CN114844667B - Intelligent security analysis management decision system and method based on network equipment - Google Patents
- Publication number: CN114844667B (application CN202210261857.3A)
- Authority: CN (China)
- Prior art keywords: security, event, security event, network, network equipment
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Description
Technical field
The invention belongs to the technical field of network security, and in particular relates to an intelligent security analysis management decision system based on network devices and a management method thereof.
Background art
The development of the Internet has not only brought the information society the convenience of data transmission; it has also brought with it network security problems of many kinds.
Generally speaking, network security refers to the technology that protects computers, servers, mobile devices, electronic systems, networks and data from malicious attacks; this technology is also called information technology security or electronic information security. Network security usually refers to the security of computer networks, but it can in fact also refer to the security of computer communication networks. A computer communication network is a system that interconnects several computers with independent functions through communication equipment and transmission media and, with the support of communication software, carries out the transmission and exchange of information between the computers. A computer network is a system that, for the purpose of sharing resources, uses communication means to connect several geographically dispersed, independent computer systems, terminal devices and data devices, and exchanges data between them under the control of protocols. The fundamental purpose of a computer network is resource sharing, and the communication network is the means by which network resources are shared; therefore, if the computer network is to be secure, the corresponding computer communication network must also be secure, so that it can provide information exchange and resource sharing to network users. The term applies to a variety of environments, from business to mobile computing, and can be divided into several common categories. Network security in its most general sense is the technology of protecting a computer network from intruders, whether through targeted attacks or opportunistic malware. Application security focuses on protecting software and devices from threats: a compromised application may give access to the very data it was designed to protect, and whether an application can be secured successfully is decided as early as the design stage, long before the program or device is deployed. Information security is designed to protect the integrity and privacy of data in storage and in transit. Operational security covers the processes and decisions for handling and protecting data assets; the permissions users have when accessing the network and the procedures that determine when and where data is stored or shared fall under this umbrella. Disaster recovery and business continuity define how an organization responds to a network security incident or any other event that causes loss of operations or data. A disaster recovery strategy specifies how the organization restores its operations and information to the same operational capacity it had before the event. Business continuity refers to the plans the organization relies on when it attempts to operate without certain resources.
Network security usually covers both hardware security and software security, and the two must be maintained together: the hardware must be assembled from suitable products and tested and inspected regularly, and the software needs anti-virus maintenance and upgrades. On the Internet, the most important link is the sharing of resources and information, and that sharing must be safeguarded by network security, because devices, data and computer systems are interconnected and exchange data under the control of protocols in order to feed information back. Network security is therefore also the security of communication and information.
The most effective approach to network security is network security defense based on an analysis of the network security situation.
Network security defense, also called network security protection, generally comprises the following basic security aspects which, when combined properly, can effectively stop attacks on an enterprise's data, networks and users. Firewall: the cornerstone of network defense for more than a decade, and still essential for solid baseline security today. Without a firewall to block harmful traffic, the work an enterprise must do to protect its own network assets multiplies. A firewall must be deployed at the enterprise's external perimeter, but it can also be placed inside the enterprise network to protect the data of each network segment. Deploying firewalls inside the enterprise is a relatively new but sound practice, which has arisen mainly because any tangible, reliable network boundary that separates trusted traffic from harmful traffic is disappearing; the old notion of a clear Internet perimeter no longer exists in modern networks. The latest change is that firewalls are becoming smarter and finer-grained, able to make decisions within the data flow. Today it is common for a firewall to control traffic based on the application type, or even on a particular function of an application; for example, a firewall can block a SIP voice call based on the calling number. Secure routers: routers are found almost everywhere in most networks. Conventionally they were used only as traffic police directing traffic, but modern routers can do far more than that. Routers have a complete set of security functions, sometimes even more complete than a firewall's. Most routers today offer robust firewall functions, some useful IDS/IPS functions, robust QoS and traffic management tools, and of course strong VPN data encryption, and the list goes on. Modern routers are fully capable of adding security to a network; with modern VPN technology, encrypting all traffic on the enterprise WAN is fairly simple and needs no additional staff. Some also make full use of their less typical functions, such as firewalling and IPS. Enable them on the router and the security situation improves considerably. Wireless WPA2: if WPA2 wireless security has not yet been adopted, switching to WPA2 with AES encryption will noticeably improve network security. Email security: email is the most easily attacked target. Viruses, malware and worms all favor email as a propagation channel, and email is also the channel through which sensitive data is most easily leaked. Web security: given the growing sophistication of Web-based attacks, an enterprise must deploy a robust Web security solution. Simple URL filtering has been used for many years and is indeed a core part of Web security, but Web security is far more than URL filtering; it also needs functions such as inline AV scanning, malware scanning, IP reputation identification, dynamic URL classification techniques and data leakage prevention. Attackers are compromising many high-profile websites at an alarming rate; if filtering relied only on URL blacklists and whitelists, only the whitelisted URLs might remain accessible. Any Web security solution must be able to scan Web traffic dynamically.
Defenses against network security attacks tend to follow traditional security protection rules and fail to adapt to the characteristics of the network devices themselves, the characteristics of the security events, and the protection levels involved, so that network security management and defense are not decided comprehensively at the system level. As a result, network security protection is always reactive, remedying damage after the fact and concentrating too much on local and transient data protection.
The present invention proposes a method and system for intelligent security analysis and management decision-making based on network devices. Addressing the network security attacks or network security configuration faults that a network device may encounter while operating in a cloud system, it proposes a security analysis and management decision-making method and system based on security event packets: security events are converted into corresponding security event packets and the packets are parsed after normalization, so that security event analysis and decision-making rest on three entry parameters, namely device confidence, processing level information and the security event parameter set, and the security analysis and global decision-making for network devices are carried out intelligently on the basis of security policy collection.
Summary of the invention
The invention aims to provide an intelligent security analysis management decision system and method based on network devices that improve on the prior art.
To achieve the above object, the technical solution of the present invention is as follows:
An intelligent security analysis management decision system based on network devices, the system comprising:
a plurality of network devices, each of which runs in a cloud computing network, processes network data processing requests submitted by clients and returns the data processing results;
the network device is further configured to send a security event message to the security event normalizer of the network-device-based intelligent security analysis management decision system when it encounters a network security event;
the security event message is used to record the information collected when the network device encounters a network security event;
wherein the security event message recording the information collected when the network device encounters a network security event means, specifically, that when network device A encounters a network security event, the security event message records at least the network device ID of the network device, a first parameter set of the security event, and the occurrence level and the associated level of the security event;
a security event normalizer, used to perform event-based message normalization on the security event message sent by the network device, decomposing the security event message into at least a network device ID field of the network device, a security event first parameter set field, and security event occurrence level and associated level fields;
the security event normalizer is further used to package the network device ID field of the network device into first event decision data and send it to the device confidence module; to package the security event first parameter set field into second event decision data and send it to the policy collection module; and to package the security event occurrence level and associated level into third event decision data and send it to the processing level module;
a device confidence module, used to receive the first event decision data, parse the network device ID of the network device from it, look up the network device security event confidence table by the network device ID, determine the network device security event confidence value, and send it to the intelligent management decision module;
a policy collection module, used to receive and parse the second event decision data, determine the corresponding security policy collection based on the security event first parameter set field, and send the corresponding security policy collection to the intelligent management decision module;
a processing level module, used to receive the third event decision data, parse the security event occurrence level and associated level from it, determine the corresponding security event processing operation level permission requirement based on the security event occurrence level and associated level, and send the determined security event processing operation level permission requirement to the intelligent management decision module;
wherein the corresponding security event processing operation level permission requirement is at least equal to or higher than the associated level of the security event;
an intelligent management decision module, which receives the network device security event confidence value, the security policy collection and the corresponding security event processing operation level permission requirement, and determines, by comparing the security event confidence value with a confidence threshold, whether to execute the intelligent security event management decision;
wherein determining whether to execute the intelligent security event management decision by comparing the security event confidence value with the confidence threshold means, specifically:
when the security event confidence value is greater than the confidence threshold, the intelligent security event management decision is executed directly; when the security event confidence value is less than the confidence threshold, a random algorithm is applied with the security event confidence value K1 as the probability: a random number is drawn from the range [0,1] and it is determined whether the result falls within [0,K1]; if so, the intelligent security event management decision is executed; if not, the intelligent security event management decision is not executed and the security event is confirmed as a false positive;
the intelligent security event management decision comprises at least: granting the security event handling object the processing operation level permission required by the security event processing operation level permission requirement, handling the security event with the corresponding security policy on the basis of the security policy collection, and recording the result in the database.
Preferably, the network device may be a cloud computing edge server, a router, a gateway or a service host.
Preferably, the network security event comprises at least one of the following: a network attack event, a non-attack network fault event, and a network information security level change event.
Preferably, the network device security event confidence table is preset by the network-device-based intelligent security analysis management decision system; the table contains at least network device ID information and the network device security event confidence values in one-to-one correspondence with that network device ID information, and the network device security event confidence value is computed from the historical security event credibility of the network device stored in the system database.
Preferably, the historical security event credibility of the network device stored in the system database equals the false positive probability of the network device's historical security events, and is updated and changes dynamically as the network device continues to report security events.
The present application also seeks to protect an intelligent security analysis management method based on network devices, the method comprising the following steps:
Step 1: operate each network device of a plurality of network devices so that it runs in a cloud computing network, processes network data processing requests submitted by clients and returns the data processing results;
the network device is further configured to send a security event message to the security event normalizer of the network-device-based intelligent security analysis management decision system when it encounters a network security event;
the security event message is used to record the information collected when the network device encounters a network security event;
wherein the security event message recording the information collected when the network device encounters a network security event means, specifically, that when network device A encounters a network security event, the security event message records at least the network device ID of the network device, a first parameter set of the security event, and the occurrence level and the associated level of the security event;
Step 2: operate the security event normalizer to perform event-based message normalization on the security event message sent by the network device, decomposing the security event message into at least a network device ID field of the network device, a security event first parameter set field, and security event occurrence level and associated level fields;
the security event normalizer is further used to package the network device ID field of the network device into first event decision data and send it to the device confidence module; to package the security event first parameter set field into second event decision data and send it to the policy collection module; and to package the security event occurrence level and associated level into third event decision data and send it to the processing level module;
Step 3: operate the device confidence module to receive the first event decision data, parse the network device ID of the network device from it, look up the network device security event confidence table by the network device ID, determine the network device security event confidence value, and send it to the intelligent management decision module;
Step 4: operate the policy collection module to receive and parse the second event decision data, determine the corresponding security policy collection based on the security event first parameter set field, and send the corresponding security policy collection to the intelligent management decision module;
Step 5: operate the processing level module to receive the third event decision data, parse the security event occurrence level and associated level from it, determine the corresponding security event processing operation level permission requirement based on the security event occurrence level and associated level, and send the determined security event processing operation level permission requirement to the intelligent management decision module;
wherein the corresponding security event processing operation level permission requirement is at least equal to or higher than the associated level of the security event;
Step 6: operate the intelligent management decision module to receive the network device security event confidence value, the security policy collection and the corresponding security event processing operation level permission requirement, and determine, by comparing the security event confidence value with a confidence threshold, whether to execute the intelligent security event management decision;
wherein determining whether to execute the intelligent security event management decision by comparing the security event confidence value with the confidence threshold means, specifically:
when the security event confidence value is greater than the confidence threshold, the intelligent security event management decision is executed directly; when the security event confidence value is less than the confidence threshold, a random algorithm is applied with the security event confidence value K1 as the probability: a random number is drawn from the range [0,1] and it is determined whether the result falls within [0,K1]; if so, the intelligent security event management decision is executed; if not, the intelligent security event management decision is not executed and the security event is confirmed as a false positive;
the intelligent security event management decision comprises at least: granting the security event handling object the processing operation level permission required by the security event processing operation level permission requirement, handling the security event with the corresponding security policy on the basis of the security policy collection, and recording the result in the database.
Preferably, the network device may be a cloud computing edge server, a router, a gateway or a service host.
Preferably, the network security event comprises at least one of the following: a network attack event, a non-attack network fault event, and a network information security level change event.
Preferably, the network device security event confidence table is preset by the network-device-based intelligent security analysis management decision system; the table contains at least network device ID information and the network device security event confidence values in one-to-one correspondence with that network device ID information, and the network device security event confidence value is computed from the historical security event credibility of the network device stored in the system database.
Preferably, the historical security event credibility of the network device stored in the system database equals the false positive probability of the network device's historical security events, and is updated and changes dynamically as the network device continues to report security events.
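The pipeline claimed in Steps 2 to 6 above (and in the corresponding system claims), modelled in Python as an added example; this is not the patent's own code. The 'key=value;...' message format, the confidence table values, the policy mapping, the sample messages and the choice of max(occurrence level, associated level) as the permission requirement are all assumptions introduced for the illustration.

```python
"""Model of the claimed security-event decision pipeline (added example, not the patent's code)."""
import random
from dataclasses import dataclass

# ---- constructed sample data (assumptions; the patent defines none of these values) ----
# Device security-event confidence table: device ID -> confidence value K1 in [0, 1].
# The patent derives K1 from each device's historical event credibility and updates it as
# events keep arriving; here the table is static for clarity.
DEVICE_CONFIDENCE_TABLE = {
    "edge-srv-01": 0.92,
    "router-07": 0.35,
    "gateway-02": 0.60,
}
CONFIDENCE_THRESHOLD = 0.8

# Policy collection: event type (taken from the first parameter set) -> security policy.
POLICY_COLLECTION = {
    "attack": "block-source-and-raise-alert",
    "fault": "failover-and-notify-ops",
    "level_change": "re-evaluate-segment-acl",
}

# Constructed security event messages in an assumed 'key=value;...' wire format.
HIGH_CONFIDENCE_MSG = ("device_id=edge-srv-01;params=type:attack,src:203.0.113.7;"
                       "occurrence_level=2;associated_level=3")
LOW_CONFIDENCE_MSG = "device_id=router-07;params=type:fault;occurrence_level=1;associated_level=1"

AUDIT_DB = []  # stands in for the database the decision is recorded to


@dataclass
class SecurityEvent:
    device_id: str
    param_set: dict
    occurrence_level: int
    associated_level: int


def normalize(message: str) -> SecurityEvent:
    """Security event normalizer: split the message into the four claimed fields."""
    fields = {}
    for part in message.split(";"):
        if part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    param_set = {}
    for item in fields.get("params", "").split(","):
        if item:
            pkey, _, pvalue = item.partition(":")
            param_set[pkey] = pvalue
    return SecurityEvent(fields["device_id"], param_set,
                         int(fields["occurrence_level"]), int(fields["associated_level"]))


def device_confidence(device_id: str) -> float:
    """Device confidence module: look up K1 by device ID (first event decision data)."""
    return DEVICE_CONFIDENCE_TABLE[device_id]


def policy_for(param_set: dict) -> str:
    """Policy collection module: pick the policy from the first parameter set."""
    return POLICY_COLLECTION[param_set["type"]]


def required_operation_level(occurrence_level: int, associated_level: int) -> int:
    """Processing level module. The claim only requires the result to be >= the associated
    level; taking the max of both levels (an assumption) satisfies that."""
    return max(occurrence_level, associated_level)


def should_execute(k1: float, threshold: float, draw: float) -> bool:
    """Claimed decision rule: K1 > threshold -> execute directly; otherwise draw a
    uniform number in [0,1] and execute only if it lands in [0, K1]."""
    if k1 > threshold:
        return True
    return 0.0 <= draw <= k1


def decide(message: str, threshold: float = CONFIDENCE_THRESHOLD, draw=None) -> dict:
    """Intelligent management decision module: combine the three module outputs."""
    event = normalize(message)
    k1 = device_confidence(event.device_id)
    if draw is None:            # a fixed draw makes the randomized branch testable
        draw = random.random()
    result = {"device_id": event.device_id, "confidence": k1,
              "execute": should_execute(k1, threshold, draw)}
    if result["execute"]:
        # grant the required operation level, then handle with the collected policy
        result["grant_level"] = required_operation_level(event.occurrence_level,
                                                         event.associated_level)
        result["policy"] = policy_for(event.param_set)
    else:
        result["disposition"] = "false_positive"
    AUDIT_DB.append(result)     # record the decision
    return result


if __name__ == "__main__":
    print(decide(HIGH_CONFIDENCE_MSG))
    print(decide(LOW_CONFIDENCE_MSG))
```

Passing a fixed `draw` shows both outcomes of the randomized branch for the low-confidence device; without it the module draws uniformly, so a device with K1 = 0.35 has its low-confidence events acted on 35% of the time and marked as false positives otherwise.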
Brief description of the drawings
Fig. 1 is a basic system structure diagram of the network-device-based intelligent security analysis management decision system of the present invention;
Fig. 2 is a basic system structure diagram of the security event normalizer in the network-device-based intelligent security analysis management decision system of the present invention;
Fig. 3 is a basic system structure diagram of the interconnection of the security event normalizer module with the device confidence module, the policy collection module and the processing level module in the network-device-based intelligent security analysis management decision system of the present invention;
Fig. 4 is a flow chart of the steps of a preferred embodiment of the network-device-based intelligent security analysis management method of the present invention;
Fig. 5 is a schematic diagram of a preferred embodiment of the step of executing the intelligent security event management decision in the network-device-based intelligent security analysis management method of the present invention.
Detailed description
Several embodiments and beneficial effects of the network-device-based intelligent security analysis management decision system claimed in the present invention are described in detail below, to facilitate a more thorough examination and breakdown of the invention.
To better understand the technical solution of the present invention, the embodiments of the present invention are described in detail below with reference to the accompanying drawings.
It should be clear that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms used in the embodiments of the present invention are for the purpose of describing particular embodiments only and are not intended to limit the invention. As used in the embodiments of the present invention and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, A and B together, or B alone. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
It should be understood that although the terms first, second, etc. may be used in the embodiments of the present invention to describe methods and corresponding apparatus, these keywords should not be limited to these terms. The terms are used only to distinguish keywords from one another. For example, without departing from the scope of the embodiments of the present invention, the first parameter set and first event decision data may also be called the second parameter set and second event decision data, and similarly the second parameter set and second event decision data may also be called the first parameter set and first event decision data.
Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when", "in response to determining" or "in response to detecting". Similarly, depending on the context, the phrase "if it is determined" or "if (the stated condition or event) is detected" may be interpreted as "when it is determined", "in response to determining", "when (the stated condition or event) is detected" or "in response to detecting (the stated condition or event)".
As shown in Figures 1-3 of the description, which illustrate one embodiment of the network-device-based intelligent security analysis management decision system claimed in the present invention and the interconnection of its internal modules, the system includes:
a plurality of network devices, each running in a cloud computing network, processing network data processing requests from clients and returning data processing results;
the network device is further configured to send a security event message to the security event normalizer of the network-device-based intelligent security analysis management decision system when it encounters a network security event;
the security event message is used to record the information collected when the network device encounters a network security event;
wherein the security event message recording the information collected when the network device encounters a network security event specifically means: when network device A encounters a network security event, the security event message records at least the network device ID of the network device, the first security event parameter set, and the security event occurrence level and associated level;
As a superimposable preferred embodiment, the security event message recording the information collected when the network device encounters a network security event may specifically be: when network device A encounters a network security event, the message records at least the device's network device ID, the first security event parameter set, and the security event occurrence level and associated level. The network device ID characterizes the distinctness of a network device and identifies it. The first security event parameter set contains at least: the data message protocol flow table of this security event, used to record and summarize the protocol family types of the data messages transmitted in error; the security fault range, used to determine the concurrency range of the security fault; and the new security fault indicator, used to determine whether this security fault is newly occurring within a specified period. As another superimposable preferred embodiment, the concurrency range of a security fault is determined as follows: when network device A fails, it sends a fault probe message to its directly connected or upstream/downstream network devices of the same type, to detect whether those devices have the same type of fault; if they do, fault probe messages continue to be sent to their own directly connected or upstream/downstream devices of the same type, to detect whether those in turn have the same type of fault, and so on, until either no fault is found or the fault probe message has been sent at least three times, at which point probing stops. The value of the security fault range is the number of times the fault probe message was sent; if the probe has been sent at least three times and the upper limit is reached, the security fault range equals 3.
The new security fault indicator is used to determine, within a specified maintenance period such as 3 days, whether this is the first new fault of a particular network device; it serves to determine the device's fault occurrence rate, and from that rate a repair probability is determined, which is proportional to the new security fault indicator. If the device's fault is new within the period, the new security fault indicator is 1, characterizing this fault; if the fault is not new within the period and has already occurred K times, the indicator is K+1. As another superimposable preferred embodiment, the security event occurrence level and associated level characterize the level at which the security event occurred and the level associated with it. As a further superimposable preferred embodiment, the occurrence level characterizes whether the fault of the security event originates from one of: the delivery layer of the cloud computing system, i.e. the underlying client layer; the edge connection layer, i.e. the network device layer from the underlying clients (exclusive) to the cloud edge devices; or the cloud center layer, i.e. the central computing layer from the cloud computing center of the network-device-based intelligent security analysis management decision system to the cloud edge devices (exclusive). The level immediately above the occurrence level of the network security event (if any) is taken as the associated level of the security event, and both are recorded in the security event occurrence level and associated level fields of the security event message.
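The two derived fields of the first parameter set, the security fault range and the new security fault indicator, are easier to see in code. The block below is an added example, not the patent's own code: the device topology, the set of faulted devices and the fault history are constructed here; only the probe cap of three sends and the 3-day maintenance period come from the text. Probing is modelled hop by hop over same-type peers, which is one reading of "directly connected or upstream/downstream devices of the same type".

```python
"""Added example (not from the patent): deriving the security fault range and
the new security fault indicator of the first parameter set.  The topology,
fault set and fault history are constructed; the probe cap (three sends) and
the 3-day maintenance period come from the text."""
from datetime import datetime, timedelta

MAX_PROBE_SENDS = 3                       # probing stops once the probe has been sent 3 times
MAINTENANCE_PERIOD = timedelta(days=3)    # "specific maintenance period, e.g. 3 days"

# Constructed chain of same-type devices: each ID maps to its directly
# connected / upstream / downstream peers of the same type.
SAMPLE_TOPOLOGY = {
    "A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C", "E"], "E": ["D"],
}

def security_fault_range(origin, topology, faulted):
    """Hop-by-hop fault probing from the failed device `origin`.

    One probe send covers the peers of the current frontier.  A peer that
    reports the same fault joins the next frontier, so probing spreads one hop
    further; probing stops when a hop finds no faulted peer or when the probe
    has been sent MAX_PROBE_SENDS times.  The send count is the security
    fault range (3 at the cap).
    """
    frontier = [origin]
    seen = {origin}
    sends = 0
    while frontier and sends < MAX_PROBE_SENDS:
        sends += 1                            # one probe send for this hop
        next_frontier = []
        for dev in frontier:
            for peer in topology.get(dev, ()):
                if peer in seen:
                    continue
                seen.add(peer)
                if peer in faulted:           # peer answers: same-type fault present
                    next_frontier.append(peer)
        frontier = next_frontier              # empty when no fault was found this hop
    return sends

def new_fault_indicator(history, now):
    """1 if the device had no fault in the maintenance period ending at `now`,
    otherwise K+1 where K is the number of faults already seen in the period
    (the K = 0 case gives exactly the value 1 the text assigns to a new fault)."""
    k = sum(1 for t in history if now - MAINTENANCE_PERIOD < t <= now)
    return k + 1

SAMPLE_NOW = datetime(2022, 3, 10, 12, 0)
SAMPLE_HISTORY = [                            # constructed earlier faults of device "A"
    SAMPLE_NOW - timedelta(days=1),           # inside the 3-day window
    SAMPLE_NOW - timedelta(days=5),           # outside the window
]

def build_first_parameter_set(protocol_flow_table, origin, topology, faulted, history, now):
    """Assemble the first parameter set as the security event message carries it."""
    return {
        "protocol_flow_table": sorted(set(protocol_flow_table)),  # protocol families seen in error
        "fault_range": security_fault_range(origin, topology, faulted),
        "new_fault_indicator": new_fault_indicator(history, now),
    }

if __name__ == "__main__":
    print(build_first_parameter_set(["tcp", "tcp", "icmp"], "A", SAMPLE_TOPOLOGY,
                                    {"A", "B", "C", "D"}, SAMPLE_HISTORY, SAMPLE_NOW))
```

With devices A through D all faulted, the probe reaches its third send and the fault range is capped at 3; with only A and B faulted the second hop finds nothing and the range is 2. The cap matters for a defender: it bounds the probe traffic a single fault can trigger across the segment, so a cascading fault cannot turn the probing itself into a flood.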
a security event normalizer, used to perform event-based message normalization on the security event message sent by the network device, decomposing the message into at least the network device ID field of the network device, the first security event parameter set field, and the security event occurrence level and associated level field;
the security event normalizer is further used to package the network device ID field of the network device into first event decision data and send it to the device confidence module; to package the first security event parameter set field into second event decision data and send it to the policy collection module; and to package the security event occurrence level and associated level into third event decision data and send it to the processing level module;
a device confidence module, used to receive the first event decision data, parse the network device ID of the network device in it, look up the network device security event confidence table by that ID, determine the network device security event confidence value and send it to the intelligent management decision module;
a policy collection module, used to receive and parse the second event decision data, determine the corresponding security policy collection based on the first security event parameter set field, and send the corresponding security policy collection to the intelligent management decision module;
As a superimposable preferred embodiment, the policy collection module determining the corresponding security policy collection based on the first security event parameter set field specifically means: the policy collection module parses the security event data message protocol flow table, the security fault range field and the new security fault indicator, and jointly determines the corresponding security event management policy from these three. The security event management policy may be decided by the system administrator according to the above indicators, or decided automatically by the system from a security policy collection lookup table.
As a superimposable preferred embodiment, the security policy collection module stores a system-preset security policy collection lookup table, which contains at least each security policy together with its corresponding security event data message protocol flow table, security fault range field and range of the new security fault indicator; by looking up the security event data message protocol flow table, security fault range field and new security fault indicator carried in the security event message, the corresponding security policy collection can be found in the lookup table and sent to the intelligent management decision module.
a processing level module, used to receive the third event decision data, parse the security event occurrence level and associated level in it, determine the corresponding security event processing operation level permission requirement based on the occurrence level and associated level, and send the determined requirement to the intelligent management decision module;
wherein the corresponding security event processing operation level permission requirement is at least higher than or equal to the associated level of the security event;
an intelligent management decision module, which receives the network device security event confidence value, the security policy collection and the corresponding security event processing operation level permission requirement, and determines, based on a comparison of the security event confidence value with a confidence threshold, whether to execute the intelligent security event management decision;
wherein determining whether to execute the intelligent security event management decision based on the comparison of the security event confidence value with the confidence threshold specifically means:
when the security event confidence value is greater than the confidence threshold, the intelligent security event management decision is executed directly; when the security event confidence value is less than the confidence threshold, a random algorithm is applied with the security event confidence value K1 as the probability: a random number is drawn in the range [0,1] and it is checked whether the result falls in [0,K1]; if so, the intelligent security event management decision is executed; if not, it is not executed and the security event is confirmed as a false alarm;
the intelligent security event management decision includes at least: granting the security event handling object the processing operation level permission required by the security event processing operation level permission requirement, and, based on the security policy collection, handling the security event with the corresponding security policy and recording it in the database.
As a superimposable embodiment, the network device may be a cloud computing edge server, a router, a gateway or a service host.
As another superimposable embodiment, the network security event includes at least one of the following: a network attack event, a non-attack network fault event, or a network information security level change event.
As another superimposable embodiment, the network device security event confidence table is preset by the network-device-based intelligent security analysis management decision system; the table contains at least network device ID information and, in one-to-one correspondence with it, a network device security event confidence value, which is computed from the historical security event credibility of the network device stored in the system database.
As another superimposable embodiment, the historical security event credibility of a network device stored in the system database equals the false-alarm probability of that device's historical security events, and is updated and changes dynamically as the device keeps reporting security events.
As shown in Figures 4-5 of the description, which are schematic diagrams of preferred display embodiments of the network-device-based intelligent security analysis management method claimed in the present invention and of its step of executing the intelligent security event management decision, the method includes the following steps:
Step S102: operating each of a plurality of network devices to run in a cloud computing network, process network data processing requests from clients and return data processing results;
the network device is further configured to send a security event message to the security event normalizer of the network-device-based intelligent security analysis management decision system when it encounters a network security event;
the security event message is used to record the information collected when the network device encounters a network security event;
wherein the security event message recording the information collected when the network device encounters a network security event specifically means: when network device A encounters a network security event, the security event message records at least the network device ID of the network device, the first security event parameter set, and the security event occurrence level and associated level;
Step S104: operating the security event normalizer to perform event-based message normalization on the security event message sent by the network device, decomposing the message into at least the network device ID field of the network device, the first security event parameter set field, and the security event occurrence level and associated level field;
the security event normalizer is further used to package the network device ID field of the network device into first event decision data and send it to the device confidence module; to package the first security event parameter set field into second event decision data and send it to the policy collection module; and to package the security event occurrence level and associated level into third event decision data and send it to the processing level module;
Step S106: operating the device confidence module to receive the first event decision data, parse the network device ID of the network device in it, look up the network device security event confidence table by that ID, determine the network device security event confidence value and send it to the intelligent management decision module;
Step S108: operating the policy collection module to receive and parse the second event decision data, determine the corresponding security policy collection based on the first security event parameter set field, and send the corresponding security policy collection to the intelligent management decision module;
Step S110: operating the processing level module to receive the third event decision data, parse the security event occurrence level and associated level in it, determine the corresponding security event processing operation level permission requirement based on the occurrence level and associated level, and send the determined requirement to the intelligent management decision module;
wherein the corresponding security event processing operation level permission requirement is at least higher than or equal to the associated level of the security event;
Step S112: operating the intelligent management decision module to receive the network device security event confidence value, the security policy collection and the corresponding security event processing operation level permission requirement, and determine, based on a comparison of the security event confidence value with a confidence threshold, whether to execute the intelligent security event management decision;
wherein determining whether to execute the intelligent security event management decision based on the comparison of the security event confidence value with the confidence threshold specifically means:
when the security event confidence value is greater than the confidence threshold, the intelligent security event management decision is executed directly; when the security event confidence value is less than the confidence threshold, a random algorithm is applied with the security event confidence value K1 as the probability: a random number is drawn in the range [0,1] and it is checked whether the result falls in [0,K1]; if so, the intelligent security event management decision is executed; if not, it is not executed and the security event is confirmed as a false alarm;
the intelligent security event management decision includes at least: granting the security event handling object the processing operation level permission required by the security event processing operation level permission requirement, and, based on the security policy collection, handling the security event with the corresponding security policy and recording it in the database.
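The module pipeline of the system embodiment above and steps S104 to S112 of the method describe the same flow: normalize one message into three decision packets, look up device confidence, policy collection and permission level, then apply the threshold-or-sample rule. The block below is an added example, not the patent's own code. The layer encoding (delivery = 0, edge = 1, center = 2), the confidence table values, the policy lookup table rows, the confidence threshold and the fallback for a device missing from the table are all constructed assumptions; the decision rule (direct execution above the threshold, otherwise a draw in [0,1] compared with K1) follows the text.

```python
"""Added example (not the patent's own code): the normalizer -> module ->
decision pipeline of the system embodiment and of steps S104-S112.  Layer
encoding, confidence table, policy table and threshold are assumptions."""
import random

DELIVERY, EDGE, CENTER = 0, 1, 2      # assumed encoding of the three cloud layers
CONFIDENCE_THRESHOLD = 0.8            # assumed; the patent does not fix a value

# Constructed confidence table: device ID -> security event confidence value.
CONFIDENCE_TABLE = {"edge-srv-01": 0.95, "router-07": 0.40}

# Constructed policy collection lookup table: protocol family, fault range and
# inclusive range of the new fault indicator that select a policy name.
POLICY_TABLE = [
    ("tcp", 1, (1, 1), "isolate-port-and-alert"),
    ("tcp", 1, (2, 99), "isolate-port-and-schedule-repair"),
    ("tcp", 3, (1, 99), "segment-wide-acl-and-escalate"),
]

SAMPLE_MESSAGE = {                    # constructed security event message
    "device_id": "router-07",
    "params": {"protocol_flow_table": ["icmp", "tcp"],
               "fault_range": 1, "new_fault_indicator": 1},
    "occurrence_level": EDGE,
    "associated_level": CENTER,       # the level above the occurrence level
}

def normalize(message):
    """Step S104: split one message into the three event decision packets."""
    first = {"device_id": message["device_id"]}
    second = {"params": message["params"]}
    third = {"occurrence_level": message["occurrence_level"],
             "associated_level": message["associated_level"]}
    return first, second, third

def device_confidence(first):
    """Step S106: table lookup by device ID (unknown device -> 0.0, an assumption)."""
    return CONFIDENCE_TABLE.get(first["device_id"], 0.0)

def policy_collection(second):
    """Step S108: match flow table, fault range and new fault indicator against
    the lookup table; None means no preset policy and the administrator decides."""
    p = second["params"]
    for proto, fault_range, (lo, hi), policy in POLICY_TABLE:
        if (proto in p["protocol_flow_table"] and p["fault_range"] == fault_range
                and lo <= p["new_fault_indicator"] <= hi):
            return policy
    return None

def permission_requirement(third):
    """Step S110: required operation level, at least the associated level.  An
    event at the top layer has no level above it, so the occurrence level is
    used instead (assumption)."""
    assoc = third["associated_level"]
    return third["occurrence_level"] if assoc is None else assoc

def decide(confidence, draw):
    """Step S112 rule.  `draw` returns a number in [0,1]; a value exactly at
    the threshold takes the sampled path (the text only covers > and <)."""
    if confidence > CONFIDENCE_THRESHOLD:
        return True, "executed"
    if draw() <= confidence:          # random result falls in [0, K1]
        return True, "executed (sampled)"
    return False, "false alarm"

def handle_event(message, draw=random.SystemRandom().random):
    """Run one message through all modules; returns the decision record the
    system would write to its database (false alarms are recorded too)."""
    first, second, third = normalize(message)
    confidence = device_confidence(first)
    execute, reason = decide(confidence, draw)
    record = {"device_id": first["device_id"], "confidence": confidence,
              "execute": execute, "reason": reason}
    if execute:
        record["granted_level"] = permission_requirement(third)
        record["policy"] = policy_collection(second)
    return record

if __name__ == "__main__":
    print(handle_event(SAMPLE_MESSAGE))
```

Two design choices worth noting. The sampled path draws from `random.SystemRandom` rather than the default Mersenne Twister generator, so a low-confidence reporter cannot learn the generator state and predict which of its events will be dropped as false alarms. And the decision record is returned for the false-alarm branch as well, so that the confidence table can be updated from the full history of what a device reported, as the embodiment on dynamic credibility requires.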
As another superimposable embodiment, the network device may be a cloud computing edge server, a router, a gateway or a service host.
As another superimposable embodiment, the network security event includes at least one of the following: a network attack event, a non-attack network fault event, or a network information security level change event.
As another superimposable embodiment, the network device security event confidence table is preset by the network-device-based intelligent security analysis management decision system; the table contains at least network device ID information and, in one-to-one correspondence with it, a network device security event confidence value, which is computed from the historical security event credibility of the network device stored in the system database.
As another superimposable embodiment, the historical security event credibility of a network device stored in the system database equals the false-alarm probability of that device's historical security events, and is updated and changes dynamically as the device keeps reporting security events.
The present invention proposes a method and system for intelligent security analysis and management decision-making based on network devices. Addressing the network security attacks or network security system configuration faults that may occur while network devices operate in a cloud system, it proposes a security analysis and management decision-making method and system based on security event data packets: security events are converted into corresponding security event data packets, which are parsed by normalization, so that security event analysis and decisions rest on three entry parameters, namely device confidence, processing level information and the security event parameter set, and intelligently realize security analysis and global decisions for network devices on the basis of security policy collection.
In all of the above embodiments, to meet particular data transmission or read/write function requirements, devices, modules, components, hardware, pin connections, or differences in memory and processors may be added during the operation of the above method and its corresponding apparatus to extend the functionality.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working process of the methods, apparatus and units described above may refer to the corresponding processes in the foregoing method embodiments and is not repeated here.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, apparatus and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of method steps is only a logical or functional division, and other divisions are possible in actual implementation, e.g. multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatus or units, and may be electrical, mechanical or of another form.
The units described as the individual steps of the method or as separate components of the apparatus may or may not be logically or physically separate, and may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the method steps, their implementations and the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware, or in hardware plus software functional units.
When the above method and apparatus are implemented as an integrated unit in the form of a software functional unit, that unit may be stored in a computer-readable storage medium. The software functional unit stored in the storage medium includes a number of instructions that cause a computer apparatus (which may be a personal computer, a server, a network apparatus, etc.) or a processor to execute some of the steps of the methods described in the embodiments of the present invention. The storage medium includes: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), NVRAM, a magnetic disk, an optical disk, or any other medium that can store program code.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included in the protection scope of the present invention.
It should be noted that the above embodiments are only intended to explain and set forth the technical solution of the present invention more clearly, not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210261857.3A CN114844667B (en) | 2022-03-16 | 2022-03-16 | Intelligent security analysis management decision system and method based on network equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114844667A CN114844667A (en) | 2022-08-02 |
| CN114844667B true CN114844667B (en) | 2023-04-07 |
Family
ID=82562052
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210261857.3A Active CN114844667B (en) | 2022-03-16 | 2022-03-16 | Intelligent security analysis management decision system and method based on network equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114844667B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104901960A (en) * | 2015-05-26 | 2015-09-09 | 汉柏科技有限公司 | Device and method for network security management based on alarm strategy |
| CN110011849A (en) * | 2019-04-08 | 2019-07-12 | 郑州轨道交通信息技术研究院 | A kind of association analysis alarm method based on normalization event format |
| CN114219374A (en) * | 2022-02-21 | 2022-03-22 | 济南法诺商贸有限公司 | Big data analysis decision system and method based on block chain |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| RU2762528C1 (en) * | 2020-06-19 | 2021-12-21 | Акционерное общество "Лаборатория Касперского" | Method for processing information security events prior to transmission for analysis |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | CP01 | Change in the name or title of a patent holder | Address after: 250101 814, block D, Sanqing century wealth center, No. 359, Shunhua Road, Jinan area, China (Shandong) pilot Free Trade Zone, Jinan City, Shandong Province. Patentee after: Fano Information Industry Co.,Ltd. Address before: 250101 814, block D, Sanqing century wealth center, No. 359, Shunhua Road, Jinan area, China (Shandong) pilot Free Trade Zone, Jinan City, Shandong Province. Patentee before: Jinan fanuo Trading Co.,Ltd. |
| | GR01 | Patent grant | |
| 20241026 | TR01 | Transfer of patent right | Effective date of registration: 20241026. Address after: 250000, Floor 3, Building 1, Baowei Science and Technology Park, No. 3003 Xinluo Street, Jinan Area, China (Shandong) Pilot Free Trade Zone, Jinan City, Shandong Province, China. Patentee after: Jinan Jubang Information Technology Co.,Ltd. Country or region after: China. Address before: 250101 814, block D, Sanqing century wealth center, No. 359, Shunhua Road, Jinan area, China (Shandong) pilot Free Trade Zone, Jinan City, Shandong Province. Patentee before: Fano Information Industry Co.,Ltd. Country or region before: China |