Technical Field
The present invention relates to the technical field of network security detection, and in particular to a network security detection system based on data visualization.
Background Art
With the rapid development and popularization of the Internet, network security problems have become increasingly prominent. Hacker attacks, malware and data leaks have become major threats to enterprises and individuals. To protect network systems from these threats, network security detection systems have become essential.
Traditional network security detection methods rely mainly on signature-based detection, which identifies and blocks known threats by matching against a library of known malicious code. However, with the continuous mutation of malware and the emergence of new attack techniques, signature-based detection has become inadequate.
Moreover, existing network security monitoring methods have the following problems:
Problem 1: when collecting the various kinds of raw data related to network security, existing network security detection suffers from incomplete data acquisition and inconsistent data formats, so the network security situation cannot be assessed accurately;
Problem 2: when identifying and analyzing the traffic state of the network, existing network security detection produces inaccurate output and misjudgments, which leads to missed detections or false alarms of network security anomalies and impairs the monitoring and feedback of the network security state;
Problem 3: existing network security detection finds it difficult to assess the security of user behavior accurately, so network security cannot be guaranteed.
Summary of the Invention
The purpose of the present invention is to provide a network security detection system based on data visualization, so as to solve the problems raised in the background art.
The purpose of the present invention can be achieved by the following technical solution: a network security detection system based on data visualization, comprising:
a data collection module, which collects the various kinds of raw data related to network security, the raw data comprising log files and user behavior information, and sends the collected information of each type to the feature data extraction module;
a feature data extraction module, which performs data preprocessing on the log files in the collected raw data related to network security, thereby extracting network traffic data parameters related to network security, and sends them to the database for storage;
the feature data extraction module also performs data preprocessing on the user behavior information in the collected raw data related to network security, thereby extracting user behavior data parameters related to network security, and sends them to the database for storage;
a network traffic data detection module, which, based on the output network traffic data parameters related to network security, identifies and analyzes the traffic state of the network, outputs a traffic feature evaluation index and a connection feature evaluation index of the network accordingly, and sends both values to the network traffic security evaluation module;
a network traffic security evaluation module, which, based on the received traffic feature evaluation index and connection feature evaluation index of the network, analyzes and evaluates the abnormal state of the network, generates a confirmed-anomaly signal or a misjudged-anomaly signal accordingly, and sends it to the display terminal for visual presentation;
a network user behavior security evaluation module, which, based on the output user behavior data parameters related to network security, analyzes the user behavior state of each user in the network, generates a user-behavior-abnormal signal or a user-behavior-normal signal accordingly, and sends it to the display terminal for visual presentation.
Preferably, the data preprocessing of the log files in the collected raw data related to network security is performed as follows:
the network addresses of the sender and receiver of each packet are extracted from the log file, giving the source IP address and destination IP address of each packet, and the captured source and destination IP addresses of each packet are converted into a format suitable for analysis, i.e. into numerical form;
the transport-layer port number of each packet in the network protocol stack is extracted from the log file, giving the port number of each packet, and the captured port numbers are converted from categorical data into a numerical representation;
the byte count of each packet is extracted from the log file, giving the data volume of each packet, and the captured data volumes are standardized, i.e. the data volume of each packet is linearly mapped into the range [0,1]; specifically, each packet undergoes min-max normalization according to the set model x' = (x - min) / (max - min), where x' is the normalized value, x is the original value, min is the minimum of the original values and max is the maximum of the original values, thereby completing the standardization of the data volume of each packet;
the sending time and receiving time of each packet are extracted from the log file, giving the sending timestamp and receiving timestamp of each packet, and the captured sending and receiving timestamps are converted into readable time; specifically, the corresponding value is first determined according to the unit of the sending and receiving timestamps, the timestamps are then converted into a date-time format using a function built into the programming language, and the date-time is then formatted as a specific string, thereby completing the conversion of the sending and receiving timestamps into readable time;
the actual data content carried by each packet is extracted from the log file, the carried content consisting of the HTTP request volume and the file transfer volume, giving the payload of each packet;
the network traffic data parameters related to network security consist of the source and destination IP addresses in numerical form, the port number in numerical representation, the standardized data volume, the sending and receiving timestamps in readable-time form, and the payload.
Preferably, the identification and analysis of the traffic state of the network is performed as follows:
key feature parameters are extracted from the source IP address, destination IP address, port number and data volume in the network traffic data parameters related to network security, the key features comprising the inflow data volume per second, the outflow data volume per second and the number of connections per second;
a monitoring period is set and divided equally into several monitoring time points, and the standard deviation of each of the three key feature parameters extracted at the monitoring time points of the monitoring period is calculated according to the set formulas, thereby obtaining the inflow traffic feedback value σ1i, the outflow traffic feedback value σ2i and the connection feedback value σ3i of the network, where lrij is the inflow data volume per second of the corresponding packet at each monitoring time point of the corresponding monitoring period, lcij is the outflow data volume per second of the corresponding packet at each monitoring time point of the corresponding monitoring period, lkij is the number of connections per second of the corresponding packet at each monitoring time point of the corresponding monitoring period, μ1i is the mean inflow data volume of the corresponding packet in the corresponding monitoring period, μ2i is the mean outflow data volume of the corresponding packet in the corresponding monitoring period, μ3i is the mean number of connections of the corresponding packet in the corresponding monitoring period, i is the packet index, i = 1, 2, 3 ... n1, j is the index of the monitoring time points into which the corresponding monitoring period is divided, j = 1, 2, 3 ... n2, and n1 and n2 are both positive integers;
the inflow traffic feedback value and outflow traffic feedback value of the network are analyzed together according to the set data model, thereby outputting the traffic feature evaluation index fcx of the network, where a1 and a2 are normalization factors;
the connection feedback value of the network is analyzed according to the set data model, thereby outputting the connection feature evaluation index cax of the network, where a3 is a normalization factor.
Preferably, the analysis and evaluation of the abnormal state of the network is performed as follows:
according to the output traffic feature evaluation index of the network, a traffic feature threshold is set for the traffic feature evaluation index, and the traffic feature evaluation index of the network is compared with the preset traffic feature threshold; if the traffic feature evaluation index of the network exceeds the traffic feature threshold, the traffic state of the network is marked as an abnormally high traffic state, otherwise the traffic state of the network is marked as a normal traffic state;
according to the output connection feature evaluation index of the network, a connection feature threshold is set for the connection feature evaluation index, and the connection feature evaluation index of the network is compared with the preset connection feature threshold; if the connection feature evaluation index of the network exceeds the connection feature threshold, the connection state of the network is marked as an abnormally frequent connection state, otherwise the connection state of the network is marked as a normal connection state;
based on the output abnormally high traffic state or abnormally frequent connection state, a traceback verification instruction is issued and a traceback verification analysis of the abnormal state of the network is performed, outputting a confirmed-anomaly signal or a misjudged-anomaly signal accordingly.
Preferably, the traceback verification analysis of the abnormal state of the network is performed as follows:
based on the sending timestamp and receiving timestamp in the output network traffic data parameters related to network security, the transmission time of each packet is obtained according to the set data model: transmission time = receiving timestamp of the packet - sending timestamp of the packet;
delay time = receiving timestamp of the packet - sending timestamp of the packet - transmission time of the packet in the network, thereby obtaining the delay time of each packet;
the transmission time and delay time of each packet are measured several times and their mean is taken as the final result; specifically, the number of tests is set to m, giving the transmission time and delay time of each packet over m tests, recorded as TOTim and PDTim respectively, and the transmission times and delay times of each packet over the m tests are each averaged according to the set formulas, thereby obtaining the transmission feature value tfvi and the delay feature value devi of each packet;
according to the set data model, the comprehensive transmission-connection evaluation index epe of the network is output, where b1 and b2 are normalization factors;
a comprehensive transmission-connection threshold is set for the comprehensive transmission-connection evaluation index of the network, and the comprehensive transmission-connection evaluation index of the network is compared with the preset comprehensive transmission-connection threshold; if the comprehensive transmission-connection evaluation index of the network is greater than the connection feature threshold, a confirmed-anomaly signal is generated, otherwise a misjudged-anomaly signal is generated.
Preferably, the analysis of the user behavior state of each user in the network is performed as follows:
the number of failed logins, number of password errors, login frequency, number of sensitive data accesses, number of abnormal file uploads and number of abnormal file downloads in the output user behavior data parameters related to network security are calculated and analyzed according to the set data model, thereby outputting the user behavior security evaluation coefficient ubs of the network;
a user behavior comparison threshold is set for the user behavior security evaluation coefficient of the network, and the user behavior security evaluation coefficient of the network is compared with the preset user behavior comparison threshold; if the user behavior security evaluation coefficient of the network exceeds the user behavior comparison threshold, a user-behavior-abnormal signal or a user-behavior-normal signal is generated.
Beneficial effects of the present invention:
By extracting key feature parameters and computing their standard deviation, the present invention evaluates the inflow traffic, outflow traffic and connection situation of the network more accurately, which helps to monitor the network state in real time.
By combining the traffic feature evaluation index and the connection feature evaluation index of the network and judging and marking abnormal states against set thresholds, network anomalies are discovered in time and handled accordingly, improving network security and response speed.
Through repeated measurements of transmission time and delay time, combined with the mean calculation of the transmission feature value and delay feature value, abnormal transmission connections are detected and evaluated accurately, which helps to discover and resolve network transmission problems in time.
By calculating and analyzing the user behavior security evaluation coefficient and comparing it with the preset user behavior comparison threshold, abnormal user behavior can be identified and marked effectively, improving the comprehensiveness of network security management.
By presenting the preprocessed data visually, the system shows the network traffic and user behavior situation intuitively and provides security administrators with comprehensive information and decision support. Administrators can formulate and adjust the corresponding security policies and measures in time according to the output anomaly information.
Through its comprehensive performance, anomaly detection, data visualization and real-time features and functions, the system provides comprehensive network security monitoring and analysis, helps administrators discover and respond to network security threats in time, and improves the security and reliability of the network.
Brief Description of the Drawings
The present invention is further described below with reference to the accompanying drawings.
FIG. 1 is a system block diagram of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to FIG. 1, the present invention is a network security detection system based on data visualization, comprising: a data collection module, a feature data extraction module, a network traffic data detection module, a network traffic security evaluation module, a network user behavior security evaluation module, a display terminal and a database.
The data collection module collects the various kinds of raw data related to network security, the raw data comprising log files and user behavior information, and sends the collected information of each type to the feature data extraction module.
The feature data extraction module performs data preprocessing on the log files in the collected raw data related to network security, specifically as follows:
the network addresses of the sender and receiver of each packet are extracted from the log file, giving the source IP address and destination IP address of each packet, and the captured source and destination IP addresses of each packet are converted into a format suitable for analysis, i.e. into numerical form;
it should be added that converting an IP address into numerical form means converting an IPv4 or IPv6 address into an integer. For an IPv4 address, the address is first split into four decimal numbers, which are converted into binary form; the binary numbers are then concatenated into a 32-bit binary number, which is finally converted into the corresponding decimal number, completing the conversion of the IPv4 address into numerical form. For an IPv6 address, because of its greater length, the conversion is generally done with an existing library or tool;
the transport-layer port number of each packet in the network protocol stack is extracted from the log file, giving the port number of each packet, which is used to identify different applications and services; the captured port numbers are converted from categorical data into a numerical representation, i.e. the port number of the corresponding packet is converted into a binary vector in which exactly one element is 1 and all other elements are 0;
the byte count of each packet is extracted from the log file, giving the data volume of each packet, and the captured data volumes are standardized, i.e. the data volume of each packet is linearly mapped into the range [0,1]; specifically, each packet undergoes min-max normalization according to the set model x' = (x - min) / (max - min), where x' is the normalized value, x is the original value, min is the minimum of the original values and max is the maximum of the original values, thereby completing the standardization of the data volume of each packet and ensuring comparability between packets of different sizes;
the sending time and receiving time of each packet are extracted from the log file, giving the sending timestamp and receiving timestamp of each packet, which are used to analyze the timing characteristics of the packets, and the captured sending and receiving timestamps are converted into readable time; specifically, the corresponding value is first determined according to the unit of the sending and receiving timestamps, the timestamps are then converted into a date-time format using a function built into the programming language, and the date-time is then formatted as a specific string, thereby completing the conversion of the sending and receiving timestamps into readable time;
the actual data content carried by each packet is extracted from the log file, the carried content consisting of the HTTP request volume and the file transfer volume, giving the payload of each packet;
the network traffic data parameters related to network security consist of the source and destination IP addresses in numerical form, the port number in numerical representation, the standardized data volume, the sending and receiving timestamps in readable-time form, and the payload, and are sent to the database for storage.
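The log-preprocessing steps above, as an added Python example that is not part of the patent: it performs the IPv4 octet-concatenation conversion by hand, uses the standard ipaddress library for IPv6 as the text suggests, one-hot encodes the port number, min-max normalizes packet sizes and converts unit-scaled timestamps into readable strings. The comma-separated log layout, its field names and the sample lines are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample log (not from the patent): one packet per line with the fields
# src_ip,dst_ip,dst_port,bytes,send_ts,recv_ts,payload  (timestamps in milliseconds)
SAMPLE_LOG = """\
192.168.1.10,10.0.0.5,443,1500,1700000000000,1700000000120,http_requests=3;file_bytes=0
192.168.1.11,10.0.0.5,80,60,1700000001000,1700000001030,http_requests=1;file_bytes=0
2001:db8::1,10.0.0.7,22,980,1700000002000,1700000002510,http_requests=0;file_bytes=900
"""

UNIT_DIVISOR = {"s": 1, "ms": 1_000, "us": 1_000_000}


def ipv4_to_int(addr):
    """Split the dotted address into four octets, render each as 8 bits,
    concatenate them into a 32-bit string and read it back as an integer."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    bits = "".join(format(int(o), "08b") for o in octets)
    return int(bits, 2)


def ip_to_int(addr):
    """IPv4 by hand as in the text; IPv6 via the standard library (ipaddress)."""
    if ":" in addr:
        return int(ipaddress.IPv6Address(addr))
    return ipv4_to_int(addr)


def one_hot_port(port, vocab):
    """Categorical port -> binary vector with a single 1 at the port's index in vocab."""
    vec = [0] * len(vocab)
    vec[vocab.index(port)] = 1
    return vec


def min_max(values):
    """x' = (x - min) / (max - min); a constant column maps to 0.0 instead of dividing by zero."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def to_readable(ts, unit):
    """Scale the raw timestamp by its unit, then format it as a UTC date-time string."""
    div = UNIT_DIVISOR[unit]
    secs, rem = divmod(int(ts), div)
    micros = rem * (1_000_000 // div)
    dt = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=micros)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")


def parse_payload(field):
    """'http_requests=3;file_bytes=0' -> {'http_requests': 3, 'file_bytes': 0}"""
    return {k: int(v) for k, v in (item.split("=", 1) for item in field.split(";"))}


def preprocess_log(text, ts_unit="ms"):
    """Turn raw log lines into the network traffic data parameters described in the text."""
    rows = [line.split(",") for line in text.splitlines() if line.strip()]
    if any(len(r) != 7 for r in rows):
        raise ValueError("malformed log line")
    vocab = sorted({int(r[2]) for r in rows})        # port vocabulary seen in this log
    sizes = min_max([int(r[3]) for r in rows])         # normalized packet sizes
    records = []
    for r, size in zip(rows, sizes):
        records.append({
            "src_ip": ip_to_int(r[0]),
            "dst_ip": ip_to_int(r[1]),
            "port_vec": one_hot_port(int(r[2]), vocab),
            "bytes_norm": size,
            "send_time": to_readable(r[4], ts_unit),
            "recv_time": to_readable(r[5], ts_unit),
            "payload": parse_payload(r[6]),
        })
    return records


if __name__ == "__main__":
    for rec in preprocess_log(SAMPLE_LOG):
        print(rec)
```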
The feature data extraction module also performs data preprocessing on the user behavior information in the collected raw data related to network security, specifically as follows:
the login and authentication behavior of users is collected, giving the number of failed logins, the number of password errors and the login frequency of each user in the network, recorded as lok, pwk and lfk respectively, where k is the index of each user, k = 1, 2, 3 ... K, and K is the maximum index and a positive integer;
the data access and operation behavior of users is collected, and the number of accesses to sensitive data and the number of uploads and downloads of abnormal files are extracted from the users' access to systems, applications or databases, their read and write operations, and their file upload and download behavior, giving the number of sensitive data accesses, number of abnormal file uploads and number of abnormal file downloads of each user in the network, recorded as svk, fuk and fdk respectively;
the user behavior data parameters related to network security consist of the number of failed logins, number of password errors, login frequency, number of sensitive data accesses, number of abnormal file uploads and number of abnormal file downloads, and are sent to the database for storage.
The network traffic data detection module, based on the output network traffic data parameters related to network security, identifies and analyzes the traffic state of the network, specifically as follows:
key feature parameters are extracted from the source IP address, destination IP address, port number and data volume in the network traffic data parameters related to network security, the key features comprising the inflow data volume per second, the outflow data volume per second and the number of connections per second;
a monitoring period is set and divided equally into several monitoring time points, and the standard deviation of each of the three key feature parameters extracted at the monitoring time points of the monitoring period is calculated according to the set formulas, thereby obtaining the inflow traffic feedback value σ1i, the outflow traffic feedback value σ2i and the connection feedback value σ3i of the network, where lrij is the inflow data volume per second of the corresponding packet at each monitoring time point of the corresponding monitoring period, lcij is the outflow data volume per second of the corresponding packet at each monitoring time point of the corresponding monitoring period, lkij is the number of connections per second of the corresponding packet at each monitoring time point of the corresponding monitoring period, μ1i is the mean inflow data volume of the corresponding packet in the corresponding monitoring period, μ2i is the mean outflow data volume of the corresponding packet in the corresponding monitoring period, μ3i is the mean number of connections of the corresponding packet in the corresponding monitoring period, i is the packet index, i = 1, 2, 3 ... n1, j is the index of the monitoring time points into which the corresponding monitoring period is divided, j = 1, 2, 3 ... n2, and n1 and n2 are both positive integers;
the inflow traffic feedback value and outflow traffic feedback value of the network are analyzed together according to the set data model, thereby outputting the traffic feature evaluation index fcx of the network, where a1 and a2 are normalization factors;
the connection feedback value of the network is analyzed according to the set data model, thereby outputting the connection feature evaluation index cax of the network, where a3 is a normalization factor;
the traffic feature evaluation index and connection feature evaluation index of the network are output accordingly, and both values are sent to the network traffic security evaluation module.
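The traffic-state detection above, as an added Python example that is not the patent's own code: it derives the per-second inflow, outflow and distinct-connection counts from packet addresses over a monitoring period split into equal time points, computes the three standard deviations σ1, σ2, σ3, and applies the threshold comparison that the evaluation module performs. Assumptions: the features are aggregated for the whole monitored network rather than per packet; the page does not reproduce the combining formulas for fcx and cax, so a weighted sum with the normalization factors a1, a2, a3 is assumed, as is a population (1/n2) standard deviation; the packet records, internal network and thresholds are constructed.

```python
import ipaddress
import math

# Constructed packet records (not from the patent): timestamp in seconds, addresses, port, bytes.
# 10.0.0.0/24 is the monitored internal network; 203.0.113.0/24 and 198.51.100.0/24 are external.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")


def mk(ts, src, dst, port, nbytes):
    return {"ts": ts, "src": src, "dst": dst, "port": port, "bytes": nbytes}


PACKETS = []
for t in range(10):                                    # steady baseline for all 10 time points
    PACKETS.append(mk(t, "203.0.113.5", "10.0.0.5", 443, 1000))   # inbound request
    PACKETS.append(mk(t, "10.0.0.5", "203.0.113.5", 443, 500))    # outbound reply
for h in range(40):                                    # burst at second 7: 40 new external hosts
    PACKETS.append(mk(7, f"198.51.100.{h + 1}", "10.0.0.5", 80, 1200))


def direction(pkt, internal=INTERNAL):
    """'in' for external->internal, 'out' for internal->external, None otherwise."""
    src_in = ipaddress.ip_address(pkt["src"]) in internal
    dst_in = ipaddress.ip_address(pkt["dst"]) in internal
    if dst_in and not src_in:
        return "in"
    if src_in and not dst_in:
        return "out"
    return None


def key_features(packets, period_start, n_points, bin_seconds=1):
    """Split the monitoring period into n_points equal bins and derive, per bin,
    inflow bytes/s (lr), outflow bytes/s (lc) and distinct connections/s (lk)."""
    inflow = [0] * n_points
    outflow = [0] * n_points
    conns = [set() for _ in range(n_points)]
    for p in packets:
        j = int((p["ts"] - period_start) // bin_seconds)
        if not 0 <= j < n_points:
            continue                                   # outside the monitoring period
        d = direction(p)
        if d == "in":
            inflow[j] += p["bytes"]
        elif d == "out":
            outflow[j] += p["bytes"]
        conns[j].add((p["src"], p["dst"], p["port"]))   # one connection = one (src, dst, port)
    lr = [b / bin_seconds for b in inflow]
    lc = [b / bin_seconds for b in outflow]
    lk = [len(c) / bin_seconds for c in conns]
    return lr, lc, lk


def std_dev(xs):
    """Population standard deviation around the period mean μ (assumption: 1/n2, not 1/(n2-1))."""
    mu = sum(xs) / len(xs)
    return math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))


def feedback_values(lr, lc, lk):
    """σ1 (inflow), σ2 (outflow), σ3 (connections) for one monitoring period."""
    return std_dev(lr), std_dev(lc), std_dev(lk)


def evaluate(s1, s2, s3, a=(0.5, 0.5, 1.0), flow_threshold=2000.0, conn_threshold=5.0):
    """Combine the feedback values into fcx and cax and compare them with the preset thresholds.
    Assumption: weighted sums with normalization factors a1, a2, a3 (formulas not on the page)."""
    a1, a2, a3 = a
    fcx = a1 * s1 + a2 * s2
    cax = a3 * s3
    return {
        "fcx": fcx,
        "cax": cax,
        "traffic_state": "abnormally high traffic" if fcx > flow_threshold else "normal traffic",
        "connection_state": ("abnormally frequent connection" if cax > conn_threshold
                             else "normal connection"),
    }


if __name__ == "__main__":
    lr, lc, lk = key_features(PACKETS, period_start=0, n_points=10)
    print(evaluate(*feedback_values(lr, lc, lk)))
```

A steady baseline gives σ values of zero, so the thresholds act on the spread of traffic over the period rather than on its absolute level; a sustained high but constant rate would not be flagged by this step.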
The network traffic security evaluation module uses the received traffic feature evaluation index and connection feature evaluation index of the network to analyse and evaluate the abnormal state of the network, as follows:
A traffic feature threshold is set for the network's traffic feature evaluation index, and the index is compared against the preset traffic feature threshold. If the traffic feature evaluation index exceeds the traffic feature threshold, the network's traffic state is marked as an abnormally high traffic state; otherwise it is marked as a normal traffic state;
A connection feature threshold is set for the network's connection feature evaluation index, and the index is compared against the preset connection feature threshold. If the connection feature evaluation index exceeds the connection feature threshold, the network's connection state is marked as an abnormally frequent connection state; otherwise it is marked as a normal connection state;
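As an added illustration, not code from the patent, the feature extraction and threshold comparison described above in Python: per-packet standard deviations of the per-second inflow, outflow and connection series over the monitoring time points, then fcx and cax, then the state marking. The combining models for fcx and cax are not reproduced in the text, so a weighted sum with the normalization factors a1, a2 and a3 is assumed; the population form of the standard deviation, the sample series and the thresholds are likewise assumptions.

```python
import math
from statistics import mean

# Constructed sample input (not from the patent): for each data packet i, the
# per-second inflow volume lr_ij, outflow volume lc_ij and connection count lk_ij
# at the n2 = 5 monitoring time points j of one monitoring period.
SAMPLE_FLOWS = {
    1: {"inflow": [1200, 1250, 1180, 1220, 1210],
        "outflow": [300, 310, 295, 305, 300],
        "conns": [4, 4, 5, 4, 4]},              # steady flow
    2: {"inflow": [1000, 9000, 50, 12000, 100],
        "outflow": [200, 210, 190, 205, 200],
        "conns": [3, 80, 2, 95, 1]},            # bursty flow with connection spikes
}

def feedback_value(series):
    """Standard deviation of one per-second series over the period's time points,
    i.e. sigma_ki for one packet and one feature, around the period mean mu_ki.
    Assumption: the population form (divide by n2) is used."""
    mu = mean(series)
    return math.sqrt(sum((x - mu) ** 2 for x in series) / len(series))

def traffic_indices(flow, a1=1.0, a2=1.0, a3=1.0):
    """Return (fcx, cax) for one packet. Assumption: the patent's combining models
    are not reproduced in the text, so fcx = a1*sigma1 + a2*sigma2, cax = a3*sigma3."""
    sigma1 = feedback_value(flow["inflow"])   # inflow traffic feedback value
    sigma2 = feedback_value(flow["outflow"])  # outflow traffic feedback value
    sigma3 = feedback_value(flow["conns"])    # connection feedback value
    return a1 * sigma1 + a2 * sigma2, a3 * sigma3

def mark_states(fcx, cax, traffic_threshold, connection_threshold):
    """Threshold comparison performed by the network traffic security evaluation module."""
    traffic_state = ("abnormally high traffic" if fcx > traffic_threshold
                     else "normal traffic")
    conn_state = ("abnormally frequent connections" if cax > connection_threshold
                  else "normal connections")
    return traffic_state, conn_state

def evaluate(flows, traffic_threshold, connection_threshold, a1=1.0, a2=1.0, a3=1.0):
    """Run feature extraction and state marking for every packet of one period."""
    return {i: mark_states(*traffic_indices(f, a1, a2, a3),
                           traffic_threshold, connection_threshold)
            for i, f in flows.items()}

if __name__ == "__main__":
    for i, states in evaluate(SAMPLE_FLOWS, 500.0, 10.0).items():
        print(i, states)
```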
Based on the output abnormally high traffic state or abnormally frequent connection state, a traceback verification instruction is issued, and a traceback verification analysis of the network's abnormal state is performed as follows:
Based on the sending timestamp and receiving timestamp in the output network traffic data parameters related to network security, the transmission time of each packet is obtained from the set data model: transmission time = packet receiving timestamp - packet sending timestamp;
Delay time = packet receiving timestamp - packet sending timestamp - transmission time of the packet in the network, giving the delay time of each packet;
The transmission time and delay time of each packet are measured in multiple tests and the mean is taken as the final result. Specifically, the number of tests is set to m, giving for each packet the transmission time and delay time under each of the m tests, denoted TOTim and PDTim respectively. The transmission times and delay times of each packet over the m tests are averaged according to the formulas: , , giving the transmission feature value tfvi and delay feature value devi of each packet;
According to the set data model: , the network's comprehensive transmission-connection evaluation index epe is output, where b1 and b2 are normalization factors;
A comprehensive transmission-connection threshold is set for the network's comprehensive transmission-connection evaluation index, and the index is compared against the preset comprehensive transmission-connection threshold. If the comprehensive transmission-connection evaluation index is greater than the connection feature threshold, a confirmed anomaly signal is generated; otherwise a misjudged anomaly signal is generated;
The generated confirmed anomaly signal or misjudged anomaly signal is sent to the display terminal for visual presentation.
The network user behavior security evaluation module uses the output user behavior data parameters related to network security to analyse the user behavior state of each user in the network, as follows:
Based on the number of login failures, number of password errors, login frequency, number of sensitive data accesses, number of abnormal file uploads and number of abnormal file downloads among the output user behavior data parameters related to network security, these values are computed and analysed according to the set data model: , giving the network's user behavior security evaluation coefficient ubs;
A user behavior comparison threshold is set for the network's user behavior security evaluation coefficient, and the coefficient is compared against the preset user behavior comparison threshold. If the user behavior security evaluation coefficient exceeds the user behavior comparison threshold, a user behavior abnormal signal is generated; otherwise a user behavior normal signal is generated;
The generated user behavior abnormal signal or user behavior normal signal is sent to the display terminal for visual presentation.
The above is merely an example and explanation of the structure of the present invention. Those skilled in the art may make various modifications or additions to the specific embodiments described, or substitute similar means; as long as these do not depart from the structure of the invention or exceed the scope defined by the claims, they fall within the protection scope of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311702037.4A (granted as CN117997586B) | 2023-12-12 | 2023-12-12 | Network security detection system based on data visualization |
| Publication Number | Publication Date |
|---|---|
| CN117997586A | 2024-05-07 |
| CN117997586B | 2024-10-18 |
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |