CN117811824A - Network path analysis system and method for network security anomaly detection - Google Patents

Info

Publication number: CN117811824A
Authority: CN (China)
Prior art keywords: threshold, network, traffic, analysis system, network path
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410025208.2A
Other languages: Chinese (zh)
Inventor: 何军红
Current Assignee: Northwestern Polytechnical University (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Northwestern Polytechnical University
Application filed by Northwestern Polytechnical University; priority to CN202410025208.2A; publication of CN117811824A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a network path analysis system and method for network security anomaly detection, in the technical field of network analysis systems. The analysis system periodically performs a self-check to analyse its own operating status and determines whether the current operating status supports security anomaly detection of the network path; it obtains all special scenarios in the network path operating environment, analyses them with a regression analysis model to obtain regression coefficients, combines the regression coefficients with the operating status of the analysis system to generate a correction index, and obtains a dynamic traffic threshold by adjusting the initial traffic threshold with the correction index. The analysis system performs the self-check in real time during use to ensure stable detection on the network path, and because the dynamic traffic threshold is derived from both the special scenarios in the operating environment and the operating status of the analysis system, frequent false alarms in special scenarios are effectively avoided.

Description

Network path analysis system and method for network security anomaly detection
Technical Field
The invention relates to the technical field of network analysis systems, in particular to a network path analysis system and method for network security anomaly detection.
Background
With the popularization of the internet and the continuous development of technology, network security threats have become more complex and better hidden, and traditional protection measures may no longer cope effectively with new attacks and threats, so more advanced and intelligent security technologies are needed. Network security anomaly detection is a key component in protecting computer systems and networks from malicious attacks, and network path analysis systems are an important technology for it: they identify abnormal behaviour and potential security threats in the network by monitoring and analysing network traffic, data packets, logs and other relevant information.
The prior art has the following defects:
1. a conventional analysis system usually performs security anomaly detection on a network path, but in practice, if the analysis system itself is abnormal, the detection is either over-detected or missed (under-detected): over-detection causes frequent false alarms from the analysis system, while missed detection degrades detection accuracy;
2. even if the analysis system itself is not abnormal, an existing analysis system usually analyses the traffic of the network path: after acquiring the traffic in real time, it compares the real-time traffic with a preset traffic threshold and reports the traffic as abnormal when it exceeds the threshold. However, when the network path encounters a special scenario in use, its traffic increases, and with a fixed traffic threshold as the reference value the analysis system frequently raises false alarms.
Disclosure of Invention
The invention aims to provide a network path analysis system and a network path analysis method for network security anomaly detection, which are used for solving the defects in the background technology.
In order to achieve the above object, the present invention provides the following technical solutions: a network path analysis method for network security anomaly detection, the analysis method comprising the steps of:
S1: an analysis system port obtains historical traffic data of the network path operating environment; the historical traffic data comprises normal traffic data and abnormal traffic data, and an initial traffic threshold for the current operating environment is generated by a threshold algorithm based on the normal and abnormal traffic data;
S2: the analysis system periodically performs a self-check to analyse its own operating status and judges whether the current operating status supports security anomaly detection of the network path; if it does not, an alarm signal is sent to the network administrator;
S3: if the operating status supports security anomaly detection of the network path, the analysis system monitors the network traffic of the network path in real time;
S4: all special scenarios in the network path operating environment are acquired and analysed with a regression analysis model to obtain regression coefficients, and the regression coefficients are combined with the operating status of the analysis system to generate a correction index;
S5: the analysis system obtains a dynamic traffic threshold by adjusting the initial traffic threshold with the correction index, compares the network traffic acquired in real time with the dynamic traffic threshold, and, when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management strategy and sends a warning signal to the administrator.
In a preferred embodiment, in step S1, generating the initial traffic threshold of the current operating environment by a threshold algorithm based on the normal and abnormal traffic data includes the following steps:
S101: acquire the average traffic and the standard deviation of the normal traffic of the network path when it is used in the current operating environment;
S102: acquire the average traffic of the abnormal traffic of the network path when it is used in the current operating environment;
S103: calculate the initial traffic threshold from the average value of the abnormal traffic, the standard deviation of the normal traffic and the average value of the normal traffic, with the following expression:
where yz_initial is the initial traffic threshold, Y_avg is the average value of the abnormal traffic, Y_max is the maximum value of the abnormal traffic, P is the average value of the normal traffic, and LQ is the standard deviation of the normal traffic.
In a preferred embodiment, the standard deviation LQ of the normal traffic is calculated by the following expression: where P represents the average value of the normal traffic, i = {1, 2, 3, ..., n}, n represents the number of normal-traffic sampling points, n is a positive integer, and P_i represents the traffic value at the i-th normal-traffic sampling point;
the average value of the abnormal traffic is calculated by the following expression:
where j = {1, 2, 3, ..., m}, m represents the number of abnormal-traffic sampling points, m is a positive integer, Y_j represents the traffic value at the j-th abnormal-traffic sampling point, and Y_avg represents the average value of the abnormal traffic.
In a preferred embodiment, in step S2, the analysis system periodically performs a self-check to analyse its own operating status and judges whether the current operating status supports security anomaly detection of the network path, which includes the following steps:
S201: acquire the computing-power early-warning time period and the error-reporting early-warning time period;
S202: integrate over the computing-power early-warning period and the error-reporting early-warning period to obtain the self-checking coefficient zj_x of the analysis system, with the following expression: where z(t) represents the response-time variation of the analysis system, [t_x, t_y] is the computing-power early-warning period, and [t_i, t_j] is the error-reporting early-warning period;
S203: after obtaining zj_x, compare it with a preset first self-checking threshold and a preset second self-checking threshold, where the second self-checking threshold is used to judge whether the analysis system supports security anomaly detection of the network path and the first self-checking threshold is used to judge whether the analysis system has a slight abnormality;
S204: if zj_x exceeds the second self-checking threshold, judge that the analysis system does not support security anomaly detection of the network path and send a warning signal to the network administrator;
S205: if zj_x is less than or equal to the second self-checking threshold, judge that the analysis system supports security anomaly detection of the network path;
S206: if the first self-checking threshold < zj_x ≤ the second self-checking threshold, judge that the analysis system supports security anomaly detection of the network path but has a slight abnormality, so the initial threshold needs to be adjusted dynamically;
S207: if zj_x ≤ the first self-checking threshold, judge that the analysis system supports security anomaly detection of the network path and has no abnormality.
In a preferred embodiment, the analysis system monitors its real-time computing power and records the time period during which the real-time computing power is below a computing-power threshold; the longer it stays below the threshold, the less the analysis system supports security anomaly detection of the network path, so this period is taken as the computing-power early-warning period;
when the analysis system reports errors, the number of consecutive error reports is recorded, and when that number exceeds a count threshold, the period during which the consecutive error count exceeds the count threshold is the error-reporting early-warning period.
In a preferred embodiment, in step S4, acquiring all special scenarios in the network path operating environment and analysing them with the regression analysis model to obtain regression coefficients includes the following steps:
acquire all special scenarios that influence network traffic growth in the current operating environment, where the special scenarios comprise primary special scenarios and secondary special scenarios; collect all primary special scenarios into a set s, denote them {s_1, s_2, ..., s_k}, where k is the number of primary special scenarios in the set s, and calculate the regression coefficient by a logistic regression analysis method, with the following expression:
where hg_z is the regression coefficient, Q is a constant term with value 0.442 representing the influence amplitude of the secondary special scenarios on the regression coefficient when no primary special scenario is present, {s_1, s_2, ..., s_k} are the variables, {ω_1, ω_2, ..., ω_k} are the regression coefficients of the variables, and each regression coefficient ω > 0.
In a preferred embodiment, in step S4, combining the regression coefficient with the operating status of the analysis system to generate the correction index includes the following steps:
if the first self-checking threshold < zj_x ≤ the second self-checking threshold, judge that the analysis system supports security anomaly detection of the network path but has a slight abnormality, so the initial threshold is adjusted dynamically;
obtain the value of the self-checking coefficient zj_x while the analysis system has the slight abnormality, and combine it with the regression coefficient hg_z to generate the correction index, with the following expression: where zj_x is the self-checking coefficient, hg_z is the regression coefficient and xz_s is the correction index.
In a preferred embodiment, in step S4, obtaining the dynamic traffic threshold after adjusting the initial traffic threshold by the correction index includes the following step: the dynamic traffic threshold is obtained by correcting the initial traffic threshold with the correction index, with the following expression: where yz_dynamic is the dynamic traffic threshold, yz_initial is the initial traffic threshold and xz_s is the correction index.
In a preferred embodiment, in step S5, the analysis system compares the network traffic acquired in real time with the dynamic traffic threshold as follows:
S501: after obtaining the dynamic traffic threshold, the analysis system compares the network traffic of the network path acquired in real time with the dynamic traffic threshold;
S502: if the network traffic is less than or equal to the dynamic traffic threshold, the current network path is judged to have no security anomaly;
S503: if the network traffic is greater than the dynamic traffic threshold, the current network path is judged to have a security anomaly, a corresponding management strategy is generated and an alarm signal is sent to the administrator.
The invention also provides a network path analysis system for network security anomaly detection, which comprises a port module, an initialization module, a self-checking module, a traffic monitoring module, a scenario analysis module, a threshold optimization module and a warning module:
Port module: acquires historical traffic data of the network path operating environment, comprising normal traffic data and abnormal traffic data, and sends them to the initialization module;
Initialization module: generates the initial traffic threshold of the current operating environment by a threshold algorithm based on the normal and abnormal traffic data, and sends the initial traffic threshold to the threshold optimization module;
Self-checking module: periodically performs a self-check to analyse the operating status of the analysis system, judges whether the current operating status supports security anomaly detection of the network path, sends an alarm signal to the network administrator if it does not, and sends the judgement result to the traffic monitoring module;
Traffic monitoring module: if the operating status supports security anomaly detection of the network path, monitors the network traffic of the network path in real time and sends it to the warning module;
Scenario analysis module: acquires all special scenarios in the network path operating environment, analyses them with a regression analysis model to obtain regression coefficients, combines the regression coefficients with the operating status of the analysis system to generate a correction index, and sends the correction index to the threshold optimization module;
Threshold optimization module: obtains the dynamic traffic threshold by adjusting the initial traffic threshold with the correction index;
Warning module: compares the network traffic acquired in real time with the dynamic traffic threshold, and when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management strategy and sends a warning signal to the administrator.
In this technical scheme, the invention has the following technical effects and advantages:
1. the analysis system periodically performs a self-check on its own operating status and judges whether the current operating status supports security anomaly detection of the network path; if it does not, a warning signal is sent to the network administrator, and if it does, the analysis system monitors the network traffic of the network path in real time. It acquires all special scenarios in the network path operating environment, analyses them with a regression analysis model to obtain regression coefficients, combines the regression coefficients with the operating status of the analysis system to generate a correction index, and obtains a dynamic traffic threshold by adjusting the initial traffic threshold with the correction index. The analysis system performs the self-check in real time during use to ensure stable detection on the network path, and because the dynamic traffic threshold is derived from both the special scenarios in the operating environment and the operating status of the analysis system, problems such as frequent false alarms in special scenarios are effectively avoided.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments described in the present invention, and other drawings may be obtained according to these drawings for a person having ordinary skill in the art.
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1: referring to fig. 1, the network path analysis method for network security anomaly detection according to the present embodiment includes the following steps:
the method comprises the steps that an analysis system port obtains historical flow data of a network path operation environment, the historical flow data comprises normal flow data and abnormal flow data, an initial flow threshold of the current operation environment is generated through a threshold algorithm based on the normal flow data and the abnormal flow data, the analysis system conducts self-checking analysis on the operation condition of the analysis system at regular time, judges whether the current operation condition supports safety abnormality detection of a network path, sends warning signals to a network manager if the current operation condition does not support the safety abnormality detection of the network path, monitors the network flow of the network path in real time if the operation condition supports the safety abnormality detection of the network path, obtains all special scenes in the network path operation environment, obtains regression coefficients after analyzing all the special scenes based on a regression analysis model, combines the regression coefficients with the operation condition of the analysis system to generate correction indexes, obtains a dynamic flow threshold after the initial flow threshold is adjusted through the correction indexes, and compares the network flow obtained in real time with the dynamic flow threshold.
According to the method, the running condition of the self is automatically analyzed through the analysis system at regular time, whether the current running condition supports safety abnormality detection of the network path is judged, if the current running condition does not support safety abnormality detection of the network path, a warning signal is sent to a network manager, if the running condition supports safety abnormality detection of the network path, the analysis system monitors the network flow of the network path in real time, all special scenes in the running environment of the network path are obtained, regression coefficients are obtained after all special scenes are analyzed based on a regression analysis model, the regression coefficients are combined with the running condition of the analysis system to generate a correction index, and a dynamic flow threshold is obtained after an initial flow threshold is regulated through the correction index. The analysis system performs self-check in real time in the use process so as to ensure the stability of network path detection, and obtains a dynamic flow threshold after the initial flow threshold is regulated according to a special scene in an operation environment and the operation condition of the analysis system, thereby effectively avoiding the problems of frequent false alarm and the like of the analysis system in the special scene.
The analysis system port obtains historical traffic data of the network path operating environment, comprising normal traffic data and abnormal traffic data, specifically:
normal traffic data: knowing the pattern of normal traffic, including peak and off-peak periods, common communication patterns and the periodicity of traffic, helps establish a baseline for normal traffic so that traffic deviating from the normal pattern is easier to detect; analysing the ports involved in normal traffic, including common service ports and application ports, and knowing the frequency of use and communication pattern of each port, allows unusual port activity to be identified in later anomaly detection; analysing the users and devices associated with the traffic and their normal behaviour patterns, including login frequency and data transfer patterns, helps detect activity that differs from normal behaviour;
abnormal traffic data: examining port-related security event logs, including refused connections, malware propagation attempts and port scanning, helps identify port activity associated with abnormal behaviour; illegal access behaviour, such as use of unauthorised ports, unauthorised port scanning and intrusion attempts, can be detected by examining the web logs and security event logs related to port activity; analysing abnormal data traffic, including large-scale data transfers, abnormal transfer patterns and abnormally frequent connections and disconnections, helps discover potential data leakage or attack behaviour.
Generating the initial traffic threshold of the current operating environment by a threshold algorithm based on the normal and abnormal traffic data is specifically:
acquire the average traffic and the standard deviation of the normal traffic (that is, traffic in which the security tools of the current operating environment detected no attack or abnormality) of the network path when it is used in the current operating environment;
where:
the standard deviation LQ of the normal traffic is calculated by the following expression: where P represents the average value of the normal traffic, i = {1, 2, 3, ..., n}, n represents the number of normal-traffic sampling points (i.e. traffic values sampled daily or hourly), n is a positive integer, and P_i represents the traffic value at the i-th normal-traffic sampling point;
acquire the average value of the abnormal traffic (that is, traffic in which the security tools of the current operating environment detected an attack or abnormality) of the network path when it is used in the current operating environment, calculated by the following expression:
where j = {1, 2, 3, ..., m}, m represents the number of abnormal-traffic sampling points (i.e. traffic values sampled daily or hourly), m is a positive integer, Y_j represents the traffic value at the j-th abnormal-traffic sampling point, and Y_avg represents the average value of the abnormal traffic;
the initial traffic threshold is calculated from the average value Y_avg of the abnormal traffic, the standard deviation LQ of the normal traffic and the average value P of the normal traffic, with the following expression:
where yz_initial is the initial traffic threshold, Y_avg is the average value of the abnormal traffic, Y_max is the maximum value of the abnormal traffic, P is the average value of the normal traffic, and LQ is the standard deviation of the normal traffic.
The analysis system periodically performs a self-check on its own operating status and judges whether the current operating status supports security anomaly detection of the network path; if it does not, a warning signal is sent to the network administrator, and if it does, the analysis system monitors the network traffic of the network path in real time. It acquires all special scenarios in the network path operating environment, analyses them with a regression analysis model to obtain regression coefficients, combines the regression coefficients with the operating status of the analysis system to generate a correction index, obtains a dynamic traffic threshold by adjusting the initial traffic threshold with the correction index, compares the network traffic acquired in real time with the dynamic traffic threshold, and, when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management strategy and sends a warning signal to the administrator.
Example 2: the analysis system carries out self-checking analysis of its running condition at regular intervals and judges whether the current running condition supports security anomaly detection of the network path; if it does not, an alarm signal is sent to the network administrator, and if it does, the network traffic of the network path is monitored in real time. Specifically:
When the analysis system performs security anomaly detection on the network path, a certain computing power must be maintained to avoid analysis delay or even suspension. The analysis system therefore monitors its real-time computing power, and when the real-time computing power falls below the computing power threshold, that time period is recorded. The longer the real-time computing power stays below the threshold, the less the analysis system supports security anomaly detection of the network path, so the time period during which the real-time computing power is below the computing power threshold is taken as the computing power early-warning period;
When the analysis system frequently reports errors during operation, it may be suffering from data loss, crashes or blocking. Therefore, when the analysis system reports errors, the number of consecutive error reports is recorded (error reports count as consecutive when the interval between them is within 5 min; when the interval between the next error report and the previous one exceeds 5 min, they are no longer counted as consecutive). When the number of consecutive error reports exceeds the count threshold, the analysis system may be unable to continue monitoring the network path, or may be disconnected outright, so the time period during which the number of consecutive error reports exceeds the count threshold is the error-report early-warning period;
The computing power early-warning period and the error-report early-warning period are integrated to obtain the self-checking coefficient $zj_x$ of the analysis system, with the expression as follows, where $Z(t)$ represents the response-time variation of the analysis system, $[t_x, t_y]$ is the computing power early-warning period, and $[t_i, t_j]$ is the error-report early-warning period;
After the self-checking coefficient $zj_x$ is obtained, it is compared with a preset first self-checking threshold and a preset second self-checking threshold, where the second self-checking threshold is used to judge whether the analysis system supports security anomaly detection of the network path, and the first self-checking threshold is used to judge whether the analysis system has a slight abnormality;
If $zj_x$ > second self-checking threshold, the analysis system is judged not to support security anomaly detection of the network path;
If $zj_x$ ≤ second self-checking threshold, the analysis system is judged to support security anomaly detection of the network path, and it monitors the network traffic of the network path in real time;
If first self-checking threshold < $zj_x$ ≤ second self-checking threshold, the analysis system is judged to support security anomaly detection of the network path but to have a slight abnormality, and the initial threshold must be dynamically adjusted;
If $zj_x$ ≤ first self-checking threshold, the analysis system is judged to support security anomaly detection of the network path and to have no abnormality.
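As an added illustration that is not code from the patent, the following Python module implements the parts of the self-check the text fully specifies: the computing power early-warning periods, the 5 min consecutive error-report rule with a count threshold, and the two-threshold classification of $zj_x$. The patent does not reproduce the integral that yields $zj_x$, so its form here is an assumption ($Z(t)$ integrated over the union of the two kinds of early-warning periods), and all sample data (compute-power samples, error timestamps, the $Z(t)$ curve, thresholds) are constructed.

```python
GAP_SECONDS = 5 * 60  # error reports count as consecutive when spaced <= 5 min


def compute_power_warning_periods(samples, power_threshold):
    """samples: chronological (t_seconds, real_time_compute_power) pairs.
    Returns [(start, end)] periods during which power is below the threshold."""
    periods, start = [], None
    for t, power in samples:
        if power < power_threshold and start is None:
            start = t                       # dip below the threshold begins
        elif power >= power_threshold and start is not None:
            periods.append((start, t))      # recovered: close the period
            start = None
    if start is not None:                   # still below at the last sample
        periods.append((start, samples[-1][0]))
    return periods


def error_warning_periods(error_times, count_threshold, gap=GAP_SECONDS):
    """error_times: sorted timestamps (seconds) of error reports.
    A run stays consecutive while successive reports are <= gap apart; the warning
    period runs from the report that pushes the count past count_threshold to the
    run's last report."""
    periods, run = [], []
    for t in list(error_times) + [None]:    # None is a sentinel that flushes the last run
        if t is not None and (not run or t - run[-1] <= gap):
            run.append(t)
            continue
        if len(run) > count_threshold:
            periods.append((run[count_threshold], run[-1]))
        run = [] if t is None else [t]
    return periods


def merge_periods(periods):
    """Union of possibly overlapping intervals so no instant is integrated twice."""
    merged = []
    for start, end in sorted(periods):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def trapezoid(fn, a, b, steps=200):
    """Numerical integral of fn over [a, b]; exact for a linear fn."""
    if b <= a:
        return 0.0
    h = (b - a) / steps
    total = 0.5 * (fn(a) + fn(b)) + sum(fn(a + i * h) for i in range(1, steps))
    return total * h


def self_check_coefficient(z_fn, power_periods, error_periods):
    """ASSUMED form of zj_x (the patent omits the formula): the integral of Z(t),
    the response-time variation, over the union of both early-warning periods."""
    return sum(trapezoid(z_fn, a, b)
               for a, b in merge_periods(power_periods + error_periods))


def classify(zj_x, first_threshold, second_threshold):
    """Two-threshold decision of steps S204-S207."""
    if zj_x > second_threshold:
        return "unsupported"                   # S204: alarm the administrator
    if zj_x > first_threshold:
        return "supported_slight_abnormality"  # S206: initial threshold must be adjusted
    return "supported_normal"                  # S207


def run_self_check(power_samples, power_threshold, error_times, count_threshold,
                   z_fn, first_threshold, second_threshold):
    power_periods = compute_power_warning_periods(power_samples, power_threshold)
    error_periods = error_warning_periods(error_times, count_threshold)
    zj_x = self_check_coefficient(z_fn, power_periods, error_periods)
    return {"power_periods": power_periods, "error_periods": error_periods,
            "zj_x": zj_x, "status": classify(zj_x, first_threshold, second_threshold)}


# Constructed sample data: one compute-power reading per minute, error timestamps in seconds.
POWER_SAMPLES = [(60 * i, p) for i, p in
                 enumerate([80, 75, 40, 35, 30, 70, 85, 50, 45, 90, 95])]
ERROR_TIMES = [100, 200, 350, 1000, 1100, 1150, 1200, 1300]


def response_time_variation(t):
    """Constructed Z(t): response time drifts upward linearly under load."""
    return 0.002 * t + 0.1


def demo():
    # power threshold 60, count threshold 3, self-check thresholds 300 / 600 (all constructed)
    return run_self_check(POWER_SAMPLES, 60, ERROR_TIMES, 3,
                          response_time_variation, 300.0, 600.0)


if __name__ == "__main__":
    print(demo())
```

With the constructed data the compute power dips twice (120-300 s and 420-540 s), only the second error burst exceeds the count threshold (warning period 1200-1300 s), and the resulting $zj_x$ lands between the two thresholds, i.e. the slight-abnormality branch that triggers dynamic adjustment of the initial threshold.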
All special scenes in the network path operation environment are acquired and analyzed based on a regression analysis model to obtain regression coefficients, specifically:
All special scenes affecting network traffic growth in the current operation environment are acquired. The special scenes comprise main special scenes and secondary special scenes. All main special scenes are established as a set s, and the main special scenes in set s are denoted $\{s_1, s_2, \dots, s_k\}$, where k is the number of main special scenes in set s. The regression coefficient is calculated by the Logistic regression analysis method, with the coefficient expression as follows:
where $hg_z$ is the regression coefficient, Q is a constant term with value 0.442, representing the influence amplitude of the secondary special scenes on the regression coefficient when no main special scene is present, $\{s_1, s_2, \dots, s_k\}$ are the variables (the main special scenes), $\{\omega_1, \omega_2, \dots, \omega_k\}$ are the regression coefficients of each variable, and the regression coefficients satisfy $w > 0$;
To better illustrate the Logistic regression analysis method, the following example is given:
For example, for an e-commerce platform, in certain special scenes (for instance, when the platform runs various large promotions, its traffic rises sharply) the traffic of the platform increases rapidly because more users are online; therefore the number of users online on the e-commerce platform during such special scenes over a preceding period of time is acquired for regression analysis;
Q is a constant term with value 0.442, representing the influence amplitude of the secondary special scenes on the regression coefficient when no main special scene is present; taking the e-commerce platform as an example again, during holidays the number of online users is usually higher than on non-holidays;
The regression coefficient $hg_z$ used in the invention is composed of the following logical factors, taking the influence of a main special scene on network traffic as an example: first, the indexes, i.e. the factors causing the special scene to change (in the invention, the influence of the main special scenes on network traffic growth); second, the weights of the indexes, i.e. the proportion of each main special scene; third, the operation equation, i.e. the mathematical process by which the result is obtained. The regression coefficient $hg_z$ is obtained by operating on the indexes with their respective weights through the operation equation.
The main special scenes acquired from the sample are converted and processed into a data language recognized by computer software; secondly, Logistic regression analysis of the evaluation factors is carried out with SPSS software, and the factors that correlate significantly with the result, together with their weights, are screened out; thirdly, the evaluation factors and their weights are substituted into the Logistic regression equation to obtain the result, specifically:
First, the integrity of the main special scene data is ensured: missing values and abnormal values are processed, and the data is converted into a format that SPSS software can recognize, generally saved as csv, xlsx or a similar format, and then imported into SPSS. The SPSS software is opened, the processed data file is imported, and the variables are converted as required, for example by standardizing or normalizing continuous variables. The Analyze menu is selected, then the Binary Logistic option under Regression, and the dependent variable (the result) and the independent variables (the main special scenes) are added to the corresponding boxes in the dialog. A Logistic regression model is fitted to the selected variables, and the coefficients, standard errors, p values and other information of the model are viewed in the output to judge which variables correlate significantly with the result; generally a p value below 0.05 is considered significant. A variable selection method such as stepwise regression helps to screen the most relevant factors. Finally, the influence of each variable in the regression equation is calculated from the magnitude of its regression coefficient, and the sign of each coefficient indicates whether its influence on the result is positive or negative, thereby obtaining the result.
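The fitting step above can be reproduced without SPSS. The following Python code is an added example, not the patent's own code: it fits Logistic regression coefficients $\omega_k$ for binary main-special-scene indicators (a large promotion and a holiday, as in the e-commerce illustration) on a constructed sample, keeping the constant term fixed at Q = 0.442 as the text states, and reports the sign and magnitude of each coefficient the way the SPSS output is read. The patent does not reproduce its coefficient expression, so the linear predictor $Q + \sum_k \omega_k s_k$ inside the sigmoid is an assumption.

```python
import math

Q = 0.442  # constant term given by the patent; held fixed, not fitted


def constructed_records():
    """Constructed sample: ((promotion active, holiday), traffic surged).
    s_1 = large promotion, s_2 = holiday are the main special scenes; y = 1 marks an
    observation period in which the online user count jumped."""
    recs = []
    recs += [((0, 0), 1)] * 7 + [((0, 0), 0)] * 5   # no scene: 7 of 12 surged
    recs += [((1, 0), 1)] * 9 + [((1, 0), 0)] * 1   # promotion only: 9 of 10
    recs += [((0, 1), 1)] * 8 + [((0, 1), 0)] * 2   # holiday only: 8 of 10
    recs += [((1, 1), 1)] * 8                        # both: 8 of 8
    return recs


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def predict(omega, scenes):
    """Surge probability for a scene indicator vector (assumed predictor Q + sum omega_k s_k)."""
    return sigmoid(Q + sum(w * s for w, s in zip(omega, scenes)))


def fit_omega(records, k, lr=0.05, iters=3000):
    """Gradient ascent on the Bernoulli log-likelihood with the intercept held at Q.
    The gradient for omega_k is sum over records of (y - p) * s_k."""
    omega = [0.0] * k
    for _ in range(iters):
        grad = [0.0] * k
        for scenes, y in records:
            err = y - predict(omega, scenes)
            for idx in range(k):
                grad[idx] += err * scenes[idx]
        omega = [w + lr * g for w, g in zip(omega, grad)]
    return omega


def influence_report(omega, names):
    """Per-variable influence as read from the coefficient table: magnitude and sign."""
    return [(name, round(w, 3), "positive" if w > 0 else "negative")
            for name, w in zip(names, omega)]


def demo():
    omega = fit_omega(constructed_records(), 2)
    return {"omega": omega,
            "report": influence_report(omega, ["promotion", "holiday"]),
            "p_none": predict(omega, (0, 0)),        # baseline set by Q alone
            "p_promotion": predict(omega, (1, 0)),
            "p_both": predict(omega, (1, 1))}


if __name__ == "__main__":
    print(demo())
```

Because the intercept is pinned at Q, the no-scene probability is sigmoid(0.442) regardless of the data, and both fitted coefficients come out positive, matching the constraint $w > 0$ stated for the regression coefficients.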
Combining the regression coefficient with the running condition of the analysis system to generate a correction index, and acquiring a dynamic flow threshold after adjusting an initial flow threshold through the correction index, wherein the method specifically comprises the following steps:
If first self-checking threshold < $zj_x$ ≤ second self-checking threshold, the analysis system is judged to support security anomaly detection of the network path but to have a slight abnormality, and the initial threshold must be dynamically adjusted;
When the analysis system has a slight abnormality, its analysis efficiency is reduced; at this time, to ensure that the analysis system detects network path security anomalies in a timely manner, the initial threshold must be reduced so that detection is not delayed;
From the calculation expression of the regression coefficient $hg_z$ it can be seen that $hg_z$ is mainly used to analyze special scenes in which network path traffic increases; when such a special scene appears in the operation environment, the initial threshold must be enlarged to avoid frequent false alarms by the analysis system;
The value of the self-checking coefficient $zj_x$ when the analysis system has a slight abnormality is obtained and combined with the regression coefficient $hg_z$ to generate the correction index, with the calculation expression as follows, where $zj_x$ is the self-checking coefficient, $hg_z$ is the regression coefficient and $xz_s$ is the correction index; the larger the correction index, the more the initial flow threshold must be increased;
The dynamic flow threshold is obtained after the initial flow threshold is corrected by the correction index, with the expression as follows, where $yz_{dynamic}$ is the dynamic flow threshold, $yz_{initial}$ is the initial flow threshold and $xz_s$ is the correction index.
The analysis system compares the network flow acquired in real time with a dynamic flow threshold, and when the network flow exceeds the dynamic flow threshold, a corresponding management strategy is generated and an alarm signal is sent to an administrator, specifically:
after the analysis system acquires the dynamic flow threshold, comparing the network flow of the network path acquired in real time with the dynamic flow threshold;
if the network traffic is less than or equal to the dynamic traffic threshold, analyzing that the current network path has no security abnormality;
if the network flow is greater than the dynamic flow threshold, analyzing that the current network path has security abnormality, generating a corresponding management strategy and sending a warning signal to an administrator, specifically:
Based on the results of the anomaly analysis, a corresponding management policy is generated. The policy may include blocking specific IP addresses, closing specific ports and quarantining infected systems, and may also include updating firewall rules and adjusting Access Control Lists (ACLs). A real-time response mechanism is configured to ensure that the system can act quickly when an anomaly is detected; this may involve automated scripts, API calls or integration with other security devices. The response policy is refined so that, with overall network security taken into account, interference with normal business operations is minimized;
After the security anomaly is confirmed, detailed reports and warning information are generated, including a description of the anomaly, its scope of influence and its threat level. A real-time warning notification is sent to the administrator, usually by e-mail, SMS, instant messaging or integration into a Security Information and Event Management (SIEM) system, and a detailed security report is generated covering the management policy adopted, the timeline of the anomaly and its scope of influence. The reports are kept easy to understand so that the administrator can quickly grasp and handle the security event. The administrator's feedback on the warnings is collected and analyzed to ensure the accuracy and effectiveness of the system, which is continuously optimized and adjusted to adapt to new threats and changes in the network environment. The generated management policies and warnings are made to meet relevant compliance and regulatory requirements, and relevant compliance information is provided when notifying the administrator so that the organization meets regulatory requirements while handling the security event.
Example 3: the network path analysis system for network security anomaly detection in this embodiment includes a port module, an initialization module, a self-checking module, a flow monitoring module, a scene analysis module, a threshold optimization module, and a warning module:
port module: acquiring historical flow data of a network path operation environment, wherein the historical flow data comprises normal flow data and abnormal flow data, and the normal flow data and the abnormal flow data are sent to an initialization module;
an initialization module: generating an initial flow threshold of the current operation environment through a threshold algorithm based on the normal flow data and the abnormal flow data, and sending the initial flow threshold to a threshold optimization module;
Self-checking module: carries out self-checking analysis at regular intervals to analyze the running condition of the system and judges whether the current running condition supports security anomaly detection of the network path; if it does not, an alarm signal is sent to the network administrator, and the judgment result is sent to the flow monitoring module;
Flow monitoring module: if the running condition supports security anomaly detection of the network path, the analysis system monitors the network flow of the network path in real time, and the network flow is sent to the warning module;
scene analysis module: acquiring all special scenes in the network path operation environment, analyzing all special scenes based on a regression analysis model, acquiring regression coefficients, combining the regression coefficients with the operation condition of an analysis system to generate a correction index, and transmitting the correction index to a threshold optimization module;
threshold optimization module: the dynamic flow threshold is obtained after the initial flow threshold is regulated through the correction index;
Warning module: compares the network traffic acquired in real time with the dynamic traffic threshold, and when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management strategy and sends a warning signal to the administrator.
The above formulas are all formulas with dimensions removed and numerical values calculated, the formulas are formulas with a large amount of data collected for software simulation to obtain the latest real situation, and preset parameters in the formulas are set by those skilled in the art according to the actual situation.
It should be understood that the term "and/or" merely describes an association relationship between the associated objects and means that three relationships may exist; for example, A and/or B may mean: A alone, A and B together, or B alone, where A and B may be singular or plural. In addition, the character "/" herein generally indicates that the associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, as understood from the context.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application. It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A network path analysis method for network security anomaly detection, characterized in that the analysis method comprises the following steps:
S1: the analysis system port acquires historical traffic data of the network path operating environment, the historical traffic data comprising normal traffic data and abnormal traffic data; based on the normal traffic data and the abnormal traffic data, the initial traffic threshold of the current operating environment is generated through a threshold algorithm;
S2: the analysis system regularly performs a self-check to analyze its own operating status and determines whether the current operating status supports security anomaly detection of the network path; if the current operating status does not support security anomaly detection of the network path, a warning signal is sent to the network administrator;
S3: if the operating status supports security anomaly detection of the network path, the analysis system monitors the network traffic of the network path in real time;
S4: all special scenarios in the network path operating environment are acquired and analyzed based on a regression analysis model to obtain the regression coefficient, and the regression coefficient is combined with the operating status of the analysis system to generate a correction index;
S5: the analysis system adjusts the initial traffic threshold through the correction index to obtain the dynamic traffic threshold, compares the network traffic acquired in real time with the dynamic traffic threshold, and when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management policy and sends a warning signal to the administrator.

2. The network path analysis method for network security anomaly detection according to claim 1, characterized in that in step S1, generating the initial traffic threshold of the current operating environment through a threshold algorithm based on the normal traffic data and the abnormal traffic data comprises the following steps:
S101: acquire the average traffic and the traffic standard deviation of normal traffic when the network path is used in the current operating environment;
S102: acquire the average traffic of abnormal traffic when the network path is used in the current operating environment;
S103: calculate the initial traffic threshold from the average flow value of abnormal traffic, the traffic standard deviation of normal traffic and the average flow value of normal traffic, with the following expression, where $yz_{initial}$ is the initial traffic threshold, $Y_{avg}$ is the average flow value of abnormal traffic, $Y_{max}$ is the maximum flow value of abnormal traffic, the mean of normal traffic is the average flow value of normal traffic, and LQ is the traffic standard deviation of normal traffic.

3. The network path analysis method for network security anomaly detection according to claim 2, characterized in that the traffic standard deviation LQ of normal traffic is calculated by the following expression, where the mean of normal traffic denotes the average flow value of normal traffic, n denotes the number of normal traffic sampling points, n is a positive integer, and $P_i$ denotes the flow value at the i-th normal traffic sampling point;
the average flow value of abnormal traffic is calculated by the following expression, where j = {1, 2, 3, ..., m}, m denotes the number of abnormal traffic sampling points, m is a positive integer, $Y_j$ denotes the flow value at the j-th abnormal traffic sampling point, and $Y_{avg}$ denotes the average flow value of abnormal traffic.

4. The network path analysis method for network security anomaly detection according to claim 3, characterized in that in step S2, the analysis system regularly performing a self-check to analyze its own operating status and determining whether the current operating status supports security anomaly detection of the network path comprises the following steps:
S201: acquire the computing power warning period and the error-report warning period;
S202: integrate over the computing power warning period and the error-report warning period to obtain the self-check coefficient $zj_x$ of the analysis system, expressed as follows, where $Z(t)$ denotes the response-time variation of the analysis system, $[t_x, t_y]$ is the computing power warning period, and $[t_i, t_j]$ is the error-report warning period;
S203: after the self-check coefficient $zj_x$ is obtained, compare it with a preset first self-check threshold and a preset second self-check threshold, where the second self-check threshold is used to determine whether the analysis system supports security anomaly detection of the network path, and the first self-check threshold is used to determine whether the analysis system has a slight anomaly;
S204: if $zj_x$ > second self-check threshold, it is determined that the analysis system does not support security anomaly detection of the network path, and a warning signal is sent to the network administrator;
S205: if $zj_x$ ≤ second self-check threshold, it is determined that the analysis system supports security anomaly detection of the network path;
S206: if first self-check threshold < $zj_x$ ≤ second self-check threshold, it is determined that the analysis system supports security anomaly detection of the network path but has a slight anomaly, and the initial threshold needs to be dynamically adjusted;
S207: if $zj_x$ ≤ first self-check threshold, it is determined that the analysis system supports security anomaly detection of the network path and has no anomaly.

5. The network path analysis method for network security anomaly detection according to claim 4, characterized in that the analysis system monitors its real-time computing power; when the real-time computing power is lower than the computing power threshold, that time period is recorded; the longer the real-time computing power stays below the computing power threshold, the less the analysis system supports security anomaly detection of the network path; and the time period during which the real-time computing power is below the computing power threshold is taken as the computing power warning period;
when the analysis system reports an error, the number of consecutive error reports is recorded; when the number of consecutive error reports exceeds the count threshold, the time period during which the number of consecutive error reports exceeds the count threshold is the error-report warning period.

6. The network path analysis method for network security anomaly detection according to claim 5, characterized in that in step S4, acquiring all special scenarios in the network path operating environment and analyzing all special scenarios based on the regression analysis model to obtain the regression coefficient comprises the following steps:
acquire all special scenarios that affect the growth of network traffic in the current operating environment, the special scenarios comprising main special scenarios and secondary special scenarios; establish all main special scenarios as a set s, the main special scenarios in set s being denoted $\{s_1, s_2, \dots, s_k\}$, where k is the number of main special scenarios in set s; and calculate the regression coefficient by the Logistic regression analysis method, with the following coefficient expression, where $hg_z$ is the regression coefficient, Q is a constant term with value 0.442, which denotes the influence amplitude of the secondary special scenarios on the regression coefficient when no main special scenario is present, $\{s_1, s_2, \dots, s_k\}$ are the variables, $\{\omega_1, \omega_2, \dots, \omega_k\}$ are the regression coefficients of each variable, and the regression coefficient $w > 0$.

7. The network path analysis method for network security anomaly detection according to claim 6, characterized in that in step S4, combining the regression coefficient with the operating status of the analysis system to generate a correction index comprises the following steps:
if first self-check threshold < $zj_x$ ≤ second self-check threshold, it is determined that the analysis system supports security anomaly detection of the network path but has a slight anomaly, and the initial threshold is dynamically adjusted;
acquire the value of the self-check coefficient $zj_x$ when the analysis system has a slight anomaly, and combine it with the regression coefficient $hg_z$ to generate the correction index, with the following calculation expression, where $zj_x$ is the self-check coefficient, $hg_z$ is the regression coefficient, and $xz_s$ is the correction index.

8. The network path analysis method for network security anomaly detection according to claim 7, characterized in that in step S4, obtaining the dynamic traffic threshold after adjusting the initial traffic threshold through the correction index comprises the following step: the dynamic traffic threshold is obtained after the initial traffic threshold is corrected by the correction index, with the following expression, where $yz_{dynamic}$ is the dynamic traffic threshold, $yz_{initial}$ is the initial traffic threshold, and $xz_s$ is the correction index.

9. The network path analysis method for network security anomaly detection according to claim 8, characterized in that in step S5, the analysis system comparing the network traffic acquired in real time with the dynamic traffic threshold comprises the following steps:
S501: after the analysis system obtains the dynamic traffic threshold, compare the network traffic of the network path acquired in real time with the dynamic traffic threshold;
S502: if network traffic ≤ dynamic traffic threshold, it is determined that the current network path has no security anomaly;
S503: if network traffic > dynamic traffic threshold, it is determined that the current network path has a security anomaly, a corresponding management policy is generated, and a warning signal is sent to the administrator.

10. A network path analysis system for network security anomaly detection, used to implement the analysis method according to any one of claims 1 to 9, characterized in that it comprises a port module, an initialization module, a self-check module, a traffic monitoring module, a scenario analysis module, a threshold optimization module and a warning module:
Port module: acquires historical traffic data of the network path operating environment, the historical traffic data comprising normal traffic data and abnormal traffic data; the normal traffic data and abnormal traffic data are sent to the initialization module;
Initialization module: generates the initial traffic threshold of the current operating environment through the threshold algorithm based on the normal traffic data and abnormal traffic data, and sends the initial traffic threshold to the threshold optimization module;
Self-check module: regularly performs a self-check to analyze its own operating status and determines whether the current operating status supports security anomaly detection of the network path; if it does not, a warning signal is sent to the network administrator, and the network path judgment result is sent to the traffic monitoring module;
Traffic monitoring module: if the operating status supports security anomaly detection of the network path, the analysis system monitors the network traffic of the network path in real time, and the network traffic is sent to the warning module;
Scenario analysis module: acquires all special scenarios in the network path operating environment, analyzes all special scenarios based on the regression analysis model to obtain the regression coefficient, combines the regression coefficient with the operating status of the analysis system to generate a correction index, and sends the correction index to the threshold optimization module;
Threshold optimization module: obtains the dynamic traffic threshold by adjusting the initial traffic threshold through the correction index;
Warning module: compares the network traffic acquired in real time with the dynamic traffic threshold, and when the network traffic exceeds the dynamic traffic threshold, generates a corresponding management policy and sends a warning signal to the administrator.
CN202410025208.2A 2024-01-08 2024-01-08 Network path analysis system and method for network security anomaly detection Pending CN117811824A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410025208.2A CN117811824A (en) 2024-01-08 2024-01-08 Network path analysis system and method for network security anomaly detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410025208.2A CN117811824A (en) 2024-01-08 2024-01-08 Network path analysis system and method for network security anomaly detection

Publications (1)

Publication Number Publication Date
CN117811824A true CN117811824A (en) 2024-04-02

Family

ID=90433224

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410025208.2A Pending CN117811824A (en) 2024-01-08 2024-01-08 Network path analysis system and method for network security anomaly detection

Country Status (1)

Country Link
CN (1) CN117811824A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination