CN-122027266-A - Network security early warning system and method based on data association analysis
Abstract
The invention discloses a network security early warning system and method based on data association analysis, relating to the technical field of network security. The system comprises an event standardization module, an association analysis module, an intelligent early warning module and a feedback optimization module. Multi-source heterogeneous data are automatically integrated, and three methods, rule matching, baseline analysis and semantic reasoning, perform deep association analysis in parallel and complement one another; a fusion judging mechanism then removes the conflicts and redundancy among the three analysis results and generates a unified comprehensive alarm. On this basis, the intelligent early warning module quantifies and grades the alarm and outputs an early warning instruction that can guide action, and the feedback optimization module closes a self-learning loop in which the internal model parameters of each analysis unit are continuously and automatically adjusted according to feedback on the early warning effect. As a result, the system as a whole achieves a threat detection breadth and depth far exceeding those of any single analysis method, and the false alarm and missed report rates are remarkably reduced.
Inventors
- He Mingdong
- Li Bo
- Fu Gehua
- Liu Fengzheng
- Hu Yifan
- Li Xuewu
- Liang Zhanbu
Assignees
- 广东电网有限责任公司 (Guangdong Power Grid Co., Ltd.)
- 广东电网有限责任公司数智运营中心 (Guangdong Power Grid Co., Ltd. Digital Intelligence Operation Center)
Dates
- Publication Date: 2026-05-12
- Application Date: 2026-02-04
Claims (10)
- 1. A network security early warning system based on data association analysis, characterized by comprising an event standardization module, an association analysis module, an intelligent early warning module and a feedback optimization module, wherein the event standardization module is used for formatting multi-source heterogeneous security data and outputting a standard event sequence; the association analysis module is connected with the event standardization module and is used for carrying out multidimensional association analysis on the standard event sequence, and comprises a rule matching unit, a baseline analysis unit, a semantic reasoning unit and a fusion judging unit, the fusion judging unit being used for fusing the parallel output results of the rule matching unit, the baseline analysis unit and the semantic reasoning unit to generate a comprehensive alarm; the intelligent early warning module is connected with the association analysis module and is used for carrying out threat quantification and grading assessment on the comprehensive alarm and outputting early warning instructions; and the feedback optimization module is connected with both the intelligent early warning module and the association analysis module and is used for adaptively adjusting the internal models of the rule matching unit, the baseline analysis unit and the semantic reasoning unit according to early warning feedback information.
- 2. The network security early warning system based on data association analysis of claim 1, wherein the event standardization module is configured to parse raw data from network traffic probes, host agent logs and security device alarms, synchronize their timestamps and extract key fields, generating event objects with a uniform structure.
- 3. The network security early warning system based on data association analysis according to claim 1, wherein the rule matching unit contains a built-in rule base constructed on an attack chain model, the baseline analysis unit establishes a dynamic behavior baseline model through a machine learning method, and the semantic reasoning unit is associated with a network security knowledge graph containing the relationships among assets, vulnerabilities and threats.
- 4. The network security early warning system based on data association analysis as claimed in claim 1, wherein the fusion judging unit is configured to perform uncertainty modeling and synthesis calculation on the results from the different analysis units by adopting an evidence theory or a Bayesian inference model, and to assign a confidence score to the generated comprehensive alarm.
- 5. The network security early warning system based on data association analysis as set forth in claim 1, wherein the dimensions according to which the intelligent early warning module performs threat quantification and grading assessment on the comprehensive alarm include attack stage integrity, target asset value, vulnerability severity and abnormal behavior diffusion risk.
- 6. The network security early warning system based on data association analysis of claim 1, wherein the intelligent early warning module includes a dynamic weight adjustment mechanism whereby the weight coefficient of each evaluation dimension is automatically updated according to external threat intelligence or internal network asset change information input in real time.
- 7. The network security early warning system based on data association analysis of claim 1, wherein the adaptive adjustment logic of the feedback optimization module is: when an early warning is verified as a real threat, the weight of the analysis feature that triggered the early warning is strengthened in the corresponding internal model; when the early warning is confirmed as a false alarm, the analysis logic parameters that caused the false alarm are reduced or corrected.
- 8. The network security early warning system based on data association analysis of claim 1, further comprising a policy execution module connected to the intelligent early warning module for converting the early warning instructions into specific access control or isolation policies and issuing them to the relevant network security protection devices.
- 9. The network security early warning system based on data association analysis as set forth in claim 1, wherein the event standardization module comprises a data quality monitoring unit for evaluating the quality of the input data and adjusting the data cleaning or collection strategy according to the evaluation result.
- 10. A network security early warning method based on data association analysis, applicable to the network security early warning system based on data association analysis as claimed in any one of claims 1 to 9, characterized in that the working steps of the method are as follows: S1, multi-source heterogeneous data acquisition and standardization: multi-source heterogeneous security data are acquired from a network flow probe, a host agent, a firewall, an intrusion detection system and an external threat intelligence platform, and the event standardization module parses the raw data, synchronizes the timestamps, normalizes and extracts key fields, and generates a standard event sequence with unified format and semantics; S2, multidimensional association analysis and fusion judgment: the standard event sequence is input in parallel into the rule matching unit, the baseline analysis unit and the semantic reasoning unit of the association analysis module; the rule matching unit performs real-time pattern matching on the events against a preset rule base built on an attack chain model and outputs a rule alarm and its matching degree; the baseline analysis unit performs statistical analysis on the event sequence using a dynamic behavior baseline model, identifies abnormal events that deviate from the historical normal behavior pattern, and outputs an abnormal alarm and its deviation degree; the semantic reasoning unit performs association reasoning on the event context, asset attributes and threat relationships and outputs semantic alarm information; finally, the fusion judging unit calculates over the rule alarm, the abnormal alarm and the semantic alarm using a Bayesian inference model and generates a comprehensive alarm; S3, threat quantification and grading assessment: the intelligent early warning module performs comprehensive threat assessment on the comprehensive alarm in combination with the integrated threat intelligence, quantitatively computes an integrated risk value, and outputs an early warning instruction; and S4, strategy execution and closed-loop feedback optimization: the strategy execution module receives the early warning instruction, converts it into a specific network access control, flow isolation or terminal blocking strategy, and automatically transmits that strategy to the corresponding security protection equipment for execution; meanwhile, the feedback optimization module continuously collects verification feedback on the early warning instruction and external threat intelligence; when the early warning is verified as a real threat, the weight of the analysis feature that triggered it is strengthened in the corresponding internal model, and when the early warning is confirmed as a false alarm, the analysis logic parameter that caused it is reduced or corrected, so that adaptive adjustment of the internal models of the rule matching unit, the baseline analysis unit and the semantic reasoning unit is realized and the accuracy of subsequent analysis is optimized.
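As an added illustration (not code from the patent or its assignee), the following Python sketches how the fusion judging unit of claim 4, the threat quantification of claim 5 and the feedback rule of claim 7 could fit together for one standardized event sequence: each analysis unit is modelled by a hypothetical sensitivity and false-alarm rate, the three unit outputs are fused by Bayesian odds into a confidence score, that score is combined with weighted evaluation dimensions into a graded risk value, and analyst feedback adjusts the unit parameters. All unit parameters, dimension weights, grading thresholds and sample results are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class UnitModel:  # constructed per-unit parameters, not values from the patent
    sensitivity: float  # P(unit fires | real attack)
    false_rate: float   # P(unit fires | benign activity)

# Claim 5 dimensions: attack stage integrity, target asset value, vulnerability
# severity, abnormal behavior diffusion risk; weights are hypothetical (claim 6 tunes them).
DIM_WEIGHTS = {"stage": 0.35, "asset": 0.30, "vuln": 0.20, "diffusion": 0.15}
LEVELS = ((0.6, "critical"), (0.4, "high"), (0.2, "medium"), (0.0, "low"))  # constructed

class EarlyWarning:
    """Fusion judging (claim 4), quantification (claim 5), feedback (claim 7)."""
    def __init__(self, units, prior=0.05):
        self.units = units                       # name -> UnitModel
        self.prior_odds = prior / (1.0 - prior)  # assumed attack base rate

    def fuse(self, results):
        """results: name -> (fired, degree in [0,1]); returns P(attack) from the posterior odds."""
        odds = self.prior_odds
        for name, (fired, degree) in results.items():
            u = self.units[name]
            if fired:  # the matching/deviation degree scales the positive likelihood ratio
                odds *= (u.sensitivity / u.false_rate) ** degree
            else:      # a silent unit is weak negative evidence (negative likelihood ratio)
                odds *= (1.0 - u.sensitivity) / (1.0 - u.false_rate)
        return odds / (1.0 + odds)

    def quantify(self, confidence, dims):
        """Weighted sum over the claim 5 dimensions, scaled by fusion confidence."""
        risk = confidence * sum(w * dims[k] for k, w in DIM_WEIGHTS.items())
        return round(risk, 3), next(lbl for floor, lbl in LEVELS if risk >= floor)

    def feedback(self, results, real_threat, step=0.1):
        """Claim 7: a verified threat strengthens units that fired; a confirmed
        false alarm raises their estimated false rate (lowering their LR+)."""
        for name, (fired, _) in results.items():
            u = self.units[name]
            if fired and real_threat:
                u.sensitivity = min(0.99, u.sensitivity * (1.0 + step))
            elif fired:
                u.false_rate = min(0.5, u.false_rate * (1.0 + step))

def demo():
    """Constructed run: all three units fire at full degree on one event sequence."""
    ew = EarlyWarning({"rule": UnitModel(0.8, 0.1), "baseline": UnitModel(0.6, 0.2),
                       "semantic": UnitModel(0.7, 0.1)})
    conf = ew.fuse({name: (True, 1.0) for name in ew.units})
    return conf, ew.quantify(conf, {"stage": 0.8, "asset": 0.9, "vuln": 0.5, "diffusion": 0.2})
```

With the constructed parameters, three concurring units lift a 5% prior to roughly 0.90 confidence, while a rule-only hit that is later confirmed as a false alarm raises that unit's false rate and lowers the confidence it contributes next time.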
Description
Network security early warning system and method based on data association analysis
Technical Field
The invention relates to the technical field of network security, in particular to a network security early warning system and method based on data association analysis.
Background
At present, network attacks increasingly exhibit the advanced threat features of complexity, concealment and persistence. Traditional network security protection equipment generally raises alarms based on a single data source and static rules, which has obvious limitations. Firstly, the alarm log formats generated by the various security devices differ and are isolated from one another, so cross-device and cross-stage correlated attack clues are difficult to discover from a global view. Secondly, detection methods that depend on predefined signature rules have insufficient capability to recognize novel or variant attacks and a high miss rate, so alarm accuracy is low, false alarms flood in, and security operation and maintenance personnel are exhausted coping with them. The existing network security early warning systems based on data association analysis have the following defects: 1. The patent CN119363426A discloses a network security early warning system based on a knowledge graph, which relates to the technical field of network security and addresses the problems that knowledge-graph-based network security early warning systems on the current market are still scarce and have low early warning accuracy and poor real-time performance. That knowledge-graph-based system comprises a data preprocessing and knowledge extraction module, a knowledge graph construction and storage module, a threat detection and early warning analysis module and a self-adaptive learning and updating module.
That invention improves early warning accuracy: by constructing an accurate and comprehensive network security knowledge graph, the system can better understand the relationships and attack patterns among network entities. However, that document lacks the capability to automatically integrate multi-source heterogeneous data and relies on a single analysis method, which leads to the technical problem of a narrow threat detection perspective.
Disclosure of Invention
The invention aims to provide a network security early warning system and method based on data association analysis so as to solve the technical problems identified in the background. To achieve this aim, the network security early warning system based on data association analysis comprises an event standardization module, an association analysis module, an intelligent early warning module and a feedback optimization module, wherein the event standardization module is used for formatting multi-source heterogeneous security data and outputting a standard event sequence; the association analysis module is connected with the event standardization module and is used for carrying out multidimensional association analysis on the standard event sequence, and comprises a rule matching unit, a baseline analysis unit, a semantic reasoning unit and a fusion judging unit, the fusion judging unit being used for fusing the parallel output results of the rule matching unit, the baseline analysis unit and the semantic reasoning unit to generate a comprehensive alarm; the intelligent early warning module is connected with the association analysis module and is used for carrying out threat quantification and grading assessment on the comprehensive alarm and outputting early warning instructions; and the feedback optimization module is connected with both the intelligent early warning module and the association analysis module and is used for adaptively adjusting the internal models of the rule matching unit, the baseline analysis unit and the semantic reasoning unit according to early warning feedback information. Preferably, the event standardization module is configured to parse raw data from the network traffic probe, the host agent log and the security device alarm, synchronize their timestamps and extract key fields, and generate an event object with a unified structure. Preferably, the rule matching unit contains a built-in rule base constructed on an attack chain model, the baseline analysis unit establishes a dynamic behavior baseline model through a machine learning method, and the semantic reasoning unit is associated with a network security knowledge graph containing the relationship of the asset, the vulnerab