CN-122001620-A - Processing method and device of network node, electronic equipment and computer program product
Abstract
The application provides a processing method and device for a network node, an electronic device and a computer program product. It belongs to the field of network security and aims to solve the problem that existing methods struggle to sense and respond quickly to network security threats. The method comprises: preprocessing each node in a network to determine candidate network nodes; identifying and evaluating network nodes in the network that have not been preprocessed to determine supplementary network nodes; taking the candidate network nodes and the supplementary network nodes as target network nodes; and acquiring target data of the target network nodes, analyzing the target data, and determining network security risks according to the analysis results.
Inventors
- Zhu Sunan
- Lu Wenshuang
- Sun Zhen
- Guan Xingzhou
- Zhao Yanyan
Assignees
- 中国移动通信集团黑龙江有限公司
- 中国移动通信集团有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20251226
Claims (10)
- 1. A method of processing a network node, the method comprising the steps of: preprocessing each node in the network to determine candidate network nodes; identifying and evaluating network nodes in the network that have not been subjected to the preprocessing, and determining supplementary network nodes; taking the candidate network node and the supplementary network node as target network nodes; and acquiring target data of the target network node, analyzing the target data, and determining network security risk according to an analysis result.
- 2. The method according to claim 1, wherein the preprocessing of each node in the network to determine candidate network nodes comprises the steps of: obtaining topology structure information of the network; and screening out the candidate network nodes according to a preset node selection rule based on the topological structure information.
- 3. The method according to claim 2, wherein the screening out of the candidate network nodes according to a preset node selection rule based on the topology structure information comprises the steps of: initializing an analysis identifier and an analysis count value of each network node; forming a terminal set from the network nodes whose attribute is terminal, based on the topology structure information; randomly selecting from the terminal set one network node whose analysis identifier is in the initial state as a current processing node, taking all other network nodes connected with the current processing node as connection processing nodes, calculating a monitoring standard value of the current processing node, determining the average flow between the current processing node and each connection processing node within a preset time, comparing the monitoring standard value with the average flow, and setting the analysis identifier and/or analysis count value of the current processing node and the connection processing nodes according to the comparison result, until all network nodes in the terminal set have been traversed; and taking the network nodes whose analysis identifier or analysis count value meets the set requirement as the candidate network nodes.
- 4. The method according to claim 3, wherein said calculating a monitoring standard value for said current processing node comprises the steps of: acquiring security values of the current processing node and the connection processing node, wherein the security values are obtained based on network security evaluation of the nodes; obtaining vulnerability grading values of the current processing node and the connection processing node, wherein the vulnerability grading values are obtained based on vulnerability severity of the nodes; determining an adjustment value according to the terminal attribute of the current processing node, wherein the terminal attributes comprise a data acquisition terminal, an action execution terminal and a comprehensive processing terminal; and calculating the monitoring standard value based on the security value, the vulnerability grading value and the adjustment value.
- 5. The method according to claim 1, wherein said identifying and evaluating network nodes in said network that have not been preprocessed, and determining supplementary network nodes, comprises the steps of: traversing network nodes in the network, and identifying network nodes which were not included in the last preprocessing or network nodes which have newly accessed the network; and evaluating the network nodes which were not included in the last preprocessing or the network nodes which have newly accessed the network, and determining the network nodes meeting preset conditions as the supplementary network nodes.
- 6. The method according to claim 5, wherein the evaluating the network node not included in the last pre-processing or the network node newly accessing the network, determining a network node satisfying a preset condition as the supplementary network node, comprises the steps of: calculating a monitoring standard value of the network node; comparing the average flow between the network node and other network nodes connected with the network node with the monitoring standard value; and determining the supplementary network node according to the comparison result.
- 7. The method according to claim 1, wherein the step of acquiring the target data of the target network node, analyzing the target data, and determining the network security risk according to the analysis result comprises the step of: analyzing the target data through a specific identification model, wherein the specific identification model is obtained by training on samples of abnormal behaviors and/or abnormal patterns.
- 8. A processing apparatus of a network node, the apparatus comprising: a candidate node processing module for preprocessing each node in the network and determining candidate network nodes; a supplementary node processing module for identifying and evaluating network nodes in the network topology which have not been subjected to the preprocessing, and determining supplementary network nodes; a target node processing module for taking the candidate network node and the supplementary network node as target network nodes; and a target node analysis module for acquiring target data of the target network node, analyzing the target data and determining network security risk according to an analysis result.
- 9. An electronic device comprising a processor, a memory, a program or instructions stored on the memory and executable on the processor, which program or instructions when executed by the processor implement the steps of the method of any one of claims 1 to 7.
- 10. A computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which when executed by a computer implement the steps of the method of any of claims 1 to 7.
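
The screening described in claims 3 to 6, as an added Python example that is not taken from the patent. The page gives no formula for the monitoring standard value, no adjustment values, no comparison direction and no "set requirement", so `monitoring_standard`, `ADJUST`, the `flow > limit` test, `min_count`, the value scales and all sample data are assumptions made for illustration.

```python
import random
from dataclasses import dataclass
# Assumed adjustment values; claim 4 only names the three terminal attributes.
ADJUST = {"data_acquisition": 1.0, "action_execution": 0.8, "comprehensive": 0.6}

@dataclass
class Node:
    security: float         # security value, assumed scale 0..1 (1 = well secured)
    vuln: float             # vulnerability grading value, assumed scale 0..10
    attr: str = ""          # terminal attribute; "" = not a terminal
    analysed: bool = False  # analysis identifier (False = initial state)
    count: int = 0          # analysis count value

def monitoring_standard(nodes, cur, peers, base=100.0):
    # Assumed formula: weaker security or worse vulnerabilities lower the limit.
    group = [nodes[n] for n in (cur, *peers)]
    sec = sum(n.security for n in group) / len(group)
    vuln = sum(n.vuln for n in group) / len(group)
    return base * sec * (1 - vuln / 10) * ADJUST.get(nodes[cur].attr, 1.0)

def evaluate(nodes, flows, cur):
    links = {k: f for k, f in flows.items() if cur in k}   # links touching cur
    peers = [b if a == cur else a for a, b in links]
    limit = monitoring_standard(nodes, cur, peers)
    hits = [k for k, f in links.items() if f > limit]      # assumed direction
    for name in (n for link in hits for n in link):        # both ends of each hit
        nodes[name].count += 1
    nodes[cur].analysed = True
    return len(hits)

def select_targets(nodes, flows, preprocessed, min_count=1, seed=0):
    rng, known = random.Random(seed), set(preprocessed)
    old = {k: f for k, f in flows.items() if set(k) <= known}
    while pending := sorted(n for n in known if nodes[n].attr and not nodes[n].analysed):
        evaluate(nodes, old, rng.choice(pending))          # claim 3: random pick
    candidates = {n for n in known if nodes[n].count >= min_count}
    supplementary = set()
    for n in sorted(nodes.keys() - known):                 # claim 5: missed or new nodes
        if evaluate(nodes, flows, n):                      # claim 6: compare flows
            supplementary.add(n)
    return candidates, supplementary

def demo():  # constructed sample network; flows in assumed Mbit/s
    nodes = {"sensor1": Node(0.9, 2, "data_acquisition"), "lock1": Node(0.5, 8, "action_execution"),
             "gw": Node(0.8, 3, "comprehensive"), "srv": Node(0.9, 1),
             "cam_new": Node(0.4, 9, "data_acquisition"), "printer_new": Node(0.9, 1, "action_execution")}
    flows = {("sensor1", "gw"): 5, ("lock1", "gw"): 40, ("gw", "srv"): 20,
             ("cam_new", "gw"): 30, ("printer_new", "gw"): 2}
    return select_targets(nodes, flows, ["sensor1", "lock1", "gw", "srv"])
```

The union of the two returned sets is the target node set of claim 1, the only nodes whose data would then be collected and analyzed.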
Description
Processing method and device of network node, electronic equipment and computer program product

Technical Field

The present application relates to the field of network security, and in particular to a method, an apparatus, an electronic device, and a computer program product for processing a network node.

Background

With the rapid development of technologies such as 5G, the Internet of Things and the Internet of Vehicles, networks have entered an era of ubiquitous connection in which everything is interconnected. In this environment, the number of terminal devices connected to the network has increased greatly and their functions differ widely; from sensors and intelligent access control to high-performance servers, they form a huge and complex heterogeneous network system. Traditional network situation awareness methods generally need to collect and analyze data such as traffic, attack logs and security states from all nodes in a network in order to perform comprehensive evaluation and early warning. However, in the ubiquitous connection scenario, this full-coverage mode of data acquisition and analysis leads to a rapid increase in data scale and in system processing load, degrades the real-time performance and efficiency of network situation assessment, and makes it difficult to meet the requirements of rapid sensing of and response to network security threats.

Disclosure of Invention

The embodiments of the application provide a processing method and device for a network node, an electronic device and a computer program product, which can solve the problem that existing methods struggle to sense and respond quickly to network security threats.
In a first aspect, an embodiment of the present application provides a method for processing a network node, where the method includes the following steps: preprocessing each node in the network to determine candidate network nodes; identifying and evaluating network nodes in the network that have not been subjected to the preprocessing, and determining supplementary network nodes; taking the candidate network node and the supplementary network node as target network nodes; and acquiring target data of the target network node, analyzing the target data, and determining network security risk according to an analysis result.

In a second aspect, an embodiment of the present application provides a processing apparatus of a network node, where the apparatus includes: a candidate node processing module for preprocessing each node in the network and determining candidate network nodes; a supplementary node processing module for identifying and evaluating network nodes in the network topology which have not been subjected to the preprocessing, and determining supplementary network nodes; a target node processing module for taking the candidate network node and the supplementary network node as target network nodes; and a target node analysis module for acquiring target data of the target network node, analyzing the target data and determining network security risk according to an analysis result.

In a third aspect, an embodiment of the present application provides an electronic device, which includes a processor, a memory, and a program or instructions stored on the memory and executable on the processor, the program or instructions, when executed by the processor, implementing the steps of the processing method of a network node according to the first aspect.
In a fourth aspect, embodiments of the present application provide a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which when executed by a computer implement the steps of the method of processing a network node according to the first aspect.

According to the embodiments of the application, all nodes in the network undergo selective preprocessing and dynamic supplementation, and only the finally screened target network nodes, rather than every node in the whole network, are subjected to in-depth data acquisition and analysis. This reduces the scale of data that must be processed in network situation analysis, effectively reduces resource consumption in data acquisition, transmission and computation, and is particularly suitable for a ubiquitous-connection network environment with massive numbers of terminals and numerous, mixed data. The candidate network nodes are determined through preprocessing, and the nodes which have not been preprocessed are actively identified and evaluated as supplements, so that key risk nodes are not missed because of dynamic changes in the network. Combining preprocessing with dynamic supplementation improves efficiency while still maintaining the coverage completeness of network situation awareness, ensuring the accuracy and reliability of security early warning. When new equip