CN118449789B - Data communication safety analysis system based on wireless network - Google Patents
- Publication number: CN118449789B (application CN202410905290.8A)
- Authority
- CN
- China
- Prior art keywords
- communication
- risk
- similarity
- records
- preference
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H04L63/1416 — Event detection, e.g. attack signature detection (under H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14: detecting or protecting against malicious traffic; H04L63/00: network architectures or protocols for network security)
- H04L63/1441 — Countermeasures against malicious traffic (under H04L63/14; H04L63/00)
- H04L9/40 — Network security protocols (under H04L9/00: cryptographic mechanisms or arrangements for secret or secure communications)
- G06F18/213 — Feature extraction, e.g. by transforming the feature space; summarisation; mappings, e.g. subspace methods (under G06F18/21: design or setup of recognition systems, extraction of features in feature space, blind source separation; G06F18/20: analysing; G06F18/00: pattern recognition)
- G06F18/24 — Classification techniques (under G06F18/20: analysing; G06F18/00: pattern recognition)
- Y02D30/70 — Reducing energy consumption in wireless communication networks (under Y02D30/00: reducing energy consumption in communication networks; Y02D: climate change mitigation technologies in ICT, i.e. ICT aiming at the reduction of its own energy use)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Theoretical Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Physics & Mathematics (AREA)
- Evolutionary Computation (AREA)
- General Physics & Mathematics (AREA)
- Evolutionary Biology (AREA)
- Bioinformatics & Computational Biology (AREA)
- Artificial Intelligence (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention belongs to the technical field of communication security management and discloses a data communication security analysis system based on a wireless network. The system screens the communication records that were subjected to risk interception out of the historical communication records, classifies them by communication environment features, and then analyses network attack preference topics on the classified records, so that preference topics are obtained for different communication environments. This makes the mining of attack preference topics more comprehensive and improves the model's ability to recognise and predict diversified attack scenarios. Mining the classified records also covers network attack preference environments and network attack preference behaviours alongside the preference topics, which gives a comprehensive and deep picture of the attacker as a whole and helps to build a more complete, multi-layered attack protection system.
Description
Technical Field
The invention belongs to the technical field of communication security management, and in particular relates to a data communication security analysis system based on a wireless network.
Background
As modern society's demand for acquiring, sharing and processing information grows, large amounts of data must be transmitted over communication links. Because such data often carries important sensitive information, it frequently becomes the target of attacks while in transit, and information leakage occurs often; security management of data communication is therefore necessary.
Given the growing complexity of today's threat environment, the tools and techniques used by attackers keep evolving, and traditional passive defence usually copes only with known threats. Data communication security management is therefore shifting from passive management to active defence management based on mining network attack preferences, which makes it possible to predict likely attack events in advance, take corresponding preventive measures and effectively reduce security risk.
Data communication security management schemes that mine network attack preferences already exist in the prior art; for example, Chinese patent publication CN115225404A discloses a big data analysis method and system based on network security. When mining network attack preferences, however, that approach has two shortcomings. On the one hand, the selection of communication session samples for training does not account for the diversity and variability of network attacks, so the samples may be concentrated under a single condition; the result then generalises poorly across time periods or network environments, and the mined preferences have limited applicability and are hard to apply widely. On the other hand, the method focuses only on mining the preferred subject of network attacks, so the mining is one-sided: the attacker's behaviours and the communication environment of the attacks are ignored, understanding of the attacker's behaviour pattern is insufficient, and the ability to predict and prevent future attacks is reduced to some extent.
That prior-art scheme evaluates the security of different types of delivery data Rn when they are transmitted, acquires the security protection information and data attributes of the delivery data Rn, and raises the protection level of the delivery data Rn in a targeted manner by combining it with the attack mode of a communication protocol. However, once the current communication data is identified as matching a network attack preference, protection is carried out by replacing the communication protocol with a secure one. This mode of protection may cause compatibility problems, affect the normal operation of existing systems and applications, and increase resource consumption and cost.
Disclosure of Invention
In view of the above, the present invention provides a data communication security analysis system based on a wireless network that effectively solves the problems set out in the background above.
The aim of the invention is achieved by the following technical scheme. A wireless-network-based data communication security analysis system comprises the following modules.
The risk communication record screening and classifying module screens the communication records that were intercepted as risks out of the historical communication records, marks them as risk communication records, and extracts the communication topic, the communication environment features and the attack behaviour features from each record. The communication environment features specifically comprise the communication time period, the endpoint geographic positions and the network configuration; the attack behaviour feature is the attack tool. The risk communication records are then classified according to their communication environment features.
The network attack preference analysis module takes the classified risk communication records as training samples, analyses the network attack preference topics from the communication topics of the training samples, analyses the network attack preference environment from the communication environment features of each risk communication record, retrieves the training samples that carry the corresponding preference according to the network attack preference topics and the network attack preference environment, and analyses the network attack preference behaviour from their attack behaviour features.
The communication protection module acquires the current communication topic and the current communication environment features while a communication is in progress and identifies whether the current communication is a risk communication. If it is, the module acquires the risk-related party, predicts the risk-related degree of the current communication, extracts the network attack preference behaviour corresponding to the current communication, and carries out communication protection by combining the risk-related degree with that network attack preference behaviour.
Compared with the prior art, the invention has the following beneficial effects.
1. The communication records subjected to risk interception are screened out of the historical communication records and classified by communication environment features, and the network attack preference topic analysis is carried out on the classified records. Preference topics are thus obtained for different communication environments, so the mining of attack preference topics is more comprehensive and more widely applicable, the model's ability to recognise and predict diversified attack scenarios improves, and the risk of missing attack preference topics during mining is reduced.
2. When network attack preferences are mined from the classified communication records, the mining covers not only the network attack preference topic but also the network attack preference environment and the network attack preference behaviour. This gives a comprehensive and deep understanding of the attacker as a whole and allows a more complete, multi-level attack protection system to be built, one that does not rely on detecting and defending against a single preference topic but takes account of the various possibilities and changes in how attacks occur, improving overall communication security protection.
3. When the current communication data is protected on the basis of the mined network attack preferences, the risk-related party of the current communication is obtained from its communication topic and communication environment features, and that party is protected in combination with the network attack preference behaviour corresponding to the current communication. Protection based on network attack preferences is therefore achieved without replacing the communication protocol. Compared with protection that directly replaces the protocol, the protective measures stay consistent with the communication protocol in use, normal communication is not disturbed, and communication security and response capability are improved while communication efficiency and cost are maintained.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the connection of the modules of the system of the present invention.
Fig. 2 is a schematic diagram illustrating analysis of network attack preference by using risk communication records in the present invention.
Detailed Description
The embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. The embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that a person skilled in the art can obtain from these embodiments without inventive effort fall within the scope of the invention.
Referring to FIG. 1, the invention provides a data communication security analysis system based on a wireless network comprising a risk communication record screening and classifying module, a network attack preference analysis module and a communication protection module. The risk communication record screening and classifying module is connected to the network attack preference analysis module, and the network attack preference analysis module is connected to the communication protection module.
The risk communication record screening and classifying module screens the communication records that were intercepted as risks out of the historical communication records, marks them as risk communication records, and extracts the communication topic, the communication environment features and the attack behaviour features from each record. The communication environment features specifically comprise the communication time period, the endpoint geographic positions and the network configuration; the attack behaviour feature is the attack tool. The risk communication records are then classified according to their communication environment features.
The communication record referred to in the invention is the record formed during a data communication; it may contain transmitted file data, audio data, video data and similar information.
The invention screens the communication records that were intercepted as risks out of the historical communication records and performs the network attack preference analysis on those records rather than on all historical communication records. Limited analysis resources are thus concentrated on the records already judged to carry risk, and records that may involve a security threat or abnormal activity are processed first. This is more targeted and improves analysis efficiency instead of spending time and resources on the large volume of normal communication. Broad analysis of all historical records would also tend to raise the false alarm rate, that is, to mistake normal communication for attack behaviour; screening out the risk-related records reduces false alarms and improves the accuracy and reliability of the preference analysis.
In particular, when risk interception is used to screen the risk communication records, the interception is realised by defining risk markers, such as abnormal data transmission patterns, potential malicious file transfers and abnormal communication frequency, and then monitoring the historical communication records for behaviour that matches the defined markers.
The communication time period is the period between the communication start time and the communication end time. The endpoint geographic positions are the communication source geographic position (where the communication is sent from) and the communication destination geographic position (where it is received). The network configuration covers the network services, equipment and so on used during the communication and may specifically include network bandwidth, communication protocol and the like.
The communication time period, the endpoint geographic positions and the network configuration are taken as the communication environment features because they are the important factors for analysing and understanding the communication environment: the time period reflects the temporal dimension of the communication, the endpoint geographic positions reflect its spatial dimension, and the network configuration reflects the technical conditions under which it took place. Together they help to comprehensively understand and manage the various conditions and background of the communication.
Further to the above, the attack tool is the software or hardware tool an attacker uses to carry out a network attack. By way of example, the attack tool may be a scanning tool, used to scan a target network or system to identify vulnerabilities or weaknesses that may exist.
As a further example, the attack tool may be an exploit tool, used to exploit known vulnerabilities to break into a system or gain unauthorised access.
As a further example, the attack tool may be a password cracking tool, used to attempt to crack passwords or gain access by brute force.
In an optimised implementation of the scheme, the risk communication records are classified by communication environment features as follows. The communication start time is extracted from each risk communication record, and the records are arranged in order of communication start time from earliest to latest.
The risk communication records are then taken in turn, in that order, as the main risk communication record, and the communication environment features of the main record are compared for similarity with those of every other risk communication record, giving the communication time period similarity, the endpoint geographic position similarity and the network configuration similarity between the main record and each other record. These are obtained as follows. An intersection operation is performed on the communication time period of the main risk communication record and the communication time period of the other risk communication record (the formula, whose two operands are the communication time periods of the main record and of the other record, is given in the original as an image and is not reproduced here), and the communication time period similarity between the two records is calculated from that intersection.
The endpoint geographic positions of the main risk communication record and of the other risk communication record are marked on a map, giving the endpoint distances between the two records: the distance between their communication source geographic positions and the distance between their communication destination geographic positions. The endpoint geographic position similarity is calculated with two fifths as the base and the ratio of the endpoint distance to a reference distance as the exponent, i.e. (2/5) raised to the power (endpoint distance / reference distance), where the reference distance is set initially by the system and is 10 m. In the formula (not reproduced here), one symbol denotes the endpoint geographic position similarity, two denote the source-endpoint and destination-endpoint distances between the main record and the other record, and one denotes the reference distance.
The network configuration of the main risk communication record is matched against that of the other risk communication record, the proportion of network configuration items that fail to match is counted, and the network configuration similarity between the two records is calculated with three fifths as the base and that failed-match proportion as the exponent.
The communication time period similarity, the endpoint geographic position similarity and the network configuration similarity between the main record and each other record are each compared with a threshold preset by the system. The other risk communication records whose communication time period similarity, endpoint geographic position similarity or network configuration similarity is greater than or equal to the threshold are selected and, together with the main record, form a number of communication time period similarity groups, endpoint geographic position similarity groups and network configuration similarity groups respectively. By way of example, the preset similarity threshold is 0.8; it is preset to assist the classification into similarity groups.
When the risk communication records are grouped by communication environment features in this way, they are not simply grouped by identical communication time period, identical endpoint geographic positions and identical network configuration. Records whose communication environment features are exactly identical may be relatively few, so insisting on identical features would make grouping much harder and defeat its purpose. Grouping by similarity of the communication environment features instead allows for the fine differences between risk communication records in their communication environment, which is more reasonable and effective and at the same time reduces the difficulty of grouping.
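The three similarity measures and the threshold grouping described above, as an added worked example in Python (this is not code from the patent). The (2/5)^(distance / reference distance) and (3/5)^(failed-match proportion) forms, the 10 m reference distance and the 0.8 threshold are taken from the text. Three things the page does not reproduce are assumptions of this example and are marked as such in the code: the time-period intersection is normalised by the union of the two periods, the source-endpoint and destination-endpoint terms are averaged, and configuration items are compared over the union of the two records' keys. The sample records are constructed.

```python
"""Added example, not the patent's own code: the communication-environment
similarity measures described in the patent and the threshold-based grouping
of risk communication records. Assumptions not stated on the page are marked."""
from dataclasses import dataclass
from math import asin, cos, log, radians, sin, sqrt

REFERENCE_DISTANCE_M = 10.0   # patent: reference distance initially set to 10 m
SIMILARITY_THRESHOLD = 0.8    # patent: preset similarity threshold 0.8


@dataclass
class RiskRecord:
    rid: str
    period: tuple   # (start, end) of the communication, minutes from an arbitrary origin
    src: tuple      # (lat, lon) of the communication source
    dst: tuple      # (lat, lon) of the communication destination
    config: dict    # network configuration items, e.g. protocol, bandwidth
    topic: str      # communication topic
    tool: str       # attack behaviour feature (attack tool)


def time_period_similarity(p, q):
    """Length of the intersection of the two periods, normalised by their union.
    The patent states an intersection operation but its formula is not on the
    page; the union normalisation is an assumption of this example."""
    overlap = max(0.0, min(p[1], q[1]) - max(p[0], q[0]))
    span = max(p[1], q[1]) - min(p[0], q[0])
    return 1.0 if span == 0 else overlap / span


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(h))


def geo_term(distance_m, ref=REFERENCE_DISTANCE_M):
    """Patent formula: base 2/5 raised to (endpoint distance / reference distance)."""
    return 0.4 ** (distance_m / ref)


def endpoint_similarity(r, o):
    """Mean of the source-endpoint and destination-endpoint terms. How the two
    terms are combined is not stated on the page; the mean is an assumption."""
    return (geo_term(haversine_m(r.src, o.src)) + geo_term(haversine_m(r.dst, o.dst))) / 2


def network_config_similarity(c, d):
    """Patent formula: base 3/5 raised to the proportion of configuration items
    that fail to match. Items are compared over the union of keys (assumption)."""
    keys = set(c) | set(d)
    if not keys:
        return 1.0
    failed = sum(1 for k in keys if c.get(k) != d.get(k))
    return 0.6 ** (failed / len(keys))


def max_endpoint_distance(threshold=SIMILARITY_THRESHOLD, ref=REFERENCE_DISTANCE_M):
    """Largest endpoint distance that still reaches the threshold: solve 0.4**(d/ref) = t."""
    return ref * log(threshold) / log(0.4)


def build_similarity_groups(records, similarity, threshold=SIMILARITY_THRESHOLD):
    """Take each record in start-time order as the main record, attach every other
    record whose similarity reaches the threshold, and drop duplicate groups."""
    ordered = sorted(records, key=lambda r: r.period[0])
    groups = []
    for main in ordered:
        members = frozenset([main.rid] + [o.rid for o in ordered
                                           if o is not main and similarity(main, o) >= threshold])
        if members not in groups:
            groups.append(members)
    return groups


def classify(records):
    """The three groupings the patent forms from the communication environment features."""
    return {
        "time": build_similarity_groups(records, lambda r, o: time_period_similarity(r.period, o.period)),
        "endpoint": build_similarity_groups(records, endpoint_similarity),
        "config": build_similarity_groups(records, lambda r, o: network_config_similarity(r.config, o.config)),
    }


# Constructed sample records (not data from the patent).
SH, BJ, LDN = (31.2304, 121.4737), (39.9042, 116.4074), (51.5074, -0.1278)
SAMPLE_RECORDS = [
    RiskRecord("r1", (0, 60), SH, BJ, {"protocol": "HTTP", "bandwidth": "100M"}, "invoice", "scanner"),
    RiskRecord("r2", (10, 60), SH, BJ, {"protocol": "HTTP", "bandwidth": "1G"}, "invoice", "exploit"),
    RiskRecord("r3", (30, 90), LDN, BJ, {"protocol": "HTTP", "bandwidth": "100M"}, "payroll", "scanner"),
    RiskRecord("r4", (0, 60), SH, BJ, {"protocol": "HTTP", "bandwidth": "100M"}, "invoice", "scanner"),
]

if __name__ == "__main__":
    for name, groups in classify(SAMPLE_RECORDS).items():
        print(name, [sorted(g) for g in groups])
    print("max endpoint distance at threshold 0.8: %.2f m" % max_endpoint_distance())
```

Running the block prints the three groupings for the sample records. One thing the numbers make visible: with a 10 m reference distance and a 0.8 threshold, max_endpoint_distance() shows that two endpoints count as similar only when they lie within about 2.4 m of each other, which in practice is met only by identical coordinates. Before the endpoint grouping is useful, the reference distance has to be matched to the precision of the geolocation actually available (IP geolocation is accurate to kilometres, not metres).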
The network attack preference analysis module is used for taking the classified risk communication records as training samples, so that network attack preference topic analysis is carried out according to the communication topics of the training samples, network attack preference environment analysis is carried out according to the communication environment characteristics of each risk communication record, training samples with corresponding preference are called according to the network attack preference topics and the network attack preference environment, and network attack preference behavior analysis is carried out according to the attack behavior characteristics.
As a preferred implementation of the above scheme, the network attack preference topic analysis implementation process is performed according to the communication topic of the training sample: and selecting an effective communication time period similar group, an effective endpoint geographic position similar group and an effective network configuration similar group from the formed communication time period similar groups, the endpoint geographic position similar groups and the network configuration similar groups.
It should be understood that the network attack preference topic analysis cannot be directly used after the communication period similarity group, the endpoint geographical location similarity group and the network configuration similarity group are formed, because there may be a situation that the number of risk communication records is small in the formed similarity group, and enough data samples may not be provided to reflect the wide communication attack preference. If analysis of the network attack preference topics is performed based on such similarity groups, inaccuracy and incompleteness of analysis results may be caused, and analysis resources are wasted, so that effective similarity group screening is required for the formed similarity groups to analyze more representative network attack preference topics.
In the innovative implementation of the above scheme, the effective communication time period similarity group, the effective endpoint geographic position similarity group and the effective network configuration similarity group are selected as follows; counting the ratio of risk communication records existing in a plurality of communication time period similarity groups, a plurality of end point geographic position similarity groups and a plurality of network configuration similarity groups which are formed, selecting the ratio of maximum risk communication records and minimum risk communication records corresponding to the plurality of communication time period similarity groups, the plurality of end point geographic position similarity groups and the plurality of network configuration similarity groups from the ratio, and calculating the ratio differentiation degree, wherein the ratio differentiation degree is calculated by the ratio of the risk communication recordsAnd comparing the allowable duty differentiation degree with the allowable duty differentiation degree preset by the system, wherein the allowable duty differentiation degree is 0.3, and the allowable duty differentiation degree is preset for assisting in screening of the effective communication environment similarity group, so that the effective communication period similarity group, the effective endpoint geographic position similarity group and the effective network configuration similarity group are selected.
The screening process is to compare the ratio differentiation degree corresponding to the communication time period similarity group, the endpoint geographical location similarity group and the network configuration similarity group with the allowable ratio differentiation degree, taking the communication time period similarity group as an example, if the ratio differentiation degree corresponding to the communication time period similarity group is larger than the allowable ratio differentiation degree, the risk communication record ratio difference in each communication time period similarity group is larger, the communication time period similarity group corresponding to the maximum value contains the risk communication record number with absolute advantage, the similarity is more representative, the communication time period similarity group corresponding to the maximum risk communication record ratio is selected from the plurality of communication time period similarity groups to serve as the effective communication time period similarity group, otherwise, the risk communication record ratio distribution in each communication time period similarity group is indicated to be more average, only the communication time period similarity group corresponding to the maximum value is taken as the effective communication time period similarity group, the larger advantage is not highlighted, the risk communication record ratio corresponding to the plurality of communication time period similarity groups is compared with the median ratio, and the median ratio is 0.5, and the communication time period similarity group with the largest median ratio is selected from the communication time period similarity groups as the effective communication time period similarity groups.
And comparing the communication topics corresponding to the risk communication records in the effective communication time period similarity group, the effective endpoint geographic position similarity group and the effective network configuration similarity group respectively, thereby classifying the risk communication records corresponding to the same communication topic.
And summarizing the risk communication record duty ratio corresponding to each communication theme in the effective communication time period similarity group, the effective endpoint geographic position similarity group and the effective network configuration similarity group respectively, and further selecting the communication theme corresponding to the maximum risk communication record duty ratio from the risk communication record duty ratios as the network attack preference theme corresponding to the effective communication time period similarity group, the effective endpoint geographic position similarity group and the effective network configuration similarity group.
Further preferably, the network attack preference environment analysis is performed according to the communication environment characteristics of each risk communication record and comprises the following steps: the communication topics of the risk communication records are compared, the risk communication records with the same communication topic are classified together to form a plurality of communication topic sets, and effective communication topic sets are screened from them. The screening of the effective communication topic sets is the same as the screening of the effective communication time period similarity groups, effective endpoint geographical location similarity groups and effective network configuration similarity groups described above, and more than one effective communication topic set may be selected.
A combined similarity calculation is carried out on the communication environment characteristics of the risk communication records in each effective communication topic set: the communication environment characteristics of each risk communication record are compared with those of every other risk communication record to obtain the communication time period similarity, endpoint geographical location similarity and network configuration similarity between them, the three similarities are summed and divided by 3 to obtain the combined similarity, and the combined similarity is compared with the standard-reaching similarity set by the system, which is 0.8. The risk communication records whose combined similarity is greater than or equal to the standard-reaching similarity are selected to form a communication environment similarity group.
The proportion of risk communication records in each communication environment similarity group within the effective communication topic set is counted, and the communication environment characteristics of the risk communication records in the communication environment similarity group with the maximum proportion are selected as the network attack preference environment.
Still further, the network attack preference behavior is analyzed as follows. The effective communication time period similarity group, the effective endpoint geographical location similarity group and the effective network configuration similarity group are taken as the training samples attributed to the network attack preference theme.
The attack behavior characteristic of each risk communication record in the training sample attributed to the network attack preference theme is extracted and compared, the risk communication records with the same attack behavior characteristic are classified together, the proportion of risk communication records belonging to each attack behavior characteristic in that training sample is summarized, and the attack behavior characteristic with the maximum proportion is selected as the network attack preference behavior of the network attack preference theme.
The risk communication records in the effective communication topic set are taken as the training sample attributed to the network attack preference environment.
The attack behavior characteristic of each risk communication record in the training sample attributed to the network attack preference environment is extracted and compared, and the risk communication records with the same attack behavior characteristic are classified together.
The proportion of risk communication records belonging to each attack behavior characteristic in the training sample attributed to the network attack preference environment is summarized, and the attack behavior characteristic with the maximum proportion is selected as the network attack preference behavior of the network attack preference environment.
It should be noted that more than one effective communication time period similarity group, effective endpoint geographical location similarity group, effective network configuration similarity group and effective communication topic set may be selected. Each effective similarity group corresponds to one network attack preference theme and each effective communication topic set corresponds to one network attack preference environment, so more than one network attack preference theme and more than one network attack preference environment may be obtained. Likewise, the network attack preference behaviors derived from the training samples attributed to the network attack preference themes and to the network attack preference environments may be more than one, and each network attack preference behavior is specific to the network attack preference theme or network attack preference environment from which it was derived. See fig. 2.
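The following Python example is added here and is not part of the patent; it walks the procedure described above (screening of effective groups by the ratio differentiation degree, selection of the network attack preference theme, and selection of the network attack preference behavior for the training samples attributed to a theme or to an environment) over a constructed set of risk communication records. The records, the group memberships, the allowable ratio differentiation degree of 0.25 and the definition of the ratio differentiation degree as the difference between the maximum and minimum ratio are assumptions; the median ratio of 0.5 is the page's own value.

```python
from collections import Counter

ALLOWABLE_DIFFERENTIATION = 0.25  # allowable ratio differentiation degree (assumed value)
MEDIAN_RATIO = 0.5                # median ratio stated on the page

# Constructed risk communication records: communication topic and attack tool
# (the attack behavior characteristic) of each record.
RECORDS = [
    {"id": 1, "topic": "login", "tool": "credential stuffer"},
    {"id": 2, "topic": "login", "tool": "credential stuffer"},
    {"id": 3, "topic": "payment", "tool": "mitm proxy"},
    {"id": 4, "topic": "login", "tool": "phishing kit"},
    {"id": 5, "topic": "file-transfer", "tool": "malware dropper"},
    {"id": 6, "topic": "payment", "tool": "mitm proxy"},
    {"id": 7, "topic": "login", "tool": "credential stuffer"},
    {"id": 8, "topic": "file-transfer", "tool": "malware dropper"},
    {"id": 9, "topic": "file-transfer", "tool": "malware dropper"},
    {"id": 10, "topic": "login", "tool": "phishing kit"},
]
BY_ID = {r["id"]: r for r in RECORDS}

# Similarity groups (constructed membership), keyed by a label and listing
# member record ids.  Groups overlap because each record seeds its own group.
TIME_GROUPS = {"T1": [1, 2, 4, 7, 3, 10], "T2": [5, 8], "T3": [3, 6, 1]}
GEO_GROUPS = {"G1": [1, 2, 3, 4, 5, 7], "G2": [1, 2, 4, 6, 7, 10],
              "G3": [5, 8, 9, 6, 3, 2], "G4": [4, 5, 6, 7]}
# Communication topic sets partition the records by topic.
TOPIC_SETS = {"login": [1, 2, 4, 7, 10], "payment": [3, 6], "file-transfer": [5, 8, 9]}


def record_ratios(groups, total):
    """Risk communication record ratio of each group: members / all records."""
    return {name: len(members) / total for name, members in groups.items()}


def ratio_differentiation(ratios):
    """Maximum ratio minus minimum ratio (the exact formula is an assumption)."""
    return max(ratios.values()) - min(ratios.values())


def screen_effective(groups, total, allowable=ALLOWABLE_DIFFERENTIATION, median=MEDIAN_RATIO):
    """Select the effective groups following the two branches on the page."""
    ratios = record_ratios(groups, total)
    if ratio_differentiation(ratios) > allowable:
        # One group dominates: keep only the group with the maximum ratio.
        return [max(ratios, key=ratios.get)]
    # Even distribution: keep every group whose ratio exceeds the median ratio.
    return [name for name, ratio in ratios.items() if ratio > median]


def dominant_feature(records, key):
    """Feature value with the largest record share; ties broken alphabetically."""
    counts = Counter(r[key] for r in records)
    return min(counts, key=lambda value: (-counts[value], value))


def preference_themes_and_behaviors(groups, total):
    """For each effective similarity group: the preference theme (dominant topic)
    and the preference behavior attributed to it (dominant attack tool)."""
    result = {}
    for name in screen_effective(groups, total):
        members = [BY_ID[i] for i in groups[name]]
        result[name] = {"theme": dominant_feature(members, "topic"),
                        "behavior": dominant_feature(members, "tool")}
    return result


def environment_behaviors(topic_sets, total):
    """Preference behavior attributed to each effective communication topic set
    (the preference environment itself comes from the environment similarity step)."""
    return {name: dominant_feature([BY_ID[i] for i in topic_sets[name]], "tool")
            for name in screen_effective(topic_sets, total)}


if __name__ == "__main__":
    total = len(RECORDS)
    print(preference_themes_and_behaviors(TIME_GROUPS, total))
    print(preference_themes_and_behaviors(GEO_GROUPS, total))
    print(environment_behaviors(TOPIC_SETS, total))
```

With these inputs the time period groups take the first branch (ratios 0.6, 0.2, 0.3) and only T1 is effective, while the geographical groups (0.6, 0.6, 0.6, 0.4) take the second branch and G1, G2 and G3 are all effective. One caveat a practitioner should keep in mind: communication topic sets partition the records, so in the second branch at most one set can exceed a median ratio of 0.5 and often none does; the page specifies no fallback for that case.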
The communication protection module is used for acquiring the communication topic and the communication environment characteristics of the current communication when it is carried out, identifying whether the current communication is a risk communication and, if it is, acquiring the risk related party, which may be the communication topic, the communication environment or both; it then predicts the risk relatedness degree of the current communication, extracts the network attack preference behavior corresponding to the current communication, and carries out communication protection by combining the risk relatedness degree and the network attack preference behavior.
In a preferred implementation of the above scheme, whether the current communication is a risk communication is identified as follows: the current communication topic is matched against the network attack preference themes and the current communication environment characteristics against the network attack preference environments, and the current communication is identified as a risk communication if either match succeeds. The risk related party is the communication topic if only the current communication topic matches, the communication environment if only the current communication environment characteristics match, and both the communication topic and the communication environment if both match.
In a further preferred implementation, the risk relatedness degree of the current communication is predicted as follows: when the current communication is identified as a risk communication, its risk related party is acquired; if the risk related party is the communication topic, the successfully matched network attack preference theme is marked as the target preference theme, and the proportion of occurrences of the target preference theme among the network attack preference themes of all effective communication time period similarity groups, effective endpoint geographical location similarity groups and effective network configuration similarity groups is counted and taken as the risk relatedness degree of the current communication.
If the risk related party is the communication environment, the successfully matched network attack preference environment is marked as the target preference environment, and the proportion of occurrences of the target preference environment among the network attack preference environments of all effective communication topic sets is counted and taken as the risk relatedness degree of the current communication.
If the risk related party is both the communication topic and the communication environment, the proportion of occurrences of the target preference theme among the network attack preference themes of the effective similarity groups and the proportion of occurrences of the target preference environment among the network attack preference environments of the effective communication topic sets are added together as the risk relatedness degree of the current communication.
Optimally, communication protection is implemented as follows: (1) The risk relatedness degree of the current communication is compared with the system limit value (that is, the risk relatedness degree of a communication as defined by the system); if the risk relatedness degree is larger than the system limit value, the communication protocol is replaced, specifically by selecting a secure communication protocol, otherwise steps (2) to (3) are executed.
(2) The attack data types corresponding to the preference behavior are acquired based on the network attack preference behavior corresponding to the current communication.
It is to be understood that different attack tools typically have specific attack targets and methods and therefore attack different types of data. Illustratively, malware typically targets files, operating systems or applications in order to damage data or disrupt the proper functioning of the system.
(3) The current communication content is classified by data type, the classified data types are matched against the attack data types corresponding to the network attack preference behavior, the successfully matched data types are screened out as sensitive data types, and the data content of the sensitive data types in the current communication content is encrypted.
According to the invention, when the current communication data is protected on the basis of the mined network attack preferences, the risk related party of the current communication is obtained from its communication topic and communication environment characteristics, and the risk related party is protected in combination with the network attack preference behavior corresponding to the current communication, so that preference-based protection is achieved without replacing the communication protocol. Compared with protection by directly replacing the communication protocol, this keeps the protection measures consistent with the communication protocol and does not interfere with the normal operation of the communication, so that communication security and response capability are effectively improved while communication efficiency and cost are maintained.
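As an added illustration, not code from the patent, the following Python implements the communication protection module as described above: risk identification by matching the current communication topic and environment against the mined preferences, the risk relatedness degree as an occurrence proportion (summed when both parties match), the system limit check, and the selection of sensitive data types from the attack data types of the preference behavior. The mined preference themes, environments and behaviors, the attack data type mapping, the system limit value of 0.6, the discretised environment tuple used for matching, and taking the union of the attack data types when both parties match are all assumptions; the encryption primitive is supplied by the caller.

```python
from collections import Counter

SYSTEM_LIMIT = 0.6  # system limit value for the risk relatedness degree (assumed)

# Mined network attack preferences (constructed for this example).  One
# preference theme per effective similarity group and one preference
# environment per effective communication topic set.
PREFERENCE_THEMES = {"T1": "login", "G1": "login", "G2": "login", "G3": "file-transfer"}
ENV_A = ("09:00-10:00", "Shanghai", "corp/WPA2")  # discretised environment tuple (assumed form)
ENV_B = ("14:00-15:00", "Shanghai", "corp/WPA2")
PREFERENCE_ENVIRONMENTS = {"login": ENV_A, "payment": ENV_A, "file-transfer": ENV_B}
# Network attack preference behavior (attack tool) attributed to each theme / environment.
THEME_BEHAVIOR = {"login": "credential stuffer", "file-transfer": "malware dropper"}
ENV_BEHAVIOR = {ENV_A: "credential stuffer", ENV_B: "malware dropper"}
# Attack data types each tool goes after (assumed mapping).
ATTACK_DATA_TYPES = {
    "credential stuffer": {"credentials", "session-token"},
    "malware dropper": {"executable", "document"},
}


def risk_parties(theme, env):
    """Risk related parties of the current communication: 'theme', 'environment', both or none."""
    parties = []
    if theme in PREFERENCE_THEMES.values():
        parties.append("theme")
    if env in PREFERENCE_ENVIRONMENTS.values():
        parties.append("environment")
    return parties


def risk_relatedness(theme, env):
    """Occurrence proportion of the target preference theme among all preference
    themes, of the target preference environment among all preference
    environments, or the sum of both when both parties match."""
    degree = 0.0
    parties = risk_parties(theme, env)
    if "theme" in parties:
        degree += Counter(PREFERENCE_THEMES.values())[theme] / len(PREFERENCE_THEMES)
    if "environment" in parties:
        degree += Counter(PREFERENCE_ENVIRONMENTS.values())[env] / len(PREFERENCE_ENVIRONMENTS)
    return degree


def preference_behaviors(theme, env):
    """Attack tools attributed to the matched theme and/or environment."""
    tools = set()
    parties = risk_parties(theme, env)
    if "theme" in parties:
        tools.add(THEME_BEHAVIOR[theme])
    if "environment" in parties:
        tools.add(ENV_BEHAVIOR[env])
    return tools


def protection_plan(theme, env, content, limit=SYSTEM_LIMIT):
    """Decide the protection for one communication.

    content maps field name -> (data_type, value).  Above the system limit the
    protocol is replaced; otherwise only the fields whose data type is among
    the attack data types of the preference behavior are marked for encryption.
    """
    parties = risk_parties(theme, env)
    if not parties:
        return {"action": "none", "parties": parties, "degree": 0.0}
    degree = risk_relatedness(theme, env)
    if degree > limit:
        return {"action": "replace_protocol", "parties": parties, "degree": degree}
    attack_types = set().union(*(ATTACK_DATA_TYPES[t] for t in preference_behaviors(theme, env)))
    sensitive = sorted(f for f, (dtype, _) in content.items() if dtype in attack_types)
    return {"action": "encrypt_fields", "parties": parties, "degree": degree, "fields": sensitive}


def apply_plan(plan, content, encrypt):
    """Encrypt the sensitive fields with the caller-supplied primitive; the rest pass unchanged."""
    if plan["action"] != "encrypt_fields":
        return dict(content)
    return {f: (dtype, encrypt(v) if f in plan["fields"] else v) for f, (dtype, v) in content.items()}


# Constructed current communication content.
CONTENT = {
    "user": ("credentials", "alice"),
    "pw": ("credentials", "hunter2"),
    "report": ("document", "quarterly.docx bytes"),
    "memo": ("text", "see attached"),
}

if __name__ == "__main__":
    print(protection_plan("login", ENV_A, CONTENT))        # both parties: above the limit
    print(protection_plan("file-transfer", ("22:00-23:00", "Beijing", "cafe/open"), CONTENT))
    print(protection_plan("chat", ENV_B, CONTENT))         # environment only
```

Pass an authenticated encryption primitive (for example AES-GCM from a vetted library) as `encrypt`; the plan only decides which fields are protected. Note that the page's scheme leaves any field whose data type is not in the behavior's attack data type mapping unprotected, so that mapping has to be maintained as new attack tools are observed, and that a low risk relatedness degree does not mean a low-impact attack: it only means the matched preference is rare among the mined ones.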
The foregoing is merely illustrative and explanatory of the principles of this invention, as various modifications and additions may be made to the specific embodiments described, or similar arrangements may be substituted by those skilled in the art, without departing from the principles of this invention or beyond the scope of this invention as defined in the claims.
Claims (7)
1. A wireless network-based data communication security analysis system, characterized by comprising the following modules:
the risk communication record screening and classifying module is used for screening out the communication records subjected to risk interception from the historical communication records, recording them as risk communication records, and extracting the communication topic, communication environment characteristics and attack behavior characteristics of each record, wherein the communication environment characteristics specifically comprise the communication time period, the endpoint geographical location and the network configuration, and the attack behavior characteristic is the attack tool, and for classifying the risk communication records according to the communication environment characteristics;
the network attack preference analysis module is used for taking the classified risk communication records as training samples, analyzing the network attack preference theme according to the communication topics of the training samples, analyzing the network attack preference environment according to the communication environment characteristics of each risk communication record, calling the training samples attributed to each preference according to the network attack preference theme and the network attack preference environment, and analyzing the network attack preference behavior according to the attack behavior characteristics;
the communication protection module is used for acquiring the communication topic and communication environment characteristics of the current communication when it is carried out, identifying whether the current communication is a risk communication, acquiring the risk related party if it is, predicting the risk relatedness degree of the current communication, extracting the network attack preference behavior corresponding to the current communication, and carrying out communication protection by combining the risk relatedness degree and the network attack preference behavior;
the network attack preference theme analysis according to the communication topics of the training samples is implemented as follows:
selecting the effective communication time period similarity groups, effective endpoint geographical location similarity groups and effective network configuration similarity groups from the formed communication time period similarity groups, endpoint geographical location similarity groups and network configuration similarity groups;
comparing the communication topics of the risk communication records in the effective communication time period similarity group, the effective endpoint geographical location similarity group and the effective network configuration similarity group respectively, and classifying together the risk communication records with the same communication topic;
summarizing the proportion of risk communication records belonging to each communication topic in the effective communication time period similarity group, the effective endpoint geographical location similarity group and the effective network configuration similarity group respectively, and selecting the communication topic with the maximum proportion as the network attack preference theme of the effective communication time period similarity group, the effective endpoint geographical location similarity group or the effective network configuration similarity group;
the network attack preference environment analysis according to the communication environment characteristics of each risk communication record comprises the following steps:
comparing the communication topics of the risk communication records, classifying together the risk communication records with the same communication topic to form a plurality of communication topic sets, and screening the effective communication topic sets from them;
carrying out a combined similarity calculation on the communication environment characteristics of the risk communication records in the effective communication topic set to obtain combined similarities, comparing each combined similarity with the standard-reaching similarity set by the system, and selecting the risk communication records whose combined similarity is greater than or equal to the standard-reaching similarity to form a communication environment similarity group;
counting the proportion of risk communication records in each communication environment similarity group within the effective communication topic set, and selecting the communication environment characteristics of the risk communication records in the communication environment similarity group with the maximum proportion as the network attack preference environment;
the network attack preference behavior is analyzed as follows:
taking the effective communication time period similarity group, the effective endpoint geographical location similarity group and the effective network configuration similarity group as the training sample attributed to the network attack preference theme;
extracting and comparing the attack behavior characteristic of each risk communication record in the training sample attributed to the network attack preference theme, and classifying together the risk communication records with the same attack behavior characteristic;
summarizing the proportion of risk communication records belonging to each attack behavior characteristic in the training sample attributed to the network attack preference theme, and selecting the attack behavior characteristic with the maximum proportion as the network attack preference behavior of the network attack preference theme;
taking the risk communication records in the effective communication topic set as the training sample attributed to the network attack preference environment;
extracting and comparing the attack behavior characteristic of each risk communication record in the training sample attributed to the network attack preference environment, and classifying together the risk communication records with the same attack behavior characteristic;
summarizing the proportion of risk communication records belonging to each attack behavior characteristic in the training sample attributed to the network attack preference environment, and selecting the attack behavior characteristic with the maximum proportion as the network attack preference behavior of the network attack preference environment.
2. The wireless network-based data communication security analysis system as claimed in claim 1, wherein the risk communication records are classified according to the communication environment characteristics as follows:
extracting the initial communication time from each risk communication record, and arranging the risk communication records in order of initial communication time from earliest to latest;
taking each risk communication record in turn, in that order, as the main risk communication record, and comparing the communication environment characteristics of the main risk communication record with those of each other risk communication record to obtain the communication time period similarity, endpoint geographical location similarity and network configuration similarity between the main risk communication record and each other risk communication record;
comparing the communication time period similarity, endpoint geographical location similarity and network configuration similarity between the main risk communication record and each other risk communication record with the system preset threshold respectively, and grouping the other risk communication records whose communication time period similarity, endpoint geographical location similarity or network configuration similarity is greater than or equal to the system preset threshold together with the main risk communication record, so as to form a plurality of communication time period similarity groups, a plurality of endpoint geographical location similarity groups and a plurality of network configuration similarity groups.
3. The wireless network-based data communication security analysis system as claimed in claim 2, wherein the communication environment characteristics of the main risk communication record are compared with those of each other risk communication record as follows:
performing an intersection operation on the communication time period of the main risk communication record and the communication time period of the other risk communication record, and calculating the communication time period similarity between them from the intersection;
marking the corresponding positions on a map based on the endpoint geographical locations of the main risk communication record and the other risk communication record to obtain the endpoint distance between them, and calculating the endpoint geographical location similarity between them as two-fifths raised to the power of the ratio of the endpoint distance to the reference distance;
matching the network configuration of the main risk communication record with the network configuration of the other risk communication record, counting the proportion of network configuration items that fail to match, and calculating the network configuration similarity between them as three-fifths raised to the power of the proportion of network configuration items that fail to match.
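As an added example (not the patent's own code), the following Python implements the three similarity measures of claim 3, the similarity grouping of claim 2, and the combined-similarity environment grouping of the description (combined similarity as the mean of the three similarities, standard-reaching similarity 0.8, communication environment similarity groups and the network attack preference environment) over five constructed risk communication records. The page only says the time period similarity is computed from the intersection of the two periods; normalising that intersection by the union of the two periods is an assumption, as are the system preset threshold of 0.8, the reference distance of 50 km, the haversine formula for the endpoint distance, and representing a group by the environment of its main record.

```python
import math
from datetime import datetime

SIM_THRESHOLD = 0.8        # system preset threshold per similarity (assumed value)
COMBINED_THRESHOLD = 0.8   # standard-reaching combined similarity stated on the page
REFERENCE_KM = 50.0        # reference distance for the geographical similarity (assumed)


def at(hour, minute=0):
    return datetime(2024, 7, 8, hour, minute)


# Constructed risk communication records with their communication environment:
# communication period, endpoint (lat, lon) and wireless network configuration.
RECORDS = [
    {"id": 1, "period": (at(9), at(10)), "geo": (31.2304, 121.4737),
     "config": {"ssid": "corp", "enc": "WPA2", "band": "5GHz", "chan": 36}},
    {"id": 2, "period": (at(9, 30), at(10, 30)), "geo": (31.2350, 121.4800),
     "config": {"ssid": "corp", "enc": "WPA2", "band": "5GHz", "chan": 40}},
    {"id": 3, "period": (at(9, 5), at(10, 5)), "geo": (39.9042, 116.4074),
     "config": {"ssid": "cafe", "enc": "open", "band": "2.4GHz", "chan": 6}},
    {"id": 4, "period": (at(14), at(15)), "geo": (31.2310, 121.4740),
     "config": {"ssid": "corp", "enc": "WPA2", "band": "5GHz", "chan": 36}},
    {"id": 5, "period": (at(9, 10), at(9, 50)), "geo": (31.2400, 121.4900),
     "config": {"ssid": "corp", "enc": "WPA3", "band": "5GHz", "chan": 36}},
]


def time_period_similarity(a, b):
    """Intersection of the two periods, normalised by their union (normalisation assumed)."""
    overlap = (min(a[1], b[1]) - max(a[0], b[0])).total_seconds()
    if overlap <= 0:
        return 0.0
    union = (max(a[1], b[1]) - min(a[0], b[0])).total_seconds()
    return overlap / union


def haversine_km(p, q):
    """Great-circle endpoint distance from the two map positions."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def geo_similarity(p, q, reference_km=REFERENCE_KM):
    """Claim 3: two-fifths raised to endpoint distance / reference distance."""
    return 0.4 ** (haversine_km(p, q) / reference_km)


def config_similarity(c1, c2):
    """Claim 3: three-fifths raised to the proportion of configuration items that fail to match."""
    items = set(c1) | set(c2)
    failed = sum(1 for k in items if c1.get(k) != c2.get(k)) / len(items)
    return 0.6 ** failed


def pair_similarity(a, b):
    return (time_period_similarity(a["period"], b["period"]),
            geo_similarity(a["geo"], b["geo"]),
            config_similarity(a["config"], b["config"]))


def similarity_groups(records, threshold=SIM_THRESHOLD):
    """Claim 2: records ordered by start time; each in turn is the main record and
    gathers the others whose similarity reaches the threshold, per dimension."""
    ordered = sorted(records, key=lambda r: r["period"][0])
    groups = {"time": {}, "geo": {}, "config": {}}
    for main in ordered:
        for fam in groups:
            groups[fam][main["id"]] = [main["id"]]
        for other in ordered:
            if other is main:
                continue
            for fam, sim in zip(("time", "geo", "config"), pair_similarity(main, other)):
                if sim >= threshold:
                    groups[fam][main["id"]].append(other["id"])
    return groups


def environment_similarity_groups(records, threshold=COMBINED_THRESHOLD):
    """Combined similarity = (time + geo + config) / 3; records reaching the
    standard-reaching similarity join the main record's environment group."""
    groups = {}
    for main in records:
        groups[main["id"]] = [main["id"]] + [
            other["id"] for other in records
            if other is not main and sum(pair_similarity(main, other)) / 3 >= threshold]
    return groups


def preference_environment(records):
    """Environment of the main record of the group with the largest record share
    (records are those of one effective communication topic set)."""
    groups = environment_similarity_groups(records)
    best = max(groups, key=lambda k: (len(groups[k]) / len(records), -k))
    main = next(r for r in records if r["id"] == best)
    return best, {"period": main["period"], "geo": main["geo"], "config": main["config"]}


if __name__ == "__main__":
    print(similarity_groups(RECORDS))
    print(environment_similarity_groups(RECORDS))
    print(preference_environment(RECORDS))
```

With a threshold of 0.8 the exponential forms of claim 3 translate into concrete tolerances: the geographical similarity reaches 0.8 only within about 12 km of the main record (for a 50 km reference distance) and the configuration similarity only while fewer than about 44% of the configuration items differ, which is worth checking against the deployment before adopting the page's 0.8 for all three dimensions.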
4. The wireless network-based data communication security analysis system as claimed in claim 1, wherein the effective communication time period similarity groups, effective endpoint geographical location similarity groups and effective network configuration similarity groups are selected as follows:
counting the risk communication record ratio of each of the formed communication time period similarity groups, endpoint geographical location similarity groups and network configuration similarity groups, selecting the maximum and minimum risk communication record ratios among the communication time period similarity groups, among the endpoint geographical location similarity groups and among the network configuration similarity groups, calculating the ratio differentiation degree from them, comparing it with the allowable ratio differentiation degree preset by the system, and selecting the effective communication time period similarity groups, effective endpoint geographical location similarity groups and effective network configuration similarity groups accordingly.
5. The wireless network-based data communication security analysis system as claimed in claim 1, wherein whether the current communication is a risk communication is identified as follows:
matching the current communication topic against the network attack preference themes and the current communication environment characteristics against the network attack preference environments, and identifying the current communication as a risk communication if the current communication topic is successfully matched or the current communication environment characteristics are successfully matched.
6. The wireless network-based data communication security analysis system as claimed in claim 1, wherein the risk related party is the communication topic, the communication environment, or both.
7. The wireless network-based data communication security analysis system as claimed in claim 1, wherein communication protection is implemented as follows:
(1) comparing the risk relatedness degree of the current communication with the system limit value, and replacing the communication protocol if the risk relatedness degree of the current communication is larger than the system limit value, otherwise executing steps (2) to (3);
(2) acquiring the attack data types corresponding to the preference behavior based on the network attack preference behavior corresponding to the current communication;
(3) classifying the current communication content by data type, matching the classified data types against the attack data types corresponding to the network attack preference behavior, screening out the successfully matched data types as sensitive data types, and encrypting the data content of the sensitive data types in the current communication content.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410905290.8A CN118449789B (en) | 2024-07-08 | 2024-07-08 | Data communication safety analysis system based on wireless network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118449789A CN118449789A (en) | 2024-08-06 |
| CN118449789B true CN118449789B (en) | 2024-10-15 |
Family
ID=92314477
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410905290.8A Active CN118449789B (en) | 2024-07-08 | 2024-07-08 | Data communication safety analysis system based on wireless network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118449789B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114785579A (en) * | 2022-04-14 | 2022-07-22 | 七台河达不琉网络科技有限公司 | Network attack analysis method and server applied to cloud side computing |
| CN117040871A (en) * | 2023-08-18 | 2023-11-10 | 广州唐邦信息科技有限公司 | Network security operation service method |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2019028341A1 (en) * | 2017-08-03 | 2019-02-07 | T-Mobile Usa, Inc. | Similarity search for discovering multiple vector attacks |
| KR102296215B1 (en) * | 2019-11-26 | 2021-08-31 | 아주대학교 산학협력단 | Method For Recommending Security Requirements With Ontology Knowledge Base For Advanced Persistent Threat, Apparatus And System Thereof |
| CN116743479B (en) * | 2023-07-07 | 2024-04-19 | 兴容(上海)信息技术股份有限公司 | Network security detection system and method based on big data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |