CN-121984719-A - Network situation awareness method and device, electronic equipment and storage medium
Abstract
An embodiment of the specification provides a network situation awareness method, device, electronic equipment and storage medium, applied to the technical field of network security. The method includes: marking a received first data packet when the source address of the first data packet is an element in an abnormal address set; processing the marked first data packet and, when the first processing result comprises processing sensitive data, recording the sensitive data processing result of the marked data packet and the associated address set corresponding to that result; and performing network situation awareness according to the sensitive data processing results and the associated address sets of a plurality of marked first data packets. Because the sensitive data processing result of a marked data packet is used to obtain the corresponding associated address set, network situation awareness is based on association characteristics, which improves its accuracy; marking data packets based on the abnormal address set also improves its efficiency.
Inventors
- Zhu Sunan
- Lu Wenshuang
- Guan Xingzhou
- Wei Linna
- Chen Liang
- Zhao Yanyan
Assignees
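- China Mobile Communications Group Heilongjiang Co., Ltd. (中国移动通信集团黑龙江有限公司)
- China Mobile Communications Group Co., Ltd. (中国移动通信集团有限公司)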
Dates
- Publication Date: 20260505
- Application Date: 20251231
Claims (10)
- 1. A method of network situational awareness, the method comprising: marking the received first data packet under the condition that the source address of the first data packet is an element in an abnormal address set, wherein the abnormal address set comprises a first address corresponding to a historical attack data packet; processing the marked first data packet, and recording the sensitive data processing result of the marked data packet and an associated address set corresponding to the sensitive data processing result under the condition that the first processing result comprises processing of sensitive data; and sensing the network situation according to the sensitive data processing results of the first marked data packets and the associated address set.
- 2. The method according to claim 1, wherein the method further comprises: when the source address is not an element in the abnormal address set, but its similarity with any element in the abnormal address set is larger than a preset first similarity threshold value, adding the source address as a second address into the abnormal address set, and marking the first data packet.
- 3. The method according to claim 1, wherein, in the case that the first processing result includes processing the sensitive data, recording the sensitive data processing result of the marked data packet and the associated address set corresponding to the sensitive data processing result includes: in the case that the first processing result includes only processing sensitive data, recording the address of the current node that processes the sensitive data and the source address of the marked data packet in the associated address set; or, in the case that the first processing result includes processing sensitive data and forwarding the data, recording the addresses of a plurality of nodes on the forwarding path as an associated address sequence, in association with the source address of the marked data packet, in the associated address set.
- 4. A method according to any one of claims 1 to 3, wherein said network situation awareness based on sensitive data processing results and associated address sets of a plurality of labeled data packets comprises: aggregating network nodes into a plurality of first associated networks according to the associated network set; determining first network situation values corresponding to the plurality of first associated networks and second network situation values corresponding to each first associated network respectively according to the sensitive data processing result; and determining a target network situation value according to the first network situation value and the second network situation value.
- 5. A method according to any one of claims 1 to 3, wherein said network situation awareness based on sensitive data processing results and associated address sets of a plurality of labeled data packets comprises: aggregating network nodes into a plurality of first associated networks according to the associated network set; merging the plurality of first associated networks into a plurality of second associated networks according to the similarity of the first associated networks; determining third network situation values corresponding to the plurality of second associated networks and fourth network situation values corresponding to each second associated network according to the sensitive data processing result; and determining a target network situation value according to the third network situation value and the fourth network situation value.
- 6. The method according to claim 4 or 5, wherein the aggregating network nodes into a plurality of first associated networks according to the set of associated networks comprises: Step 1, taking one terminal node in network nodes as a current node; Step 2, determining at least one node to be aggregated corresponding to the current node in the associated address set; Step 3, determining at least one associated node of the current node from the at least one node to be aggregated according to a second processing result of a second data packet sent by the at least one node to be aggregated to the current node; Step 4, taking the current node and the at least one associated node as a first associated network, and acquiring a terminal node from the rest network nodes except the current node and the at least one associated node in the network nodes as a new current node; Step 5, repeating Steps 2 to 4 until the first preset condition is met.
- 7. The method of claim 5, wherein the merging the plurality of first associated networks into a plurality of second associated networks according to the similarity of the first associated networks comprises: Step 1, acquiring center nodes corresponding to each first association network respectively through a centrality analysis method; Step 2, randomly selecting a first association network as a current association network; Step 3, determining a target association network from other first association networks except the current association network in the plurality of first association networks, wherein the ratio of the number of intersection nodes of the target association network and the current association network to a first number is greater than a preset ratio threshold, the network attribute similarity of a central node of the current association network and a central node of the target association network is greater than a preset similarity threshold, and the first number is the minimum value of the number of nodes included in the plurality of association networks; Step 4, merging the current association network and the target association network; Step 5, repeating Steps 1 to 4 until a second preset condition is met.
- 8. An apparatus for network situational awareness, the apparatus comprising: a marking module, used for marking the received first data packet when the source address of the first data packet is an element in an abnormal address set, wherein the abnormal address set comprises a first address corresponding to a historical attack data packet; a processing module, used for processing the marked first data packet, and recording the sensitive data processing result of the marked data packet and the associated address set corresponding to the sensitive data processing result under the condition that the first processing result comprises the processing of the sensitive data; and a sensing module, used for sensing the network situation according to the sensitive data processing results of the first marked data packets and the associated address set.
- 9. An electronic device comprising a processor, a memory, and a communication bus; the communication bus is used for realizing connection communication between the processor and the memory; the processor is configured to execute one or more programs stored in the memory to implement the steps of the network situational awareness method of any of claims 1 to 7.
- 10. A computer storage medium, characterized in that the computer storage medium stores one or more programs, the one or more programs are executable by one or more processors to implement the steps of the network situational awareness method of any of claims 1 to 7.
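As an added illustration of claims 1 to 3 (not code from the patent or its applicants), the Python example below marks packets against an abnormal address set, extends the set by similarity, and records the associated addresses for marked packets whose processing touched sensitive data. The similarity metric (shared leading IPv4 bits), the 0.9 threshold, the packet dictionary fields and every name used are assumptions; the claims do not define them.

```python
import ipaddress
from dataclasses import dataclass, field

def addr_similarity(a: str, b: str) -> float:
    """Assumed metric: fraction of leading bits two IPv4 addresses share."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return (32 - diff.bit_length()) / 32

@dataclass
class Sensor:
    node_addr: str                # address of the node doing the processing
    abnormal: set                 # abnormal address set (historical attack sources)
    sim_threshold: float = 0.9    # first similarity threshold (value assumed)
    records: list = field(default_factory=list)

    def mark(self, src: str) -> bool:
        """Claims 1-2: mark when src is in the set or similar enough to a member."""
        if src not in self.abnormal:
            if not any(addr_similarity(src, a) > self.sim_threshold for a in self.abnormal):
                return False
            self.abnormal.add(src)  # kept as a "second address"
        return True

    def process(self, pkt: dict) -> bool:
        """Claim 3: record result and associated addresses for marked, sensitive packets."""
        if not self.mark(pkt["src"]) or not pkt["sensitive"]:
            return False
        assoc = list(pkt.get("path") or [self.node_addr])  # forwarded: path nodes; else current node
        self.records.append({"src": pkt["src"], "result": pkt["result"], "assoc": assoc})
        return True

def associated_by_source(records: list) -> dict:
    """Group the recorded node addresses per marked source address."""
    out = {}
    for r in records:
        out.setdefault(r["src"], set()).update(r["assoc"])
    return out

# Constructed sample traffic (documentation address ranges, not real data).
PACKETS = [
    {"src": "203.0.113.7", "sensitive": True, "result": "read", "path": None},
    {"src": "203.0.113.6", "sensitive": True, "result": "read+forward", "path": ["10.0.0.5", "10.0.1.9"]},
    {"src": "198.51.100.20", "sensitive": True, "result": "read", "path": None},
    {"src": "203.0.113.7", "sensitive": False, "result": "none", "path": None},
]

def run_demo():
    sensor = Sensor(node_addr="10.0.0.5", abnormal={"203.0.113.7"})
    return sensor, [sensor.process(p) for p in PACKETS]
```

The per-source address sets returned by `associated_by_source` are the kind of input the later claims aggregate into associated networks; that aggregation is not implemented here.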
Description
Network situation awareness method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, an electronic device, and a storage medium for sensing a network situation.
Background
The network situation refers to the current state of the network and its subsequent change trend. Network situation awareness means acquiring, synthesizing, predicting and visualizing, within a given space-time scale, the various elements that may cause the situation to change, so as to give a visual and comprehensive picture of current network conditions and of future development trends. Current network situation awareness technology analyzes the data of each node in a network independently and perceives the situation of the whole network from the risk condition of the individual nodes; situation awareness in this related art therefore has the technical problem of low accuracy.
Disclosure of Invention
An object of one embodiment of the present disclosure is to provide a method, an apparatus, an electronic device, and a storage medium for network situation awareness.
To solve the above technical problems, an embodiment of the present specification is implemented as follows:
In a first aspect, an embodiment of the present specification provides a method for network situational awareness, the method comprising: marking the received first data packet under the condition that the source address of the first data packet is an element in an abnormal address set, wherein the abnormal address set comprises a first address corresponding to a historical attack data packet; processing the marked first data packet, and recording the sensitive data processing result of the marked data packet and an associated address set corresponding to the sensitive data processing result under the condition that the first processing result comprises processing of sensitive data; and sensing the network situation according to the sensitive data processing results of the first marked data packets and the associated address set.
In a second aspect, a further embodiment of the present specification provides an apparatus for network situational awareness, the apparatus comprising: a marking module, used for marking the received first data packet when the source address of the first data packet is an element in an abnormal address set, wherein the abnormal address set comprises a first address corresponding to a historical attack data packet; a processing module, used for processing the marked first data packet, and recording the sensitive data processing result of the marked data packet and the associated address set corresponding to the sensitive data processing result under the condition that the first processing result comprises the processing of the sensitive data; and a sensing module, used for sensing the network situation according to the sensitive data processing results of the first marked data packets and the associated address set.
In a third aspect, yet another embodiment of the present specification provides an electronic device comprising a processor, a memory, and a communication bus; the communication bus is used for realizing connection communication between the processor and the memory; the processor is configured to execute one or more programs stored in the memory, so as to implement the steps of the method for network situation awareness according to the first aspect.
In a fourth aspect, a further embodiment of the present specification provides a computer-readable storage medium for storing computer-executable instructions which, when executed by a processor, implement the steps of the network situational awareness method of the first aspect described above.
In a fifth aspect, a further embodiment of the present specification provides a computer program product comprising a processing program, the processing program being executed by a processor to perform the steps of the method for network situational awareness according to the first aspect described above.
According to the embodiment of the disclosure, when the source address of the received first data packet is an element in the abnormal address set, the first data packet is marked and the marked first data packet is processed; when the first processing result comprises the processing of sensitive data, the sensitive data processing result of the marked data packet and the associated address set corresponding to the sensitive data processing result are recorded; and network situation sensing is performed according to the sensitive data processing results and the associated address set of the plurality of marked first data packets. And the sensitive data processing result of the marked data packet is used for acquiring a corresponding associated address set, so that network situation awareness based on the associated characteristics is reali