
CN119966659A - A multi-level dynamic network attack detection and response method - Google Patents

A multi-level dynamic network attack detection and response method

Info

Publication number
CN119966659A
Authority
CN
China
Prior art keywords
behavior
network
level
score
risk
Prior art date
Legal status
Pending
Application number
CN202411924855.3A
Other languages
Chinese (zh)
Inventor
杨贻宏
Current Assignee
Shanghai Artificial Intelligence Network System Engineering Technology Research Center Co ltd
Original Assignee
Shanghai Artificial Intelligence Network System Engineering Technology Research Center Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Artificial Intelligence Network System Engineering Technology Research Center Co ltd
Priority to CN202411924855.3A
Publication of CN119966659A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses a multi-level dynamic network attack detection and response method, which includes S1: monitoring abnormal patterns in network traffic through an intrusion detection system to identify potential attacks, S2: using a machine learning algorithm to analyze the behavior of users and devices to discover activities that deviate from a normal baseline, S3: evaluating network risks based on the intrusion detection results and the results of the behavior analysis, and formulating corresponding strategies, S4: dynamically adjusting firewall rules and network security device configurations to block confirmed threats. The multi-level dynamic network attack detection and response method realizes the organic integration of various detection technologies, can more efficiently and accurately identify potential threats in complex attack chains, and realizes automatic adjustment of defense strategies, so that the system can respond in real time according to changes in attacks, improves the agility of the overall defense architecture, and makes the linkage response between levels more efficient.

Description

Multi-level dynamic network attack detection and response method
Technical Field
The invention relates to the technical field of information security, in particular to a multi-level dynamic network attack detection and response method.
Background
In the field of modern network security defense, a multi-level dynamic network attack detection and response method is a widely applied technical means that aims to improve the detection capability and response efficiency against complex attacks. Existing cyber-attack detection techniques typically include signature-based Intrusion Detection Systems (IDS), which identify threats by matching the features of known attack patterns, and behavior-analysis-based detection systems, which discover potential attacks by analyzing deviations in the behavior of the system or user. However, in the face of complex and varied attack chains, detection that relies on only a single technology has proved difficult to cope effectively.
Signature-based detection methods have higher accuracy against known attacks but are not sufficiently capable against unknown threats or zero-day attacks. Behavior-analysis detection based on machine learning can adapt to novel attacks, but it suffers from a high false alarm rate and from complex model training and updating. In addition, how to organically integrate different detection technologies so that they cooperate across multi-level, multi-dimensional protection and form a synergistic effect remains one of the difficulties of the current technology. Existing multi-level detection systems also face other challenges in implementation, such as cross-system interoperability. The data sharing mechanism among different security systems is not mature enough, so detection and response measures cannot be performed in a linked manner across multiple levels. Meanwhile, existing systems lack a flexible response capability against a dynamic attack chain and cannot adjust the defense strategy in real time as the attack changes, which reduces the overall protection effect. Therefore, how to realize cross-platform data sharing and automatic response while improving the level of technical integration is a problem to be solved in the prior art.
Disclosure of Invention
The invention aims to provide a multi-level dynamic network attack detection and response method, which solves the problem of how to realize cross-platform data sharing and automatic response while improving the technical integration level.
In order to achieve the above purpose, the invention provides a multi-level dynamic network attack detection and response method, which comprises the following steps:
S1, monitoring an abnormal mode in network traffic through an intrusion detection system to identify potential attacks;
The step S1 comprises the steps of collecting an original data packet from a network interface, analyzing the data packet by using a deep packet inspection technology, extracting characteristics, analyzing the characteristics by using an anomaly detection algorithm and generating a security event record;
S2, analyzing the behaviors of the user and the equipment by using a machine learning algorithm to find activities deviating from a normal baseline;
The step S2 comprises the steps of executing feature engineering on operation data of a user to construct a user behavior model, utilizing historical normal behavior as a training data set to train a supervised learning model, comparing the difference between the current behavior of the user and expected behavior predicted by the model, and sending a deviation-from-normal-activity alarm when the comparison shows statistical significance;
S3, evaluating network risks based on the intrusion detection results and the behavior analysis results, and formulating corresponding strategies;
and S4, dynamically adjusting firewall rules and network security equipment configuration to block the confirmed threat.
Preferably, the step S3 includes:
synthesizing abnormal frequencies and potential influences thereof in the security event record;
Scoring the overall network health status in combination with deviation from normal activity alert conditions;
Automatically defining the emergency degree and the priority level through an expert rule system;
a list of policy suggestions is established for adjusting the guard settings.
Preferably, the step S4 includes:
updating, according to the policy suggestions, a blacklist library containing known threat feature signatures;
applying the configuration changes automatically to all applicable devices within the affected range;
verifying the validity and compatibility of the new rule by means of an automated test script;
and starting real-time log tracking to monitor the running state after the adjustment, with a rollback mechanism prepared.
Preferably, the step S3 further includes:
Acquiring alarm information of the intrusion detection system;
Analyzing the behavior records of the user and the equipment;
carrying out a quantitative risk assessment that combines the alarm information of the intrusion detection system with the behavior deviation records;
and setting a risk level and planning a corresponding scheme based on the risk quantification evaluation result.
Preferably, the quantitative risk assessment combining the alarm information of the intrusion detection system with the behavior deviation records includes:
converting the alarm information level into a numerical score representing its severity;
calculating the number of behavior deviations of the equipment or the user in a specific time period;
if the number of user behavior deviations multiplied by the weight factor, added to the alarm information score, is larger than the preset score, the user behavior is considered an obvious threat;
the scores correspond to different network risk levels, and the corresponding coping scheme design principles are determined.
Preferably, the step of considering the user behavior a significant threat when the number of deviations multiplied by the weight factor, added to the alarm information score, is greater than the preset score includes:
setting the corresponding score to A when the alarm information grade is the serious grade;
setting weight factors, assigning different values W according to the importance of the behavior;
calculating the number of deviations C of the user in the period T and converting it into a score F = C × W;
when the calculated total F + A exceeds the predefined threshold (F + A > T), determining that the network activity has a threat level.
Preferably, when the calculated total F + A exceeds the predefined threshold (F + A > T), determining that the network activity is likely to have a higher threat level further comprises:
checking whether F + A constantly maintains a high risk level within the time window T;
if S, the F value within T added to the A value, is greater than or equal to the safety boundary value, triggering an alarm;
adjusting the safety boundary regularly according to analysis of historical data;
and finally deciding, based on this judgment, to adopt a security policy to protect sensitive resources.
Preferably, the step of triggering an alarm specifically includes:
calculating whether the average S under historical statistics, compared with the current S, has continuously risen into a certain range;
if the rise proportion R of S exceeds the average proportion N plus the allowable fluctuation range V (R > N + V), the trend is identified as obvious;
when the above conditions are met, indicating that a new high-frequency, high-risk event may be occurring or imminent;
at this point emergency measures are enabled automatically and the level of protection is enhanced until the event is resolved and the safe and stable state is re-entered.
According to the technical scheme, the invention has the following beneficial effects:
According to the multi-level dynamic network attack detection and response method, an intrusion detection system monitors abnormal modes in network traffic to identify potential attacks, a machine learning algorithm analyzes the behaviors of users and devices to find activities deviating from a normal baseline, network risks are evaluated based on the intrusion detection results and behavior analysis results and corresponding strategies are formulated, and firewall rules and network security device configurations are dynamically adjusted to block confirmed threats. In this way the organic integration of various detection technologies is achieved, potential threats in complex attack chains can be identified more efficiently and accurately, defense strategies are adjusted automatically so that the system can respond in real time to changes in the attacks, the agility of the overall defense architecture is improved, linked response among layers is more efficient, the overall reliability and intelligence of the network security protection system are enhanced, and the problem of how to achieve cross-platform data sharing and automatic response while improving technical integration is solved.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, a multi-level dynamic network attack detection and response method includes:
S1, monitoring an abnormal mode in network traffic through an intrusion detection system to identify potential attacks;
S2, analyzing the behaviors of the user and the equipment by using a machine learning algorithm to find activities deviating from a normal baseline;
S3, evaluating network risks based on the intrusion detection results and the behavior analysis results, and formulating corresponding strategies;
and S4, dynamically adjusting firewall rules and network security equipment configuration to block the confirmed threat.
The present approach aims to address multi-dimensional and dynamic cyber-security threats by integrating multiple security mechanisms. The first step of the method is to continuously monitor the data flow inside the network by means of an Intrusion Detection System (IDS), monitoring and recording all data packet information entering the network by comparing it against preset rules or by analyzing abnormal behavior patterns. For example, the signatures of the intrusion detection system may be matched against the data flow into the internal system, and once data consistent with a known attack pattern is found, an alarm is generated and written to the IDS log for subsequent analysis. The second step, built on the first, executes detailed statistics and records of the behavior patterns of hosts, users and other entities in the network using host-based and network-based methods, and searches a massive database of normal activity patterns for trends consistent with malicious intent using techniques such as machine learning classification or clustering models. Specifically, a failed login by an administrator within their regular login hours is treated as an ordinary failed attempt and causes no warning; however, a brute-force attempt that submits a large number of wrong credentials during a period of inactivity or from a previously unseen terminal is automatically identified as abnormal, and the next action instruction is triggered. The third step, after the information at the two levels has been collected and identified, comprehensively and accurately evaluates and processes the obtained data, determines whether a potential risk is present and gives early warning to the administrator, and then designs and implements in advance a complete set of automated response schemes, which may involve notifying the IT support team to intervene or immediately enabling specific measures to cut off the network link.
For example, after a specific IP address is found to be subject to continuous scanning activity in an attempt to find potential vulnerabilities and conduct targeted attacks, existing protection rules can be quickly adjusted based on previously collected analysis results to mask the address from further compromising company resources and facilities security, and a fourth step is to make immediate adjustments and controls based on specific conclusions drawn from the previous three steps of analysis, implementing blocking measures for the identified hazard and keeping track of subsequent development until risk is resolved, while continuing to optimize the overall system protection strategy to improve efficiency and maintain flexibility.
Therefore, this novel framework, which integrates various means and can flexibly adjust and adapt to newly appearing threat characteristics, remedies the various defects of the traditional single-mode approach, effectively controls risks of different types and levels through a cross-layer linkage that forms a closed-loop mechanism, and reduces the possibility of damage to the stable operation of an enterprise network.
The specific steps of the present invention for monitoring abnormal patterns in network traffic to identify potential attacks by an intrusion detection system will be described, wherein first, raw data packets are collected from a network interface, which typically involves deploying one or more sensors on critical nodes of the network, such as routers, switches, or servers, to capture all incoming and outgoing traffic; in the process of acquisition, the integrity and the instantaneity of data are required to be ensured, and each data unit possibly carrying attack information is ensured to be captured;
A specific example is a hardware-based network probe deployed in an e-commerce company's data center, configured to monitor all data packets crossing the data center network edge in either direction; with such a setup all inbound or outbound HTTP(S) requests are captured for further analysis of whether malicious traffic is present, ensuring proper transaction procedures;
then analyzing the data packets by deep packet inspection and extracting features, that is, obtaining attributes such as the protocol and header field values of each packet by deeply analyzing the payload of the collected raw packets;
Specifically, the extracted feature list may reveal that non-standard HTTP connection requests are continuously initiated on a port (e.g., attempting to establish connections on 8889 instead of issuing Web requests on the default ports 80 or 443), and this anomaly may be a precursor of a DoS attack. At this stage it is also necessary to build a mathematical model to quantify the importance of each feature; common formulas can be introduced here, such as the information entropy H(X) = -Σ P(x) · log2(P(x)), where P(x) is the probability of observing the value x;
then the features are analyzed with an anomaly detection algorithm and a security event record is generated: an anomaly identification model computes a score for the extracted metadata, the data are fed into a model (such as a machine learning model or a rule engine), the gap between the currently collected data and the normal traffic model is judged against a pre-trained knowledge base, an alarm mechanism is triggered by setting a reasonable threshold condition, and a defense mechanism is started or an alarm message is sent to the manager to prompt the necessary measures to protect the network from damage.
Continuing with the example, during analysis it is found that the number of SYN connection requests sent from an IP address to a target machine per unit time far exceeds the historical average. An anomaly detection threshold (the alarm threshold line) is set, and when the observed value exceeds this predefined threshold an alarm signal is generated and recorded in the database of the intrusion detection system as evidence for the security team's investigation; in this example an algorithm, such as a type of supervised algorithm called an isolation forest, is used to judge whether the host is likely to be suffering a DDoS attack, providing timely information for the network security department to formulate targeted measures.
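As an added illustration of the S1 pipeline just described (collect packets, extract header and payload features including the information entropy H(X), score them with an anomaly model, emit security event records), the following Python example is not part of the patent; it works on a small set of constructed packet records and uses a rule engine as the anomaly model, with the baseline SYN rate, the multiplier and the entropy cut-off as assumed parameter values rather than values given in the text.

```python
import math
from collections import Counter, defaultdict

# Constructed sample packets for this example (not captured traffic):
# (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags, payload_bytes)
PACKETS = (
    # ordinary client: three SYNs to HTTPS over three seconds, then TLS data
    [(float(i), "10.0.0.5", "192.0.2.10", 443, "S", b"") for i in range(3)]
    + [(1.5, "10.0.0.5", "192.0.2.10", 443, "PA", b"\x16\x03\x01")]
    # host sending a plain HTTP request on a non-standard port (the text's 8889 example)
    + [(2.0, "10.0.0.7", "192.0.2.11", 8889, "PA", b"GET /admin HTTP/1.1\r\n")]
    # port-scanning host: one SYN to each of 16 ports within 0.2 s
    + [(3.0 + i * 0.01, "198.51.100.4", "192.0.2.10", port, "S", b"")
       for i, port in enumerate(range(1, 17))]
    # SYN flooder: 60 SYNs to port 80 within one second
    + [(5.0 + i * 0.015, "203.0.113.9", "192.0.2.10", 80, "S", b"") for i in range(60)]
)

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")
STANDARD_HTTP_PORTS = {80, 443}


def entropy(values):
    """Shannon entropy H(X) = -sum P(x) * log2 P(x) over the observed values."""
    counts = Counter(values)
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def max_per_second(timestamps):
    """Largest number of events falling into any one-second bucket."""
    buckets = Counter(int(t) for t in timestamps)
    return max(buckets.values()) if buckets else 0


def extract_features(packets):
    """Per-source features from inspecting header fields and payload (the DPI step)."""
    by_src = defaultdict(list)
    for pkt in packets:
        by_src[pkt[1]].append(pkt)
    feats = {}
    for src, pkts in by_src.items():
        feats[src] = {
            "dst_port_entropy": entropy([p[3] for p in pkts]),
            "distinct_dst_ports": len({p[3] for p in pkts}),
            "max_syn_per_second": max_per_second(p[0] for p in pkts if p[4] == "S"),
            "nonstandard_http": sum(
                1 for p in pkts
                if p[5].startswith(HTTP_METHODS) and p[3] not in STANDARD_HTTP_PORTS),
        }
    return feats


def detect(features, baseline_syn_rate=5.0, syn_multiplier=5.0, scan_entropy=3.0):
    """Rule-engine anomaly model: features -> security event records (assumed thresholds)."""
    events = []
    for src, f in sorted(features.items()):
        if f["max_syn_per_second"] > baseline_syn_rate * syn_multiplier:
            events.append({"src": src, "type": "syn_flood", "severity": "high",
                           "evidence": f["max_syn_per_second"]})
        if f["dst_port_entropy"] >= scan_entropy and f["distinct_dst_ports"] >= 8:
            events.append({"src": src, "type": "port_scan", "severity": "medium",
                           "evidence": round(f["dst_port_entropy"], 3)})
        if f["nonstandard_http"]:
            events.append({"src": src, "type": "http_nonstandard_port", "severity": "low",
                           "evidence": f["nonstandard_http"]})
    return events


if __name__ == "__main__":
    for record in detect(extract_features(PACKETS)):
        print(record)
```

The port entropy illustrates why the text brings in H(X): a flooder hammering one port has entropy 0 while a scanner touching 16 distinct ports once each reaches log2(16) = 4, so the same feature separates the two behaviours that a raw packet count alone would not.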
Next, the steps of analyzing the behavior of the user and the device to find the activities deviating from the normal baseline using the machine learning algorithm of the present invention will be described in detail, firstly, the process of constructing the user behavior model by performing the feature engineering on the operation data of the user. This process involves data collection for various user activities, such as login points in time, commonly used software applications, and used web services. This data is processed and transformed by selection and extraction and corresponding feature vectors are created. For example, in a banking system, this may be expressed as daily login times per customer, using a particular service or transaction frequency to be converted into a numeric or typed format as an input feature for subsequent algorithm modeling.
In the second step, we will extract the training dataset from the sorted dataset of normal activities of the user, which is used to construct our supervised learning model. This step requires us to select the appropriate historical pattern of behavior as reference data representing the normalcy of the user's behavior, such as all account activities for which no security issues have been reported in the past month. In our example, it might be that log entries of actions such as logging in normally on a banking website, browsing account information, etc. within a month are used for training, in order to teach the machine the ability to learn and distinguish between normal activities and atypical, suspicious modes of operation.
The comparison link is then entered, which is a stage of comparing by training the learner to evaluate whether the behavior actions newly observed in the actual situation follow the predicted behavior trend. In the actual use situation, the model can score in real time according to the latest generated user behavior event and compare with the learned behavior rule. For example, when a customer makes login attempts from abroad during a very unusual period of time, the abnormal situation can be detected and recorded.
If the analysis shows that the result is statistically significant, the last step is activated: if the degree of behavior deviation found in the comparison is above the set safety threshold, an alarm mechanism is immediately triggered to inform the corresponding security department to pay attention and handle it, and a coping process plan is started to prevent the potential security attack from spreading or occurring. Assuming that the alert threshold in the banking case has been set (e.g., a situation where no overseas login was recorded in the past week and login activity occurs after 11 pm is determined to be abnormal), a notification message should then be pushed by the monitoring platform to the relevant responsible person, so that the latter can react quickly and verify the legitimacy of the person logging in. This not only prevents unauthorized access in time, but also helps to improve the security and user experience of the whole system.
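The S2 procedure above (feature engineering on login events, a baseline learned from a month of normal activity, scoring of new events and an alert when the deviation crosses the threshold) is shown below in Python as an added example that is not from the patent. It substitutes a simple per-user statistical baseline (known countries, devices and login hours) for the supervised model in the text, uses constructed login records, and the feature weights, the alert threshold and the placeholder country code ZZ are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training history for this example: one month of logins with no reported
# security issues (not real banking data). Fields: (user, ISO time, country, device, success)
HISTORY = (
    [("alice", f"2024-03-{d:02d}T09:{m:02d}:00", "CN", "laptop-a1", True)
     for d, m in ((1, 5), (2, 12), (4, 3), (5, 45), (8, 9), (11, 30), (12, 2), (15, 20), (18, 11), (22, 8))]
    + [("alice", f"2024-03-{d:02d}T14:{m:02d}:00", "CN", "phone-a2", True)
       for d, m in ((3, 1), (9, 40), (16, 5), (20, 22), (27, 55))]
    + [("bob", f"2024-03-{d:02d}T22:{m:02d}:00", "CN", "desk-b1", True)
       for d, m in ((2, 15), (7, 8), (13, 50), (19, 33), (25, 2))]
)

# Newly observed events to score (constructed). "ZZ" is a placeholder for an overseas country.
NEW_EVENTS = [
    ("alice", "2024-04-02T09:10:00", "CN", "laptop-a1", True),    # routine login
    ("alice", "2024-04-03T23:30:00", "ZZ", "unknown-z9", True),   # late, abroad, new device
    ("bob", "2024-04-02T22:30:00", "CN", "desk-b1", False),       # one failure, usual pattern
    ("mallory", "2024-04-02T03:00:00", "CN", "desk-b1", True),    # account with no baseline
]

# Weight of each kind of deviation and the alert threshold (assumed values)
WEIGHTS = {"new_country": 3.0, "new_device": 2.0, "off_hours": 2.0, "failure": 1.0}
ALERT_THRESHOLD = 4.0


def featurize(event):
    """Feature engineering: turn a raw login record into the fields the model uses."""
    user, ts, country, device, ok = event
    hour = datetime.fromisoformat(ts).hour
    return {"user": user, "hour": hour, "country": country, "device": device, "success": ok}


def build_baseline(history):
    """Per-user model of normal behaviour learned from the training window."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": Counter()})
    for ev in history:
        f = featurize(ev)
        b = base[f["user"]]
        b["countries"].add(f["country"])
        b["devices"].add(f["device"])
        b["hours"][f["hour"]] += 1
    return dict(base)


def score_event(baseline, event):
    """Deviation score of a new event against its user's baseline; returns (score, reasons)."""
    f = featurize(event)
    b = baseline.get(f["user"])
    if b is None:  # no learned behaviour at all: treat as both new country and new device
        return WEIGHTS["new_country"] + WEIGHTS["new_device"], ["unknown_user"]
    reasons = []
    if f["country"] not in b["countries"]:
        reasons.append("new_country")
    if f["device"] not in b["devices"]:
        reasons.append("new_device")
    if b["hours"][f["hour"]] == 0:  # hour of day never seen for this user
        reasons.append("off_hours")
    if not f["success"]:
        reasons.append("failure")
    return sum(WEIGHTS[r] for r in reasons), reasons


def evaluate(baseline, events):
    """Alerts for every event whose deviation score reaches the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(baseline, ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": ev[0], "time": ev[1], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(build_baseline(HISTORY), NEW_EVENTS):
        print(alert)
```

A single failed login inside the usual pattern scores below the threshold, matching the text's point that a routine failed attempt should not raise a warning, while the late-night login from a new country on an unseen device accumulates three deviations and is pushed to the responsible person.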
Next, specific steps of the step of evaluating the network risk based on the intrusion detection result and the result of the behavior analysis and formulating the corresponding policy according to the present invention will be described. Firstly, the frequency of anomalies in security event records and their potential impact are integrated, this step is to aggregate log information from firewalls, antivirus software and Intrusion Detection Systems (IDS), count the number of anomalies in these data and their possible impact on the enterprise or individual, and, for example, determine that such frequency is high when the system records multiple unauthorized access attempts and malware activity within a week, and evaluate the overall risk based on its impact level.
The overall network health status is then scored in combination with the deviation-from-normal-activity alarm condition: a weighting algorithm (for example the formula X = A × α + I × β, where A is the number of anomalies, I represents the potential impact, and α and β are the weighting coefficients of the two factors, each greater than zero but at most 1, so that their sum is greater than 0 but at most 2) is applied to the data collected and counted earlier to obtain a quantitative evaluation index of the health status of the overall network system, i.e. the overall network score. For example, in a practical environment, when an intranet encounters a large number of abnormal behavior warnings on a certain day (A = 10) and each warning carries a high risk level (I = 7; assuming the weight α is set to 0.6 and β to 0.8 as a common configuration), we can calculate from this equation that X = 10 × 0.6 + 7 × 0.8 = 6 + 5.6 = 11.6, where a score of 11.6 indicates that the current network is in a relatively high risk state and that corresponding measures need to be taken as soon as possible to prevent the situation from deteriorating.
The urgency and priority level are then defined automatically by an expert rule system. This involves specifying an order of processing urgency for each security threat or vulnerability discovered, using the risk index calculated in the first two steps and a pre-written rule library (typically formulated from the experience of IT security officers or security advisors). For example, when the score of 11.6 occurs in the foregoing case, the alarm level for that numerical interval may be extremely high according to the preset rules, and the priority is set to red (the highest level).
Finally, a policy suggestion list is established for adjusting the protection setting, and a system forms a series of specific defending action suggestions (possibly including increasing the monitoring frequency/enhancing the firewall filtering logic/changing the user password strength policy and the like) according to the evaluated risk level, the alarm type and the priority order in the final link, and provides the suggestions for managers to audit and implement so as to enhance the protection of the system and improve the previously discovered risk area to prevent more serious infringement in the future. If the extremely high-level, highest-processing urgency anomalies mentioned in the case require immediate feedback measures to protect critical resources from threat, the possible policies that may be formed would include improving firewall recognition and filtering accuracy for external IP addresses or enforcing a strong authentication system operating on all important servers to ensure safe operation of the core services.
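The S3 chain described in the last four paragraphs (aggregate anomaly counts and impact from firewall, antivirus and IDS logs, score X = A × α + I × β, map the score to a priority through an expert rule table, and emit a policy suggestion list) is worked through end to end in this added Python example, which is not the patent's code. The log line format, the choice of I as the highest impact seen in the window, the rule table bounds and the policy texts are assumptions; α = 0.6, β = 0.8 and the A = 10, I = 7 case come from the text.

```python
import re

# Constructed one-week log excerpt aggregated from firewall, antivirus and IDS
# (sample lines written for this example, not real system output).
LOG_LINES = """\
2024-03-04T08:12:01 firewall unauthorized_access src=203.0.113.5 impact=5
2024-03-04T09:40:13 ids unauthorized_access src=203.0.113.5 impact=6
2024-03-05T11:02:55 antivirus malware host=ws-17 impact=7
2024-03-05T11:05:10 antivirus malware host=ws-17 impact=7
2024-03-05T23:14:42 firewall external_scan src=198.51.100.9 impact=3
2024-03-06T02:30:00 ids unauthorized_access src=198.51.100.9 impact=6
2024-03-06T14:18:27 firewall external_scan src=198.51.100.9 impact=4
2024-03-07T10:00:05 antivirus malware host=ws-22 impact=7
2024-03-08T16:45:19 ids unauthorized_access src=203.0.113.5 impact=5
2024-03-09T03:05:33 firewall external_scan src=192.0.2.77 impact=2
""".splitlines()

# Assumed line layout: <timestamp> <source> <event_type> <details...> impact=<1..10>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<event>\w+) .*impact=(?P<impact>\d+)$")

ALPHA, BETA = 0.6, 0.8  # weighting coefficients from the text, each in (0, 1]

# Expert rule table (assumed bounds): lower bound of X -> (urgency, priority colour)
PRIORITY_RULES = [(10.0, "extremely high", "red"), (6.0, "high", "orange"),
                  (3.0, "medium", "yellow"), (0.0, "low", "green")]

# Suggested defensive actions per anomaly type (assumed texts, in the spirit of the description)
POLICY_BY_EVENT = {
    "unauthorized_access": "enforce strong authentication on all important servers",
    "malware": "increase endpoint monitoring frequency and isolate affected hosts",
    "external_scan": "improve firewall recognition and filtering of external IP addresses",
}


def parse_events(lines):
    """Normalise the heterogeneous log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "source": m["source"],
                           "event": m["event"], "impact": int(m["impact"])})
    return events


def aggregate(events):
    """A = number of anomalies in the window, I = highest potential impact seen (assumption)."""
    a = len(events)
    i = max((e["impact"] for e in events), default=0)
    return a, i


def health_score(a, i, alpha=ALPHA, beta=BETA):
    """X = A*alpha + I*beta, the weighted network-health index of the text."""
    return a * alpha + i * beta


def classify(x):
    """Expert rule lookup: first rule whose lower bound the score reaches wins."""
    for bound, urgency, colour in PRIORITY_RULES:
        if x >= bound:
            return urgency, colour
    return "low", "green"


def policy_suggestions(events, x):
    """Policy suggestion list for administrators to audit and implement."""
    urgency, colour = classify(x)
    actions = []
    for e in events:
        p = POLICY_BY_EVENT.get(e["event"])
        if p and p not in actions:
            actions.append(p)
    if colour == "red":
        actions.insert(0, "immediate review by the security team; protect critical resources first")
    return {"score": round(x, 2), "urgency": urgency, "priority": colour, "actions": actions}


def assess(lines):
    events = parse_events(lines)
    a, i = aggregate(events)
    return policy_suggestions(events, health_score(a, i))


if __name__ == "__main__":
    print(assess(LOG_LINES))
```

With the ten constructed lines the window yields A = 10 and I = 7, reproducing the text's X = 11.6, the red priority and a suggestion list that leads with the authentication and firewall filtering items the description names.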
Next, the steps of dynamically adjusting firewall rules and network security device configuration to block confirmed threats will be described in detail. First, the blacklist library is updated according to the policy suggestions: the latest threat signature, extracted from the most recently captured attack by machine learning or other analysis methods, is integrated into the existing blacklist database; a specific example is adding an IP address confirmed as the source of a DDoS attack to the blacklist in the firewall rules. The automated configuration change is then applied to the applicable network devices: the network administrator can push predefined updates to all relevant routers, switches or firewalls with one action through centralized security management software, enabling these devices to instantly recognize and block potentially dangerous connection requests; for example, when an external server is found attempting to access a database inside the company without authorization, the automated system deploys a new firewall rule across the whole company within minutes. During this process, certain security test scenarios are preset as the content of a script to ensure that the rule change has been executed correctly and that malicious activity is blocked from continuing to affect the system without misjudging legitimate traffic; for example, when the script simulates both a legitimate user and a suspicious attacker attempting to connect to a protected data center server, under normal conditions the former is not interfered with and the latter is refused.
Finally, a real-time logging function is started to continuously monitor the effect after the configuration change, and an emergency means of restoring the previous version at any time is prepared; the rollback mechanism is kept active until a network technician has observed the running result of the new rule for a period of time, so that damage caused by unexpected events does not spread further, and if, for example, users report that certain intranet services suddenly cannot be connected to, the network team can quickly roll back the previous modification to restore normal functions or externally provided applications as soon as possible. The related formulas refer to specific numerical comparisons that quantitatively measure network indicators such as bandwidth utilization and latency change before and after the configuration modification in order to judge the optimal setting; generally, thresholds are set for these indicators to avoid a large impact on daily operating efficiency, so as to achieve the goals of protecting network security and ensuring normal service.
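The S4 sequence (blacklist update from the policy suggestions, automated push to every device in scope, validation by a test script that exercises a legitimate and a suspicious source, and rollback when the check fails) is modelled in the added Python example below, which is not the patent's own implementation. Rules, devices and the validation cases are constructed in memory, and the addresses are documentation-range placeholders standing in for a confirmed attack source and a known-good client.

```python
from ipaddress import ip_address, ip_network


class FirewallPolicy:
    """Versioned ordered rule set for one device: (action, network) pairs, default allow."""

    def __init__(self, name, rules=()):
        self.name = name
        self.versions = [list(rules)]  # every applied version is kept for rollback

    @property
    def rules(self):
        return self.versions[-1]

    def evaluate(self, src_ip):
        """First matching rule wins; anything unmatched is allowed."""
        ip = ip_address(src_ip)
        for action, net in self.rules:
            if ip in net:
                return action
        return "allow"

    def apply_blacklist(self, cidrs):
        """New version with deny rules for the suggested sources prepended to the rule set."""
        new_rules = list(self.rules)
        for cidr in cidrs:
            rule = ("deny", ip_network(cidr))
            if rule not in new_rules:
                new_rules.insert(0, rule)
        self.versions.append(new_rules)
        return len(self.versions) - 1

    def rollback(self):
        """Restore the previous version (the initial version is never discarded)."""
        if len(self.versions) > 1:
            self.versions.pop()
        return len(self.versions) - 1


def validate(policy, checks):
    """Automated test script: every (source, expected action) pair must hold on the new rules."""
    return [(src, expected, policy.evaluate(src))
            for src, expected in checks if policy.evaluate(src) != expected]


def deploy_to_fleet(devices, cidrs, checks):
    """Push the update device by device; on the first failed check roll back all devices touched."""
    applied = []
    for dev in devices:
        dev.apply_blacklist(cidrs)
        applied.append(dev)
        failures = validate(dev, checks)
        if failures:
            for d in applied:
                d.rollback()
            return {"status": "rolled_back", "device": dev.name, "failures": failures}
    return {"status": "applied",
            "version": {dev.name: len(dev.versions) - 1 for dev in devices}}


# Constructed validation cases: a known-legitimate client must stay reachable and the
# confirmed attack source (placeholder address) must be denied.
CHECKS = [("10.0.0.5", "allow"), ("203.0.113.9", "deny")]

if __name__ == "__main__":
    fleet = [FirewallPolicy("edge-fw"), FirewallPolicy("core-fw")]
    print(deploy_to_fleet(fleet, ["203.0.113.9/32"], CHECKS))  # precise block: applied
    print(deploy_to_fleet(fleet, ["10.0.0.0/8"], CHECKS))      # over-broad block: rolled back
```

The second deployment shows the failure mode the text guards against: an over-broad suggestion would deny the legitimate client, the validation script catches it on the first device, and the rollback leaves every device on the last version that passed.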
The specific steps of evaluating network risk based on the intrusion detection result and the result of behavior analysis and formulating corresponding strategies of the present invention are described next, namely, firstly, acquiring alarm information of the intrusion detection system, which is mainly to capture all generated alarms from IDS (intrusion detection system) installed on key nodes of the network, and preprocessing them to extract relevant parameters. For example, when a computer attempts to access a known malicious server, the IDS will issue an alarm, which includes data elements such as a timestamp, a source address, a destination address, and an attack type;
The behavior records of the user and device are analyzed to establish a baseline of normal behavior and the current observed behavior is compared to the baseline to determine potential anomalies. Such as by analyzing the time and operational patterns of regular login by an administrator and matching their login attempts to those patterns to find out that attempting to login during non-working hours may indicate that the account is abused. The behavior deviation record involved in this process typically includes changes in login time, abnormal increases in resource requests, etc.;
The comprehensive intrusion detection system alarm information and behavior deviation record risk quantification evaluation relates to the process of converting alarms into digital network security event possibility levels according to the frequency, urgency, past abnormal behavior history and other information of the alarms. At this stage we can use the formula r=f×v, where R represents the risk index, F is the frequency of occurrence of this type of threat and V is the loss of value caused by this intrusion, the optimal risk level should be kept in the lowest possible range to reduce the impact on the overall network operation, in this hypothetical example if the frequency is higher (say f=0.8) and the potential value impact is greater (say v=20 vowels), the calculated overall risk score gets a higher score (i.e. r=16), which indicates that it should be dealt with rapidly;
Finally, setting a risk level and planning a coping scheme based on the risk quantification result means assigning priority labels to the various risks, in combination with the specific situation obtained from the previous analysis, and selecting the most suitable response measures for that situation. For example, a low-level event can be handled by an automation tool, whereas a serious intrusion must be reported immediately to a senior analyst and a detailed defense process started. Taking a realistic scenario as an example: if one endpoint in an enterprise intranet is confirmed to have been hit by ransomware and the infection has already spread to a few other workstations, then besides disconnecting the infected hosts, measures such as strengthening the security boundary of the network must be taken to prevent the attack from spreading further, and specialist technicians must investigate further to make sure that every trace of the intruder is found.
Next, the specific steps of the risk quantification assessment that combines intrusion detection system alarm information with behavior deviation records are described. The first step is to convert every alarm level generated by the intrusion detection system into a numerical score that is convenient for calculation; the purpose is to reflect, clearly and intuitively, the degree to which alarms of different levels affect security. For example, the low, medium and high alarm levels that an IDS may emit are converted into scores of 1, 2 and 3 as the quantified severity index.
The following step is a statistical analysis of how often the behavior patterns of system devices and users change within a specified period; its aim is to measure the frequency of abnormal behavior in the network environment. That is, when a user's login behavior or network activity is found to depart from its established regular pattern, the number of times such deviations occur is recorded, giving a count of abnormal behavior records that is weighted in the subsequent analysis. If, for example, a system performs ten unusual operations (attack attempts) in one day, that record is counted as the basis for the number of behavior deviations of the system or account during the evaluation period.
Once the alarm severity and the behavior deviations have been calculated, the next step is to construct a threat level from these two quantities by means of a pre-established risk formula. The formula can be expressed as the alarm score plus the frequency of behavior deviations multiplied by a previously set weight factor that emphasizes the importance of that abnormal behavior; the resulting total is treated as the risk assessment score of the whole system, or of a single subject, over a period of time. For instance, a daily risk score is set for a system; if the score exceeds a predetermined safety threshold, such as 15 or more (this threshold can be adjusted by the security policy maker to reflect different security situations), the threat situation of the system is considered to have become fairly urgent and immediate countermeasures must be taken.
The last task is to classify the obtained security evaluation values, map them to the different risk levels established by the organization, and take appropriate security measures accordingly to reduce the harm of the hidden dangers discovered. If the risk assessment indicates a high-risk threat situation, the organization should immediately implement the corresponding emergency plan according to pre-designed principles, for example temporarily cutting the infected service node's connections to the outside until the potential threat factors have been cleared, so as to protect the integrity of the network assets. These pre-programmed handling measures should be adjusted in time so that they fit the current network security situation and prevent an escalating threat event from affecting a wider range of IT facility operations.
Next, the specific steps by which the invention decides that a significant threat exists when the number of user behavior deviations multiplied by the weight factor, plus the alarm information score, exceeds the preset score are described. First, when the alarm information is of the severe level, the corresponding score is set to A. This distinguishes the different degrees of risk that may be associated with the various alarm levels. For example, the system may identify a user attempting to access a website marked as malicious; the alarm corresponding to such behavior is assumed to be of the severe level and is assigned the value A as its score, where A can be any positive value set according to actual risk conditions and experience.
The weight factor is then set to a value W that depends on the importance of the behavior. The weight factor reflects the degree of risk that a particular behavior or operation represents in the environment in which it occurs, and can be adjusted and optimized according to the importance of that behavior, its frequency of occurrence in the historical data, and so on. For example, if a certain login pattern has historically been followed by a large number of security problems, its weight can be increased to highlight its importance; weights typically take values from zero up to a maximum, depending on how the different behaviors are evaluated.
The number of deviations C of the user over the period T is then calculated and converted into a score F = C × W. The period T is the unit of time for the evaluation, possibly an hour, a day or a week; if a user fails to log in a number of times during that period, these off-pattern events are counted in C and converted into the score F by multiplying by the predetermined importance weight W. With a week as the statistical unit, if a certain user has ten failed login attempts and the behavior weight for this item is set to 1.5, then F = 10 × 1.5 = 15.
When the calculated total F + A exceeds the predefined threshold (T > F + A), this network activity is judged likely to present a higher threat level. In other words, once the result of the combined calculation exceeds the previously established risk threshold, the system recognizes that a potential risk currently exists, and either an investigation is required or a response mechanism is started to carry out mitigation. In this hypothetical example, assume the system's security pre-alarm threshold is set to 30 points; adding the severity score (A = 20) to the calculated risk score of 15 gives F + A = 15 + 20 = 35, which is above the security guard line, so the network activity is judged to constitute a higher security threat.
Next, the specific steps of the invention when the calculated total F + A exceeds the predefined threshold (T > F + A), and this network activity is judged likely to present a higher threat level, are described. First, within a given time window T, the risk score F and the activity score A of the network behavior are summed to form a comprehensive evaluation index S. Here F may represent the potential security threat assessment score brought about by a certain behavior pattern (such as data access frequency), with a value from 0 to 10 (0 meaning completely secure and 10 the least secure case), and A represents the occurrence frequency or intensity assessment value of the corresponding network behavior, which in practice is set within the same interval. T is a time window determined in advance by analysis, which may range from ten minutes to several hours depending on the specific monitoring requirements.
Further, during this preset period T, the sum of F and A, called the risk activity score sum (S for short), is monitored continuously. The purpose of this monitoring is to see whether the value stays high for the whole period. If the overall assessment remains at a high level throughout the monitoring period, meaning that a sustained and possibly highly dangerous network operation is in progress, further action must be taken immediately for preventive control.
Once S is confirmed to exceed a preset threshold, which generally refers to a statistical standard summarized from a large number of past network attack cases or a safety reference limit set from experience, the system's built-in security pre-warning mechanism is triggered. Triggering the alarm does not depend only on a static single standard value: the numerical range of the safety threshold is updated continuously as the enterprise's daily business activities and the novel network security risks it faces evolve, so that the protection system adapts better to constantly changing attack techniques and its network security defense line remains firm.
As a simple example, consider that within a continuous half hour in the internal network of a certain company, the number of data extractions from an important database resource and the corresponding abnormal risk index rise significantly, and the accumulated value of F and A far exceeds the empirical upper limit set for normal operating conditions. The method therefore automatically generates an emergency warning notice, applies stricter information management and control measures based on this judgment, and limits the exposure of unnecessary access rights to the related key systems, not restoring the normal state until the danger is confirmed to have been resolved. This example shows how the present solution uses an intelligent decision flow to raise the effectiveness and emergency response efficiency of an enterprise facing unknown security challenges.
Next, the specific implementation steps of triggering an alarm when S is greater than or equal to the safety boundary value are described. The first step is to calculate the average S value from the historical statistics of the network system under normal operating conditions, compare it with the value of S at the current moment, and judge whether S shows a continuous upward trend whose increase reaches a predefined range. This step is accomplished by analyzing the system's normal behavior pattern and taking it as the standard baseline, any deviation from which may indicate an attack or abnormal activity.
The next step, when an increasing trend is present, is to evaluate whether the current growth ratio R exceeds the expected fluctuation compared with the system's long-term statistical average ratio N. The specific rule is to check whether R exceeds the sum of the historical average ratio N and the allowed fluctuation range V. Here N is the median ratio of the variation trend of S under a secure environment, obtained by long-term observation, whose optimal value differs with the specific network environment; R is the growth ratio of the actual variation of the security parameter monitored over the most recent period; and V is a variable representing the allowed upper limit of error, which accounts for the uncertainty caused by noise and other non-intrusive events in actual network operation. The optimal range of V must be determined in advance by analyzing a large amount of experimental data.
Once the growth of S is determined to exceed the allowed variation interval, i.e. the condition R > N + V holds, the system is considered to possibly face a newly emerging potential security event of high threat level, and it immediately activates a preset emergency protection scheme. Such countermeasures may include increasing the monitoring frequency, deploying more firewalls, or applying stricter filtering to network traffic until the threat is resolved and operation can again run smoothly. For example, assume that the historical security index S of a certain enterprise network monitoring platform averages 8 points and that, because of a malware outbreak, this value has recently surged to more than 10 points at a growth rate of 14%; if N is 9 and the environment-specific tolerance V is set at around 5%, R (14) is clearly higher than N + V (N + 5%), so the corresponding warning mechanism is triggered and an emergency response procedure is started. This ensures that even in the event of an unexpected attack on the network environment, a rapid reaction avoids greater damage and loss.
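The scoring chain of claims 5 to 8 carried through in code, as an added worked example that is not code from the patent or its applicant: alarm level to score A, F = C × W over a window, S = F + A against a safety boundary, and the trend check R > N + V. It generalizes the single-behavior F to a weighted sum over behavior kinds; all user names, weights, thresholds and log entries are constructed, and the mean-plus-k-standard-deviations boundary is an assumption made here because the page gives no formula for adjusting the boundary.

```python
"""Worked example of the risk-scoring chain in claims 5 to 8 (added here, not
code from the patent or its applicant). Every user name, weight, threshold and
log entry below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Step 1: IDS alarm levels become numeric severity scores. low/medium/high ->
# 1/2/3 follows the description; 20 is the A value of its severe-alarm example.
ALARM_SCORE = {"none": 0, "low": 1, "medium": 2, "high": 3, "severe": 20}

# Weight factor W per behavior kind (constructed; 1.5 for failed logins is the
# figure in the description's F = 10 x 1.5 example).
BEHAVIOR_WEIGHT = {"failed_login": 1.5, "offhours_login": 2.0, "bulk_data_pull": 3.0}

WEEK = timedelta(weeks=1)  # the statistical period T used below


@dataclass(frozen=True)
class Deviation:
    """One recorded departure of a user from its behavioral baseline."""
    user: str
    kind: str
    at: datetime


def deviation_score(devs, user, window_end, window=WEEK):
    """F = C x W over the window (window_end - window, window_end].

    The description uses one behavior kind; here every kind k contributes
    C_k x W_k and the parts are summed, so a user with only failed logins
    reduces exactly to F = C x W.
    """
    start = window_end - window
    counts = {}
    for d in devs:
        if d.user == user and start < d.at <= window_end:
            counts[d.kind] = counts.get(d.kind, 0) + 1
    return sum(c * BEHAVIOR_WEIGHT[k] for k, c in counts.items())


def composite_score(alarm_level, F):
    """S = F + A, A being the score of the most severe alarm in the window."""
    return F + ALARM_SCORE[alarm_level]


def adaptive_boundary(history, k=2.0, floor=30.0):
    """Safety boundary re-derived from past S values. Claim 7 only says the
    boundary is adjusted from historical data; mean + k standard deviations,
    never below `floor`, is an assumption made for this example."""
    if len(history) < 2:
        return floor
    return max(floor, mean(history) + k * pstdev(history))


def trend_alarm(history, current, N, V):
    """Claim 8: growth ratio R of S over its historical mean; alarm when R
    exceeds the long-term average ratio N plus the tolerance V."""
    avg = mean(history)
    R = (current - avg) / avg
    return R > N + V, R


def evaluate(devs, user, alarm_level, window_end, history, N, V, window=WEEK):
    """Run the whole chain for one user and one window and return the verdict."""
    F = deviation_score(devs, user, window_end, window)
    S = composite_score(alarm_level, F)
    boundary = adaptive_boundary(history)
    trend, R = trend_alarm(history, S, N, V)
    return {"F": F, "S": S, "boundary": boundary, "threat": S > boundary,
            "R": round(R, 3), "trend_alarm": trend}


# Constructed sample: alice has 10 failed logins in the last 10 hours (C = 10),
# bob one off-hours login two days ago; past weekly S values average 8.
END = datetime(2024, 12, 25, 0, 0)
SAMPLE = [Deviation("alice", "failed_login", END - timedelta(hours=h))
          for h in range(1, 11)]
SAMPLE.append(Deviation("bob", "offhours_login", END - timedelta(days=2)))
HISTORY_S = [6.0, 8.0, 9.0, 7.0, 10.0, 8.0]

if __name__ == "__main__":
    # alice: F = 15, A = 20 -> S = 35 > 30 boundary, so a significant threat.
    print(evaluate(SAMPLE, "alice", "severe", END, HISTORY_S, N=0.09, V=0.05))
    # bob: F = 2, A = 0 -> S = 2, no threat and no upward trend.
    print(evaluate(SAMPLE, "bob", "none", END, HISTORY_S, N=0.09, V=0.05))
```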
In summary, the multi-level dynamic network attack detection and response method comprises the following steps. First, changes in the data flow of the network are monitored in real time, and an intrusion detection system deployed at key network nodes identifies and extracts abnormal patterns in the data stream that may indicate that the network is under malicious attack. Then a pre-trained machine learning model performs comparative learning on the user activity records within a specific time window and on the interaction processes between devices; when the current behavior data are found to deviate from the previously learned results, it is considered that the user may have been hijacked or that the current operating environment may not meet the security requirements. Next, the threat level of the whole system is calculated from the analysis results obtained, and the list of objects that need immediate handling and the list of recommended protective measures are ranked in priority order. Finally, the rule items of the internal security policy files are modified in time according to the collected information, so that external illegal access requests are responded to quickly and potential hazards are prevented from spreading further into the internal trusted area, thereby forming a cyclic process architecture. Through the cooperation of the multi-level detection means and the flexible adjustment of the network boundary defense structure, suspicious activity can be found at an early stage and further intrusion prevented, while unnecessary interception of non-dangerous events is reduced as far as possible, so that an effective handling capability for various sudden network security threat scenarios is formed.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A multi-level dynamic network attack detection and response method, characterized in that the method comprises:
   S1: monitoring abnormal patterns in network traffic through an intrusion detection system to identify potential attacks;
   step S1 includes collecting raw data packets from the network interface, parsing the packets and extracting features using deep packet inspection, and applying anomaly detection algorithms to analyze the features and generate security event records;
   S2: using machine learning algorithms to analyze user and device behavior to detect activities that deviate from the normal baseline;
   step S2 includes performing feature engineering on the user's operation data to construct a user behavior model, training a supervised learning model with historical normal behavior as the training data set, comparing the user's current behavior with the expected behavior predicted by the model, and issuing a deviation-from-normal-activity alarm when the comparison shows statistical significance;
   S3: evaluating network risk based on the intrusion detection results and the behavior analysis results, and formulating corresponding strategies;
   S4: dynamically adjusting firewall rules and network security device configurations to block confirmed threats.

2. The multi-level dynamic network attack detection and response method according to claim 1, characterized in that step S3 comprises:
   combining the frequency of anomalies in the security event records with their potential impact;
   scoring the overall network health status in combination with the deviation-from-normal-activity alarms;
   automatically defining urgency and priority levels through an expert rule system;
   building a list of policy recommendations for adjusting the protection settings.

3. The multi-level dynamic network attack detection and response method according to claim 1, characterized in that step S4 comprises:
   updating the blacklist library containing known threat feature signatures in line with the policy recommendations;
   automatically applying the configuration changes to all applicable devices within the affected scope;
   using automated test scripts to verify the effectiveness and compatibility of the new rules;
   starting real-time log tracking to monitor the adjusted operating state and preparing a rollback mechanism.

4. The multi-level dynamic network attack detection and response method according to claim 1, characterized in that step S3 further comprises:
   obtaining the alarm information of the intrusion detection system;
   analyzing the behavior records of users and devices;
   combining the intrusion detection system alarm information and the behavior deviation records to perform a risk quantification assessment;
   setting a risk level and planning a response scheme based on the risk quantification assessment result.

5. The multi-level dynamic network attack detection and response method according to claim 4, characterized in that combining the intrusion detection system alarm information and the behavior deviation records to perform a risk quantification assessment includes:
   converting the alarm information level into a numerical score representing its severity;
   counting the number of device or user behavior deviations within a specific time period;
   if the number of user behavior deviations multiplied by the weight factor plus the alarm information score is greater than the preset score, considering that a significant threat exists;
   mapping this score to the different network risk levels and determining the corresponding response scheme design principles.

6. The multi-level dynamic network attack detection and response method according to claim 5, characterized in that considering that a significant threat exists if the number of user behavior deviations multiplied by the weight factor plus the alarm information score is greater than the preset score includes:
   setting the score corresponding to the severe alarm information level to A;
   setting the weight factor to a value W that may differ according to the importance of the behavior;
   calculating the number of deviations C of the user in the time period T and converting it into a score F = C × W;
   when the calculated total F + A exceeds a predefined threshold (T > F + A), judging that the network activity presents a threat level.

7. The multi-level dynamic network attack detection and response method according to claim 6, characterized in that judging that the network activity may present a high threat level when the calculated total F + A exceeds a predefined threshold (T > F + A) further includes:
   checking within the time window T whether F + A consistently remains at a high risk level;
   if the F value plus the A value within T gives S, and S is greater than or equal to the safety boundary value, triggering an alarm;
   adjusting the safety boundary periodically according to historical data analysis;
   finally, deciding on the basis of this judgment to adopt a security policy that protects sensitive resources.

8. The multi-level dynamic network attack detection and response method according to claim 7, characterized in that the specific implementation steps of triggering an alarm when S is greater than or equal to the safety boundary value include:
   calculating the average S from historical statistics and comparing it with the current S to determine whether it has risen continuously to a certain range;
   if the growth ratio R of S exceeds the average ratio N plus the allowed fluctuation range V, deeming the trend obvious;
   when the above conditions hold, indicating that new high-frequency, high-risk events may be occurring or about to occur;
   at this point automatically enabling emergency measures and raising the protection level until the event is resolved and a safe and stable state is re-entered.
CN202411924855.3A 2024-12-25 2024-12-25 A multi-level dynamic network attack detection and response method Pending CN119966659A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411924855.3A CN119966659A (en) 2024-12-25 2024-12-25 A multi-level dynamic network attack detection and response method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411924855.3A CN119966659A (en) 2024-12-25 2024-12-25 A multi-level dynamic network attack detection and response method

Publications (1)

Publication Number Publication Date
CN119966659A true CN119966659A (en) 2025-05-09

Family

ID=95591238

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411924855.3A Pending CN119966659A (en) 2024-12-25 2024-12-25 A multi-level dynamic network attack detection and response method

Country Status (1)

Country Link
CN (1) CN119966659A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20240333729A1 (en) * 2023-03-31 2024-10-03 Hitachi, Ltd. Connection destination malignancy determination system, connection destination malignancy determination program, and connection destination malignancy determination method
CN120263556A (en) * 2025-06-05 2025-07-04 北京中超伟业信息安全技术股份有限公司 A computer information real-time security detection method and system
CN120415752A (en) * 2025-07-04 2025-08-01 上海零数众合信息科技有限公司 A multi-node multi-factor security authentication method and system



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination