Network data risk assessment system for computer
Technical Field
The invention relates to the technical field of data security monitoring, in particular to a network data risk assessment system for a computer.
Background
With the rapid development of information technology and the popularization of the internet, computer networks have become an indispensable infrastructure of modern society; however, this also exposes cyberspace to increasingly complex threats, such as hacking, data leakage and malicious software, which may not only lead to the loss or leakage of important information but also affect the normal operation of enterprises and even cause significant economic loss and reputation risk, so that risk assessment of network data has become an important measure for guaranteeing network security.
In the prior art, the network environment changes quickly and the interference of multi-dimensional data exists, so that new security threats are difficult to identify and evaluate in real time, the response of the system lags when facing an emergency security event, and effective protective measures cannot be adopted in time; therefore, how to improve the identification efficiency of abnormal modes and respond quickly with protective measures is a problem to be solved, and a network data risk evaluation system for a computer is now provided.
Disclosure of Invention
The network data risk assessment system for the computer comprises a data monitoring platform, wherein the data monitoring platform is in communication connection with a data acquisition module, a data preprocessing module, an anomaly detection module, a threat assessment module, an automatic alarm module, a response strategy generation module and a report generation module, and the modules are in electrical signal connection;
the data acquisition module is used for collecting various original data from various network devices and systems, including flow data, log files and system state information, ensuring the comprehensiveness and instantaneity of the data and providing basic data support for risk assessment;
The data preprocessing module is used for carrying out cleaning, formatting and normalization preprocessing on the collected original data, removing noise and redundant information, extracting abnormal characteristics for risk assessment from the preprocessed data, obtaining an abnormal network flow characteristic set and an abnormal system state characteristic set, improving the data processing efficiency, providing a high-quality data set for subsequent analysis, converting a large amount of data into key characteristics, and facilitating the model to carry out risk assessment more efficiently;
The anomaly detection module adopts a machine learning algorithm to combine anomaly characteristics to perform anomaly pattern recognition on the preprocessed data, finds potential security threats, rapidly and accurately recognizes anomaly behaviors in a network, and provides clues for timely response;
The threat assessment module is used for carrying out deep analysis on the detected abnormal behaviors, assessing the potential threat degree of the abnormal behaviors, including threat types and influence ranges, determining the potential risk level of the abnormal behaviors to the system, providing accurate threat information for making protective measures and ensuring effective allocation of resources;
The automatic alarm module is used for continuously monitoring the network state and carrying out real-time monitoring and alarm on abnormal conditions;
the response strategy generation module is used for automatically generating and recommending a protection strategy of a corresponding grade according to the threat assessment result;
and the report generating module is used for recording all key events and operations in the running process of the system and generating detailed audit logs and risk assessment reports.
Preferably, in the data acquisition module, the collecting process of the raw data includes:
Definitely identifying the network equipment and systems from which data are collected, comprising a server, a router, a firewall, an intrusion detection system and an application program, thereby defining the source of the data and ensuring the comprehensiveness of data collection;
According to network equipment and a system for collecting data, determining a data type, a collection frequency and a storage format and a position of the data, wherein the data type comprises network flow data, system state information and a log file, and configuring a data collection method according to different data types;
According to the data acquisition targets and methods, deploying data acquisition agents on each data source, configuring corresponding data collectors, setting acquisition parameters and rules, ensuring that the data collectors can stably operate and are reliably connected with target network equipment and systems;
the data collector captures network flow data and original data of system state information from the target network equipment and the system, converts the data into a uniform data format and transmits the uniform data format to the central data warehouse through a network.
Preferably, in the data preprocessing module, the acquiring process of the abnormal network traffic feature set and the abnormal system state feature set includes:
Preprocessing the collected network flow data, system state information and original data of a log file, wherein the preprocessing comprises the steps of cleaning, formatting and normalizing;
Identifying relevant features of risk assessment by combining the correlation coefficient with the preprocessed network flow data and system state information data, extracting features, acquiring abnormal features for risk assessment, extracting relevant data of abnormal network flow and abnormal system state information, and forming an abnormal network flow feature set and an abnormal system state feature set, wherein the abnormal features of the network flow data comprise flow burst, abnormal flow mode, abnormal data packet size and frequent connection failure, and the abnormal features of the system state information comprise CPU (central processing unit) utilization rate burst, memory utilization rate burst, disk utilization rate burst, network connection abnormality and system configuration change;
And carrying out coding processing on the abnormal characteristics in the abnormal network flow characteristic set and the abnormal system state characteristic set, and converting the non-numerical data into numerical data so as to make the data suitable for numerical calculation.
Preferably, in the anomaly detection module, the process of identifying the anomaly mode includes:
Extracting abnormal network flow data and associated data of abnormal system state information applied to risk assessment from an abnormal network flow feature set and an abnormal system state feature set respectively, wherein network flow values, total network flow and total abnormal network flow in an observation time range are extracted for the abnormal network flow data, a baseline value of the network flow is determined based on an average value of the normal network flow, a system state value, configuration change times and an average system state value of each system state index in the observation time range are extracted for the abnormal system state information, and the baseline value of the system state is determined based on the average value of the normal system state;
According to the time sequence characteristics of the network flow data, a network flow analysis model is trained by combining a time sequence analysis algorithm and abnormal network flow data, verification and evaluation are carried out on the constructed network flow analysis model, and necessary adjustment is carried out to improve the performance so as to analyze the abnormal degree of the network flow;
identifying abnormal system configuration and behavior by using a clustering algorithm according to static features and dynamic features of system state information, training a system state analysis model by combining the abnormal system state information, verifying and evaluating the constructed system state analysis model, and performing parameter adjustment to identify the abnormal system configuration and behavior;
The method comprises the steps of combining output of a network flow analysis model and abnormal network flow data to obtain a flow evaluation index, analyzing the abnormal degree of network flow, combining output of a system state analysis model and abnormal system state information to obtain a state evaluation index, and measuring the health condition and abnormal trend of a system.
Preferably, the flow evaluation index is calculated by the following expression:
;
Wherein,For the flow rate evaluation index,Is the firstThe network flow value at a point in time,As a baseline value for the network traffic,For the number of time points to be observed,For the total abnormal network traffic during the observation period,For the total network traffic during the observation period,The lower the value, the more normal the network traffic,The higher the value, the greater the degree of anomaly representing network traffic;
the calculation expression of the state evaluation index is as follows:
;
Wherein,For the state-assessment index(s),Is the firstThe system state value of the individual indicator(s),Is the baseline value for the state of the system,In order to observe the number of indicators that are present,For the number of configuration changes during the observation,For the average system state value during the observation,The lower the value, the more healthy the system state,The higher the value, the greater the abnormal trend representing the system state.
Preferably, in the threat assessment module, the process of assessing the degree of potential threat of abnormal behavior includes:
Traversing the historical abnormal behavior data in the log file, combining the flow evaluation index and the state evaluation index with the historical abnormal behavior data, analyzing the relevance of the abnormal behavior, the flow evaluation index and the state evaluation index, and carrying out weighted calculation on the flow evaluation index and the state evaluation index to obtain an abnormal threat evaluation coefficient;
According to historical abnormal behavior data in a log file and threat types and influence ranges of abnormal behaviors, potential threat degrees of the abnormal behaviors are evaluated to determine different risk levels, namely a first-level risk level, a second-level risk level, a third-level risk level and a fourth-level risk level, wherein the potential threat degrees of the abnormal behaviors of the risk levels are gradually increased from the first-level risk level to the fourth-level risk level;
Matching the set risk level with the calculation result of the abnormal threat assessment coefficient, and presetting corresponding risk thresholds for different risk levels;
Outputting the calculation result of the abnormal threat assessment coefficient and the matching relation of different risk levels to obtain an abnormal threat sequence, and determining the correlation between each risk level and the potential threat degree of the abnormal behavior;
And inputting the acquired network flow data and real-time data of system state information, calculating the result of an abnormal threat assessment coefficient, and matching corresponding risk levels by combining a preset risk threshold value to assess the potential threat degree of the abnormal behavior.
Preferably, the calculation expression of the abnormal threat assessment coefficient is:
;
Wherein,The coefficients are evaluated for the abnormal threat,Is the firstFlow evaluation index at each time point,As a baseline value for the flow assessment index,Is the firstThe weight of the point in time is calculated,For the number of time points to be observed,Is the firstThe state of the individual indicators evaluates the index,For the baseline value of the state-assessment index,In order to observe the number of indicators that are present,AndTo adjustAndThe weight coefficient of the influence is determined,To adjust the coefficient of the exponential decay rate, lowThe value of (1) represents that the network flow and the system state are close to the baseline value, the abnormal behavior is not obvious and is highThe values of (1) represent significant off-baseline behavior, indicating a serious threat.
Preferably, the plurality of risk levels correspond to a plurality of risk thresholds, wherein the risk thresholds include an upper threshold and a lower threshold;
the plurality of risk levels and the plurality of risk thresholds satisfy the following relationship:
First level risk levelLow potential threat level, requiring minimal attention and resources;
secondary risk levelModerate potential threat levels, moderate concerns and resources are required;
Three level risk levelThe potential threat degree is high, and significant attention and resources are required;
Four-level risk levelSerious potential threat levels, require immediate and focused responses;
Wherein,The coefficients are evaluated for the abnormal threat,For the lower threshold value corresponding to the secondary risk level and the upper threshold value corresponding to the primary risk level,A lower threshold corresponding to the third risk level and an upper threshold corresponding to the second risk level,For a lower threshold value corresponding to a four-level risk level and an upper threshold value corresponding to a three-level risk level,,,。
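As an added worked example (not the patent's own code, which the page does not include), the following Python implements the index and risk-level logic described above: the flow evaluation index, the state evaluation index, the abnormal threat assessment coefficient and the mapping of that coefficient onto the four risk levels through the lower/upper thresholds. Because the formula symbols are missing from the page, the concrete functional forms, the threshold values and the sample observations are assumptions and are labelled as such in the code.

```python
"""
Worked example of the index and risk-level logic the patent describes.

This is an added illustration, not the patent's own code. The patent's formula
symbols did not survive extraction, so the concrete functional forms below are
ASSUMPTIONS that follow the prose: mean squared deviation from a baseline,
scaled by exp(abnormal/total) for the flow index; a square-root adjustment for
configuration changes for the state index; exponentially decaying time weights
and alpha/beta weights for the threat coefficient; and strictly increasing
thresholds that map the coefficient onto four risk levels.
"""
import math
from typing import Sequence

RISK_LEVEL_NAMES = {
    1: "first-level: low potential threat, minimal attention and resources",
    2: "second-level: moderate potential threat, moderate attention and resources",
    3: "third-level: high potential threat, significant attention and resources",
    4: "fourth-level: serious potential threat, immediate and focused response",
}


def flow_evaluation_index(flows: Sequence[float], baseline: float,
                          abnormal_total: float, total: float) -> float:
    """Mean squared deviation of traffic from its baseline over n time points,
    adjusted by an exponential of the abnormal-to-total traffic ratio (assumed form)."""
    if not flows:
        raise ValueError("need at least one observed time point")
    mean_sq = sum((x - baseline) ** 2 for x in flows) / len(flows)
    ratio = abnormal_total / total if total > 0 else 0.0
    return mean_sq * math.exp(ratio)


def state_evaluation_index(states: Sequence[float], baseline: float,
                           config_changes: int, avg_state: float) -> float:
    """Mean squared deviation of m system-state indicators from their baseline,
    adjusted by a root term in the number of configuration changes (assumed form)."""
    if not states:
        raise ValueError("need at least one system state indicator")
    mean_sq = sum((s - baseline) ** 2 for s in states) / len(states)
    # More configuration changes relative to the average state raise the index.
    adjust = math.sqrt(1.0 + config_changes / avg_state) if avg_state > 0 else 1.0
    return mean_sq * adjust


def threat_coefficient(flow_indices: Sequence[float], flow_baseline: float,
                       state_indices: Sequence[float], state_baseline: float,
                       alpha: float = 0.5, beta: float = 0.5,
                       decay: float = 0.5) -> float:
    """Weighted combination of flow-index and state-index deviations from their
    baselines. Time weights decay exponentially so the newest point weighs most;
    alpha and beta trade off the two terms (assumed form)."""
    n = len(flow_indices)
    weights = [math.exp(-decay * (n - 1 - i)) for i in range(n)]
    flow_term = sum(w * (f - flow_baseline) ** 2
                    for w, f in zip(weights, flow_indices)) / sum(weights)
    state_term = sum((s - state_baseline) ** 2 for s in state_indices) / len(state_indices)
    return alpha * flow_term + beta * state_term


def risk_level(coefficient: float, thresholds: Sequence[float]) -> int:
    """Map the coefficient onto levels 1..4 using three thresholds t1 < t2 < t3.
    Each threshold is the upper bound of one level and the lower bound of the
    next; the lower bound is taken as inclusive (assumption)."""
    t1, t2, t3 = thresholds
    if not (t1 < t2 < t3):
        raise ValueError("risk thresholds must be strictly increasing")
    if coefficient < t1:
        return 1
    if coefficient < t2:
        return 2
    if coefficient < t3:
        return 3
    return 4


def demo() -> dict:
    """Run the pipeline on constructed, normalized (0..1) sample observations."""
    # Three observation windows of normalized traffic; the last one contains a burst.
    windows = [
        ([0.20, 0.21, 0.19, 0.20], 0.0, 0.80),
        ([0.20, 0.20, 0.20, 0.20], 0.0, 0.80),
        ([0.20, 0.20, 0.90, 0.90], 1.80, 2.20),  # abnormal = the two burst samples
    ]
    flow_baseline_value = 0.20  # average normal traffic (constructed)
    flow_indices = [flow_evaluation_index(f, flow_baseline_value, a, t) for f, a, t in windows]
    # Normalized CPU, memory and disk utilization with two configuration changes.
    state_index = state_evaluation_index([0.95, 0.90, 0.40], 0.35, 2, 0.75)
    coeff = threat_coefficient(flow_indices, 0.0001, [state_index], 0.01)
    level = risk_level(coeff, (0.02, 0.05, 0.10))  # constructed thresholds
    return {"flow_indices": flow_indices, "state_index": state_index,
            "threat_coefficient": coeff, "risk_level": level,
            "description": RISK_LEVEL_NAMES[level]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```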
Preferably, in the automatic alarm module and the response policy generation module, the alarm and protection policy generation process includes:
Continuously monitoring network state, collecting network flow, system state information and key data of a log file, analyzing and processing the collected data in real time, and identifying abnormal behaviors and abnormal conditions;
combining the abnormal behavior evaluation result of the threat evaluation module with the identified abnormal behavior and abnormal situation, outputting the risk level of the abnormal behavior, checking whether the abnormal behavior has a behavior violating the security policy, and identifying the potential security threat of the abnormal behavior;
once an abnormal situation is detected, an alarm mechanism is immediately triggered, alarm information is sent to an administrator in various modes of mail, short messages and instant messages, and the alarm information comprises an abnormal type, occurrence time, an influence range, detailed severity information and processing advice;
The automatic alarm module carries out risk assessment on abnormal conditions while triggering alarm, judges whether the abnormal conditions form high-risk threats or not, selects corresponding protection measures from a preset protection measure library by combining threat assessment results, and possibly selects stricter measures such as blocking attack sources, isolating infected equipment and the like for the high-risk threats without manual intervention, directly invokes an execution system to execute the selected protection measures, realizes instant protection by automatically triggering the protection measures, effectively suppresses threat diffusion and damage, carries out damage assessment after the protection measures are executed, and checks whether the system resumes normal operation and has other potential influences;
the response strategy generation module receives the evaluation result of the abnormal behavior from the threat evaluation module, receives the alarm result of the abnormal condition from the automatic alarm module, and carries out deep analysis on the received evaluation result and alarm result to determine the current potential risk level and the corresponding alarm mechanism;
Monitoring an execution result, synchronously recording all generated protection strategies and execution results, and reserving a change log and an event response record for subsequent audit and analysis;
And evaluating the implementation effect of the protection strategy according to the monitoring result, wherein the implementation effect comprises whether the threat is effectively restrained and whether the system has recovered to normal operation, and optimizing and adjusting the protection strategy according to the evaluation result, wherein the optimization comprises improving the effectiveness of the strategy, reducing the false alarm rate and improving the response speed.
Preferably, in the report generating module, the generating process of the audit log and the risk assessment report includes:
Capturing all key events in the running process of the system, including login attempt, configuration change, anomaly detection and alarm triggering, recording all security-related operations, sorting the captured data, extracting key information including user ID, operation type and result state, and formatting the data to facilitate report generation;
generating a detailed audit log according to the captured and arranged data, wherein the audit log comprises a time stamp, an event type, an operator and influence range information, summarizing the result of risk assessment, including detection, assessment and response of abnormal behaviors, and generating a risk assessment report, including a risk level, a threat type and influence range;
The generated report is distributed to appointed users and departments through mail, message notification or file sharing mode, and the report is updated periodically to reflect the latest system operation and safety condition, and the report is archived in a safe system for future reference.
The invention provides a network data risk assessment system for a computer. The beneficial effects are as follows:
1. According to the network data risk assessment system for the computer, through integrating the functions of anomaly detection, threat assessment, response strategy generation and automatic alarm, rapid detection of and response to network threats are realized; machine learning is utilized for anomaly pattern recognition, potential security threats are found, and the recognition accuracy for anomalies is improved; in addition, preset protective measures are automatically triggered, so that a rapid response is realized when a high-risk threat is detected, and the damage of a security event to the system is reduced.
2. According to the network data risk assessment system for the computer, by integrating the efficient monitoring and alarming module, real-time monitoring of network states and data flows is realized, potential threats such as abnormal traffic and unauthorized access attempts can be rapidly identified, preset protective measures are automatically triggered when high-risk threats are detected, a time window from threat discovery to response is greatly shortened by an instant threat detection and response mechanism, the diffusion and damage of security events are effectively restrained, and the overall safety and toughness of a network system are remarkably improved.
Drawings
FIG. 1 is a block diagram of a system for risk assessment of network data for a computer according to the present invention;
FIG. 2 is a flow chart of the present invention for identifying an anomaly pattern;
FIG. 3 is a flow chart of the present invention for assessing the degree of potential threat of abnormal behavior.
Detailed Description
The invention will be described in further detail with reference to the drawings and the detailed description. The embodiments of the invention have been presented for purposes of illustration and description, and are not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.
The invention provides a technical scheme, as shown in fig. 1 and 2, of a network data risk assessment system for a computer, which comprises a data monitoring platform, wherein the data monitoring platform is in communication connection with a data acquisition module, a data preprocessing module, an anomaly detection module, a threat assessment module, an automatic alarm module, a response strategy generation module and a report generation module, and the modules are in electrical signal connection;
the data acquisition module is used for collecting various original data from various network devices and systems, including flow data, log files and system state information, ensuring the comprehensiveness and instantaneity of the data and providing basic data support for risk assessment; the network devices and systems from which data are acquired are definitely identified, including a server, a router, a firewall, an intrusion detection system and an application program, so that the source of the data is defined and the comprehensiveness of the data acquisition is ensured; according to the network devices and systems from which data are to be collected, the data type, the collection frequency and the storage format and position of the data are determined, wherein the data type comprises the network flow data, the system state information and the log files, and a data acquisition method is configured according to the different data types: for the collection of network flow data, a network packet capturing tool (such as Wireshark or tcpdump) is used for capturing the network flow data, the network flow information is acquired in real time through a network monitoring device (such as a flow analyzer or an intrusion detection system), and the network flow is copied to the data acquisition system by using a network flow mirroring technology for analysis; for the collection of system state information, a system monitoring tool (such as Zabbix or Prometheus) is used for acquiring system performance indexes (such as CPU utilization rate, memory occupation and disk I/O) in real time, system services (such as Windows Management Instrumentation (WMI) or systemd of Linux) are called through an API interface to acquire system state information, and a script is written to periodically query system commands or configuration files to acquire system configuration and state data; a data collection agent is deployed on each data source according to the data collection target and method, corresponding data collectors are configured, and collection parameters and rules are set, so that the data collector can be ensured to stably run and be reliably connected with the target network equipment and systems; the data collector captures the network flow data and the original data of the system state information from the target network equipment and systems, converts the original data into a uniform data format and transmits it to the central data warehouse through the network;
The data preprocessing module is used for cleaning, formatting and normalizing the acquired original data, removing noise and redundant information, extracting abnormal characteristics for risk assessment from the preprocessed data, obtaining an abnormal network flow characteristic set and an abnormal system state characteristic set, improving data processing efficiency, providing a high-quality data set for subsequent analysis, converting a large amount of data into key characteristics and facilitating the model to perform risk assessment more efficiently; the acquired original data of network flow data, system state information and log files are preprocessed, wherein the preprocessing operation comprises the steps of cleaning, formatting and normalizing: data cleaning identifies and processes missing values, abnormal values, repeated records and the like, ensuring the integrity and accuracy of the data; data formatting converts the data into a uniform format, such as a date and time format or a numerical format, so that the standardized data are convenient to process and analyze; data normalization scales the data to a specific range, such as 0 to 1, or gives the data the same dimension, eliminating the influence caused by different orders of magnitude and dimensions and improving the convergence speed and accuracy of an algorithm; a correlation coefficient is used to combine the preprocessed network flow data and system state information data, identify the associated features of risk assessment, perform feature extraction, acquire the abnormal features for risk assessment, extract the associated data of abnormal network flow and abnormal system state information, and form an abnormal network flow feature set and an abnormal system state feature set, wherein the abnormal features of the network flow data comprise flow burst, abnormal flow mode, abnormal data packet size and frequent connection failure: the flow sudden increase is a sudden increase of network flow in a short time and may indicate a DDoS attack or other types of flow abnormality; the flow sudden decrease is a sudden decrease of network flow and may indicate a network connection problem or service interruption; the abnormal flow mode is an abnormal increase of flow in an off-peak period, or a flow mode that does not coincide with the normal mode; the abnormal data packet size is a packet size far greater than or smaller than the normal value and may indicate an attack or abnormal transmission; the frequent connection failure is a large number of connection failure attempts in a short time and may indicate scanning or an attack; the abnormal characteristics of system state information include CPU utilization rate sudden increase, memory utilization rate sudden increase, disk utilization rate sudden increase, network connection abnormality and system configuration change: the CPU utilization rate sudden increase is a sudden large increase of the CPU utilization rate and may indicate that malicious software is running or system resources are occupied; the memory utilization rate sudden increase and the disk utilization rate sudden increase are sudden large increases of the respective utilization rates; the network connection abnormality is a large number of connections or connection ports in a short time that are not normally authorized; the system configuration change is a change of the system configuration that was not normally made; finally, the abnormal characteristics in the abnormal network flow characteristic set and the abnormal system state characteristic set are coded, converting non-numerical data into numerical data so that the data are suitable for numerical calculation;
The anomaly detection module is used for identifying anomaly modes in the preprocessed data by combining a machine learning algorithm with the anomaly features, finding potential security threats, rapidly and accurately identifying anomaly behaviors in the network and providing clues for timely response; abnormal network flow data applied to risk assessment and associated data of abnormal system state information are respectively extracted from the abnormal network flow feature set and the abnormal system state feature set, wherein the network flow value, the total network flow and the total abnormal network flow in an observation time range are extracted for the abnormal network flow data, a baseline value of the network flow is determined based on the average value of the normal network flow, the system state value, configuration change times and average system state value of each system state index in the observation time range are extracted for the abnormal system state information, and a baseline value of the system state is determined based on the average value of the normal system state; a network flow analysis model is trained according to the time sequence characteristics of the network flow data by combining a time sequence analysis algorithm and the abnormal network flow data, verification and evaluation are performed on the constructed network flow analysis model, and necessary adjustment is performed to improve the performance, so as to analyze the abnormal degree of the network flow; abnormal system configuration and behavior are identified according to the static characteristics and the dynamic characteristics of system state information by using a clustering algorithm, the system state analysis model is trained by combining the abnormal system state information, verification and evaluation are performed on the constructed system state analysis model, and parameter adjustment is performed to identify the abnormal system configuration and behavior; the output of the network flow analysis model and the abnormal network flow data are combined to obtain a flow evaluation index for analyzing the abnormal degree of the network flow, and the output of the system state analysis model and the abnormal system state information are combined to obtain a state evaluation index for measuring the health condition and abnormal trend of the system;
further, the flow evaluation index is calculated as:
;
Wherein,For the flow rate evaluation index,Is the firstThe network flow value at a point in time,As a baseline value for the network traffic,For the number of time points to be observed,For the total abnormal network traffic during the observation period,For the total network traffic during the observation period,The lower the value, the more normal the network traffic,The higher the value, the greater the degree of abnormality representing the network traffic, the square of the difference between the network traffic and the network traffic of the base line at each point in time is calculated, and the sum is divided by the number of points in timeObtaining the average value of the square sum of the network flow deviation, and using an exponential functionAdjusting the average of the sum of squares of network traffic deviations, whereinRepresenting the proportion of the abnormal network flow to the total network flow, and finally obtainingComprehensively considering the network flow deviation and the abnormal network flow proportion by the value;
the calculation expression of the state evaluation index is:
;
Wherein,For the state-assessment index(s),Is the firstThe system state value of the individual indicator(s),Is the baseline value for the state of the system,In order to observe the number of indicators that are present,For the number of configuration changes during the observation,For the average system state value during the observation,The lower the value, the more healthy the system state,The higher the value, the greater the abnormal trend representing the system state, the square of the difference between each system state indicator and the baseline state is calculated, and the sum is divided by the number of indicatorsObtaining the average value of the square sum of the state deviations, using the root formulaAdjusting the average of the sum of squares of the state deviations, whereinThe number of configuration changes is indicated,Representing the average system state value, and finally obtainingValue synthesis accounts for the effects of state bias and configuration changes
The threat assessment module is used for carrying out deep analysis on the detected abnormal behaviors, assessing the potential threat degree of the abnormal behaviors, including threat types and influence ranges, determining the potential risk level of the abnormal behaviors to the system, providing accurate threat information for making protective measures and ensuring effective allocation of resources;
The automatic alarm module is used for continuously monitoring the network state, carrying out real-time monitoring and alarm on abnormal conditions, automatically triggering preset protection measures such as blocking attack sources, isolating infected equipment and the like when high-risk threats are detected, realizing instant protection, reducing the damage of safety events to the system, enhancing the transparency and controllability of the system, and facilitating the emergency treatment and subsequent analysis of an administrator;
The response strategy generation module is used for automatically generating and recommending a protection strategy of a corresponding grade according to the threat assessment result, including blocking rules and alarm setting, improving the pertinence and effectiveness of the protection measures, reducing the human intervention and accelerating the response speed;
the report generation module is used for recording all key events and operations in the running process of the system, generating detailed audit logs and risk assessment reports, providing basis for post analysis, helping to optimize system configuration and improve protective measures, and meeting compliance requirements.
In a second embodiment, referring to fig. 3, in the threat assessment module, a process for assessing a degree of potential threat of abnormal behavior includes:
Historical abnormal-behaviour data in the log files are traversed and combined with the flow evaluation index and the state evaluation index, the correlation between the abnormal behaviour and the two indices is analysed, and the two indices are combined by weighted calculation into an abnormal threat evaluation coefficient. According to the historical abnormal-behaviour data in the log files and the threat type and influence range of the abnormal behaviour, the potential threat degree of the abnormal behaviour is evaluated and divided into four risk levels, namely a first-level, a second-level, a third-level and a fourth-level risk level, whose potential threat degree increases from the first level to the fourth. A corresponding risk threshold is preset for each risk level, the calculated abnormal threat evaluation coefficient is matched against these thresholds, and the coefficient values together with their matching risk levels are output as an abnormal threat sequence, which defines the relation between each risk level and the potential threat degree. At run time, the collected network traffic data and the real-time system state information are input, the abnormal threat evaluation coefficient is calculated from them, and the result is matched against the preset thresholds to obtain the risk level of the current abnormal behaviour;
further, the calculation expression of the abnormal threat assessment coefficient is:
;
Here the abnormal threat evaluation coefficient is computed from the flow evaluation index at each observed time point, the baseline value of the flow evaluation index, a weight for each time point, the number of observed time points, the state evaluation index of each observed indicator, the baseline value of the state evaluation index, the number of observed indicators, two weight coefficients that adjust the influence of the flow part and of the state part, and a coefficient that adjusts the exponential decay rate. A low coefficient means that the network traffic and the system state are close to their baselines and the abnormal behaviour is not obvious; a high coefficient means a significant departure from the baselines, indicating a serious threat. For the flow part, the difference between the flow evaluation index and its baseline is computed at each time point, squared and weighted so as to emphasise departures from the baseline, and the weighted sum of squares is converted with a logarithmic function so that sensitivity to the threat level is retained even when the baseline is exceeded many times; the flow weight coefficient adjusts the importance of the flow part in the overall coefficient. For the state part, the difference between the state evaluation index of each indicator and its baseline is computed and squared, and the sum of squares is converted with an exponential function whose rate coefficient controls how strongly the degree of deviation influences the final value, so that larger deviations increase the coefficient more; the state weight coefficient adjusts the importance of the state part in the overall coefficient;
further, the plurality of risk levels corresponds to a plurality of risk thresholds, each risk threshold serving as the upper threshold of one risk level and the lower threshold of the next;
the plurality of risk levels and the plurality of risk thresholds satisfy the following relationship:
first-level risk level: the abnormal threat evaluation coefficient lies below the first threshold; the potential threat degree is low and minimal attention and resources are required;
second-level risk level: the coefficient lies between the first and the second threshold; the potential threat degree is moderate and moderate attention and resources are required;
third-level risk level: the coefficient lies between the second and the third threshold; the potential threat degree is high and significant attention and resources are required;
fourth-level risk level: the coefficient lies above the third threshold; the potential threat degree is serious and an immediate, focused response is required;
wherein the first threshold is the upper threshold of the first-level risk level and the lower threshold of the second-level risk level, the second threshold is the upper threshold of the second-level risk level and the lower threshold of the third-level risk level, and the third threshold is the upper threshold of the third-level risk level and the lower threshold of the fourth-level risk level, the three thresholds increasing in that order;
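The coefficient calculation and the threshold matching of the second embodiment, as an added example that is not the patent's own code. Because the page gives the coefficient only in words, the concrete form used here (a logarithm of the weighted sum of squared flow deviations plus an exponential term in the mean squared state deviation, with time weights that decay exponentially with age) is an assumption; the weights, the decay rate, the three thresholds and the sample index series are likewise constructed for illustration.

```python
"""Abnormal threat evaluation coefficient and risk-level matching.

Added example, not the patent's own code. The page describes the coefficient
in words only, so the concrete form used here is an assumption:
  flow part   = alpha * ln(1 + sum_i w_i (F_i - F_b)^2),   w_i = exp(-lam * age_i)
  state part  = beta * (exp(gamma * mean_j (S_j - S_b)^2) - 1)
  coefficient = flow part + state part
The thresholds and the sample index values are constructed for illustration.
"""
import math
from typing import List, Sequence, Tuple


def threat_coefficient(flow_idx: Sequence[float], flow_base: float,
                       state_idx: Sequence[float], state_base: float,
                       alpha: float = 1.0, beta: float = 1.0,
                       gamma: float = 0.5, lam: float = 0.0) -> float:
    """Weighted combination of the flow and state evaluation indices (form assumed)."""
    if not flow_idx or not state_idx:
        raise ValueError("flow and state index series must be non-empty")
    n = len(flow_idx)
    # Time weights: exponential decay with age, the newest point has weight 1 (assumption).
    weighted_sq = sum(math.exp(-lam * (n - 1 - i)) * (f - flow_base) ** 2
                      for i, f in enumerate(flow_idx))
    flow_part = alpha * math.log1p(weighted_sq)   # log keeps sensitivity under large deviations
    mean_sq_state = sum((s - state_base) ** 2 for s in state_idx) / len(state_idx)
    state_part = beta * math.expm1(gamma * mean_sq_state)  # exp emphasises large deviations
    return flow_part + state_part


def risk_level(coef: float, thresholds: Tuple[float, float, float]) -> int:
    """Map a coefficient to risk levels 1..4 with three increasing thresholds;
    each threshold is the upper bound of one level and the lower bound of the next."""
    t1, t2, t3 = thresholds
    if not (t1 < t2 < t3):
        raise ValueError("thresholds must be strictly increasing")
    if coef < t1:
        return 1
    if coef < t2:
        return 2
    if coef < t3:
        return 3
    return 4


def threat_sequence(windows: Sequence[Tuple[Sequence[float], Sequence[float]]],
                    flow_base: float, state_base: float,
                    thresholds: Tuple[float, float, float]) -> List[Tuple[float, int]]:
    """Evaluate a series of observation windows into (coefficient, risk level) pairs,
    i.e. the abnormal threat sequence of the text."""
    coefs = (threat_coefficient(f, flow_base, s, state_base) for f, s in windows)
    return [(c, risk_level(c, thresholds)) for c in coefs]


if __name__ == "__main__":
    # Constructed windows: one sitting on the baselines, one with flow and state deviations.
    windows = [([1.0, 1.0], [1.0]), ([1.0, 3.0], [2.0, 0.0])]
    for coef, level in threat_sequence(windows, 1.0, 1.0, (0.5, 1.5, 3.0)):
        print(f"coefficient={coef:.3f} -> risk level {level}")
```

The boundary convention (a coefficient equal to a threshold falls into the higher level) is a choice the page does not fix; whichever convention is used, the check that the thresholds are strictly increasing matters, since unordered thresholds would silently skip a level.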
In the automatic alarm module and the response strategy generation module, the process of alarming and generating the protection strategy comprises the following steps:
The network state is monitored continuously, network traffic, system state information and key data from the log files are collected, and the collected data are analysed and processed in real time to identify abnormal behaviours and abnormal conditions. The abnormal-behaviour assessment result of the threat assessment module is combined with the identified abnormal behaviours and conditions to output the risk level of each abnormal behaviour, it is checked whether the abnormal behaviour violates a security policy, and the potential security threat it poses is identified. As soon as an abnormal condition is detected, the alarm mechanism is triggered immediately and alarm information is sent to the administrator by mail, short message and instant message; the alarm information contains the abnormal type, the time of occurrence, the influence range, detailed severity information and processing advice. While the alarm is triggered, the abnormal condition is risk-assessed to decide whether it constitutes a high-risk threat, and, combined with the threat assessment result, corresponding protection measures are selected from a preset protection-measure library, with stricter measures selected for high-risk threats, such as blocking the attack source and isolating the infected device; the execution system is called directly, without manual intervention, to carry out the selected measures, so that protection is triggered automatically and the impact of the security event on the system is reduced. The execution result is monitored, all generated protection strategies and their execution results are recorded synchronously, and change logs and event-response records are retained for subsequent audit and analysis; the implementation effect of the protection strategies is evaluated from the monitoring result, including whether the threat has been effectively restrained and whether the system has returned to normal operation, and the protection strategies are optimised and adjusted according to this evaluation, including improving the effectiveness of the strategies, reducing the false-alarm rate and improving the response speed;
In the report generation module, the generation process of the audit log and the risk assessment report comprises the following steps:
All key events in the running of the system are captured, including login attempts, configuration changes, anomaly detections and alarm triggers, and all security-related operations are recorded. The captured data are sorted, key information including the user ID, the operation type and the result state is extracted, and the data are formatted to facilitate report generation. From the captured and sorted data, detailed audit logs are generated that contain the timestamp, the event type, the operator and the influence range of each event. The results of the risk assessment, including the detection, assessment and response of abnormal behaviours, are summarised into a risk assessment report containing the risk level, the threat type and the influence range. The generated report is distributed to designated users and departments by mail, message notification or file sharing, is updated periodically so that it reflects the latest system operation and security conditions, and is archived in the secure system for future reference.
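The alarm, response-strategy and audit/report procedures of the two preceding passages, as one added example that is not the patent's own code. The page names the ingredients (an alarm carrying type, time, influence range, severity and advice; a preset measure library with stricter measures for high-risk threats; automatic execution without manual intervention; audit entries with timestamp, event type, operator and influence range; a report summarising risk levels and threat types). The concrete measure library, the rule that automatic execution starts at the third risk level, the executor and notifier callbacks and the sample anomalies are assumptions made for illustration.

```python
"""Alarm, protection-strategy selection, execution audit and risk report.

Added example, not the patent's own code. The preset protection-measure
library, the rule that automatic execution starts at risk level 3, the
executor/notifier callbacks and the sample anomalies are all assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Hypothetical preset library: stricter measures for higher risk levels.
PROTECTION_LIBRARY: Dict[int, List[str]] = {
    1: [],
    2: ["rate_limit_source"],
    3: ["block_attack_source"],
    4: ["block_attack_source", "isolate_infected_device"],
}
SEVERITY = {1: "low", 2: "moderate", 3: "high", 4: "critical"}
AUTO_EXECUTE_FROM_LEVEL = 3  # assumption: "high-risk" means level 3 and above


@dataclass
class Anomaly:
    kind: str            # abnormal type
    source: str          # attack source / affected device
    scope: str           # influence range
    risk_level: int      # 1..4, output of the threat assessment module
    occurred_at: str     # ISO-8601 time of occurrence
    violates_policy: bool = False


@dataclass
class ResponseEngine:
    executor: Callable[[str, Anomaly], bool]   # applies one measure, True on success
    notifier: Callable[[dict], None]           # delivers the alarm (mail/SMS/IM in the text)
    audit_log: List[dict] = field(default_factory=list)

    def _audit(self, event_type: str, operator: str, scope: str, detail: str) -> None:
        self.audit_log.append({"timestamp": datetime.now(timezone.utc).isoformat(),
                               "event_type": event_type, "operator": operator,
                               "scope": scope, "detail": detail})

    def handle(self, a: Anomaly) -> dict:
        if a.risk_level not in PROTECTION_LIBRARY:
            raise ValueError(f"unknown risk level {a.risk_level}")
        measures = list(PROTECTION_LIBRARY[a.risk_level])
        alarm = {"type": a.kind, "time": a.occurred_at, "scope": a.scope,
                 "severity": SEVERITY[a.risk_level],
                 "policy_violation": a.violates_policy,
                 "advice": measures or ["monitor"]}
        self.notifier(alarm)
        self._audit("alarm_triggered", "system", a.scope, f"{a.kind} from {a.source}")
        executed: Dict[str, bool] = {}
        if a.risk_level >= AUTO_EXECUTE_FROM_LEVEL:
            for m in measures:             # no manual intervention for high-risk threats
                executed[m] = self.executor(m, a)
                self._audit("measure_executed", "system", a.source,
                            f"{m}: {'ok' if executed[m] else 'failed'}")
        # Effect evaluation: the threat counts as restrained only if every measure succeeded.
        suppressed = bool(executed) and all(executed.values())
        return {"risk_level": a.risk_level, "alarm": alarm, "recommended": measures,
                "executed": executed, "suppressed": suppressed}

    def risk_report(self, outcomes: List[dict]) -> dict:
        """Summarise outcomes by risk level and threat type for the assessment report."""
        by_level: Dict[int, int] = {}
        by_type: Dict[str, int] = {}
        for o in outcomes:
            by_level[o["risk_level"]] = by_level.get(o["risk_level"], 0) + 1
            by_type[o["alarm"]["type"]] = by_type.get(o["alarm"]["type"], 0) + 1
        return {"by_level": by_level, "by_type": by_type,
                "suppressed": sum(1 for o in outcomes if o["suppressed"]),
                "audit_entries": len(self.audit_log)}


def demo(fail_measure: str = "") -> tuple:
    """Run two constructed anomalies; `fail_measure` names a measure the executor rejects."""
    sent: List[dict] = []
    engine = ResponseEngine(executor=lambda m, a: m != fail_measure, notifier=sent.append)
    anomalies = [  # constructed sample anomalies
        Anomaly("traffic_spike", "10.0.0.5", "subnet-a", 4, "2024-01-01T00:00:00Z", True),
        Anomaly("config_drift", "host-17", "host-17", 2, "2024-01-01T00:05:00Z"),
    ]
    outcomes = [engine.handle(a) for a in anomalies]
    return outcomes, engine.risk_report(outcomes), sent


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome["alarm"]["severity"], outcome["executed"], outcome["suppressed"])
```

Run with `demo("isolate_infected_device")` to see the failure path: the measure failure lands in the audit log and the outcome is marked not suppressed, which is the signal the text wants fed back into strategy optimisation rather than silently treated as success.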
It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art and which are included in the embodiments of the present invention without the inventive step, are intended to be within the scope of the present invention. Structures, devices and methods of operation not specifically described and illustrated herein, unless otherwise indicated and limited, are implemented according to conventional means in the art.