Protection linkage configuration method based on network security big data and big data cloud system

[0020] BRIEF DESCRIPTION OF THE DRAWINGS The present disclosure will be specifically described, and the specific methods of operation in the method embodiment can be applied to device embodiments or system embodiments.

[0021] figure 1 It is a schematic diagram of the interaction of the protective linkage configuration system 10 based on network security big data provided by one embodiment of the present disclosure. Protective linkage configuration system 10 based on network security big data can include large data cloud system 100 and network access device 200 connected to large data cloud system 100. figure 1 The displayed network-based security-based protective linkage configuration system 10 is only one feasible example, in other possible embodiments, the protection linkage-based configuration system 10 based on network security data can also include only figure 1 At least part of the components shown, or may also include other components.

[0022] In one embodiment, the large data cloud system 100 and the network access device 200 in the protective linkage system 10 based on the network security data can be used to perform the network security big data-based protection linkage configuration method based on the following method embodiment. The implementation step portion of the specific large data cloud system 100 and the network access device 200 can be described in detail with reference to the following method embodiments.

[0023] In order to solve the technical problem in the foregoing background, figure 2 A flow diagram of a protective linkage configuration method based on a network security large data provided in the present disclosure, the protection linkage-based configuration method based on network security data provided in this embodiment can be figure 1 The large data cloud system 100 shown in the present is to be described, in the description of the following embodiments, some steps are not necessarily necessary, and the flexible sequence adjustment can be performed according to the actual design requirements, or delete some steps, only the part steps It is a complete process. The following is a detailed introduction to the protective linkage configuration method based on network security data.

[0024] In step S110, the corresponding protective linkage configuration information is acquired based on the interface protection configuration information of the reference network access object.

[0025] Step S120, acquire the interface protection network data layer of the protective linkage configuration information, which includes an interface protection network data node in the interface protection network data layer.

[0026] In an embodiment, the interface protection network data layer may, for example,, for example, an interface protection network data node, wherein the interface protection network data layer can be any protective network data layer in a protective data layer, which can input a protective network data layer. The interface protection network data node detection is performed. When the input protection network data layer includes an interface protection network data node, the input protection network data layer is input as the interface protection network data layer to identify network security protection rules, when the input protection network data layer is not When an interface protection network data node is included, the next input protective network data layer is detected. It should be noted that a linkable object or a plurality of linkage objects may include a linkable object or a plurality of linkage objects in the interface protection network data node.

[0027] Step S130, call the preset network security protection rule prediction model to predict the network security protection rules corresponding to the interface protection network data layer, and protect the protective linkage command corresponding to the protective linkage configuration information based on the network security protection rule. Rules are fused to generate the final configuration of protective linkage command information.

[0028] Based on the above steps, by obtaining the corresponding protective linkage configuration information by the interface protection configuration information of the reference network, the interface protection network data layer of the protective linkage configuration information is acquired, and then the preset network security protection rule prediction model prediction interface protection Network security protection rules corresponding to the network data layer, and based on network security protection rules, the protective line of protective linkage, the protection rule, generates the final configuration of the protective linkage command information. In this way, by means of a network security protection rule predicts after the interface protection network data layer of the protective linkage configuration information, the protective linkage command corresponding to the protective linkage configuration information will be organized, and the final configuration of the protective linkage command information is generated. , Compared to the configuration of conventional single network security rules, the rule correlation of each protective linkage instruction portion in the protection linkage command can be improved, and the network security protection reliability can be improved.

[0029] In an embodiment, step S130 can be implemented by the following exemplary steps.

[0030] Step S210, the interface protection network data layer is coupled to the interposable project data corresponding to the interface protection network data layer.

[0031] In an embodiment, the linkable project data includes X canlocal project network layers in the interface protection network data node and the linkage probability of each of the network layers of the linkable project. For example, after obtaining the interface protection network data layer, the accessible project prediction model of the training completion can be used to identify the accessible project in the interface protection network data node in the interface protection network data layer.

[0032]In an embodiment, the specific manner of obtaining the canable item data corresponding to the interface protection network data layer can be, the protective network data layer of K a labeled can be selected in advance, and inputs the above protective network data layer To the initial prediction model, iterative training is performed to update the parameters in the initial prediction model. When the initial prediction model after receiving the parameter update meets the preset condition, the initial prediction model after the parameter update is determined as the canovable project prediction. Model, preset conditions can be greater than the predetermined accuracy. Among them, the initial prediction model can specifically constructed a model using the depth learning algorithm can be constructed by the CNN, GRU algorithm, LSTM algorithm, etc., the specific principle of model training can return to all the linkage objects of the protection network data layer, and regressive The accessible item of the linkage object, then removes the response to other linkage objects according to the link method, and finally adjust the parameters in the model by calculating the model evaluation value (such as the loss function), when the model evaluation indicator value is not reduced Determine the model training. Further, the network layer distribution can be constructed based on the protective network data layer to obtain the connected project network layer of each can be associated in the identified canopy project, and the linkage attribute between the network layers of the associated can be determined based on the linkage attributes between the network layers of the associated linkage project. The linkage probability of the network layer of the linkable project, wherein the associated canlocal project can specifically determine the two can be associated with two canlocal projects in the interface protection network data node, and determine the candidate can be linked to any candidate project. The different way of linkage probability can be, obtain the first linkage attribute between the candidate can be associated with the corresponding associated linkage, and the linkage attribute determined based on the linkage attributes determined based on different associated linkage projects, calculate The first linkage property is associated with the linkage attribute difference between the linkage attribute mean, and determines the linkage probability of each canlocal project based on the correspondence between the linkage attribute difference zone and the linkage probability, where the linkage attribute difference interval is, The lower the linkage probability.

[0033] By the above manner, a plurality of privately linked items can be extracted, for example, whether the number of can be detected is a preset number n, and if, then, the interface protection network data layer can be re-entered into the model, and the interface is used. The protective network data layer is re-detected. In the above manner, it is possible to avoid the case where the network security protection rule identification is not possible due to less identified canameless items.

[0034] Step S220, the linkage probability of the network layer is screened based on the linkage probability of the network layer of each can be used to obtain the Y candidate can be associated with the network layer.

[0035] In an embodiment, the X-linkable project network layer corresponding to the interface protection network is obtained and the linkage probability of each of the network layers of the network layer can be based on the linkage probability of the linkage probability of the network layer. A linkable project network layer for screening, get Y candidate can linkage project network layers.

[0036] In the specific implementation, the linkage probability reference value can be calculated based on the linkage probability of each of the network layer data of the network layer in X, linkable project, and the linkage probability reference value may include a looming probability mean, a linkage probability, median linkage probability. At least one, and based on the linkage probability reference value to determine the linkage probability threshold, and then filter the Y candidate of the linkage probability greater than the linkage probability threshold from the X private item network layer. For example, the linkage probability reference value is a linkage probability mean, and the 0.5 times average value can be determined as the linkage probability threshold, and the Y candidate of the link probability greater than 0.5 times the co-power probability mean, or the linkage probability base value For the linkage probability variance, it can be detected whether the above variance is greater than the preset variance. If it is, the screening is larger than the linkage probability of the loose probability mean, until the linkage probability variance is lower than the preset variance, and recalculates the remaining after the screening The linkage probability mean of each linkage probability will be used as the linkage probability threshold. Alternatively, the linkage probability reference value includes a network probability mean, a linkage probability variance, and a median mediterion of the linkage probability, the multi-link probability greater than the median mediter is acquired, and the screen is divided into the linkage probability mean in the plurality of linkage probability. Larger linkage probability, until the linkage probability variance is lower than the preset variance, recalculate the linkage probability mean of each linkage probability after the screening, the linkage probability mean at this time is used as the linkage probability threshold.

