CN119172119A - A multi-modal network security situation awareness and fusion analysis method and system - Google Patents
- Publication number: CN119172119A (application number CN202411195722.7A)
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1425—Traffic logging, e.g. anomaly detection (under H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—for detecting or protecting against malicious traffic; H04L63/1408—by monitoring network traffic)
- H04L63/1416—Event detection, e.g. attack signature detection (same H04L63/1408 branch)
- G06F18/213—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods (under G06F18/00—Pattern recognition; G06F18/20—Analysing; G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation)
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting (same G06F18/21 branch)
- G06N3/0464—Convolutional networks [CNN, ConvNet] (under G06N3/00—Computing arrangements based on biological models; G06N3/02—Neural networks; G06N3/04—Architecture, e.g. interconnection topology)
- H04L43/065—Generation of reports related to network devices (under H04L43/00—Arrangements for monitoring or testing data switching networks; H04L43/06—Generation of reports)
Abstract
The application relates to a multi-modal network security situation awareness and fusion analysis method and system, comprising the following steps: S10, collecting historical multi-modal data in a preset time period; S20, preprocessing the historical multi-modal data and extracting its features based on a preset algorithm; S30, fusing the historical multi-modal data features based on a convolutional neural network, optimizing the fused features based on a feature weighting method, and normalizing the fused features; S40, drawing four ROC curves, calculating and comparing the AUC values, outputting the maximum AUC value of each ROC curve, and constructing a situation awareness model; S50, when an acquisition instruction is received, acquiring real-time multi-modal data, preprocessing it, extracting its features, and inputting them into the situation awareness model; S60, when an abnormal event is identified, sending out an alarm and generating a network security report that is sent to the user side. The application has the effect of reducing false alarm risk events.
Description
Technical Field
The application relates to the technical field of network security, in particular to a multimode network security situation sensing and fusion analysis method and system.
Background
Existing network security situational awareness techniques typically focus on only a single type of data source, such as network traffic data. But the network environment is complex and variable, and an attack may involve multiple layers and multiple means. If only a single type of data source is relied upon, such as network traffic data alone, other important information, such as system logs, user behavior and application logs, may be ignored. This incomplete information easily biases the analysis results, so that normal network activity is misjudged as attack behavior and false alarms result; improvement is therefore needed.
Disclosure of Invention
In order to reduce false alarm risk events, the application provides a multimode network security situation sensing and fusion analysis method and system.
The first object of the application is realized by the following technical scheme:
A multimode network security situation sensing and fusion analysis method comprises the following steps:
S10, collecting historical multi-modal data in a preset time period, wherein the historical multi-modal data comprises network flow data, a system log, user behaviors and an application program log;
S20, preprocessing the historical multi-modal data, and extracting the features of the historical multi-modal data based on a preset algorithm;
S30, fusing the historical multi-modal data features based on a convolutional neural network, optimizing the fused features based on a feature weighting method, and normalizing the fused features;
S40, drawing four ROC curves based on the historical multi-modal data features, calculating and comparing the AUC values, outputting the maximum AUC value of each ROC curve, and constructing a situation awareness model;
S50, when an acquisition instruction is received, acquiring real-time multi-modal data, preprocessing it and extracting its features, inputting them into the situation awareness model, and identifying an abnormal event when the AUC of the real-time multi-modal data is higher than the AUC maximum value;
S60, when the abnormal event is identified, sending out an alarm and generating a network security report that is sent to the user side, wherein the network security report comprises the abnormal event, the predicted result and the threat level.
In a preferred embodiment of the present application, the step of preprocessing the historical multi-modal data and extracting the characteristics of the historical multi-modal data based on a preset algorithm includes the steps of:
deleting invalid, erroneous and missing historical multi-modal data;
converting data in different formats into data in a uniform format;
extracting statistical features of the flow data, wherein the statistical features comprise flow size, flow quantity and protocol type;
extracting the log level, keywords and event sequence of the system log;
extracting the user login behavior, file access and system configuration changes of the user behavior;
extracting the performance indexes, error modes and resource use of the application program log.
In a preferred embodiment of the present application, the step of fusing historical multi-modal data features based on a convolutional neural network, optimizing the fused features based on a feature weighting method, and normalizing the fused features includes the steps of:
splicing the preprocessed multi-modal data features to form a high-dimensional feature vector;
assigning an initial weight to each modal feature in the high-dimensional feature vector;
assigning a final weight to each modal feature based on a gradient descent algorithm;
normalizing the weighted modal features;
screening out the optimal features based on the final weights.
In a preferred embodiment of the present application, based on historical multi-modal data characteristics, four ROC curves are drawn, AUC is calculated, AUC is compared, AUC maximum value of each ROC curve is output, and a situation awareness model is constructed, including the steps of:
Determining an input layer and an output layer of a situation awareness model based on a deep neural network;
The input layer includes various features from network traffic, system logs, user behavior, and application logs;
the output layer comprises an abnormal event, a predicted result and a threat level;
And training the network through the preprocessed training set, and optimizing the network weight through multiple iterations.
In a preferred embodiment of the present application, based on the historical multi-modal data characteristics, four ROC curves are drawn, AUCs are calculated, AUCs are compared, AUC maximum values of each ROC curve are output, and a situation awareness model is constructed, and the method further comprises the steps of:
comparing the AUC values, with AUC 1 representing the AUC maximum of the first ROC curve, AUC 1 being the threshold of the flow data;
comparing the AUC values, with AUC 2 representing the AUC maximum of the second ROC curve, AUC 2 being the threshold of the system log;
comparing the AUC values, with AUC 3 representing the AUC maximum of the third ROC curve, AUC 3 being the threshold of user behavior;
comparing the AUC values, with AUC 4 representing the AUC maximum of the fourth ROC curve, AUC 4 being the threshold of the application log.
In a preferred embodiment of the present application, when an acquisition instruction is received, acquiring real-time multi-modal data, preprocessing and feature extracting the real-time multi-modal data, inputting a situation awareness model, and when an AUC of the real-time multi-modal data is higher than an AUC maximum value, identifying an abnormal event, including the steps of:
when the flow data is higher than AUC 1, identifying a flow data anomaly;
when the system log is higher than AUC 2, identifying a system log anomaly;
when the user behavior is higher than AUC 3, identifying a user behavior anomaly;
when the application log is higher than AUC 4, identifying an application log anomaly.
The second object of the present application is achieved by the following technical solutions:
A multi-modal network security posture awareness and fusion analysis system comprising:
S10, collecting historical multi-modal data, wherein the historical multi-modal data comprises network flow data, a system log, user behaviors and an application program log in a preset time period;
S20, preprocessing the historical multi-modal data, and extracting the features of the historical multi-modal data based on a preset algorithm;
S30, a module for fusing features of different modalities, namely fusing the historical multi-modal data features based on a convolutional neural network, optimizing the fused features based on a feature weighting method, and normalizing the fused features;
S40, drawing four ROC curves based on the historical multi-modal data features, calculating and comparing the AUC values, outputting the maximum AUC value of each ROC curve, and constructing a situation awareness model;
S50, when an acquisition instruction is received, acquiring real-time multi-modal data, preprocessing it, extracting its features, inputting them into the situation awareness model, and identifying an abnormal event when the AUC of the real-time multi-modal data is higher than the AUC maximum value;
and a feedback module for sending out an alarm and generating a network security report to be sent to the user side when the abnormal event is identified, wherein the network security report comprises the abnormal event, a predicted result and a threat level.
Optionally, the system further comprises:
a cleaning module for deleting invalid, erroneous and missing historical multi-modal data;
a conversion module for converting data in different formats into data in a uniform format;
a flow data feature extracting module for extracting statistical features of the flow data, wherein the statistical features comprise flow size, flow quantity and protocol type;
a system log feature extracting module for extracting the log level, keywords and event sequence of the system log;
a user behavior feature extracting module for extracting the user login behavior, file access and system configuration changes of the user behavior;
and an application program log feature extracting module for extracting the performance indexes, error modes and resource use of the application program log.
The third object of the application is realized by the following technical scheme:
A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of a multimodal network security posture awareness and fusion analysis method as described above when executing the computer program.
The fourth object of the application is achieved by the following technical scheme:
A computer readable storage medium storing a computer program which when executed by a processor implements the steps of a multimodal network security posture awareness and fusion analysis method described above.
In summary, the present application includes at least one of the following beneficial technical effects:
1. After enough historical multi-mode data is acquired, invalid, wrong and missing data are removed by preprocessing the historical multi-mode data, key characteristics are extracted, and the data quality is improved. The historical multi-modal data features are fused together through the convolutional neural network, and the fused features are optimized by using a feature weighting method, so that the recognition capability of the model is improved. A situation awareness model is built based on the deep neural network, and the model can process and analyze multi-mode data and identify abnormal events. When an acquisition instruction is received, multi-mode data can be acquired in real time, and the data is input into a situation awareness model to identify abnormal events. When an abnormal event is identified, an alarm can be sent out and a network security report can be generated, so that detailed abnormal events, predicted results and threat levels are provided for users.
2. Deleting invalid, erroneous and missing historical multi-modal data reduces noise and irrelevant information and improves the quality and usability of the data. Converting data in different formats into a unified format allows data from different sources to be effectively integrated and analyzed. Key statistical features such as flow size, flow quantity and protocol type are extracted from the flow data and provide important information for the input of the model. Key information such as log level, keywords and event sequences is extracted from the system log, which aids in understanding the behavior and state of the system. Key behavior patterns such as user login behavior, file access and system configuration changes are extracted from the user behavior, which help in understanding the user's behavior and potential threats. Key performance indicators, error patterns and resource usage are extracted from the application log, which aids in understanding the state of the application and potential threats.
3. Combining features from historical multimodal data into one high-dimensional feature vector enables the model to process and analyze information from multiple sources simultaneously. The features of each modality are assigned initial weights that reflect the relative importance of the features in the model. The weights of each modal feature are iteratively adjusted by a gradient descent algorithm so that the model can better learn the relationships between the features. Through normalization processing, the weighted features are ensured to have the same dimension and range, and training and prediction performance of the model are improved. According to the final weight, the feature subset with the largest contribution to the performance of the model is screened out, the feature dimension is reduced, and the efficiency of the model is improved.
4. Clear input and output structures are defined for the situational awareness model, the input layers including various features from network traffic, system logs, user behavior, and application logs, and the output layers including abnormal events, predicted outcomes, threat levels. The model is trained through the training set data, and the network weight is optimized through multiple iterations, so that the model can learn and adapt to modes and trends in the data.
Drawings
FIG. 1 is a flowchart of an embodiment of a method for multi-modal network security situation awareness and fusion analysis according to the present application;
FIG. 2 is a flowchart showing an implementation of step S20 in an embodiment of a multi-modal network security situation awareness and fusion analysis method according to the present application;
FIG. 3 is a flowchart showing an implementation of step S30 in an embodiment of a multi-modal network security situation awareness and fusion analysis method according to the present application;
FIG. 4 is a flowchart showing an implementation of step S40 in an embodiment of a multi-modal network security situation awareness and fusion analysis method according to the present application;
FIG. 5 is a flowchart of another implementation of step S40 in an embodiment of a multi-modal network security posture awareness and fusion analysis method of the present application;
FIG. 6 is a flowchart showing an implementation of step S50 in an embodiment of a multi-modal network security situation awareness and fusion analysis method according to the present application;
FIG. 7 is a schematic block diagram of a computer device of the present application.
Detailed Description
The application is described in further detail below with reference to FIGS. 1-7.
In one embodiment, as shown in fig. 1, the application discloses a multimode network security situation sensing and fusion analysis method, which specifically comprises the following steps:
S10, collecting historical multi-mode data in a preset time period, wherein the historical multi-mode data comprises network flow data, a system log, user behaviors and an application program log;
In this embodiment, historical multimodal data refers to multiple types of data collected over a preset period of time that typically originate from different parts of the network, including network traffic data, system logs, user behavior, and application logs. These data reflect the operational status and user behavior of the network over time. The network traffic data records information of data packets transmitted through the network, including the size, number, transmission time, etc. of the data packets. The system log records the operating system and application running status, errors, warnings, information, etc. User behavior records user operations in the network environment, such as login, file access, system configuration changes, and the like. The application log records the running state, performance index, errors, resource usage, etc. of the application.
S20, preprocessing the historical multi-mode data, and extracting the characteristics of the historical multi-mode data based on a preset algorithm;
In this embodiment, extracting the historical multimodal data features refers to extracting useful information from the historical multimodal data, which can be used for training and prediction of situational awareness models. The goal of feature extraction is to reduce the data dimension while retaining key information useful to situational awareness models.
S30, based on a convolutional neural network, historical multi-mode data features are fused, the fused features are optimized based on a feature weighting method, and normalization processing is carried out on the fused features.
In this embodiment, the convolutional neural network may be used to analyze network traffic data, system logs, user behavior, and application log data of different modalities. Fusing historical multi-modal data features refers to integrating features of data from different modalities so that the model can process and analyze information from multiple sources simultaneously.
And S40, drawing four ROC curves based on the historical multi-mode data characteristics, calculating AUC, comparing AUC, outputting the maximum value of AUC of each ROC curve, and constructing a situation perception model.
In this embodiment, building a situational awareness model refers to using a deep neural network to design and implement a model that is capable of handling multimodal data and identifying abnormal events.
S50, when an acquisition instruction is received, acquiring real-time multi-mode data, preprocessing and extracting features of the real-time multi-mode data, inputting a situation awareness model, and identifying an abnormal event when the AUC of the real-time multi-mode data is higher than the AUC maximum value.
In this embodiment, the acquisition instruction refers to an instruction received by the system, and instructs the system to start acquiring real-time data. This instruction comes from the user interface. The real-time multi-mode data refers to various types of data collected at a specific moment, and reflects the state of the network at the current moment. An abnormal event refers to an abnormal or unexpected event in the network that may indicate a potential security threat.
And S60, when the abnormal event is identified, an alarm is sent out, a network security report is generated and sent to the user side, and the network security report comprises the abnormal event, the predicted result and the threat level.
In this embodiment, the alarm refers to an alarm mechanism that the system automatically triggers when an abnormal event is detected, and is used to notify relevant personnel. The alert may be conveyed by a short message, email, audible prompt, or other means. The network security report refers to that after the system identifies the abnormal event, a detailed report is automatically generated, and the occurrence time, position, type and other information of the abnormal event, the related prediction result and threat level are recorded. The user side refers to the destination of the report transmission, typically a workstation or mobile device of a network administrator or a person responsible for network security. The prediction result refers to prediction of future network security situations by the model according to historical data and real-time data. Threat level refers to classifying the severity of potential threats based on the prediction results and security situation assessment. Threat levels may help users understand the urgency of the current security conditions and guide the taking of corresponding countermeasures.
Referring to FIG. 2, S20 includes the steps of:
S201, deleting invalid, erroneous and missing historical multi-modal data;
S202, converting data in different formats into data in a unified format;
S203, extracting statistical features of the flow data, wherein the statistical features comprise flow size, flow quantity and protocol type;
S204, extracting the log level, keywords and event sequence of the system log;
S205, extracting the user login behavior, file access and system configuration changes of the user behavior;
S206, extracting the performance indexes, error modes and resource use of the application program log.
In this embodiment, records containing invalid, erroneous or missing data are removed from the historical multi-modal dataset. Because historical multi-modal data may come from different systems and devices, its format may not be uniform, so all data is converted into a uniform format. Statistical features such as traffic size, traffic count and protocol type are extracted from the network traffic data; these features help the model learn the load and communication patterns of the network. Log levels (e.g., DEBUG, INFO, WARNING, ERROR), keywords and event sequences are extracted from the system log; these features help the model identify the state of the system and potential anomalies. Features such as user login behavior, file access and system configuration changes are extracted from the user behavior data; these help the model learn the user's behavior patterns and possible threats. Features such as performance indicators (e.g., response time, error rate), error patterns and resource usage are extracted from the application log; these help the model understand the running state of the application and potential threats.
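As an added example (not code from the patent), the following Python carries steps S201 to S206 over a few constructed records for each of the four modalities: invalid, erroneous and missing records are dropped, formats are unified, and the statistical, log, behavior and application features named above are extracted. The record layouts, the syslog line format, the keyword list and the feature names are all assumptions of the example.

```python
"""Added example: S201-S206 preprocessing and feature extraction over
constructed records for the four modalities (not the patent's own code)."""
import re
from collections import Counter

# Constructed sample input, one small batch per modality.
RAW_TRAFFIC = [
    {"bytes": "1500", "proto": "TCP"},
    {"bytes": "80", "proto": "UDP"},
    {"bytes": "", "proto": "TCP"},       # missing size
    {"bytes": "-5", "proto": "TCP"},     # erroneous size
    {"bytes": "4000", "proto": "tcp"},   # non-uniform protocol spelling
]
RAW_SYSLOG = [
    "2024-01-01T10:00:00Z sshd[412]: INFO Accepted password for alice",
    "2024-01-01T10:00:05Z sshd[412]: WARNING Failed password for root",
    "2024-01-01T10:00:06Z sshd[412]: ERROR Failed password for root",
    "garbage line without a level",   # invalid: dropped
]
RAW_USER_EVENTS = [
    {"user": "alice", "action": "login"},
    {"user": "alice", "action": "file_access", "path": "/etc/shadow"},
    {"user": "bob", "action": "config_change"},
    {"user": "", "action": "login"},   # invalid: no user
]
RAW_APP_LOG = [
    {"latency_ms": 120, "status": 200, "cpu": 0.4},
    {"latency_ms": 950, "status": 500, "cpu": 0.9},
    {"latency_ms": None, "status": 200, "cpu": 0.5},   # missing latency
]

LEVELS = ("DEBUG", "INFO", "WARNING", "ERROR")
# Assumed syslog layout: "<timestamp> <process>[<pid>]: <LEVEL> <message>"
SYSLOG_RE = re.compile(r"^(\S+) (\S+)\[\d+\]: (DEBUG|INFO|WARNING|ERROR) (.*)$")
KEYWORDS = ("Failed", "root", "Accepted")   # assumed keyword list

def clean_traffic(records):
    """S201/S202: drop invalid, erroneous or missing records; unify the format."""
    out = []
    for r in records:
        try:
            size = int(r["bytes"])
        except (KeyError, ValueError):
            continue            # missing or non-numeric size
        if size < 0:
            continue            # erroneous size
        out.append({"bytes": size, "proto": r["proto"].upper()})
    return out

def traffic_features(records):
    """S203: flow size, flow count and protocol-type share."""
    clean = clean_traffic(records)
    protos = Counter(r["proto"] for r in clean)
    return {
        "flow_bytes_total": sum(r["bytes"] for r in clean),
        "flow_count": len(clean),
        "proto_tcp_ratio": protos["TCP"] / len(clean) if clean else 0.0,
    }

def syslog_features(lines):
    """S204: log-level counts, keyword hits and the ordered event sequence."""
    levels, keywords, sequence = Counter(), Counter(), []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue            # S201: unparseable line is discarded
        _ts, proc, level, msg = m.groups()
        levels[level] += 1
        for kw in KEYWORDS:
            if kw in msg:
                keywords[kw] += 1
        sequence.append((proc, level))
    feats = {f"level_{lv.lower()}": levels[lv] for lv in LEVELS}
    feats.update({f"kw_{kw.lower()}": keywords[kw] for kw in KEYWORDS})
    feats["event_sequence"] = sequence
    return feats

def user_behavior_features(events):
    """S205: login, file-access and configuration-change counts."""
    valid = [e for e in events if e.get("user")]
    actions = Counter(e["action"] for e in valid)
    return {
        "logins": actions["login"],
        "file_accesses": actions["file_access"],
        "config_changes": actions["config_change"],
        "distinct_users": len({e["user"] for e in valid}),
    }

def app_log_features(entries):
    """S206: performance indicators, error pattern and resource usage."""
    valid = [e for e in entries if e.get("latency_ms") is not None]
    n = len(valid)
    return {
        "mean_latency_ms": sum(e["latency_ms"] for e in valid) / n if n else 0.0,
        "error_rate": sum(1 for e in valid if e["status"] >= 500) / n if n else 0.0,
        "max_cpu": max((e["cpu"] for e in valid), default=0.0),
    }
```

Every extractor first discards what it cannot interpret rather than guessing a value, which is the point of S201: a malformed record that is silently coerced to zero would later look like a quiet, healthy window to the model.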
Referring to FIG. 3, step S30 includes the steps of:
S301, splicing the preprocessed multi-modal data features to form a high-dimensional feature vector;
S302, assigning an initial weight to each modal feature in the high-dimensional feature vector;
S303, assigning a final weight to each modal feature based on a gradient descent algorithm;
S304, normalizing the weighted modal features;
S305, screening out the optimal features based on the final weights.
In this embodiment, data features (such as network traffic, system logs, user behavior, etc.) from different modalities are spliced together to form a vector containing multiple features. Each feature is assigned an initial weight that reflects the relative importance of the feature in the model. The weight of each feature is iteratively adjusted by a gradient descent algorithm to optimize model performance.
The weighted feature vectors are normalized to ensure that the feature values are within a specified range (typically [0,1] or [ -1,1 ]). And selecting a feature subset with the greatest contribution to the model performance according to the final weight so as to reduce feature dimensions and improve the model efficiency.
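The following Python, added here and not taken from the patent, works through S301 to S305 on constructed, already-scaled feature groups: the groups are spliced into one vector, each modality starts with an equal initial weight, one scalar weight per modality is refined by gradient descent on a logistic loss against constructed labels, the weighted vector is min-max normalized into [0,1], and modalities whose final weight falls below a cut-off are screened out. The convolutional feature extractor the patent mentions is not modelled; the sample values, the logistic objective, the learning rate and the weight cut-off are assumptions of the example.

```python
"""Added example: S301-S305 feature splicing, modality weighting by gradient
descent, normalization and screening (not the patent's own code)."""
import math

MODALITIES = ("traffic", "syslog", "user", "app")

# Constructed training windows: each modality contributes a small feature group
# already scaled to [0, 1]; label 1 marks an abnormal window.
SAMPLES = [
    ({"traffic": [0.9, 0.8], "syslog": [0.7], "user": [0.6, 0.5], "app": [0.2]}, 1),
    ({"traffic": [0.8, 0.9], "syslog": [0.9], "user": [0.7, 0.6], "app": [0.3]}, 1),
    ({"traffic": [0.1, 0.2], "syslog": [0.2], "user": [0.1, 0.2], "app": [0.8]}, 0),
    ({"traffic": [0.2, 0.1], "syslog": [0.1], "user": [0.2, 0.1], "app": [0.7]}, 0),
]

def splice(sample):
    """S301: concatenate the modality groups into one high-dimensional vector and
    remember which index slice each modality occupies."""
    vec, slices, pos = [], {}, 0
    for m in MODALITIES:
        vec.extend(sample[m])
        slices[m] = (pos, pos + len(sample[m]))
        pos += len(sample[m])
    return vec, slices

def modality_score(vec, slices, weights, bias):
    """Linear score in which every feature of modality m is scaled by w_m."""
    return bias + sum(weights[m] * sum(vec[a:b]) for m, (a, b) in slices.items())

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def fit_modality_weights(samples, lr=0.5, epochs=300):
    """S302/S303: start from equal initial weights and refine one scalar weight
    per modality by batch gradient descent on the logistic loss (assumed objective)."""
    weights = {m: 1.0 / len(MODALITIES) for m in MODALITIES}   # S302
    bias = 0.0
    for _ in range(epochs):
        grad = {m: 0.0 for m in MODALITIES}
        grad_b = 0.0
        for sample, y in samples:
            vec, slices = splice(sample)
            err = sigmoid(modality_score(vec, slices, weights, bias)) - y
            for m, (a, b) in slices.items():
                grad[m] += err * sum(vec[a:b])
            grad_b += err
        for m in MODALITIES:                                     # S303
            weights[m] -= lr * grad[m] / len(samples)
        bias -= lr * grad_b / len(samples)
    return weights, bias

def normalize(values, lo=0.0, hi=1.0):
    """S304: min-max scale a weighted feature vector into [lo, hi]."""
    vmin, vmax = min(values), max(values)
    if vmax == vmin:
        return [lo for _ in values]
    return [lo + (v - vmin) * (hi - lo) / (vmax - vmin) for v in values]

def fuse(sample, weights):
    """Apply the final modality weights to the spliced vector and normalize it."""
    vec, slices = splice(sample)
    weighted = list(vec)
    for m, (a, b) in slices.items():
        for i in range(a, b):
            weighted[i] = vec[i] * weights[m]
    return normalize(weighted)

def predict(sample, weights, bias):
    """Probability that a window is abnormal under the fitted weights."""
    vec, slices = splice(sample)
    return sigmoid(modality_score(vec, slices, weights, bias))

def screen(weights, min_abs_weight=0.2):
    """S305: keep the modalities whose final |weight| clears the cut-off (assumed value)."""
    return [m for m in MODALITIES if abs(weights[m]) >= min_abs_weight]
```

With these constructed windows the traffic, syslog and user groups end up with positive weights and the application group with a negative one, because high application load coincides with the normal windows here; a practitioner reading the final weights should treat a sign like that as a statement about the training data, not about the modality, and re-check it on a held-out period before screening anything out.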
Referring to FIG. 4, S40 includes the steps of:
S401, determining an input layer and an output layer of a situation awareness model based on a deep neural network;
S402, the input layer comprising various features from network traffic, system logs, user behavior and application logs;
S403, the output layer comprising an abnormal event, a predicted result and a threat level;
S404, training the network through the preprocessed training set, and optimizing the network weights through multiple iterations.
In this embodiment, the design of the structure of the neural network is involved, including determining the input layer and the output layer. The input layer receives features from the multi-modal data, and the output layer generates a prediction result of the model. The data characteristics received by the input layer come from different parts of the network, and are the objects of the situation awareness model analysis. The result produced by the output layer is the output of the situational awareness model, which is used to indicate the security conditions of the network, including whether an abnormal event is detected, the predicted security situation, and the level of threat. The preprocessed data set is used for training the neural network, and the weights of the network are updated through multiple iterations, so that the network can learn patterns and rules in the data, and the prediction capability of the model is improved.
Referring to FIG. 5, step S40 further includes the steps of:
S405, comparing the AUC values, with AUC 1 representing the AUC maximum of the first ROC curve, AUC 1 being the threshold of the flow data;
S406, comparing the AUC values, with AUC 2 representing the AUC maximum of the second ROC curve, AUC 2 being the threshold of the system log;
S407, comparing the AUC values, with AUC 3 representing the AUC maximum of the third ROC curve, AUC 3 being the threshold of user behavior;
S408, comparing the AUC values, with AUC 4 representing the AUC maximum of the fourth ROC curve, AUC 4 being the threshold of the application program log.
In this embodiment, the AUC values are compared to find the AUC maximum of the first ROC curve, referred to as AUC 1; AUC 1 corresponds to the threshold of the flow data. Similarly, the comparison finds the AUC maximum of the second ROC curve, referred to as AUC 2, which corresponds to the threshold of the system log, and the AUC maximum of the third ROC curve, referred to as AUC 3, which corresponds to the threshold of user behavior.
Finally, the comparison finds the AUC maximum of the fourth ROC curve, referred to as AUC 4, which corresponds to the threshold of the application log.
Referring to FIG. 6, S50 includes the steps of:
S501, when the flow data is higher than AUC 1, identifying a flow data anomaly;
S502, when the system log is higher than AUC 2, identifying a system log anomaly;
S503, when the user behavior is higher than AUC 3, identifying a user behavior anomaly;
S504, when the application program log is higher than AUC 4, identifying an application program log anomaly.
In this embodiment, if the predicted result of the flow data characteristic of a certain sample (i.e., the output of the model) is higher than the AUC 1 threshold, the flow data of the sample is considered to be abnormal. AUC 1 is the maximum of the AUC values corresponding to the flow data and represents the best performance of the model on the flow data. Likewise, if the prediction result of the system log characteristic of a certain sample is higher than the AUC 2 threshold, the system log of the sample is considered to be abnormal. AUC 2 is the maximum of the corresponding AUC values of the system log, representing the best performance of the model on the system log data. If the predicted result of the user behavior characteristic of a certain sample is higher than the AUC 3 threshold value, the user behavior of the sample is considered to be abnormal. AUC 3 is the maximum of the AUC values corresponding to the user behavior and represents the best performance of the model on the user behavior data. If the predicted result of the application log feature of a certain sample is higher than the AUC 4 threshold, the application log of the sample is considered to be abnormal. AUC 4 is the maximum value of the corresponding AUC value of the application log, representing the best performance of the model on the application log data.
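As an added example (not the patent's own code), the following Python covers S401 to S408 and S501 to S504 together with the S60 report on constructed validation scores: for each modality it traces the ROC curve, computes the AUC by the trapezoid rule and records a threshold, then compares real-time per-modality scores against those thresholds, raises the alarm and fills in the report fields. The patent phrases the run-time comparison as being against the AUC maximum; because a single sample yields a score rather than an AUC, this example takes each modality's threshold from the ROC operating point with the largest TPR minus FPR, which is its own assumption, as are the scores, the threat-level rule and the report layout.

```python
"""Added example: per-modality ROC curve, AUC and threshold (S401-S408), the
real-time decision (S501-S504) and the S60 report (not the patent's own code)."""

MODALITIES = ("traffic", "syslog", "user", "app")

# Constructed validation output: (model score in [0, 1], true label) per
# historical window for each modality; label 1 means the window was abnormal.
HISTORY = {
    "traffic": [(0.95, 1), (0.80, 1), (0.60, 0), (0.30, 0), (0.10, 0)],
    "syslog":  [(0.90, 1), (0.70, 1), (0.65, 0), (0.20, 0), (0.15, 0)],
    "user":    [(0.85, 1), (0.40, 0), (0.75, 1), (0.35, 0), (0.05, 0)],
    "app":     [(0.50, 1), (0.55, 0), (0.45, 0), (0.60, 1), (0.10, 0)],
}

def roc_curve(scored):
    """S40: sweep the score threshold downward and return the ROC points as
    (fpr, tpr, threshold), starting at (0, 0)."""
    pos = sum(1 for _, y in scored if y == 1)
    neg = len(scored) - pos
    points = [(0.0, 0.0, float("inf"))]
    tp = fp = 0
    for score, y in sorted(scored, key=lambda t: -t[0]):
        if y == 1:
            tp += 1
        else:
            fp += 1
        points.append((fp / neg, tp / pos, score))
    return points

def auc(points):
    """Area under the ROC curve by the trapezoid rule."""
    area = 0.0
    for (x0, y0, _), (x1, y1, _) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area

def operating_threshold(points):
    """Assumption of this example: the decision threshold for a modality is the
    score at the ROC point with the largest TPR - FPR (Youden's J)."""
    best = max(points[1:], key=lambda p: p[1] - p[0])
    return best[2]

def build_model(history):
    """S405-S408: one ROC curve, its AUC and a threshold per modality."""
    model = {}
    for m in MODALITIES:
        pts = roc_curve(history[m])
        model[m] = {"auc": auc(pts), "threshold": operating_threshold(pts)}
    return model

def detect(model, realtime_scores):
    """S501-S504: a modality is abnormal when its real-time score reaches
    that modality's threshold."""
    return [m for m in MODALITIES if realtime_scores[m] >= model[m]["threshold"]]

def threat_level(abnormal):
    """Assumption of this example: severity grows with the number of modalities
    that flag at the same time."""
    n = len(abnormal)
    return "none" if n == 0 else "low" if n == 1 else "medium" if n == 2 else "high"

def report(model, realtime_scores):
    """S60: alarm flag plus a report carrying the abnormal events, the predicted
    result and the threat level."""
    abnormal = detect(model, realtime_scores)
    return {
        "alarm": bool(abnormal),
        "abnormal_events": abnormal,
        "predicted_result": {m: realtime_scores[m] for m in abnormal},
        "threat_level": threat_level(abnormal),
    }
```

In the constructed data three modalities separate the abnormal windows perfectly (AUC 1.0) while the application log reaches only 5/6; a curve whose AUC sits near 0.5 would give a threshold that is barely better than chance, so a practitioner would want to see each modality's AUC on held-out windows before letting its threshold drive alarms on its own.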
It should be understood that the sequence numbers of the steps in the foregoing embodiment do not imply an order of execution; the order in which the processes are executed should be determined by their function and internal logic, and does not limit the implementation of the embodiments of the present application.
In an embodiment, a multi-modal network security situation awareness and fusion analysis system is provided, which corresponds one-to-one with the multi-modal network security situation awareness and fusion analysis method of the foregoing embodiments. The multi-modal network security situation awareness and fusion analysis system comprises:
S10, collecting historical multi-modal data, the historical multi-modal data comprising network flow data, a system log, user behaviors and an application log in a preset time period;
S20, preprocessing the historical multi-modal data, and extracting features of the historical multi-modal data based on a preset algorithm;
S30, a module for fusing features of different modalities, which fuses the historical multi-modal data features based on a convolutional neural network, optimizes the fused features based on a feature weighting method, and normalizes the fused features;
S40, drawing four ROC curves based on the historical multi-modal data features, calculating the AUC of each, comparing the AUCs, outputting the maximum AUC of each ROC curve, and constructing a situation awareness model;
S50, when an acquisition instruction is received, acquiring real-time multi-modal data, preprocessing it and extracting features, inputting them into the situation awareness model, and identifying an abnormal event when the AUC of the real-time multi-modal data is higher than the AUC maximum; and
a feedback module, used for issuing an alarm when an abnormal event is identified and generating a network security report to be sent to the user side, the network security report comprising the abnormal event, the prediction result and the threat level.
Optionally, the system further comprises:
a cleaning module, used for deleting invalid, erroneous and missing historical multi-modal data;
a conversion module, used for converting data in different formats into data in a uniform format;
a flow data feature extraction module, used for extracting statistical features of the flow data, the statistical features comprising flow size, flow count and protocol type;
a system log feature extraction module, used for extracting the log level, keywords and event sequence of the system log;
a user behavior feature extraction module, used for extracting user login behavior, file access and system configuration changes from the user behavior; and
an application log feature extraction module, used for extracting performance indicators, error patterns and resource usage from the application log.
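Step S20 and the cleaning, conversion and feature extraction modules above, as an added example that is not the patent's code, run over constructed raw records: NetFlow-style dictionaries, BSD syslog lines carrying a PRI prefix (severity = PRI mod 8), user events and application log entries. The record layouts, the keyword list and the exact feature definitions are assumptions; the page only names the feature categories. One flow record is missing its byte count and one syslog line is unstructured, so the cleaning step is exercised, and two timestamp spellings exercise the format conversion.

```python
"""Step S20 illustrated: cleaning, format unification and per-modality feature
extraction over constructed raw records (added example, not patent code)."""
import re
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed input. One flow record lacks its byte count and one syslog line is
# unstructured (cleaning step); two timestamp spellings exercise conversion.
RAW_FLOWS = [
    {"ts": "2024-08-29 10:00:01", "proto": "tcp", "bytes": 1500},
    {"ts": "2024-08-29T10:00:02", "proto": "tcp", "bytes": 920},
    {"ts": "2024-08-29 10:00:03", "proto": "udp", "bytes": 80},
    {"ts": "2024-08-29 10:00:04", "proto": "udp", "bytes": None},
]
RAW_SYSLOG = [  # BSD syslog with PRI prefix: PRI = facility * 8 + severity
    "<38>Aug 29 10:00:01 host sshd[120]: Failed password for root from 10.0.0.5 port 4040",
    "<38>Aug 29 10:00:02 host sshd[120]: Failed password for root from 10.0.0.5 port 4041",
    "<35>Aug 29 10:00:03 host sudo[130]: authentication failure; user=bob",
    "garbage line without structure",
    "<4>Aug 29 10:00:05 host kernel: link down on eth0",
]
RAW_USER_EVENTS = [
    {"user": "alice", "action": "login", "ok": True},
    {"user": "alice", "action": "file_access", "path": "/etc/shadow"},
    {"user": "alice", "action": "config_change", "key": "sshd.PermitRootLogin"},
    {"user": "bob", "action": "login", "ok": False},
]
RAW_APP_LOG = [
    {"latency_ms": 120, "error": None, "cpu": 0.40, "mem_mb": 512},
    {"latency_ms": 900, "error": "TimeoutError", "cpu": 0.95, "mem_mb": 1400},
    {"latency_ms": 130, "error": "TimeoutError", "cpu": 0.42, "mem_mb": 520},
]

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
KEYWORDS = ("failed", "failure", "denied", "down")   # assumed keyword list
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")


def clean_flows(records):
    """Cleaning + conversion: drop records with a missing byte count or bad
    timestamp, and emit one ISO timestamp form whether the input used ' ' or 'T'."""
    out = []
    for r in records:
        try:
            ts = datetime.fromisoformat(r["ts"]).isoformat()
        except (KeyError, TypeError, ValueError):
            continue
        if isinstance(r.get("bytes"), int):
            out.append({**r, "ts": ts})
    return out


def flow_features(records):
    flows = clean_flows(records)
    return {"flow_count": len(flows),
            "flow_bytes": sum(r["bytes"] for r in flows),
            "protocols": dict(Counter(r["proto"] for r in flows))}


def syslog_features(lines):
    """Log level from PRI (severity = PRI % 8), keyword hits and the program
    event sequence; lines that do not parse are discarded."""
    levels, hits, sequence = Counter(), Counter(), []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pri, _ts, _host, prog, msg = m.groups()
        levels[SEVERITY[int(pri) % 8]] += 1
        hits.update(kw for kw in KEYWORDS if kw in msg.lower())
        sequence.append(prog)
    return {"levels": dict(levels), "keyword_hits": dict(hits), "event_sequence": sequence}


def user_features(events):
    actions = Counter(e["action"] for e in events)
    return {"logins": actions["login"],
            "failed_logins": sum(1 for e in events if e["action"] == "login" and not e["ok"]),
            "file_accesses": actions["file_access"],
            "config_changes": actions["config_change"]}


def app_features(entries):
    return {"mean_latency_ms": mean(e["latency_ms"] for e in entries),
            "error_patterns": dict(Counter(e["error"] for e in entries if e["error"])),
            "max_cpu": max(e["cpu"] for e in entries),
            "max_mem_mb": max(e["mem_mb"] for e in entries)}


def extract_all():
    """Feature dictionary per modality, ready for the fusion step."""
    return {"flow": flow_features(RAW_FLOWS), "syslog": syslog_features(RAW_SYSLOG),
            "user_behavior": user_features(RAW_USER_EVENTS), "app_log": app_features(RAW_APP_LOG)}
```

Discarding unparsable lines rather than guessing at them matters for the later ROC step: a malformed record that is silently mapped to "no level, no keywords" would look like a quiet, benign sample and depress the scores of exactly the windows an attacker may be trying to hide in.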
Optionally, the system further comprises:
a splicing module, used for splicing the preprocessed multi-modal data features into a high-dimensional feature vector;
an initial weight assignment module, which assigns an initial weight to each modal feature in the high-dimensional feature vector;
a final weight assignment module, which assigns a final weight to each modal feature based on a gradient descent algorithm;
a normalization module, used for normalizing the weighted modal features; and
a screening module, used for screening out the optimal features based on the final weights.
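One concrete reading of S30 and the splicing, weighting, normalization and screening modules, as an added example that is not the patent's code: the modality vectors are spliced into one high-dimensional vector, every feature starts with the same initial weight, final weights are learned by batch gradient descent on a logistic loss, the weighted features are normalized, and the features with the largest final weights are kept. The training data, the logistic loss and min-max scaling are assumptions, and the convolutional fusion the page names is not reproduced. The example goes one step beyond the text by including a constant, uninformative feature to show the screening step rejecting it.

```python
"""S30 illustrated: splice modality vectors, learn per-feature weights by gradient
descent from a uniform initial weight, normalise, screen (added example, not patent code)."""
import math
from typing import Dict, List, Tuple

MODALITIES = ("flow", "syslog", "user_behavior", "app_log")
FEATURE_NAMES = {
    "flow": ["flow_bytes", "flow_count"],
    "syslog": ["syslog_err_count", "noise_const"],   # noise_const is identical in every sample
    "user_behavior": ["failed_logins", "config_changes"],
    "app_log": ["app_error_count"],
}
NAMES = [n for m in MODALITIES for n in FEATURE_NAMES[m]]

# Constructed, labelled historical windows (1 = attack window, 0 = benign window).
TRAIN: List[Tuple[Dict[str, List[float]], int]] = [
    ({"flow": [1000, 10], "syslog": [0, 3], "user_behavior": [0, 0], "app_log": [0]}, 0),
    ({"flow": [1200, 12], "syslog": [1, 3], "user_behavior": [0, 1], "app_log": [0]}, 0),
    ({"flow": [800, 9], "syslog": [0, 3], "user_behavior": [1, 0], "app_log": [1]}, 0),
    ({"flow": [1500, 14], "syslog": [1, 3], "user_behavior": [0, 0], "app_log": [0]}, 0),
    ({"flow": [9000, 80], "syslog": [3, 3], "user_behavior": [6, 2], "app_log": [4]}, 1),
    ({"flow": [7500, 60], "syslog": [2, 3], "user_behavior": [8, 1], "app_log": [3]}, 1),
    ({"flow": [8200, 70], "syslog": [4, 3], "user_behavior": [5, 3], "app_log": [5]}, 1),
    ({"flow": [6000, 50], "syslog": [2, 3], "user_behavior": [7, 2], "app_log": [2]}, 1),
]


def fuse(sample: Dict[str, List[float]]) -> List[float]:
    """Splicing step: modality vectors in a fixed order become one high-dimensional vector."""
    return [v for m in MODALITIES for v in sample[m]]


def minmax(X: List[List[float]]) -> List[List[float]]:
    """Column-wise min-max scaling to [0, 1]; a constant column becomes all zeros."""
    cols = list(zip(*X))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [[(v - l) / s for v, l, s in zip(row, lo, span)] for row in X]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))


def train_weights(X: List[List[float]], y: List[int], epochs: int = 2000, lr: float = 0.5):
    """Initial weight 1/d for every feature, then batch gradient descent on the
    logistic loss to obtain the final weights (plus a bias term)."""
    n, d = len(X), len(X[0])
    w, b = [1.0 / d] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(b + sum(wj * xj for wj, xj in zip(w, xi))) - yi
            gw = [g + err * xj for g, xj in zip(gw, xi)]
            gb += err
        w = [wj - lr * g / n for wj, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def weighted_normalized(X: List[List[float]], w: List[float]) -> List[List[float]]:
    """Weighted modal features x_j * w_j, normalised again column-wise."""
    return minmax([[xj * wj for xj, wj in zip(row, w)] for row in X])


def screen(w: List[float], keep: int) -> List[str]:
    """Screening step: keep the `keep` features with the largest final |weight|."""
    return [NAMES[i] for i in sorted(range(len(w)), key=lambda i: -abs(w[i]))[:keep]]


def run(keep: int = 4) -> Dict[str, object]:
    X = minmax([fuse(s) for s, _ in TRAIN])
    y = [label for _, label in TRAIN]
    w, b = train_weights(X, y)
    preds = [int(sigmoid(b + sum(wj * xj for wj, xj in zip(w, row))) >= 0.5) for row in X]
    return {"weights": dict(zip(NAMES, w)),
            "accuracy": sum(p == t for p, t in zip(preds, y)) / len(y),
            "selected": screen(w, keep),
            "fused": weighted_normalized(X, w)}


if __name__ == "__main__":
    result = run()
    print({k: round(v, 3) for k, v in result["weights"].items()})
    print("training accuracy", result["accuracy"], "selected", result["selected"])
```

Because the constant column scales to all zeros, its gradient is exactly zero and its weight never moves from the initial 1/d, so it is the first feature the screening step drops; a feature that is informative but on a much larger raw scale (flow_bytes) is put on the same footing as the small-integer counts by the normalization before training rather than after it.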
Optionally, the system further comprises:
an input and output determination module, used for determining the input layer and output layer of the situation awareness model based on a deep neural network;
an input layer module, the input layer comprising features from the network traffic, system log, user behavior and application log;
an output layer module, the output layer comprising the abnormal event, prediction result and threat level; and
an optimization module, used for training the network on the preprocessed training set and optimizing the network weights over multiple iterations.
Optionally, the system further comprises:
an AUC 1 module, used for comparing AUCs and denoting the maximum AUC of the first ROC curve as AUC 1, AUC 1 being the threshold for the flow data;
an AUC 2 module, used for comparing AUCs and denoting the maximum AUC of the second ROC curve as AUC 2, AUC 2 being the threshold for the system log;
an AUC 3 module, used for comparing AUCs and denoting the maximum AUC of the third ROC curve as AUC 3, AUC 3 being the threshold for user behavior; and
an AUC 4 module, used for comparing AUCs and denoting the maximum AUC of the fourth ROC curve as AUC 4, AUC 4 being the threshold for the application log.
Optionally, the system further comprises:
a flow data anomaly module, used for identifying abnormal flow data when the flow data score is higher than AUC 1;
a system log anomaly module, used for identifying a system log anomaly when the system log score is higher than AUC 2;
a user behavior anomaly module, used for identifying abnormal user behavior when the user behavior score is higher than AUC 3; and
an application log anomaly module, used for identifying an application log anomaly when the application log score is higher than AUC 4.
For the specific definition of the multi-modal network security situation awareness and fusion analysis system, reference may be made to the definition of the multi-modal network security situation awareness and fusion analysis method above, which is not repeated here. The modules of the multi-modal network security situation awareness and fusion analysis system may be implemented in whole or in part by software, hardware, or a combination of the two. The modules may be embedded in hardware in, or independent of, the processor of the computer device, or stored in software in the memory of the computer device, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 7. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is used to store network traffic, system logs, user behavior, and application logs. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements a multi-modal network security situation awareness and fusion analysis method.
In one embodiment, a computer device is provided that includes a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the multi-modal network security situation awareness and fusion analysis method when executing the computer program.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements the multi-modal network security situation awareness and fusion analysis method.
Those skilled in the art will appreciate that implementing all or part of the methods described above may be accomplished by a computer program stored on a non-transitory computer readable storage medium which, when executed, may comprise the steps of the method embodiments described above. Any reference to memory, storage, a database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM), among others.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the division into the functional units and modules described above is given only as an example; in practical application, the functions described above may be allocated to different functional units and modules as required, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the functions described above.
The foregoing embodiments are merely illustrative of the technical solutions of the present application, and not restrictive, and although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those skilled in the art that modifications may still be made to the technical solutions described in the foregoing embodiments or equivalent substitutions of some technical features thereof, and that such modifications or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (10)
1. A multi-modal network security situation awareness and fusion analysis method, characterized by comprising the following steps:
S10, collecting historical multi-modal data in a preset time period, the historical multi-modal data comprising network flow data, a system log, user behaviors and an application log;
S20, preprocessing the historical multi-modal data, and extracting features of the historical multi-modal data based on a preset algorithm;
S30, fusing the historical multi-modal data features based on a convolutional neural network, optimizing the fused features based on a feature weighting method, and normalizing the fused features;
S40, drawing four ROC curves based on the historical multi-modal data features, calculating the AUC of each, comparing the AUCs, outputting the maximum AUC of each ROC curve, and constructing a situation awareness model;
S50, when an acquisition instruction is received, acquiring real-time multi-modal data, preprocessing it and extracting features, inputting them into the situation awareness model, and identifying an abnormal event when the AUC of the real-time multi-modal data is higher than the AUC maximum; and
S60, when an abnormal event is identified, issuing an alarm, and generating a network security report and sending it to the user side, the network security report comprising the abnormal event, the prediction result and the threat level.
2. The method for sensing and fusion analysis of multi-modal network security situation as defined in claim 1, wherein the step of preprocessing the historical multi-modal data and extracting the characteristics of the historical multi-modal data based on a preset algorithm comprises the steps of:
deleting invalid, erroneous and missing historical multi-modal data;
converting data in different formats into data in a uniform format;
extracting statistical features of the flow data, the statistical features comprising flow size, flow count and protocol type;
extracting the log level, keywords and event sequence of the system log;
extracting user login behavior, file access and system configuration changes from the user behavior; and
extracting performance indicators, error patterns and resource usage from the application log.
3. The method for multi-modal network security situation awareness and fusion analysis according to claim 1, wherein the step of fusing the historical multi-modal data features based on the convolutional neural network and optimizing the fused features based on the feature weighting method comprises the steps of:
Splicing the preprocessed multi-mode data features to form a high-dimensional feature vector;
Assigning an initial weight to each modal feature in the high-dimensional feature vector;
Based on a gradient descent algorithm, assigning a final weight for each modality feature;
Normalizing the weighted modal characteristics;
And screening out optimal characteristics based on the final weight.
4. The method for multi-modal network security situation awareness and fusion analysis according to claim 1, wherein the step of drawing four ROC curves, calculating AUC, comparing AUC, outputting the maximum value of AUC of each ROC curve and constructing a situation awareness model based on historical multi-modal data features comprises the steps of:
Determining an input layer and an output layer of a situation awareness model based on a deep neural network;
The input layer includes various features from network traffic, system logs, user behavior, and application logs;
the output layer comprises an abnormal event, a predicted result and a threat level;
And training the network through the preprocessed training set, and optimizing the network weight through multiple iterations.
5. The method for multi-modal network security situation awareness and fusion analysis according to claim 1, wherein the steps of drawing four ROC curves, calculating AUC, comparing AUC, outputting the maximum value of AUC of each ROC curve, and constructing a situation awareness model based on historical multi-modal data features, further comprise the steps of:
comparing AUCs, and denoting the maximum AUC of the first ROC curve as AUC 1, AUC 1 being the threshold for the flow data;
comparing AUCs, and denoting the maximum AUC of the second ROC curve as AUC 2, AUC 2 being the threshold for the system log;
comparing AUCs, and denoting the maximum AUC of the third ROC curve as AUC 3, AUC 3 being the threshold for user behavior; and
comparing AUCs, and denoting the maximum AUC of the fourth ROC curve as AUC 4, AUC 4 being the threshold for the application log.
6. The method for multi-modal network security situation awareness and fusion analysis according to claim 1, wherein the step of, when an acquisition instruction is received, acquiring real-time multi-modal data, preprocessing it and extracting features, inputting them into the situation awareness model, and identifying an abnormal event when the AUC of the real-time multi-modal data is higher than the AUC maximum comprises the steps of:
when the flow data score is higher than AUC 1, identifying abnormal flow data;
when the system log score is higher than AUC 2, identifying a system log anomaly;
when the user behavior score is higher than AUC 3, identifying abnormal user behavior; and
when the application log score is higher than AUC 4, identifying an application log anomaly.
7. A multi-modal network security situation awareness and fusion analysis system, characterized by comprising:
S10, collecting historical multi-modal data, the historical multi-modal data comprising network flow data, a system log, user behaviors and an application log in a preset time period;
S20, preprocessing the historical multi-modal data, and extracting features of the historical multi-modal data based on a preset algorithm;
S30, a module for fusing features of different modalities, which fuses the historical multi-modal data features based on a convolutional neural network, optimizes the fused features based on a feature weighting method, and normalizes the fused features;
S40, drawing four ROC curves based on the historical multi-modal data features, calculating the AUC of each, comparing the AUCs, outputting the maximum AUC of each ROC curve, and constructing a situation awareness model;
S50, when an acquisition instruction is received, acquiring real-time multi-modal data, preprocessing it and extracting features, inputting them into the situation awareness model, and identifying an abnormal event when the AUC of the real-time multi-modal data is higher than the AUC maximum; and
a feedback module, used for issuing an alarm when an abnormal event is identified and generating a network security report to be sent to the user side, the network security report comprising the abnormal event, the prediction result and the threat level.
8. The multi-modal network security situation awareness and fusion analysis system of claim 7, further comprising:
a cleaning module, used for deleting invalid, erroneous and missing historical multi-modal data;
a conversion module, used for converting data in different formats into data in a uniform format;
a flow data feature extraction module, used for extracting statistical features of the flow data, the statistical features comprising flow size, flow count and protocol type;
a system log feature extraction module, used for extracting the log level, keywords and event sequence of the system log;
a user behavior feature extraction module, used for extracting user login behavior, file access and system configuration changes from the user behavior; and
an application log feature extraction module, used for extracting performance indicators, error patterns and resource usage from the application log.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the multi-modal network security situation awareness and fusion analysis method of any of claims 1 to 6 when the computer program is executed.
10. A computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the multi-modal network security situation awareness and fusion analysis method of any of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411195722.7A CN119172119A (en) | 2024-08-29 | 2024-08-29 | A multi-modal network security situation awareness and fusion analysis method and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119172119A true CN119172119A (en) | 2024-12-20 |
Family
ID=93877624
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411195722.7A Pending CN119172119A (en) | 2024-08-29 | 2024-08-29 | A multi-modal network security situation awareness and fusion analysis method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119172119A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120010363A (en) * | 2025-04-22 | 2025-05-16 | 北京网藤科技有限公司 | A power plant control system network monitoring and early warning method, system and program product |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11868242B1 (en) | Method, apparatus, and computer program product for predictive API test suite selection | |
| US20200160230A1 (en) | Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs | |
| JP2023551029A (en) | Proactive anomaly detection | |
| CN114580263A (en) | Knowledge graph-based information system fault prediction method and related equipment | |
| CN117436073B (en) | Security log alarming method, medium and equipment based on intelligent label | |
| CN113098715B (en) | Information processing method, device, system, medium and computing equipment | |
| CN118709184B (en) | Malicious code escape detection method and device | |
| CN119172119A (en) | A multi-modal network security situation awareness and fusion analysis method and system | |
| CN120029858B (en) | Comprehensive financial IT operation and maintenance management system and method based on artificial intelligence | |
| US20250094271A1 (en) | Log representation learning for automated system maintenance | |
| US20250238306A1 (en) | Interactive data processing system failure management using hidden knowledge from predictive models | |
| CN117390545A (en) | Risk assessment method | |
| KR20210046423A (en) | Method and Apparatus for Security Management Based on Machine Learning | |
| CN117725594A (en) | Multiple composite detection method, device, equipment and storage medium of intelligent contract | |
| US12348539B2 (en) | Systems, methods, and graphical user interfaces for configuring and executing one or more computer-executable threat hunting protocols in a cybersecurity threat detection and mitigation platform | |
| CN114385398A (en) | Request response state determination method, device, equipment and storage medium | |
| US20250238303A1 (en) | Interactive data processing system failure management using hidden knowledge from predictive models | |
| CN112307271A (en) | A safety monitoring method and device for remote control business of distribution automation system | |
| KR20240176041A (en) | Method and apparatus for managing redundant security threat data | |
| CN114265757A (en) | A device abnormality detection method, device, storage medium and device | |
| CN117828136A (en) | Causal weight graph generation method and device and root cause analysis method and device | |
| CN119938365A (en) | Log processing method, device and equipment | |
| CN116933335A (en) | Security data analysis method based on real-time aggregation anomaly detection | |
| CN115098326A (en) | System anomaly detection method and device, storage medium and electronic equipment | |
| CN120012107B (en) | Information security level protection evaluation system and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||