
Research And Application Of Key Technologies For Intelligent Analysis Of Network Security Situation

Posted on: 2021-01-16
Degree: Master
Type: Thesis
Country: China
Candidate: Q Chang
Full Text: PDF
GTID: 2428330623968167
Subject: Computer Science and Technology
Abstract/Summary:
Research on the network security situation is significant for decision-making in network management, control and maintenance. Mining network security situation information aims at analyzing the various data generated and aggregated on the network and extracting key index information that can intuitively measure the network status, so as to provide a basis for decision-making. At present, the analysis technology and evaluation systems of network security are becoming more and more mature, but the following deficiencies still exist:

(1) Singleness of data source for cyber attack detection: At present, the detection of network security is mainly focused on the analysis of traffic data or network alarm log data. The data source is relatively one-sided, so attack features are lacking and the accuracy of attack detection cannot be improved.

(2) Network structural characteristics are ignored in cyber threat identification: In the identification of network threats, the threats usually show regional characteristics because of the propagation characteristics of the attacks. The regional characteristics of cyber threats are related not only to the characteristics of the cyber attack itself, but also to the network structure.

(3) Lack of network topology prediction and security research: At present, research on the network security situation is focused on data mining, but research on the correlation between network structure and security is lacking.

In order to solve the above problems, this thesis analyzes and evaluates the network security situation from three aspects: network attack situation, network node situation, and network topology situation. The main research contents are as follows:

(1) A network attack event detection method that correlates raw traffic and log data is studied: In order to improve the accuracy of network attack detection and extract network attack events, a method is proposed that detects attack events through association rules between the traffic and the original log data. According to the potential causal relationship between traffic and logs, data association rules are formulated, and the traffic and log feature attributes that can reflect the attack are extracted. Bi-LSTM is used to learn the dependencies between feature attributes and perform network attack event detection.

(2) A threat region recognition model based on network representation learning is proposed: In order to mine the threat propagation area of the network equipment that the attack event has occupied, a threat area identification model based on network representation learning is proposed. According to the attack feature attributes associated with the attack event, such as vulnerability, attack information and vulnerability information, combined with network topology structure features, such as the reachability probability between nodes, an abstract representation of the node feature attributes that can reflect the strength of the threat association between nodes is extracted through the network representation learning algorithm TADW. Based on this, a clustering operation is performed to obtain the distribution of threat strength measured from the distance between the host and the attacked host.

(3) A lost link prediction algorithm for network topology is proposed and the relationship between attack and network topology is studied: In order to study the local and macro effects of network attacks on the network topology, at the local level, by analyzing the causal relationship between the appearance of node attribute information and the disappearance of links, a vanishing link prediction algorithm based on the calculation of node attribute information is proposed to predict the probability of local link damage under attack. At the overall level, analyzing the damage to the macro laws of the network structure under attack reflects the characteristics of the overall structure of the attack, which has guiding significance for the assessment of the network security situation.

(4) In order to comprehensively measure the network security situation, a network security situation assessment method based on the fusion of network information and structure is proposed. The threat index value of network node information and the network structure destruction index value from the first three parts are fused and calculated to finally obtain the network security situation.
Keywords/Search Tags:network security situation, correlation analysis, network representation learning