[0037] Step S230, the first network layer reference data corresponding to the interface protection network data layer is constructed based on the Y candidate can be associated with the network layer.

[0038] In an embodiment, after the Y candidate can be associated with the network layer, the first network layer reference data corresponding to the interface protection network data layer corresponding to the interface protection network data layer will be constructed, and the second network layer reference data corresponding to the interface protection network data layer is constructed. Among them, the first network layer reference data may be a linkage attribute between each candidate can be associated, and the second network layer reference data may be a combination attribute between the network layers of each candidate.

[0039] In the specific implementation, the specific mode of constructing the first network layer reference data can be, the static linkage attributes, dynamic linkage attributes, dependent linkage properties between each candidate can be calculated based on the Y candidate can be associated with the network layer, and each Static linkage attributes between candidate can be associated, dynamic linkage properties, and dependent linkage properties are determined as the first network layer reference data corresponding to the interface protection network data. By the above manner, the first network layer reference data can be constructed based on the linkage attributes between different target positions.

[0040] The specific mode of constructing the second network layer reference data can be, a plurality of network layers are constructed based on the Y candidate can be built, and the matching item data between candidate can be used in each network layer sequence is determined as The interface protection network data layer corresponds to the second network layer reference data, wherein each network layer sequence includes a plurality of candidate can be associated with a network layer, and the second network layer reference data can be constructed based on different target combinations by the above manner. In an embodiment, in order to reduce the amount of operation, it is possible to select some of the first network layer reference data with some automatic should be built with representative candidate.

[0041] Step S240, input the first network layer reference data and the second network layer reference data into the network security protection rule prediction model, resulting in network security protection rules corresponding to the interface protection network data layer, and based on the network security protection rule The protective linkage instruction corresponding to the protective linkage configuration information performs a protection rule fusion to generate the final configuration of the protective linkage command information.

[0042] In an embodiment, after constructing the first network layer reference data and the second network layer reference data, the first network layer reference data and the second network layer reference data can be input to the training completion of the network security protection rule prediction model, Get the network security protection rules corresponding to the interface protection network data layer.

[0043] Among them, the specific process of training for the network security protection rule prediction model can be, obtain multiple sample protection network data layers, each sample protection network data layer includes interface protection network data nodes, and marked network security protection rules information, A canlocal project parsing for each sample protection network data layer, obtain the sample can be associated with the sample protection network data layer, and the sample can be associated with the X-sample can be associated in the interface protection network data node and the network layer and The linkage probability of each sample can be linked to the network layer, and the linkage probability of the network layer of each sample can be screened to the X sample can be connected to the network layer to obtain the Y one target sample can be associated with the network layer based on Y. Target Sample Connectable Project Network layer builds sample first network layer reference data and sample second network layer reference data corresponding to the sample protection network data layer, and inputs sample first network layer reference data and sample second network layer reference data to Iterative training in the initial network security protection rules predictive model to update the parameters in the initial network security rule prediction model, update parameters when the initial network security protection rule forecast model meets the preset conditions when receiving the parameter update The initial network security protection rule prediction model is determined as a network security protection rule prediction model, and the preset condition can be greater than the preset accuracy, where the network security rule of the model output is pre-quenched with the sample protection network data layer. When the marked network security protection rule matches, determine the model output accurately, and determine the accuracy of the model output based on the network security protection rule identification result of the above-mentioned multiple sample protection network data layers.

[0044] In an embodiment, the interface protection network data layer is acquired, and the interface protection network data layer is subjected to the interposable project data corresponding to the interface protection network data, which is based on each linkable project in the data data. The linkage probability of the network layer performs screening of X canlocal project network layers to obtain the Y candidate can be associated with the network layer, and the first network layer reference data corresponding to the interface protection network data layer is constructed based on the Y candidate. And the second network layer reference data; input the first network layer reference data and the second network layer reference data into the network security protection rule prediction model to obtain network security protection rules corresponding to the interface protection network data layer. By implementing the above method, the network security protection rules can be identified, and the recognition efficiency of network security protection rules can be identified, and the recognition accuracy of the network security protection rules can be identified, enhance the recognition accuracy of the network security protection rules can be implemented based on the connectionable items of the linkage object.

[0045] In another possible design embodiment, the above method can also be achieved by step:

[0046] Step S310, the corresponding protective linkage configuration information is acquired based on the interface protection configuration information of the reference network access object.

[0047] Get the interface protection network data layer of the protective linkage configuration information.

[0048] In an embodiment, the interface protection network data layer includes an interface protection network data node.

[0049] Step S320, the interface protection network data layer is coupled to the interposable project data, which obtains the canable project data corresponding to the interface protection network data layer.

[0050] In an embodiment, the linkable project data includes X canlocal project network layers in the interface protection network data node and the linkage probability of each of the network layers of the linkable project. For example, after obtaining the interface protection network data layer, the accessible project prediction model of the training completion can be used to identify the accessible project in the interface protection network data node in the interface protection network data layer.

[0051] Step S330, the X-linkable project network layer is screened based on the linkage probability of the network layer of each can be used to obtain a network layer of Y candidate.

[0052] In an embodiment, the X-link probability of the X-connections corresponding to the interface protection network data layer and the linkage probability of each of the network layers of the network layer, based on the linkage probability of the network layer of each can be associated with the X The linkable project network layer is screened to obtain a network layer of Y candidate.

[0053] Step S340, the first network layer reference data corresponding to the interface protection network data layer is constructed based on the Y candidate can be associated with the network layer.

[0054] In an embodiment, after the Y candidate can be associated with the network layer, the first network layer reference data corresponding to the interface protection network data layer corresponding to the interface protection network data layer will be constructed, and the second network layer reference data corresponding to the interface protection network data layer is constructed. Wherein, the first network layer reference data is a linkage attribute between each candidate can be associated, and the second network layer reference data is a combination attribute between the network layers of each candidate.

[0055] Step S350, the target data layer tag belongs to the interface protection network data layer.

[0056]In an embodiment, the target data layer label includes a data layer tag corresponding to the link protection network data layer, the interface label corresponding to the interface protection behavior in the interface protection network data layer, the interface protection network data layer is associated with the linkage target behavior At least one of the corresponding data layer tags, for example, the data layer tag corresponding to the linkage rule set can be determined by the attribute of the linkage rule set, when the linkage rule set is the largest value of the attribute value of the A category, the interface protection network data layer Determine a category.

[0057] In step S360, the first network layer reference data and the second network layer reference data are input to the network security protection rule prediction model corresponding to the target data layer tag, and the network security protection rules corresponding to the interface protection network data layer are obtained.

[0058] In an embodiment, after determining the target data layer tag belonging to the interface protection network data layer, the first network layer reference data and the second network layer reference data can be input to the target data layer tag corresponding to the network security protection rule prediction model. , Get network security protection rules corresponding to the interface protection network data layer.

[0059] Among them, the network security protection rule prediction model corresponding to the target data layer label is obtained by the sample protection network data layer training under the target data layer label, that is, a category corresponding network security protection rule prediction model is sample protection network data under this category. Layer training is obtained.

[0060] Step S370 determines the linkage probability of the network security protection rule corresponding to the interface protection network data layer.

[0061] In an embodiment, after obtaining the network security protection rules corresponding to the interface protection network data layer, the linkage probability of the network security protection rule corresponding to the interface protection network data layer will be determined.

