[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN113098827A - Network security early warning method and device based on situation awareness - Google Patents

Network security early warning method and device based on situation awareness Download PDF

Info

Publication number
CN113098827A
CN113098827A CN201911338769.3A CN201911338769A CN113098827A CN 113098827 A CN113098827 A CN 113098827A CN 201911338769 A CN201911338769 A CN 201911338769A CN 113098827 A CN113098827 A CN 113098827A
Authority
CN
China
Prior art keywords
network
node
security
situation
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911338769.3A
Other languages
Chinese (zh)
Other versions
CN113098827B (en
Inventor
徐金阳
刘冬岩
高琛
郭旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
China Mobile Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Liaoning Co Ltd
China Mobile Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Liaoning Co Ltd, China Mobile Information Technology Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201911338769.3A priority Critical patent/CN113098827B/en
Publication of CN113098827A publication Critical patent/CN113098827A/en
Application granted granted Critical
Publication of CN113098827B publication Critical patent/CN113098827B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a situation awareness-based network security early warning method and device, wherein the method comprises the following steps: acquiring security scene information depending on network activities, analyzing the security scene information through a processor, and determining a security guarantee value; extracting network information of each device from the network log, wherein the network information comprises: the identification of the equipment, the attack number of the equipment and historical operation data; for each node in the network topology, determining the security posture of the node according to the degree of the node and the network information of the equipment at the node; and determining whether the network is safe according to the safety situation of each node, and if not, performing safety early warning. Through the safety guarantee value required by the analysis of the safety scene information, the network situation is predicted through the safety of the nodes in the network topology and the vulnerability of the passing degree response, and then safety alarm is carried out.

