the security analysis efficiency of security operators.

Description

Method, system, device and medium for generating network security linkage response combat chart
Technical Field
A method, a system, a device and a medium for generating a network security linkage response combat chart belong to the technical field of information security.
Background
With the continuous development of network attack and defense technology, the security problems faced by national critical information infrastructure keep increasing and network security risk keeps rising. Network threats are developing towards intelligence and automation: an attack usually combines multiple attack steps into a complex attack process with a long duration and a low frequency, which traditional network security detection tools find difficult to discover and detect. On the other hand, there is a gap between the detection of network attack behaviour and the subsequent attack response. The situational awareness platform does not integrate attack detection capability, the defense information of the security devices and attack response to achieve fast blocking of the attack behaviour; instead, a security operator is usually required to confirm the attack event, formulate an attack response strategy, and finally log in to the security device offline and modify its policy to block the attack behaviour, which is inefficient.
Disclosure of Invention
The invention aims to overcome the defects in the prior art and provides a method, a system, a device and a medium for generating a network security linkage response combat map, which can discover security events in a network, automatically generate a blocking policy, generate a network security combat map for the security event, and improve the security analysis efficiency of security operators.
In order to achieve the purpose, the invention is realized by adopting the following technical scheme:
in a first aspect, the invention provides a method for generating a network security linkage response combat chart, which comprises the following steps:
constructing a topological graph containing network defense information according to a service system;
collecting network access events in a detection stage and mapping the network access events to a topological graph to form a network event graph;
dividing the network event graph and generating a network event subgraph sequence;
inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
generating a corresponding security policy and a tracing result according to the classification result of the network event subgraph;
and generating a network security linkage response combat map according to the security policy and the tracing result.
Optionally, the network defense information includes security devices connected in series in the network, and the security devices include a firewall and a gateway.
Optionally, the collecting of the network access events and mapping them onto the topological graph to form the network event graph includes:
acquiring a network access event, and describing the acquired network access event by an access source node, a destination resource node and an access type; the access type is either crossing a security device or not crossing a security device;
if the access source node or the destination resource node corresponding to the network access event does not exist in the topological graph, adding the access source node or the destination resource node to the topological graph;
if the access source node and the destination resource node corresponding to the network access event exist in the topological graph, judging from the access type whether a security device is crossed; if not, adding an edge from the access source node to the destination resource node; if a security device is crossed, adding an edge from the access source node to the security device and an edge from the security device to the destination resource node.
Optionally, the dividing the network event graph and generating the network event sub-graph sequence includes:
traversing the network access events; if the access type of a network access event is crossing a security device, generating a network event subgraph [IMAGE001]:
[formula IMAGE002]
[formula IMAGE003]
where [IMAGE004] is the set of nodes, [IMAGE005] is the set of edges, and [IMAGE006] is the [IMAGE007]-th edge in network event subgraph [IMAGE001]; for edge [IMAGE006], when [IMAGE008] holds, the access type of the corresponding network access event is crossing a security device, and when [IMAGE009] holds, the access type of the corresponding network access event is not crossing a security device;
summarizing the network event subgraphs in sequence to generate the network event subgraph sequence [IMAGE010], where [IMAGE011] is the number of network event subgraphs.
Optionally, the constructing of the classification model includes:
collecting network access events in a training phase and mapping the network access events to a topological graph to form a network event graph;
dividing the network event graph and generating a network event sub-graph sequence;
adding marks to the network event subgraph sequence to generate a training data set; the training data set is:
[formula IMAGE012]
where [IMAGE013] is the mark of network event subgraph [IMAGE015], the mark being normal access or abnormal access;
and inputting the training data set into an improved Graphormer network for training to obtain a classification model.
Optionally, the improved Graphormer network comprises:
introducing the encoder-decoder structure of the Graphormer network, using only the encoder and cutting off the decoder module; in the self-attention computation of the encoder, the centrality encoding and spatial encoding introduced by the Graphormer network are improved; and adding an MLP layer at the output of the encoder;
the embedding of the centrality encoding is represented as:
[formula IMAGE016]
where [IMAGE017] is the centrality encoding value of node [IMAGE019] in network event subgraph [IMAGE001] at the [IMAGE018]-th iteration, and [IMAGE020] is the centrality encoding value of node [IMAGE023] in network event subgraph [IMAGE022] at the [IMAGE021]-th iteration;
the embedding of the spatial encoding is represented as:
[formula IMAGE024]
[formula IMAGE025]
where [IMAGE026] is the centrality encoding value of node [IMAGE027] in network event subgraph [IMAGE001], [IMAGE028] is a parameter matrix of the Graphormer network, [IMAGE029] is the dimension parameter, [IMAGE030] is a learnable weight matrix obtained through [IMAGE031], [IMAGE032] is the spatial relationship between nodes [IMAGE033] in network event subgraph [IMAGE001], [IMAGE034] is the spatial relationship between nodes [IMAGE035] in network event subgraph [IMAGE022], [IMAGE036] is the spatial relationship between node [IMAGE023] in network event subgraph [IMAGE022] and node [IMAGE037] in network event subgraph [IMAGE001], and [IMAGE038] is the spatial relationship between node [IMAGE019] in network event subgraph [IMAGE001] and node [IMAGE039] in network event subgraph [IMAGE022].
Optionally, the generating the corresponding security policy and the tracing result according to the classification result of the network event subgraph includes:
if the classification result of network event subgraph [IMAGE001] is abnormal access, searching network event subgraph [IMAGE001] for the edges added for crossing a security device and judging them as abnormal edges;
searching for the security device crossed by the abnormal edge, and generating a security policy for the security device crossed by the abnormal edge;
searching the network event subgraphs [IMAGE022] and [IMAGE040] adjacent to network event subgraph [IMAGE001], and taking the nodes and edges that are correlated with the abnormal edge in time sequence and spatial relation as the tracing result;
the generating of the security policy of the security device crossed by the abnormal edge comprises the following steps:
during combat, the IP accessing the security device is blocked;
and when not in combat, the port or URL corresponding to the IP accessing the security device is blocked.
In a second aspect, the present invention provides a network security linkage response combat map generation system, including:
the topological graph module is used for constructing a topological graph containing network defense information according to the service system;
the network event graph module is used for acquiring network access events in a detection stage and mapping the network access events to the topological graph to form a network event graph;
the network event subgraph module is used for dividing the network event graph and generating a network event subgraph sequence;
the classification module is used for inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
the processing module is used for generating a corresponding security strategy and a tracing result according to the classification result of the network event subgraph;
and the combat map module is used for generating a network security linkage response combat map according to the security policy and the tracing result.
In a third aspect, the invention provides a network security linkage response combat chart generation device, which comprises a processor and a storage medium;
the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps according to the above-described method.
In a fourth aspect, the invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above-described method.
Compared with the prior art, the invention has the following beneficial effects:
according to the method, the system, the device and the medium for generating the network security linkage response combat map, a topological map containing network defense information is constructed in a training stage, the acquired network access events are mapped into the topological map to form a network event map, then the network event map is segmented to form a network security event sub-graph sequence, and the network security event sub-graph sequence is transmitted to an improved Graphormer algorithm to perform model training, so that a classification model is obtained. In the detection stage, network security event subgraphs in a real system are input into a classification model in sequence, then the network security event subgraphs are classified, after abnormality is found, abnormal edges in an abnormal graph are searched, security equipment spanned by the abnormal edges is found, and a strategy capable of blocking access is generated; and further finding out the associated access behaviors in the event sequence to form an event tracing graph, helping security personnel further analyze the influence of the security events and providing effective support for the decision of security response.
Drawings
Fig. 1 is a flowchart of a method for generating a network security linkage response combat chart according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
The first embodiment is as follows:
as shown in fig. 1, an embodiment of the present invention provides a method for generating a network security linkage response combat map, including the following steps:
1. constructing a topological graph containing network defense information according to a service system;
the network defense information comprises security devices which are connected in series in the network, wherein the security devices comprise a firewall, a gateway and the like.
2. Collecting network access events in a detection stage and mapping the network access events to a topological graph to form a network event graph; the process comprises the following steps:
2.1, collecting network access events, and describing the collected network access events according to access source nodes, destination resource nodes and access types; the access type comprises spanning the security device and not spanning the security device;
2.2, if the access source node or the destination resource node corresponding to the network access event does not exist in the topological graph, adding the access source node or the destination resource node into the topological graph;
2.3, if the access source node and the destination resource node corresponding to the network access event exist in the topological graph, judging from the access type whether a security device is crossed; if not, adding an edge from the access source node to the destination resource node; if a security device is crossed, adding an edge from the access source node to the security device and an edge from the security device to the destination resource node.
3. Dividing the network event graph and generating a network event subgraph sequence; the specific process comprises the following steps:
3.1, traversing the network access events; if the access type of a network access event is crossing a security device, generating a network event subgraph [IMAGE001]:
[formula IMAGE002]
[formula IMAGE003]
where [IMAGE004] is the set of nodes, [IMAGE005] is the set of edges, and [IMAGE006] is the [IMAGE007]-th edge in network event subgraph [IMAGE001]; for edge [IMAGE006], when [IMAGE008] holds, the access type of the corresponding network access event is crossing a security device, and when [IMAGE009] holds, the access type of the corresponding network access event is not crossing a security device;
3.2, summarizing the network event subgraphs in sequence to generate the network event subgraph sequence [IMAGE010], where [IMAGE011] is the number of network event subgraphs.
4. Inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
the construction of the classification model comprises the following steps:
(1) Collecting network access events in a training stage and mapping the network access events to a topological graph to form a network event graph;
(2) Dividing the network event graph and generating a network event subgraph sequence;
(3) Adding marks to the network event subgraph sequence to generate a training data set; the training data set is:
[formula IMAGE012]
where [IMAGE013] is the mark of network event subgraph [IMAGE015], the mark being normal access or abnormal access;
(4) And inputting the training data set into an improved Graphormer network for training to obtain a classification model.
Wherein the improved Graphormer network comprises:
introducing the encoder-decoder structure of the Graphormer network, using only the encoder and cutting off the decoder module; in the self-attention computation of the encoder, the centrality encoding and spatial encoding introduced by the Graphormer network are improved; and adding an MLP layer at the output of the encoder;
the embedding of the centrality encoding is represented as:
[formula IMAGE016]
where [IMAGE017] is the centrality encoding value of node [IMAGE019] in network event subgraph [IMAGE001] at the [IMAGE018]-th iteration, and [IMAGE020] is the centrality encoding value of node [IMAGE023] in network event subgraph [IMAGE022] at the [IMAGE021]-th iteration; if network event subgraph [IMAGE022] does not contain node [IMAGE023], then [formula IMAGE041].
The embedding of the spatial encoding is represented as:
[formula IMAGE042]
[formula IMAGE025]
where [IMAGE026] is the centrality encoding value of node [IMAGE027] in network event subgraph [IMAGE001], [IMAGE028] is a parameter matrix of the Graphormer network, [IMAGE030] is a learnable weight matrix obtained through [IMAGE031], [IMAGE032] is the spatial relationship between nodes [IMAGE033] in network event subgraph [IMAGE001], [IMAGE034] is the spatial relationship between nodes [IMAGE035] in network event subgraph [IMAGE022], [IMAGE036] is the spatial relationship between node [IMAGE023] in network event subgraph [IMAGE022] and node [IMAGE037] in network event subgraph [IMAGE001], and [IMAGE038] is the spatial relationship between node [IMAGE019] in network event subgraph [IMAGE001] and node [IMAGE039] in network event subgraph [IMAGE022]; if the two nodes are not connected, the corresponding [IMAGE043] value is -1.
5. Generating a corresponding security policy and a tracing result according to the classification result of the network event subgraph; the method specifically comprises the following steps:
5.1, if the classification result of network event subgraph [IMAGE001] is abnormal access, searching network event subgraph [IMAGE001] for the edges added for crossing a security device and judging them as abnormal edges;
5.2, searching for the security device crossed by the abnormal edge, and generating a security policy for the security device crossed by the abnormal edge;
5.3, searching the network event subgraphs [IMAGE022] and [IMAGE040] adjacent to network event subgraph [IMAGE001], and taking the nodes and edges that are correlated with the abnormal edge in time sequence and spatial relation as the tracing result;
the generating of the security policy of the security device crossed by the abnormal edge comprises the following steps:
during combat, the IP accessing the security device is blocked;
when not in combat, the port or URL corresponding to the IP accessing the security device is blocked;
6. and generating a network security linkage response combat map according to the security strategy and the tracing result.
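The event-graph construction (step 2), subgraph split (step 3) and policy/tracing logic (step 5) described in the first aspect and again in Embodiment One, as an added Python example that is not code from the patent or from Nari: the Graphormer classifier of step 4 is stood in for by a hard-coded verdict list, the split rule (one subgraph closed per device-crossing event) and the tracing relation (edges sharing a non-device endpoint with the abnormal edge) are this example's assumptions, and the host, IP and device names are constructed sample data.

```python
"""Added example, not code from the patent or its assignee. It implements
steps 2, 3 and 5 of the described method (event graph, subgraph sequence,
blocking policy, tracing result). The Graphormer classifier of step 4 is
replaced by a caller-supplied verdict per subgraph; the subgraph split rule
and the "spatial relation" used for tracing are this example's reading."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class AccessEvent:
    seq: int               # arrival order of the event
    src: str               # access source node (client IP)
    dst: str               # destination resource node
    device: Optional[str]  # security device crossed, None if not crossing
    port: int
    url: str

@dataclass
class EventGraph:
    nodes: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    edges: list = field(default_factory=list)  # (src, dst, seq, crossing_flag)

def build_event_graph(topology_nodes, devices, events):
    """Step 2: map access events onto the topology (nodes plus serial devices)."""
    g = EventGraph(nodes=set(topology_nodes) | set(devices), devices=set(devices))
    for ev in sorted(events, key=lambda e: e.seq):
        g.nodes.update({ev.src, ev.dst})               # 2.2: add missing nodes
        if ev.device is None:                          # 2.3: direct edge, flag 0
            g.edges.append((ev.src, ev.dst, ev.seq, 0))
        else:                                          # 2.3: two edges via device
            g.nodes.add(ev.device)
            g.edges.append((ev.src, ev.device, ev.seq, 1))
            g.edges.append((ev.device, ev.dst, ev.seq, 1))
    return g

def split_subgraphs(g):
    """Step 3 (assumed reading): walk edges in event order and close a subgraph
    each time a device-crossing event completes, so every subgraph ends with
    its pair of flag-1 edges; edges after the last crossing form a final one."""
    subgraphs, current = [], []
    for edge in g.edges:
        current.append(edge)
        _, dst, _, flag = edge
        if flag == 1 and dst not in g.devices:         # the device -> dest edge
            subgraphs.append(current)
            current = []
    if current:
        subgraphs.append(current)
    return subgraphs

def abnormal_edges(subgraph):
    """Step 5.1: in an abnormal subgraph the device-crossing edges are abnormal."""
    return [e for e in subgraph if e[3] == 1]

def generate_policy(g, subgraph, events_by_seq, in_combat):
    """Step 5.2 plus the policy rule: block the accessing IP during combat,
    otherwise only the port or URL that IP used."""
    policies = []
    for _, dst, seq, _ in abnormal_edges(subgraph):
        if dst not in g.devices:
            continue                   # only the src -> device edge names the device
        ev = events_by_seq[seq]
        if in_combat:
            policies.append((dst, "deny_ip", ev.src))
        else:
            policies.append((dst, "deny_port_or_url", ev.src, ev.port, ev.url))
    return policies

def trace(subgraphs, i, devices):
    """Step 5.3: edges of G_i and its neighbours G_(i-1), G_(i+1) that share a
    non-device endpoint with an abnormal edge, tagged with their subgraph index."""
    touched = set()
    for src, dst, _, _ in abnormal_edges(subgraphs[i]):
        touched |= {src, dst} - set(devices)
    return [(j, e) for j in (i - 1, i, i + 1) if 0 <= j < len(subgraphs)
            for e in subgraphs[j] if e[0] in touched or e[1] in touched]

def run_demo(in_combat=True):
    """Constructed sample: one client, a DMZ firewall 'fw-dmz', two servers."""
    events = [
        AccessEvent(1, "10.0.1.5", "web-01", None, 443, "/login"),
        AccessEvent(2, "10.0.1.5", "db-01", "fw-dmz", 3306, ""),
        AccessEvent(3, "web-01", "db-01", None, 3306, ""),
        AccessEvent(4, "10.0.1.5", "web-01", "fw-dmz", 8080, "/admin"),
    ]
    g = build_event_graph(["web-01", "db-01"], ["fw-dmz"], events)
    subgraphs = split_subgraphs(g)
    verdicts = ["normal", "abnormal"]   # stands in for the classification model
    by_seq = {ev.seq: ev for ev in events}
    result = {"subgraphs": subgraphs, "policies": [], "trace": []}
    for i, verdict in enumerate(verdicts):
        if verdict == "abnormal":
            result["policies"] += generate_policy(g, subgraphs[i], by_seq, in_combat)
            result["trace"] += trace(subgraphs, i, g.devices)
    return result
```

With the sample data the second subgraph is the one flagged abnormal, so the policy names the firewall it crosses and the trace pulls in the earlier subgraph's edges that involve the same client and server.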
Example two:
the embodiment of the invention provides a network security linkage response combat chart generation system, which comprises:
the topological graph module is used for constructing a topological graph containing network defense information according to the service system;
the network event graph module is used for acquiring network access events in a detection stage and mapping the network access events to the topological graph to form a network event graph;
the network event subgraph module is used for dividing the network event graph and generating a network event subgraph sequence;
the classification module is used for inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
the processing module is used for generating a corresponding security strategy and a tracing result according to the classification result of the network event subgraph;
and the combat map module is used for generating a network security linkage response combat map according to the security policy and the tracing result.
Example three:
based on the first embodiment, the embodiment of the invention provides a network security linkage response combat map generation device, which comprises a processor and a storage medium, wherein the processor is used for processing a network security linkage response combat map;
a storage medium to store instructions;
the processor is configured to operate in accordance with instructions to perform steps in accordance with the above-described method.
Example four:
according to a first embodiment, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the method.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A network security linkage response combat map generation method is characterized by comprising the following steps:
constructing a topological graph containing network defense information according to a service system;
collecting network access events in a detection stage and mapping the network access events to a topological graph to form a network event graph;
dividing the network event graph and generating a network event subgraph sequence;
inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
generating a corresponding security policy and a tracing result according to the classification result of the network event subgraph;
and generating a network security linkage response combat map according to the security policy and the tracing result.
2. The method for generating the network security linkage response combat map according to claim 1, wherein the network defense information comprises security devices connected in series in the network, the security devices comprising a firewall and a gateway.
3. The method for generating the network security linkage response combat map according to claim 2, wherein the step of collecting the network access events and mapping the network access events into the topological graph to form the network event graph comprises the steps of:
acquiring a network access event, and describing the acquired network access event by an access source node, a destination resource node and an access type; the access type is either crossing a security device or not crossing a security device;
if the access source node or the destination resource node corresponding to the network access event does not exist in the topological graph, adding the access source node or the destination resource node to the topological graph;
if the access source node and the destination resource node corresponding to the network access event exist in the topological graph, judging from the access type whether a security device is crossed; if no security device is crossed, adding an edge from the access source node to the destination resource node; if a security device is crossed, adding an edge from the access source node to the security device and an edge from the security device to the destination resource node.
4. The method for generating the network security linkage response combat map according to claim 3, wherein the step of dividing the network event graph and generating the network event subgraph sequence comprises the steps of:
traversing the network access events, and if the access type of a network access event is crossing the security device, generating a network event subgraph [formula image 001] [formula image 002] [formula image 003],
in the formula, [image 004] is the set of nodes, [image 005] is the set of edges, and [image 006] is the [image 007]-th edge in the network event subgraph [image 001]; for the edge [image 006], when [image 008], the access type of the corresponding network access event is crossing the security device; when [image 009], the access type of the corresponding network access event is not crossing the security device;
summarizing the network event subgraphs in sequence to generate a network event subgraph sequence [formula image 010], where [image 011] is the number of network event subgraphs.
5. The method for generating the network security linkage response combat map according to claim 4, wherein the construction of the classification model comprises:
collecting network access events in a training stage and mapping the network access events to the topological graph to form a network event graph;
dividing the network event graph and generating a network event subgraph sequence;
adding labels to the network event subgraph sequence to generate a training data set; the training data set is: [formula image 012],
in the formula, [image 013] is the label of the network event subgraph [image 014], the label being normal access or abnormal access;
and inputting the training data set into an improved Graphormer network for training to obtain the classification model.
6. The method for generating the network security linkage response combat map according to claim 5, wherein the improved Graphormer network comprises:
adopting the encoder-decoder structure of the Graphormer network, using only the encoder and removing the decoder module; in the self-attention computation of the encoder, improving the centrality encoding and the spatial encoding introduced by the Graphormer network; and adding an MLP layer at the output of the encoder;
the embedding of the centrality encoding is expressed as: [formula image 015],
in the formula, [image 016] is the centrality encoding value of node [image 018] in the network event subgraph [image 001] at the [image 017]-th iteration, and [image 019] is the centrality encoding value of node [image 022] in the network event subgraph [image 021] at the [image 020]-th iteration;
the embedding of the spatial encoding is expressed as: [formula image 023] [formula image 024],
in the formula, [image 025] is the centrality encoding value of node [image 026] in the network event subgraph [image 001], [image 027] is a parameter matrix of the Graphormer network, [image 028] is a dimension parameter, [image 029] is a learnable weight matrix obtained through [image 030], [image 031] is the spatial relationship between the nodes [image 032] in the network event subgraph [image 001], [image 033] is the spatial relationship between the nodes [image 034] in the network event subgraph [image 021], [image 035] is the spatial relationship between a node in the network event subgraph [image 021] and node [image 036] in the network event subgraph [image 001], and [image 037] is the spatial relationship between node [image 018] in the network event subgraph [image 001] and node [image 038] in the network event subgraph [image 021].
7. The method for generating the network security linkage response combat map according to claim 6, wherein the step of generating the corresponding security policy and the tracing result according to the classification result of the network event subgraph comprises the following steps:
if the classification result of the network event subgraph [image 001] is abnormal access, searching the network event subgraph [image 001] for the edges added for crossing the security device, and judging them to be abnormal edges;
searching for the security device crossed by the abnormal edge, and generating a security policy for the security device crossed by the abnormal edge;
searching the network event subgraphs [image 021] and [image 039] adjacent to the network event subgraph [image 001], and taking the nodes and edges that have time precedence and spatial-relationship correlation with the abnormal edge as the tracing result;
the generating of the security policy for the security device crossed by the abnormal edge comprises the following steps:
during combat, the IP accessing the security device is blocked;
when not in combat, the Port or the URL corresponding to the IP accessing the security device is blocked.
8. A network security linkage response combat map generation system is characterized by comprising:
the topological graph module is used for constructing a topological graph containing network defense information according to the service system;
the network event graph module is used for acquiring network access events in a detection stage and mapping the network access events to the topological graph to form a network event graph;
the network event subgraph module is used for dividing the network event graph and generating a network event subgraph sequence;
the classification module is used for inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
the processing module is used for generating a corresponding security policy and a tracing result according to the classification result of the network event subgraph;
and the combat map module is used for generating a network security linkage response combat map according to the security policy and the tracing result.
9. A network security linkage response combat map generating device is characterized by comprising a processor and a storage medium;
the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
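As an added example, not code from the patent, the following Python carries the event-graph construction of claim 3, the subgraph splitting of claim 4 and the policy and tracing generation of claim 7 through on constructed sample events; the classifier of claims 5 and 6 is replaced by a caller-supplied "abnormal" index, and the event fields, device names, splitting rule and correlation rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class AccessEvent:
    ts: int                         # event time (constructed sample values below)
    src: str                        # access source node, e.g. a client IP
    dst: str                        # destination resource node
    port: int
    url: str
    device: Optional[str] = None    # security device crossed; None = not crossed

@dataclass
class EventGraph:
    nodes: set = field(default_factory=set)
    edges: list = field(default_factory=list)   # (u, v, crosses_device)

def build_event_graph(topology_nodes, events) -> EventGraph:
    """Claim 3: map access events onto the topology graph."""
    g = EventGraph(nodes=set(topology_nodes))
    for e in events:
        g.nodes.update({e.src, e.dst})      # add unknown source/destination nodes
        if e.device is None:
            g.edges.append((e.src, e.dst, False))
        else:                               # route the edge through the device
            g.nodes.add(e.device)
            g.edges.append((e.src, e.device, True))
            g.edges.append((e.device, e.dst, True))
    return g

def split_subgraphs(events):
    """Claim 4: each event crossing a security device closes one subgraph
    (assumed reading: the preceding non-crossing events belong to it)."""
    seq, current = [], []
    for e in sorted(events, key=lambda x: x.ts):
        current.append(e)
        if e.device is not None:
            seq.append(current)
            current = []
    return seq + ([current] if current else [])

def respond(seq, abnormal_idx, in_combat):
    """Claim 7: policy per device crossed by an abnormal edge, plus tracing:
    earlier events in adjacent subgraphs whose destination is the abnormal source."""
    abnormal = [e for e in seq[abnormal_idx] if e.device is not None]
    policies = [(e.device, "block_ip", e.src) if in_combat
                else (e.device, "block_port_url", f"{e.src}:{e.port}{e.url}")
                for e in abnormal]
    neighbours = (seq[max(0, abnormal_idx - 1):abnormal_idx]
                  + seq[abnormal_idx + 1:abnormal_idx + 2])
    trace = [(e.src, e.dst) for adj in neighbours for e in adj
             if any(e.dst == a.src and e.ts < a.ts for a in abnormal)]
    return policies, trace

def sample_events():
    # constructed sample: a direct access, then two accesses crossing firewalls
    return [AccessEvent(1, "10.0.0.5", "10.0.1.7", 445, "/"),
            AccessEvent(2, "10.0.0.5", "10.0.1.8", 445, "/", device="fw1"),
            AccessEvent(3, "10.0.1.7", "10.0.2.9", 443, "/api", device="fw2")]
```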
CN202211436979.8A 2022-11-16 2022-11-16 Network security linkage response combat map generation method, system, device and medium Active CN115622796B (en)


Publications (2)

Publication Number Publication Date
CN115622796A true CN115622796A (en) 2023-01-17
CN115622796B CN115622796B (en) 2023-04-07

Family

ID=84878692


Country Status (1)

Country Link
CN (1) CN115622796B (en)


Also Published As

Publication number Publication date
CN115622796B (en) 2023-04-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant