CN118200057B - Automatic scanning and early warning system and method for network security vulnerability information - Google Patents

Info

Publication number
CN118200057B
CN118200057B CN202410609210.4A CN202410609210A CN118200057B CN 118200057 B CN118200057 B CN 118200057B CN 202410609210 A CN202410609210 A CN 202410609210A CN 118200057 B CN118200057 B CN 118200057B
Authority
CN
China
Prior art keywords
network data
feature
feature vector
network
vector
Legal status
Active
Application number
CN202410609210.4A
Other languages
Chinese (zh)
Other versions
CN118200057A (en
Inventor
韦立峰
Current Assignee
Jiangsu Guoxin Ruike System Engineering Co ltd
Original Assignee
Jiangsu Guoxin Ruike System Engineering Co ltd
Application filed by Jiangsu Guoxin Ruike System Engineering Co ltd
Priority to CN202410609210.4A
Publication of CN118200057A
Application granted
Publication of CN118200057B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433: Vulnerability analysis
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security
    • G: PHYSICS
    • G06: COMPUTING OR CALCULATING; COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Evolutionary Computation (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to the field of scanning early warning, and particularly discloses an automatic scanning early warning system and method for network security vulnerability information.

Description

Automatic scanning and early warning system and method for network security vulnerability information
Technical Field
The application relates to the field of scanning early warning, in particular to an automatic scanning early warning system and method for network security vulnerability information.
Background
Network security vulnerabilities refer to vulnerabilities or flaws in a system, network, or application that may be exploited by an attacker to gain unauthorized access, destroy data, or interfere with system operation. These vulnerabilities may result from software bugs, configuration errors, or inadequate security control, and may lead to serious consequences such as data leakage, financial loss, or reputation damage. It is important to discover and repair network security vulnerabilities in time to protect an organization from network attacks.
With the rapid development of the internet, the number and variety of security vulnerabilities in systems have been increasing explosively. Common vulnerability types include buffer overflows, format string vulnerabilities, code injection, file inclusion, etc., each of which carries certain risks and hazards. However, the repair and prevention of system security vulnerabilities still face problems, such as low vulnerability detection coverage, long detection periods, and the inability to perform comprehensive vulnerability detection covering a whole network, so that the vulnerability risk of the whole network cannot be comprehensively known and changes in vulnerabilities are difficult to track effectively.
Therefore, an automatic scanning and early warning system and method for network security vulnerability information are desired.
Disclosure of Invention
The present application has been made to solve the above-mentioned technical problems. The embodiments of the application provide an automatic scanning and early warning system and method for network security vulnerability information, which first acquire the network data packets of a preset time period collected by monitoring equipment, the router abnormal traffic at a plurality of preset time points collected by the monitoring equipment, and the running states of the monitoring server at a plurality of preset time points collected from a monitoring log; then perform feature extraction and association analysis on the three using deep learning; and finally obtain a network security vulnerability risk level through a classifier, so as to monitor and analyze network security conditions in real time, discover potential security threats as early as possible, and help take timely measures to strengthen network security protection and reduce the risk of network attack.
According to one aspect of the present application, there is provided an automatic scanning and early warning system for network security vulnerability information, comprising:
The network security vulnerability information acquisition module is used for acquiring network data packets of a preset time period acquired by the monitoring equipment, abnormal router traffic of a plurality of preset time points acquired by the monitoring equipment and the running states of the monitoring server of a plurality of preset time points acquired from the monitoring log;
The network security vulnerability information extraction module is used for extracting network data security association feature vectors and operation state feature vectors from the network data packets of the preset time period acquired by the monitoring equipment, the router abnormal traffic of the preset time points acquired by the monitoring equipment and the operation states of the monitoring servers of the preset time points acquired from the monitoring log;
The vulnerability information feature fusion module is used for fusing the network data security association feature vector and the running state feature vector to obtain a vulnerability risk level classification feature vector;
The vulnerability information feature optimization module is used for optimizing the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector;
And the network security vulnerability risk level generation module is used for obtaining the network security vulnerability risk level based on the optimized vulnerability risk level classification feature vector.
According to another aspect of the present application, there is provided an automatic scanning and early warning method for network security vulnerability information, including:
acquiring network data packets of a preset time period acquired by monitoring equipment, abnormal router traffic of a plurality of preset time points acquired by the monitoring equipment and the running state of a monitoring server of a plurality of preset time points acquired from a monitoring log;
extracting network data security association feature vectors and operation state feature vectors from the network data packets of the preset time period acquired by the monitoring equipment, the router abnormal traffic of the preset time points acquired by the monitoring equipment and the operation states of the monitoring servers of the preset time points acquired from the monitoring log;
fusing the network data security association feature vector and the running state feature vector to obtain a vulnerability risk level classification feature vector;
optimizing the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector;
and obtaining the network security vulnerability risk level based on the optimized vulnerability risk level classification feature vector.
Compared with the prior art, the automatic scanning and early warning system and method for network security vulnerability information provided by the application first acquire the network data packets of a preset time period collected by the monitoring equipment, the router abnormal traffic at a plurality of preset time points collected by the monitoring equipment, and the running states of the monitoring server at a plurality of preset time points collected from a monitoring log; then perform feature extraction and association analysis on the three using deep learning; and finally obtain the network security vulnerability risk level through a classifier. This enables real-time monitoring and analysis of network security conditions, so that potential security threats are discovered as early as possible, measures are taken in time to strengthen network security protection, and the risk of network attack is reduced.
Drawings
The above and other objects, features and advantages of the present application will become more apparent by describing embodiments of the present application in more detail with reference to the attached drawings. The accompanying drawings provide a further understanding of the embodiments of the application, are incorporated in and constitute a part of this specification, and serve to explain the application together with its embodiments; they do not limit the application. In the drawings, like reference numerals generally refer to like parts or steps.
Fig. 1 is a block diagram of an automatic scanning and early warning system for network security vulnerability information according to an embodiment of the present application.
Fig. 2 is a block diagram of the network security vulnerability information extraction module in the automatic scanning and early warning system for network security vulnerability information according to an embodiment of the present application.
Fig. 3 is a block diagram of the network data packet semantic coding unit in the automatic scanning and early warning system for network security vulnerability information according to an embodiment of the present application.
Fig. 4 is a flowchart of an automatic network security vulnerability information scanning and early warning method according to an embodiment of the application.
Fig. 5 is a block diagram of an electronic device according to an embodiment of the application.
Detailed Description
Hereinafter, exemplary embodiments according to the present application will be described in detail with reference to the accompanying drawings. It should be apparent that the described embodiments are only some embodiments of the present application and not all embodiments of the present application, and it should be understood that the present application is not limited by the example embodiments described herein.
Exemplary System
Fig. 1 is a block diagram of an automatic scanning and early warning system for network security vulnerability information according to an embodiment of the present application. As shown in Fig. 1, the automatic scanning and early warning system 100 for network security vulnerability information according to an embodiment of the present application includes: a network security vulnerability information acquisition module 110, configured to acquire network data packets of a predetermined time period collected by a monitoring device, router abnormal traffic at a plurality of predetermined time points collected by the monitoring device, and running states of a monitoring server at a plurality of predetermined time points collected from a monitoring log; a network security vulnerability information extraction module 120, configured to extract a network data security association feature vector and a running state feature vector from the network data packets of the predetermined time period collected by the monitoring device, the router abnormal traffic at the plurality of predetermined time points collected by the monitoring device, and the running states of the monitoring server at the plurality of predetermined time points collected from the monitoring log; a vulnerability information feature fusion module 130, configured to fuse the network data security association feature vector and the running state feature vector to obtain a vulnerability risk level classification feature vector; a vulnerability information feature optimization module 140, configured to optimize the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector; and a network security vulnerability risk level generation module 150, configured to obtain a network security vulnerability risk level based on the optimized vulnerability risk level classification feature vector.
In the above automatic scanning and early warning system 100 for network security vulnerability information, the network security vulnerability information acquisition module 110 is configured to acquire the network data packets of the predetermined time period collected by the monitoring device, the router abnormal traffic at the plurality of predetermined time points collected by the monitoring device, and the running states of the monitoring server at the plurality of predetermined time points collected from the monitoring log. It should be understood that a network security vulnerability is a potential weakness or flaw in a system or application that may be exploited by malicious attackers, exposing the system to unauthorized access, data leakage, service interruption, or other security threats. These vulnerabilities may be caused by programming errors, design flaws, or configuration issues; common types include buffer overflows, cross-site scripting, SQL injection, etc. Identifying and repairing network security vulnerabilities in time is critical to maintaining system security and protecting user data and business continuity. With the rapid expansion of the internet, the number and variety of security vulnerabilities in systems have increased dramatically. However, because vulnerability detection coverage is not high, the repair period is long, and comprehensive vulnerability detection covering the whole network cannot be achieved, the vulnerability risk of the network cannot be comprehensively known and changes in vulnerabilities are difficult to track effectively. Therefore, the applicant obtains the risk level of network security vulnerabilities by using deep learning, so as to monitor and analyze network security conditions in real time and discover potential security threats as early as possible.
Specifically, in the technical scheme of the application, acquiring the network data packets of the predetermined time period collected by the monitoring device, the router abnormal traffic at a plurality of predetermined time points collected by the monitoring device, and the running states of the monitoring server at a plurality of predetermined time points collected from the monitoring log is a vital step in the automatic scanning and early warning system for network security vulnerability information. These data sources provide the information base the system needs to fully monitor and analyze the network security status. The network data packets of the predetermined time period are acquired in order to understand network communication conditions, including data transmission, communication protocols, data content and the like. These packets can reveal potential risks and abnormal activities in the network, helping the system discover possible security vulnerabilities in time. The router abnormal traffic at a plurality of time points is collected in order to monitor changes in network traffic. Abnormal traffic may indicate a network attack, a denial of service attack, or another security threat. By analyzing the abnormal traffic, the system can identify potential network security problems and take corresponding countermeasures. In addition, monitoring the running state of the server is critical to the stability and security of the overall network security system. By monitoring the running state of the server, the system can learn the server's working condition, load, running anomalies and similar information. Discovering server running anomalies in time helps system administrators handle problems quickly and prevents the more serious consequences of security vulnerabilities being exploited.
The acquisition of the data sources is the basis of the automatic scanning and early warning system of the network security vulnerability information, and through the analysis and the processing of the data, the system can discover potential network security threats in time, strengthen network security protection and guarantee the normal operation of the network system and the security of the data.
In the above automatic scanning and early warning system 100 for network security vulnerability information, the network security vulnerability information extraction module 120 is configured to extract a network data security association feature vector and a running state feature vector from the network data packets of the predetermined time period collected by the monitoring device, the router abnormal traffic at the plurality of predetermined time points collected by the monitoring device, and the running states of the monitoring server at the plurality of predetermined time points collected from the monitoring log. It should be appreciated that the network data security association feature vector is extracted in order to identify key features in the network data packets, such as communication protocol, source address, destination address, etc., so that the system can analyze network communication patterns, identify abnormal behavior, and detect potential attacks. The running state feature vector is extracted in order to monitor the running state of the monitoring server, including server load, service running state, abnormal logs and other information. By extracting the running state feature vector, the system can monitor the health of the server in real time, discover abnormal conditions in time, and take corresponding countermeasures to keep the server running safely and stably. By analyzing these feature vectors, the system can give early warning of and respond to possible security risks in time, safeguarding the secure operation and data integrity of the network system.
Fig. 2 is a block diagram of the network security vulnerability information extraction module in the automatic scanning and early warning system for network security vulnerability information according to an embodiment of the present application. As shown in Fig. 2, in a specific embodiment of the present application, the network security vulnerability information extraction module 120 includes: a network data packet semantic coding unit 121, configured to perform semantic coding on the network data packets of the predetermined time period collected by the monitoring device to obtain a network data multi-scale text understanding feature vector; a router abnormal traffic feature extraction unit 122, configured to perform feature extraction on the router abnormal traffic at the plurality of predetermined time points collected by the monitoring device to obtain a router abnormal traffic global feature vector; a network data security feature association unit 123, configured to associate the network data multi-scale text understanding feature vector with the router abnormal traffic global feature vector to obtain the network data security association feature vector; and a monitoring server running state feature extraction unit 124, configured to perform feature extraction on the running states of the monitoring server at the plurality of predetermined time points collected from the monitoring log to obtain the running state feature vector. It should be understood that by encoding text, the system can convert key information in the network data packets into vector form, so that the text data can be processed quantitatively. The resulting network data multi-scale text understanding feature vector captures the meaning of the network data at different levels.
Further, feature extraction can obtain representative and distinctive features, such as traffic volume, traffic distribution, protocol type, and the like, from the abnormal traffic data at a plurality of time points. These features reflect the overall situation of the router abnormal traffic and help the system build a feature model of abnormal traffic, so that abnormal situations can be identified more accurately.
Furthermore, associating the text understanding feature vector with the abnormal traffic global feature vector combines the text information in the network data packets with the router abnormal traffic data and establishes an association model between the text data and the network traffic. This helps the system understand the meaning of the network data more accurately and discover potential associations between text information and abnormal traffic, and thus identify network security events in a more timely manner.
In particular, feature extraction is performed on the running states of the monitoring server at a plurality of predetermined time points collected from the monitoring log, so that key features are obtained by analyzing and mining the server's running state data and the running state of the server is understood comprehensively, enabling monitoring and management of server performance and stability. Feature extraction can obtain representative and key features, such as CPU utilization, memory usage, network traffic and the like, from the monitoring log data at a plurality of time points. These features reflect the running state and performance of the server and help the system build a running state feature model, so that the health of the server can be assessed more accurately.
Fig. 3 is a block diagram of the network data packet semantic coding unit in the automatic scanning and early warning system for network security vulnerability information according to an embodiment of the present application. As shown in Fig. 3, in a specific embodiment of the present application, the network data packet semantic coding unit 121 includes: a network data packet data preprocessing subunit 1211, configured to perform data preprocessing on the network data packets of the predetermined time period collected by the monitoring device to obtain a network data item feature matrix; and a network data item feature extraction subunit 1212, configured to perform feature extraction on the network data item feature matrix to obtain the network data multi-scale text understanding feature vector. It should be appreciated that data preprocessing helps remove noise and anomalous data from the network data, improving the quality and accuracy of the data. Preprocessing can include operations such as data cleaning, missing value handling, and outlier detection, making the network data more standardized and reliable and facilitating subsequent feature extraction and analysis.
Further, through feature extraction, features carrying semantic information, such as word frequencies and word vectors, can be extracted from the network data item feature matrix so as to understand and characterize the content of the network data. These features help the system identify key information and topics in the network data, supporting tasks such as text classification and sentiment analysis and improving the intelligent processing of network data.
In a specific embodiment of the present application, the network data packet data preprocessing subunit 1211 is configured to: perform word segmentation on the network data packets of the predetermined time period collected by the monitoring device to obtain a plurality of network data items; pass the plurality of network data items through a network data item embedding layer to obtain a sequence of network data item embedding vectors; and construct the sequence of network data item embedding vectors into a network data item feature matrix. It should be understood that word segmentation splits the original network data packets according to certain rules to obtain network data items of finer granularity that carry semantic information, which provides a basis for subsequent text analysis and mining. Word segmentation can divide the original network data packet according to rules such as spaces and punctuation marks, splitting a continuous character sequence into words or phrases with independent meanings. This helps extract key information elements, such as words and phrases, from the network data, making the network data easier to understand and process. Through word segmentation, the text information in a network data packet is converted into a plurality of network data items, each representing a word or phrase, so that the content and structure of the network data can be better characterized.
Further, the purpose of passing multiple network data items through the network data item embedding layer to obtain a sequence of network data item embedding vectors is to convert discrete network data items into a continuous vector representation, thereby enabling semantic understanding and characterization of the network data. Such embedded vector sequences are better able to capture semantic relationships and characteristic information between network data items. The network data item embedding layer may map each network data item to dense vector representations in a high-dimensional vector space that better capture semantic similarity and relevance between network data items. Through the conversion of the embedded layer, semantic information among network data items can be better expressed, so that the representation capability and generalization capability of a subsequent deep learning model are improved.
Further, constructing the network data item feature matrix may arrange the embedded vectors of each network data item in a sequence of different rows or columns in the matrix to form a structured data representation. The resulting network data item feature matrix may reflect the relationships and interactions between different network data items by positions and values in the matrix.
In a specific embodiment of the present application, the network data item feature extraction subunit 1212 includes: the network data item feature matrix is subjected to a network data item multi-scale neighborhood feature extraction module to obtain a network data text understanding feature matrix; and carrying out global average pooling on the network data text understanding feature matrix to obtain the network data multi-scale text understanding feature vector. It should be understood that, through the network data item multi-scale neighborhood feature extraction module, feature extraction and fusion can be performed on the network data item feature matrix under different scales. This multi-scale feature extraction enables capturing information of network data items at different levels and granularities, thereby better understanding the structure and semantic features of the network data text. The network data item multi-scale neighborhood feature extraction module can realize modeling of relevance and semantic consistency among network data item features by introducing neighborhood information and context association. By considering the neighborhood relation of the network data item on the local and global, the semantic information and the context characteristics of the network data text can be better captured, and the accuracy and the effect of text understanding are improved. Specifically, the network data item multi-scale neighborhood feature extraction module comprises: the device comprises a first convolution layer, a second convolution layer parallel to the first convolution layer and a cascade layer connected with the first convolution layer and the second convolution layer, wherein the first convolution layer uses a one-dimensional convolution kernel with a first scale, and the second convolution layer uses a one-dimensional convolution kernel with a second scale.
Further, the purpose of performing global average pooling on the network data text understanding feature matrix to obtain the network data multi-scale text understanding feature vector is to compress and integrate the complex feature matrix information and to extract the global semantic information of the network data text. The global averaging operation summarizes the information in the feature matrix into a global feature vector, so that the semantic information of the whole network data text is better represented. It also reduces the dimension of the feature matrix, compressing the rich information it contains and reducing data complexity and computation cost.
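The module and pooling step described above, written out in plain Python as an added example that is not code from the patent. The kernel sizes, channel counts and weights are assumptions, bias terms and activations are left out, and pooling is assumed to average over the item axis.

```python
"""Two parallel 1-D convolutions of different scale, a cascade
(concatenation) layer and global average pooling, in plain Python."""


def conv1d_same(matrix, kernels):
    """Zero-padded 1-D convolution along the item axis.

    matrix  : L rows (one per network data item), each with C_in values
    kernels : C_out kernels, each a list of k taps, each tap C_in weights
    returns : L rows with C_out values each
    """
    c_in = len(matrix[0])
    k = len(kernels[0])
    left = (k - 1) // 2
    zero = [0.0] * c_in
    # Pad so that every item keeps a full neighborhood of k rows.
    padded = [zero] * left + list(matrix) + [zero] * (k - 1 - left)
    out = []
    for t in range(len(matrix)):
        window = padded[t:t + k]
        out.append([
            sum(w * x
                for tap, vec in zip(kern, window)
                for w, x in zip(tap, vec))
            for kern in kernels
        ])
    return out


def global_average_pool(matrix):
    """Average every channel over all items (rows)."""
    n = len(matrix)
    return [sum(row[c] for row in matrix) / n for c in range(len(matrix[0]))]


def multi_scale_text_vector(item_matrix, kernels_a, kernels_b):
    """Item feature matrix -> multi-scale text understanding feature vector."""
    if not item_matrix:
        raise ValueError("need at least one network data item")
    branch_a = conv1d_same(item_matrix, kernels_a)  # first scale
    branch_b = conv1d_same(item_matrix, kernels_b)  # second scale
    # Cascade layer: concatenate both branches along the channel axis.
    understanding = [ra + rb for ra, rb in zip(branch_a, branch_b)]
    return global_average_pool(understanding)


if __name__ == "__main__":
    # Constructed sample: 5 network data items with 2-dimensional embeddings.
    items = [[0.1, 0.4], [0.3, 0.2], [0.9, 0.7], [0.5, 0.5], [0.0, 0.8]]
    # Constructed weights: 2 kernels of width 3 and 2 kernels of width 5.
    k3 = [[[0.5, -0.5]] * 3, [[0.2, 0.2]] * 3]
    k5 = [[[0.1, 0.1]] * 5, [[-0.3, 0.3]] * 5]
    print(multi_scale_text_vector(items, k3, k5))
```

The output length equals the total number of kernels in the two branches and does not depend on how many network data items the packet window produced.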
In a specific embodiment of the present application, the router abnormal traffic feature extraction unit 122 includes: arranging the router abnormal traffic of a plurality of preset time points acquired by the monitoring equipment according to a time dimension and a sample dimension to obtain a router abnormal traffic two-dimensional input matrix; performing explicit spatial coding on the router abnormal traffic two-dimensional input matrix to obtain a router abnormal traffic association feature matrix; and pooling the router abnormal traffic association feature matrix along the channel dimension to obtain the router abnormal traffic global feature vector. It should be appreciated that by constructing a router abnormal traffic two-dimensional input matrix, the abnormal traffic data can be arranged in sequence to form a more structured data representation. This arrangement helps to compare abnormal traffic conditions between different samples and to find similarities or differences between samples, providing more clues for anomaly detection and analysis.
Further, explicit spatial coding is performed on the router abnormal traffic two-dimensional input matrix to obtain the router abnormal traffic association feature matrix, so that the spatial association features among the abnormal traffic of different routers are better captured and represented through a specific coding mode, improving the accuracy and efficiency of anomaly detection and analysis. Such spatial coding helps the system better understand the spatial relationships in the router abnormal traffic data. Explicit spatial coding converts the router abnormal traffic data into a feature matrix with a spatial structure, so that the spatial association information in the data is made explicit. Through a specific coding mode, information such as the spatial position relationship and relative distance among the abnormal traffic data of different routers can be encoded into the feature matrix, so that the spatial correlation features in the data are better captured. Specifically, a convolutional neural network model is used, each layer of which performs the following in its forward pass: convolution processing of the input data to obtain a convolution feature map; mean pooling of the convolution feature map based on the local channel dimension to obtain a pooled feature map; and nonlinear activation of the pooled feature map to obtain an activated feature map; wherein the output of the last layer of the convolutional neural network model is the router abnormal traffic association feature matrix, and the input of the first layer of the convolutional neural network model is the router abnormal traffic two-dimensional input matrix.
Furthermore, the process of pooling the router abnormal traffic correlation feature matrix along the channel dimension to obtain the router abnormal traffic global feature vector aims at obtaining the global feature vector capable of comprehensively representing the overall abnormal traffic situation by effectively summarizing and extracting the feature matrix. This pooling operation helps reduce feature dimensions, increase computational efficiency, and capture important global features in router anomaly traffic data. Pooling the router abnormal traffic association feature matrix along the channel dimension can sum up and extract the feature information in each channel to obtain the representative feature of each channel. This operation helps to reduce feature dimensions, reduce data complexity, and retain important feature information, making subsequent data processing more efficient and compact.
In a specific embodiment of the present application, the monitoring server operation status feature extraction unit 124 includes: arranging the operation states of the monitoring servers at a plurality of preset time points acquired from the monitoring log to obtain operation state input vectors; and passing the running state input vector through a running state sequence encoder comprising a one-dimensional convolution layer to obtain the running state characteristic vector. It should be appreciated that by arranging the operational status data of the monitoring server at a plurality of predetermined points in time, the monitoring information at different points in time may be integrated into one input vector in a certain order. This helps to transform time series data into a more structured and unified data representation that facilitates subsequent data analysis and modeling.
Further, converting the running state input vector into the running state feature vector with a running state sequence encoder comprising a one-dimensional convolution layer aims to capture local features and patterns in the input vector through convolution operations and to extract higher-level feature representations. Such an encoder structure helps the system better understand and use the timing information in the monitored data, thereby improving the performance and effectiveness of the monitoring system. Specifically, the fully connected layer of the running state sequence encoder is used to perform fully connected encoding on the running state input vector so as to extract high-dimensional implicit features of the feature values at all positions in the running state input vector; and the one-dimensional convolution layer of the running state sequence encoder is used to perform one-dimensional convolution encoding on the running state input vector so as to extract high-dimensional implicit correlation features among the feature values at all positions in the running state input vector.
In the above network security vulnerability information automatic scanning and early warning system 100, the vulnerability information feature fusion module 130 is configured to fuse the network data security association feature vector and the running state feature vector to obtain a vulnerability risk level classification feature vector. It should be appreciated that the network data security association feature vector provides important information about network data security, such as network traffic, packet analysis, etc., while the operational state feature vector provides information about system operational state, such as system load, operational process, etc. By fusing these two types of feature vectors, the security of the network system can be more fully understood. By comprehensively considering the information of the network data security and the system running state, the accurate assessment of the vulnerability risk level can be improved, and the potential security risk can be found and dealt with in time, so that the security protection capability of the network system is enhanced.
In the above network security vulnerability information automatic scanning and early warning system 100, the vulnerability information feature optimization module 140 is configured to optimize the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector. It should be understood that, in the technical solution of the present application, on the one hand, the network data security association feature vector focuses on capturing security-related information at the network layer, such as the content of the network data packets and the abnormal traffic pattern of the router, whereas the running state feature vector focuses on the running state of the monitoring server and provides information at the server operating level. The position complementary information refers to the unique information provided by these two different types of data: network data features are more concerned with abnormal behavior at the network level, while the server running state is concerned with the health and performance metrics of the server itself. By using the position complementary information of the different feature sets, the system can evaluate the network security condition more comprehensively, thereby improving the accuracy of vulnerability risk level classification. On the other hand, in actual network security data, normal or low risk level data may be far more numerous than high risk level data, resulting in an uneven label distribution. Such non-uniformity may bias the model toward predicting the majority class (normal or low risk level) and cause it to disregard the minority class (high risk level).
Based on this, in the technical solution of the present application, label-driven feature vector stacking is performed on the network data security association feature vector and the running state feature vector. By using the position complementary information and handling the uneven label distribution, the robustness of the model is enhanced, so that the model can still provide accurate risk level classification even when it faces incomplete data or changing network security conditions.
In particular, label-driven feature vector stacking is performed on the network data security association feature vector and the running state feature vector to obtain a correction feature vector; and the position-wise point multiplication between the correction feature vector and the vulnerability risk level classification feature vector is calculated to obtain the optimized vulnerability risk level classification feature vector.
Specifically, performing label-driven feature vector stacking on the network data security association feature vector and the running state feature vector to obtain the correction feature vector includes: calculating a per-position mean vector between the network data security association feature vector and the running state feature vector; calculating the mean and variance of a feature set consisting of all feature values of the per-position mean vector; calculating an exponential function value based on the natural constant by taking the average value of the feature values at a predetermined position of the network data security association feature vector and the running state feature vector as the exponent of the natural constant, to obtain a first exponential function value; calculating an exponential function value based on the natural constant by taking the inverse number of the variance of the feature set as the exponent of the natural constant, and subtracting one from the exponential function value to obtain an exponential adjustment difference; dividing the first exponential function value by the exponential adjustment difference and subtracting the mean of the feature set, and activating the calculated difference through a ReLU function to obtain a first activation value; taking the absolute value of the first activation value, and then activating it through a SELU function to obtain a second activation value; and multiplying the second activation value by the first exponential function value to obtain the feature value at the predetermined position of the correction feature vector.
More specifically, performing label-driven feature vector stacking on the network data security association feature vector and the running state feature vector to obtain the correction feature vector includes:
performing the label-driven feature vector stacking on the network data security association feature vector and the running state feature vector according to the following formula:
Wherein, Representing the network data security association feature vectorThe characteristic value of the individual position is used,Representing the first of the operating state feature vectorsThe characteristic value of the individual position is used,AndIs the mean and variance of a feature set consisting of all feature values of the per-location mean vector between the network data security association feature vector and the operational state feature vector,A linear rectification function is represented and is used,The representation Selu activates the function,Representing the first corrected feature vectorCharacteristic values of the individual positions.
Here, label-driven feature vector stacking is performed on the network data security association feature vector and the running state feature vector. By stacking the different feature vectors and considering their distribution in the feature space, the model can better understand and process unseen data, which enhances its generalization capability. At the same time, the sensitivity of the label position is taken into account, so that the model can identify and classify data points more accurately, especially where there are obvious boundaries or groups, which improves classification accuracy. Moreover, label-driven feature vector stacking can optimize the feature representation of the data, so that similar data points lie closer together in the feature space and dissimilar data points are more scattered, which facilitates the decision of the classifier.
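The stacking steps listed above and the subsequent position-wise multiplication, carried through in Python as an added example that is not the applicant's code. Because the formula itself is not reproduced on this page, the example assumes that the "inverse number" of the variance means its negative, that the division is done before the mean is subtracted, that the population variance is meant, and that SELU uses its standard constants; the function names are hypothetical.

```python
"""Label-driven feature vector stacking, following the listed steps."""
import math

# Standard SELU constants (assumption: the text does not give them).
SELU_SCALE = 1.0507009873554805
SELU_ALPHA = 1.6732632423543772


def relu(x):
    return x if x > 0.0 else 0.0


def selu(x):
    return SELU_SCALE * (x if x > 0.0 else SELU_ALPHA * (math.exp(x) - 1.0))


def correction_vector(net_vec, state_vec):
    """Return the correction feature vector for two equally long inputs."""
    if len(net_vec) != len(state_vec) or not net_vec:
        raise ValueError("feature vectors must be non-empty and equally long")
    # Per-position mean vector of the two feature vectors.
    mean_vec = [(a + b) / 2.0 for a, b in zip(net_vec, state_vec)]
    # Mean and (population) variance of the set of all its feature values.
    mu = sum(mean_vec) / len(mean_vec)
    var = sum((m - mu) ** 2 for m in mean_vec) / len(mean_vec)
    # Exponential adjustment difference: exp(-var) - 1 (assumed reading).
    adjust = math.expm1(-var)
    if adjust == 0.0:
        # A constant per-position mean vector makes the denominator zero.
        raise ValueError("feature-set variance is zero; division undefined")
    corrected = []
    for m in mean_vec:
        first_exp = math.exp(m)                    # first exponential value
        first_act = relu(first_exp / adjust - mu)  # first activation value
        second_act = selu(abs(first_act))          # second activation value
        corrected.append(second_act * first_exp)
    return corrected


def optimize(classification_vec, net_vec, state_vec):
    """Position-wise product of correction and classification vectors."""
    corr = correction_vector(net_vec, state_vec)
    if len(corr) != len(classification_vec):
        raise ValueError("classification vector length must match")
    return [c * f for c, f in zip(corr, classification_vec)]


if __name__ == "__main__":
    # Constructed sample vectors, not data from the patent.
    net = [-3.0, -5.0, -4.0]
    state = [-2.0, -6.0, -4.5]
    fused = [0.7, 1.2, -0.4]
    print(correction_vector(net, state))
    print(optimize(fused, net, state))
```

Under these assumptions the denominator exp(-variance) - 1 is never positive, so the ReLU passes a value only when the feature-set mean is sufficiently negative and the correction vector is all zeros otherwise. A constant per-position mean vector (zero variance) leaves the division undefined, which the example rejects explicitly.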
In the above-mentioned network security vulnerability information automatic scanning and early warning system 100, the network security vulnerability risk level generating module 150 is configured to obtain a network security vulnerability risk level based on the optimized vulnerability risk level classification feature vector. It should be appreciated that, based on the optimized vulnerability risk level classification feature vector, the system can consider vulnerability-related features comprehensively. These features may include information on the type of vulnerability, scope of impact, ease of use, complexity of attack, etc., and by integrating these features, the risk level of the vulnerability can be more accurately assessed. Determining the vulnerability risk level helps the security team allocate resources effectively and prioritize vulnerabilities in view of factors such as vulnerability likelihood and scope of influence. High-risk vulnerabilities can cause serious system losses, so early identification and resolution of these vulnerabilities is of paramount importance. Assessment based on the risk level classification feature vector helps security teams handle vulnerabilities in a targeted manner and improves the security protection effect.
In summary, the embodiment of the application first acquires the network data packets of the preset time period acquired by the monitoring equipment, the router abnormal traffic of a plurality of preset time points acquired by the monitoring equipment, and the running states of the monitoring server at a plurality of preset time points acquired from the monitoring log; it then performs feature extraction and association analysis on these three inputs using deep learning technology; and it finally obtains the network security vulnerability risk level through the classifier. This realizes real-time monitoring and analysis of the network security condition and finds potential security threats as early as possible, which helps in taking timely measures to strengthen network security protection and reduces the risk of network attack.
As described above, the network security vulnerability information automatic scanning and early warning system 100 according to the embodiment of the present application may be implemented in various terminal devices, for example, a server on which a network security vulnerability information automatic scanning and early warning algorithm is deployed. In one example, the network security vulnerability information automatic scanning and early warning system 100 may be integrated into the terminal device as a software module and/or hardware module. For example, the network security vulnerability information automatic scanning and early warning system 100 may be a software module in the operating system of the terminal device, or may be an application developed for the terminal device; of course, the network security vulnerability information automatic scanning and early warning system 100 can also be one of a plurality of hardware modules of the terminal device.
Alternatively, in another example, the network security vulnerability information automatic scanning and early warning system 100 and the terminal device may be separate devices, and the network security vulnerability information automatic scanning and early warning system 100 may be connected to the terminal device through a wired and/or wireless network and transmit interactive information according to an agreed data format.
Exemplary method
Fig. 4 is a flowchart of a network security vulnerability information automatic scanning and early warning method according to an embodiment of the application. As shown in fig. 4, the network security vulnerability information automatic scanning and early warning method according to the embodiment of the application includes: S110, acquiring network data packets of a preset time period acquired by monitoring equipment, router abnormal traffic of a plurality of preset time points acquired by the monitoring equipment, and the running states of a monitoring server at a plurality of preset time points acquired from a monitoring log; S120, extracting a network data security association feature vector and a running state feature vector from the network data packets of the preset time period acquired by the monitoring equipment, the router abnormal traffic of the preset time points acquired by the monitoring equipment, and the running states of the monitoring server at the preset time points acquired from the monitoring log; S130, fusing the network data security association feature vector and the running state feature vector to obtain a vulnerability risk level classification feature vector; S140, optimizing the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector; and S150, obtaining a network security vulnerability risk level based on the optimized vulnerability risk level classification feature vector.
Here, it will be understood by those skilled in the art that the specific operations of the respective steps in the above-described network security vulnerability information automatic scanning and early warning method have been described in detail in the above description of the network security vulnerability information automatic scanning and early warning system with reference to fig. 1 to 3, and thus repetitive descriptions thereof are omitted.
Exemplary electronic device
Next, an electronic device according to an embodiment of the present application is described with reference to fig. 5.
Fig. 5 is a block diagram of an electronic device according to an embodiment of the present invention.
As shown in fig. 5, the electronic device 10 includes a processor 11 and a memory 13. The processor 11 is coupled to the memory 13, for example via a bus 12. Optionally, the electronic device 10 may also include a transceiver 14. It should be noted that, in practical applications, the transceiver 14 is not limited to one, and the structure of the electronic device 10 does not limit the embodiment of the present invention.
The processor 11 may be a CPU (central processing unit), a general purpose processor, a DSP (digital signal processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various exemplary logical blocks, modules, and circuits described in connection with the present disclosure. The processor 11 may also be a combination that performs computing functions, e.g. a combination of one or more microprocessors, a combination of a DSP and a microprocessor, etc.
Bus 12 may include a path to transfer information between the aforementioned components. Bus 12 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 12 may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, only one thick line is shown in fig. 5, but this does not mean that there is only one bus or one type of bus.
The memory 13 is used for storing a computer program corresponding to the network security vulnerability information automatic scanning and early warning method according to the above embodiment of the present invention, and execution of the computer program is controlled by the processor 11. The processor 11 is arranged to execute the computer program stored in the memory 13 to realize what is shown in the previous method embodiments.
Among other things, the electronic device 10 includes, but is not limited to: mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device 10 shown in fig. 5 is only an example and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein may, for example, be considered an ordered listing of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
In the description of the present invention, it should be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", "axial", "radial", "circumferential", etc. indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings are merely for convenience in describing the present invention and simplifying the description, and do not indicate or imply that the device or element being referred to must have a specific orientation, be configured and operated in a specific orientation, and therefore should not be construed as limiting the present invention.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
In the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," "secured," and the like are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; either directly or indirectly, through intermediaries, or both, may be in communication with each other or in interaction with each other, unless expressly defined otherwise. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
In the present invention, unless expressly stated or limited otherwise, a first feature "up" or "down" a second feature may be the first and second features in direct contact, or the first and second features in indirect contact via an intervening medium. Moreover, a first feature being "above," "over" and "on" a second feature may be a first feature being directly above or obliquely above the second feature, or simply indicating that the first feature is level higher than the second feature. The first feature being "under", "below" and "beneath" the second feature may be the first feature being directly under or obliquely below the second feature, or simply indicating that the first feature is less level than the second feature.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (8)

1. An automatic scanning and early warning system for network security vulnerability information, characterized by comprising:
The network security vulnerability information acquisition module is used for acquiring network data packets of a preset time period acquired by the monitoring equipment, abnormal router traffic of a plurality of preset time points acquired by the monitoring equipment and the running states of the monitoring server of a plurality of preset time points acquired from the monitoring log;
The network security vulnerability information extraction module is used for extracting network data security association feature vectors and operation state feature vectors from the network data packets of the preset time period acquired by the monitoring equipment, the router abnormal traffic of the preset time points acquired by the monitoring equipment and the operation states of the monitoring servers of the preset time points acquired from the monitoring log;
the vulnerability information feature fusion module is used for fusing the network data security association feature vector and the running state feature vector to obtain a vulnerability risk level classification feature vector;
the vulnerability information feature optimization module is used for optimizing the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector;
The network security vulnerability risk level generation module is used for obtaining the network security vulnerability risk level based on the optimized vulnerability risk level classification feature vector;
the vulnerability information feature optimization module comprises:
performing label-driven feature vector stacking on the network data security association feature vector and the running state feature vector to obtain a correction feature vector; and
calculating the position-wise point multiplication between the correction feature vector and the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector;
wherein performing label-driven feature vector stacking on the network data security association feature vector and the running state feature vector to obtain a correction feature vector comprises:
calculating a per-position mean vector between the network data security association feature vector and the running state feature vector;
calculating the mean and variance of a feature set consisting of all feature values of the per-position mean vector;
calculating an exponential function value based on the natural constant by taking the average value of the feature values at a predetermined position of the network data security association feature vector and the running state feature vector as the exponent of the natural constant, to obtain a first exponential function value;
calculating an exponential function value based on the natural constant by taking the inverse number of the variance of the feature set as the exponent of the natural constant, and subtracting one from the exponential function value to obtain an exponential adjustment difference;
dividing the first exponential function value by the exponential adjustment difference and subtracting the mean of the feature set, and activating the calculated difference through a ReLU function to obtain a first activation value;
taking the absolute value of the first activation value, and then activating it through a SELU function to obtain a second activation value;
multiplying the second activation value by the first exponential function value to obtain a feature value for a predetermined position of the correction feature vector.
2. The automatic scanning and early warning system for network security vulnerabilities of claim 1, wherein the network security vulnerabilities information extraction module comprises:
a network data packet semantic coding unit, used for performing semantic coding on the network data packets of the preset time period acquired by the monitoring equipment to obtain a network data multi-scale text understanding feature vector;
a router abnormal traffic feature extraction unit, used for performing feature extraction on the router abnormal traffic at a plurality of preset time points acquired by the monitoring equipment to obtain a router abnormal traffic global feature vector;
a network data security feature association unit, used for associating the network data multi-scale text understanding feature vector with the router abnormal traffic global feature vector to obtain the network data security association feature vector; and
a monitoring server running state feature extraction unit, used for performing feature extraction on the running states of the monitoring server at a plurality of preset time points acquired from the monitoring log to obtain the running state feature vector.
3. The automatic scanning and early warning system for network security vulnerabilities according to claim 2, wherein the network data packet semantic coding unit comprises:
a network data packet data preprocessing subunit, used for performing data preprocessing on the network data packets of the preset time period acquired by the monitoring equipment to obtain a network data item feature matrix; and
a network data item feature extraction subunit, used for performing feature extraction on the network data item feature matrix to obtain the network data multi-scale text understanding feature vector.
4. The automatic scanning and early warning system for network security vulnerabilities of claim 3, wherein the network packet data preprocessing subunit comprises:
performing word segmentation processing on the network data packet in the preset time period acquired by the monitoring equipment to obtain a plurality of network data items;
passing the plurality of network data items through a network data item embedding layer to obtain a sequence of network data item embedding vectors;
and constructing the sequence of the network data item embedding vectors into a network data item feature matrix.
5. The network security vulnerability information automatic scanning pre-warning system of claim 4, wherein the network data item feature extraction subunit comprises:
passing the network data item feature matrix through a network data item multi-scale neighborhood feature extraction module to obtain a network data text understanding feature matrix; and
performing global average pooling on the network data text understanding feature matrix to obtain the network data multi-scale text understanding feature vector.
6. The automatic network security vulnerability information scanning and early warning system of claim 5, wherein the router abnormal traffic feature extraction unit comprises:
arranging the router abnormal traffic at a plurality of preset time points acquired by the monitoring equipment according to a time dimension and a sample dimension to obtain a router abnormal traffic two-dimensional input matrix;
performing explicit space coding on the router abnormal traffic two-dimensional input matrix to obtain a router abnormal traffic association characteristic matrix;
and pooling the router abnormal traffic association feature matrix along the channel dimension to obtain the router abnormal traffic global feature vector.
7. The automatic scanning and early warning system for network security vulnerabilities of claim 6, wherein the monitoring server operation state feature extraction unit comprises:
arranging the operation states of the monitoring servers at a plurality of preset time points acquired from the monitoring log to obtain operation state input vectors;
and passing the running state input vector through a running state sequence encoder comprising a one-dimensional convolution layer to obtain the running state feature vector.
8. The automatic scanning and early warning method for the network security vulnerability information is characterized by comprising the following steps of:
acquiring network data packets of a preset time period acquired by monitoring equipment, abnormal router traffic of a plurality of preset time points acquired by the monitoring equipment and the running state of a monitoring server of a plurality of preset time points acquired from a monitoring log;
extracting network data security association feature vectors and operation state feature vectors from the network data packets of the preset time period acquired by the monitoring equipment, the router abnormal traffic of the preset time points acquired by the monitoring equipment and the operation states of the monitoring servers of the preset time points acquired from the monitoring log;
fusing the network data security association feature vector and the running state feature vector to obtain a vulnerability risk level classification feature vector;
optimizing the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector; and
obtaining a network security vulnerability risk level based on the optimized vulnerability risk level classification feature vector;
wherein optimizing the vulnerability risk level classification feature vector to obtain an optimized vulnerability risk level classification feature vector comprises:
performing label-driven feature vector stacking on the network data security association feature vector and the running state feature vector to obtain a correction feature vector; and
calculating the position-wise multiplication between the correction feature vector and the vulnerability risk level classification feature vector to obtain the optimized vulnerability risk level classification feature vector;
wherein performing label-driven feature vector stacking on the network data security association feature vector and the running state feature vector to obtain a correction feature vector comprises:
calculating a per-position mean vector between the network data security association feature vector and the running state feature vector;
calculating the mean and variance of a feature set consisting of all feature values of the per-position mean vector;
calculating an exponential function value with the natural constant as its base, taking as the exponent the mean of the feature values at a predetermined position of the network data security association feature vector and the running state feature vector, to obtain a first exponential function value;
calculating an exponential function value with the natural constant as its base, taking as the exponent the inverse number of the variance of the feature set, and subtracting one from that exponential function value to obtain an exponential adjustment difference;
dividing the first exponential function value by the exponential adjustment difference and subtracting the mean of the feature set, and activating the resulting difference through a ReLU function to obtain a first activation value;
taking the absolute value of the first activation value and then activating it through a SELU function to obtain a second activation value; and
multiplying the second activation value by the first exponential function value to obtain the feature value at the predetermined position of the correction feature vector.
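The correction feature vector steps recited in claims 1 and 8, carried through as an added Python example (not code from the patent). Assumptions: both input vectors have equal length, the variance is the population variance, SELU uses its standard constants, and because the translated phrase "inverse number of the variance" is ambiguous, the hypothetical `inverse` parameter selects either the negative or the reciprocal reading; all sample values are constructed.

```python
import math
from statistics import fmean, pvariance

SELU_ALPHA = 1.6732632423543772  # standard SELU constants (assumption)
SELU_SCALE = 1.0507009873554805

# Constructed sample inputs, not taken from the patent.
ASSOC = [-2.0, 0.0]    # network data security association feature vector
STATE = [-2.0, -2.0]   # running state feature vector
CLASSIF = [0.5, 0.5]   # vulnerability risk level classification feature vector


def selu(x):
    return SELU_SCALE * (x if x > 0 else SELU_ALPHA * (math.exp(x) - 1.0))


def correction_vector(assoc, state, inverse="negative"):
    """Correction feature vector. `inverse` picks the assumed reading of the
    claim's "inverse number": "negative" (-var) or "reciprocal" (1/var)."""
    if len(assoc) != len(state):
        raise ValueError("feature vectors must have equal length")
    per_pos_mean = [(a + s) / 2.0 for a, s in zip(assoc, state)]
    mu = fmean(per_pos_mean)
    var = pvariance(per_pos_mean)  # population variance (assumption)
    if var == 0.0:
        # exp(-0) - 1 == 0 and 1/0 is undefined: the division fails either way.
        raise ValueError("zero variance: adjustment difference is unusable")
    exponent = {"negative": -var, "reciprocal": 1.0 / var}[inverse]
    adjust = math.exp(exponent) - 1.0  # overflows for tiny var when reciprocal
    out = []
    for m in per_pos_mean:
        first_exp = math.exp(m)                   # first exponential value
        act1 = max(0.0, first_exp / adjust - mu)  # ReLU
        act2 = selu(abs(act1))                    # SELU of the absolute value
        out.append(act2 * first_exp)
    return out


def optimize(classification, correction):
    """Position-wise product of classification and correction vectors."""
    if len(classification) != len(correction):
        raise ValueError("vectors must have equal length")
    return [c * k for c, k in zip(classification, correction)]


if __name__ == "__main__":
    for mode in ("negative", "reciprocal"):
        corr = correction_vector(ASSOC, STATE, mode)
        print(mode, corr, optimize(CLASSIF, corr))
```

Under the negative reading the adjustment difference lies in (-1, 0), so the ReLU zeroes every position unless the feature-set mean is sufficiently negative, and a zeroed position also zeroes the matching position of the optimized classification vector.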
CN202410609210.4A 2024-05-16 2024-05-16 Automatic scanning and early warning system and method for network security vulnerability information Active CN118200057B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410609210.4A CN118200057B (en) 2024-05-16 2024-05-16 Automatic scanning and early warning system and method for network security vulnerability information

Publications (2)

Publication Number Publication Date
CN118200057A (en) 2024-06-14
CN118200057B (en) 2024-07-19

Family

ID=91400733

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410609210.4A Active CN118200057B (en) 2024-05-16 2024-05-16 Automatic scanning and early warning system and method for network security vulnerability information

Country Status (1)

Country Link
CN (1) CN118200057B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119011242A (en) * 2024-08-12 2024-11-22 国网河南省电力公司信息通信分公司 Real-time threat sensing system for network security at edge side of Internet of things

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115529166A (en) * 2022-09-05 2022-12-27 浙江御安信息技术有限公司 Network security scanning risk management and control system and method based on multi-source data
CN117596057A (en) * 2023-12-04 2024-02-23 长春市振旭尼科技有限公司 Network information security management system and method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180262525A1 (en) * 2017-03-09 2018-09-13 General Electric Company Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid
CN116405299A (en) * 2023-04-14 2023-07-07 杜菁 An Alarm Based on Network Security
CN117596058A (en) * 2023-12-05 2024-02-23 琼中萌萝科技有限公司 Network information security protection system and method
CN117592060B (en) * 2024-01-18 2024-04-12 中诚华隆计算机技术有限公司 Processor network security vulnerability detection method and system

Also Published As

Publication number Publication date
CN118200057A (en) 2024-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant