System and method for evaluating network safe state

Abstract

The invention discloses a system and a method for evaluating network safe state, which are used for evaluating the network safe state of an intrusion detection device. The method comprises the following steps of: according to a history log before the current observation cycle of the intrusion detection device, extracting indexes of the network safe state, and establishing a normal distribution model of the indexes of the network safe state; during evaluation, according to a real-time log of the current observation cycle of the intrusion detection device, acquiring index values of the network safe state of the real-time log; and according to the index values of the network safe state of the real-time log and the normal distribution model, acquiring an evaluation result of the network safe state of the intrusion detection device in the current observation cycle. The system and the method for evaluating the network safe state can automatically evaluate the current network safe state according to the logs generated by the intrusion detection device.

Description

technical field [0001] The invention relates to the field of information security, in particular to a system and method for assessing network security status. Background technique [0002] The rapid development of the Internet (Internet) has brought great convenience to the dissemination and utilization of information, but at the same time, human society is facing a huge challenge of information security. In order to alleviate the increasingly serious security problems, intrusion detection system (Intrusion Detection System, IDS) has been more and more widely used. The intrusion detection device is installed in the protected network segment, and its monitoring network card works in promiscuous mode, analyzes all data packets in the network segment, and performs real-time detection and response of network security events. At present, intrusion detection equipment generally adopts misuse detection technology. The detection method is as follows: first, encode the specific intr...

AI Technical Summary

Problems solved by technology

This scheme can predict the attack situation indicators at the next moment based on the historical attack situation indicators, but cannot make a judgment on whether the attack situation at the next moment is normal

Moreover, only the number of alarms is considered in the selection of indicators, and it is difficult to accurately quantify the threat level of network attacks

For example, suppose there are two information systems, namely, information system A and information system B, and these two information systems have detected 100 attack events in one observation period, and in information system A, the 100 attack events are respectively For 100 hosts, and in information system B, 100 attack events are for the same host, the threats faced by the two systems are obviously different, but it is difficult to reflect this difference by using the aforementioned scheme

Images