
CN119814457A - A network security detection method based on big data - Google Patents

A network security detection method based on big data

Info

Publication number: CN119814457A
Authority: CN (China)
Prior art keywords: network, security, detection, traffic, index
Legal status: Granted
Application number: CN202510024259.8A
Other languages: Chinese (zh)
Other versions: CN119814457B (en)
Inventors: 孙元波, 孙炜皓, 徐菀鸿, 曾琴
Current assignee: Wuxi Kehong Unlimited Information Technology Co ltd
Original assignee: Wuxi Kehong Unlimited Information Technology Co ltd
Application filed by Wuxi Kehong Unlimited Information Technology Co ltd
Priority to CN202510024259.8A
Publication of CN119814457A
Application granted
Publication of CN119814457B
Legal status: Active

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network security detection method based on big data, which relates to the technical field of network security detection. The method comprises the steps of using a big data acquisition module to acquire network traffic data, security event data and system security state data for the current detection period; using a network traffic abnormality degree measuring unit to calculate and output an abnormal traffic detection index YL; calculating and outputting a threat assessment value WW; introducing the abnormal traffic detection index YL and the threat assessment value WW into a comprehensive network overall security condition evaluating unit, calculating and outputting a security situation index AQ, and carrying out detection analysis; and having a security response and disposal module respond to and dispose of the security situation index AQ.

Description

Network security detection method based on big data
Technical Field
The invention relates to the technical field of network security detection, in particular to a network security detection method based on big data.
Background
With the rapid development and wide application of information technology, networks have penetrated every layer of social life, including government, enterprise, education, medical and financial industries. With the popularization of networks, however, network security problems such as hacking, virus transmission and data leakage have become increasingly prominent and pose serious threats to individuals, enterprises and even national security; these threats may not only lead to property loss but also affect social stability and national security, so it is important to develop an effective network security detection method.
At present, the prior art often relies on a single detection means, finds it difficult to capture subtle changes and potential threats in network traffic, lacks the capability to evaluate network security comprehensively, and cannot integrate multiple security factors into a unified analysis. In addition, much of the prior art uses static thresholds to judge whether the network is safe, which is often inflexible and inaccurate in practical application; the prior art also often lacks a cyclic feedback mechanism and cannot continuously optimize and improve according to detection results; and it has limitations in processing and analyzing big data, and cannot fully use the advantages of big data to improve the accuracy and efficiency of detection.
Disclosure of Invention
The invention aims to provide a network security detection method based on big data, which solves the problems in the background technology.
In order to achieve the above purpose, the invention provides the following technical scheme: the system comprises a big data acquisition module, a big data calculation and evaluation module and a response and disposal module, wherein the big data calculation and evaluation module comprises a network traffic abnormality degree measuring unit, a current network threat degree evaluating unit and a comprehensive network overall security condition evaluating unit;
the specific detection implementation steps are as follows:
Step I, acquiring network traffic data, security event data and system security state data for the current detection period by using the big data acquisition module;
Step II, first calculating and outputting an abnormal traffic detection index YL by using the network traffic abnormality degree measuring unit;
Step III, introducing the abnormal traffic detection index YL into the current network threat degree evaluating unit, and calculating and outputting a threat assessment value WW;
Step IV, introducing the abnormal traffic detection index YL and the threat assessment value WW into the comprehensive network overall security condition evaluating unit, calculating and outputting a security situation index AQ, and carrying out detection analysis;
Step V, the response and disposal module makes a security response and disposal for the security situation index AQ.
Optionally, the equipment used by the big data acquisition module comprises a network traffic analyzer, a SIEM system and security monitoring equipment;
the equipment used by the big data calculation and evaluation module comprises a server;
the equipment used by the response and disposal module comprises a security patch management system and an anti-malware tool.
Optionally, the calculation formula of the network traffic abnormality degree measuring unit is as follows:
;
Wherein:
YL is the abnormal traffic detection index;
L in is the inbound traffic, the amount of data that enters the network per unit time;
L out is the outbound traffic, the amount of data that leaves the network per unit time;
L avg is the average traffic, the average data traffic of the network in the current detection period;
L peak is the peak traffic, the maximum data traffic generated by the network in the current detection period.
Optionally, the calculation formula of the average traffic L avg is as follows:
L avg = (L 1 + L 2 + L 3 + ... + L n) / n;
n is the number of time periods in the current detection period;
L 1 is the data traffic detected in the first time period, L 2 in the second time period, L 3 in the third time period, and L n in the nth time period;
and the average traffic L avg of the current detection period is updated and recalculated in real time within any detection period.
Optionally, the calculation formula of the current network threat degree evaluating unit is as follows:
;
Wherein:
WW is the threat assessment value;
EX is the malicious behavior count, which reflects the number of detected malicious behaviors, wherein the malicious behaviors comprise virus propagation, phishing attacks, DDoS attacks, SQL injection and cross-site scripting (XSS) attacks;
ZX is the total behavior count, which reflects the number of all behaviors detected;
WX is the number of new threats, which reflects the number of threat types newly appearing in the current detection period, wherein the threat types comprise viruses, trojans, worms, ransomware and spyware;
LWX is the number of historical threats, which reflects the number of threat types that existed in past detection periods.
Optionally, the virus is transmitted over the network and infects files and programs in the system;
the phishing attack tricks users into revealing sensitive information through forged websites and e-mails;
the DDoS attack is a distributed denial-of-service attack that paralyzes the target system with a large number of requests;
the SQL injection sends malicious SQL statements to the database by exploiting website vulnerabilities in order to obtain and tamper with data;
the cross-site scripting (XSS) attack injects malicious scripts into the target website to steal user information and perform other malicious operations.
Optionally, the calculation formula of the comprehensive network overall security condition evaluating unit is as follows:
;
BDL = BD / ZBD;
EZL = CZL / EX;
WW avg = (WW 1 + WW 2 + WW 3 + ... + WW m) / m;
Wherein:
AQ is the security situation index;
BDL is the patch application rate;
BD is the number of systems with patches applied, ZBD is the total number of systems;
FE is the anti-malware quantity;
EZL is the malicious behavior efficiency;
CZL is the number of successfully executed malicious acts;
WW avg is the threat assessment average;
m is the total number of historical detection periods;
WW 1 is the first detection period threat assessment value, WW 2 the second, WW 3 the third, and WW m the mth; when entering the next period of detection, the current threat assessment value WW becomes the mth detection period threat assessment value WW m;
L in,max is the maximum inbound traffic, the maximum inbound data traffic of the network in the current detection period.
Optionally, the detection analysis based on the security situation index AQ is as follows:
If the security situation index AQ is higher than the security situation average index AQ avg, this reflects that the current network is at high security risk and that a large amount of malicious behavior and abnormal traffic exists, so network security measures are enhanced;
If the security situation index AQ is lower than the security situation average index AQ avg, the current network state is relatively stable, little malicious behavior and abnormal traffic exists, and the current network security measures are maintained.
Optionally, the calculation formula of the security situation average index AQ avg is as follows:
AQ avg = (AQ 1 + AQ 2 + AQ 3 + ... + AQ m) / m;
AQ 1 is the first detection period security situation index, AQ 2 the second, AQ 3 the third, and AQ m the mth; when entering the next period of detection, the current security situation index AQ becomes the mth detection period security situation index AQ m.
Compared with the prior art, the invention has the following beneficial effects:
1. By means of the network traffic abnormality degree measuring unit, the current network threat degree evaluating unit and the comprehensive network overall security condition evaluating unit, the invention can evaluate the security condition of the network comprehensively and dynamically: the abnormal traffic detection index YL captures abnormal changes of the network traffic, the threat assessment value WW evaluates the threat degree of the current network, and the security situation index AQ combines several factors to give the overall security situation of the network. Dynamic threshold setting is adopted, including the average traffic L avg and the threat assessment value WW, and the thresholds are adjusted automatically according to the actual condition of the network traffic and the threat assessment result, which improves the detection accuracy and flexibility.
2. According to the invention, the security situation index AQ is used as the reference for judging the cyclic influence of detection, so a cyclic feedback mechanism can be realized, and the calculation parameters and algorithms of the abnormal traffic detection index YL and the threat assessment value WW are continuously optimized according to the detection result, which improves the detection accuracy and efficiency.
3. The invention makes full use of the advantages of big data technology: it improves the accuracy and efficiency of detection by collecting and analyzing multidimensional data, improves the intelligence of detection by continuously learning and optimizing the algorithm model, and combines the latest research results in big data technology and network security detection. It is innovative and practical, and can significantly improve network security and reduce security risk.
Drawings
FIG. 1 is a flow chart of the present big-data-based network security detection method;
FIG. 2 is a schematic diagram of the big data calculation and evaluation module according to the present invention;
FIG. 3 is a schematic diagram of malicious behavior according to the present invention;
FIG. 4 is a schematic diagram of the threat type architecture of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The network security detection method based on big data differs from existing network security detection methods: existing methods often depend on a single detection means and tool and find it difficult to evaluate the security condition of the network comprehensively and accurately, whereas the algorithm units here evaluate network security comprehensively and dynamically by collecting and analyzing multidimensional data on network traffic, security events and system states and applying advanced algorithms and models.
Referring to fig. 1 to fig. 4, the present embodiment provides a network security detection method based on big data, which includes a big data acquisition module, a big data calculation and evaluation module and a response and disposal module, wherein the big data calculation and evaluation module includes a network traffic abnormality degree measuring unit, a current network threat degree evaluating unit and a comprehensive network overall security condition evaluating unit;
the specific detection implementation steps are as follows:
Step I, acquiring network traffic data, security event data and system security state data for the current detection period by using the big data acquisition module;
Step II, calculating and outputting the abnormal traffic detection index YL by using the network traffic abnormality degree measuring unit;
Step III, introducing the abnormal traffic detection index YL into the current network threat degree evaluating unit, and calculating and outputting the threat assessment value WW;
Step IV, introducing the abnormal traffic detection index YL and the threat assessment value WW into the comprehensive network overall security condition evaluating unit, calculating and outputting the security situation index AQ, and carrying out detection analysis;
Step V, the response and disposal module makes a security response and disposal for the security situation index AQ;
the equipment used by the big data acquisition module comprises a network traffic analyzer, a SIEM system and security monitoring equipment;
the equipment used by the big data calculation and evaluation module comprises a server;
the equipment used by the response and disposal module comprises a security patch management system and an anti-malware tool.
In this embodiment, the three algorithm units cooperate with one another and the system combines their three results YL, WW and AQ, which together form the core of the big-data-based network security detection method and provide strong support and guarantee for network security. Specifically, YL is the abnormal traffic detection index; it reflects the fluctuation and abnormal change of network traffic, and when the traffic is abnormal the value of YL deviates markedly from its normal range, prompting timely investigation and response. WW is the threat assessment value; it evaluates the current security condition of the network more comprehensively, including whether potential threats exist and their type and number, which is significant for formulating a targeted network security defense strategy. AQ is the security situation index; it reflects the security situation of the network as a whole, including the security of the system and the effectiveness and severity of potential threats, and is used to formulate and optimize the network security protection strategy and improve the protection capability, so that the accuracy of detection and the overall security of the network are improved.
Referring to fig. 1 to 4, the calculation formula of the network traffic abnormality degree measuring unit is as follows:
;
Wherein:
YL is the abnormal traffic detection index;
L in is the inbound traffic, the amount of data that enters the network per unit time;
L out is the outbound traffic, the amount of data that leaves the network per unit time;
L avg is the average traffic, the average data traffic of the network in the current detection period;
L peak is the peak traffic, the maximum data traffic generated by the network in the current detection period;
the calculation formula of the average traffic L avg is as follows:
L avg = (L 1 + L 2 + L 3 + ... + L n) / n;
n is the number of time periods in the current detection period;
L 1 is the data traffic detected in the first time period, L 2 in the second time period, L 3 in the third time period, and L n in the nth time period;
and the average traffic L avg of the current detection period is updated and recalculated in real time within any detection period.
In this embodiment, the first calculation part of this algorithm unit aims at reflecting the balance and fluctuation of the network traffic: the asymmetry and degree of variation of the traffic are captured from the sum of the inbound traffic L in and the outbound traffic L out and the difference between them. This part is the core of the calculation formula of the network traffic abnormality degree measuring unit; when the traffic shows obvious imbalance and fluctuation its value increases, the abnormal traffic detection index YL increases, and the existence of abnormal traffic is indicated. Specifically, the inbound traffic L in and the outbound traffic L out in this algorithm unit are the basis of the calculation of the abnormal traffic detection index YL and directly reflect the in-out condition of the network traffic; whether the traffic is abnormal can be preliminarily judged by calculating the difference between the inbound traffic L in and the outbound traffic L out, and when the inbound traffic L in increases suddenly and greatly while the outbound traffic L out stays unchanged or decreases slightly, it indicates that the network is under external attack and that a risk of data leakage exists;
The average traffic L avg is an important parameter in the calculation of the abnormal traffic detection index YL; it represents the normal level of the network traffic, and comparing the current traffic with the average traffic L avg makes it possible to judge more accurately whether the current traffic deviates from the normal range, so that traffic anomalies are discovered in time;
The second calculation part measures the difference between the peak value and the average value of the network traffic, that is, the fluctuation range of the traffic. By introducing this part, the abnormal traffic detection index YL can evaluate the degree of abnormality of the network traffic more comprehensively: when the difference between the peak traffic and the average traffic is large, the network is experiencing a traffic peak and abnormal fluctuation, which also increases the value of the abnormal traffic detection index YL. The peak traffic L peak reflects the highest level of the network traffic, which is significant for evaluating the fluctuation and stability of the traffic, and in the calculation of the abnormal traffic detection index YL the degree and nature of the traffic abnormality can be further judged by taking the difference between the peak traffic L peak and the average traffic L avg into consideration;
By comprehensively considering several traffic parameters, the abnormal traffic detection index YL calculated by this algorithm unit can capture slight changes of the network traffic more accurately, which improves the detection sensitivity. The abnormal traffic detection index YL considers not only the absolute value of the traffic but also its fluctuation and stability, so the overall condition of the network traffic can be evaluated more comprehensively. In addition, the calculation formula of the abnormal traffic detection index YL is relatively simple and involves no complex mathematical operation, so it is easy to understand and operate in practical application.
Referring to fig. 1 to 4, the calculation formula of the current network threat degree evaluating unit is as follows:
;
Wherein:
WW is the threat assessment value;
EX is the malicious behavior count, which reflects the number of detected malicious behaviors, wherein the malicious behaviors comprise virus propagation, phishing attacks, DDoS attacks, SQL injection and cross-site scripting (XSS) attacks;
ZX is the total behavior count, which reflects the number of all behaviors detected;
WX is the number of new threats, which reflects the number of threat types newly appearing in the current detection period, wherein the threat types comprise viruses, trojans, worms, ransomware and spyware;
LWX is the number of historical threats, which reflects the number of threat types that existed in past detection periods.
In this embodiment, the first calculation part combines the value of the abnormal traffic detection index YL, the ratio between the total behavior count ZX and the malicious behavior count EX, and the ratio of the inbound traffic L in to the average traffic L avg, and is used to comprehensively evaluate the threat degree faced by the current network. By introducing these calculation parts, the threat assessment value WW can reflect the threat condition in the network more accurately: the value of the abnormal traffic detection index YL reflects the degree of traffic abnormality, the ratio between the total behavior count ZX and the malicious behavior count EX reflects the proportion of malicious behavior among all behaviors, and the ratio of the inbound traffic L in to the average traffic L avg reflects the relative size of the traffic; these factors jointly determine the value of the threat assessment value WW and help to know the current threat level;
The second calculation part measures the difference between the new threats and the historical threats, that is, the degree of change in threat types. By introducing this part, the threat assessment value WW can capture changes in threat types more sensitively: when the number of new threats increases or decreases significantly, the value of this part increases, so the threat assessment value WW increases and the appearance of new threat types is indicated;
By comprehensively considering several threat parameters, this algorithm unit can evaluate the threat degree faced by the network more accurately and provides strong support for network security decisions; the threat assessment value WW dynamically adjusts the evaluation standard and continuously updates the evaluation result according to the appearance of new threats and the evolution trend of historical threats, so that the evaluation matches the actual situation;
In addition, the evaluation result of the threat assessment value WW can directly guide the formulation and implementation of the network security defense strategy, making the defense measures more targeted and effective.
Referring to fig. 1 to 4, the calculation formula of the comprehensive network overall security condition evaluating unit is as follows:
;
BDL = BD / ZBD;
EZL = CZL / EX;
WW avg = (WW 1 + WW 2 + WW 3 + ... + WW m) / m;
Wherein:
AQ is the security situation index;
BDL is the patch application rate;
BD is the number of systems with patches applied, ZBD is the total number of systems;
FE is the anti-malware quantity;
EZL is the malicious behavior efficiency;
CZL is the number of successfully executed malicious acts;
WW avg is the threat assessment average;
m is the total number of historical detection periods;
WW 1 is the first detection period threat assessment value, WW 2 the second, WW 3 the third, and WW m the mth; when entering the next period of detection, the current threat assessment value WW becomes the mth detection period threat assessment value WW m;
L in,max is the maximum inbound traffic, the maximum inbound data traffic of the network in the current detection period.
In this embodiment, the first calculation part of the algorithm unit combines the value of the threat assessment value WW, the patch application rate BDL and the ratio of the malicious behavior efficiency EZL to the anti-malware quantity FE to comprehensively evaluate the overall security condition of the network. By introducing these calculation parts, the security situation index AQ can reflect the security situation of the network more comprehensively: the threat assessment value WW reflects the current threat level, the patch application rate BDL gives a direct index of system security, and the ratio of the malicious behavior efficiency EZL to the anti-malware quantity FE reflects the anti-malware performance; these factors jointly determine the value of the security situation index AQ and help to know the overall security condition of the network;
The second calculation part measures the degree of change of the threat assessment value WW and the ratio of the inbound traffic L in to the maximum inbound traffic L in,max, so as to reflect the dynamic change of network security. By introducing this part, the security situation index AQ can capture the dynamic change of network security more sensitively: when the threat assessment value increases or decreases significantly, the value of this part increases, so the security situation index AQ increases and indicates that the security situation of the network is changing; at the same time, the ratio of the inbound traffic L in to the maximum inbound traffic L in,max also provides relative information about the traffic size, which helps to further evaluate the security of the network;
Specifically, the patch application rate BDL in the algorithm unit reflects the timeliness and effectiveness of system patches: a high patch application rate BDL means that the system can repair known vulnerabilities in time and the risk of attack is reduced. The anti-malware quantity FE measures the capability of the anti-malware tools to detect and remove malicious software, and tools with a high anti-malware quantity FE protect network security more effectively. The malicious behavior efficiency EZL reflects the propagation speed and scope of influence of malicious behavior in the network, and by monitoring changes in the malicious behavior efficiency EZL the spread of malicious behavior can be discovered and contained in time;
By comprehensively considering several security parameters, the security situation index AQ output by the algorithm unit can evaluate the overall security condition of the network comprehensively and provides information support for network security decisions. By introducing the threat assessment average WW avg and the maximum inbound traffic L in,max, a cyclic feedback mechanism is realized, so the strategy and method of network security detection can be continuously optimized according to changes in historical data and current traffic;
The calculation result of the security situation index AQ can directly reflect the security situation of the network and provides strong support for emergency response: when the security situation of the network changes, measures can be taken rapidly to cope with potential threats, so the security risk is reduced;
In summary, the network traffic abnormality degree measuring unit, the current network threat degree evaluating unit and the comprehensive network overall security condition evaluating unit and their parameters have remarkable beneficial effects on network security detection. They not only improve the sensitivity and accuracy of detection but also evaluate the network security condition comprehensively and optimize the detection strategy and method.
Referring to fig. 1 to 4, the detection analysis based on the security situation index AQ is as follows:
If the security situation index AQ is higher than the security situation average index AQ_avg, this reflects that the current network faces a high security risk and that a large amount of malicious behavior and abnormal traffic exists, so network security measures should be strengthened;
if the security situation index AQ is lower than the security situation average index AQ_avg, this reflects that the current network state is relatively stable and that little malicious behavior and abnormal traffic exists, so the current network security measures should be maintained;
The calculation formula of the security situation average index AQ_avg is as follows:
;
AQ_1 is the security situation index of the first detection period, AQ_2 that of the second detection period, AQ_3 that of the third detection period and AQ_m that of the mth detection period; when detection enters the next period, the current security situation index AQ becomes the mth detection period security situation index AQ_m.
In this embodiment, when the security situation index AQ is higher than the security situation average index AQ_avg, the algorithm unit takes the network to face a higher security risk. The unit for comprehensively evaluating the overall security condition then feeds back cyclically to the unit for measuring the degree of network traffic abnormality and lowers the judgment threshold for abnormal traffic in that unit, so the system becomes more sensitive to abnormal traffic: even a small abnormal traffic fluctuation is detected in time, which improves the detection accuracy. When the security situation index AQ is lower than the security situation average index AQ_avg, the security situation of the network is relatively good; raising the judgment threshold for abnormal traffic in the unit for measuring the degree of network traffic abnormality then reduces the false reports caused by traffic fluctuation, and because the system tolerates more abnormal traffic, the missed reports of potential threats that a threshold set too low would cause are avoided;
The threat assessment value WW in the unit for evaluating the degree of threat faced by the current network is an important index of the current threat severity of the network. Through the cyclic feedback from the unit for comprehensively evaluating the overall security condition to the unit for measuring the degree of network traffic abnormality, the threat evaluation algorithm in the unit for evaluating the current threat level can be adjusted according to the level of the security situation index AQ: when AQ is higher, the weight of the malicious behavior count can be increased to assess the severity of the current threat more accurately; when AQ is lower, the algorithm can be adjusted to pay more attention to threat types that could greatly affect the network. According to the judgment result of the security situation index AQ and this cyclic feedback mechanism, a more reasonable response strategy can be formulated;
In the unit for comprehensively evaluating the overall security condition of the network, the patch application rate BDL and the anti-malware quantity FE are important indexes of the overall security level of the network. According to the judgment result of the security situation index AQ, the loop feedback mechanism from the unit for comprehensively evaluating the overall security condition to the unit for measuring the degree of network traffic abnormality can strengthen patch management and improve the efficiency of the anti-malware software;
In summary, the unit for measuring the degree of network traffic abnormality, the unit for evaluating the degree of threat faced by the current network and the unit for comprehensively evaluating the overall security condition of the network each have their own beneficial effects, and the cyclic influence of the last unit on the first brings significant advantages. Together, the formulas form the core of the network security detection method based on big data and provide strong support and guarantee for network security. The detection method that uses the security situation average index AQ_avg as the judgment standard, together with the cyclic feedback mechanism of the unit for comprehensively evaluating the overall security condition of the network, yields several beneficial effects, including higher detection accuracy and sensitivity, better threat evaluation and response strategies and a higher overall security level of the network, which help to cope better with network security challenges and threats and ensure the safe and stable operation of the network.
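As an added worked example (not the patent's own code), the following Python implements the AQ versus AQ_avg comparison and the cyclic threshold feedback described above, together with the BDL, EZL and WW_avg ratios the claims define; the AQ and WW formulas themselves are not reproduced on this page, so per-period AQ and WW values are taken as inputs, and the 10 % threshold step, the history handling and all sample values are assumptions.

```python
"""Added example, not the patent's own code: the AQ vs AQ_avg comparison, the
cyclic feedback that moves the abnormal-traffic threshold, and the BDL, EZL and
WW_avg ratios as the page defines them.  The AQ and WW formulas themselves are
not reproduced on this page, so each period's AQ and WW are taken as inputs.
The 10 % threshold step is an assumption; the page only gives the direction."""
from dataclasses import dataclass, field
from typing import List, Tuple


def patch_application_rate(bd: int, zbd: int) -> float:
    """BDL = BD / ZBD; with zero systems in total the rate is undefined."""
    if zbd <= 0:
        raise ValueError("ZBD (total number of systems) must be positive")
    return bd / zbd


def malicious_efficiency(czl: int, ex: int) -> float:
    """EZL = CZL / EX; with no malicious behaviour counted, treat it as 0."""
    if ex == 0:
        return 0.0
    return czl / ex


@dataclass
class SituationFeedback:
    """Per-period AQ/WW history plus the abnormal-traffic judgment threshold
    that the overall-security unit feeds back to the traffic-abnormality unit."""
    anomaly_threshold: float          # judgment threshold for abnormal traffic
    step: float = 0.10                # assumed adjustment factor per period
    aq_history: List[float] = field(default_factory=list)
    ww_history: List[float] = field(default_factory=list)

    def ww_avg(self) -> float:
        """WW_avg = (WW_1 + ... + WW_m) / m over the recorded periods."""
        return sum(self.ww_history) / len(self.ww_history)

    def aq_avg(self) -> float:
        """AQ_avg = (AQ_1 + ... + AQ_m) / m, the current period being AQ_m."""
        return sum(self.aq_history) / len(self.aq_history)

    def end_period(self, aq: float, ww: float) -> Tuple[str, float]:
        """Record this period's AQ and WW, then compare AQ with AQ_avg: above
        average lowers the threshold (more sensitive, strengthen measures);
        below average raises it (fewer false reports, maintain measures)."""
        self.aq_history.append(aq)
        self.ww_history.append(ww)
        avg = self.aq_avg()
        if aq > avg:
            self.anomaly_threshold *= 1.0 - self.step
            return "strengthen", self.anomaly_threshold
        if aq < avg:
            self.anomaly_threshold *= 1.0 + self.step
        return "maintain", self.anomaly_threshold


def run_periods(aq_values, ww_values, threshold=100.0):
    """Replay a sequence of periods; returns (decision, threshold) per period."""
    fb = SituationFeedback(anomaly_threshold=threshold)
    return [fb.end_period(aq, ww) for aq, ww in zip(aq_values, ww_values)]


if __name__ == "__main__":
    # Constructed sample: two quiet baseline periods, then two risky periods.
    periods = run_periods([2.0, 2.0, 5.0, 6.0], [0.1, 0.1, 0.4, 0.5])
    for i, (decision, thr) in enumerate(periods, 1):
        print(f"period {i}: {decision}, threshold now {thr:.2f}")
```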
In a second embodiment, referring to fig. 1 to 4, the malicious behaviors counted are as follows: virus propagation means that a virus is transmitted through the network and infects files and programs in the system;
phishing attack means trapping users into revealing sensitive information by means of forged websites and e-mails;
DDoS attack means a distributed denial of service attack, in which a target system is paralyzed by a large number of requests;
SQL injection means exploiting website vulnerabilities to send malicious SQL statements to the database in order to obtain and tamper with data;
cross-site scripting (XSS) means injecting malicious scripts into a target website to steal user information and perform other malicious operations.
In this embodiment, the malicious behavior count EX accumulated by the unit for evaluating the degree of threat faced by the current network includes virus propagation, phishing attacks, DDoS attacks, SQL injection and cross-site scripting attacks (XSS), so that the malicious behaviors that can affect network security are covered more comprehensively, which further improves the management and detection of network security.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (8)

1. A network security detection method based on big data, characterized in that it includes a big data acquisition module, a big data calculation and evaluation module, and a response and disposal module; the big data calculation and evaluation module includes a unit for measuring the degree of abnormality of network traffic, a unit for evaluating the degree of threat faced by the current network, and a unit for comprehensively evaluating the overall security status of the network; the specific detection steps are as follows:
Step I: using the big data acquisition module, collect the network traffic data, security event data and system security status data of the current detection period;
Step II: using the unit for measuring the degree of abnormality of network traffic, first calculate and output the abnormal traffic detection index YL;
Step III: introduce the abnormal traffic detection index YL into the unit for evaluating the degree of threat faced by the current network, and calculate and output the threat assessment value WW;
Step IV: introduce the abnormal traffic detection index YL and the threat assessment value WW into the unit for comprehensively evaluating the overall security status of the network, calculate and output the security situation index AQ, and perform detection analysis;
Step V: the response and disposal module makes a security response and disposal according to the security situation index AQ.

2. The network security detection method based on big data according to claim 1, characterized in that: the equipment used by the big data acquisition module includes network traffic analyzers, SIEM systems and security monitoring equipment; the equipment used by the big data calculation and evaluation module includes a server; the equipment used by the response and disposal module includes a security patch management system and anti-malware tools.

3. The network security detection method based on big data according to claim 2, characterized in that the calculation formula of the unit for measuring the degree of abnormality of network traffic is as follows:
;
where:
YL is the abnormal traffic detection index;
L_in is the inbound traffic, the amount of data entering the network per unit time;
L_out is the outbound traffic, the amount of data leaving the network per unit time;
L_avg is the average traffic, the average data traffic of the network in the current detection period;
L_peak is the peak traffic, the maximum data traffic generated by the network in the current detection period.

4. The network security detection method based on big data according to claim 3, characterized in that the calculation formula of the average traffic L_avg is as follows:
L_avg = (L_1 + L_2 + L_3 + ... + L_n) / n;
n is the current period span, reflecting the amount of time in the current detection period;
L_1 is the data traffic detected in the first time slot, L_2 in the second time slot, L_3 in the third time slot and L_n in the nth time slot;
and in any detection period the average traffic L_avg of the current detection period is updated and calculated in real time.

5. The network security detection method based on big data according to claim 4, characterized in that the calculation formula of the unit for evaluating the degree of threat faced by the current network is as follows:
;
where:
WW is the threat assessment value;
EX is the malicious behavior count, reflecting the number of malicious behaviors detected; malicious behaviors include virus propagation, phishing attacks, DDoS attacks, SQL injection and cross-site scripting attacks (XSS);
ZX is the total behavior count, reflecting the number of all behaviors detected;
WX is the number of new threats, reflecting the number of threat types newly appearing in the current detection period; threat types include viruses, Trojans, worms, ransomware and spyware;
LWX is the number of historical threats, reflecting the number of threat types that already existed in previous detection periods.

6. The network security detection method based on big data according to claim 5, characterized in that:
virus propagation: a virus propagates through the network and infects files and programs in the system;
phishing attack: forged websites and e-mails are used to trick users into revealing sensitive information;
DDoS attack: a distributed denial of service attack that paralyzes the target system through a large number of requests;
SQL injection: website vulnerabilities are exploited to send malicious SQL statements to the database in order to obtain and tamper with data;
cross-site scripting attack (XSS): malicious scripts are injected into the target website to steal user information and perform other malicious operations;
the calculation formula of the unit for comprehensively evaluating the overall security status of the network is as follows:
;
BDL = BD / ZBD;
EZL = CZL / EX;
WW_avg = (WW_1 + WW_2 + WW_3 + ... + WW_m) / m;
where:
AQ is the security situation index;
BDL is the patch application rate;
BD is the number of systems with applied patches and ZBD is the total number of systems;
FE is the anti-malware quantity;
EZL is the malicious behavior efficiency;
CZL is the number of successfully executed malicious behaviors;
WW_avg is the threat assessment average;
m is the total number of historical detection periods;
WW_1 is the threat assessment value of the first detection period, WW_2 that of the second detection period, WW_3 that of the third detection period and WW_m that of the mth detection period; when detection enters the next period, the current threat assessment value WW becomes the mth detection period threat assessment value WW_m;
L_in,max is the maximum inbound traffic, the maximum inbound data traffic of the network in the current detection period.

7. The network security detection method based on big data according to claim 6, characterized in that the detection analysis based on the security situation index AQ is as follows:
if the security situation index AQ is higher than the security situation average index AQ_avg, this reflects that the current network faces a high security risk and that a large amount of malicious behavior and abnormal traffic exists, and network security measures should be strengthened;
if the security situation index AQ is lower than the security situation average index AQ_avg, this reflects that the current network state is relatively stable and that little malicious behavior and abnormal traffic exists, and the current network security measures should be maintained.

8. The network security detection method based on big data according to claim 7, characterized in that the calculation formula of the security situation average index AQ_avg is as follows:
AQ_avg = (AQ_1 + AQ_2 + AQ_3 + ... + AQ_m) / m;
AQ_1 is the security situation index of the first detection period, AQ_2 that of the second detection period, AQ_3 that of the third detection period and AQ_m that of the mth detection period; when detection enters the next period, the current security situation index AQ becomes the mth detection period security situation index AQ_m.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510024259.8A CN119814457B (en) 2025-01-07 2025-01-07 A network security detection method based on big data

Publications (2)

Publication Number Publication Date
CN119814457A true CN119814457A (en) 2025-04-11
CN119814457B CN119814457B (en) 2025-08-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant