Network security marking system based on behavioral data fusion and method

A network security and data fusion technology, applied in the field of network security, that addresses problems such as increased security detection work and a high false alarm rate, achieving the effect of reducing impact and improving detection accuracy.

Active Publication Date: 2013-05-08
重庆市万州区新亿水轮机有限公司

AI Technical Summary

Problems solved by technology

[0002] Malware includes viruses, worms, Trojan horses, etc. Its spread on the Internet poses a huge threat to network users. Given the characteristics of malware propagation, detecting behavioral characteristics is currently a popular and effective detection method. Its advantage is that it can detect propagation behavior in a timely manner and can detect the propagation of some unknown malware early, based on the behavioral characteristics of malware. The problem with this method is its high false positive rate, for example when detection is based on the IPs connected to within a period of time: with P2P networks now prevalent, connecting to multiple IP addresses in a short period of time can also be normal network behavior. In addition, many malware designers try as far as possible to disguise propagation behavior so that it is consistent with normal data traffic, which increases the difficulty of security detection. How to distinguish the characteristics of malicious behavior hidden in the normal network is currently a difficult problem to solve.
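The false-positive problem described above can be reproduced with a simple connection fan-out detector. This is an added example, not code from the patent; the host names, addresses, 30-second window and threshold of 20 are assumptions, and the flow records are constructed.

```python
from collections import deque

def make_flows():
    """Constructed flow records: (timestamp_seconds, source_host, destination_ip)."""
    flows = []
    # Hypothetical worm-like host: 40 new destinations in about 20 s.
    flows += [(i * 0.5, "host-worm", f"10.0.0.{i + 1}") for i in range(40)]
    # Hypothetical P2P client: 35 distinct peers in about 24 s (normal behavior).
    flows += [(i * 0.7, "host-p2p", f"198.51.100.{i + 1}") for i in range(35)]
    # Hypothetical office workstation: the same 5 servers, revisited over 60 s.
    flows += [(i * 2.0, "host-office", f"192.0.2.{i % 5 + 1}") for i in range(30)]
    return sorted(flows)

def fanout_alerts(flows, window=30.0, threshold=20):
    """Flag sources whose distinct-destination count in any sliding window
    exceeds the threshold. Returns {source: peak distinct count}."""
    recent = {}  # source -> deque of (timestamp, destination) inside the window
    peaks = {}   # source -> highest distinct-destination count seen
    for ts, src, dst in flows:
        q = recent.setdefault(src, deque())
        q.append((ts, dst))
        # Drop connections that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        peaks[src] = max(peaks.get(src, 0), distinct)
    return {s: p for s, p in peaks.items() if p > threshold}

if __name__ == "__main__":
    # Both the worm-like host and the legitimate P2P client are flagged,
    # which is the high false positive rate the text attributes to this method.
    for host, peak in fanout_alerts(make_flows()).items():
        print(f"ALERT {host}: {peak} distinct destinations within 30 s")
```

A fan-out count alone cannot separate the two flagged hosts, so a detector of this kind needs additional evidence before a host is treated as malicious.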



Examples


Embodiment Construction

[0042] See Figure 1 and Figure 2. A network security evaluation system based on behavioral data fusion includes an evaluation module, a learning module, and a standard behavior feature library module set in each single node, and an information processing module set in a gateway; each single node is connected to the gateway through the network. Each single node processes the information of its own node, and the gateway performs information fusion and network operation status analysis on the feedback data processed by each node. Wherein,

[0043] The learning module includes self-directed learning and adaptive learning. Self-learning works in a way similar to using a firewall: on first use, the user's opinion is solicited for each output connection request, and the user's choice is remembered as the future working method. This kind of self-learning places higher requirements on users: the user needs to be able to independently judge w...


Abstract

The invention relates to a network security marking system and method based on behavioral data fusion. The system comprises evaluation modules, a study module, and a standard behavior characteristic library, all of which are arranged on each single node, and an information processing module arranged in a gateway. Each single node is connected with the gateway through an internet. Each single node of the system processes the information of its own node, and the gateway carries out information fusion and network condition analysis on the feedback data processed by each node. The evaluation modules are used for evaluating causal relationship between nodes which have a connecting relationship with users and nodes. The study module is used for classifying the users and comparing the changes in each time section. The standard behavior characteristic library is used for detecting typical abnormal behavior characteristics and suspicious behavior characteristics. The information processing module calculates the safety level conditions of all the nodes in the network. With this method, malicious behavior characteristics hidden in a normal network can be distinguished, and the reliability of network security detection is improved.

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular relates to a network security scoring system and method based on behavioral data fusion.

Background technique

[0002] Malware includes viruses, worms, Trojan horses, etc. Its spread on the Internet poses a huge threat to network users. Given the characteristics of malware propagation, detecting behavioral characteristics is currently a popular and effective detection method. Its advantage is that it can detect propagation behavior in a timely manner and can detect the propagation of some unknown malware early, based on the behavioral characteristics of malware. The problem with this method is its high false positive rate, for example when detection is based on the IPs connected to within a period of time. However, with P2P networks now prevalent, connecting to multiple IP addresses in a short period of time can also be normal network behavior, and m...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
Inventor: 黄智勇, 曾孝平, 陈新龙, 周喜川, 曾浩, 张欣
Owner: 重庆市万州区新亿水轮机有限公司