CN118972157A - A network security intelligent protection method and system based on intrinsic security mechanism - Google Patents
- Publication number: CN118972157A (application CN202411355033.8A)
- Authority
- CN
- China
- Prior art keywords
- network
- flow
- port
- index
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04L (Transmission of digital information, e.g. telegraphic communication), H04L63/00 (Network architectures or network communication protocols for network security):
- H04L63/20: managing network security; network security policies in general
- H04L63/10: controlling access to devices or network resources
- H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic; H04L63/1416: event detection, e.g. attack signature detection; H04L63/1425: traffic logging, e.g. anomaly detection
- H04L63/1441: countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a network security intelligent protection method and system based on an endogenous security mechanism, in the technical field of network security. The scheme is as follows: monitor real-time network traffic data and historical traffic data; calculate a traffic mutation index F_m, a protocol anomaly index P_a and a port anomaly index Port_a, and judge each for abnormality; calculate a comprehensive anomaly index I and judge the traffic state against preset thresholds, triggering the protection of the endogenous security mechanism when the traffic is seriously abnormal; calculate a risk assessment value R and an access-control rule strength ACL, and take different measures against abnormal traffic accordingly; check the intrusion prevention system, calculate the detection sensitivity S and the current attack update frequency F_new, from these calculate the current network access control policy strength C_new, and update the network's access control policy in real time. The method carries an endogenous security mechanism, can protect immediately against serious abnormality, and continuously learns to optimise the protection strategy so as to adapt to changes in the network environment and to new security threats.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a network security intelligent protection method and system based on an endogenous security mechanism.
Background
Traditional network security protection systems rely mainly on boundary (perimeter) protection: checkpoints placed at the network boundary filter and monitor the traffic entering and leaving the network so as to block external malicious attacks. As attack techniques evolve, however, attackers are increasingly adept at finding weaknesses in boundary protection and at penetrating the network through various covert channels. Access control, the other common traditional protection means, can limit the access rights of different users to network resources, but it often falls short against complex insider attacks and privilege abuse: an insider can perform malicious operations with legitimate authority, or negligence can leave a security hole that is then exploited.
In addition, the wide adoption of emerging technologies such as the Internet of Things, cloud computing and big data has made networks explosively larger and more complex. The large number of IoT devices connecting to the network blurs the network boundary and multiplies the points that can be attacked. In a cloud computing environment, the sharing and dynamic allocation of resources pose great challenges to security management, and the storage and processing of big data is an easy target for attackers; once data is leaked, the consequences are serious.
Most existing network security protection systems are passive and rely mainly on known attack signatures for detection, so they cannot discover and block novel attacks and unknown threats in time. Moreover, a passive protection system responds only after an attack has occurred; its response time is long, it has difficulty containing the spread of the attack, and serious losses may result.
Disclosure of Invention
(I) Technical problem to be solved
To address the defects of the prior art, the invention provides a network security intelligent protection method and system based on an endogenous security mechanism, which judge abnormal states by calculating several indices and trigger the endogenous security mechanism to protect against serious abnormality. Based on historical data, risk assessment, rule strength calculation, checking of the intrusion detection system and updating of the access control policy strength, the protection measures are adjusted dynamically to cope with network changes and new security threats, which solves the problems of incomplete monitoring, passive defence, lagging response and inflexible policy adjustment.
(II) technical scheme
To achieve the above purpose, the invention is realised by the following technical scheme. An intelligent network security protection method based on an endogenous security mechanism comprises the following steps:
acquiring real-time data of the monitored network traffic and historical network traffic data;
calculating, from the real-time network traffic data, a traffic mutation index F_m, a protocol anomaly index P_a and a port anomaly index Port_a, and judging each for abnormality; when any one of the indices is abnormal, calculating a comprehensive anomaly index I from F_m, P_a and Port_a, presetting a comprehensive anomaly index threshold, comparing I with it and judging the abnormal state of the network traffic; and when the network traffic is seriously abnormal, immediately triggering the endogenous security mechanism for protection;
calculating a risk assessment value R from the historical network traffic data; calculating the access-control rule strength ACL from R, presetting a rule strength threshold, comparing ACL with it and taking different measures against the abnormal network traffic according to the result; calculating a detection sensitivity S and a current attack update frequency F_new from the historical traffic data, evaluating the monitoring sensitivity state from S and adjusting the network security policy according to F_new; and calculating the current network access control policy strength C_new from the historical traffic data and adjusting the access control policy according to C_new.
In a preferred scheme of the network security intelligent protection method based on the endogenous security mechanism, the traffic mutation index F_m is calculated as follows:
Calculate the average network traffic F_avg within the unit time T according to the following formula:
where F(t) is the network traffic at time point t, and t takes the values 1, 2, 3, ..., H, H being the number of time points into which the unit time T is divided.
Calculate the traffic standard deviation σ within the unit time T according to the following formula:
Monitor the network traffic data in real time, obtain the current traffic F_current, and calculate the traffic mutation index F_m from the average network traffic F_avg and the traffic standard deviation σ according to the following formula:
Preset a traffic mutation index threshold F_th; when |F_m| > F_th, the network traffic is considered to have a mutation abnormality.
In a preferred scheme of the network security intelligent protection method based on the endogenous security mechanism, the protocol anomaly index P_a is calculated as follows:
Calculate the traffic ratio P_i of each protocol over a period of time according to the following formula:
where F_i is the traffic of the i-th protocol, i = 1, 2, 3, ..., n; n is the number of protocols, a positive integer;
Calculate the average traffic ratio P_i,avg of the historical protocol data according to the following formula:
where the traffic ratio of the i-th protocol in the k-th historical time period is taken for k = 1, 2, 3, ..., M, and M, the number of historical time periods, is a positive integer;
Obtain the traffic ratio P_i,current of each protocol at the current moment and calculate the protocol anomaly index P_a according to the following formula:
Preset a protocol anomaly threshold P_th; when P_a > P_th, it is judged that the network traffic has a protocol anomaly.
In a preferred scheme of the network security intelligent protection method based on the endogenous security mechanism, the port anomaly index Port_a is calculated as follows:
Calculate the traffic ratio Port_s of the common ports over a period of time according to the following formula:
where F'_s is the traffic of the s-th common port, s = 1, 2, 3, ..., m; m is the number of common ports, a positive integer;
Calculate the historical average Port_s,avg of the common-port data according to the following formula:
where the traffic ratio of the s-th common port in the k-th historical time period is taken for k = 1, 2, 3, ..., M;
Monitor the network traffic data in real time, obtain the traffic ratio Port_s,current of each common port at the current moment and calculate the port anomaly index Port_a according to the following formula:
Preset a port anomaly index threshold Port_th; when Port_a > Port_th, the network traffic is considered to have a port anomaly.
In a preferred scheme of the network security intelligent protection method based on the endogenous security mechanism, the comprehensive anomaly index I is calculated from the traffic mutation index F_m, the protocol anomaly index P_a and the port anomaly index Port_a according to the following formula:
I = α × F_m + β × P_a + γ × Port_a
where α is the weight of the traffic mutation index F_m, taking a value of 0.1 to 0.3; β is the weight of the protocol anomaly index P_a, taking a value of 0.3 to 0.4; γ is the weight of the port anomaly index Port_a, taking a value of 0.3 to 0.5; and α + β + γ = 1;
The comprehensive anomaly index threshold comprises a first threshold I_1 and a second threshold I_2 with I_1 < I_2:
when I ≤ I_1, the network traffic is normal;
when I_1 < I ≤ I_2, the network traffic is slightly abnormal and an early warning is issued;
when I > I_2, the network traffic is seriously abnormal and the endogenous security mechanism is started for protection.
In a preferred scheme of the network security intelligent protection method based on the endogenous security mechanism, the historical network traffic data includes a risk score S_IP for the source IP address, a risk score S_Protocol for the protocol type, a risk score S_Port for the port and a risk score S_TrafficPattern for the traffic pattern;
the risk assessment value R is calculated from the historical network traffic data according to the following formula:
R = λ × S_IP + μ × S_Protocol + ν × S_Port + ξ × S_TrafficPattern
where λ is the weight of the source IP address risk score S_IP, taking a value of 0.2 to 0.4; μ is the weight of the protocol type risk score S_Protocol, taking a value of 0.1 to 0.4; ν is the weight of the port risk score S_Port, taking a value of 0.2 to 0.4; ξ is the weight of the traffic pattern risk score S_TrafficPattern, taking a value of 0.2 to 0.3; and λ + μ + ν + ξ = 1.
In a preferred scheme of the network security intelligent protection method based on the endogenous security mechanism, the access-control rule strength ACL is calculated from the risk assessment value R according to the following formula:
ACL = ρ × R + A
where ρ is the coefficient of the rule strength ACL, taking a value in [1, 5]; A is the base ACL rule strength, taking a value in [1, 3];
The rule strength threshold comprises a first threshold ACL1 and a second threshold ACL2:
when 0 ≤ ACL < ACL1, the abnormal network traffic is recorded but not blocked;
when ACL1 ≤ ACL < ACL2, traffic rate limiting is applied;
when ACL ≥ ACL2, the traffic is blocked completely.
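Worked as an added example (not the patent's own code): the comprehensive index I with its two thresholds, gated as the method requires so that I is only computed once a single index is abnormal, followed by the risk value R, the rule strength ACL and the three-tier response. The weight ranges are those given above; the index values, risk scores, thresholds I_1, I_2, ACL1, ACL2 and the coefficients ρ and A are constructed for the run.

```python
import math

# Weight ranges stated in the text (inclusive bounds); each set must sum to 1.
I_WEIGHT_RANGES = {"alpha": (0.1, 0.3), "beta": (0.3, 0.4), "gamma": (0.3, 0.5)}
R_WEIGHT_RANGES = {"lambda": (0.2, 0.4), "mu": (0.1, 0.4), "nu": (0.2, 0.4), "xi": (0.2, 0.3)}


def check_weights(weights, ranges):
    """Reject a weight vector that violates the ranges or does not sum to 1."""
    for name, (lo, hi) in ranges.items():
        if not lo <= weights[name] <= hi:
            raise ValueError(f"{name}={weights[name]} outside [{lo}, {hi}]")
    if not math.isclose(sum(weights.values()), 1.0, abs_tol=1e-9):
        raise ValueError("weights must sum to 1")


def composite_index(f_m, p_a, port_a, w):
    """I = alpha*F_m + beta*P_a + gamma*Port_a (F_m enters signed, as written)."""
    check_weights(w, I_WEIGHT_RANGES)
    return w["alpha"] * f_m + w["beta"] * p_a + w["gamma"] * port_a


def traffic_state(f_m, p_a, port_a, th, w, i1, i2):
    """Two-level judgement.  I is only computed once a single index is abnormal
    (|F_m| > F_th, P_a > P_th or Port_a > Port_th); otherwise the traffic is
    reported normal without computing I.  Returns (state, I)."""
    if i1 >= i2:
        raise ValueError("need I_1 < I_2")
    if not (abs(f_m) > th["F_th"] or p_a > th["P_th"] or port_a > th["Port_th"]):
        return "normal", None
    i = composite_index(f_m, p_a, port_a, w)
    if i <= i1:
        return "normal", i
    if i <= i2:
        return "warning", i     # slightly abnormal: issue an early warning
    return "severe", i          # seriously abnormal: trigger the endogenous mechanism


def risk_value(scores, w):
    """R = lambda*S_IP + mu*S_Protocol + nu*S_Port + xi*S_TrafficPattern."""
    check_weights(w, R_WEIGHT_RANGES)
    return (w["lambda"] * scores["S_IP"] + w["mu"] * scores["S_Protocol"]
            + w["nu"] * scores["S_Port"] + w["xi"] * scores["S_TrafficPattern"])


def acl_strength(r, rho, a):
    """ACL = rho*R + A, with rho in [1, 5] and the base strength A in [1, 3]."""
    if not (1 <= rho <= 5 and 1 <= a <= 3):
        raise ValueError("rho must lie in [1, 5] and A in [1, 3]")
    return rho * r + a


def acl_action(acl, acl1, acl2):
    """Map the rule strength onto the three measures the text prescribes."""
    if not 0 <= acl1 < acl2:
        raise ValueError("need 0 <= ACL1 < ACL2")
    if acl < acl1:
        return "log"         # record the abnormal traffic, do not block
    if acl < acl2:
        return "rate-limit"  # apply traffic rate limiting
    return "block"           # block the traffic completely


# Constructed inputs for a worked run (not measurements from the patent).
W_I = {"alpha": 0.2, "beta": 0.35, "gamma": 0.45}
W_R = {"lambda": 0.3, "mu": 0.2, "nu": 0.25, "xi": 0.25}
TH = {"F_th": 3.0, "P_th": 0.03, "Port_th": 0.03}
SCORES = {"S_IP": 0.9, "S_Protocol": 0.3, "S_Port": 0.6, "S_TrafficPattern": 0.8}

if __name__ == "__main__":
    state, i = traffic_state(4.0, 0.05, 0.02, TH, W_I, i1=0.5, i2=1.0)
    r = risk_value(SCORES, W_R)
    acl = acl_strength(r, rho=3, a=1)
    print(state, round(i, 4), round(r, 3), round(acl, 3), acl_action(acl, 2.0, 4.0))
```

Two consequences of the formulas as written are worth keeping in mind when setting the thresholds. The three indices do not share a scale: F_m is a standardised deviation that readily reaches several units, while P_a and Port_a are root-mean-square differences of traffic shares and stay well below 1, so with the stated weight ranges F_m dominates I and I_1, I_2 must be chosen on the F_m scale (or the indices normalised first); and F_m enters I with its sign, so a sudden drop in traffic, although flagged by |F_m| > F_th, lowers I. Likewise, since A ≥ 1, ACL never falls below 1 and the log-only tier is only reachable if ACL1 is set above A.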
In a preferred scheme of the network security intelligent protection method based on the endogenous security mechanism, the intrusion detection and prevention system is checked as follows:
The historical network traffic data further includes an initial detection sensitivity S_0, and the detection sensitivity S is calculated from S_0 according to the following formula:
where the influence coefficient of the rule strength ACL takes a value from 0 to 1;
Preset detection sensitivity thresholds, namely a first threshold S_low and a second threshold S_high with S_low < S_high:
when S < S_low, the monitoring sensitivity is low and there is a risk of missed detections;
when S_low ≤ S ≤ S_high, the monitoring sensitivity is within a reasonable range;
when S > S_high, the detection sensitivity is high and the risk of false alarms increases;
From the update frequency of the system before adjustment, obtain the attack update frequency F_z and calculate the current attack update frequency F_new according to the following formula:
where the adjustment coefficient of the attack update frequency F_z takes a value from 0 to 1;
Preset a current attack update frequency threshold F_th (distinct from the traffic mutation threshold of the same name):
when F_new ≤ F_th, the current attack update frequency is within a reasonable range and the network security policy is kept running as is;
when F_new > F_th, the current attack update frequency is high and the adjustment and updating of the network security policy is accelerated.
In a preferred scheme of the network security intelligent protection method based on the endogenous security mechanism, the current network access control policy strength C_new is calculated as follows:
the historical network traffic data further includes the network access control policy strength C;
the current network access control policy strength C_new is calculated from C according to the following formula (the argument of the logarithm is the current attack update frequency F_new, whose coefficient ω_2 is defined below):
C_new = C + ω_1 × S + ω_2 × log(F_new + ε)
where ω_1 is the adjustment coefficient of the detection sensitivity S, taking a value of 0.4 to 0.5; ω_2 is the adjustment coefficient of the current attack update frequency F_new, taking a value of 0.5 to 0.6; ω_1 + ω_2 = 1; and ε is a positive number;
if C_new ≥ C, the access control policy is strengthened; if C_new < C, it is relaxed.
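The update of the access control policy strength, written out as an added example (not the patent's code) together with the sensitivity and update-frequency checks of the preceding paragraph. The base of the logarithm is not stated, so the natural logarithm is assumed; the values of C, S, F_new, the thresholds and ε are constructed. The block also works out, from the formula itself, the only condition under which C_new < C can occur.

```python
import math


def sensitivity_state(s, s_low, s_high):
    """Classify the detection sensitivity S against S_low < S_high."""
    if s_low >= s_high:
        raise ValueError("need S_low < S_high")
    if s < s_low:
        return "low"          # risk of missed detections
    if s <= s_high:
        return "reasonable"
    return "high"             # false-alarm risk increases


def update_frequency_state(f_new, f_th):
    """Keep the policy as is when F_new <= F_th, otherwise speed up policy updates."""
    return "maintain" if f_new <= f_th else "accelerate"


def policy_strength(c, s, f_new, w1, w2, eps=1e-6):
    """C_new = C + w1*S + w2*log(F_new + eps).  Natural log is an assumption;
    eps > 0 keeps the logarithm defined when F_new is zero."""
    if not (0.4 <= w1 <= 0.5 and 0.5 <= w2 <= 0.6):
        raise ValueError("need w1 in [0.4, 0.5] and w2 in [0.5, 0.6]")
    if not math.isclose(w1 + w2, 1.0, abs_tol=1e-9):
        raise ValueError("w1 + w2 must equal 1")
    if eps <= 0 or f_new < 0:
        raise ValueError("eps must be positive and F_new non-negative")
    return c + w1 * s + w2 * math.log(f_new + eps)


def policy_decision(c, c_new):
    """Strengthen the access control policy when C_new >= C, relax it otherwise."""
    return "strengthen" if c_new >= c else "relax"


def relax_boundary(s, w1, w2, eps=1e-6):
    """Largest F_new at which the policy is still relaxed.  Since w1, w2 > 0 and
    S >= 0, C_new < C requires w2*log(F_new + eps) < -w1*S, i.e.
    F_new < exp(-w1*S / w2) - eps.  Relaxation is therefore only possible when
    the attack update frequency is below one event per measurement unit."""
    return math.exp(-w1 * s / w2) - eps


def update_policy(c, s, f_new, w1, w2, s_low, s_high, f_th, eps=1e-6):
    """One pass of the policy-update step: the new strength, the decision and
    the two state labels that accompany it."""
    c_new = policy_strength(c, s, f_new, w1, w2, eps)
    return {
        "C_new": c_new,
        "decision": policy_decision(c, c_new),
        "sensitivity": sensitivity_state(s, s_low, s_high),
        "update_frequency": update_frequency_state(f_new, f_th),
    }


if __name__ == "__main__":
    # Constructed inputs: C is the stored policy strength, S lies in [0, 1],
    # F_new is counted in new attack signatures per day.
    print(update_policy(2.0, 0.7, 5.0, 0.45, 0.55, 0.3, 0.8, 3.0))
    print(update_policy(2.0, 0.2, 0.05, 0.45, 0.55, 0.3, 0.8, 3.0))
    print("relaxes below F_new =", relax_boundary(0.2, 0.45, 0.55))
```

Because both adjustment coefficients are positive and S is non-negative, the "relax" branch of the rule is reachable only through the logarithm going negative, that is, only when F_new + ε < 1; with F_new measured in events per day this means fewer than one new attack signature per day. Whoever deploys the formula should choose the unit of F_new with that in mind.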
The invention also discloses a network security intelligent protection system based on an endogenous security mechanism, used to implement the network security intelligent protection method above, which comprises:
a traffic monitoring module, used to acquire real-time data of the monitored network traffic and historical network traffic data;
an anomaly judgement module, used to calculate, from the real-time traffic data, the traffic mutation index F_m, the protocol anomaly index P_a and the port anomaly index Port_a and judge each for abnormality; when any one of the indices is abnormal, to calculate the comprehensive anomaly index I from F_m, P_a and Port_a, preset a comprehensive anomaly index threshold, compare I with it and judge the abnormal state of the network traffic; and, when the network traffic is seriously abnormal, to immediately trigger the endogenous security mechanism for protection;
an endogenous security analysis module, used to calculate the risk assessment value R from the historical network traffic data; to calculate the access-control rule strength ACL from R, preset a rule strength threshold, compare ACL with it and take different measures against the abnormal network traffic according to the result; to calculate the detection sensitivity S and the current attack update frequency F_new from the historical traffic data, evaluate the monitoring sensitivity state from S and adjust the network security policy according to F_new; and to calculate the current network access control policy strength C_new from the historical traffic data and adjust the access control policy according to C_new.
(III) beneficial effects
The network security intelligent protection method and system based on an endogenous security mechanism provided by the invention have the following beneficial effects:
(1) Monitoring network traffic data in real time allows abnormal traffic in the network to be discovered in time, countermeasures to be taken quickly and the security risk to be reduced;
(2) Calculating several indices over the traffic data identifies the various kinds of abnormality in the traffic comprehensively and accurately; the comprehensive anomaly index I assesses the health of the traffic as a whole and avoids the misjudgements a single index would make; comparison against preset thresholds gives a clear quantitative standard for the judgement, making it more objective; and when a serious abnormality is found, the endogenous security mechanism is triggered in time, so that network threats are handled quickly, the secure and stable operation of the network system is protected, and risks such as data leakage and service interruption that a network attack or abnormal traffic might cause are reduced, safeguarding users' interests and the normal operation of network services;
(3) Calculating the risk assessment value from historical traffic data makes the judgement of abnormal traffic more accurate and identifies potential risks better; deriving the access-control rule strength from the risk value and choosing the measure by comparison with the thresholds gives fine-grained handling of abnormal traffic, avoiding excessive restriction of normal access while still preventing risk effectively; checking the intrusion detection and prevention system and computing the related parameters to determine the strength of the access control policy keeps the security policy closely adapted to the dynamics of network attacks and improves the network's ability to cope with them; and updating the access control policy in real time keeps the protection in its best state, effectively preventing intrusion and safeguarding the security and stability of the network and the integrity and confidentiality of its data.
Drawings
FIG. 1 is a schematic diagram of steps of a network security intelligent protection method based on an endogenous security mechanism;
Detailed Description
The embodiments of the invention are described below clearly and completely with reference to the accompanying drawings; the embodiments described are evidently only some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the invention.
Referring to FIG. 1, the invention provides a network security intelligent protection method based on an endogenous security mechanism, comprising the following steps:
Step one: acquire real-time data of the monitored network traffic and historical network traffic data;
Step 101: Deploy traffic monitoring equipment at the key nodes of the network as a distributed sensor network and collect network traffic data in real time, including the source IP address, destination IP address, port number, protocol type, packet size and traffic rate.
Real-time monitoring of the traffic data allows abnormal traffic to be found in time and helps to locate and resolve potential security problems quickly; it also helps the network administrator understand how the network is used, so that resources can be allocated and optimised reasonably; and continuous monitoring allows the network's performance to be assessed in real time, so that congestion, delay and similar problems are found promptly and the stability and reliability of the network improved by appropriate measures.
Step two: calculate, from the real-time traffic data, the traffic mutation index F_m, the protocol anomaly index P_a and the port anomaly index Port_a and judge each for abnormality; when any one of them is abnormal, calculate the comprehensive anomaly index I from F_m, P_a and Port_a, preset a comprehensive anomaly index threshold, compare I with it and judge the abnormal state of the network traffic; when the traffic is seriously abnormal, immediately trigger the endogenous security mechanism for protection.
Step 201: Within the unit time T, record the network traffic F(t) at each time point t in time order using the Nagios network monitoring tool, and calculate the average network traffic F_avg according to the following formula:
where F(t) is the network traffic at time point t; t is the sequence number of the time point, with values 1, 2, 3, ..., H; the unit time T is divided into H time points and data is collected once at each of them; H, the number of time points into which T is divided, is a positive integer.
The principle of this formula is to compute the average network traffic within the unit time T. F(t) is the network traffic at time point t; accumulating F(t) over all time points in the unit time T gives the total network traffic for the whole period; dividing this sum by the unit time T spreads the total evenly over each time unit, which yields the average level of network traffic over the period, i.e. the average network traffic F_avg.
Step 202: From the average network traffic F_avg, calculate the traffic standard deviation σ within the unit time T according to the following formula:
The principle of this formula is as follows. The average network traffic F_avg, obtained by summing the network traffic at all time points within the unit time T and dividing by T, represents the average level of the traffic within T. For each time point t, F(t) - F_avg is the difference between the traffic at that point and the average, and reflects how far the traffic at that point deviates from the average. Each difference is squared, (F(t) - F_avg)^2, which removes the sign of the difference and gives larger deviations more weight, since larger deviations contribute more to the overall dispersion. Summing the squared differences over all time points gives the total deviation; dividing that sum by the length T of the unit time gives the mean squared deviation; and taking the square root gives the standard deviation σ, which reflects how much the network traffic fluctuates around F_avg within the unit time T.
Step 203: Obtain the current network traffic F_current by monitoring the network traffic in real time, and calculate the traffic mutation index F_m from the average network traffic F_avg and the traffic standard deviation σ according to the following formula:
Based on statistical analysis of a large amount of historical network traffic data, determine the distribution of the traffic mutation index and preset a traffic mutation index threshold F_th; when |F_m| > F_th, the network traffic is considered to have a mutation abnormality.
The principle of this formula is as follows. The difference between the current traffic F_current and the average traffic F_avg over the period reflects how far the current traffic deviates from the average: a positive difference means the current traffic is above the average level, a negative one that it is below. The traffic standard deviation σ measures how much the traffic fluctuates around the average over the period. When the numerator is large and the denominator relatively small, F_m is large, indicating that the current traffic has changed sharply relative to the average; conversely, when the numerator is small or the denominator large, F_m is small, indicating that no obvious mutation has occurred.
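The three formulas of steps 201 to 203 are absent from this rendering of the page and survive only in the descriptions above. The following Python, added here as an editorial example and not part of the patent, implements them as described (F_avg as the traffic summed over the window divided by T, σ as the root of the mean squared deviation, F_m as the standardised deviation of the current reading) and adds the one check the text does not mention: a perfectly flat baseline gives σ = 0, which the formula cannot handle. The sample readings, the unit time and the threshold F_th are constructed for the example.

```python
import math
from typing import Sequence


def average_traffic(samples: Sequence[float], unit_time: float) -> float:
    """F_avg: the traffic summed over all H time points in the unit time T,
    divided by T (step 201).  With one sample per time unit H == T and this is
    the ordinary mean; T is taken explicitly to follow the text."""
    if unit_time <= 0 or not samples:
        raise ValueError("need a positive unit time and at least one sample")
    return sum(samples) / unit_time


def traffic_std(samples: Sequence[float], unit_time: float, f_avg: float) -> float:
    """sigma = sqrt( sum_t (F(t) - F_avg)^2 / T ) (step 202)."""
    return math.sqrt(sum((f - f_avg) ** 2 for f in samples) / unit_time)


def mutation_index(f_current: float, f_avg: float, sigma: float) -> float:
    """F_m = (F_current - F_avg) / sigma (step 203).  Signed: positive for a
    surge, negative for a drop.  A flat history (sigma == 0) leaves the formula
    undefined; the assumption here is that any departure from a flat baseline
    is an infinite mutation and no departure is zero."""
    if sigma == 0.0:
        return 0.0 if f_current == f_avg else math.copysign(math.inf, f_current - f_avg)
    return (f_current - f_avg) / sigma


def is_mutation(f_m: float, f_th: float) -> bool:
    """Step 203's test: abnormal when |F_m| > F_th."""
    return abs(f_m) > f_th


def evaluate_window(samples, unit_time, f_current, f_th):
    """Run steps 201 to 203 on one unit-time window and the latest reading."""
    f_avg = average_traffic(samples, unit_time)
    sigma = traffic_std(samples, unit_time, f_avg)
    f_m = mutation_index(f_current, f_avg, sigma)
    return {"F_avg": f_avg, "sigma": sigma, "F_m": f_m, "mutation": is_mutation(f_m, f_th)}


# Constructed sample: H = T = 10 readings (Mbit/s) collected once per time unit.
SAMPLES = [100, 110, 95, 105, 100, 98, 102, 104, 96, 100]
UNIT_TIME = 10
F_TH = 3.0

if __name__ == "__main__":
    for f_current in (103, 150, 60):   # ordinary reading, surge, drop
        print(f_current, evaluate_window(SAMPLES, UNIT_TIME, f_current, F_TH))
```

For the constructed window F_avg is 101 and σ is √18 ≈ 4.24, so a reading of 150 gives F_m ≈ 11.5 and a reading of 60 gives F_m ≈ -9.7; both exceed F_th = 3 in absolute value and are flagged, while a reading of 103 (F_m ≈ 0.47) is not. The drop is caught only because the test uses |F_m|; the sign is still available to tell a surge from an outage.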
Step 204: Monitor the network traffic in real time with the Wireshark network traffic analysis software and record the share of data traffic carried by each protocol; calculate the traffic ratio P_i of each protocol over a period of time according to the following formula:
where F_i is the traffic of the i-th protocol, i = 1, 2, 3, ..., n; n is the number of protocols, a positive integer.
The principle of this formula is as follows. It computes the traffic ratio of each protocol over a period of time, i.e. the relative weight of that protocol in the total network traffic, by comparing the traffic of the specific protocol with the total traffic of all protocols. F_i is the traffic of the i-th protocol and reflects the amount of data the protocol carried in the period; the sum of the traffic of all n protocols gives the total traffic of the network over the whole period; and dividing F_i by this total gives P_i, the proportion of the i-th protocol in the overall network traffic.
Step 205: From the traffic ratios P_i of the protocols over a period of time, calculate the average traffic ratio P_i,avg of the historical protocol data according to the following formula:
where the traffic ratio of the i-th protocol in the k-th historical time period is taken for k = 1, 2, 3, ..., M, and M, the number of historical time periods, is a positive integer;
The principle of this formula is as follows. The numerator sums the traffic ratio of the i-th protocol over the M historical time periods, each term being the ratio of the i-th protocol in the k-th historical period; the ratio in each historical period reflects the relative weight or activity of the protocol in that period, and summing over several periods takes the protocol's behaviour at different times into account. M is the number of historical periods used to compute the average. Dividing the numerator by M gives the historical average traffic ratio P_i,avg of the i-th protocol. If the protocol's ratio in the current period deviates greatly from this historical average, the network environment has changed or the protocol is being used abnormally, and further analysis and monitoring are needed.
Step 206: according to the network traffic data, obtain the traffic share $P_{i,current}$ of each protocol's data at the current moment and calculate the protocol anomaly index $P_a$ with the following formula:
$P_a = \sqrt{\frac{1}{n}\sum_{i=1}^{n}\left(P_{i,current} - P_{i,avg}\right)^2}$
It should be noted that the principle of this formula is: first, for each protocol $i$, the difference between the current traffic share $P_{i,current}$ and the historical average share $P_{i,avg}$ is calculated; this difference reflects how far the protocol's current share deviates from its historical average level; the difference is squared, $(P_{i,current} - P_{i,avg})^2$, so that it is always non-negative and larger deviations are amplified, making anomalies more pronounced; the squared differences of all protocols are then summed, $\sum_{i=1}^{n}(P_{i,current} - P_{i,avg})^2$, giving the total deviation; finally, the sum is divided by the number of protocols $n$ to obtain the mean deviation, and the square root of the mean deviation is the protocol anomaly index $P_a$; the larger this index, the further the protocol mix of the network traffic departs from its historical average level, i.e. the more likely a protocol anomaly is.
Step 207: collect network traffic data over a period of time, classify and sort it, and divide it by protocol type so that the traffic share of each protocol can be analysed afterwards; calculate the mean and standard deviation of each protocol's traffic share over the historical periods; preset a protocol anomaly threshold $P_{th}$ from that mean and standard deviation, and judge that the network traffic has a protocol anomaly when $P_a > P_{th}$.
Step 208: a network monitoring tool collects the traffic data of each port, and the traffic share $Port_s$ of each common port over a period of time is calculated with the following formula:
$Port_s = F_s' / \sum_{j=1}^{m} F_j'$
wherein $F_s'$ is the traffic volume of the $s$-th common port, $s = 1, 2, 3, \ldots, m$; $m$ is the number of common ports, a positive integer;
It should be noted that the principle of this formula is: $F_s'$ is the traffic volume of the $s$-th common port and reflects the amount of data transmitted through that port in the period; $\sum_{j=1}^{m} F_j'$, the sum of the traffic of all common ports, is obtained by adding up their traffic and gives the total traffic of the network transmitted through the common ports in the period; $Port_s$ is obtained by dividing the traffic $F_s'$ of the $s$-th common port by the sum of the traffic of all common ports, and represents the proportion of the $s$-th port's traffic in the traffic of all common ports.
Step 209: according to the traffic share $Port_s$ of each common port over a period of time, calculate the average $Port_{s,avg}$ of the historical common-port data with the following formula:
$Port_{s,avg} = \frac{1}{M}\sum_{k=1}^{M} Port_s^{(k)}$
wherein $Port_s^{(k)}$ (the notation used here for the page's missing symbol) is the traffic share of the $s$-th common port in the $k$-th historical period, $k = 1, 2, 3, \ldots, M$;
It should be noted that the principle of this formula is: first, $Port_s^{(k)}$ is the traffic share of the $s$-th common port in the $k$-th historical period; summing these shares over the $M$ historical periods, $\sum_{k=1}^{M} Port_s^{(k)}$, gives the sum of the common port's traffic share over all historical periods; dividing that sum by the number of historical periods $M$ gives the average $Port_{s,avg}$ of the historical common-port data; this average reflects the overall trend and average level of the common port's traffic share across several historical periods and helps in analysing changes in the port's traffic characteristics; if the common port's traffic share in a particular period differs greatly from the average, an abnormal condition in the network is indicated and further monitoring and analysis are needed.
Step 210: based on the network traffic data, obtain the traffic share $Port_{s,current}$ of each common port at the current moment and calculate the port anomaly index $Port_a$ with the following formula:
$Port_a = \sqrt{\frac{1}{m}\sum_{s=1}^{m}\left(Port_{s,current} - Port_{s,avg}\right)^2}$
It should be noted that the principle of this formula is: first, the share $Port_{s,current}$ of each common port's traffic at the current moment is obtained from the network traffic data; it is the proportion of the $s$-th common port's traffic in the traffic of all common ports at the current moment; for each common port $s$, $(Port_{s,current} - Port_{s,avg})^2$ is calculated, and the squared differences of all common ports are summed to give $\sum_{s=1}^{m}(Port_{s,current} - Port_{s,avg})^2$, which reflects how far the traffic shares of all common ports at the current moment deviate from their historical average level; finally, the sum is divided by the number of common ports $m$ and the square root is taken to obtain the port anomaly index $Port_a$; this index measures the overall abnormality of the common ports in the current network traffic; the larger its value, the further the current common-port traffic shares deviate from the historical average level and the more likely a port anomaly is.
Step 211: review security events that occurred in the network in the past, observe how the port anomaly index behaved during those events, analyse the ranges of the port anomaly index corresponding to different types of security event, take the average of those port anomaly indexes as the reference for the preset port anomaly threshold $Port_{th}$, and consider that the network traffic has a port anomaly when $Port_a > Port_{th}$.
Step 212: based on the traffic mutation index $F_m$, the protocol anomaly index $P_a$ and the port anomaly index $Port_a$, the comprehensive anomaly index $I$ is calculated with the following formula:
$I = \alpha F_m + \beta P_a + \gamma Port_a$
wherein $\alpha$ is the weight coefficient of the traffic mutation index $F_m$, with a value of 0.1 to 0.3; $\beta$ is the weight coefficient of the protocol anomaly index $P_a$, with a value of 0.3 to 0.4; $\gamma$ is the weight coefficient of the port anomaly index $Port_a$, with a value of 0.3 to 0.5; and $\alpha + \beta + \gamma = 1$.
It should be noted that the principle of this formula is: the formula constructs a comprehensive network anomaly index $I$; the traffic mutation index $F_m$ reflects sudden changes of the network traffic over a period of time, and a large mutation implies an abnormal event such as a burst of mass data transmission or a network attack; the protocol anomaly index $P_a$ measures whether the use of the different protocols deviates from the normal pattern, and an abnormal traffic share of a protocol may indicate an attack aimed at that protocol or a network configuration problem; the port anomaly index $Port_a$ evaluates whether the traffic shares of the common ports are abnormal, and abnormal port traffic may indicate a security problem such as port scanning or malware using a specific port; the weight coefficients $\alpha$, $\beta$ and $\gamma$ adjust the importance of the traffic mutation index, the protocol anomaly index and the port anomaly index in the comprehensive index; multiplying the three indexes by their weight coefficients and adding the products gives a comprehensive network anomaly index $I$ that reflects the current security state of the network.
Step 213: collect network traffic data over a period of time, calculate the mean and standard deviation of the comprehensive anomaly index in the historical data, and determine the boundary of the normal range from a chosen confidence interval, which gives the first threshold $I_1$; for serious anomalies, analyse the values of the comprehensive anomaly index when major network security events occurred in the past, which determines the second threshold $I_2$;
preset the first threshold $I_1$ and the second threshold $I_2$ of the comprehensive network traffic anomaly index, with $I_1 < I_2$:
when $I \le I_1$, the network traffic is normal;
when $I_1 < I \le I_2$, the network traffic is slightly abnormal, and an e-mail, SMS or system notification is sent;
when $I > I_2$, the network traffic is seriously abnormal, and the endogenous security mechanism is started for protection.
By calculating the traffic mutation index, the protocol anomaly index and the port anomaly index and judging each of them for anomalies separately, the state of the network traffic can be monitored comprehensively from different angles. This helps to discover potential security problems in time: sudden changes in traffic, abnormal protocol behaviour and suspicious port activity can all be identified accurately. When one index is abnormal, the comprehensive anomaly index $I$ is further calculated and compared with the preset thresholds, so that the abnormal state of the network traffic is assessed more comprehensively and the limitation of judging by a single index is avoided. When the network traffic is seriously abnormal, the endogenous security mechanism is triggered immediately for protection, so that security threats are responded to quickly and potential losses are kept to a minimum. This multi-index monitoring and rapid protection mechanism improves the security and stability of the network, ensures normal operation of the network and continuity of service, and provides users with a reliable network environment.
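The following is an added worked example of Step 2 (Steps 204 to 213), not code from the patent. It evaluates the three single-index checks over constructed traffic windows and, when one of them fires, computes the comprehensive index $I$ and classifies it. The page gives the share and deviation formulas in words but the $F_m$ formula itself is missing, so $F_m$ is implemented here as a z-score of the current total against the historical mean and standard deviation, which is our reading of claim 2; the weights, thresholds and sample byte counts are all assumptions:

```python
"""Step 2 anomaly indices (F_m, P_a, Port_a, I) evaluated over constructed traffic windows."""
import math

# Constructed sample data: each window is (bytes per protocol, bytes per common port).
# Every historical window has the same protocol and port mix; only the volume varies.
HISTORY = [
    ({"TCP": 700, "UDP": 200, "ICMP": 100}, {80: 400, 443: 500, 53: 100}),
    ({"TCP": 770, "UDP": 220, "ICMP": 110}, {80: 440, 443: 550, 53: 110}),
    ({"TCP": 630, "UDP": 180, "ICMP": 90}, {80: 360, 443: 450, 53: 90}),
    ({"TCP": 700, "UDP": 200, "ICMP": 100}, {80: 400, 443: 500, 53: 100}),
]
# Current window: total volume doubles and most of it is UDP towards port 53.
CURRENT = ({"TCP": 400, "UDP": 1500, "ICMP": 100}, {80: 100, 443: 200, 53: 1700})

# Assumed parameters; the page derives the thresholds from historical statistics.
WEIGHTS = {"alpha": 0.2, "beta": 0.35, "gamma": 0.45}  # alpha + beta + gamma = 1
THRESHOLDS = {"F_th": 3.0, "P_th": 0.1, "Port_th": 0.1, "I_1": 1.0, "I_2": 2.5}
SIGMA_FLOOR = 1e-9  # keeps F_m finite when every historical total is identical


def shares(counts):
    """P_i = F_i / sum_j F_j (Step 204); the same formula gives Port_s (Step 208)."""
    total = sum(counts.values())
    return {k: (v / total if total else 0.0) for k, v in counts.items()}


def historical_average(share_dicts):
    """P_{i,avg} = (1/M) * sum_{k=1..M} P_i^(k) (Steps 205 and 209).
    A protocol or port absent from a window contributes a share of 0 to the average."""
    keys = set().union(*share_dicts)
    M = len(share_dicts)
    return {k: sum(d.get(k, 0.0) for d in share_dicts) / M for k in keys}


def rms_deviation(current, average):
    """P_a = sqrt((1/n) * sum_i (P_{i,current} - P_{i,avg})^2) (Step 206); Port_a likewise."""
    keys = set(current) | set(average)
    total_sq = sum((current.get(k, 0.0) - average.get(k, 0.0)) ** 2 for k in keys)
    return math.sqrt(total_sq / len(keys))


def mutation_index(history_totals, current_total):
    """F_m as a z-score: (F_current - F_avg) / sigma, with F_avg and sigma the mean and
    population standard deviation of the historical totals (our reading of claim 2)."""
    T = len(history_totals)
    f_avg = sum(history_totals) / T
    sigma = math.sqrt(sum((f - f_avg) ** 2 for f in history_totals) / T)
    return (current_total - f_avg) / max(sigma, SIGMA_FLOOR)


def composite_index(f_m, p_a, port_a, w=WEIGHTS):
    """I = alpha * F_m + beta * P_a + gamma * Port_a (Step 212)."""
    return w["alpha"] * f_m + w["beta"] * p_a + w["gamma"] * port_a


def classify(i_value, th=THRESHOLDS):
    """Step 213: normal / slight (send a notification) / severe (trigger the mechanism)."""
    if i_value <= th["I_1"]:
        return "normal"
    return "slight" if i_value <= th["I_2"] else "severe"


def analyze(history=HISTORY, current=CURRENT, th=THRESHOLDS):
    """Run the three single-index checks; only if one fires is I computed and classified."""
    proto_hist = [shares(p) for p, _ in history]
    port_hist = [shares(q) for _, q in history]
    totals = [sum(p.values()) for p, _ in history]

    f_m = mutation_index(totals, sum(current[0].values()))
    p_a = rms_deviation(shares(current[0]), historical_average(proto_hist))
    port_a = rms_deviation(shares(current[1]), historical_average(port_hist))
    flags = {
        "mutation": abs(f_m) > th["F_th"],  # claim 2 tests |F_m| > F_th
        "protocol": p_a > th["P_th"],
        "port": port_a > th["Port_th"],
    }
    result = {"F_m": f_m, "P_a": p_a, "Port_a": port_a, "flags": flags,
              "I": None, "state": "normal"}
    if any(flags.values()):
        result["I"] = composite_index(f_m, p_a, port_a)
        result["state"] = classify(result["I"], th)
    return result


if __name__ == "__main__":
    for name, window in (("history[0]", HISTORY[0]), ("current", CURRENT)):
        r = analyze(current=window)
        print(name, {k: (round(v, 4) if isinstance(v, float) else v) for k, v in r.items()})
```

Two points a practitioner should notice when running this. $P_a$ and $Port_a$ are bounded because they are built from shares in $[0, 1]$, whereas $F_m$ is an unbounded z-score, so with the page's weight ranges $F_m$ dominates $I$ whenever traffic volume moves by more than a few standard deviations; the thresholds $I_1$ and $I_2$ absorb this only because Step 213 derives them from the historical distribution of $I$ itself. Also, the page's own check uses $|F_m|$ but $I$ uses $F_m$ with its sign, so a sudden traffic collapse lowers $I$ rather than raising it.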
Step three: calculate a risk assessment value $R$ from the network traffic history; calculate the access-control rule strength ACL from the risk assessment value $R$, preset a rule strength threshold, compare the rule strength ACL with it and take different measures against abnormal network traffic according to the result; calculate the detection sensitivity $S$ and the current attack update frequency $F_{new}$ from the network traffic history, and evaluate the monitoring sensitivity state from the detection sensitivity $S$; adjust the network security policy from the current attack update frequency $F_{new}$; calculate the current network access-control policy strength $C_{new}$ from the network traffic history and adjust the access-control policy according to $C_{new}$.
Step 301: establish a library of known malicious IP addresses, compare the source IP address with it and assign a risk score $S_{IP}$ according to the malice level of the match; classify the network protocols by security level, where secure protocols such as HTTPS receive a lower risk score while old or easily attacked protocols receive a higher one, and when the protocol type in the network traffic is monitored assign the risk score $S_{Protocol}$ according to that classification; establish a high-risk port list and a low-risk port list, compare the ports seen in the network traffic against them and assign the risk score $S_{Port}$; determine the risk score $S_{TrafficPattern}$ by analysing characteristics of the network traffic such as its time distribution, the trend of its volume and the distribution of its packets;
Step 302: from the risk score $S_{IP}$ of the source IP address, the risk score $S_{Protocol}$ of the protocol type, the risk score $S_{Port}$ of the port and the risk score $S_{TrafficPattern}$ of the traffic pattern, the risk assessment value $R$ is calculated with the following formula:
$R = \lambda S_{IP} + \mu S_{Protocol} + \nu S_{Port} + \xi S_{TrafficPattern}$
wherein $\lambda$ is the weight coefficient of the IP address risk score $S_{IP}$, with a value of 0.2 to 0.4; $\mu$ is the weight coefficient of the protocol type risk score $S_{Protocol}$, with a value of 0.1 to 0.4; $\nu$ is the weight coefficient of the port risk score $S_{Port}$, with a value of 0.2 to 0.4; $\xi$ is the weight coefficient of the traffic pattern risk score $S_{TrafficPattern}$, with a value of 0.2 to 0.3; and $\lambda + \mu + \nu + \xi = 1$.
It should be noted that the principle of this formula is: the formula evaluates the security risk of the network comprehensively; from the network traffic history it considers the risk in four key aspects, the source IP address, the protocol type, the port and the traffic pattern; the risk score $S_{IP}$ of the source IP address reflects the potential risk shown by that IP in the historical data; the risk score $S_{Protocol}$ of the protocol type measures the risk level of the different protocols in the traffic, where protocols that are easily exploited or have known security holes carry a corresponding risk value; the risk score $S_{Port}$ of the port evaluates the risk of the different ports in the traffic, where frequently attacked ports or ports associated with high-risk applications carry a specific risk score; the risk score $S_{TrafficPattern}$ of the traffic pattern reflects whether the pattern of the network traffic is abnormal; the weight coefficients $\lambda$, $\mu$, $\nu$ and $\xi$ adjust the importance of each risk score in the overall assessment; the final risk assessment value $R$ is obtained by multiplying each risk score by its weight coefficient and summing; a lower $R$ means the network's risk is smaller in every aspect and its security condition is better; a higher $R$ suggests that the network may carry a higher risk in its source IP addresses, protocols, ports or traffic patterns, requiring further analysis and corresponding security measures.
Step 303: from the risk assessment value $R$, the access-control rule strength ACL is calculated with the following formula:
$ACL = \rho R + A$
wherein $\rho$ is the coefficient of the rule strength ACL, with a value in $[1, 5]$; $A$ is the rule strength of the base ACL, with a value in $[1, 3]$.
It should be noted that the principle of this formula is: the formula determines the access-control rule strength ACL for the network security intelligent protection method based on the endogenous security mechanism; the risk assessment value $R$ is a quantitative representation of the network's current security risk that integrates several factors; the coefficient $\rho$, in $[1, 5]$, adjusts how strongly the risk assessment value influences the final rule strength; a larger $\rho$ means greater sensitivity to risk and a larger influence of the risk assessment value on the rule strength, so that access control becomes stricter as soon as a higher risk is detected; the base ACL rule strength $A$, in $[1, 3]$, is the default rule strength level applied without regard to the specific risk assessment and provides a baseline of access control; multiplying the risk assessment value by the coefficient gives a rule strength increment based on the current risk, and adding the base rule strength gives the access-control rule strength adapted to the network's current security state.
Step 304: collect network traffic data and security event records over a long time span from the intrusion monitoring system, analyse the various security events that occurred historically and determine the value of the access-control rule strength at the time each event occurred; calculate statistics of the occurrence frequency and impact of security events under different rule strengths, and from this statistical analysis preset the rule strength thresholds, a first rule strength threshold ACL1 and a second rule strength threshold ACL2:
when $0 \le ACL < ACL1$, record the abnormal network traffic but do not block it;
when $ACL1 \le ACL < ACL2$, apply rate limiting: limit the traffic to 50% of its original rate and, if the situation does not improve, reduce the rate further;
when $ACL \ge ACL2$, block the traffic completely, start the emergency response process, investigate and analyse the attack source and method further, take recovery measures, and so on.
Step 305: analyse the historical network traffic data of a past period, including normal traffic and known attack traffic; obtain the initial detection sensitivity $S_0$ by observing how the intrusion detection and prevention system performs under different conditions.
Step 306: the detection sensitivity of the intrusion detection and defense system is calculated as follows:
from the initial detection sensitivity $S_0$, the detection sensitivity $S$ is calculated with the following formula:
wherein the influence coefficient of the rule strength ACL takes a value in $[0, 1]$;
It should be noted that the principle of this formula is: the formula calculates the detection sensitivity of the intrusion detection and defense system; its purpose is to adjust the detection sensitivity dynamically according to the access-control rule strength ACL so as to improve the system's ability to detect network security threats; $S_0$ is the initial detection sensitivity determined from the network traffic history and reflects the system's basic detection capability without regard to the current rule strength; the influence coefficient of the rule strength ACL, with a value in $[0, 1]$, adjusts how strongly the rule strength affects the detection sensitivity: when the coefficient is close to 0 the rule strength has little influence on the detection sensitivity, and when it is close to 1 its influence is large; ACL is the access-control rule strength calculated from the risk assessment value, and the higher it is, the greater the security risk the network faces; the initial detection sensitivity $S_0$ is added to the product of the rule strength ACL and the influence coefficient to obtain the current detection sensitivity $S$; when the rule strength ACL increases and the influence coefficient is non-zero, the detection sensitivity $S$ increases accordingly, meaning the system detects potential security threats more sensitively.
Step 307: collect the numbers of attacks, false alarms and missed alarms of the intrusion detection and defense system over a past period, and compare the security events that actually occurred with the system's detection results at the different sensitivity levels in force in different periods; calculate the miss rate and the false-alarm rate at different detection sensitivities; from analysis of a large amount of historical data, preset the detection sensitivity thresholds, a third threshold $S_{low}$ and a fourth threshold $S_{high}$, with $S_{low} < S_{high}$:
when $S < S_{low}$, the detection sensitivity is low and there is a risk of missed alarms;
when $S_{low} \le S \le S_{high}$, the detection sensitivity is in a reasonable range;
when $S > S_{high}$, the detection sensitivity is high and the false-alarm risk increases.
Step 308: from the update frequency of the system in its normal, unadjusted running state, the attack update frequency $F_z$ is obtained, and the current attack update frequency $F_{new}$ is calculated with the following formula:
wherein the adjustment coefficient of the attack update frequency $F_z$ takes a value in $[0, 1]$.
It should be noted that the principle of this formula is: the formula calculates the current attack update frequency; its purpose is to adjust the attack update frequency dynamically according to the risk assessment value so that the system can respond more promptly to constantly changing security threats; $F_z$ is the update frequency of the system when the risk assessment value is not taken into account, and serves as the basis for calculating the current attack update frequency; the adjustment coefficient of the attack update frequency, with a value in $[0, 1]$, controls how strongly the risk assessment value influences the attack update frequency: when the coefficient is close to 0 the risk assessment value has little influence on the attack update frequency, and when it is close to 1 its influence is large; the higher the risk assessment value, the greater the security risk the network faces; in the formula, the risk assessment value is multiplied by the adjustment coefficient, 1 is added, and the result is multiplied by the base update frequency, which raises the attack update frequency; that is, the adjustment factor (1 plus the coefficient times the risk assessment value) is calculated first, and the base attack update frequency $F_z$ is then multiplied by that factor to obtain the current attack update frequency $F_{new}$.
Step 309: collect the attack update frequency data of the system in different security states over a past period, perform a statistical analysis of the historical data to determine the distribution of the attack update frequency in the different security states, and from this analysis preset a threshold $F_{th}$ for the current attack update frequency $F_{new}$ (the page reuses the symbol $F_{th}$, which claim 2 also uses for the unrelated traffic mutation threshold):
when $F_{new} \le F_{th}$, the current attack update frequency is in a reasonable range and the system runs stably;
when $F_{new} > F_{th}$, the current attack update frequency is high, and the adjustment and updating of the network security policy are accelerated.
Step 310: analyse how the network's access-control policy was implemented over a past period together with the corresponding security events and network states, obtain the historical network access-control policy strength $C$, and calculate the current network access-control policy strength $C_{new}$ with the following formula:
$C_{new} = C + \omega_1 S + \omega_2 \log(F_{new} + \varepsilon)$
wherein $\omega_1$ is the adjustment coefficient of the detection sensitivity $S$, with a value of 0.4 to 0.5; $\omega_2$ is the adjustment coefficient of the current attack update frequency $F_{new}$, with a value of 0.5 to 0.6; $\omega_1 + \omega_2 = 1$; and $\varepsilon$ is a small positive number;
if $C_{new} \ge C$, the access-control policy is tightened; if $C_{new} < C$, the access-control policy is relaxed.
It should be noted that the principle of this formula is: the formula calculates the strength of the current network access-control policy; its purpose is to adjust the access-control policy dynamically by jointly considering the historical access-control policy strength, the detection sensitivity and the attack update frequency, so as to improve the security of the network; $C$ is the network access-control policy strength at earlier moments, obtained from the historical data, and is the basis for calculating the new policy strength; $\omega_1$, the adjustment coefficient of the detection sensitivity $S$ with a value of 0.4 to 0.5, controls how strongly the detection sensitivity influences the policy strength; when the detection sensitivity is higher the system perceives security threats more acutely and the access-control policy may need to be strengthened, so the product of the detection sensitivity $S$ and the coefficient $\omega_1$ increases the policy strength; $\omega_2$, the adjustment coefficient of the current attack update frequency $F_{new}$ with a value of 0.5 to 0.6, controls how strongly the attack update frequency influences the policy strength; first, a positive number $\varepsilon$ is added to the current attack update frequency $F_{new}$ so that the logarithm is defined when the attack update frequency is 0; then the logarithm of $(F_{new} + \varepsilon)$ is taken and multiplied by the coefficient $\omega_2$; when the attack update frequency is higher the security threats facing the network are changing continuously and a stricter access-control policy is required, so the product of the logarithm of the attack update frequency and the coefficient $\omega_2$ also increases the access-control policy strength.
Adjusting the network security policy according to the current attack update frequency lets the protection system respond more flexibly to continuously changing security threats and improves its adaptability and effectiveness. Calculating the current network access-control policy strength from the network traffic history and adjusting the access-control policy accordingly makes dynamic management of network resources possible, keeps the network in its best protective state at all times, and provides a strong guarantee for the stable operation of the network and the smooth running of services.
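The following is an added worked example of Step 3 (Steps 301 to 310), not code from the patent. It scores two constructed flow records, chains the risk value $R$ into the rule strength ACL, the detection sensitivity $S$, the attack update frequency $F_{new}$ and the policy strength $C_{new}$, and applies the tiered decisions of Steps 304, 307, 309 and 310. The page does not print the $S$ and $F_{new}$ formulas; they are implemented here as $S = S_0 + \theta \cdot ACL$ and $F_{new} = F_z (1 + \delta R)$, our reading of the Step 306 and 308 descriptions, with $\theta$ and $\delta$ as our names for the page's unnamed coefficients. The address library, protocol and port lists, scoring heuristics, coefficient values and thresholds are all assumptions:

```python
"""Step 3 risk assessment and policy tuning (R, ACL, S, F_new, C_new) on constructed flows."""
import math

# Constructed reference data for Step 301 (assumed, not from the page).
MALICIOUS_IPS = {"203.0.113.7": 1.0, "198.51.100.9": 0.6}  # address -> malice level in [0, 1]
PROTOCOL_RISK = {"HTTPS": 0.1, "SSH": 0.3, "HTTP": 0.5, "TELNET": 0.9, "SMBV1": 0.9}
HIGH_RISK_PORTS = {23, 445, 1433, 3389}
LOW_RISK_PORTS = {53, 443}

# Coefficients inside the ranges the page gives for Steps 302, 303 and 310; theta (Step 306)
# and delta (Step 308) are our names for the page's unnamed coefficients.
COEFF = {
    "lambda": 0.3, "mu": 0.2, "nu": 0.3, "xi": 0.2,  # lambda + mu + nu + xi = 1
    "rho": 4.0, "A": 1.0,                            # ACL = rho * R + A
    "S_0": 0.5, "theta": 0.6,                        # S = S_0 + theta * ACL
    "F_z": 10.0, "delta": 0.8,                       # F_new = F_z * (1 + delta * R)
    "omega1": 0.45, "omega2": 0.55, "eps": 1e-3,     # C_new = C + w1*S + w2*log(F_new + eps)
}
TH = {"ACL1": 2.0, "ACL2": 4.0, "S_low": 1.0, "S_high": 3.0, "F_th": 15.0}  # assumed

# Two constructed flow records.
HOSTILE_FLOW = {"src_ip": "203.0.113.7", "protocol": "telnet", "dst_port": 23,
                "pps": 4000, "baseline_pps": 500, "off_hours": True}
BENIGN_FLOW = {"src_ip": "192.0.2.10", "protocol": "https", "dst_port": 443,
               "pps": 500, "baseline_pps": 500, "off_hours": False}


def score_ip(src_ip):
    """S_IP: malice level from the known-malicious address library, 0 for unknown addresses."""
    return MALICIOUS_IPS.get(src_ip, 0.0)


def score_protocol(protocol):
    """S_Protocol: secure protocols score low, legacy ones high; unclassified ones sit mid-way."""
    return PROTOCOL_RISK.get(protocol.upper(), 0.5)


def score_port(port):
    """S_Port from the high-risk and low-risk port lists."""
    if port in HIGH_RISK_PORTS:
        return 1.0
    return 0.1 if port in LOW_RISK_PORTS else 0.4


def score_pattern(pps, baseline_pps, off_hours):
    """S_TrafficPattern: excess over the baseline rate (5x baseline saturates at 1) plus an
    off-hours penalty; a simple stand-in for the time/volume/packet features the page lists."""
    ratio = pps / baseline_pps if baseline_pps else 1.0
    score = min(1.0, max(0.0, (ratio - 1.0) / 4.0))
    return min(1.0, score + 0.2) if off_hours else score


def risk_value(flow, c=COEFF):
    """R = lambda*S_IP + mu*S_Protocol + nu*S_Port + xi*S_TrafficPattern (Step 302)."""
    parts = {
        "S_IP": score_ip(flow["src_ip"]),
        "S_Protocol": score_protocol(flow["protocol"]),
        "S_Port": score_port(flow["dst_port"]),
        "S_TrafficPattern": score_pattern(flow["pps"], flow["baseline_pps"], flow["off_hours"]),
    }
    r = (c["lambda"] * parts["S_IP"] + c["mu"] * parts["S_Protocol"]
         + c["nu"] * parts["S_Port"] + c["xi"] * parts["S_TrafficPattern"])
    return r, parts


def acl_action(acl, th=TH):
    """Step 304 tiers: log only / rate-limit to 50% / block and start emergency response."""
    if acl < th["ACL1"]:
        return "log"
    return "rate-limit-50" if acl < th["ACL2"] else "block"


def sensitivity_state(s, th=TH):
    """Step 307 tiers: low (missed-alarm risk) / reasonable / high (false-alarm risk)."""
    if s < th["S_low"]:
        return "low"
    return "reasonable" if s <= th["S_high"] else "high"


def evaluate(flow, c_hist=2.0, c=COEFF, th=TH):
    """Chain Steps 302 to 310 for one flow; c_hist is the historical policy strength C."""
    r, parts = risk_value(flow, c)
    acl = c["rho"] * r + c["A"]                      # Step 303
    s = c["S_0"] + c["theta"] * acl                  # Step 306 (our reading)
    f_new = c["F_z"] * (1.0 + c["delta"] * r)        # Step 308 (our reading)
    c_new = c_hist + c["omega1"] * s + c["omega2"] * math.log(f_new + c["eps"])  # Step 310
    return {
        "scores": parts, "R": r, "ACL": acl, "action": acl_action(acl, th),
        "S": s, "sensitivity_state": sensitivity_state(s, th),
        "F_new": f_new, "update_state": "accelerate" if f_new > th["F_th"] else "stable",
        "C_new": c_new, "policy": "tighten" if c_new >= c_hist else "relax",
    }


if __name__ == "__main__":
    for name, flow in (("hostile", HOSTILE_FLOW), ("benign", BENIGN_FLOW)):
        out = evaluate(flow)
        print(name, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in out.items()})
```

One consequence of the Step 310 formula is visible on the benign flow: because $S \ge 0$ and $\log(F_{new} + \varepsilon) > 0$ whenever $F_{new} > 1$, $C_{new} \ge C$ for any flow whose update frequency is above 1, so the "relax" branch of Step 310 can only fire when the historical $C$ is measured against a different reference than the one being updated. Anyone implementing this should therefore keep $C$ fixed at a baseline rather than feeding $C_{new}$ back in as the next $C$, or the policy strength ratchets upward on every evaluation.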
On the other hand, the invention also discloses a network security intelligent protection system based on the endogenous security mechanism, which implements the network security intelligent protection method based on the endogenous security mechanism and comprises:
a traffic monitoring module, which acquires the real-time data of the monitored network traffic and the historical network traffic data;
an anomaly judgement module, which calculates the traffic mutation index $F_m$, the protocol anomaly index $P_a$ and the port anomaly index $Port_a$ from the real-time network traffic data and judges each for anomalies; when one of the indexes is abnormal, it calculates the comprehensive anomaly index $I$ from the traffic mutation index $F_m$, the protocol anomaly index $P_a$ and the port anomaly index $Port_a$, presets a comprehensive anomaly index threshold, compares the comprehensive anomaly index $I$ with that threshold and judges the abnormal state of the network traffic; when the network traffic is seriously abnormal, the endogenous security mechanism is triggered immediately for protection;
an endogenous security analysis module, which calculates a risk assessment value $R$ from the network traffic history; calculates the access-control rule strength ACL from the risk assessment value $R$, presets a rule strength threshold, compares the rule strength ACL with it and takes different measures against abnormal network traffic according to the result; calculates the detection sensitivity $S$ and the current attack update frequency $F_{new}$ from the network traffic history and evaluates the monitoring sensitivity state from the detection sensitivity $S$; adjusts the network security policy from the current attack update frequency $F_{new}$; and calculates the current network access-control policy strength $C_{new}$ from the network traffic history and adjusts the access-control policy according to $C_{new}$.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application.
Claims (10)
1. A network security intelligent protection method based on an endogenous security mechanism, characterised in that it comprises the following steps:
acquiring real-time data of the monitored network traffic and historical network traffic data;
calculating, from the real-time network traffic data, a traffic mutation index $F_m$, a protocol anomaly index $P_a$ and a port anomaly index $Port_a$, and judging each for anomalies; when one of the indexes is abnormal, calculating a comprehensive anomaly index $I$ from the traffic mutation index $F_m$, the protocol anomaly index $P_a$ and the port anomaly index $Port_a$, presetting a comprehensive anomaly index threshold, comparing the comprehensive anomaly index $I$ with that threshold and judging the abnormal state of the network traffic; when the network traffic is seriously abnormal, immediately triggering the endogenous security mechanism for protection;
calculating a risk assessment value $R$ from the network traffic history; calculating the access-control rule strength ACL from the risk assessment value $R$, presetting a rule strength threshold, comparing the rule strength ACL with it and taking different measures against abnormal network traffic according to the result; calculating a detection sensitivity $S$ and a current attack update frequency $F_{new}$ from the network traffic history, and evaluating the monitoring sensitivity state from the detection sensitivity $S$; adjusting the network security policy from the current attack update frequency $F_{new}$; and calculating the current network access-control policy strength $C_{new}$ from the network traffic history and adjusting the access-control policy according to $C_{new}$.
2. The network security intelligent protection method based on the endogenous security mechanism as claimed in claim 1, characterised in that the traffic mutation index $F_m$ is calculated as follows:
the average network traffic $F_{avg}$ in the unit time $T$ is calculated with the following formula:
wherein $F(t)$ represents the network traffic at time point $t$, $t = 1, 2, 3, \ldots$;
the traffic standard deviation $\sigma$ in the unit time $T$ is calculated with the following formula:
the network traffic data is monitored in real time, the current traffic $F_{current}$ is obtained, and the traffic mutation index $F_m$ is calculated from the average network traffic $F_{avg}$ and the traffic standard deviation $\sigma$ with the following formula:
a traffic mutation threshold $F_{th}$ is preset, and when $|F_m| > F_{th}$ the network traffic is considered to have a mutation anomaly.
3. The network security intelligent protection method based on the endogenous security mechanism as claimed in claim 2, wherein the protocol abnormality index P_a is calculated as follows:
the traffic ratio P_i of the data of each protocol over a period of time is calculated according to the following formula:
wherein F_i is the flow ratio of the i-th protocol data, i = 1, 2, 3, ..., n; n is the number of protocols and is a positive integer;
the average traffic ratio P_i,avg of the historical protocol data is calculated by the following formula:
wherein the flow ratio of the i-th protocol data in the k-th historical time period is used, with k = 1, 2, 3, ..., m; m is the number of historical time periods and is a positive integer;
the traffic ratio P_i,current of each protocol's data at the current moment is obtained, and the protocol abnormality index P_a is calculated according to the following formula:
a protocol data abnormality threshold P_th is preset, and when P_a > P_th the network traffic is determined to have a protocol abnormality.
4. The network security intelligent protection method based on the endogenous security mechanism as claimed in claim 3, wherein the port abnormality index Port_a is calculated as follows:
the traffic ratio Port_s of each common port over a period of time is calculated according to the following formula:
wherein F_s' is the flow ratio of the s-th common port, s = 1, 2, 3, ..., m; m is the number of common ports and is a positive integer;
the historical average Port_s,avg of the common port data is calculated according to the following formula:
wherein the flow ratio of the s-th common port in the k-th historical time period is used, with k = 1, 2, 3, ...;
the network traffic data is monitored in real time, the current traffic ratio Port_s,current of each common port is obtained, and the port abnormality index Port_a is calculated according to the following formula:
a port abnormality index threshold Port_th is preset, and when Port_a > Port_th the network traffic is considered to have a port abnormality.
5. The network security intelligent protection method based on the endogenous security mechanism as claimed in claim 4, wherein the comprehensive abnormality index I is calculated from the flow mutation index F_m, the protocol abnormality index P_a and the port abnormality index Port_a according to the following formula:
I = α × F_m + β × P_a + γ × Port_a
wherein α is the weight coefficient of the flow mutation index F_m, with a value of 0.1 to 0.3; β is the weight coefficient of the protocol abnormality index P_a, with a value of 0.3 to 0.4; γ is the weight coefficient of the port abnormality index Port_a, with a value of 0.3 to 0.5; and α + β + γ = 1;
the comprehensive abnormality index threshold comprises a first abnormality index threshold I_1 and a second abnormality index threshold I_2, with I_1 < I_2:
when I ≤ I_1, the network traffic is normal;
when I_1 < I ≤ I_2, the network traffic is slightly abnormal, and an early warning is issued;
when I > I_2, the network traffic is seriously abnormal, and the endogenous security mechanism is started for protection.
6. The network security intelligent protection method based on the endogenous security mechanism as claimed in claim 5, wherein the network traffic history data includes a risk score S_IP for the source IP address, a risk score S_Protocol for the protocol type, a risk score S_Port for the port, and a risk score S_TrafficPattern for the traffic pattern;
the risk assessment value R is calculated from the network traffic history data according to the following formula:
R = λ × S_IP + μ × S_Protocol + ν × S_Port + ξ × S_TrafficPattern
wherein λ is the weight coefficient of the source IP address risk score S_IP, with a value of 0.2 to 0.4; μ is the weight coefficient of the protocol type risk score S_Protocol, with a value of 0.1 to 0.4; ν is the weight coefficient of the port risk score S_Port, with a value of 0.2 to 0.4; ξ is the weight coefficient of the traffic pattern risk score S_TrafficPattern, with a value of 0.2 to 0.3; and λ + μ + ν + ξ = 1.
7. The network security intelligent protection method based on the endogenous security mechanism as claimed in claim 6, wherein the rule intensity ACL of the access control is calculated from the risk assessment value R according to the following formula:
ACL = ρ × R + A
wherein ρ is the coefficient of the rule intensity ACL, with a value in [1, 5]; A is the rule intensity value of the basic ACL, with a value in [1, 3];
the rule intensity threshold comprises a first rule intensity threshold ACL1 and a second rule intensity threshold ACL2:
when 0 ≤ ACL < ACL1, the abnormal network traffic is recorded but not blocked;
when ACL1 ≤ ACL < ACL2, traffic rate limiting is applied;
when ACL ≥ ACL2, the traffic is completely blocked.
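The decision chain of claims 5 to 7 (sub-index check, weighted comprehensive index I with its two tiers, risk value R, and the ACL rule strength with its three response tiers), written out as an added Python example that is not the patent's own code. The default weights, ρ, A and all thresholds are assumed values chosen inside the ranges the claims give; the claims fix only the ranges, not the values.

```python
import math


def _check_weights(weights):
    """weights: {name: (value, low, high)}; each in its claimed range, all summing to 1."""
    for name, (w, lo, hi) in weights.items():
        if not lo <= w <= hi:
            raise ValueError(f"{name}={w} outside claimed range [{lo}, {hi}]")
    if not math.isclose(sum(w for w, _, _ in weights.values()), 1.0):
        raise ValueError("weights must sum to 1")


def sub_index_abnormal(f_m, p_a, port_a, f_th, p_th, port_th):
    """Claims 2-4: abnormal when |F_m| > F_th, P_a > P_th or Port_a > Port_th."""
    return abs(f_m) > f_th or p_a > p_th or port_a > port_th


def composite_anomaly_index(f_m, p_a, port_a, alpha=0.2, beta=0.35, gamma=0.45):
    """Claim 5: I = alpha*F_m + beta*P_a + gamma*Port_a (defaults are assumed
    values inside the claimed ranges 0.1-0.3, 0.3-0.4, 0.3-0.5)."""
    _check_weights({"alpha": (alpha, 0.1, 0.3), "beta": (beta, 0.3, 0.4),
                    "gamma": (gamma, 0.3, 0.5)})
    return alpha * f_m + beta * p_a + gamma * port_a


def traffic_state(i, i_1, i_2):
    """Claim 5 tiers: normal, slight (early warning), serious (mechanism triggered)."""
    if not i_1 < i_2:
        raise ValueError("need I_1 < I_2")
    if i <= i_1:
        return "normal"
    return "slightly_abnormal" if i <= i_2 else "seriously_abnormal"


def evaluate_traffic(f_m, p_a, port_a, *, f_th, p_th, port_th, i_1, i_2):
    """Claim 1 flow: I is computed only once some sub-index is abnormal."""
    if not sub_index_abnormal(f_m, p_a, port_a, f_th, p_th, port_th):
        return "normal", None
    i = composite_anomaly_index(f_m, p_a, port_a)
    return traffic_state(i, i_1, i_2), i


def risk_value(s_ip, s_protocol, s_port, s_pattern, lam=0.3, mu=0.2, nu=0.3, xi=0.2):
    """Claim 6: R = lambda*S_IP + mu*S_Protocol + nu*S_Port + xi*S_TrafficPattern."""
    _check_weights({"lambda": (lam, 0.2, 0.4), "mu": (mu, 0.1, 0.4),
                    "nu": (nu, 0.2, 0.4), "xi": (xi, 0.2, 0.3)})
    return lam * s_ip + mu * s_protocol + nu * s_port + xi * s_pattern


def acl_strength(r, rho=2.0, a=1.0):
    """Claim 7: ACL = rho*R + A with rho in [1, 5], A in [1, 3] (defaults assumed)."""
    if not (1 <= rho <= 5 and 1 <= a <= 3):
        raise ValueError("rho or A outside claimed range")
    return rho * r + a


def acl_action(acl, acl_1, acl_2):
    """Claim 7 tiers: record only, rate-limit, or fully block the abnormal traffic."""
    if acl < 0 or not acl_1 < acl_2:
        raise ValueError("need 0 <= ACL and ACL1 < ACL2")
    if acl < acl_1:
        return "log_only"
    return "rate_limit" if acl < acl_2 else "block"
```

Because F_m is signed (claim 2 thresholds |F_m|), a large negative traffic drop can pull I down even while the protocol and port indices are high; anyone deploying the weighting should decide whether to feed |F_m| into I.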
8. The network security intelligent protection method based on the endogenous security mechanism as claimed in claim 7, wherein the detection method of the intrusion detection and defense system comprises the following steps:
the network traffic history data further includes an initial detection sensitivity S_0, and the detection sensitivity S is calculated from the initial detection sensitivity S_0 according to the following formula:
wherein the influence coefficient of the rule intensity ACL takes a value of 0 to 1;
a detection sensitivity threshold is preset, comprising a first detection sensitivity threshold S_low and a second detection sensitivity threshold S_high, with S_low < S_high:
when S < S_low, the monitoring sensitivity is low and there is a risk of missed detections;
when S_low ≤ S ≤ S_high, the monitoring sensitivity is in a reasonable range;
when S > S_high, the detection sensitivity is high and the risk of false alarms increases;
the attack update frequency F_z is obtained from the update frequency of the system before adjustment, and the current attack update frequency F_new is calculated according to the following formula:
wherein the adjustment coefficient of the attack update frequency F_z takes a value of 0 to 1;
a current attack update frequency threshold F_th is preset:
when F_new ≤ F_th, the current attack update frequency is in a reasonable range, and the network security policy is kept running as it is;
when F_new > F_th, the current attack update frequency is high, and the adjustment and updating of the network security policy are accelerated.
9. The network security intelligent protection method based on the endogenous security mechanism as claimed in claim 8, wherein the current network access control policy strength C_new is calculated as follows:
the network traffic history data further includes a network access control policy strength C;
the current network access control policy strength C_new is calculated from the network access control policy strength C according to the following formula:
C_new = C + ω1 × S + ω2 × log(F + ε)
wherein ω1 is the adjustment coefficient of the detection sensitivity S, with a value of 0.4 to 0.5; ω2 is the adjustment coefficient of the current attack update frequency F_new, with a value of 0.5 to 0.6; ω1 + ω2 = 1; and ε is a positive number;
if C_new ≥ C, the access control policy is strengthened; if C_new < C, the access control policy is relaxed.
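The sensitivity and update-frequency tiers of claim 8 and the policy-strength update of claim 9, as an added Python example that is not the patent's own code. The page does not reproduce the formulas for S and F_new, so both are taken as inputs; ω1, ω2 and ε are assumed values inside the claimed ranges. Since ω1 × S is non-negative for a non-negative S, the only term that can lower C_new below C is the logarithm when F_new + ε < 1, so the "relax" branch of claim 9 is reached only when the attack update frequency is low.

```python
import math


def sensitivity_state(s, s_low, s_high):
    """Claim 8 tiers for the detection sensitivity S."""
    if not s_low < s_high:
        raise ValueError("need S_low < S_high")
    if s < s_low:
        return "low"                                  # missed-detection risk
    return "reasonable" if s <= s_high else "high"    # high: more false alarms


def policy_update_pace(f_new, f_th):
    """Claim 8: accelerate security-policy updates when F_new exceeds F_th."""
    return "accelerate" if f_new > f_th else "maintain"


def current_policy_strength(c, s, f_new, omega1=0.45, omega2=0.55, eps=1e-3):
    """Claim 9: C_new = C + omega1*S + omega2*log(F_new + eps).
    Ranges 0.4-0.5, 0.5-0.6 and omega1 + omega2 = 1 are the claim's;
    the default values and eps are assumed."""
    if not (0.4 <= omega1 <= 0.5 and 0.5 <= omega2 <= 0.6):
        raise ValueError("omega outside claimed range")
    if not math.isclose(omega1 + omega2, 1.0):
        raise ValueError("omega1 + omega2 must equal 1")
    if eps <= 0:
        raise ValueError("epsilon must be positive")
    return c + omega1 * s + omega2 * math.log(f_new + eps)


def policy_adjustment(c, c_new):
    """Claim 9: strengthen access control when C_new >= C, relax otherwise."""
    return "strengthen" if c_new >= c else "relax"
```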
10. A network security intelligent protection system based on the endogenous security mechanism, characterized in that it comprises:
a traffic monitoring module, configured to acquire real-time data of the monitored network traffic and history data of the network traffic;
an abnormality judging module, configured to calculate a flow mutation index F_m, a protocol abnormality index P_a and a port abnormality index Port_a based on the real-time network traffic data and to perform an abnormality judgment on each of them; when any one of the indexes is abnormal, to calculate a comprehensive abnormality index I from the flow mutation index F_m, the protocol abnormality index P_a and the port abnormality index Port_a, preset a comprehensive abnormality index threshold, compare the comprehensive abnormality index I with that threshold, and judge the abnormal state of the network traffic; and when the network traffic is seriously abnormal, to immediately trigger the endogenous security mechanism for protection;
an endogenous security analysis module, configured to calculate a risk assessment value R based on the network traffic history data; to calculate a rule intensity ACL of the access control from the risk assessment value R, preset a rule intensity threshold, compare the rule intensity ACL with the rule intensity threshold, and take different measures against the abnormal network traffic according to the comparison result; to calculate a detection sensitivity S and a current attack update frequency F_new based on the network traffic history data, and evaluate the monitoring sensitivity state from the detection sensitivity S; to adjust the network security policy based on the current attack update frequency F_new; and to calculate the current network access control policy strength C_new based on the network traffic history data and adjust the access control policy based on the current network access control policy strength C_new.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411355033.8A CN118972157B (en) | 2024-09-27 | 2024-09-27 | A network security intelligent protection method and system based on intrinsic security mechanism |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118972157A true CN118972157A (en) | 2024-11-15 |
| CN118972157B CN118972157B (en) | 2025-02-28 |
Family
ID=93383789
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411355033.8A Active CN118972157B (en) | 2024-09-27 | 2024-09-27 | A network security intelligent protection method and system based on intrinsic security mechanism |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118972157B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119484111A (en) * | 2024-11-18 | 2025-02-18 | 北京芯盾时代科技有限公司 | Intelligent construction method, device and readable medium for network security protection based on big data |
| CN119603069A (en) * | 2024-12-30 | 2025-03-11 | 重庆印源科技发展有限公司 | A computer network information security monitoring method |
| CN119906581A (en) * | 2025-02-27 | 2025-04-29 | 河南财政金融学院 | A computer network security protection system based on big data |
| CN120546955A (en) * | 2025-06-06 | 2025-08-26 | 北京格尔国信科技有限公司 | A data security monitoring method based on risk warning |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1764126A (en) * | 2005-11-11 | 2006-04-26 | 上海交通大学 | Detection and monitoring method of sudden abnormal network traffic |
| CN106789352A (en) * | 2017-01-25 | 2017-05-31 | 北京兰云科技有限公司 | A network abnormal traffic detection method and device |
| CN112822184A (en) * | 2020-12-31 | 2021-05-18 | 网络通信与安全紫金山实验室 | Unsupervised autonomous attack detection method in endogenous security system |
| CN115688117A (en) * | 2022-10-27 | 2023-02-03 | 北京邮电大学 | An Evaluation Method for Smart Grid Security Resilience Based on Attack and Defense Evolution |
| CN118041661A (en) * | 2024-03-07 | 2024-05-14 | 武汉众维亿方大数据科技有限公司 | Abnormal network flow monitoring method, device and equipment based on deep learning and readable storage medium |
Timeline: 2024-09-27, CN application CN202411355033.8A, patent CN118972157B, status Active
Non-Patent Citations (1)
| Title |
|---|
| 张博文, 李冬, 赵贻竹, 于俊清: "Research on an IPv6-address-driven endogenous security mechanism for cloud networks", 《理论研究》, 31 January 2024 (2024-01-31), pages 113-120 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118972157B (en) | 2025-02-28 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||