
CN115622796B - Network security linkage response combat map generation method, system, device and medium - Google Patents


Info

Publication number
CN115622796B
Authority
CN
China
Prior art keywords
network
event
access
graph
security
Prior art date
Legal status
Active
Application number
CN202211436979.8A
Other languages
Chinese (zh)
Other versions
CN115622796A (en)
Inventor
魏兴慎
杨维永
犹锋
曹永健
周剑
刘苇
张浩天
高鹏
吴超
田秋涵
祁龙云
王晔
郭靓
马增洲
金倩倩
张付存
刘剑
朱溢铭
屠正伟
顾一凡
潘易辰
Current Assignee
Nari Information and Communication Technology Co
Original Assignee
Nari Information and Communication Technology Co
Priority date
Filing date
Publication date
Application filed by Nari Information and Communication Technology Co
Priority to CN202211436979.8A
Publication of CN115622796A
Application granted
Publication of CN115622796B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method, system, device and medium for generating a network security linkage response combat map. The method comprises the following steps: constructing a topological graph containing network defense information according to a service system; collecting network access events in a detection stage and mapping them onto the topological graph to form a network event graph; dividing the network event graph to generate a network event subgraph sequence; inputting the network event subgraph sequence into a pre-constructed classification model to classify each network event subgraph; generating a corresponding security policy and a tracing result according to the classification result of the network event subgraph; and generating the network security linkage response combat map according to the security policy and the tracing result. The invention can discover security events in the network, automatically generate a blocking policy, and generate a network security combat map for the security event, thereby improving the security analysis efficiency of security operators.

Description

Network security linkage response combat map generation method, system, device and medium
Technical Field
A method, a system, a device and a medium for generating a network security linkage response combat chart belong to the technical field of information security.
Background
With the continuous development of network attack and defense technology, the security problems faced by national critical information infrastructure keep increasing and network security risk keeps rising. Network threats are developing towards intelligence and automation: an attack usually combines multiple attack steps into a complex attack process with a long duration and a low frequency, which traditional network security detection tools find difficult to discover and detect. On the other hand, there is a gap between the detection of network attack behaviour and the subsequent attack response, and situation awareness platforms do not integrate attack detection capability, security device defense information and attack response to achieve rapid blocking of the attack behaviour.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method, system, device and medium for generating a network security linkage response combat map, which can discover security events in the network, automatically generate a blocking policy, generate a network security combat map for the security event, and improve the security analysis efficiency of security operators.
In order to achieve the purpose, the invention is realized by adopting the following technical scheme:
in a first aspect, the invention provides a method for generating a network security linkage response combat map, which comprises the following steps:
constructing a topological graph containing network defense information according to a service system;
collecting network access events in a detection stage and mapping the network access events to a topological graph to form a network event graph;
dividing the network event graph and generating a network event subgraph sequence;
inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
generating a corresponding security policy and a tracing result according to the classification result of the network event subgraph;
and generating a network security linkage response combat map according to the security strategy and the tracing result.
Optionally, the network defense information includes security devices connected in series in the network, and the security devices include a firewall and a gateway.
Optionally, the collecting of the network access events and mapping them onto the topological graph to form the network event graph includes:
acquiring a network access event and describing it by an access source node, a destination resource node and an access type, where the access type is either crossing the security device or not crossing the security device;
if the access source node or the destination resource node of the network access event does not exist in the topological graph, adding it to the topological graph;
if both the access source node and the destination resource node of the network access event exist in the topological graph, judging from the access type whether the access crosses the security device; if it does not, adding an edge from the access source node to the destination resource node; if it does, adding an edge from the access source node to the security device and an edge from the security device to the destination resource node.
Optionally, the dividing of the network event graph and generating of the network event subgraph sequence includes:
traversing the network access events; if the access type of a network access event is crossing the security device, generating a network event subgraph
Figure 789400DEST_PATH_IMAGE001
Figure 242378DEST_PATH_IMAGE002
Figure 493231DEST_PATH_IMAGE003
where
Figure 6251DEST_PATH_IMAGE004
is the node set,
Figure 795085DEST_PATH_IMAGE005
is the edge set, and
Figure 114071DEST_PATH_IMAGE006
is, in the network event subgraph
Figure 157113DEST_PATH_IMAGE001
, the
Figure 903352DEST_PATH_IMAGE007
-th edge; for the edge
Figure 399056DEST_PATH_IMAGE006
, when
Figure 521732DEST_PATH_IMAGE008
the access type of the corresponding network access event is crossing the security device, and when
Figure 684860DEST_PATH_IMAGE009
the access type of the corresponding network access event is not crossing the security device;
summarizing the network event subgraphs in order to generate the network event subgraph sequence
Figure 290416DEST_PATH_IMAGE010
where
Figure 601312DEST_PATH_IMAGE011
is the number of network event subgraphs.
Optionally, the construction of the classification model includes:
collecting network access events in a training stage and mapping them onto the topological graph to form a network event graph;
dividing the network event graph and generating a network event subgraph sequence;
adding labels to the network event subgraph sequence to generate a training data set; the training data set is:
Figure 199784DEST_PATH_IMAGE012
where
Figure 217418DEST_PATH_IMAGE013
is the label of the network event subgraph
Figure 571039DEST_PATH_IMAGE015
, being either normal access or abnormal access;
and inputting the training data set into an improved Graphormer network for training to obtain a classification model.
Optionally, the improved Graphormer network comprises:
using the encoder-decoder structure of the Graphormer network with only the encoder, the decoder module being cut off; improving, in the self-attention calculation of the encoder, the centrality encoding and the spatial encoding introduced by the Graphormer network; and adding an MLP layer at the output of the encoder;
the embedding of the centrality encoding is represented as:
Figure 41335DEST_PATH_IMAGE016
where
Figure 505814DEST_PATH_IMAGE017
is, at the
Figure 361643DEST_PATH_IMAGE018
-th iteration, in the network event subgraph
Figure 89428DEST_PATH_IMAGE001
, the centrality encoding value of node
Figure 109337DEST_PATH_IMAGE019
, and
Figure 49611DEST_PATH_IMAGE020
is, at the
Figure 838575DEST_PATH_IMAGE021
-th iteration, in the network event subgraph
Figure 471682DEST_PATH_IMAGE022
, the centrality encoding value of node
Figure 713307DEST_PATH_IMAGE023
;
the embedding of the spatial encoding is represented as:
Figure 470654DEST_PATH_IMAGE024
Figure 317388DEST_PATH_IMAGE025
where
Figure 918133DEST_PATH_IMAGE026
is, in the network event subgraph
Figure 850317DEST_PATH_IMAGE001
, the centrality encoding value of node
Figure 194711DEST_PATH_IMAGE027
,
Figure 161530DEST_PATH_IMAGE028
is a parameter matrix of the Graphormer network,
Figure 120128DEST_PATH_IMAGE029
is a dimension parameter,
Figure 601924DEST_PATH_IMAGE030
is a learnable weight matrix obtained through
Figure 687692DEST_PATH_IMAGE031
,
Figure 305755DEST_PATH_IMAGE032
is, in the network event subgraph
Figure 451566DEST_PATH_IMAGE001
, the spatial relationship between the nodes
Figure 155080DEST_PATH_IMAGE033
,
Figure 44538DEST_PATH_IMAGE034
is, in the network event subgraph
Figure 471103DEST_PATH_IMAGE022
, the spatial relationship between the nodes
Figure 584552DEST_PATH_IMAGE035
,
Figure 713045DEST_PATH_IMAGE036
is the spatial relationship between, in the network event subgraph
Figure 202932DEST_PATH_IMAGE022
, the node
Figure 733271DEST_PATH_IMAGE023
and, in the network event subgraph
Figure 283201DEST_PATH_IMAGE001
, the node
Figure 164569DEST_PATH_IMAGE037
, and
Figure 379519DEST_PATH_IMAGE038
is the spatial relationship between, in the network event subgraph
Figure 826681DEST_PATH_IMAGE001
, the node
Figure 485195DEST_PATH_IMAGE019
and, in the network event subgraph
Figure 650597DEST_PATH_IMAGE022
, the node
Figure 419970DEST_PATH_IMAGE039
.
Optionally, the generating of the corresponding security policy and tracing result according to the classification result of the network event subgraph includes:
if the classification result of the network event subgraph
Figure 721638DEST_PATH_IMAGE001
is abnormal access, searching the network event subgraph
Figure 816633DEST_PATH_IMAGE001
for the newly added edges that cross the security device and judging them as abnormal edges;
searching for the security device crossed by the abnormal edges, and generating a security policy for that security device;
searching the network event subgraphs adjacent to the network event subgraph
Figure 148958DEST_PATH_IMAGE001
, namely
Figure 518759DEST_PATH_IMAGE022
Figure 878197DEST_PATH_IMAGE040
, and taking the nodes and edges that have temporal precedence and a spatial-relationship correlation with the abnormal edges as the tracing result;
the security policy of the security device crossed by the abnormal edge is generated as follows:
during combat, the IP accessing the security device is blocked;
outside combat, the port or URL corresponding to the IP accessing the security device is blocked.
In a second aspect, the present invention provides a system for generating a network security linkage response combat chart, comprising:
the topological graph module is used for constructing a topological graph containing network defense information according to the service system;
the network event graph module is used for acquiring network access events in a detection stage and mapping the network access events to the topological graph to form a network event graph;
the network event subgraph module is used for dividing the network event graph and generating a network event subgraph sequence;
the classification module is used for inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
the processing module is used for generating a corresponding security strategy and a tracing result according to the classification result of the network event subgraph;
and the operation diagram module is used for generating a network security linkage response operation diagram according to the security strategy and the source tracing result.
In a third aspect, the invention provides a network security linkage response combat chart generation device, which comprises a processor and a storage medium;
the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps according to the above-described method.
In a fourth aspect, the invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method described above.
Compared with the prior art, the invention has the following beneficial effects:
according to the method, system, device and medium for generating the network security linkage response combat map, a topological graph containing network defense information is constructed in the training stage, the collected network access events are mapped onto the topological graph to form a network event graph, the network event graph is then divided into a network security event subgraph sequence, and that sequence is fed to an improved Graphormer algorithm for model training to obtain a classification model. In the detection stage, the network security event subgraphs of the real system are input into the classification model in order and classified; once an anomaly is found, the abnormal edges in the abnormal subgraph are located, the security device crossed by the abnormal edges is found, and a policy capable of blocking the access is generated; further, the associated access behaviours in the event sequence are found to form an event tracing graph, helping security personnel further analyse the impact of the security event and providing effective support for security response decisions.
Drawings
Fig. 1 is a flowchart of a method for generating a network security linkage response combat chart according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
The first embodiment is as follows:
as shown in fig. 1, an embodiment of the present invention provides a method for generating a network security linkage response combat map, including the following steps:
1. constructing a topological graph containing network defense information according to a service system;
the network defense information comprises security devices which are connected in series in the network, wherein the security devices comprise a firewall, a gateway and the like.
2. Collecting network access events in a detection stage and mapping the network access events to a topological graph to form a network event graph; the process comprises the following steps:
2.1, collecting network access events, and describing each collected network access event by an access source node, a destination resource node and an access type, where the access type is either crossing the security device or not crossing the security device;
2.2, if the access source node or the destination resource node of the network access event does not exist in the topological graph, adding it to the topological graph;
2.3, if both the access source node and the destination resource node of the network access event exist in the topological graph, judging from the access type whether the access crosses the security device; if it does not, adding an edge from the access source node to the destination resource node; if it does, adding an edge from the access source node to the security device and an edge from the security device to the destination resource node.
3. Dividing the network event graph and generating a network event sub-graph sequence; the specific process comprises the following steps:
3.1, traversing the network access events; if the access type of a network access event is crossing the security device, generating a network event subgraph
Figure 940831DEST_PATH_IMAGE001
Figure 752929DEST_PATH_IMAGE002
Figure 192000DEST_PATH_IMAGE003
where
Figure 671523DEST_PATH_IMAGE004
is the node set,
Figure 92009DEST_PATH_IMAGE005
is the edge set, and
Figure 453720DEST_PATH_IMAGE006
is, in the network event subgraph
Figure 103008DEST_PATH_IMAGE001
, the
Figure 499354DEST_PATH_IMAGE007
-th edge; for the edge
Figure 841473DEST_PATH_IMAGE006
, when
Figure 893743DEST_PATH_IMAGE008
the access type of the corresponding network access event is crossing the security device, and when
Figure 409038DEST_PATH_IMAGE009
the access type of the corresponding network access event is not crossing the security device;
3.2, summarizing the network event subgraphs in order to generate the network event subgraph sequence
Figure 348306DEST_PATH_IMAGE010
where
Figure 923644DEST_PATH_IMAGE011
is the number of network event subgraphs.
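Steps 2.1 to 3.2 above, as an added worked example in Python; this is editorial code, not code from the patent or from Nari Information and Communication Technology Co. The page does not say exactly what each network event subgraph contains, so the example assumes that each subgraph is the snapshot of the event graph after one crossing access event and that each edge carries a flag (1 = crosses a security device, 0 = does not); the class and function names (`AccessEvent`, `EventGraph`, `build_subgraph_sequence`) and the sample hosts, firewall and source addresses are all constructed for the example.

```python
# Added example: steps 2.1-2.3 and 3.1-3.2 of the first embodiment.
# Assumptions (not stated on the page): each network event subgraph is the
# snapshot of the event graph after one crossing access event, and every edge
# carries a flag, 1 = crosses a security device, 0 = does not.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str]


@dataclass(frozen=True)
class AccessEvent:
    src: str                       # access source node
    dst: str                       # destination resource node
    crosses: bool                  # access type: crosses a security device?
    device: Optional[str] = None   # the security device crossed, if any


class EventGraph:
    """Topological graph (step 1) that grows into the network event graph (step 2)."""

    def __init__(self, service_nodes: List[str], security_devices: List[str]):
        self.devices = set(security_devices)          # firewall, gateway, ...
        self.nodes = set(service_nodes) | self.devices
        self.edges: Dict[Edge, int] = {}              # edge -> crossing flag

    def add_event(self, ev: AccessEvent) -> List[Edge]:
        # 2.2: a source or destination missing from the topology is added to it
        self.nodes.add(ev.src)
        self.nodes.add(ev.dst)
        # 2.3: a non-crossing access is one edge src->dst; a crossing access is
        # split into src->device and device->dst so the device sits on the path
        if ev.crosses:
            if ev.device not in self.devices:
                raise ValueError(f"event crosses unknown security device {ev.device!r}")
            added = [(ev.src, ev.device), (ev.device, ev.dst)]
            flag = 1
        else:
            added = [(ev.src, ev.dst)]
            flag = 0
        for e in added:
            self.edges[e] = flag
        return added

    def snapshot(self) -> dict:
        return {"V": frozenset(self.nodes), "E": dict(self.edges)}


def build_subgraph_sequence(service_nodes, security_devices, events) -> List[dict]:
    """3.1: one subgraph per crossing event; 3.2: collect them in order (G_1..G_n)."""
    graph = EventGraph(service_nodes, security_devices)
    sequence = []
    for ev in events:
        added = graph.add_event(ev)
        if ev.crosses:
            sub = graph.snapshot()
            sub["added"] = added    # the newly added edges, needed by step 5.1
            sequence.append(sub)
    return sequence


# Constructed sample input (not from the page): two hosts behind one firewall.
SERVICE_NODES = ["web01", "db01"]
SECURITY_DEVICES = ["fw01"]
EVENTS = [
    AccessEvent("web01", "db01", crosses=False),
    AccessEvent("10.0.0.5", "web01", crosses=True, device="fw01"),
    AccessEvent("10.0.0.5", "db01", crosses=True, device="fw01"),
]

if __name__ == "__main__":
    seq = build_subgraph_sequence(SERVICE_NODES, SECURITY_DEVICES, EVENTS)
    for i, sub in enumerate(seq, 1):
        print(f"G_{i}: |V|={len(sub['V'])} |E|={len(sub['E'])} added={sub['added']}")
```

The non-crossing event produces no subgraph, so the three sample events yield a two-element sequence; the second crossing event reuses the existing `10.0.0.5 -> fw01` edge and adds only `fw01 -> db01`, which is why the edge dictionary is keyed by edge rather than appended to.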
4. Inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
the construction of the classification model comprises the following steps:
(1) Collecting network access events in a training stage and mapping the network access events to a topological graph to form a network event graph;
(2) Dividing the network event graph and generating a network event subgraph sequence;
(3) Adding labels to the network event subgraph sequence to generate a training data set; the training data set is:
Figure 197631DEST_PATH_IMAGE012
where
Figure 516617DEST_PATH_IMAGE013
is the label of the network event subgraph
Figure 559659DEST_PATH_IMAGE015
, being either normal access or abnormal access;
(4) And inputting the training data set into an improved Graphormer network for training to obtain a classification model.
Wherein the improved Graphormer network comprises:
using the encoder-decoder structure of the Graphormer network with only the encoder, the decoder module being cut off; improving, in the self-attention calculation of the encoder, the centrality encoding and the spatial encoding introduced by the Graphormer network; and adding an MLP layer at the output of the encoder;
the embedding of the centrality encoding is represented as:
Figure 509160DEST_PATH_IMAGE016
where
Figure 67181DEST_PATH_IMAGE017
is, at the
Figure 376808DEST_PATH_IMAGE018
-th iteration, in the network event subgraph
Figure 336674DEST_PATH_IMAGE001
, the centrality encoding value of node
Figure 191497DEST_PATH_IMAGE019
, and
Figure 502393DEST_PATH_IMAGE020
is, at the
Figure 100865DEST_PATH_IMAGE021
-th iteration, in the network event subgraph
Figure 118499DEST_PATH_IMAGE022
, the centrality encoding value of node
Figure 472120DEST_PATH_IMAGE023
; if the network event subgraph
Figure 690219DEST_PATH_IMAGE022
does not contain the node
Figure 889119DEST_PATH_IMAGE023
, then
Figure 761260DEST_PATH_IMAGE041
the embedding of the spatial encoding is represented as:
Figure 489044DEST_PATH_IMAGE042
Figure 243374DEST_PATH_IMAGE025
where
Figure 449227DEST_PATH_IMAGE026
is, in the network event subgraph
Figure 238192DEST_PATH_IMAGE001
, the centrality encoding value of node
Figure 854987DEST_PATH_IMAGE027
,
Figure 362191DEST_PATH_IMAGE028
is a parameter matrix of the Graphormer network,
Figure 371736DEST_PATH_IMAGE030
is a learnable weight matrix obtained through
Figure 952890DEST_PATH_IMAGE031
,
Figure 819214DEST_PATH_IMAGE032
is, in the network event subgraph
Figure 485819DEST_PATH_IMAGE001
, the spatial relationship between the nodes
Figure 95792DEST_PATH_IMAGE033
,
Figure 813343DEST_PATH_IMAGE034
is, in the network event subgraph
Figure 522673DEST_PATH_IMAGE022
, the spatial relationship between the nodes
Figure 4470DEST_PATH_IMAGE035
,
Figure 355817DEST_PATH_IMAGE036
is the spatial relationship between, in the network event subgraph
Figure 911564DEST_PATH_IMAGE022
, the node
Figure 306642DEST_PATH_IMAGE023
and, in the network event subgraph
Figure 213418DEST_PATH_IMAGE001
, the node
Figure 165193DEST_PATH_IMAGE037
, and
Figure 575446DEST_PATH_IMAGE038
is the spatial relationship between, in the network event subgraph
Figure 954475DEST_PATH_IMAGE001
, the node
Figure 348547DEST_PATH_IMAGE019
and, in the network event subgraph
Figure 529779DEST_PATH_IMAGE022
, the node
Figure 122435DEST_PATH_IMAGE039
; if two nodes are not connected, the corresponding spatial relationship
Figure 610048DEST_PATH_IMAGE043
takes the value -1.
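The two encodings the improved encoder consumes, as an added worked example in Python that is not the patent's or the applicant's code. The page does not reproduce its formulas, so the example assumes the definitions of the original Graphormer (centrality from in-degree and out-degree, spatial relationship as the shortest-path hop count) and applies the two rules the page does state: an unconnected node pair gets the value -1, and a node absent from the previous subgraph is handled by a default (here a configurable `missing` value, an assumption). The function names and the sample subgraphs `G1` and `G2` are constructed for the example.

```python
# Added example: inputs of the centrality encoding and the spatial encoding
# for consecutive network event subgraphs G_{i-1} and G_i. Assumptions: the
# Graphormer definitions (degree-based centrality, shortest-path spatial
# relationship); the page's rules: -1 for unconnected pairs, and a default
# for a node that the previous subgraph does not contain.
from collections import deque
from typing import Dict, Iterable, Tuple

Edge = Tuple[str, str]


def degree_centrality(nodes: Iterable[str], edges: Iterable[Edge]) -> Dict[str, Tuple[int, int]]:
    """(in-degree, out-degree) for every node of one network event subgraph."""
    indeg = {v: 0 for v in nodes}
    outdeg = {v: 0 for v in nodes}
    for u, w in edges:
        outdeg[u] += 1
        indeg[w] += 1
    return {v: (indeg[v], outdeg[v]) for v in indeg}


def spatial_relation(nodes: Iterable[str], edges: Iterable[Edge]) -> Dict[Edge, int]:
    """Directed shortest-path hop count for every ordered node pair, by BFS;
    -1 when the destination is not reachable (the page's rule for unconnected nodes)."""
    adj = {v: [] for v in nodes}
    for u, w in edges:
        adj[u].append(w)
    dist: Dict[Edge, int] = {}
    for s in adj:
        seen = {s: 0}
        queue = deque([s])
        while queue:
            x = queue.popleft()
            for y in adj[x]:
                if y not in seen:
                    seen[y] = seen[x] + 1
                    queue.append(y)
        for t in adj:
            dist[(s, t)] = seen.get(t, -1)
    return dist


def centrality_change(cur: dict, prev: dict, missing: Tuple[int, int] = (0, 0)) -> Dict[str, Tuple[int, int]]:
    """Per-node centrality change between G_i (cur) and G_{i-1} (prev).
    A node absent from G_{i-1} is compared against `missing` (assumed default);
    prev=None means there is no earlier subgraph."""
    c_cur = degree_centrality(cur["V"], cur["E"])
    c_prev = degree_centrality(prev["V"], prev["E"]) if prev else {}
    out = {}
    for v, (i, o) in c_cur.items():
        pi, po = c_prev.get(v, missing)
        out[v] = (i - pi, o - po)
    return out


# Constructed sample subgraphs (not from the page): G2 extends G1 with a
# crossing access from the firewall to a host that G1 does not contain.
G1 = {"V": {"web01", "db01", "fw01", "10.0.0.5"},
      "E": [("web01", "db01"), ("10.0.0.5", "fw01"), ("fw01", "web01")]}
G2 = {"V": G1["V"] | {"app01"}, "E": G1["E"] + [("fw01", "app01")]}

if __name__ == "__main__":
    print(degree_centrality(G1["V"], G1["E"]))
    print({p: d for p, d in spatial_relation(G1["V"], G1["E"]).items() if d > 0})
    print(centrality_change(G2, G1))
```

In the sample, `10.0.0.5` reaches `db01` only through the firewall and `web01` (three hops), while `db01` has no outgoing edge, so every pair starting at `db01` is -1; the new host `app01` shows the missing-node rule in `centrality_change`.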
5. Generating a corresponding security policy and a tracing result according to the classification result of the network event subgraph; the specific steps are:
5.1, if the classification result of the network event subgraph
Figure 22575DEST_PATH_IMAGE001
is abnormal access, searching the network event subgraph
Figure 519415DEST_PATH_IMAGE001
for the newly added edges that cross the security device and judging them as abnormal edges;
5.2, searching for the security device crossed by the abnormal edges, and generating a security policy for that security device;
5.3, searching the network event subgraphs adjacent to the network event subgraph
Figure 904260DEST_PATH_IMAGE001
, namely
Figure 77621DEST_PATH_IMAGE022
Figure 243023DEST_PATH_IMAGE040
, and taking the nodes and edges that have temporal precedence and a spatial-relationship correlation with the abnormal edges as the tracing result;
the security policy of the security device crossed by the abnormal edge is generated as follows:
during combat, the IP accessing the security device is blocked;
outside combat, the port or URL corresponding to the IP accessing the security device is blocked;
6. generating the network security linkage response combat map according to the security policy and the tracing result.
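Steps 5.1 to 6, as an added worked example in Python over a constructed subgraph sequence and constructed classification results; this is editorial code, not the patent's or the applicant's. It assumes the subgraph layout of the earlier example (a node set `V`, an edge-to-flag dictionary `E`, and the `added` edges of the event that produced the subgraph), reads "spatial-relationship correlation" as sharing a node with an abnormal edge, and represents the combat map as the per-subgraph record that `respond` returns; the `Policy` class, the function names, and the sample port `tcp/3306` are assumptions made for the example.

```python
# Added example: step 5 (abnormal edges, blocking policy, tracing) and the
# per-event record that feeds the combat map of step 6. Assumptions: subgraphs
# are dicts with "V", "E" (edge -> crossing flag) and "added" (edges added by
# the event that produced the subgraph); correlation with an abnormal edge
# means sharing a node with it; the port value is a constructed sample.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]


@dataclass(frozen=True)
class Policy:
    device: str   # security device that must enforce the rule
    action: str   # "block_ip" during combat, "block_port_or_url" otherwise
    target: str


def find_abnormal_edges(sub: dict, devices: Set[str]) -> List[Edge]:
    """5.1: newly added edges of an abnormal subgraph that cross a security device."""
    return [e for e in sub["added"]
            if sub["E"].get(e) == 1 and (e[0] in devices or e[1] in devices)]


def generate_policies(abnormal: List[Edge], devices: Set[str],
                      combat: bool, port_or_url: str) -> List[Policy]:
    """5.2: locate the crossed device and emit its blocking rule. Only the
    src->device half of a crossing access names the accessing IP."""
    policies = []
    for u, v in abnormal:
        if v not in devices:
            continue
        if combat:
            policies.append(Policy(v, "block_ip", u))
        else:
            policies.append(Policy(v, "block_port_or_url", f"{u} {port_or_url}"))
    return policies


def trace(seq: List[dict], i: int, abnormal: List[Edge]) -> Dict[str, object]:
    """5.3: from the adjacent subgraphs G_{i-1} (earlier) and G_{i+1} (later),
    collect the nodes and edges that share a node with an abnormal edge."""
    touched = {n for e in abnormal for n in e}
    nodes: Set[str] = set()
    edges: List[Tuple[str, str, str]] = []
    for j, order in ((i - 1, "before"), (i + 1, "after")):
        if 0 <= j < len(seq):
            for u, v in seq[j]["E"]:
                if u in touched or v in touched:
                    edges.append((order, u, v))
                    nodes.update((u, v))
    return {"nodes": nodes, "edges": edges}


def respond(seq: List[dict], labels: List[int], devices: Set[str],
            combat: bool, port_or_url: str = "tcp/3306") -> List[dict]:
    """Steps 5-6 for every subgraph classified as abnormal access (label 1)."""
    out = []
    for i, (sub, label) in enumerate(zip(seq, labels)):
        if label != 1:
            continue
        abnormal = find_abnormal_edges(sub, devices)
        out.append({
            "index": i,
            "abnormal_edges": abnormal,
            "policies": generate_policies(abnormal, devices, combat, port_or_url),
            "trace": trace(seq, i, abnormal),
        })
    return out


# Constructed sample sequence and labels (not from the page).
DEVICES = {"fw01"}
_BASE = {("web01", "db01"): 0, ("10.0.0.5", "fw01"): 1, ("fw01", "web01"): 1}
_V = frozenset({"web01", "db01", "fw01", "10.0.0.5"})
SEQ = [
    {"V": _V, "E": dict(_BASE),
     "added": [("10.0.0.5", "fw01"), ("fw01", "web01")]},
    {"V": _V, "E": {**_BASE, ("fw01", "db01"): 1},
     "added": [("10.0.0.5", "fw01"), ("fw01", "db01")]},
    {"V": _V | {"10.0.0.9"}, "E": {**_BASE, ("fw01", "db01"): 1, ("10.0.0.9", "fw01"): 1},
     "added": [("10.0.0.9", "fw01"), ("fw01", "web01")]},
]
LABELS = [0, 1, 0]   # only the second subgraph is classified as abnormal access

if __name__ == "__main__":
    for record in respond(SEQ, LABELS, DEVICES, combat=True):
        print(record)
```

Only the `src -> device` half of a split access carries the accessing IP, so the `device -> dst` half contributes to the trace but not to the policy; the trace keeps the `before`/`after` tag so the combat map can show which related accesses preceded and which followed the abnormal one.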
Example two:
the embodiment of the invention provides a network security linkage response combat map generation system, which comprises:
the topological graph module is used for constructing a topological graph containing network defense information according to the service system;
the network event graph module is used for acquiring network access events in a detection stage and mapping the network access events to the topological graph to form a network event graph;
the network event subgraph module is used for dividing the network event graph and generating a network event subgraph sequence;
the classification module is used for inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraph;
the processing module is used for generating a corresponding security strategy and a tracing result according to the classification result of the network event subgraph;
and the operation diagram module is used for generating a network security linkage response operation diagram according to the security strategy and the source tracing result.
Example three:
based on the first embodiment, the embodiment of the invention provides a network security linkage response combat map generation device, which comprises a processor and a storage medium;
a storage medium to store instructions;
the processor is configured to operate in accordance with instructions to perform steps in accordance with the above-described method.
Example four:
according to a first embodiment, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the method.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (8)

1. A network security linkage response combat map generation method, characterized by comprising the following steps:
constructing a topological graph containing network defense information according to a service system; the network defense information comprises security devices connected in series in the network, the security devices comprising a firewall and a gateway;
collecting network access events in a detection stage and mapping the network access events onto the topological graph to form a network event graph;
dividing the network event graph and generating a network event subgraph sequence;
inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraphs;
generating a corresponding security policy and a tracing result according to the classification result of the network event subgraphs;
generating a network security linkage response combat map according to the security policy and the tracing result;
wherein collecting the network access events in the detection stage and mapping them onto the topological graph to form the network event graph comprises the following steps:
collecting a network access event and describing the collected network access event by an access source node, a destination resource node and an access type, the access type being either crossing a security device or not crossing a security device;
if the access source node or the destination resource node corresponding to the network access event does not exist in the topological graph, adding the access source node or the destination resource node to the topological graph;
if the access source node and the destination resource node corresponding to the network access event exist in the topological graph, judging from the access type whether a security device is crossed; if not, adding an edge from the access source node to the destination resource node; if a security device is crossed, adding an edge from the access source node to the security device and an edge from the security device to the destination resource node.
2. The method for generating the network security linkage response combat map according to claim 1, wherein dividing the network event graph and generating the network event subgraph sequence comprises the following steps:
traversing the network access events; if the access type of a network access event is crossing the security device, generating a network event subgraph [formula]: [formula], where [symbol] is the node set, [symbol] is the edge set, and [symbol] is the [symbol]-th edge of network event subgraph [symbol]; for an edge [symbol], when [condition] holds, the access type of the corresponding network access event is crossing the security device; when [condition] holds, the access type of the corresponding network access event is not crossing the security device;
summarizing the network event subgraphs in sequence to generate a network event subgraph sequence [formula], where [symbol] is the number of network event subgraphs.
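Added example, not code from the patent: the event-graph construction of claim 1 and the subgraph partitioning of claim 2 in Python. The event format and the exact contents of a crossing event's subgraph are not fixed by the claims and are assumed as stated in the module docstring.

```python
"""Added example, not code from the patent: the network event graph of claim 1
and the network event subgraph sequence of claim 2. Assumed (the patent does
not fix it): an event is a dict with "src", "dst", "device" (None when no
security device is crossed); a crossing event's subgraph holds its two edges
plus the non-crossing edges touching its source or destination node."""


class EventGraph:
    """Topology graph with mapped access events; edges maps (u, v) to True
    when the edge was added for an access that crossed a security device."""

    def __init__(self, service_nodes, security_devices):
        self.nodes = set(service_nodes) | set(security_devices)
        self.edges = {}

    def add_edge(self, u, v, crossing):
        self.nodes.update((u, v))
        self.edges[(u, v)] = crossing

    def map_events(self, events):
        """Claim 1: add missing nodes, then an edge src->dst for a direct
        access, or src->device and device->dst when a device was crossed."""
        for ev in events:
            src, dst, dev = ev["src"], ev["dst"], ev["device"]
            self.nodes.update((src, dst))  # nodes absent from the topology
            if dev is None:
                self.add_edge(src, dst, crossing=False)
            else:
                self.add_edge(src, dev, crossing=True)
                self.add_edge(dev, dst, crossing=True)
        return self

    def subgraph_sequence(self, events):
        """Claim 2: one subgraph (node set, edge dict) per device-crossing
        event, in traversal order; len(result) is the subgraph count."""
        seq = []
        for ev in events:
            if ev["device"] is None:
                continue
            src, dst, dev = ev["src"], ev["dst"], ev["device"]
            edges = {(src, dev): True, (dev, dst): True}
            for (u, v), crossing in self.edges.items():
                if not crossing and {u, v} & {src, dst}:  # context edges
                    edges[(u, v)] = False
            seq.append(({n for e in edges for n in e}, edges))
        return seq


# Constructed sample: one direct access, two accesses through security devices.
SAMPLE_EVENTS = [
    {"src": "host-a", "dst": "app-server", "device": None},
    {"src": "host-b", "dst": "app-server", "device": "fw-1"},
    {"src": "host-c", "dst": "db-server", "device": "gw-1"},
]
```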
3. The method for generating the network security linkage response combat map according to claim 2, wherein the construction of the classification model comprises:
collecting network access events in a training stage and mapping the network access events onto the topological graph to form a network event graph;
dividing the network event graph and generating a network event subgraph sequence;
adding labels to the network event subgraph sequence to generate a training data set; the training data set is [formula], where [symbol] is the label of network event subgraph [symbol], the label being normal access or abnormal access;
inputting the training data set into an improved Graphormer network for training to obtain the classification model.
4. The method as claimed in claim 3, wherein the improved Graphormer network comprises:
adopting the encoder-decoder structure of the Graphormer network, using only the encoder and removing the decoder module; in the self-attention computation of the encoder, improving the centrality encoding and the spatial encoding introduced by the Graphormer network; adding an MLP layer at the output of the encoder;
the embedding of the centrality encoding is expressed as [formula], where [symbol] is the centrality encoding value of node [symbol] in network event subgraph [symbol] at the [symbol]-th iteration, and [symbol] is the centrality encoding value of node [symbol] in network event subgraph [symbol] at the [symbol]-th iteration;
the embedding of the spatial encoding is expressed as [formula], where [symbol] is the centrality encoding value of node [symbol] in network event subgraph [symbol], [symbol] is a parameter matrix of the Graphormer network, [symbol] is a dimension parameter, [symbol] is a learnable weight matrix indexed by [symbol], [symbol] is the spatial relationship of node [symbol] in network event subgraph [symbol], [symbol] is the spatial relationship of node [symbol] in network event subgraph [symbol], [symbol] is the spatial relationship between node [symbol] in network event subgraph [symbol] and node [symbol] in network event subgraph [symbol], and [symbol] is the spatial relationship between the central node [symbol] of network event subgraph [symbol] and node [symbol] in network event subgraph [symbol].
5. The method for generating the network security linkage response combat map according to claim 4, wherein generating the corresponding security policy and tracing result according to the classification result of the network event subgraphs comprises the following steps:
if the classification result of network event subgraph [symbol] is abnormal access, searching network event subgraph [symbol] for the edges that were added for crossing the security device and judging them to be abnormal edges;
searching for the security device crossed by the abnormal edge, and generating a security policy for the security device crossed by the abnormal edge;
searching for the network event subgraphs [symbol], [symbol] adjacent to network event subgraph [symbol], and taking the nodes and edges that have temporal precedence and spatial relationship correlation with the abnormal edge as the tracing result;
wherein generating the security policy for the security device crossed by the abnormal edge comprises the following steps:
in combat mode, blocking the IP that accesses the security device;
when not in combat mode, blocking the Port or URL corresponding to the IP that accesses the security device.
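Added example, not the patent's own code: the response step of claim 5 in Python (abnormal edges, the combat versus non-combat security policy, and tracing through the adjacent subgraphs). The subgraph format, the reading of "spatial correlation" as sharing a node, and the IP-to-Port/URL lookup are assumptions stated in the module docstring.

```python
"""Added example, not code from the patent: the response step of claim 5.
Assumed (not fixed by the patent): a subgraph is (nodes, edges) with edges
mapping (u, v) to True when the edge was added for a device crossing; the
sequence is in time order, so adjacent subgraphs are its temporal neighbours;
spatial correlation means sharing a node with an abnormal edge; the accessing
IP is the source node of the src->device edge."""


def abnormal_edges(subgraph):
    """Edges of an abnormal subgraph that were added for a device crossing."""
    _nodes, edges = subgraph
    return [e for e, crossing in edges.items() if crossing]


def security_policies(subgraph, devices, combat, port_url_of):
    """Claim 5: in combat mode block the IP accessing the crossed device;
    otherwise block only that IP's Port/URL (port_url_of maps IP -> Port/URL).
    Returns (device, action, target) tuples."""
    policies = []
    for u, v in abnormal_edges(subgraph):
        if v in devices:  # src -> device edge, so u is the accessing IP
            if combat:
                policies.append((v, "block_ip", u))
            else:
                policies.append((v, "block_port_url", port_url_of[u]))
    return policies


def trace(sequence, idx):
    """Claim 5 tracing: nodes and edges of the adjacent subgraphs that share
    a node with the abnormal edges of subgraph idx."""
    bad_nodes = {n for e in abnormal_edges(sequence[idx]) for n in e}
    nodes, edges = set(), set()
    for j in (idx - 1, idx + 1):
        if 0 <= j < len(sequence):
            for u, v in sequence[j][1]:
                if {u, v} & bad_nodes:
                    nodes.update((u, v))
                    edges.add((u, v))
    return {"nodes": nodes, "edges": edges}


# Constructed sample: 10.0.0.5 reaches app-server directly, then crosses fw-1.
DEVICES = {"fw-1", "gw-1"}
PORT_URL = {"10.0.0.5": "tcp/3306"}
SEQUENCE = [
    ({"10.0.0.5", "app-server"}, {("10.0.0.5", "app-server"): False}),
    ({"10.0.0.5", "fw-1", "db-server"},
     {("10.0.0.5", "fw-1"): True, ("fw-1", "db-server"): True}),
    ({"10.0.0.9", "gw-1", "web-server"},
     {("10.0.0.9", "gw-1"): True, ("gw-1", "web-server"): True}),
]
```

With the second subgraph classified as abnormal access, the combat-mode policy blocks 10.0.0.5 at fw-1, the non-combat policy blocks only tcp/3306, and tracing returns the earlier direct access from the same source.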
6. A network security linkage response combat map generation system, characterized by comprising:
a topological graph module for constructing a topological graph containing network defense information according to a service system; the network defense information comprises security devices connected in series in the network, the security devices comprising a firewall and a gateway;
a network event graph module for collecting network access events in a detection stage and mapping the network access events onto the topological graph to form a network event graph; wherein collecting the network access events in the detection stage and mapping them onto the topological graph to form the network event graph comprises the following steps: collecting a network access event and describing the collected network access event by an access source node, a destination resource node and an access type, the access type being either crossing a security device or not crossing a security device; if the access source node or the destination resource node corresponding to the network access event does not exist in the topological graph, adding the access source node or the destination resource node to the topological graph; if the access source node and the destination resource node corresponding to the network access event exist in the topological graph, judging from the access type whether a security device is crossed; if not, adding an edge from the access source node to the destination resource node; if a security device is crossed, adding an edge from the access source node to the security device and an edge from the security device to the destination resource node;
a network event subgraph module for dividing the network event graph and generating a network event subgraph sequence;
a classification module for inputting the network event subgraph sequence into a pre-constructed classification model to classify the network event subgraphs;
a processing module for generating a corresponding security policy and a tracing result according to the classification result of the network event subgraphs;
and a combat map module for generating a network security linkage response combat map according to the security policy and the tracing result.
7. A network security linkage response combat map generation system is characterized by comprising a processor and a storage medium;
the storage medium is used for storing instructions;
the processor is configured to operate in accordance with the instructions to perform the steps of the method according to any one of claims 1 to 5.
8. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the method according to any one of claims 1 to 5.
CN202211436979.8A 2022-11-16 2022-11-16 Network security linkage response combat map generation method, system, device and medium Active CN115622796B (en)

Publications (2)

Publication Number Publication Date
CN115622796A CN115622796A (en) 2023-01-17
CN115622796B true CN115622796B (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant