
CN-122027240-A - Active network security defense method, device and equipment


Abstract

The invention discloses an active network security defense method, device and equipment, which comprise the steps of collecting multi-mode security metadata, preprocessing the multi-mode security metadata to obtain standardized data, constructing a heterogeneous relation diagram based on the standardized data, inputting the heterogeneous relation diagram into a space-time fusion model to perform space correlation analysis and time sequence analysis to obtain dynamic threat probability of a corresponding target security entity, determining a risk level according to the dynamic threat probability, selecting a target security policy from a preset policy template library based on the risk level, issuing the target security policy to corresponding network equipment or terminal equipment to execute, collecting feedback information after the target security policy is executed, and performing self-adaptive optimization on a detection threshold value and policy parameters of the space-time fusion model according to the feedback information. The method can realize active detection of the network threat, effectively reduce false alarm and missing alarm risks and improve the accuracy of defending actions.

Inventors

  • XUE SUJIN
  • ZHOU QISHUN
  • ZHENG JIANMIN
  • Hu Miaoxin

Assignees

  • 厦门农芯数字科技有限公司

Dates

Publication Date
2026-05-12
Application Date
2026-01-21

Claims (10)

  1. An active network security defense method, the method comprising: collecting multi-mode security metadata comprising a network side, a terminal side, an identity side and a service side, and preprocessing the multi-mode security metadata to obtain standardized data; constructing a heterogeneous relation graph based on the standardized data, wherein nodes in the heterogeneous relation graph comprise security entities of different types, and edges in the heterogeneous relation graph represent association relations with semantics among the security entities; inputting the heterogeneous relation graph into a space-time fusion model for space association analysis and time sequence analysis to obtain a dynamic threat probability of a corresponding target security entity; determining a risk level according to the dynamic threat probability, and selecting a target security policy from a preset policy template library based on the risk level; and issuing the target security policy to corresponding network equipment or terminal equipment for execution, collecting feedback information after the target security policy is executed, and carrying out self-adaptive optimization on a detection threshold value and policy parameters of the space-time fusion model according to the feedback information.
  2. The method of claim 1, wherein preprocessing the multi-mode security metadata to obtain standardized data comprises: performing basic processing including time alignment, numerical normalization and category coding on the multi-mode security metadata to obtain basic processing data; performing fingerprint vectorization on the encrypted network traffic in the basic processing data using the JA3 or JA3S algorithm to obtain an encrypted traffic feature vector; and performing association coding of the process identifier and the network connection session in the basic processing data using eBPF technology to obtain association relation data between processes and sessions, and taking the basic processing data, the association relation data and the encrypted traffic feature vector as the standardized data.
  3. The method according to claim 2, wherein constructing the heterogeneous relation graph based on the standardized data, wherein nodes in the heterogeneous relation graph comprise security entities of different types and edges in the heterogeneous relation graph represent association relations with semantics among the security entities, comprises: defining nodes and edges in the heterogeneous relation graph according to the basic processing data, the association relation data and the encrypted traffic feature vector, and assigning a dynamic weight to each edge, wherein the dynamic weight is calculated from interaction frequency, port sensitivity, traffic fingerprint similarity and traffic direction anomaly degree, and the traffic fingerprint similarity feature is calculated based on the encrypted traffic feature vector; the security entities comprise a user account, terminal equipment, a server host, a service application, a sensitive file, a process and a network session, and the association relations comprise an execution edge representing a starting relationship, an access edge representing an access relationship and an affiliation edge representing a subordinate relationship.
  4. The method of claim 3, wherein calculating the dynamic weight from interaction frequency, port sensitivity, traffic fingerprint similarity and traffic direction anomaly comprises: calculating the dynamic weight according to w = alpha·freq + beta·port_score + gamma·ja3_sim + delta·dir, wherein freq represents the feature value of interaction frequency, port_score represents the feature value of port sensitivity, ja3_sim represents the feature value of traffic fingerprint similarity, dir represents the feature value of traffic direction anomaly, and alpha, beta, gamma and delta represent the corresponding weight coefficients.
  5. An active network security defense method according to claim 3, wherein the heterogeneous relation graph further comprises: According to Performing an attenuation update on the dynamic weight to obtain an updated weight, wherein w_new represents the updated weight, w represents the current dynamic weight, lambda represents a time attenuation factor, t_now represents the current time at which the updated weight is calculated, and t_last represents the time of the last weight update; and deleting the corresponding edge from the heterogeneous relation graph when the updated weight is judged to be smaller than a preset aging threshold.
  6. The method of claim 1, wherein the space-time fusion model comprises a graph neural network layer and a time sequence model layer, and wherein inputting the heterogeneous relation graph into the space-time fusion model for space association analysis and time sequence analysis to obtain the dynamic threat probability of the corresponding target security entity comprises: inputting the heterogeneous relation graph into the graph neural network layer to perform spatial association analysis comprising multi-layer message passing and feature aggregation, so as to obtain spatial features representing the abnormal connection topology of nodes; and generating a feature sequence from the spatial features in time order, inputting the feature sequence into the time sequence model layer for time sequence analysis, and outputting the dynamic threat probability, wherein the time sequence analysis comprises capturing the degree to which the behavior pattern of the target security entity deviates along the time axis.
  7. The method of claim 1, wherein determining a risk level according to the dynamic threat probability and selecting a target security policy from a preset policy template library based on the risk level comprises: when the dynamic threat probability is judged to be smaller than a first threshold value, judging the risk level to be a normal level; when the dynamic threat probability is judged to be greater than or equal to the first threshold value and smaller than a second threshold value, judging the risk level to be an observation level; when the dynamic threat probability is judged to be greater than or equal to the second threshold value, judging the risk level to be an execution level; and when the risk level is the execution level, calculating a comprehensive risk value according to R = P(t) × W_b + C, and selecting a matching target security policy from the policy template library according to the comprehensive risk value, wherein P(t) represents the dynamic threat probability, W_b represents the business weight and C represents a context factor, and wherein the security policies in the policy template library comprise a micro-isolation policy, an access degradation policy, a forced multi-factor authentication policy, a decoy drainage policy, a session cut-off policy, a packet capture policy and an evidence collection policy.
  8. An active network security defense method according to claim 1 or 7, wherein adaptively optimizing the detection threshold and policy parameters of the space-time fusion model according to the feedback information comprises: dynamically adjusting the detection threshold according to the false alarm and missed alarm conditions in the feedback information, wherein the detection threshold comprises the first threshold and the second threshold; dynamically adjusting the policy parameters according to the policy execution effect and the user complaint condition in the feedback information, wherein the policy parameters comprise timeout parameters and/or execution priority parameters of the security policy; and taking the high-confidence data in the feedback information as training samples to perform incremental learning or fine-tuning of the space-time fusion model.
  9. An active network security defense device, the device comprising: a data acquisition unit for acquiring multi-mode security metadata comprising a network side, a terminal side, an identity side and a service side, and preprocessing the multi-mode security metadata to obtain standardized data; a graph construction unit for constructing a heterogeneous relation graph based on the standardized data, wherein nodes in the heterogeneous relation graph comprise security entities of different types, and edges in the heterogeneous relation graph represent association relations with semantics among the security entities; a model analysis unit for inputting the heterogeneous relation graph into a space-time fusion model for space association analysis and time sequence analysis to obtain a dynamic threat probability of a corresponding target security entity; a policy selection unit for determining a risk level according to the dynamic threat probability and selecting a target security policy from a preset policy template library based on the risk level; and an optimizing unit for issuing the target security policy to corresponding network equipment or terminal equipment for execution, collecting feedback information after the target security policy is executed, and carrying out self-adaptive optimization on the detection threshold value and the policy parameters of the space-time fusion model according to the feedback information.
  10. An active network security defense device comprising a processor, a memory and a computer program stored in the memory, which when executed by the processor performs the steps of the active network security defense method as claimed in any one of claims 1 to 8.
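The edge weighting of claim 4 and the risk tiering and policy selection of claim 7, worked through in code. This is an added example, not code from the patent: the coefficient values, the two thresholds and the cut-offs that map the comprehensive risk value R onto the policy template library are all constructed for illustration, since the patent does not fix them.

```python
# Weight coefficients for the claim-4 edge weight
#   w = alpha*freq + beta*port_score + gamma*ja3_sim + delta*dir
# The values are constructed for this example; the patent leaves them open.
COEFFS = {"alpha": 0.3, "beta": 0.3, "gamma": 0.2, "delta": 0.2}


def edge_weight(freq, port_score, ja3_sim, dir_anomaly, c=COEFFS):
    """Dynamic edge weight per claim 4. Feature values are assumed to be
    normalised to [0, 1] so the weight also lies in [0, 1]."""
    return (c["alpha"] * freq + c["beta"] * port_score
            + c["gamma"] * ja3_sim + c["delta"] * dir_anomaly)


# Claim-7 tiers: P(t) < T1 -> normal, T1 <= P(t) < T2 -> observation,
# P(t) >= T2 -> execution. Threshold values are an assumption.
T1, T2 = 0.3, 0.7


def risk_level(p_t, t1=T1, t2=T2):
    if p_t < t1:
        return "normal"
    if p_t < t2:
        return "observation"
    return "execution"


def comprehensive_risk(p_t, w_b, c):
    """R = P(t) x W_b + C (claim 7): threat probability scaled by the
    business weight of the affected entity plus a context factor."""
    return p_t * w_b + c


# Policy template library from claim 7, ordered from least to most intrusive.
# Each entry is (upper R cut-off, policy); the cut-offs are assumed here.
POLICY_TEMPLATES = [
    (0.8, "forced multi-factor authentication"),
    (1.0, "access degradation"),
    (1.2, "micro-isolation"),
    (1.5, "session cut-off"),
]
# Highest R: contain and preserve evidence (decoy drainage, packet capture, forensics).
FALLBACK_POLICY = "decoy drainage + packet capture + evidence collection"


def select_policy(p_t, w_b, c):
    """Return (risk level, policy). Only the execution level triggers a policy;
    normal and observation levels return None so the entity is merely watched."""
    level = risk_level(p_t)
    if level != "execution":
        return level, None
    r = comprehensive_risk(p_t, w_b, c)
    for cutoff, policy in POLICY_TEMPLATES:
        if r < cutoff:
            return level, policy
    return level, FALLBACK_POLICY
```

Feeding back false alarm and missed alarm counts (claim 8) would then nudge `T1`/`T2` and the cut-offs rather than the model itself.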

Description

Active network security defense method, device and equipment

Technical Field

The present invention relates to the field of network security technologies, and in particular to an active network security defense method, device and equipment.

Background

With the rapid development of information technology, network attack means are increasingly complex and covert, and traditional defense means face many challenges. Advanced Persistent Threats (APT), penetration through encrypted channels, cross-system lateral movement and misuse of identity credentials keep emerging, and conventional passive defense systems based on static feature signatures and rule matching face serious challenges. Existing mainstream security schemes, such as intrusion detection/prevention systems (IDS/IPS), Security Information and Event Management (SIEM) combined with Security Orchestration, Automation and Response (SOAR), User and Entity Behavior Analytics (UEBA), and endpoint detection and response (EDR/XDR), expose several common bottlenecks in practice. They are limited to a single data dimension (for example, focusing only on network traffic or terminal logs) and lack unified association analysis and context understanding across multi-source heterogeneous data; or they depend on predefined static rules and thresholds and have difficulty adapting to the dynamic evolution of unknown threats and slow attack behavior patterns, so that missed alarms and false alarms coexist; or, although they have some automated response capability, policy formulation often lags behind the progress of the attack, and after execution they lack a closed-loop feedback and self-adaptive tuning mechanism based on the actual protection effect and business impact, which easily causes overlong response windows or excessive defensive impact on normal business, so that a comprehensive closed-loop defense cannot be formed.
Disclosure of Invention

In view of the above, the present invention aims to provide an active network security defense method, device and equipment that solve the problems of missed detections, response lag, data fragmentation, insufficient policy closed loop and the like in existing network security defense.

To achieve the above object, the present invention provides an active network security defense method, which includes: collecting multi-mode security metadata comprising a network side, a terminal side, an identity side and a service side, and preprocessing the multi-mode security metadata to obtain standardized data; constructing a heterogeneous relation graph based on the standardized data, wherein nodes in the heterogeneous relation graph comprise security entities of different types, and edges in the heterogeneous relation graph represent association relations with semantics among the security entities; inputting the heterogeneous relation graph into a space-time fusion model for space association analysis and time sequence analysis to obtain a dynamic threat probability of a corresponding target security entity; determining a risk level according to the dynamic threat probability, and selecting a target security policy from a preset policy template library based on the risk level; and issuing the target security policy to corresponding network equipment or terminal equipment for execution, collecting feedback information after the target security policy is executed, and carrying out self-adaptive optimization on a detection threshold value and policy parameters of the space-time fusion model according to the feedback information.
Preferably, preprocessing the multi-mode security metadata to obtain standardized data includes: performing basic processing including time alignment, numerical normalization and category coding on the multi-mode security metadata to obtain basic processing data; performing fingerprint vectorization on the encrypted network traffic in the basic processing data using the JA3 or JA3S algorithm to obtain an encrypted traffic feature vector; and performing association coding of the process identifier and the network connection session in the basic processing data using eBPF technology to obtain association relation data between processes and sessions, and taking the basic processing data, the association relation data and the encrypted traffic feature vector as the standardized data.

Preferably, constructing the heterogeneous relation graph based on the standardized data, where nodes in the heterogeneous relation graph include security entities of different types and edges in the heterogeneous relation graph represent association relations with semantics among the security entities, includes: defining nodes and edges in the heterogeneous relation graph according to the basic processing data, the association relation data and the encrypted traffic feature vector, and assigning dynamic weights to each edge, T