CN116980202B - Network security operation and maintenance monitoring method and system - Google Patents
- Publication number: CN116980202B
- Application number: CN202310933402.6A
- Authority: CN (China)
- Prior art keywords: fitting, data, state data, function, risk
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The invention is applicable to the technical field of network security, and particularly relates to a network security operation and maintenance monitoring method and system, wherein the method comprises the following steps: sending information acquisition instructions to each computer device according to preset time intervals, and acquiring network transmission state monitoring data; dividing the device hardware operational status data into a plurality of types of accessory status data; constructing a state data curve, and performing curve fitting to obtain a fitting function; and carrying out risk prediction based on the fitting function, carrying out feature extraction based on the fitting function obtained by fitting, and carrying out safety recognition according to the extracted features to obtain a recognition result. The method and the device detect the computer equipment in the local area network through the gateway, and can acquire the running states of the computer equipment in real time, so that the state of the computer equipment is monitored through the outside, whether the equipment is in a normal working state is judged according to the running states of the computer equipment, and the problem that the computer equipment cannot be self-checked when abnormal occurs is avoided.
Description
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network security operation and maintenance monitoring method and system.
Background
Network security generally refers to the security of a computer network, and in practice may also refer to the security of a computer communication network. A computer communication network is a system that interconnects a plurality of computers with independent functions through communication equipment and transmission media, and realizes information transmission and exchange among those computers with the support of communication software. A computer network is a system in which a plurality of independent computer systems, terminal devices and data devices distributed over a region are connected by communication means for the purpose of sharing resources, with data exchange performed under the control of a protocol. The fundamental purpose of a computer network is resource sharing.
In the current network security operation and maintenance process, risk detection can only be carried out through the computer equipment, when the risk occurs in the computer equipment, the capability of risk detection is lost, and risk propagation is easy to cause.
Disclosure of Invention
The embodiment of the invention aims to provide a network security operation and maintenance monitoring method, which aims to solve the problems that in the current network security operation and maintenance process, risk detection can only be carried out through computer equipment, and when the computer equipment is at risk, the capability of risk detection is lost, and risk propagation is easy to cause.
The embodiment of the invention is realized in such a way that a network security operation and maintenance monitoring method comprises the following steps:
sending information acquisition instructions to each computer device according to preset time intervals, and acquiring network transmission state monitoring data;
receiving equipment hardware running state data based on the information acquisition instruction, and dividing the equipment hardware running state data into a plurality of types of accessory state data;
constructing a corresponding state data curve based on the accessory state data and the network transmission state monitoring data, and performing curve fitting to obtain a fitting function;
and carrying out risk prediction based on the fitting function, carrying out feature extraction based on the fitting function obtained by fitting, and carrying out safety recognition according to the extracted features to obtain a recognition result.
Preferably, the step of receiving the hardware running state data of the device based on the information collection instruction and dividing the hardware running state data of the device into a plurality of types of accessory state data specifically includes:
acquiring a local area network equipment list, and identifying the identity of each computer equipment based on the local area network equipment list to complete identity verification;
after the identity verification is completed, receiving device hardware running state data sent by each computer device;
the types of computer devices are counted, and the hardware running state data of the devices are divided into a plurality of types of accessory state data.
Preferably, the step of constructing a corresponding status data curve based on the accessory status data and the network transmission status monitoring data, and performing curve fitting to obtain a fitting function specifically includes:
extracting accessory state data and network transmission state monitoring data item by item, and converting the accessory state data and the network transmission state monitoring data into discrete point sets;
constructing a two-dimensional coordinate system, carrying out point tracing in the two-dimensional coordinate system based on a discrete point set, and completing curve fitting through smooth curve connection;
and extracting a plurality of coordinate points from the fitted curve according to a preset time interval, and performing function fitting based on the abscissa and the ordinate of the coordinate points to obtain a fitting function.
Preferably, the step of performing risk prediction based on the fitting function, performing feature extraction based on the fitting function obtained by fitting, and performing security recognition according to the extracted features to obtain a recognition result specifically includes:
carrying out data prediction based on the fitting function, and comparing the data prediction result with a safe operation interval to judge whether risk exists;
calling all fitting functions, extracting function features based on the fitting functions, and obtaining different types of function features;
and comparing the function characteristics with known risk items in the risk database according to a preset risk database, judging whether running risks exist or not, and identifying the risk type.
Preferably, the identification result includes at least the number of the computer device at which the risk occurs and the risk type of the computer device.
Preferably, the computer devices are all connected to a local area network and have no mobile communication function.
Another object of an embodiment of the present invention is to provide a network security operation and maintenance monitoring system, including:
the data acquisition module is used for sending information acquisition instructions to each computer device according to a preset time interval and acquiring network transmission state monitoring data;
the state data acquisition module is used for receiving the hardware operation state data of the equipment based on the information acquisition instruction and dividing the hardware operation state data of the equipment into a plurality of types of accessory state data;
the function fitting module is used for constructing a corresponding state data curve based on the accessory state data and the network transmission state monitoring data, and performing curve fitting to obtain a fitting function;
and the risk identification module is used for carrying out risk prediction based on the fitting function, carrying out feature extraction based on the fitting function obtained by fitting, and carrying out safety identification according to the extracted features to obtain an identification result.
Preferably, the status data acquisition module includes:
the identity verification unit is used for acquiring a local area network equipment list, identifying the identity of each computer equipment based on the local area network equipment list and completing identity verification;
the device state identification unit is used for receiving the device hardware running state data sent by each computer device after the identity verification is completed;
the data classification unit is used for counting the types of the computer equipment and dividing the equipment hardware running state data into a plurality of types of accessory state data.
Preferably, the function fitting module includes:
the data discrete unit is used for extracting accessory state data and network transmission state monitoring data item by item and converting the accessory state data and the network transmission state monitoring data into discrete point sets;
the curve fitting unit is used for constructing a two-dimensional coordinate system, carrying out point tracing in the two-dimensional coordinate system based on the discrete point set, and completing curve fitting through smooth curve connection;
and the coordinate fitting unit is used for extracting a plurality of coordinate points from the fitted curve according to a preset time interval, and performing function fitting based on the abscissa and the ordinate of the coordinate points to obtain a fitting function.
Preferably, the risk identification module includes:
the risk prediction unit is used for performing data prediction based on the fitting function, and comparing the data prediction result with the safe operation interval to judge whether risk exists;
the feature extraction unit is used for calling all fitting functions, extracting function features based on the fitting functions and obtaining different types of function features;
the risk judging unit is used for comparing the function characteristics with known risk items in the risk database according to a preset risk database, judging whether running risks exist or not and identifying risk types.
According to the network security operation and maintenance monitoring method provided by the embodiment of the invention, the gateway is used for detecting the computer equipment in the local area network, so that the running states of the computer equipment can be obtained in real time, the state of the computer equipment is monitored through the outside, whether the equipment is in a normal working state is judged according to the running states of the computer equipment, and the problem that the computer equipment cannot be self-checked when abnormal occurs is avoided.
Drawings
FIG. 1 is a flowchart of a network security operation and maintenance monitoring method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating steps for receiving hardware operation status data of a device based on an information acquisition instruction and dividing the hardware operation status data into a plurality of types of accessory status data according to an embodiment of the present invention;
FIG. 3 is a flowchart of the steps for constructing a corresponding status data curve based on accessory status data and network transmission status monitoring data, and performing curve fitting to obtain a fitting function according to an embodiment of the present invention;
FIG. 4 is a flowchart of the steps of performing risk prediction based on a fitting function, performing feature extraction based on the fitting function obtained by fitting, performing safety recognition according to the extracted features, and obtaining a recognition result, provided by the embodiment of the invention;
FIG. 5 is a schematic diagram of a network security operation and maintenance monitoring system according to an embodiment of the present invention;
FIG. 6 is a block diagram of a status data collection module according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a function fitting module according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a risk identification module according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
It will be understood that the terms "first," "second," and the like, as used herein, may be used to describe various elements, but these elements are not limited by these terms unless otherwise specified. These terms are only used to distinguish one element from another element. For example, a first xx script may be referred to as a second xx script, and similarly, a second xx script may be referred to as a first xx script, without departing from the scope of the present application.
As shown in fig. 1, a flowchart of a network security operation and maintenance monitoring method according to an embodiment of the present invention is provided, where the method includes:
S100, sending information acquisition instructions to each computer device according to preset time intervals, and acquiring network transmission state monitoring data.
In this step, an information acquisition instruction is sent to each computer device at a preset time interval. To monitor each computer device, an information acquisition module may be installed on each of them; through this module the running state of each computer device can be acquired in real time. The information acquisition instruction is sent through the gateway and records the time node at which information is to be acquired; the information acquisition module on each computer device then collects information at that time node, specifically the hardware running state of the computer device, such as CPU occupancy rate, hard disk occupancy rate, memory occupancy rate and graphics card occupancy rate. Network transmission state monitoring data are acquired as well: while each computer device runs, its data transmission passes through the gateway, where the transmission process can be monitored, for example data transmission speed, data packet size and data transmission delay.
S200, receiving equipment hardware running state data based on the information acquisition instruction, and dividing the equipment hardware running state data into a plurality of types of accessory state data.
In this step, device hardware running state data are received based on the information acquisition instruction. When the information acquisition module receives the instruction sent by the gateway, it starts collecting information on the computer device: following a preset acquisition order it collects the state data of each hardware component in turn, for example first the CPU state, then the hard disk state, then the memory state and finally the graphics card state, records the acquisition time, encapsulates the collected data and sends them to the gateway. The information acquisition instruction may be sent once or at a preset time interval. If it is sent once, it records an information acquisition time sequence listing the time nodes at which acquisition is to be performed repeatedly; if it is sent at a time interval, the information acquisition module performs one acquisition each time the acquisition time arrives. The device hardware running state data are then divided into several types of accessory state data.
S300, constructing a corresponding state data curve based on the accessory state data and the network transmission state monitoring data, and performing curve fitting to obtain a fitting function.
In this step, a corresponding state data curve is constructed based on the accessory state data and the network transmission state monitoring data. The data are classified by hardware type and network transmission parameter into CPU state data, hard disk state data, memory state data, graphics card state data, transmission speed state data, time delay state data and data transmission quantity data. All of them are acquired at intervals, so they are discrete data related to time. By constructing a two-dimensional coordinate system with time on the horizontal axis and the state data variable on the vertical axis, each type of state data can be represented as a curve: a scatter diagram is obtained, the scatter points are connected in time order by a smooth curve to obtain a fitted curve, and the fitting function corresponding to each fitted curve is then determined by function fitting.
S400, risk prediction is carried out based on the fitting function, feature extraction is carried out based on the fitting function obtained by fitting, safety recognition is carried out according to the extracted features, and a recognition result is obtained.
In this step, risk prediction is performed based on the fitting function. Since the fitting function is determined, the trend of the curve over a short time can be predicted from the trend of the fitting function: a future time is input as the independent variable and the output continues the fitted curve, so it can be determined whether each type of state data will become abnormal in the short term. A decision rule can be set for this; for example, if the predicted CPU occupancy rate is higher than 90%, a predicted risk is considered to exist. At the same time, since several fitting functions are obtained, parameters are extracted from them to obtain several function features, and these function features are compared with the features of known risks to determine whether the corresponding risk exists on the current computer device, which yields the recognition result.
As shown in fig. 2, as a preferred embodiment of the present invention, the step of receiving the hardware operation status data of the device based on the information collection instruction and dividing the hardware operation status data of the device into a plurality of types of accessory status data specifically includes:
S201, acquiring a local area network equipment list, and identifying the identity of each computer equipment based on the local area network equipment list to complete identity verification.
In this step, a local area network device list is obtained: all computer devices in the local area network are counted, the computer devices contained in the current local area network are determined, a number is assigned to each computer device, and identity verification is performed whenever information is acquired.
S202, after the identity verification is completed, device hardware operation state data sent out by each computer device are received.
In this step, after the identity verification is completed, the device hardware running state data sent by each computer device are received. Completion of the identity verification indicates that each computer device is safe and reliable, so the data sent by that computer device can be received.
S203, counting the types of the computer equipment and dividing the equipment hardware running state data into a plurality of types of accessory state data.
In this step, the types of computer devices are counted; for example, if the computer devices include desktop computers, notebook computers or other devices such as printers, the hardware types are determined from the device types, which fixes the classification items, and the device hardware running state data are divided into several types of accessory state data.
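The gateway-side handling of steps S201 to S203 can be illustrated with the following added Python example; it is not part of the patent and is not the applicant's code. It assumes a constructed device list in which each device has a number, a device type and a per-device pre-shared key, and it verifies each report with an HMAC-SHA256 tag over the payload before accepting it. The tag check goes beyond the description, which only specifies a lookup against the device list; it is added here as an assumption, since a list lookup alone does not establish that a report actually came from the listed device. The names DEVICE_LIST, ACCESSORY_TYPES, receive_report and the accessory names are the example's own.

```python
import hashlib
import hmac
import json

# Constructed local area network device list (step S201): device id ->
# number, device type and pre-shared key. The key is an assumption; the
# description only mentions a device list and a number per device.
DEVICE_LIST = {
    "PC-01": {"number": 1, "type": "desktop", "key": b"constructed-key-01"},
    "NB-02": {"number": 2, "type": "notebook", "key": b"constructed-key-02"},
    "PR-03": {"number": 3, "type": "printer", "key": b"constructed-key-03"},
}

# Accessory (hardware) types expected per device type (step S203);
# the assignment is constructed for the example.
ACCESSORY_TYPES = {
    "desktop": ["cpu", "disk", "memory", "gpu"],
    "notebook": ["cpu", "disk", "memory", "gpu"],
    "printer": ["cpu", "memory"],
}


def sign_report(device_id, payload):
    """Tag a report with the device's pre-shared key (what the information
    acquisition module on the device would do before sending)."""
    key = DEVICE_LIST[device_id]["key"]
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_identity(device_id, payload, tag):
    """Step S201: accept only devices on the list whose tag verifies."""
    entry = DEVICE_LIST.get(device_id)
    if entry is None:
        return False
    expected = hmac.new(entry["key"], payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def classify_state_data(device_type, state):
    """Step S203: keep the hardware items expected for this device type,
    so the raw report is split into typed accessory state data."""
    return {item: state[item] for item in ACCESSORY_TYPES[device_type] if item in state}


def receive_report(device_id, payload, tag):
    """Steps S201 to S203 in order: verify, then receive (parse), then
    classify. Returns None for a report that fails identity verification."""
    if not verify_identity(device_id, payload, tag):
        return None
    state = json.loads(payload.decode())            # step S202
    entry = DEVICE_LIST[device_id]
    return {
        "number": entry["number"],
        "time": state["time"],
        "accessory": classify_state_data(entry["type"], state),
    }


# Constructed report from PC-01 as it would reach the gateway after step S100.
# "fan_rpm" is not an accessory type for a desktop and is dropped by S203.
SAMPLE_PAYLOAD = json.dumps({
    "time": "2023-01-01T00:00:00", "cpu": 35.0, "disk": 60.0,
    "memory": 50.0, "gpu": 5.0, "fan_rpm": 1200,
}).encode()
SAMPLE_TAG = sign_report("PC-01", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(receive_report("PC-01", SAMPLE_PAYLOAD, SAMPLE_TAG))
    print(receive_report("XX-99", SAMPLE_PAYLOAD, SAMPLE_TAG))   # None: not on the list
```

A report from a device that is not on the list, a report whose tag was produced with another device's key, and a report whose payload was altered in transit are all rejected before any of the state data are parsed.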
As shown in fig. 3, as a preferred embodiment of the present invention, the steps of constructing a corresponding status data curve based on the accessory status data and the network transmission status monitoring data, and performing curve fitting to obtain a fitting function specifically include:
S301, extracting accessory state data and network transmission state monitoring data item by item, and converting the accessory state data and the network transmission state monitoring data into discrete point sets.
In this step, accessory state data and network transmission state monitoring data are extracted item by item, specifically in a preset extraction order, such as CPU, hard disk, graphics card, memory, network speed, time delay and data volume, and the acquisition time corresponding to each datum is determined, so that the data can be converted into discrete point sets.
S302, constructing a two-dimensional coordinate system, drawing points in the two-dimensional coordinate system based on the discrete point set, and completing curve fitting through smooth curve connection.
In this step, a two-dimensional coordinate system is constructed with time on the horizontal axis and the state data of each discrete point set on the vertical axis; for example, time on the horizontal axis and CPU occupancy rate on the vertical axis. Marking the points in time order gives a set of plotted points, and curve fitting is completed by connecting them with a smooth curve.
S303, extracting a plurality of coordinate points from the fitted curve according to a preset time interval, and performing function fitting based on the abscissa and the ordinate of the coordinate points to obtain a fitting function.
In this step, a plurality of coordinate points, that is, points (X_i, Y_i), are extracted from the fitted curve at preset time intervals and fitted, so as to determine a function that matches the fitted curve; in this way the fitting accuracy can be ensured.
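Steps S301 to S303 can be illustrated by the following added Python example, which is not part of the patent and not the applicant's code. It takes a constructed discrete point set of CPU occupancy sampled once per minute and fits a univariate cubic by least squares directly on the sampled (X_i, Y_i) pairs; since the points are already sampled at the preset interval, this is the same coordinate set S302 and S303 would produce, so the intermediate smooth-curve drawing is skipped. The names fit_polynomial, solve_linear, evaluate and fit_all are the example's own; the sample values are constructed to lie exactly on 20 + t + 0.5 t^2 + 0.1 t^3 so the recovered coefficients can be checked by hand.

```python
# Constructed discrete point set for one state type (step S301): CPU
# occupancy rate in %, sampled once per minute at t = 0..5.
CPU_POINTS = [(0, 20.0), (1, 21.6), (2, 24.8), (3, 30.2), (4, 38.4), (5, 50.0)]


def solve_linear(a, b):
    """Solve the square system a·c = b by Gauss-Jordan elimination with
    partial pivoting. Raises ValueError when the system is singular, which
    happens when there are fewer distinct sample times than coefficients."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]   # augmented matrix
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system: not enough distinct sample times")
        for r in range(n):
            if r != col:
                factor = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= factor * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_polynomial(points, degree=3):
    """Least-squares polynomial fit of y on x (step S303). Returns the
    coefficient list [c0, c1, ..., cd] of y ≈ c0 + c1·x + ... + cd·x^d,
    which is the 'fitting function' the later steps work with."""
    n = degree + 1
    # Normal equations (AᵀA)c = Aᵀy, accumulated without forming A.
    ata = [[0.0] * n for _ in range(n)]
    aty = [0.0] * n
    for x, y in points:
        powers = [float(x) ** k for k in range(2 * degree + 1)]
        for i in range(n):
            aty[i] += powers[i] * y
            for j in range(n):
                ata[i][j] += powers[i + j]
    return solve_linear(ata, aty)


def evaluate(coeffs, x):
    """Value of the fitting function at x; used to continue the curve."""
    return sum(c * float(x) ** k for k, c in enumerate(coeffs))


def fit_all(series_by_type, degree=3):
    """One fitting function per state data type, e.g. {'cpu': [...], ...},
    as the description requires for each fitted curve."""
    return {name: fit_polynomial(pts, degree) for name, pts in series_by_type.items()}


if __name__ == "__main__":
    coeffs = fit_polynomial(CPU_POINTS)
    print([round(c, 4) for c in coeffs])   # [20.0, 1.0, 0.5, 0.1]
    print(round(evaluate(coeffs, 6), 2))   # 65.6, the curve continued one step
```

With fewer distinct sample times than coefficients the normal equations are singular and the fit is refused rather than returning a meaningless function; a gateway collecting at the preset interval should therefore wait for at least four samples before fitting a cubic.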
As shown in fig. 4, as a preferred embodiment of the present invention, the steps of performing risk prediction based on a fitting function, performing feature extraction based on the fitting function obtained by fitting, performing security recognition according to the extracted features, and obtaining a recognition result specifically include:
S401, data are estimated based on the fitting function, and the result of the data estimation and the safe operation interval are compared to judge whether risk exists.
In this step, data are estimated based on the fitting function: times in the near future are used as the independent variable and fed into the fitting function to obtain a calculation result, which is compared with a preset safe operation interval. For example, if the safe operation interval of the CPU occupancy rate is 10% to 80% and the calculation result falls outside this range, a risk is judged to exist.
S402, all fitting functions are called, function features are extracted based on the fitting functions, and different types of function features are obtained.
In this step, all fitting functions are called and the coefficients of each fitting function are extracted; for example, a univariate cubic function has four coefficients, namely the cubic term coefficient, the quadratic term coefficient, the linear term coefficient and the constant term. In this way different types of function features are obtained.
S403, comparing the function features with known risk items in the risk database according to a preset risk database, judging whether running risks exist or not, and identifying risk types.
In this step, a preset risk database is used in which the fitting-function features corresponding to each type of risk are recorded. For example, for a virus A: when virus A infects a computer, the CPU occupancy rate of the computer device is affected, and the feature of the corresponding fitting function is finally P. The function features extracted in real time are compared with P and the degree of overlap is calculated; if the degree of overlap is greater than a preset value, the risk is determined to exist, and the risk type is thereby identified.
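Steps S401 to S403 can be illustrated by the following added Python example, which is not part of the patent and not the applicant's code. It starts from constructed cubic fitting functions (coefficient lists as step S303 would produce them), uses the 10% to 80% CPU safe operation interval given above together with a constructed latency interval, and holds a constructed risk database whose entries are coefficient vectors in the role of the feature P. The description does not fix how the degree of overlap is computed; the example uses the fraction of coefficients that agree within a relative tolerance, which is an assumption, as are the names predict_risks, extract_features, overlap_degree, identify_risks and the threshold values.

```python
# Constructed fitting functions as produced by step S303, one per state data
# type: coefficient lists [c0, c1, c2, c3] of a cubic in time t (minutes),
# y ≈ c0 + c1·t + c2·t² + c3·t³.
FITTED = {
    "cpu": [20.0, 1.0, 0.5, 0.1],           # CPU occupancy rate in %
    "latency_ms": [30.0, 0.2, 0.0, 0.0],    # transmission delay in ms
}

# Safe operation intervals (step S401). The CPU interval of 10% to 80% is
# the example given in the description; the latency interval is constructed.
SAFE_INTERVALS = {"cpu": (10.0, 80.0), "latency_ms": (0.0, 200.0)}

# Constructed risk database (step S403): for each known risk item, the
# fitting-function feature (coefficient vector, the 'P' of the description)
# of the state type it affects.
RISK_DB = {
    "virus A (CPU runaway)": {"cpu": [18.0, 1.2, 0.45, 0.12]},
    "link degradation": {"latency_ms": [25.0, 5.0, 0.3, 0.0]},
}


def evaluate(coeffs, t):
    """Value of the fitting function at time t."""
    return sum(c * float(t) ** k for k, c in enumerate(coeffs))


def predict_risks(fitted, safe, last_t, horizon):
    """Step S401: continue each curve over the next `horizon` sample times
    and report the first time a predicted value leaves its safe interval."""
    risks = []
    for name, coeffs in fitted.items():
        lo, hi = safe[name]
        for t in range(last_t + 1, last_t + horizon + 1):
            y = evaluate(coeffs, t)
            if not lo <= y <= hi:
                risks.append((name, t, round(y, 2)))
                break
    return risks


def extract_features(fitted):
    """Step S402: the features of a fitting function are its coefficients."""
    return {name: list(coeffs) for name, coeffs in fitted.items()}


def overlap_degree(feature, signature, rtol=0.25, atol=1e-3):
    """Degree of overlap between an extracted feature vector and a risk
    signature: the fraction of coefficients that agree within a relative
    tolerance (assumption: the description does not fix the metric)."""
    if len(feature) != len(signature):
        return 0.0
    hits = sum(1 for x, s in zip(feature, signature)
               if abs(x - s) <= max(rtol * abs(s), atol))
    return hits / len(signature)


def identify_risks(device_number, features, risk_db, threshold=0.75):
    """Step S403: compare every extracted feature with the risk database and
    return (device number, risk type, affected state) for each match, which
    is the content the recognition result must carry."""
    result = []
    for risk_type, signatures in risk_db.items():
        for state, sig in signatures.items():
            if state in features and overlap_degree(features[state], sig) >= threshold:
                result.append((device_number, risk_type, state))
    return result


if __name__ == "__main__":
    print(predict_risks(FITTED, SAFE_INTERVALS, last_t=5, horizon=5))   # [('cpu', 7, 85.8)]
    print(identify_risks(1, extract_features(FITTED), RISK_DB))         # [(1, 'virus A (CPU runaway)', 'cpu')]
```

The two checks are independent: the prediction in S401 fires on the trend alone (the CPU curve is forecast to leave the 10% to 80% interval two samples ahead), while the comparison in S403 names a risk type only when the coefficient pattern resembles a recorded signature closely enough. The constant term dominates any distance-based overlap metric unless coefficients are compared term by term, which is why the example compares each coefficient with its own tolerance.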
As shown in fig. 5, a network security operation and maintenance monitoring system provided by an embodiment of the present invention includes:
the data acquisition module 100 is configured to send information acquisition instructions to each computer device according to a preset time interval, and acquire network transmission state monitoring data.
In the system, the data acquisition module 100 sends information acquisition instructions to each computer device at a preset time interval. To monitor each computer device, an information acquisition module can be installed on each of them, through which the running state of each computer device can be acquired in real time. The information acquisition instructions are sent out through the gateway and record the time node of information acquisition; the information acquisition module on each computer device then collects information at that time node, specifically the hardware running state of the computer device, such as CPU occupancy rate, hard disk occupancy rate, memory occupancy rate and graphics card occupancy rate. Network transmission state monitoring data are acquired as well: while each computer device runs, its data transmission passes through the gateway, where the transmission process, such as data transmission speed, data packet size and data transmission delay, can be monitored.
The status data acquisition module 200 is configured to receive device hardware operation status data based on the information acquisition instruction, and divide the device hardware operation status data into a plurality of types of accessory status data.
In the system, the state data acquisition module 200 receives the device hardware running state data based on the information acquisition instruction. When the information acquisition module receives the instruction sent by the gateway, it starts collecting information on the computer device: following a preset acquisition order it collects the state data of each hardware component in turn, for example first the CPU state, then the hard disk state, then the memory state and finally the graphics card state, records the acquisition time, encapsulates the collected data and sends them to the gateway. The information acquisition instruction may be sent once or at a preset time interval. If it is sent once, it records an information acquisition time sequence listing the time nodes at which acquisition is to be performed repeatedly; if it is sent at a time interval, the information acquisition module performs one acquisition each time the acquisition time arrives. The device hardware running state data are then divided into several types of accessory state data.
The function fitting module 300 is configured to construct a corresponding status data curve based on the accessory status data and the network transmission status monitoring data, and perform curve fitting to obtain a fitting function.
In the system, the function fitting module 300 constructs a corresponding state data curve based on the accessory state data and the network transmission state monitoring data. The data are classified by hardware type and network transmission parameter into CPU state data, hard disk state data, memory state data, graphics card state data, transmission speed state data, time delay state data and data transmission quantity data. All of them are acquired at intervals, so they are discrete data related to time. By constructing a two-dimensional coordinate system with time on the horizontal axis and the state data variables on the vertical axis, each type of state data can be represented as a curve: a scatter diagram is obtained, the scatter points are connected in time order by a smooth curve, and the fitting function corresponding to each fitted curve is then determined by function fitting.
The risk identification module 400 is configured to perform risk prediction based on the fitting function, perform feature extraction based on the fitting function obtained by fitting, and perform security identification according to the extracted features to obtain an identification result.
In the system, the risk recognition module 400 predicts risk from the fitting function. Once the fitting function is determined, the short-term trend of the curve can be predicted from the trend of the fitting function: a future time is input to the fitting function as the independent variable, and the output extends the fitted curve, which allows judging whether each type of state data will become abnormal in the short term. A judgment condition can be set for this, for example that a predicted risk exists if the CPU occupancy rate is higher than 90%. At the same time, because a plurality of fitting functions are obtained, parameters are extracted from each of them to obtain a plurality of function features, and these function features are compared with the features of known risks to judge whether the corresponding risk exists on the current computer device, giving the recognition result.
As shown in fig. 6, as a preferred embodiment of the present invention, the status data acquisition module 200 includes:
the identity verification unit 201 is configured to obtain a local area network device list, identify identities of respective computer devices based on the local area network device list, and complete identity verification.
In this step, the identity verification unit 201 obtains a local area network device list: it counts the computer devices in the local area network, determines which computer devices the current local area network contains, assigns a number to each computer device, and performs identity verification when information is acquired.
The device state identifying unit 202 is configured to receive device hardware operation state data sent from each computer device after the authentication is completed.
In this step, after the authentication is completed, the device state identifying unit 202 receives the device hardware operation state data sent from each computer device; completing the authentication indicates that each computer device is safe and reliable, so the data it sends can then be received.
The data classifying unit 203 is configured to count types of computer devices, and divide the device hardware running state data into a plurality of types of accessory state data.
In this step, the data classifying unit 203 counts the types of computer devices, such as desktop computers, notebook computers or other devices such as printers, and determines the hardware types from the device types, so as to determine the classification items and divide the device hardware running state data into a plurality of types of accessory state data.
As shown in fig. 7, as a preferred embodiment of the present invention, the function fitting module 300 includes:
a data discrete unit 301 for extracting the accessory status data and the network transmission status monitoring data item by item, and converting them into a discrete point set.
In this module, the data discrete unit 301 extracts accessory status data and network transmission status monitoring data item by item, specifically in a preset extraction sequence such as CPU, hard disk, graphics card, memory, network speed, time delay and data amount, and determines the acquisition time corresponding to each datum, so that the data can be converted into a discrete point set.
And the curve fitting unit 302 is configured to construct a two-dimensional coordinate system, perform point tracing in the two-dimensional coordinate system based on the discrete point set, and complete curve fitting through smooth curve connection.
In this module, the curve fitting unit 302 constructs a two-dimensional coordinate system with time as the horizontal axis and the state data of each discrete point set as the vertical axis, for example time on the horizontal axis and CPU occupancy rate on the vertical axis; the points are plotted in time order to obtain a set of plotted points, and curve fitting is completed by connecting them with a smooth curve.
The coordinate fitting unit 303 is configured to extract a plurality of coordinate points from the fitted curve according to a preset time interval, and perform function fitting based on the abscissa and the ordinate of the coordinate points, so as to obtain a fitting function.
In this module, the coordinate fitting unit 303 extracts a plurality of coordinate points (X_i, Y_i) from the fitted curve at preset time intervals and performs fitting processing on them to determine a function that matches the curve; the fitting function obtained in this way can guarantee fitting accuracy.
As shown in fig. 8, as a preferred embodiment of the present invention, the risk identification module 400 includes:
the risk estimation unit 401 is configured to perform data estimation based on the fitting function, and compare the result of the data estimation with the safe operation interval to determine whether there is a risk.
In this module, the risk estimation unit 401 performs data estimation based on the fitting function: a time in the near future is introduced into the fitting function as the independent variable to obtain a calculation result, and the calculation result is compared with a preset safe operation interval. For example, the safe operation interval of the CPU occupancy rate is 10%-80%, and if the calculation result falls outside this interval, a risk is determined to exist.
The feature extraction unit 402 is configured to call all the fitting functions, extract function features based on the fitting functions, and obtain different types of function features.
In this module, the feature extraction unit 402 invokes all the fitting functions and extracts the coefficients of each fitting function; for example, a univariate cubic function has four coefficients, namely the cubic term coefficient, the quadratic term coefficient, the first-order term coefficient and the constant term. In this way different types of function features are obtained.
The risk determination unit 403 is configured to compare the function feature with known risk items in the risk database according to a preset risk database, determine whether there is a running risk, and identify a risk type.
In this module, the risk determination unit 403 records in the risk database the features of the fitting function corresponding to each type of risk. For example, when a virus A infects a computer, the CPU occupancy rate of the computer device is affected, and the corresponding fitting function has a feature P; the function feature extracted in real time is compared with P to calculate the degree of overlap, and if the degree of overlap is greater than a preset value, it is determined that the risk exists and the risk type is determined accordingly.
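As an added worked illustration of the fitting, prediction and feature-matching steps of modules 300 and 400 above (this is not the patent's own code), the following fits a univariate cubic to CPU occupancy samples, extrapolates it against the 10%-80% safe operation interval, and compares its coefficients with the features in a risk database. The sample readings, the risk database entries and the "degree of overlap" measure are constructed here, since the patent does not define them.

```python
"""Added example (not the patent's code): cubic fitting of a CPU-occupancy series,
short-term prediction against the safe operation interval, coefficient feature
extraction and comparison with a constructed risk database."""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample: (time in minutes, CPU occupancy %) collected at a fixed interval.
CPU_SAMPLES: List[Tuple[float, float]] = [
    (0, 20.0), (1, 22.6), (2, 26.8), (3, 33.2), (4, 42.4), (5, 55.0),
]
SAFE_INTERVAL = (10.0, 80.0)  # safe operation interval for CPU occupancy, as in the text

# Constructed risk database: risk type -> feature of its fitting function, given as
# [cubic, quadratic, first-order, constant] coefficients (the order used in the text).
RISK_DATABASE: Dict[str, List[float]] = {
    "virus A": [0.11, 0.45, 2.2, 19.0],  # steadily accelerating CPU ramp
    "risk B": [0.0, -1.0, 15.0, 5.0],    # sharp spike that then falls back
}


def fit_polynomial(points: Sequence[Tuple[float, float]], degree: int = 3) -> List[float]:
    """Least-squares polynomial fit of y on x (coordinate fitting unit 303).
    Returns [a0, a1, ..., a_degree], constant term first, by solving the normal
    equations with Gauss-Jordan elimination and partial pivoting."""
    n = degree + 1
    ata = [[sum(x ** (i + j) for x, _ in points) for j in range(n)] for i in range(n)]
    aty = [sum(y * x ** i for x, y in points) for i in range(n)]
    m = [ata[i] + [aty[i]] for i in range(n)]  # augmented matrix [A^T A | A^T y]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def evaluate(coeffs: Sequence[float], t: float) -> float:
    """Value of the fitted function at time t."""
    return sum(c * t ** i for i, c in enumerate(coeffs))


def predict_risk(coeffs: Sequence[float], horizon: Sequence[float],
                 safe: Tuple[float, float] = SAFE_INTERVAL) -> Optional[Tuple[float, float]]:
    """Risk estimation unit 401: extrapolate over future times and return the first
    (time, value) that leaves the safe operation interval, or None if none does."""
    lo, hi = safe
    for t in horizon:
        v = evaluate(coeffs, t)
        if v < lo or v > hi:
            return (t, v)
    return None


def extract_features(coeffs: Sequence[float]) -> List[float]:
    """Feature extraction unit 402: the coefficients, cubic term first."""
    return list(reversed(coeffs))


def overlap_degree(observed: Sequence[float], expected: Sequence[float],
                   rel_tol: float = 0.25) -> float:
    """Fraction of coefficients within rel_tol (relative to the larger magnitude) of
    the signature. The patent leaves 'degree of overlap' undefined; this is one
    simple, constructed choice."""
    hits = 0
    for o, e in zip(observed, expected):
        if abs(o - e) / max(abs(o), abs(e), 1e-9) <= rel_tol:
            hits += 1
    return hits / len(expected)


def identify_risks(features: Sequence[float], database: Dict[str, List[float]] = RISK_DATABASE,
                   threshold: float = 0.75) -> List[str]:
    """Risk determination unit 403: risk types whose overlap exceeds the preset value."""
    return [name for name, sig in database.items() if overlap_degree(features, sig) >= threshold]


if __name__ == "__main__":
    coeffs = fit_polynomial(CPU_SAMPLES)
    print("fitted coefficients (a0..a3):", [round(c, 4) for c in coeffs])
    print("first predicted excursion:", predict_risk(coeffs, [6, 7, 8]))
    print("matched risks:", identify_risks(extract_features(coeffs)))
```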
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in the order indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the various embodiments may include multiple sub-steps or stages that are not necessarily performed at the same time but may be performed at different times, and the sub-steps or stages need not be performed in sequence; they may be performed alternately or in turn with at least a portion of the sub-steps or stages of other steps, or with other steps.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing relevant hardware, where the program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the above-described embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above-described embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The foregoing examples illustrate only a few embodiments of the invention and are described in detail herein without thereby limiting the scope of the invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of protection of the present invention is to be determined by the appended claims.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, and alternatives falling within the spirit and principles of the invention.
Claims (6)
1. A method for monitoring network security operation and maintenance, which is applied to a gateway, the method comprising:
sending information acquisition instructions to each computer device according to preset time intervals, and acquiring network transmission state monitoring data;
receiving equipment hardware running state data based on the information acquisition instruction, and dividing the equipment hardware running state data into a plurality of types of accessory state data;
constructing a corresponding state data curve based on the accessory state data and the network transmission state monitoring data, and performing curve fitting to obtain a fitting function;
performing risk prediction based on the fitting function, performing feature extraction based on the fitting function obtained by fitting, and performing safety recognition according to the extracted features to obtain a recognition result;
the step of constructing a corresponding state data curve based on the accessory state data and the network transmission state monitoring data and performing curve fitting to obtain a fitting function specifically comprises the following steps:
extracting accessory state data and network transmission state monitoring data item by item, and converting the accessory state data and the network transmission state monitoring data into discrete point sets;
constructing a two-dimensional coordinate system, carrying out point tracing in the two-dimensional coordinate system based on a discrete point set, and completing curve fitting through smooth curve connection;
extracting a plurality of coordinate points from a curve obtained by fitting according to a preset time interval, and performing function fitting based on the abscissa and the ordinate of the coordinate points to obtain a fitting function;
the step of carrying out risk prediction based on the fitting function, carrying out feature extraction based on the fitting function obtained by fitting, and carrying out safety recognition according to the extracted features to obtain a recognition result, specifically comprises the following steps:
carrying out data prediction based on the fitting function, and comparing the data prediction result with a safe operation interval to judge whether risk exists;
calling all fitting functions, extracting function features based on the fitting functions, and obtaining different types of function features;
comparing the function features with known risk items in the risk database according to a preset risk database, judging whether running risks exist, and identifying the risk type.
2. The network security operation and maintenance monitoring method according to claim 1, wherein the step of receiving the hardware operation state data of the device based on the information collection instruction and dividing the hardware operation state data of the device into a plurality of types of accessory state data specifically comprises:
acquiring a local area network equipment list, and identifying the identity of each computer equipment based on the local area network equipment list to complete identity verification;
after the identity verification is completed, receiving device hardware running state data sent by each computer device;
the types of computer devices are counted, and the hardware running state data of the devices are divided into a plurality of types of accessory state data.
3. The network security operation monitoring method according to claim 1, wherein the identification result includes at least a number of a computer device at which a risk occurs and a risk type of the computer device.
4. The method of claim 1, wherein the computer devices are connected to a local area network and have no mobile communication function.
5. A network security operation and maintenance monitoring system, for use with a gateway, the system comprising:
the data acquisition module is used for sending information acquisition instructions to each computer device according to a preset time interval and acquiring network transmission state monitoring data;
the state data acquisition module is used for receiving the hardware operation state data of the equipment based on the information acquisition instruction and dividing the hardware operation state data of the equipment into a plurality of types of accessory state data;
the function fitting module is used for constructing a corresponding state data curve based on the accessory state data and the network transmission state monitoring data, and performing curve fitting to obtain a fitting function;
the risk identification module is used for carrying out risk prediction based on the fitting function, carrying out feature extraction based on the fitting function obtained by fitting, and carrying out safety identification according to the extracted features to obtain an identification result;
the function fitting module comprises:
the data discrete unit is used for extracting accessory state data and network transmission state monitoring data item by item and converting the accessory state data and the network transmission state monitoring data into discrete point sets;
the curve fitting unit is used for constructing a two-dimensional coordinate system, carrying out point tracing in the two-dimensional coordinate system based on the discrete point set, and completing curve fitting through smooth curve connection;
the coordinate fitting unit is used for extracting a plurality of coordinate points from a curve obtained by fitting according to a preset time interval, and performing function fitting based on the abscissa and the ordinate of the coordinate points to obtain a fitting function;
the risk identification module comprises:
the risk prediction unit is used for performing data prediction based on the fitting function, and comparing the data prediction result with the safe operation interval to judge whether risk exists;
the feature extraction unit is used for calling all fitting functions, extracting function features based on the fitting functions and obtaining different types of function features;
the risk judging unit is used for comparing the function characteristics with known risk items in the risk database according to a preset risk database, judging whether running risks exist or not and identifying risk types.
6. The network security operation and maintenance monitoring system of claim 5, wherein the status data acquisition module comprises:
the identity verification unit is used for acquiring a local area network equipment list, identifying the identity of each computer equipment based on the local area network equipment list and completing identity verification;
the device state identification unit is used for receiving the device hardware running state data sent by each computer device after the identity verification is completed;
the data classification unit is used for counting the types of the computer equipment and dividing the equipment hardware running state data into a plurality of types of accessory state data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310933402.6A CN116980202B (en) | 2023-07-27 | 2023-07-27 | Network security operation and maintenance monitoring method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116980202A CN116980202A (en) | 2023-10-31 |
CN116980202B true CN116980202B (en) | 2023-12-26 |
Family ID: 88484497
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310933402.6A Active CN116980202B (en) | 2023-07-27 | 2023-07-27 | Network security operation and maintenance monitoring method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116980202B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107329930A (en) * | 2016-04-29 | 2017-11-07 | 中国科学院微电子研究所 | Least square fitting method and least square fitting system |
CN108667912A (en) * | 2018-04-23 | 2018-10-16 | 中国人民解放军战略支援部队信息工程大学 | A kind of cloud resource distribution method and device |
CN112594142A (en) * | 2020-11-23 | 2021-04-02 | 东方电气集团科学技术研究院有限公司 | Terminal cloud collaborative wind power operation and maintenance diagnosis system based on 5G |
CN113537658A (en) * | 2020-04-14 | 2021-10-22 | 南京南瑞继保电气有限公司 | Equipment risk assessment and maintenance system and method |
CN113570826A (en) * | 2021-07-15 | 2021-10-29 | 长视科技股份有限公司 | Method and system for realizing disaster early warning by river landslide deformation recognition |
CN113887861A (en) * | 2021-08-23 | 2022-01-04 | 广西电网有限责任公司电力科学研究院 | Power transmission and transformation main equipment quasi-real-time data monitoring system |
CN114978604A (en) * | 2022-04-25 | 2022-08-30 | 西南大学 | Security gateway system for software defined service perception |
CN116132326A (en) * | 2023-01-17 | 2023-05-16 | 无锡锐泰节能系统科学有限公司 | Comprehensive energy efficiency data management method and system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US12073942B2 (en) * | 2020-04-30 | 2024-08-27 | Kpn Innovations, Llc. | Methods and systems for dynamic constitutional guidance using artificial intelligence |
US11436615B2 (en) * | 2020-08-28 | 2022-09-06 | Anchain.ai Inc. | System and method for blockchain transaction risk management using machine learning |
- 2023-07-27 CN CN202310933402.6A patent/CN116980202B/en active Active
Non-Patent Citations (1)
Title |
---|
Research and application of artificial intelligence technology in power equipment operation, maintenance and inspection; 蒲天骄; 乔骥; 韩笑; 张国宾; 王新迎; High Voltage Engineering (No. 02); full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |