CN-121690866-B - Data processing method and system for network security monitoring
Abstract
The invention relates to the technical field of network security, and discloses a data processing method and system for network security monitoring. The method comprises: obtaining network entity connection relation data and historical attack event data; constructing graph structure data and embedding it with a preset graph neural network to obtain an initial representation vector; weighting the initial representation vector according to a network entity importance index to obtain a quantization matrix; extracting risk nodes from the quantization matrix and, when their number exceeds a preset number threshold, obtaining potential transfer paths by random walk; fragmenting the potential transfer paths to confirm a risk core pattern; marking a propagation chain set based on the risk core pattern; extracting node risk values from the propagation chain set and preprocessing them to obtain a risk state vector; inputting the risk state vector into a preset time sequence prediction model to obtain a predicted diffusion distribution probability; determining an enhanced monitoring target based on a preset probability threshold and the predicted probability; and solving an objective function to obtain a monitoring enhancement scheme.
Inventors
- Request for anonymity
Assignees
- 广州云峰信息科技有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260211
Claims (10)
- 1. A data processing method for network security monitoring, comprising: extracting connection relation data of network entities and historical attack event data from a network environment; constructing graph structure data based on the connection relation data and the historical attack event data, and embedding and representing the graph structure data by a preset graph neural network to obtain an initial representation vector; acquiring an importance index of each network entity, and performing weighted adjustment on the initial representation vector according to the importance index to obtain a quantization matrix of the risk distribution state; extracting a risk node set from the quantization matrix and, if the number of nodes in the risk node set exceeds a preset number threshold, processing the risk node set with a random walk algorithm to obtain potential transfer paths; calculating segment similarity of the potential transfer paths, clustering and grouping the potential transfer paths according to the segment similarity, and confirming topological structure consistency to obtain a risk core pattern of the potential transfer paths; marking, based on the connection strength of the nodes in the risk core pattern, each path whose connection strength is lower than a preset connection strength threshold as a weak link path to obtain a propagation chain set; extracting node risk values according to the propagation chain set, preprocessing the node risk values to obtain a risk state vector, and processing the risk state vector with a preset time sequence prediction model to obtain a predicted diffusion distribution probability; and confirming an enhanced monitoring target based on a preset probability threshold and the predicted diffusion distribution probability, acquiring a monitoring resource constraint condition, constructing an objective function according to the enhanced monitoring target, solving the objective function to obtain an optimal configuration parameter, and generating a monitoring enhancement scheme according to the optimal configuration parameter.
- 2. The data processing method for network security monitoring according to claim 1, wherein constructing graph structure data based on the connection relation data and the historical attack event data, and embedding and representing the graph structure data by a preset graph neural network to obtain an initial representation vector, includes: constructing a network topology adjacency matrix according to the connection relation data, extracting attack features from the historical attack event data, and constructing a node attribute matrix; fusing the network topology adjacency matrix and the node attribute matrix to obtain the graph structure data; performing feature aggregation on the graph structure data with the preset graph neural network to obtain a network dimension vector; and analyzing the distribution of the network dimension vector, calculating attack influence probabilities, and arranging the attack influence probabilities into the initial representation vector.
- 3. The data processing method for network security monitoring according to claim 1, wherein acquiring the importance index of the network entity, and performing weighted adjustment on the initial representation vector according to the importance index to obtain a quantization matrix of the risk distribution state, includes: acquiring classification information and a service association relation of the network entity from a network security platform as the importance index; generating an information importance weight based on the classification information, and determining a propagation association weight based on the service association relation; acquiring real-time operation data from the network security platform, constructing a dynamic change factor according to the real-time operation data, and adjusting the information importance weight and the propagation association weight according to the dynamic change factor to obtain adjusted weights; and performing weighted adjustment on the initial representation vector according to the adjusted weights to obtain the quantization matrix of the risk distribution state.
- 4. The data processing method for network security monitoring according to claim 1, wherein extracting a risk node set from the quantization matrix and, if the number of nodes in the risk node set exceeds a preset number threshold, processing the risk node set with a random walk algorithm to obtain potential transfer paths, includes: traversing the matrix elements of the quantization matrix, extracting the matrix elements that exceed a preset safety baseline, and combining them into the risk node set; if the number of nodes in the risk node set exceeds the preset number threshold, determining state transition probabilities according to the connection relation data; processing the risk node set with the random walk algorithm, combined with the state transition probabilities, to generate walk trajectories; and extracting from the walk trajectories the target paths that meet a preset confidence to form the potential transfer paths.
- 5. The data processing method for network security monitoring according to claim 1, wherein calculating segment similarity of the potential transfer paths comprises: representing each potential transfer path as a chronological sequence of network entity identifiers; intercepting, with a sliding window, subsequences of a preset length from each network entity identifier sequence as path fragments to obtain a path fragment set; extracting fragment features of each path fragment, the fragment features comprising a node type sequence, an edge connection strength sequence and a node risk value sequence; and calculating the sequence similarity of the node type sequences, of the edge connection strength sequences and of the node risk value sequences respectively, and averaging them to obtain the segment similarity.
- 6. The data processing method for network security monitoring according to claim 5, wherein clustering the potential transfer paths according to the segment similarity and confirming topological structure consistency to obtain a risk core pattern of the potential transfer paths comprises: grouping the path fragment set by density clustering to obtain grouped fragment sets; constructing, for each grouped fragment set, the directed edge set of the fragments in the group and generating a topological structure graph; and judging topological structure consistency based on the topological structure graphs to determine the risk core pattern of the potential transfer paths, wherein the topological structure graph of a grouped fragment set that has an isomorphic mapping is taken as a risk core pattern, and a grouped fragment set without an isomorphic mapping does not enter the risk core pattern set.
- 7. The data processing method for network security monitoring according to claim 1, wherein marking, based on the connection strength of the nodes in the risk core pattern, each path whose connection strength is lower than a preset connection strength threshold as a weak link path to obtain a propagation chain set includes: extracting nodes based on the risk core pattern, constructing a local topology from the nodes, counting the connection relation data within a preset counting time window to obtain node interaction frequencies, extracting the risk values of the nodes from the quantization matrix, and determining link weights of the local topology according to the node interaction frequencies and the risk values; calculating the connection strength of the paths in the local topology based on the link weights, and determining the paths whose connection strength is lower than the preset connection strength threshold as weak link candidate paths; and evaluating the blocking cost of the weak link candidate paths, and determining the weak link candidate paths whose blocking cost meets a preset blocking cost threshold as the propagation chain set.
- 8. The data processing method for network security monitoring according to claim 1, wherein extracting node risk values according to the propagation chain set, preprocessing the node risk values to obtain a risk state vector, and processing the risk state vector with a preset time sequence prediction model to obtain a predicted diffusion distribution probability includes: extracting a node set according to the propagation chain set, determining a node index according to the node set, extracting the node risk values corresponding to the node set from the quantization matrix, normalizing the node risk values, filling them into vector elements according to the node index, and constructing the risk state vector at the initial moment; determining the state changes of adjacent nodes according to the risk state vector and the connection relations between the nodes in the propagation chain set, and integrating them into a node state sequence; and inputting the node state sequence into the preset time sequence prediction model, and outputting the predicted diffusion distribution probability.
- 9. The data processing method for network security monitoring according to claim 1, wherein confirming an enhanced monitoring target based on a preset probability threshold and the predicted diffusion distribution probability, acquiring a monitoring resource constraint condition, constructing an objective function according to the enhanced monitoring target, solving the objective function to obtain an optimal configuration parameter, and generating a monitoring enhancement scheme according to the optimal configuration parameter comprises: determining the risk priority of each network area or network entity according to the predicted diffusion distribution probability, and generating a candidate set for enhanced monitoring; selecting from the candidate set the network areas or network entities whose predicted diffusion distribution probability exceeds the preset probability threshold as enhanced monitoring targets; acquiring the monitoring resource constraint condition, setting the coverage of the enhanced monitoring targets and the monitoring resource occupation as optimization objectives, constructing the objective function of the monitoring resource configuration, and solving the objective function under the monitoring resource constraint condition to obtain the optimal configuration parameters, wherein the monitoring resource constraint condition comprises a bandwidth occupation, a computing resource occupation or a storage resource occupation; and generating the monitoring enhancement scheme according to the optimal configuration parameters.
- 10. A data processing system for network security monitoring, comprising: a data acquisition module for extracting connection relation data of network entities and historical attack event data from a network environment; a risk characterization module for constructing graph structure data based on the connection relation data and the historical attack event data, and embedding and representing the graph structure data by a preset graph neural network to obtain an initial representation vector; a service weighting module for acquiring an importance index of each network entity, and performing weighted adjustment on the initial representation vector according to the importance index to obtain a quantization matrix of the risk distribution state; a path generation module for extracting a risk node set from the quantization matrix and, if the number of nodes in the risk node set exceeds a preset number threshold, processing the risk node set with a random walk algorithm to obtain potential transfer paths; a pattern recognition module for calculating segment similarity of the potential transfer paths, clustering the potential transfer paths according to the segment similarity, and confirming topological structure consistency to obtain a risk core pattern of the potential transfer paths; a chain output module for marking, based on the connection strength of the nodes in the risk core pattern, each path whose connection strength is lower than a preset connection strength threshold as a weak link path to obtain a propagation chain set; a time sequence deduction module for extracting node risk values according to the propagation chain set, preprocessing the node risk values to obtain a risk state vector, and processing the risk state vector with a preset time sequence prediction model to obtain a predicted diffusion distribution probability; and a scheme generation module for confirming an enhanced monitoring target based on a preset probability threshold and the predicted diffusion distribution probability, acquiring a monitoring resource constraint condition, constructing an objective function according to the enhanced monitoring target, solving the objective function to obtain an optimal configuration parameter, and generating a monitoring enhancement scheme according to the optimal configuration parameter.
Description
Technical Field
The present invention relates to the field of network security monitoring technologies, and in particular to a data processing method and system for network security monitoring.
Background
Currently, in the technical field of network security monitoring, a security platform needs to analyze the information security state and output alarm information based on data such as the communication connection relations between network entities, access behavior and historical attack events. In the prior art, risk analysis is mostly realized by rule matching, feature library comparison or alarm association, and detection and handling are mainly performed around single-point events or the abnormal behavior of a single network entity. In a complex network topology, however, risk may diffuse over multiple hops along the connection relations between network entities, and the propagation paths may change dynamically with changes in access relations, service invocation chains and risk aggregation state. The prior art therefore has difficulty effectively predicting the potential propagation paths and diffusion trends of risk between network entities under complex network connection relations.
Disclosure of Invention
The invention provides a data processing method and system for network security monitoring, which are used to realize effective pre-judgment of the direction of risk diffusion.
In order to solve the above technical problem, the present invention provides a data processing method for network security monitoring, including: extracting connection relation data of network entities and historical attack event data from a network environment; constructing graph structure data based on the connection relation data of the network entities and the historical attack event data, and embedding and representing the graph structure data by a preset graph neural network to obtain an initial representation vector; acquiring an importance index of each network entity, and performing weighted adjustment on the initial representation vector according to the importance index to obtain a quantization matrix; extracting a risk node set from the quantization matrix and, if the number of nodes in the risk node set exceeds a preset number threshold, processing the risk node set with a random walk algorithm to obtain potential transfer paths; calculating segment similarity of the potential transfer paths, clustering and grouping the potential transfer paths according to the segment similarity, and confirming topological structure consistency to obtain a risk core pattern of the potential transfer paths; marking, based on the connection strength of the nodes in the risk core pattern, each path whose connection strength is lower than a preset connection strength threshold as a weak link path to obtain a propagation chain set; extracting node risk values according to the propagation chain set, preprocessing the node risk values to obtain a risk state vector, and processing the risk state vector with a preset time sequence prediction model to obtain a predicted diffusion distribution probability; and confirming an enhanced monitoring target based on a preset probability threshold and the predicted diffusion distribution probability, acquiring a monitoring resource constraint condition, constructing an objective function according to the enhanced monitoring target, solving the objective function to obtain an optimal configuration parameter, generating a monitoring enhancement scheme according to the optimal configuration parameter, and performing global optimization on the configuration parameters of the monitoring resources to obtain the monitoring enhancement scheme.
In a second aspect, the present invention provides a data processing system for network security monitoring, comprising: a data acquisition module for extracting connection relation data of network entities and historical attack event data from a network environment; a risk characterization module for constructing graph structure data based on the connection relation data and the historical attack event data, and embedding and representing the graph structure data by a preset graph neural network to obtain an initial representation vector; a service weighting module for acquiring an importance index of each network entity, and performing weighted adjustment on the initial representation vector according to the importance index to obtain a quantization matrix of the risk distribution state; a path generation module for extracting a risk node set from the quantization matrix and, if the number of nodes in the risk node set exceeds a preset number threshold, processing the risk node set with a random walk algorithm to obtain a potential transfer pa