Description

Network security early warning method and device based on situation awareness
Technical Field
The invention relates to the technical field of network security, in particular to a situation awareness-based network security early warning method and device.
Background
With the rapid development of computer and communication technologies, computer networks are more and more widely applied and have larger and larger scales, network security threats and security risks in multiple layers are continuously increased, threats and losses formed by network viruses, Dos/DDos attacks and the like are larger and larger, network attack behaviors develop towards the trends of distribution, scale, complexity and the like, the requirements of network security cannot be met only by means of single network security protection technologies such as firewalls, intrusion detection, virus prevention, access control and the like, new technologies are urgently needed, abnormal events in the networks are timely discovered, network security conditions are mastered in real time, and the most of the prior time sheep death is firmly mended in and after processing, the automatic assessment and prediction in advance is turned to, security early warning is timely carried out, the network security risks are reduced, and the network security protection capability is improved.
The inventor discovers that in the process of implementing the invention: in the prior art, a uniform security early warning strategy is generally adopted for different activity scenes, the different activity scenes have different network security requirements, the security guarantee may be too tight or too loose according to the uniform security early warning strategy, the accuracy of security early warning is poor, and the prior art cannot meet the network security early warning requirements of the different activity scenes.
Disclosure of Invention
In view of the above, the present invention is proposed to provide a situation awareness based network security early warning method and apparatus that overcomes or at least partially solves the above problems.
According to one aspect of the invention, a situation awareness-based network security early warning method is provided, which comprises the following steps:
acquiring security scene information depending on network activities, analyzing the security scene information through at least one processor, and determining a security guarantee value;
extracting network information of each device from the network log, wherein the network information comprises: the identification of the equipment, the attack quantity suffered by the equipment and historical operation data;
for each node in the network topology, determining the security posture of the node according to the degree of the node and the network information of the equipment at the node;
and determining whether the network is safe according to the safety situation of each node, and if not, performing safety early warning.
Optionally, determining the security posture of the node according to the degree of the node and the network information of the device at the node specifically includes:
determining the operation condition of the equipment at the node according to the historical operation data, and screening a corresponding safety situation evaluation rule;
and determining the security situation of the node based on the corresponding security situation evaluation rule.
Optionally, determining whether the network is secure according to the security posture of each node specifically includes:
determining the weight of the security situation of each node, calculating the weighted sum of the security situation of each node, and judging whether the weighted sum is greater than a preset value;
if yes, the network is determined to be unsafe.
Optionally, the security context information comprises one or more of activity level, activity duration, activity impact range;
wherein, the higher the activity level is, the higher the security guarantee value is; the longer the activity duration, the higher the safety guarantee value; the larger the range of influence of the activity is, the higher the safety guarantee value is.
Optionally, the historical operating data includes one or more of the following information: traffic characteristic information, IP identification and behavior characteristic information.
According to another aspect of the present invention, there is provided a situation awareness-based network security early warning apparatus, including:
the safety guarantee analysis module is suitable for acquiring safety scene information depending on network activities, analyzing the safety scene information through at least one processor and determining a safety guarantee value;
the data extraction module is suitable for extracting network information of each device from the weblog, and the network information comprises: the identification of the equipment, the attack quantity suffered by the equipment and historical operation data;
the security situation processing module is suitable for determining the security situation of each node in the network topology according to the degree of the node and the network information of the equipment at the node;
and the early warning module is suitable for determining whether the network is safe according to the safety situation of each node, and if the network is not safe, performing safety early warning.
Optionally, the security posture processing module is further adapted to:
determining the operation condition of the equipment at the node according to the historical operation data, and screening a corresponding safety situation evaluation rule;
and determining the security situation of the node based on the corresponding security situation evaluation rule.
Optionally, the early warning module is further adapted to:
determining the weight of the security situation of each node, calculating the weighted sum of the security situation of each node, and judging whether the weighted sum is greater than a preset value;
if yes, the network is determined to be unsafe.
Optionally, the security context information comprises one or more of activity level, activity duration, activity impact range;
wherein, the higher the activity level is, the higher the security guarantee value is; the longer the activity duration, the higher the safety guarantee value; the larger the range of influence of the activity is, the higher the safety guarantee value is.
Optionally, the historical operating data includes one or more of the following information: traffic characteristic information, IP identification and behavior characteristic information.
According to yet another aspect of the present invention, there is provided a computing device comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the network security early warning method based on situation awareness.
According to still another aspect of the present invention, a computer storage medium is provided, where at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform operations corresponding to the above situation awareness-based network security early warning method.
According to the situation awareness-based network security early warning method and device disclosed by the invention, security scene information depending on network activities is obtained, and the security scene information is analyzed through at least one processor to determine a security guarantee value; extracting network information of each device from the network log, wherein the network information comprises: the identification of the equipment, the attack quantity suffered by the equipment and historical operation data; for each node in the network topology, determining the security posture of the node according to the degree of the node and the network information of the equipment at the node; and determining whether the network is safe according to the safety situation of each node, and if not, performing safety early warning. According to the method, the network situation is predicted through the safety guarantee value required by dynamic analysis of the safety scene information, the safety of each node in the network topology and the vulnerability of the passing degree response, whether the network is safe or not is judged through the network situation, safety is carried out under the unsafe condition, the method is more flexible and accurate, and the accuracy of network safety early warning can be improved.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 shows a flowchart of a situation awareness-based network security early warning method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a network topology in an embodiment of the invention;
fig. 3 is a schematic structural diagram illustrating a situation awareness-based network security early warning apparatus according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a computing device provided in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The situation awareness is an ability of understanding security risks dynamically and integrally based on environment, and is a mode of improving the capabilities of discovering, recognizing, understanding, analyzing and responding to handling security threats from a global perspective on the basis of security big data, and finally is a ground of security capabilities for decision and action. The network security situation awareness technology can integrate security factors of various aspects and dynamically reflect network security conditions on the whole.
Fig. 1 shows a flowchart of a situation awareness-based network security early warning method provided in an embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
step S101, obtaining safety scene information depending on network activities, analyzing the safety scene information through at least one processor, and determining a safety guarantee value.
In the embodiment of the invention, the activities are all network-dependent, such as large-scale live webcasting activities and the like. Obtaining security context information for network-dependent activities, the security context information comprising: activity level, activity duration, activity impact range. The security scene information is automatically analyzed by at least one processor to determine a security assurance value for the activity, the security assurance value indicating a degree of security required for the activity.
In specific implementation, the safety guarantee value prediction model can be trained in a big data mode, the acquired safety scene information is input into the safety guarantee value prediction model for processing, and the model outputs a corresponding safety guarantee value. It should be noted that the present invention is not limited thereto.
In summary, determining the security and safety value should follow the following rules: the higher the activity level, the higher the security assurance value; the longer the activity duration, the higher the safety guarantee value; the larger the range of influence of the activity is, the larger the safety guarantee value is.
For example, the activity level, activity duration, and activity impact range are first assigned. The activity level is divided into multiple levels according to the importance degree of the activity, such as a special level, a high level, a middle level, a low level and the like, and each level is assigned with a value. The activity duration time is an assigned number of days, for example, if the activity time is one day, the number is 1, and if the activity time is three days, the number is 3. And the activity influence range is divided into a plurality of levels according to the influence degree of the activity, and each level is assigned. The assignment may be other values or in other forms, and the invention is not limited in this respect.
Then, calculating a security guarantee value according to the assignment of the activity level, the assignment of the activity duration and the assignment of the activity influence range, wherein a specific calculation formula is as follows:
security value ═ activity duration assignment ^ activity impact range assignment ^ activity level assignment
Step S102, extracting network information of each device from the network log, wherein the network information comprises: identification of the device, number of attacks the device has been subjected to, and historical operational data.
Wherein a device refers to a device in a network topology. Fig. 2 is a schematic diagram illustrating a network topology according to an embodiment of the present invention, and as shown in fig. 2, the device according to the embodiment of the present invention may refer to a host, a server, a router, and the like.
Extracting network information of each device from the network log, wherein the network information comprises an identifier of the device, the number of attacks to which the device is subjected and historical operation data, the historical operation data is log data acquired by security monitoring, and the historical operation data comprises one or more of the following information: traffic characteristic information, IP identification and behavior characteristic information.
Step S103, aiming at each node in the network topology, determining the security situation of the node according to the degree of the node and the network information of the equipment at the node.
The degree of a node reflects the number of nodes connected to the node, i.e. the number of affected nodes. If the degree is larger, once one node fails, all nodes connected with the node fail. The network stability can be effectively evaluated by the vulnerability of the throughput response node
For each node in the network topology, a security posture is determined, and the security posture of the node is determined according to the degree of the node and the network information of the device at the node. Therefore, the embodiment of the invention combines the security and guarantee value required by the activity and the vulnerability of the node to evaluate the security situation of the node.
Specifically, the operation condition of the equipment at the node is determined according to historical operation data, and a corresponding safety situation evaluation rule is screened; and determining the security situation of the node based on the corresponding security situation evaluation rule. In the method, firstly, the operation condition of the equipment is evaluated according to the historical operation data of the equipment, and then the corresponding safety situation evaluation rule is selected according to the operation condition of the equipment to determine the safety situation of the node.
For example, the current operating condition is determined based on a comparison between the operating data and a standard value.
And if the operation data is higher than the standard interval, which indicates that the operation condition is better, the situation value of the node is the degree of the node and the number of the devices which are attacked is the safety guarantee value.
And if the operation data is located in the standard interval and indicates that the operation condition is normal, the situation value of the node is the sum of the degree of the node and the number of the devices which are attacked and the situation values of the nodes which are directly connected with the node.
And if the operation data is lower than the standard interval and indicates that the operation condition is poor, the situation value of the node is the sum of the degree of the node and the product of the situation value of each node directly connected with the node and the degree of the node.
And step S104, determining whether the network is safe according to the safety situation of each node, and if not, performing safety early warning.
Finally, determining whether the network is safe according to the security situation of each node, for example, judging whether the average value of the security situation of each node is greater than a preset value, if so, determining that the network is unsafe; or whether the number of the nodes with the security posture larger than the preset value is larger than the number threshold value, and if so, determining that the network is not secure. Of course, this is merely an example, and the present invention is not limited thereto. And if the network is determined to be unsafe, carrying out safety alarm.
In an optional implementation manner, according to the weight for determining the security situation of each node, calculating the weighted sum of the security situations of each node, and judging whether the weighted sum is greater than a preset value; if yes, the network is determined to be unsafe. Wherein the weight of the security posture of the node is related to the degree of the node, the degree of each node directly connected with the node and the number of each node directly connected with the node. In short, the higher the degree of a node is, the higher the security posture weight of the node is, the larger the number of nodes directly connected with the node is, and the lower the security posture weight of the node is. For example, the sum of the products of the degrees of the nodes and the degrees of the nodes directly connected to the node is divided by the number of the nodes directly connected to the node, and the obtained numerical value is the weight of the security situation of the node.
According to the situation awareness-based network security early warning method provided by the embodiment, the network situation is predicted through the security guarantee value required by dynamic analysis of security scene information, the security of each node in the network topology and the vulnerability of the passing degree response, whether the network is safe or not is judged through the network situation, and the network is safe under the unsafe condition.
Fig. 3 shows a schematic structural diagram of a situation awareness-based network security early warning apparatus provided in an embodiment of the present invention, and as shown in fig. 3, the apparatus includes:
a security assurance analysis module 31 adapted to acquire security scene information depending on activities of a network, analyze the security scene information through at least one processor, and determine a security assurance value;
a data extraction module 32, adapted to extract network information of each device from the network log, the network information including: the identification of the equipment, the attack quantity suffered by the equipment and historical operation data;
a security posture processing module 33, adapted to determine, for each node in the network topology, a security posture of the node according to the degree of the node and network information of the device at the node;
and the early warning module 34 is suitable for determining whether the network is safe according to the safety situation of each node, and if not, performing safety early warning.
Optionally, the security posture processing module 33 is further adapted to:
determining the operation condition of the equipment at the node according to the historical operation data, and screening a corresponding safety situation evaluation rule;
and determining the security situation of the node based on the corresponding security situation evaluation rule.
Optionally, the early warning module 34 is further adapted to:
determining the weight of the security situation of each node, calculating the weighted sum of the security situation of each node, and judging whether the weighted sum is greater than a preset value;
if yes, the network is determined to be unsafe.
Optionally, the security context information comprises one or more of activity level, activity duration, activity impact range;
wherein, the higher the activity level is, the higher the security guarantee value is; the longer the activity duration, the higher the safety guarantee value; the larger the range of influence of the activity is, the higher the safety guarantee value is.
Optionally, the historical operating data includes one or more of the following information: traffic characteristic information, IP identification and behavior characteristic information.
The embodiment of the invention provides a nonvolatile computer storage medium, wherein at least one executable instruction is stored in the computer storage medium, and the computer executable instruction can execute the network security early warning method based on situation awareness in any method embodiment.
The executable instructions may be specifically configured to cause the processor to:
acquiring security scene information depending on network activities, analyzing the security scene information through at least one processor, and determining a security guarantee value;
extracting network information of each device from the network log, wherein the network information comprises: the identification of the equipment, the attack quantity suffered by the equipment and historical operation data;
for each node in the network topology, determining the security posture of the node according to the degree of the node and the network information of the equipment at the node;
and determining whether the network is safe according to the safety situation of each node, and if not, performing safety early warning.
In an alternative, the executable instructions cause the processor to:
determining the operation condition of the equipment at the node according to the historical operation data, and screening a corresponding safety situation evaluation rule;
and determining the security situation of the node based on the corresponding security situation evaluation rule.
In an alternative, the executable instructions cause the processor to: determining the weight of the security situation of each node, calculating the weighted sum of the security situation of each node, and judging whether the weighted sum is greater than a preset value;
if yes, the network is determined to be unsafe.
In an optional manner, the security context information includes one or more of activity level, activity duration, activity impact range;
wherein, the higher the activity level is, the higher the security guarantee value is; the longer the activity duration, the higher the safety guarantee value; the larger the range of influence of the activity is, the higher the safety guarantee value is.
In an alternative, the executable instructions cause the processor to: the historical operating data includes one or more of the following information: traffic characteristic information, IP identification and behavior characteristic information.
Fig. 4 is a schematic structural diagram of an embodiment of a computing device according to the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 4, the computing device may include: a processor (processor)402, a Communications Interface 404, a memory 406, and a Communications bus 408.
Wherein: the processor 402, communication interface 404, and memory 406 communicate with each other via a communication bus 408. A communication interface 404 for communicating with network elements of other devices, such as clients or other servers. The processor 402 is configured to execute the program 410, and may specifically execute relevant steps in the above-described situation awareness-based network security early warning method embodiment for a computing device.
In particular, program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit CPU or an application Specific Integrated circuit asic or one or more Integrated circuits configured to implement embodiments of the present invention. The computing device includes one or more processors, which may be the same type of processor, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
And a memory 406 for storing a program 410. Memory 406 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to perform the following operations:
acquiring security scene information depending on network activities, analyzing the security scene information through at least one processor, and determining a security guarantee value;
extracting network information of each device from the network log, wherein the network information comprises: the identification of the equipment, the attack quantity suffered by the equipment and historical operation data;
for each node in the network topology, determining the security posture of the node according to the degree of the node and the network information of the equipment at the node;
and determining whether the network is safe according to the safety situation of each node, and if not, performing safety early warning.
In an alternative, the program 410 causes the processor 402 to:
determining the operation condition of the equipment at the node according to the historical operation data, and screening a corresponding safety situation evaluation rule;
and determining the security situation of the node based on the corresponding security situation evaluation rule.
In an alternative, the program 410 causes the processor 402 to: determining the weight of the security situation of each node, calculating the weighted sum of the security situation of each node, and judging whether the weighted sum is greater than a preset value;
if yes, the network is determined to be unsafe.
In an optional manner, the security context information includes one or more of activity level, activity duration, activity impact range;
wherein, the higher the activity level is, the higher the security guarantee value is; the longer the activity duration, the higher the safety guarantee value; the larger the range of influence of the activity is, the higher the safety guarantee value is.
In an alternative approach, the historical operating data includes one or more of the following information: traffic characteristic information, IP identification and behavior characteristic information.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form. It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A network security early warning method based on situation awareness comprises the following steps:
acquiring security scene information depending on network activities, analyzing the security scene information through at least one processor, and determining a security guarantee value;
extracting network information of each device from a network log, wherein the network information comprises: the identification of the equipment, the attack quantity suffered by the equipment and historical operation data;
for each node in the network topology, determining the security posture of the node according to the degree of the node and the network information of the equipment at the node;
and determining whether the network is safe according to the safety situation of each node, and if not, performing safety early warning.
2. The method of claim 1, wherein determining the security posture of the node based on the degree of the node and the network information of the device at the node specifically comprises:
determining the operation condition of the equipment at the node according to the historical operation data, and screening a corresponding safety situation evaluation rule;
and determining the security situation of the node based on the corresponding security situation evaluation rule.
3. The method according to claim 1, wherein the determining whether the network is secure according to the security posture of each node specifically comprises:
determining the weight of the security situation of each node, calculating the weighted sum of the security situation of each node, and judging whether the weighted sum is greater than a preset value;
if yes, the network is determined to be unsafe.
4. The method of claim 1, wherein the security context information comprises one or more of an activity level, an activity duration, an activity impact range;
wherein, the higher the activity level is, the higher the security guarantee value is; the longer the activity duration, the higher the safety guarantee value; the larger the range of influence of the activity is, the higher the safety guarantee value is.
5. The method of claim 1, wherein the historical operating data includes one or more of the following information: traffic characteristic information, IP identification and behavior characteristic information.
6. A situation awareness-based network security early warning device comprises:
the system comprises a safety guarantee analysis module, a safety guarantee analysis module and a safety guarantee analysis module, wherein the safety guarantee analysis module is suitable for acquiring safety scene information depending on activities of a network, analyzing the safety scene information through at least one processor and determining a safety guarantee value;
a data extraction module adapted to extract network information of each device from the weblog, the network information including: the identification of the equipment, the attack quantity suffered by the equipment and historical operation data;
the security situation processing module is suitable for determining the security situation of each node in the network topology according to the degree of the node and the network information of the equipment at the node;
and the early warning module is suitable for determining whether the network is safe according to the safety situation of each node, and if the network is not safe, performing safety early warning.
7. The apparatus of claim 6, wherein the security posture processing module is further adapted to:
determining the operation condition of the equipment at the node according to the historical operation data, and screening a corresponding safety situation evaluation rule;
and determining the security situation of the node based on the corresponding security situation evaluation rule.
8. The apparatus of claim 1, wherein the early warning module is further adapted to:
determining the weight of the security situation of each node, calculating the weighted sum of the security situation of each node, and judging whether the weighted sum is greater than a preset value;
if yes, the network is determined to be unsafe.
9. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the situation awareness-based network security early warning method as claimed in any one of claims 1 to 5.
10. A computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the situational awareness-based network security pre-warning method of any one of claims 1-5.
CN201911338769.3A 2019-12-23 2019-12-23 Network security early warning method and device based on situation awareness Active CN113098827B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911338769.3A CN113098827B (en) 2019-12-23 2019-12-23 Network security early warning method and device based on situation awareness

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911338769.3A CN113098827B (en) 2019-12-23 2019-12-23 Network security early warning method and device based on situation awareness

Publications (2)

Publication Number Publication Date
CN113098827A true CN113098827A (en) 2021-07-09
CN113098827B CN113098827B (en) 2023-06-16

Family

ID=76663008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911338769.3A Active CN113098827B (en) 2019-12-23 2019-12-23 Network security early warning method and device based on situation awareness

Country Status (1)

Country Link
CN (1) CN113098827B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114006719A (en) * 2021-09-14 2022-02-01 国科信创科技有限公司 AI verification method, device and system based on situation awareness
CN114640548A (en) * 2022-05-18 2022-06-17 宁波市镇海区大数据投资发展有限公司 Network security sensing and early warning method and system based on big data

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060236401A1 (en) * 2005-04-14 2006-10-19 International Business Machines Corporation System, method and program product to identify a distributed denial of service attack
CN101951329A (en) * 2010-09-27 2011-01-19 北京系统工程研究所 Network security situation evaluation method and system
US20170318046A1 (en) * 2016-04-28 2017-11-02 Shevirah Inc. Method and system for assessing data security
CN108429766A (en) * 2018-05-29 2018-08-21 广西电网有限责任公司 Network safety situation analyzing and alarming system based on big data and WSN technology
CN108494791A (en) * 2018-04-08 2018-09-04 北京明朝万达科技股份有限公司 A kind of DDOS attack detection method and device based on Netflow daily record datas
CN108881179A (en) * 2018-05-29 2018-11-23 深圳大图科创技术开发有限公司 Transmission line of electricity applied to smart grid reliably monitors system
CN109302408A (en) * 2018-10-31 2019-02-01 西安交通大学 A kind of network security situation evaluating method

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060236401A1 (en) * 2005-04-14 2006-10-19 International Business Machines Corporation System, method and program product to identify a distributed denial of service attack
CN101951329A (en) * 2010-09-27 2011-01-19 北京系统工程研究所 Network security situation evaluation method and system
US20170318046A1 (en) * 2016-04-28 2017-11-02 Shevirah Inc. Method and system for assessing data security
CN108494791A (en) * 2018-04-08 2018-09-04 北京明朝万达科技股份有限公司 A kind of DDOS attack detection method and device based on Netflow daily record datas
CN108429766A (en) * 2018-05-29 2018-08-21 广西电网有限责任公司 Network safety situation analyzing and alarming system based on big data and WSN technology
CN108881179A (en) * 2018-05-29 2018-11-23 深圳大图科创技术开发有限公司 Transmission line of electricity applied to smart grid reliably monitors system
CN109302408A (en) * 2018-10-31 2019-02-01 西安交通大学 A kind of network security situation evaluating method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
葛海慧等: "基于动态关联分析的网络安全风险评估方法", 《电子与信息学报》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114006719A (en) * 2021-09-14 2022-02-01 国科信创科技有限公司 AI verification method, device and system based on situation awareness
CN114006719B (en) * 2021-09-14 2023-10-13 国科信创科技有限公司 AI verification method, device and system based on situation awareness
CN114640548A (en) * 2022-05-18 2022-06-17 宁波市镇海区大数据投资发展有限公司 Network security sensing and early warning method and system based on big data

Also Published As

Publication number Publication date
CN113098827B (en) 2023-06-16

Similar Documents

Publication Publication Date Title
CN109922075B (en) Network security knowledge graph construction method and device and computer equipment
US8549645B2 (en) System and method for detection of denial of service attacks
AU2004289001B2 (en) Method and system for addressing intrusion attacks on a computer system
CN107465648B (en) Abnormal equipment identification method and device
CN112685682B (en) Method, device, equipment and medium for identifying forbidden object of attack event
CN111274583A (en) Big data computer network safety protection device and control method thereof
CN113098828A (en) Network security alarm method and device
CN111600880A (en) Method, system, storage medium and terminal for detecting abnormal access behavior
CN104954188B (en) Web log file safety analytical method based on cloud, device and system
CN113691507A (en) Industrial control network security detection method and system
CN111277561B (en) Network attack path prediction method and device and security management platform
CN109144023A (en) A kind of safety detection method and equipment of industrial control system
CN114268452A (en) Network security protection method and system
CN116614287A (en) Network security event evaluation processing method, device, equipment and medium
CN113098827B (en) Network security early warning method and device based on situation awareness
CN112307469A (en) Kernel intrusion prevention method and device, computing equipment and computer storage medium
CN113765850B (en) Internet of things abnormality detection method and device, computing equipment and computer storage medium
CN112311728A (en) Host attack and sink judgment method and device, computing equipment and computer storage medium
US12063200B2 (en) Systems and methods for sensor trustworthiness
CN111147497B (en) Intrusion detection method, device and equipment based on knowledge inequality
CN117391214A (en) Model training method and device and related equipment
CN114567482A (en) Alarm classification method and device, electronic equipment and storage medium
CN116846570A (en) Vulnerability assessment method and analysis equipment
CN113779564A (en) Security event prediction method and device
KR101872406B1 (en) Method and apparatus for quantitavely determining risks of malicious code

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant