
CN-122027352-A - Network security defense strategy accurate evaluation and protection effect quantitative analysis method and system


Abstract

The application provides a method and a system for precisely evaluating network security defense strategies and quantitatively analyzing their protection effect, and relates to the technical field of network security analysis. The method first acquires real-time attack data and strategy execution records from a target network environment; second, it performs disturbance analysis on the real-time attack data through a pre-trained analog model to obtain abnormal features that represent attack intention; third, it constructs a response track from the strategy execution records and performs association analysis between the response track and the abnormal features to generate an effect profile of the defense strategy; fourth, it collects key state data and calculates a stability index of the protection effect from the effect profile; finally, it reversely adjusts the strategy parameters that generate the response track according to the stability index. The technical scheme not only realizes a data-driven closed loop from attack-intention feature extraction to self-adaptive adjustment of defense strategy parameters, but also improves the accuracy and dynamic adaptability of network security defense.

Inventors

  • Lv Zhuo
  • Chen Cen
  • Li Yan
  • Zhang Yimeng
  • Wu Tongle
  • Sun Tuo
  • Jin Zhenduo
  • Wang Ziyu

Assignees

  • 国网河南省电力公司电力科学研究院 (State Grid Henan Electric Power Research Institute)
  • 国网河南省电力公司 (State Grid Henan Electric Power Company)
  • 国家电网有限公司 (State Grid Corporation of China)
  • 华清未央(北京)科技有限公司 (Huaqing Weiyang (Beijing) Technology Co., Ltd.)

Dates

Publication Date
2026-05-12
Application Date
2026-04-09

Claims (10)

  1. A method for precisely evaluating a network security defense strategy and quantitatively analyzing its protection effect, characterized by comprising the following steps: acquiring real-time attack data and strategy execution records in a target network environment, wherein the real-time attack data comprises an abnormal operation sequence; performing disturbance analysis on the real-time attack data through a pre-trained analog model to obtain abnormal features representing attack intention; constructing a response track of the defense strategy based on the strategy execution records, performing association analysis on the response track and the abnormal features, and generating an effect profile of the defense strategy according to the association analysis result; acquiring key state data in the target network environment, and calculating a stability index of the protection effect according to the effect profile; and reversely adjusting the strategy parameters that generate the response track according to the stability index.
  2. The method of claim 1, wherein performing disturbance analysis on the real-time attack data through a pre-trained analog model to obtain abnormal features representing attack intention comprises: acquiring the abnormal operation sequence in the real-time attack data, and reconstructing the abnormal operation sequence into a continuous behavior chain; injecting a virtual disturbance signal into the continuous behavior chain by means of the analog model, and tracking the propagation state of the virtual disturbance signal in the behavior chain; resolving an interaction mode between the virtual disturbance signal and the inherent signal of the behavior chain according to the propagation state; and extracting from the behavior chain, according to the interaction mode, a pattern that remains stable under the injection of different virtual disturbance signals, and taking that pattern as the abnormal feature representing attack intention.
  3. The method of claim 1, wherein constructing a response track of the defense strategy based on the strategy execution records, performing association analysis on the response track and the abnormal features, and generating an effect profile of the defense strategy according to the association analysis result comprises: extracting defense action nodes from the strategy execution record in the time order recorded therein, and connecting consecutive defense action nodes to form the response track of the defense strategy; mapping the action object of each defense action node in the response track to the behavior unit with the corresponding timestamp in the behavior chain, and determining the association state of each defense action node acting on its behavior unit according to whether that behavior unit contains the abnormal features; summarizing the association states of all defense action nodes to form a coverage record of the defense strategy with respect to the abnormal features; and generating, from the coverage record, an effect profile reflecting the dynamic relationship between the defense strategy and the attack intention over the complete time span of the behavior chain.
  4. The method of claim 3, wherein generating, from the coverage record, an effect profile reflecting the dynamic relationship between the defense strategy and the attack intention over the complete time span of the behavior chain comprises: analyzing the coverage record, identifying association success segments in which a defense action node successfully corresponds to a behavior unit containing the abnormal features, and identifying association missing segments in which a behavior unit contains the abnormal features but no defense action node corresponds to it; calculating the success intensity of each association success segment from the number of corresponding defense action nodes in the segment and the number of abnormal features contained in its behavior unit; calculating the missing intensity of each association missing segment from the number of abnormal features contained in its behavior units; combining the success intensities of the association success segments and the missing intensities of the association missing segments in the time order of the behavior chain to form a sequence of profile units arranged in time; and generating, from the time-ordered sequence of profile units, an effect profile that covers the complete time span of the behavior chain and reflects the dynamic relationship between the defense strategy and the attack intention.
  5. The method of claim 1, wherein acquiring key state data in the target network environment and calculating a stability index of the protection effect according to the effect profile comprises: acquiring, from the target network environment, indicators reflecting the system operating load and the security situation as the key state data; matching and binding the key state data to the profile unit at the corresponding time point on the effect profile according to the timestamps at which they were generated; for each profile unit whose binding is completed, calculating a unit stability value of that profile unit in the current system state in combination with the key state data bound to it; synthesizing the unit stability values of all profile units in the time order of the behavior chain to generate a synthesized sequence; and performing a consistency measurement on the synthesized sequence to obtain the stability index of the protection effect.
  6. The method of claim 5, wherein, for each profile unit whose binding is completed, calculating a unit stability value of that profile unit in the current system state in combination with the key state data bound to it comprises: analyzing the key state data bound to the profile unit to obtain a specific numerical value of the system operating load and a quantized score reflecting the security situation; determining whether the profile unit is formed from the success intensity of an association success segment or from the missing intensity of an association missing segment; if the profile unit is formed from the success intensity of an association success segment, superimposing the success intensity and the quantized security-situation score in the positive direction and then performing a reduction calculation with the specific numerical value of the system operating load to obtain the unit stability value of the profile unit; and if the profile unit is formed from the missing intensity of an association missing segment, amplifying the missing intensity in association with the specific numerical value of the system operating load and then offsetting the result against the quantized security-situation score to obtain the unit stability value of the profile unit.
  7. The method of claim 1, wherein reversely adjusting the strategy parameters that generate the response track according to the stability index comprises: comparing the stability index with a preset stability threshold; if the stability index is lower than the stability threshold, locating in the effect profile the target profile units whose unit stability value is lower than the overall average level; determining, from the correspondence between the effect profile and the behavior chain, the target association success segment or target association missing segment associated with each target profile unit; backtracking to the response track of the defense strategy and finding the target defense action node corresponding in time to the target association success segment or target association missing segment; calculating a correction amount for the strategy parameters of the target defense action node from the difference between the unit stability value of the target profile unit and the overall average level; and updating the strategy parameters of the target defense action node with the correction amount.
  8. A system for precisely evaluating a network security defense strategy and quantitatively analyzing its protection effect, characterized by comprising: an acquisition module configured to acquire real-time attack data and strategy execution records in a target network environment, wherein the real-time attack data comprises an abnormal operation sequence; an analysis module configured to perform disturbance analysis on the real-time attack data through a pre-trained analog model to obtain abnormal features representing attack intention; a construction module configured to construct a response track of the defense strategy based on the strategy execution records, perform association analysis on the response track and the abnormal features, and generate an effect profile of the defense strategy according to the association analysis result; a collection module configured to acquire key state data in the target network environment and calculate a stability index of the protection effect according to the effect profile; and an adjustment module configured to reversely adjust the strategy parameters that generate the response track according to the stability index.
  9. A computing device, characterized by comprising a processing component and a storage component, wherein the storage component stores one or more computer instructions, and the one or more computer instructions are invoked and executed by the processing component to implement the method for precisely evaluating a network security defense strategy and quantitatively analyzing its protection effect according to any one of claims 1 to 7.
  10. A computer storage medium storing a computer program which, when executed by a computer, implements the method for precisely evaluating a network security defense strategy and quantitatively analyzing its protection effect according to any one of claims 1 to 7.
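The following block is an added worked example, written for this page and not code from the patent or its assignees. It runs the closed loop of claims 3 to 7 (restated again in the Description) on a constructed behavior chain and response track: it builds the coverage record, derives the effect profile with success and missing intensities, binds key state data (operating load and a security-situation score) by timestamp to obtain unit stability values, measures the consistency of that sequence as a stability index, and, when the index falls below a threshold, backtracks to the responsible defense action nodes and corrects a strategy parameter. The claims describe every numeric step only qualitatively, so each formula (product of node count and feature count for success intensity, division by load for "reduction", the 1/(1+std dev) consistency measure, the threshold of 0.6, the gain of 0.1, the `weight` parameter, and the fallback to the most recent preceding node when a missing segment has no node of its own) is an assumption of this example. The disturbance analysis of claim 2 is not modeled: abnormal features are supplied directly as input.

```python
# Added example for claims 3-7: coverage record -> effect profile -> unit stability
# values -> stability index -> feedback correction. Numeric formulas are assumptions;
# the patent describes these steps only qualitatively.
import copy
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class BehaviorUnit:
    ts: int                 # timestamp in the reconstructed behavior chain
    features: frozenset     # abnormal features (attack intent) found in this unit

@dataclass
class DefenseNode:
    ts: int                 # timestamp from the strategy execution record
    action: str
    params: dict = field(default_factory=lambda: {"weight": 1.0})  # hypothetical parameter

def build_coverage_record(chain, track):
    """Claim 3: pair nodes with same-timestamp units; a feature-carrying unit is an
    association success if a node acted on it, otherwise an association missing segment."""
    nodes_by_ts = {}
    for node in track:
        nodes_by_ts.setdefault(node.ts, []).append(node)
    record = []
    for unit in sorted(chain, key=lambda u: u.ts):
        if unit.features:                      # units without attack intent need no cover
            nodes = nodes_by_ts.get(unit.ts, [])
            record.append(("success" if nodes else "missing", unit, nodes))
    return record

def build_effect_profile(record):
    """Claim 4: success intensity = nodes x features (product assumed);
    missing intensity = number of uncovered features."""
    profile = []
    for kind, unit, nodes in record:
        intensity = len(nodes) * len(unit.features) if kind == "success" else len(unit.features)
        profile.append({"ts": unit.ts, "kind": kind, "intensity": intensity, "nodes": nodes})
    return profile

def unit_stability(cell, load, score):
    """Claim 6 (assumed formulas): success units add the security score and are reduced
    by load; missing units are amplified by load and offset against the score."""
    if cell["kind"] == "success":
        return (cell["intensity"] + score) / (1.0 + load)
    return score - cell["intensity"] * (1.0 + load)

def stability_index(profile, state):
    """Claim 5: bind (load, score) to each profile unit by timestamp, then measure the
    consistency of the unit-value sequence as 1 / (1 + population std dev) (assumed)."""
    values = []
    for cell in profile:
        load, score = state[cell["ts"]]
        cell["value"] = unit_stability(cell, load, score)
        values.append(cell["value"])
    return 1.0 / (1.0 + pstdev(values)), values

def nodes_in_time(cell, track):
    """Claim 7 backtracking: the nodes at the unit's own timestamp, or (assumed fallback
    for a missing segment) the most recent nodes before it."""
    if cell["nodes"]:
        return cell["nodes"]
    earlier = [n for n in track if n.ts < cell["ts"]]
    return [n for n in earlier if n.ts == max(e.ts for e in earlier)] if earlier else []

def adjust_policy(profile, track, index, threshold=0.6, gain=0.1):
    """Claim 7: below the threshold, correct the node(s) behind every profile unit under
    the overall average by gain x (average - value); threshold and gain are assumptions."""
    if index >= threshold:
        return []
    avg = mean(c["value"] for c in profile)
    corrections = []
    for cell in profile:
        if cell["value"] < avg:
            delta = gain * (avg - cell["value"])
            for node in nodes_in_time(cell, track):
                node.params["weight"] += delta
                corrections.append((cell["ts"], node.action, round(delta, 4)))
    return corrections

# Constructed sample data, not taken from the patent; STATE maps ts -> (load, security score).
CHAIN = [BehaviorUnit(1, frozenset()), BehaviorUnit(2, frozenset({"lateral_move"})),
         BehaviorUnit(3, frozenset({"lateral_move", "c2_beacon"})),
         BehaviorUnit(4, frozenset({"c2_beacon"})), BehaviorUnit(5, frozenset()),
         BehaviorUnit(6, frozenset({"exfil"}))]
TRACK = [DefenseNode(2, "block_ip"), DefenseNode(3, "isolate_host"),
         DefenseNode(3, "kill_process"), DefenseNode(5, "rotate_creds")]
STATE = {2: (0.2, 0.8), 3: (0.5, 0.6), 4: (0.9, 0.4), 6: (0.3, 0.7)}

def run_pipeline(chain=CHAIN, track=TRACK, state=STATE):
    """One pass of the closed loop on a private copy of the track; returns the
    stability index, the unit values and the corrections applied."""
    track = copy.deepcopy(track)
    profile = build_effect_profile(build_coverage_record(chain, track))
    index, values = stability_index(profile, state)
    return index, values, adjust_policy(profile, track, index)

if __name__ == "__main__":
    idx, vals, corr = run_pipeline()
    print(f"stability index = {idx:.3f}; corrections = {corr}")
```

On the constructed data the two uncovered units (the `c2_beacon` at ts=4 and the `exfil` at ts=6) receive negative unit values, the index drops well below the threshold, and the correction lands on the nodes nearest in time to those gaps (the two ts=3 actions and `rotate_creds`), which is the behaviour claim 7 describes: the parameters being tuned are those of the actions that sat closest to the missed attack intent, not a global knob. Because the effect profile is a plain list of dicts, a practitioner can swap in their own intensity or consistency formulas without touching the binding and backtracking logic.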

Description

Network security defense strategy accurate evaluation and protection effect quantitative analysis method and system

Technical Field

The application relates to the technical field of network security analysis, and in particular to a method and a system for precisely evaluating network security defense strategies and quantitatively analyzing their protection effect.

Background

As network attacks become increasingly dynamic and better at concealing their intent, accurately evaluating network security defense strategies and quantifying their protection effect has become an urgent technical requirement for guaranteeing the stable operation of key information systems. One current technical approach to this requirement is an evaluation method based on a machine learning model: a model is trained to learn the mapping between historical attack and defense data and then used to predict and score the protection effect of the current defense strategy. This method still has a defect: the evaluation depends heavily on the completeness and static character of the training data, so in a continuously changing network environment it is difficult to quantify accurately the real-time matching degree and cooperative relationship between the defense strategy and a dynamically evolving attack intention. As a result, the evaluation result fluctuates widely when facing novel or complex attacks and cannot provide a stable, reliable basis for precise adjustment and optimization of the strategy.

Disclosure of Invention

The application provides a method and a system for precisely evaluating network security defense strategies and quantitatively analyzing their protection effect, to solve the prior-art problems of insufficient accuracy in defense effect evaluation and poor stability of the evaluation result in a dynamic adversarial environment.
In a first aspect, the application provides a method for precisely evaluating network security defense strategies and quantitatively analyzing their protection effect, including: acquiring real-time attack data and strategy execution records in a target network environment, wherein the real-time attack data comprises an abnormal operation sequence; performing disturbance analysis on the real-time attack data through a pre-trained analog model to obtain abnormal features representing attack intention; constructing a response track of the defense strategy based on the strategy execution records, performing association analysis on the response track and the abnormal features, and generating an effect profile of the defense strategy according to the association analysis result; acquiring key state data in the target network environment, and calculating a stability index of the protection effect according to the effect profile; and reversely adjusting the strategy parameters that generate the response track according to the stability index. Optionally, performing disturbance analysis on the real-time attack data through a pre-trained analog model to obtain abnormal features representing attack intention includes: acquiring the abnormal operation sequence in the real-time attack data, and reconstructing the abnormal operation sequence into a continuous behavior chain; injecting a virtual disturbance signal into the continuous behavior chain by means of the analog model, and tracking the propagation state of the virtual disturbance signal in the behavior chain; resolving an interaction mode between the virtual disturbance signal and the inherent signal of the behavior chain according to the propagation state; and extracting from the behavior chain, according to the interaction mode, a pattern that remains stable under the injection of different virtual disturbance signals, and taking that pattern as the abnormal feature representing attack intention.
Optionally, constructing a response track of the defense strategy based on the strategy execution records, performing association analysis on the response track and the abnormal features, and generating an effect profile of the defense strategy according to the association analysis result includes: extracting defense action nodes from the strategy execution record in the time order recorded therein, and connecting consecutive defense action nodes to form the response track of the defense strategy; mapping the action object of each defense action node in the response track to the behavior unit with the corresponding timestamp in the behavior chain, and determining the association state of each defense action node acting on its behavior unit according to whether that behavior unit contains the abnormal features; summarizing the association states of all defense action nodes to form a coverage record of the defense strategy with respect to the abnormal characterist