
CN119172100B - Network security processing method and system based on dynamic network - Google Patents


Info

Publication number: CN119172100B
Authority: CN (China)
Prior art keywords: network, dynamic, monitoring, security, data set
Legal status: Active
Application number: CN202411037888.6A
Other languages: Chinese (zh)
Other versions: CN119172100A
Inventors: 林川, 张昇鹏, 龚国垌, 沈金福, 王春雁, 刘信, 梁泽伟, 秦苠峰
Current assignee: Beijing Blue Ocean Jushi Technology Co ltd
Original assignees: Beijing Blue Ocean Jushi Technology Co ltd; Guangxi Ance Information Technology Co ltd
Application filed by Beijing Blue Ocean Jushi Technology Co ltd and Guangxi Ance Information Technology Co ltd; priority to CN202411037888.6A; published as CN119172100A and granted as CN119172100B.

Classifications (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)

    • H04L 63/00 Network architectures or network communication protocols for network security
        • H04L 63/14 ... for detecting or protecting against malicious traffic
            • H04L 63/1408 ... by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
        • H04L 63/20 ... for managing network security; network security policies in general
            • H04L 63/205 ... involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
        • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
        • H04L 61/50 Address allocation
            • H04L 61/5007 Internet protocol [IP] addresses
                • H04L 61/5014 ... using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
            • H04L 61/5076 Update or notification mechanisms, e.g. DynDNS

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security processing method and system based on a dynamic network, in the technical field of network security. The method comprises: performing configuration management of the network terminals in an intranet; establishing a monitoring data set; establishing a driving network and inputting the monitoring data set and time information into it to perform driving evaluation; calling a virtual address and performing a dynamic IP update of the network terminal; calculating a node security impact score for each monitoring point to generate node security impact score calculation results; performing abnormal event association evaluation on the monitoring points and, based on it, an impact calculation on the node security impact score calculation results to generate a comprehensive security impact score; and performing network security processing according to the comprehensive security impact score and the dynamic IP update result. This addresses the inaccurate network risk identification and untimely protection of traditional static IP address management, and improves network security protection capability through dynamic, real-time network security processing.

Description

Network security processing method and system based on dynamic network
Technical Field
The invention relates to the technical field of network security, in particular to a network security processing method and system based on a dynamic network.
Background
In the era of rapid digitalization, as enterprises continue to deepen their information construction, the intranet environment has become the core support for enterprise operation and management. However, as networks grow in scale and complexity, intranet security problems become increasingly prominent: in the intranet, network terminals carry key business data and sensitive information, and once a terminal is attacked or data is leaked, the enterprise suffers immeasurable loss. The traditional static IP address management mode has many limitations for intranet security, such as IP addresses that are easy to track and locate and a fixed network topology, which leave the network vulnerable to external attack and internal threat.
Disclosure of Invention
The application provides a network security processing method and system based on a dynamic network, which solve the technical problem of untimely protection caused by inaccurate network risk identification under the traditional static IP address management.
In view of the above problems, the present application provides a network security processing method and system based on a dynamic network.
In a first aspect of the present application, there is provided a dynamic network-based network security processing method, the method comprising:
The method comprises: performing configuration management of the network terminals in an intranet, the configuration management comprising real IP addresses, external network access IP addresses and virtual address management of a dynamic conversion unit; performing terminal monitoring of the network terminals based on the configuration management result and establishing a monitoring data set comprising a device data set and a user data set; establishing a driving network comprising a time-driven sub-network, an event-driven sub-network and a load-driven sub-network, inputting the monitoring data set and time information into the driving network to perform driving evaluation, calling a virtual address based on the driving evaluation result and performing a dynamic IP update of the network terminal; calculating a node security impact score for each monitoring point from the monitoring data set and generating node security impact score calculation results; performing abnormal event association evaluation on all monitoring points and, based on the association evaluation result, performing an impact calculation on the node security impact score calculation results to generate a comprehensive security impact score; and performing network security processing according to the comprehensive security impact score and the dynamic IP update result.
In a second aspect of the present application, there is provided a dynamic network-based network security processing system, the system comprising:
The system comprises a configuration management module, a monitoring module, an updating module, a first computing module, a second computing module and a processing module. The configuration management module is used for executing configuration management of the network terminals in an intranet, the configuration management comprising real IP addresses, external network access IP addresses and virtual address management of a dynamic conversion unit; the monitoring module is used for performing terminal monitoring of the network terminals based on the configuration management result and establishing a monitoring data set comprising a device data set and a user data set; the updating module is used for establishing a driving network comprising a time-driven sub-network, an event-driven sub-network and a load-driven sub-network, inputting the monitoring data set and time information into the driving network to perform driving evaluation, calling a virtual address based on the driving evaluation result and performing a dynamic IP update of the network terminal; the first computing module is used for calculating a node security impact score for each monitoring point from the monitoring data set and generating node security impact score calculation results; the second computing module is used for performing abnormal event association evaluation on all monitoring points and, based on the association evaluation result, performing an impact calculation on the node security impact score calculation results to generate a comprehensive security impact score; and the processing module is used for performing network security processing according to the comprehensive security impact score and the dynamic IP update result.
One or more technical schemes provided by the application have at least the following technical effects or advantages:
Firstly, configuration management of the network terminals in an intranet is executed, the configuration management comprising real IP addresses, external network access IP addresses and virtual address management of a dynamic conversion unit, and terminal monitoring of the network terminals is performed based on the configuration management result to establish a monitoring data set comprising a device data set and a user data set. Then a driving network comprising a time-driven sub-network, an event-driven sub-network and a load-driven sub-network is established, the monitoring data set and time information are input into it to perform driving evaluation, a virtual address is called based on the driving evaluation result, and a dynamic IP update of the network terminal is executed. A node security impact score is calculated for each monitoring point from the monitoring data set, generating node security impact score calculation results. Then abnormal event association evaluation is performed on all monitoring points and, based on the association evaluation result, an impact calculation is performed on the node security impact score calculation results to generate a comprehensive security impact score. Finally, network security processing is performed according to the comprehensive security impact score and the dynamic IP update result. This solves the technical problem of inaccurate network risk identification and untimely protection under traditional static IP address management, and improves network security protection capability through dynamic, real-time network security processing.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the following description will briefly explain the drawings needed in the description of the embodiments, which are merely examples of the present invention, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a network security processing method based on a dynamic network according to an embodiment of the present application;
fig. 2 is a schematic diagram of a network security processing system based on a dynamic network according to an embodiment of the present application.
Reference numerals illustrate a configuration management module 11, a monitoring module 12, an updating module 13, a first calculation module 14, a second calculation module 15, and a processing module 16.
Detailed Description
The application solves the technical problem of untimely protection caused by inaccurate network risk identification under the traditional static IP address management by providing the network security processing method and system based on the dynamic network.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that the terms "comprises" and "comprising" are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
In a first embodiment, as shown in fig. 1, the present application provides a network security processing method based on a dynamic network, where the method includes:
And executing configuration management of the network terminal in the intranet, wherein the configuration management comprises real IP address, external network access IP address and virtual address management of the dynamic conversion unit.
The stable operation and security of the network are ensured by configuration management of the network terminals in the intranet, comprising real IP addresses, external network access IP addresses and virtual address management of the dynamic conversion unit. Specifically, each network terminal is allocated a unique real IP address, and the real IP address information of each terminal is recorded, including the terminal name, the MAC address and the sub-network to which the terminal belongs. If a network terminal needs to access an external network, it is allocated one or more external network access IP addresses, usually obtained from a public IP address pool through NAT (network address translation), VPN (virtual private network) or similar technologies. Which terminals may access the external network, and in what manner and with what authority, is formulated according to service requirements and security policy, and external network access behaviour is recorded and monitored to ensure that it meets the policy requirements.
And carrying out terminal monitoring on the network terminal based on the configuration management result, and establishing a monitoring data set, wherein the monitoring data set comprises a device data set and a user data set.
The configuration management result comprises the real IP address, the external network access IP address and the virtual address of the dynamic conversion unit. The network terminals are monitored according to this result to acquire their state and user activity in real time, and a monitoring data set is established comprising a device data set and a user data set. The device data set comprises fields such as the device identifier (MAC address and IP address), device type, device state, configuration information and performance data; the user data set comprises fields such as the user identifier (user name and account number), user behaviour (login time, login location and access records) and user permissions. Specifically, the device and user data are collected by deploying terminal monitoring tools or systems such as an SNMP (simple network management protocol) monitor, a NetFlow analysis tool or terminal security management software. Terminal monitoring and the resulting monitoring data set make the state and performance of the network terminals known in time.
And establishing a driving network, wherein the driving network comprises a time driving sub-network, an event driving sub-network and a load driving sub-network, inputting the monitoring data set and the time information into the driving network to execute driving evaluation, calling the virtual address based on a driving evaluation result, and executing dynamic IP updating of a network terminal.
Dynamic IP updating of the network terminals is supported by constructing a driving network comprising a time-driven sub-network, an event-driven sub-network and a load-driven sub-network. The time-driven sub-network receives time information (such as the current time and time intervals) and triggers state checks or update tasks for the network terminals on that basis; the event-driven sub-network receives events from the system (such as login events and access anomaly events) and triggers the processing logic corresponding to the event type; the load-driven sub-network monitors network load (such as CPU utilization and bandwidth occupancy) and adjusts the configuration or resource allocation of the network terminals according to the load. The monitoring data set and time information are input into the driving network to perform driving evaluation: the inputs are analysed against the conditions and rules of the time, event and load drivers to evaluate the state, performance, security condition and network load of each network terminal, and the driving evaluation result determines whether a dynamic IP update of the terminal is required. If it is, an available virtual address is called from the virtual address pool and the dynamic IP update is executed, changing the IP address of the network terminal from the old address to the newly called virtual address. The driving network makes dynamic IP updating of the network terminals more flexible and intelligent, improves the security and stability of the network, and optimizes network performance and resource utilization.
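The driving evaluation described above, as an added example that is not part of the patent: a small Python model in which the three sub-networks decide whether a terminal's virtual IP is rotated, deferred or held, and a virtual address pool performs the update. The thresholds, the security event names, the pool layout and the terminal records are assumptions made for illustration.

```python
"""Driving network for dynamic IP updating of an intranet terminal.

Added example, not code from the patent. Thresholds, event names, the pool
layout and the terminal records below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ROTATION_INTERVAL_S = 3600       # time-driven sub-network: rotation due after this (assumed)
FAILED_LOGIN_THRESHOLD = 5       # event-driven sub-network: burst of failed logins (assumed)
LOAD_DEFER_THRESHOLD = 0.85      # load-driven sub-network: defer routine rotation above this (assumed)
SECURITY_EVENTS = {"access_anomaly", "malware_alert"}   # event types that force a rotation (assumed)


@dataclass
class Terminal:
    name: str
    real_ip: str          # fixed internal address kept in the configuration record
    virtual_ip: str       # address currently exposed to the rest of the network
    last_rotation: float  # epoch seconds of the last dynamic IP update


@dataclass
class Sample:
    """One slice of the monitoring data set for a terminal."""
    failed_logins: int = 0
    events: List[str] = field(default_factory=list)
    cpu_load: float = 0.0
    bandwidth_util: float = 0.0


class VirtualAddressPool:
    def __init__(self, free: List[str], in_use: Set[str]):
        self.free = list(free)
        self.in_use = set(in_use)

    def acquire(self) -> str:
        if not self.free:
            raise RuntimeError("virtual address pool exhausted")
        addr = self.free.pop(0)
        self.in_use.add(addr)
        return addr

    def release(self, addr: str) -> None:
        self.in_use.discard(addr)
        self.free.append(addr)      # returned to the tail, so it is reused last


def evaluate_drivers(term: Terminal, s: Sample, now: float) -> Tuple[str, List[str]]:
    """Combine the three sub-networks into 'rotate', 'defer' or 'hold'."""
    reasons = []
    time_due = now - term.last_rotation >= ROTATION_INTERVAL_S
    if time_due:
        reasons.append("time:interval_elapsed")
    event_hit = s.failed_logins >= FAILED_LOGIN_THRESHOLD or bool(SECURITY_EVENTS & set(s.events))
    if event_hit:
        reasons.append("event:security_event")
    overloaded = max(s.cpu_load, s.bandwidth_util) >= LOAD_DEFER_THRESHOLD
    if event_hit:                       # a security event rotates regardless of load
        return "rotate", reasons
    if time_due and overloaded:         # routine rotation waits until the load drops
        reasons.append("load:deferred")
        return "defer", reasons
    if time_due:
        return "rotate", reasons
    return "hold", reasons


def dynamic_ip_update(term: Terminal, s: Sample, pool: VirtualAddressPool, now: float) -> Dict:
    """Apply the driving evaluation; on 'rotate', swap the virtual address from the pool."""
    decision, reasons = evaluate_drivers(term, s, now)
    record = {"terminal": term.name, "real_ip": term.real_ip, "decision": decision,
              "old": term.virtual_ip, "new": term.virtual_ip, "reasons": reasons}
    if decision == "rotate":
        old = term.virtual_ip
        term.virtual_ip = pool.acquire()    # take the new address before releasing the old
        pool.release(old)
        term.last_rotation = now
        record["new"] = term.virtual_ip
    return record


def run_scenario() -> List[Dict]:
    """Constructed scenario: two terminals, a security event, an overloaded terminal, a routine rotation."""
    pool = VirtualAddressPool(free=["10.200.0.12", "10.200.0.13"], in_use={"10.200.0.11", "10.200.0.21"})
    ws01 = Terminal("ws-01", "192.168.1.10", "10.200.0.11", last_rotation=0.0)
    ws02 = Terminal("ws-02", "192.168.1.11", "10.200.0.21", last_rotation=0.0)
    return [
        dynamic_ip_update(ws01, Sample(failed_logins=7, cpu_load=0.95), pool, now=100.0),   # event wins over load
        dynamic_ip_update(ws02, Sample(cpu_load=0.90), pool, now=4000.0),                   # due, but overloaded
        dynamic_ip_update(ws02, Sample(cpu_load=0.10), pool, now=4100.0),                   # due, load dropped
        dynamic_ip_update(ws01, Sample(), pool, now=200.0),                                 # nothing due
    ]


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
```

A security event rotates the address regardless of load, while a routine time-driven rotation is deferred while the terminal is busy, so a loaded terminal is not disrupted for no security reason; the real IP stays in the configuration record, which keeps the mapping between real and virtual addresses auditable.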
And calculating the node security impact score of each monitoring point from the monitoring data set, and generating a node security impact score calculation result.
Node security impact score calculation is performed for each monitoring point according to the monitoring data set, and a node security impact score calculation result is generated.
Further, calculating the node security impact score of each monitoring point from the monitoring data set and generating the node security impact score calculation result further comprises:
The node security impact score calculation formula is configured with the following quantities:
K_i denotes the node security impact score calculation result of the i-th monitoring point; M_i is the total number of events at the i-th monitoring point; S_ip is the severity score of the p-th event at the i-th monitoring point; F_ip is the occurrence frequency of the p-th event at the i-th monitoring point; R_ip is the response speed of the p-th event at the i-th monitoring point; and A_ip is the adaptability of the p-th event at the i-th monitoring point.
Preferably, the node security impact score is calculated according to this formula, where K_i represents the node security impact score calculation result of the i-th monitoring point, a higher K_i representing a worse security condition of that monitoring point; M_i represents the total number of events at the i-th monitoring point and can be counted from the monitoring data set; S_ip is the severity score of the p-th event at the i-th monitoring point, determined according to the organization's security policy and historical experience, for example 1 (low), 2 (medium) or 3 (high); F_ip is the occurrence frequency of the p-th event at the i-th monitoring point, quantified by counting how often the event occurs within a suitable period (such as a day, a week or a month); R_ip is the response speed of the p-th event at the i-th monitoring point, defined as the time from detection of the event to the start of effective response measures; and A_ip is the adaptability of the p-th event at the i-th monitoring point, expressing how well the event matches the organization's security policy or a known security vulnerability, for example high when the event matches a known vulnerability and low otherwise.
And performing abnormal event association evaluation on all monitoring points, performing an impact calculation on the node security impact score calculation results based on the association evaluation result, and generating a comprehensive security impact score.
Abnormal event data of all monitoring points, including timestamps, event types, source IPs and destination IPs, are obtained, and the association relationships of abnormal events between different monitoring points are analysed using association rule learning, graph theory, time series analysis and similar methods, covering co-occurring events, temporal correlation and spatial proximity. Based on the association analysis result, an abnormal event association network between the monitoring points is constructed, in which the nodes represent the monitoring points and the edges represent the association relationships between them. Each association relationship is assigned an association strength value based on factors such as the co-occurrence frequency, the time interval and the transmission path of the events, quantifying the degree of association of abnormal events between different monitoring points. Based on this association evaluation result, an impact calculation is performed on the node security impact score calculation results to generate a comprehensive security impact score.
Further, generating the comprehensive security impact score further comprises:
The comprehensive security impact score is calculated by a formula with the following quantities:
K is the comprehensive security impact score; N is the total number of monitoring points; W_i represents the importance of the i-th monitoring point; K_i and K_j are the node security impact score calculation results of the i-th and j-th monitoring points; C_ij represents the mutual impact coefficient of the i-th and j-th monitoring points; and a normalization factor normalizes the security impact score calculation results of all monitoring points.
Preferably, the comprehensive security impact score K is calculated according to this formula and reflects the security condition of the whole network; N is the total number of monitoring points; W_i represents the importance of the i-th monitoring point and reflects how critical that monitoring point is in the network; K_i and K_j are the node security impact score calculation results of the i-th and j-th monitoring points; C_ij represents the mutual impact coefficient of the i-th and j-th monitoring points and reflects the degree of association between the two; and the normalization factor normalizes the security impact score calculation results of all monitoring points, where m and l index any two monitoring points.
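The association evaluation and the comprehensive score of the two passages above, as an added example in Python that is not part of the patent. The patent defines the symbols K, N, W_i, K_i, K_j, C_ij and a normalization factor, but its formula is not reproduced on this page, so the co-occurrence measure used for C_ij, the cap at 1, and the aggregation (importance-weighted node scores plus a normalized pairwise cross-impact term) are assumptions chosen to be consistent with those symbol definitions. The event records and the per-node scores are constructed.

```python
"""Abnormal-event association between monitoring points and a comprehensive score.

Added example, not the patent's code. The co-occurrence measure for C_ij and
the aggregation into K are assumptions consistent with the symbols the patent
defines; the event records, node scores and importance weights are constructed.
"""
from collections import defaultdict
from itertools import combinations
from math import sqrt

# Constructed abnormal-event records: (timestamp_s, monitoring_point, event_type, src_ip, dst_ip)
EVENTS = [
    (1000,  "mp1", "port_scan",     "10.0.5.7",  "10.0.1.10"),
    (1012,  "mp2", "failed_login",  "10.0.5.7",  "10.0.2.20"),
    (1020,  "mp1", "port_scan",     "10.0.5.7",  "10.0.1.11"),
    (1031,  "mp3", "priv_escalate", "10.0.2.20", "10.0.3.30"),   # src is mp2's target: a transmission path
    (5000,  "mp2", "failed_login",  "10.0.9.9",  "10.0.2.20"),
    (7000,  "mp1", "port_scan",     "10.0.8.8",  "10.0.1.12"),
    (9000,  "mp3", "config_change", "10.0.3.30", "10.0.3.30"),
    (20000, "mp4", "usb_insert",    "10.0.4.40", "10.0.4.40"),   # isolated point, associates with nobody
]
WINDOW_S = 60   # two events this close in time are treated as co-occurring (assumed)


def association_matrix(events, window=WINDOW_S):
    """C_ij in [0, 1] for every ordered pair of distinct monitoring points.

    Co-occurrence: pairs of events at different points within `window` seconds.
    A pair joined by a transmission path (dst of one == src of the other) weighs 2.
    The summed weight is normalised by sqrt(n_i * n_j), the event counts of the two
    points, and capped at 1 (assumed quantification of the association strength).
    """
    n = defaultdict(int)
    for _, mp, *_ in events:
        n[mp] += 1
    co = defaultdict(float)
    for a, b in combinations(sorted(events), 2):    # sorted by time, so b is not earlier than a
        ta, pa, _, sa, da = a
        tb, pb, _, sb, db = b
        if pa == pb or tb - ta > window:
            continue
        co[frozenset((pa, pb))] += 2.0 if (da == sb or db == sa) else 1.0
    C = {}
    for i, j in combinations(sorted(n), 2):
        cij = min(1.0, co.get(frozenset((i, j)), 0.0) / sqrt(n[i] * n[j]))
        C[(i, j)] = C[(j, i)] = cij
    return C


def comprehensive_score(node_scores, importance, C):
    """K = sum_i W_i*K_i + sum_{i<j} C_ij*K_i*K_j / norm  (assumed aggregation).

    norm = max over pairs (m, l) of K_m*K_l, so every cross term lies in [0, 1];
    this is an assumed reading of the normalisation factor the text mentions.
    Returns (K, direct_term, cross_term).
    """
    points = sorted(node_scores)
    direct = sum(importance[p] * node_scores[p] for p in points)
    pairs = list(combinations(points, 2))
    norm = max((node_scores[m] * node_scores[l] for m, l in pairs), default=0.0) or 1.0
    cross = sum(C.get((i, j), 0.0) * node_scores[i] * node_scores[j] / norm for i, j in pairs)
    return direct + cross, direct, cross


# Constructed per-node results K_i (output of the previous step) and importance weights W_i
NODE_SCORES = {"mp1": 6.0, "mp2": 4.0, "mp3": 9.0, "mp4": 1.0}
IMPORTANCE = {"mp1": 0.3, "mp2": 0.2, "mp3": 0.4, "mp4": 0.1}

if __name__ == "__main__":
    C = association_matrix(EVENTS)
    K, direct, cross = comprehensive_score(NODE_SCORES, IMPORTANCE, C)
    print({k: round(v, 3) for k, v in C.items() if k[0] < k[1]})
    print(f"K={K:.3f} (direct {direct:.3f}, cross-impact {cross:.3f})")
```

With the constructed events, mp2 and mp3 reach C = 1.0 because their single co-occurrence is also a transmission path (the failed login's target is the source of the privilege escalation), while mp4, whose only event is hours away from everything else, contributes nothing beyond its own weighted score.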
And performing network security processing according to the comprehensive security impact score and the dynamic IP update result.
The security condition of the current network is evaluated according to the comprehensive security impact score. A security impact score threshold can be set, and when the score exceeds it the corresponding security response mechanism is triggered. According to the dynamic IP update result, the access pattern, traffic characteristics and so on of each IP address are analysed to identify abnormal behaviour, the potential network security risk is evaluated on the basis of this behaviour analysis, and network security treatment is applied to IP addresses with a high comprehensive security impact score or abnormal behaviour, for example isolation measures such as blocking the IP or limiting its access.
Further, the network security processing according to the comprehensive security impact score and the dynamic IP updating result further includes:
The scoring early warning grade of the comprehensive security influence score is obtained, the adaptation evaluation is updated according to the scoring early warning grade and the dynamic IP updating result, and the network security abnormality is reported based on the adaptation evaluation result.
Preferably, different early-warning grades are defined by ranges of the comprehensive security impact score, such as secure (low score), general risk (medium score), high risk (high score) and emergency risk (extremely high score), and a score threshold is set for each grade; the calculated comprehensive security impact score is compared with the thresholds to determine the current scoring early-warning grade. The update records of the dynamic IP are checked for abnormal updates (such as unauthorized IP changes or frequent IP changes), and the dynamic IP update result is combined with the scoring early-warning grade to evaluate the current network state; for example, if the grade is high risk or emergency risk and the dynamic IP update result also shows an abnormality, a more urgent response is likely to be needed. According to this updated adaptation evaluation result, the specific type of network security abnormality (such as an IP address conflict, unauthorized access or potential data leakage) is determined, and an alarm is generated for that type, including the details of the abnormality, its possible impact range and suggested countermeasures.
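The grading and adaptation evaluation just described, as an added Python example that is not part of the patent. The grade thresholds, the definition of a "frequent" update (more than three per terminal in any sliding hour), the definition of an "unauthorized" update (a change not issued by the updating module) and the sample update log are assumptions.

```python
"""Early-warning grade of the comprehensive score combined with dynamic-IP update checks.

Added example, not the patent's code. The grade thresholds, what counts as a
'frequent' or 'unauthorized' update, and the sample update log are assumptions.
"""
from collections import defaultdict

# (lower bound of the comprehensive score K, grade), checked from the highest down (assumed)
GRADES = [(12.0, "emergency risk"), (8.0, "high risk"), (4.0, "general risk"), (0.0, "secure")]
MAX_UPDATES_PER_HOUR = 3    # more dynamic IP updates than this within an hour is 'frequent' (assumed)


def grade_for(score):
    """Map a comprehensive security impact score K to its scoring early-warning grade."""
    for bound, name in GRADES:
        if score >= bound:
            return name
    return GRADES[-1][1]


# Constructed dynamic IP update log:
# (timestamp_s, terminal, old_virtual_ip, new_virtual_ip, issued_by_updating_module)
UPDATES = [
    (3600, "ws-01", "10.200.0.11", "10.200.0.12", True),
    (3700, "ws-01", "10.200.0.12", "10.200.0.13", True),
    (3800, "ws-01", "10.200.0.13", "10.200.0.14", True),
    (3900, "ws-01", "10.200.0.14", "10.200.0.15", True),
    (4000, "ws-02", "10.200.0.21", "10.200.0.99", False),   # address changed outside the updating module
    (7200, "ws-03", "10.200.0.31", "10.200.0.32", True),
]


def check_ip_updates(records, max_per_hour=MAX_UPDATES_PER_HOUR):
    """Return anomalies: unauthorized changes, and terminals exceeding the per-hour update rate."""
    anomalies = []
    stamps = defaultdict(list)
    for ts, term, old, new, authorized in records:
        if not authorized:
            anomalies.append(("unauthorized_ip_change", term, old, new))
        stamps[term].append(ts)
    for term, ts_list in stamps.items():
        ts_list.sort()
        for k, start in enumerate(ts_list):                 # sliding one-hour window from each update
            count = sum(1 for t in ts_list[k:] if t - start <= 3600)
            if count > max_per_hour:
                anomalies.append(("frequent_ip_change", term, count))
                break
    return anomalies


def adaptation_evaluation(score, records):
    """Combine the grade with the update anomalies into a report for alarm generation."""
    grade = grade_for(score)
    anomalies = check_ip_updates(records)
    suggestions = []
    for a in anomalies:
        if a[0] == "unauthorized_ip_change":
            suggestions.append(f"isolate {a[1]}: virtual IP changed outside the updating module ({a[2]} -> {a[3]})")
        else:
            suggestions.append(f"review {a[1]}: {a[2]} IP changes within one hour")
    return {
        "grade": grade,
        "anomalies": anomalies,
        # a high or emergency grade together with abnormal updates calls for an urgent response
        "urgent": grade in ("high risk", "emergency risk") and bool(anomalies),
        "suggested": suggestions,
    }


if __name__ == "__main__":
    print(adaptation_evaluation(8.146, UPDATES))
```

The unauthorized change is the more important signal: a virtual address that moved without the updating module issuing the change means either a misconfigured terminal or something impersonating the dynamic conversion unit, which is why the suggestion for it is isolation rather than review.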
Further, the method further comprises:
The method comprises the steps of judging whether the scoring early warning level meets a preset level threshold, generating a dynamic topology conversion instruction if the scoring early warning level meets the preset level threshold, controlling a network terminal to perform physical structure conversion according to the dynamic topology conversion instruction, and performing network security processing based on a physical structure conversion result.
Preferably, the scoring early-warning grade of the comprehensive security impact score is obtained and compared with the preset grade threshold. If the grade meets or exceeds the threshold, one or more dynamic topology transformation instructions are generated; these describe how to adjust the network structure so as to reduce the security risk, and may include operations such as disconnecting certain connections, rerouting traffic and enabling or disabling certain devices. The generated instructions are sent to the network terminals, and after a network terminal (such as a router, switch or firewall) receives them it executes the corresponding physical structure transformation, including changing connections, configuring routing tables and updating security policies.
Further, the method further comprises:
Establishing a historical connection database of the network terminal, performing connection analysis of the historical connection database, establishing connection association coefficients, matching connection random numbers according to the connection association coefficients, performing physical structure transformation selection of the network terminal based on the connection random numbers, and establishing a physical structure transformation result.
Preferably, the method comprises: obtaining historical connection data of the network terminals (such as routers, switches and servers), including the start time, end time, source address, destination address and protocol of each connection, and storing it in a database to form the historical connection database of the network terminals; analysing the historical connection data to identify frequent, abnormal and critical connections, and connection patterns such as devices that communicate with each other often and the time periods in which connections are most frequent; defining, from the connection analysis results, an association coefficient for the connection between each pair of network terminals, the association coefficient representing the connection frequency, importance, risk level and the like between the two devices, and calculating it with a suitable algorithm (such as machine learning or graph theory), for example from the number of connections, the connection durations and the amount of data transmitted between the two devices; generating a connection random number for each network terminal, ensuring that each device has a unique random number, and mapping the random numbers to the connection association coefficients in a relationship table; and selecting the physical structure transformation from that table: where the random numbers and association coefficient of two devices match, the physical connection between the two devices is configured, changed or deleted according to the selected transformation structure, the physical structure transformation is performed, and the physical structure transformation result is established.
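As an added example of the connection analysis step described above (this is not code from the patent): it aggregates a constructed historical connection database per device pair, derives an association coefficient from connection count, total duration and transferred bytes, labels frequent and critical connections, and finds the hour in which connections are most frequent. The weighted, max-normalised coefficient form, its weights and the frequent/critical thresholds are assumptions.

```python
"""Connection association coefficients from a historical connection database.

Added example, not code from the patent. The coefficient form (weighted,
max-normalised count / duration / bytes), its weights and the frequent /
critical thresholds are assumptions; the connection records are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Connection:
    start: datetime
    end: datetime
    src: str
    dst: str
    protocol: str
    bytes_sent: int


def _c(start, end, src, dst, proto, nbytes):
    """Helper for compact constructed rows."""
    return Connection(datetime.fromisoformat(start), datetime.fromisoformat(end),
                      src, dst, proto, nbytes)


# Constructed historical connection database (one row per connection).
HISTORY = [
    _c("2024-07-01T09:00", "2024-07-01T09:30", "router-a", "server-1", "tcp", 5_000_000),
    _c("2024-07-01T09:10", "2024-07-01T09:40", "router-a", "server-1", "tcp", 5_000_000),
    _c("2024-07-01T14:00", "2024-07-01T14:10", "server-1", "router-a", "tcp", 1_000_000),
    _c("2024-07-01T09:05", "2024-07-01T09:10", "switch-b", "server-1", "udp", 200_000),
    _c("2024-07-01T22:00", "2024-07-01T22:10", "switch-b", "server-2", "tcp", 2_000_000),
    _c("2024-07-01T22:30", "2024-07-01T22:40", "switch-b", "server-2", "tcp", 2_000_000),
]
WEIGHTS = {"count": 0.4, "duration": 0.3, "bytes": 0.3}   # assumed weights
FREQUENT, CRITICAL = 0.4, 0.8                             # assumed thresholds


def pair(a, b):
    """The association is between two devices regardless of which one initiated."""
    return tuple(sorted((a, b)))


def aggregate(history):
    """Per device pair: number of connections, total seconds, total bytes."""
    agg = defaultdict(lambda: {"count": 0, "duration": 0.0, "bytes": 0})
    for c in history:
        a = agg[pair(c.src, c.dst)]
        a["count"] += 1
        a["duration"] += (c.end - c.start).total_seconds()
        a["bytes"] += c.bytes_sent
    return agg


def association_coefficients(history):
    """Coefficient in [0, 1]: each measure divided by its maximum over all pairs, then weighted."""
    agg = aggregate(history)
    maxes = {m: max((a[m] for a in agg.values()), default=1) or 1 for m in WEIGHTS}
    return {p: round(sum(WEIGHTS[m] * a[m] / maxes[m] for m in WEIGHTS), 4)
            for p, a in agg.items()}


def classify(coeff):
    """Label each pair per the assumed thresholds: critical, frequent or low."""
    return {p: "critical" if v >= CRITICAL else "frequent" if v >= FREQUENT else "low"
            for p, v in coeff.items()}


def busiest_hour(history):
    """Hour of day in which most connections start, as (hour, count)."""
    return Counter(c.start.hour for c in history).most_common(1)[0]
```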
Further, the method further comprises:
The method comprises the steps of obtaining a historical data set of a user, extracting user behavior characteristics under multiple scales according to the historical data set, establishing a multi-scale characteristic extraction result, carrying out behavior authentication on the user data set through the multi-scale characteristic extraction result, establishing an additional abnormal value based on the behavior authentication result, and updating a comprehensive security influence score through the additional abnormal value.
Preferably, the historical data set of a user is obtained from a database and comprises the user's login records, operation records, access records and the like. Several different time or space scales are determined, such as minutes, hours, days and weeks, and the user's historical data set is analysed at each of these levels of behaviour: under each scale, features related to behaviour are extracted from the historical data set, including the user's login frequency, access pattern, operation type and abnormal behaviour. The feature extraction results of all scales are integrated, and a scale trust identification is attached to the result of each scale according to the reliability and importance of that scale, forming a multi-scale feature set, namely the multi-scale feature extraction result. A normal behaviour model of the user is constructed from the multi-scale feature extraction result; this model reflects the user's typical behaviour patterns under the different scales. The user's real-time behaviour is compared with the normal behaviour model and the degree of deviation is evaluated; if the real-time behaviour deviates from the model by more than the model allows, abnormal behaviour possibly exists. Based on this behaviour authentication result, an additional abnormal value is calculated for the user, with the contributions of the different scales weighted according to their scale trust identification, and the comprehensive security impact score is updated with the additional abnormal value.
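An added example of the multi-scale behaviour authentication just described (not the patent's own code): constructed login/access/operation records are bucketed at hour and day scales, a per-feature mean serves as the normal behaviour model, each scale's relative deviation is weighted by an assumed scale trust value, and the weighted sum becomes the additional abnormal value folded into the comprehensive security impact score. The deviation measure, the trust weights, the additive update and the 0.5 threshold are assumptions.

```python
"""Multi-scale user behaviour authentication with scale trust weights.

Added example, not code from the patent. Assumptions: only the hour and day
scales are used; idle windows are skipped; the deviation measure is the
relative deviation |x - mean| / max(mean, 1); the additional abnormal value is
added to the comprehensive score. All event records are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Scale name -> window length in seconds (subset of the patent's minute/hour/day/week scales).
SCALES = {"hour": 3600, "day": 86400}
# Scale trust identification: assumed reliability/importance weight of each scale.
SCALE_TRUST = {"hour": 0.4, "day": 0.6}
FEATURES = ("login", "access", "operation")
ABNORMAL_THRESHOLD = 0.5   # assumed cut-off for "abnormal behaviour possibly exists"


def _ev(ts, kind):
    """Helper: (UTC timestamp, event kind) for constructed records."""
    return (datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), kind)


# Constructed historical records for one user (login / access / operation).
HISTORY = [
    _ev("2024-07-01T09:00", "login"), _ev("2024-07-01T09:05", "access"),
    _ev("2024-07-01T09:20", "access"), _ev("2024-07-01T09:40", "operation"),
    _ev("2024-07-01T14:00", "login"), _ev("2024-07-01T14:10", "access"),
    _ev("2024-07-02T09:00", "login"), _ev("2024-07-02T09:10", "access"),
    _ev("2024-07-02T09:30", "operation"), _ev("2024-07-02T14:00", "login"),
    _ev("2024-07-02T14:05", "access"), _ev("2024-07-02T14:30", "access"),
]
# Constructed live windows: one matching the model, one burst of activity at 03:00.
NORMAL_WINDOW = [
    _ev("2024-07-03T09:00", "login"), _ev("2024-07-03T09:10", "access"),
    _ev("2024-07-03T09:30", "operation"), _ev("2024-07-03T14:00", "login"),
    _ev("2024-07-03T14:05", "access"),
]
SUSPECT_WINDOW = ([_ev("2024-07-04T03:00", "login")]
                  + [_ev(f"2024-07-04T03:0{i}", "access") for i in range(1, 5)]
                  + [_ev(f"2024-07-04T03:0{i}", "operation") for i in range(5, 8)])


def extract_features(events, scale):
    """Count each event kind per window of the given scale; idle windows are omitted."""
    width = SCALES[scale]
    buckets = defaultdict(lambda: {f: 0 for f in FEATURES})
    for ts, kind in events:
        buckets[int(ts.timestamp()) // width][kind] += 1
    return list(buckets.values())


def build_model(history):
    """Normal behaviour model: per scale, the mean of every feature over the history windows."""
    return {s: {f: mean(b[f] for b in extract_features(history, s)) for f in FEATURES}
            for s in SCALES}


def scale_deviation(window_feats, model_s):
    """Largest per-window mean relative deviation from the model at one scale."""
    return max(mean(abs(b[f] - model_s[f]) / max(model_s[f], 1.0) for f in FEATURES)
               for b in window_feats)


def authenticate(model, live_events):
    """Trust-weighted deviation across scales -> (additional abnormal value, abnormal flag)."""
    extra = sum(SCALE_TRUST[s] * scale_deviation(extract_features(live_events, s), model[s])
                for s in SCALES)
    return round(extra, 4), extra > ABNORMAL_THRESHOLD


def update_comprehensive_score(k, extra):
    """Fold the additional abnormal value into the comprehensive security impact score K."""
    return round(k + extra, 4)
```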
In summary, the embodiment of the application has at least the following technical effects:
Firstly, configuration management of the network terminals in the intranet is executed, the configuration management comprising real IP addresses, external network access IP addresses and the virtual address management of the dynamic conversion unit, and terminal monitoring of the network terminals is carried out based on the configuration management result to establish a monitoring data set comprising a device data set and a user data set. Then a driving network is established, comprising a time-driven sub-network, an event-driven sub-network and a load-driven sub-network; the monitoring data set and time information are input into the driving network to execute driving evaluation, a virtual address is called based on the driving evaluation result, and dynamic IP updating of the network terminal is executed. The node security impact score of each monitoring point is calculated from the monitoring data set, generating the node security impact score calculation result. Abnormal event association evaluation is then carried out on all monitoring points, impact calculation is performed on the node security impact score calculation results based on the association evaluation result, and a comprehensive security impact score is generated. Finally, network security processing is carried out according to the comprehensive security impact score and the dynamic IP updating result. This solves the technical problem that, under traditional static IP address management, network risk identification is inaccurate and protection is not timely, and achieves the technical effect of improving network security protection capability through dynamic, real-time network security processing.
In the second embodiment, based on the same inventive concept as the network security processing method based on the dynamic network in the foregoing embodiment, as shown in fig. 2, the present application provides a network security processing system based on the dynamic network, and the system and method embodiments in the embodiments of the present application are based on the same inventive concept. Wherein, the system includes:
The system comprises a configuration management module 11, a monitoring module 12, an updating module 13, a first calculation module 14, a second calculation module 15 and a processing module 16. The configuration management module 11 is used for executing configuration management of the network terminals in the intranet, the configuration management comprising real IP addresses, external network access IP addresses and the virtual address management of the dynamic conversion unit. The monitoring module 12 is used for performing terminal monitoring of the network terminals based on the configuration management result and establishing a monitoring data set, the monitoring data set comprising a device data set and a user data set. The updating module 13 is used for establishing a driving network comprising a time-driven sub-network, an event-driven sub-network and a load-driven sub-network, inputting the monitoring data set and time information into the driving network to execute driving evaluation, and calling the virtual address based on the driving evaluation result to execute dynamic IP updating of the network terminals. The first calculation module 14 is used for calculating the node security impact score of each monitoring point through the monitoring data set and generating the node security impact score calculation results. The second calculation module 15 is used for carrying out abnormal event association evaluation on all monitoring points, performing impact calculation on the node security impact score calculation results based on the association evaluation result, and generating the comprehensive security impact score. The processing module 16 is used for carrying out network security processing according to the comprehensive security impact score and the dynamic IP updating result.
Further, the first computing module 14 is configured to perform the following method:
The node security impact score calculation formula is configured as follows: K_i represents the node security impact score calculation result of the i-th monitoring point, M_i is the total number of events at the i-th monitoring point, S_ip is the severity score of the p-th event at the i-th monitoring point, F_ip is the occurrence frequency of the p-th event at the i-th monitoring point, R_ip is the response speed of the p-th event at the i-th monitoring point, and A_ip is the adaptability of the p-th event at the i-th monitoring point.
Further, the second computing module 15 is configured to perform the following method:
Calculating a comprehensive safety impact score by the formula:
where K is the comprehensive security impact score, N is the total number of monitoring points, W_i represents the importance of the i-th monitoring point, K_i is the node security impact score calculation result of the i-th monitoring point, K_j is the node security impact score calculation result of the j-th monitoring point, C_ij represents the mutual impact coefficient of the i-th and j-th monitoring points, and the normalization factor normalizes the security impact score calculation results of all monitoring points.
Further, the processing module 16 is configured to perform the following method:
The scoring early warning grade of the comprehensive security influence score is obtained, the adaptation evaluation is updated according to the scoring early warning grade and the dynamic IP updating result, and the network security abnormality is reported based on the adaptation evaluation result.
Further, the processing module 16 is configured to perform the following method:
The method comprises the steps of judging whether the scoring early warning level meets a preset level threshold, generating a dynamic topology conversion instruction if the scoring early warning level meets the preset level threshold, controlling a network terminal to perform physical structure conversion according to the dynamic topology conversion instruction, and performing network security processing based on a physical structure conversion result.
Further, the processing module 16 is configured to perform the following method:
Establishing a historical connection database of the network terminal, performing connection analysis of the historical connection database, establishing connection association coefficients, matching connection random numbers according to the connection association coefficients, performing physical structure transformation selection of the network terminal based on the connection random numbers, and establishing a physical structure transformation result.
Further, the processing module 16 is configured to perform the following method:
The method comprises the steps of obtaining a historical data set of a user, extracting user behavior characteristics under multiple scales according to the historical data set, establishing a multi-scale characteristic extraction result, carrying out behavior authentication on the user data set through the multi-scale characteristic extraction result, establishing an additional abnormal value based on the behavior authentication result, and updating a comprehensive security influence score through the additional abnormal value.
It should be noted that the sequence of the embodiments of the present application is only for description, and does not represent the advantages and disadvantages of the embodiments. And the foregoing description has been directed to specific embodiments of this specification. The processes depicted in the accompanying drawings do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The foregoing description of the preferred embodiments of the application is not intended to limit the application to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the application are intended to be included within the scope of the application.
The specification and figures are merely exemplary illustrations of the present application and are considered to cover any and all modifications, variations, combinations, or equivalents that fall within the scope of the application. It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the scope of the application. Thus, the present application is intended to include such modifications and alterations insofar as they come within the scope of the application or the equivalents thereof.

Claims (8)

1. A network security processing method based on a dynamic network, characterized in that the method comprises: performing configuration management of network terminals in an intranet, the configuration management including real IP addresses, external network access IP addresses and the virtual addresses of a dynamic conversion unit; performing terminal monitoring of the network terminals based on the configuration management result and establishing a monitoring data set, the monitoring data set including a device data set and a user data set; establishing a driving network comprising a time-driven sub-network, an event-driven sub-network and a load-driven sub-network, inputting the monitoring data set and time information into the driving network to perform driving evaluation, calling the virtual address based on the driving evaluation result, and performing dynamic IP update of the network terminal; calculating the node security impact score of each monitoring point through the monitoring data set to generate a node security impact score calculation result; performing abnormal event correlation evaluation on all monitoring points, performing impact calculation on the node security impact score calculation results based on the correlation evaluation result, and generating a comprehensive security impact score; and performing network security processing according to the comprehensive security impact score and the dynamic IP update result.

2. The network security processing method based on a dynamic network according to claim 1, characterized in that calculating the node security impact score of each monitoring point through the monitoring data set to generate the node security impact score calculation result further comprises configuring the node security impact score calculation formula as follows: K_i represents the node security impact score calculation result of the i-th monitoring point, M_i is the total number of events at the i-th monitoring point, S_ip is the severity score of the p-th event at the i-th monitoring point, F_ip is the occurrence frequency of the p-th event at the i-th monitoring point, R_ip is the response speed of the p-th event at the i-th monitoring point, and A_ip is the fitness of the p-th event at the i-th monitoring point, the fitness being quantifiable as the degree to which the event matches the current security policy, environment or configuration.

3. The network security processing method based on a dynamic network according to claim 2, characterized in that generating the comprehensive security impact score further comprises calculating the comprehensive security impact score by the formula: K is the comprehensive security impact score, N is the total number of monitoring points, W_i represents the importance of the i-th monitoring point, K_i is the node security impact score calculation result of the i-th monitoring point, K_j is the node security impact score calculation result of the j-th monitoring point, C_ij represents the mutual impact coefficient of the i-th and j-th monitoring points, K_i and K_j respectively representing the security impact scores of the two different monitoring points i and j, and the normalization factor is used to normalize the security impact score calculation results of all monitoring points.

4. The network security processing method based on a dynamic network according to claim 1, characterized in that performing network security processing according to the comprehensive security impact score and the dynamic IP update result further comprises: obtaining the score warning level of the comprehensive security impact score; performing update adaptation evaluation according to the score warning level and the dynamic IP update result; and reporting network security anomalies based on the adaptation evaluation result.

5. The network security processing method based on a dynamic network according to claim 4, characterized in that the method further comprises: determining whether the score warning level meets a preset level threshold; if the preset level threshold is met, generating a dynamic topology transformation instruction; and controlling the network terminal with the dynamic topology transformation instruction to perform physical structure transformation, and performing network security processing based on the physical structure transformation result.

6. The network security processing method based on a dynamic network according to claim 5, characterized in that the method further comprises: establishing a historical connection database of the network terminal, performing connection analysis on the historical connection database, and establishing connection association coefficients; and matching connection random numbers according to the connection association coefficients, performing physical structure transformation selection of the network terminal based on the connection random numbers, and establishing a physical structure transformation result.

7. The network security processing method based on a dynamic network according to claim 1, characterized in that the method further comprises: obtaining the user's historical data set; extracting user behaviour features at multiple scales according to the historical data set and establishing a multi-scale feature extraction result, the multi-scale feature extraction result carrying a scale trust identification; performing behaviour authentication of the user data set through the multi-scale feature extraction result and establishing an additional abnormal value based on the behaviour authentication result; and updating the comprehensive security impact score with the additional abnormal value.

8. A network security processing system based on a dynamic network, characterized in that it is used to implement the network security processing method based on a dynamic network according to any one of claims 1 to 7, the system comprising: a configuration management module, used to perform configuration management of network terminals in the intranet, the configuration management including real IP addresses, external network access IP addresses and the virtual addresses of a dynamic conversion unit; a monitoring module, used to perform terminal monitoring of the network terminals based on the configuration management result and establish a monitoring data set, the monitoring data set including a device data set and a user data set; an update module, used to establish a driving network comprising a time-driven sub-network, an event-driven sub-network and a load-driven sub-network, input the monitoring data set and time information into the driving network to perform driving evaluation, call the virtual address based on the driving evaluation result, and perform dynamic IP update of the network terminal; a first calculation module, used to calculate the node security impact score of each monitoring point through the monitoring data set and generate the node security impact score calculation result; a second calculation module, used to perform abnormal event correlation evaluation on all monitoring points, perform impact calculation on the node security impact score calculation results based on the correlation evaluation result, and generate a comprehensive security impact score; and a processing module, used to perform network security processing according to the comprehensive security impact score and the dynamic IP update result.
CN202411037888.6A 2024-07-31 2024-07-31 Network security processing method and system based on dynamic network Active CN119172100B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411037888.6A CN119172100B (en) 2024-07-31 2024-07-31 Network security processing method and system based on dynamic network

Publications (2)

Publication Number Publication Date
CN119172100A CN119172100A (en) 2024-12-20
CN119172100B true CN119172100B (en) 2025-04-29

Family

ID=93877528

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20250403

Address after: Room 1561, 1st Floor, Building 5, Courtyard A1, Banbidian, Haidian District, Beijing, 100000

Applicant after: Beijing Blue Ocean Jushi Technology Co.,Ltd.

Country or region after: China

Address before: Room 501, 5th Floor, Standard Factory Building No. 3, Industrial Park, No. 4 Keyuan Dongwu Road, Xixiangtang District, Nanning City, Guangxi Zhuang Autonomous Region 530000

Applicant before: Guangxi Ance Information Technology Co.,Ltd.

Country or region before: China

GR01 Patent grant