
CN-122027283-A - Computer network security assessment method and system


Abstract

The invention belongs to the technical field of network security and provides a computer network security assessment method and system. Time-stamped connection establishment request data of a target network is collected, multi-dimensional dynamic characteristics of the connection establishment process are extracted, and a dynamic baseline of normal connection establishment behavior is built and maintained per network context dimension (network topology position and the like). Real-time multi-dimensional dynamic characteristics are compared with the corresponding baselines to generate abnormal deviation indexes; these indexes are associated with session state data to distinguish malicious connection establishment behavior from legitimate service fluctuation; and the combined result is used to assess and score the security situation of each logical unit of the network, to locate security events with the aid of network topology information, and to generate early warning information. The invention thus realizes multi-dimensional feature mining and refined baseline matching of network connection behavior, accurately separates network anomalies from service fluctuation, improves the accuracy of security assessment, enables precise location and early warning of security events, and effectively safeguards the secure operation of the network.

Inventors

  • GUO CUILING
  • XING XIN
  • LIU LU
  • LI YING

Assignees

  • 山东铝业职业学院

Dates

Publication Date
2026-05-12
Application Date
2026-02-12

Claims (8)

  1. A computer network security assessment method, the method comprising: collecting connection establishment request data of a target network, wherein the connection establishment request data comprises protocol units with time stamps; extracting, based on the connection establishment request data, multi-dimensional dynamic characteristics of the connection establishment process, wherein the multi-dimensional dynamic characteristics comprise rhythm characteristics, interval distribution characteristics, burstiness statistical characteristics and sequence entropy characteristics of connection establishment events; establishing and maintaining dynamic normal connection establishment behavior baselines for different network context dimensions according to the multi-dimensional dynamic characteristics of historical time periods, wherein the network context dimensions comprise network topology position, service port, protocol type and time period; acquiring real-time multi-dimensional dynamic characteristics for connection establishment request data collected in real time, and comparing them with the normal connection establishment behavior baselines of the corresponding network context dimensions to generate abnormal deviation indexes; acquiring session state data corresponding to the connection establishment request data, performing association analysis on the abnormal deviation indexes and the session state data, and distinguishing malicious connection establishment behavior from legitimate service fluctuation, wherein the session state data comprises connection success rate, session duration and basic flow profile; and integrating the abnormal deviation indexes and the association analysis result, assessing and scoring the security situation of each logical unit of the network, and locating security events and generating early warning information in combination with the network topology information of the target network.
  2. The method according to claim 1, wherein collecting connection establishment request data of the target network comprises: deploying data acquisition probes at network entry boundaries, core switching nodes and key service access points; configuring the data acquisition probes to capture and filter the SYN message of the TCP three-way handshake and the ClientHello message of the TLS handshake, forming the original connection establishment request data; and adding a time stamp to each captured SYN message and each captured ClientHello message to form a protocol unit with a time stamp, and arranging and caching the protocol units in time-stamp order to construct a time sequence stream of connection establishment request data.
  3. The method of claim 2, wherein extracting the multi-dimensional dynamic characteristics of the connection establishment process based on the connection establishment request data comprises: analyzing the time sequence stream, counting the pattern of change in the number of protocol units within a preset time window, and extracting the rhythm characteristics; calculating the differences between the time stamps of adjacent protocol units in the time sequence stream to form a time interval sequence, fitting a probability distribution to the time interval sequence, and extracting the interval distribution characteristics; identifying dense time periods in the time sequence stream in which the arrival rate of protocol units is above the average level, computing the ratio of the number of protocol units in each dense time period to the length of that period, and extracting the burstiness statistical characteristics; and converting the target port information of the protocol units in the time sequence stream into a symbol sequence, calculating the information entropy of the symbol sequence, and extracting the sequence entropy characteristics.
  4. The method of claim 3, wherein establishing and maintaining dynamic normal connection establishment behavior baselines for different network context dimensions based on the multi-dimensional dynamic characteristics of the historical time periods comprises: classifying and aggregating the multi-dimensional dynamic characteristics extracted in the historical time periods along multiple dimensions, namely the network topology position, service port, protocol type and time-stamp time period of the protocol units from which they were extracted; and statistically modeling the aggregated historical multi-dimensional dynamic characteristics of each multi-dimensional classification combination to form a probability distribution model describing the normal fluctuation range of each characteristic under that combination, the set of probability distribution models forming the normal connection establishment behavior baseline.
  5. The method of claim 4, wherein acquiring real-time multi-dimensional dynamic characteristics for the connection establishment request data collected in real time, comparing them with the normal connection establishment behavior baselines of the corresponding network context dimensions, and generating the abnormal deviation index comprises: classifying the network topology position, target service port, protocol type and current time period of the protocol units in the connection establishment request data collected in real time into the corresponding network context dimension combination, and acquiring the real-time multi-dimensional dynamic characteristics; looking up the corresponding probability distribution model in the normal connection establishment behavior baseline according to that network context dimension combination; and calculating the deviation distance of each characteristic value in the real-time multi-dimensional dynamic characteristics relative to the corresponding probability distribution model of the baseline, and fusing the deviation distances by weighting to generate the abnormal deviation index.
  6. The method of claim 5, wherein obtaining the session state data corresponding to the connection establishment request data, performing association analysis on the abnormal deviation index and the session state data, and distinguishing malicious connection establishment behavior from legitimate traffic fluctuation comprises: tracking the complete network session initiated by each protocol unit in the connection establishment request data collected in real time, and extracting the session state data; correlating the abnormal deviation index with the connection success rate, and identifying session clusters whose abnormal deviation index exceeds the threshold and whose connection success rate is below a preset threshold; and analyzing the complete network sessions corresponding to connection establishment request data whose abnormal deviation index exceeds the threshold, checking whether the duration of the complete network session deviates from the conventional duration, checking whether the similarity between the basic flow profile and the typical service flow model of the corresponding service port deviates from a preset similarity threshold, and judging the network session to be malicious connection establishment behavior if either the duration deviates from the conventional duration or the similarity deviates from the preset similarity threshold.
  7. The method of claim 6, wherein assessing and scoring the security situation of each logical unit of the network and locating security events and generating early warning information in combination with the network topology information of the target network comprises: assigning a basic risk score to each network logical unit according to the value of the abnormal deviation index; correcting the basic risk score according to the result of the association analysis, wherein, if the association analysis judges the session to be malicious connection establishment behavior, a first adjustment amount is calculated from the degree to which the duration of the complete network session deviates from the conventional duration interval and a second adjustment amount from the degree to which the similarity deviates from the preset similarity threshold; marking the network logical units whose security situation score is below a preset score threshold as abnormal units, and analyzing the connection relationships and logical positions among the abnormal units in combination with the network topology information of the target network; and inferring the potential source points and scope of influence of the security event from the distribution, security situation scores and logical positions of the abnormal units, and generating early warning information.
  8. A computer network security assessment system, the system comprising: a connection request data acquisition module for acquiring connection establishment request data of a target network, wherein the connection establishment request data comprises protocol units with time stamps; a dynamic feature extraction module for extracting multi-dimensional dynamic characteristics of the connection establishment process based on the connection establishment request data, wherein the multi-dimensional dynamic characteristics comprise rhythm characteristics, interval distribution characteristics, burstiness statistical characteristics and sequence entropy characteristics of connection establishment events; a normal connection behavior baseline maintenance module for establishing and maintaining dynamic normal connection establishment behavior baselines for different network context dimensions according to the multi-dimensional dynamic characteristics of historical time periods, wherein the network context dimensions comprise network topology position, service port, protocol type and time period; a real-time characteristic acquisition and comparison module for acquiring real-time multi-dimensional dynamic characteristics for connection establishment request data collected in real time, and comparing them with the normal connection establishment behavior baselines of the corresponding network context dimensions to generate abnormal deviation indexes; a session state data association analysis module for acquiring session state data corresponding to the connection establishment request data, performing association analysis on the abnormal deviation indexes and the session state data, and distinguishing malicious connection establishment behavior from legitimate service fluctuation, wherein the session state data comprises connection success rate, session duration and basic flow profile; and a security situation assessment and early warning module for integrating the abnormal deviation indexes and the association analysis result, assessing and scoring the security situation of each logical unit of the network, and locating security events and generating early warning information in combination with the network topology information of the target network.
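As an added illustration of claims 3 to 6 (example code written for this page, not the patent's own implementation), the following Python sketch computes the four feature types from time-stamped (timestamp, target port) protocol units, builds a mean and standard-deviation baseline per network context combination, fuses per-feature deviation distances into an abnormal deviation index, and then uses session state data to separate a legitimate traffic surge from malicious connection establishment behavior. The window size, sigma floor, fusion weights, thresholds, context key and all sample captures and session states are constructed assumptions.

```python
import math
from collections import Counter
from statistics import mean, pstdev
WINDOW_S = 1.0       # assumed preset time window for rhythm and burstiness
SIGMA_FLOOR = 0.05   # assumed floor so a zero-variance baseline feature cannot divide by zero
WEIGHTS = {"rhythm": 0.3, "interval": 0.2, "burst": 0.3, "entropy": 0.2}  # assumed fusion weights

def features(units):
    """Claim 3 features of one context's time sequence stream [(timestamp_s, dst_port), ...]."""
    ts = sorted(t for t, _ in units)
    counts = Counter(int(t // WINDOW_S) for t in ts)          # protocol units per time window
    rhythm = max(counts.values())                              # peak units in any one window
    gaps = [b - a for a, b in zip(ts, ts[1:])]                 # adjacent time-stamp differences
    interval = mean(gaps) if gaps else 0.0
    dense = [c for c in counts.values() if c > len(ts) / len(counts)]  # windows above average rate
    burst = sum(dense) / (len(dense) * WINDOW_S) if dense else 0.0     # units per dense second
    port_counts = Counter(p for _, p in units)                 # target-port symbol sequence
    entropy = -sum(n / len(units) * math.log2(n / len(units)) for n in port_counts.values())
    return {"rhythm": rhythm, "interval": interval, "burst": burst, "entropy": entropy}

def build_baseline(history):
    """Claim 4: {context_key: [feature dicts]} -> {context_key: {feature: (mu, sigma)}}."""
    return {key: {f: (mean(r[f] for r in rows), max(pstdev(r[f] for r in rows), SIGMA_FLOOR))
                  for f in WEIGHTS} for key, rows in history.items()}

def deviation_index(feat, model):
    """Claim 5: weighted fusion of each feature's distance from its baseline distribution."""
    return sum(WEIGHTS[f] * abs(feat[f] - mu) / sd for f, (mu, sd) in model.items())

def classify(dev, session, dev_thr=3.0, success_thr=0.5, duration_rng=(0.5, 60.0), sim_thr=0.6):
    """Claim 6 association; session = {success_rate, duration, similarity}; thresholds assumed."""
    if dev <= dev_thr:
        return "normal"
    if (session["success_rate"] < success_thr or session["similarity"] < sim_thr
            or not duration_rng[0] <= session["duration"] <= duration_rng[1]):
        return "malicious"
    return "fluctuation"   # high deviation but healthy sessions: legitimate service fluctuation

def regular(n, spacing, ports):   # constructed sample: n evenly spaced units cycling the ports
    return [(i * spacing, ports[i % len(ports)]) for i in range(n)]

CONTEXT = ("dmz-edge", "web", "tcp", "business-hours")     # constructed context combination
BASELINE = build_baseline({CONTEXT: [features(regular(20, 0.5, [443, 80])), features(
    regular(30, 0.5, [443, 80, 443])), features(regular(40, 0.25, [443, 80]))]})
NORMAL = regular(20, 0.5, [443, 80])                       # constructed live captures
SURGE = regular(80, 0.125, [443])                          # eight times the usual rate, one service
ANOMALOUS = [(i / 100, 1000 + i) for i in range(150)] + [(2.0 + i * 0.5, 443) for i in range(10)]
HEALTHY = {"success_rate": 0.98, "duration": 5.0, "similarity": 0.9}   # constructed session states
FAILING = {"success_rate": 0.05, "duration": 0.1, "similarity": 0.1}

def assess(units, session):
    """One live capture end to end: features -> deviation index -> session association."""
    dev = deviation_index(features(units), BASELINE[CONTEXT])
    return dev, classify(dev, session)
```

Both SURGE and ANOMALOUS score far above the deviation threshold; only the session state data decides which one is reported as malicious, which is the point of claim 6.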

Description

Computer network security assessment method and system

Technical Field

The invention belongs to the technical field of network security, and in particular relates to a computer network security assessment method and system.

Background

Computer network technology is developing rapidly: network scale keeps growing, application scenarios keep multiplying, the complexity of network connections keeps rising, and malicious network attacks are frequent, so the demands on the targeting and accuracy of network security protection keep increasing. Network security assessment, as a core link of the network security protection system, is the key to identifying network anomalies in time and preventing malicious attacks, and the industry continues to explore assessment techniques that better match the actual operating state of a network in order to improve the initiative and effectiveness of network security protection.

Existing computer network security assessment schemes monitor one or a few characteristics of network connections against preset fixed thresholds and judge network anomalies from the deviation between real-time data and those thresholds. Some schemes build a network behavior baseline from historical data, but it is mostly a single global static model that is not refined according to the different scenarios in which the network operates; anomalies are judged only from characteristic data of the connection establishment stage, without deeper analysis in combination with subsequent network session state data; and the network security risk level is judged simply from the degree of characteristic deviation.

Disclosure of Invention

The invention aims to provide a computer network security assessment method and system that solve the technical problems of the prior art identified in the background. The invention is embodied in a computer network security assessment method comprising: collecting connection establishment request data of a target network, wherein the connection establishment request data comprises protocol units with time stamps; extracting, based on the connection establishment request data, multi-dimensional dynamic characteristics of the connection establishment process, wherein the multi-dimensional dynamic characteristics comprise rhythm characteristics, interval distribution characteristics, burstiness statistical characteristics and sequence entropy characteristics of connection establishment events; establishing and maintaining dynamic normal connection establishment behavior baselines for different network context dimensions according to the multi-dimensional dynamic characteristics of historical time periods, wherein the network context dimensions comprise network topology position, service port, protocol type and time period; acquiring real-time multi-dimensional dynamic characteristics for connection establishment request data collected in real time, and comparing them with the normal connection establishment behavior baselines of the corresponding network context dimensions to generate abnormal deviation indexes; acquiring session state data corresponding to the connection establishment request data, performing association analysis on the abnormal deviation indexes and the session state data, and distinguishing malicious connection establishment behavior from legitimate service fluctuation, wherein the session state data comprises connection success rate, session duration and basic flow profile; and integrating the abnormal deviation indexes and the association analysis result, assessing and scoring the security situation of each logical unit of the network, and locating security events and generating early warning information in combination with the network topology information of the target network.

As a further aspect of the present invention, collecting connection establishment request data of the target network includes: deploying data acquisition probes at network entry boundaries, core switching nodes and key service access points; configuring the data acquisition probes to capture and filter the SYN message of the TCP three-way handshake and the ClientHello message of the TLS handshake, forming the original connection establishment request data; and adding a time stamp to each captured SYN message and each captured ClientHello message to form a protocol unit with a time stamp, and arranging and caching the protocol units in time-stamp order to construct a time sequence stream of connection establishment request data.

As a further aspect of the present invention, extracting the multi-dimensional dynamic characteristics of the connection establishment process based on the connection establishment request data in