[0062] In the first implementation, the interface protection network data layer is a protective network data layer to be configured to be combined to determine the connection probability of the linkage probability of network security protection rules, which can be obtained to obtain a set of rules to be set to the interface protection network data layer. The associated plurality of reference protection network data layers, and use the network security protection rule prediction model to identify multiple reference protection network data layers to obtain multiple reference network security rules; in accordance with the set of rules to be associated each protective network data layer Sort the network security rules corresponding to the interface protection network data layer and multiple reference network security rules to obtain network security protection rules sequence; detection network security protection rules sequence and preset network security protection rule template Related degree, and determine the linkage probability of network security protection rules corresponding to the interface protection network data layer in accordance with the correlation degree, where multiple reference protection network data layers associated with the interface protection network data layer can be concentrated and interface protection for the linkage rule. The front i protective network data layer associated with the network data layer and the post-I protect network data layer, i is a positive integer, specifically, the R & D personnel can be pre-set in advance, and the preset network security protection rule template can be pre-set by the R & D personnel. If the interval between different regions in the protective data layer is short, the preset network security protection rule template is set to at least U the U-protection network data layer associated with the protective data layer corresponds to the same network security protection rule, U is greater than 1 Integers, when receiving a network security rule sequence is only once again once, it is determined that it does not match the preset network security rule template, based on each network security rule in the sequence of network security protection rules. To determine the matching of the preset network security rule template to determine the correlation between the network security protection rule sequence and the preset network security protection rule template, the correlation degree can be the number of network security rules related to the network security rules sequence. Commercial value for the number of total network security protection rules. In an implementation scenario, obtain the first four protective network data layers associated with the interface protection network data layer and the last four protective network data layers, together with the interface protection network data layer, which constitutes 9 protective network data layers, pre- Setting the network security protection rule template for at least 3 protective network data layers associated with the protective data layer correspond to the same network security protection rule, based on the network security protection rule sequence obtained by identification results "1A, 2A, 3A, 4B, 5A, 6b, 7c, 8d, 9c ", determining the network security rules" 5A "and" 8D "do not meet the preset network security rules template, the network security protection rule sequence and the preset network security rule template is 7 / 9. Further, the linkage probability of network security protection rules corresponding to the interface protection network can be determined to be 7/9. By the above, the network security protection rule template can determine the linkage probability of identifying network security rules, providing a specific manner for accurate checking of identification results, making the identification result more logic.

[0063] In the second implementation method, determine the specific manner of the linkage probability of the network security protection rule can be, obtain the protective configuration section of each network data sublayer in the interface protection network data layer, and based on the protection of the relevant network data sublayer The difference between the configuration interval determines the plurality of edge network data sub-layers in the interface protection network data layer, and screens the plurality of edge network data sub-layers based on the protection configuration interval of each edge network data sublayer to obtain it for depiction. The target edge network data sublayer sequence of the boundary object edge in the interface protective network data layer; calculates the correlation between the target edge network data sublayer sequence and the preset information set, and acquires and acquires Target edge network data sublayer sequence correlation target reference edge network data sublayer sequence, determine the target reference edge network data sublayer sequence corresponding to the target reference network security rule, and detect network security corresponding to the interface protection network data layer The rule correlation between the protection rules and the target reference network security rules; determine the linkage probability of network security protection rules corresponding to the interface protection network data layer according to the rule correlation. Among them, it is possible to determine the protection configuration interval difference between the associated network data sub-layers is larger than the preset differential interval network data sublayer as an edge network data sublayer, and the edge network data sublayer is used to depict the interface protection network data. The edge of the data layer in the layer, the specific manner of screening a plurality of edge network data sub-layers based on each edge network data sublayer can be, the average protection of interface protection network data nodes in the interface protection network data layer Configure the interval, and calculate the difference between the protection configuration interval between the respective edge network data sub-layers and the average protection configuration interval, determine the edge network data sub-layer of the differential interval than the preset threshold as the target edge network data sublayer, for example, The interface protection network data layer is a protective network data layer to be set in the cameraic set, and the interface protection network data node can be obtained based on the relevant joint protection network data layer, and the interface protective network data layer and the associated protection network data layer. There is a region in which the difference is determined as an interface protection network data node. The correlation mode of the relevant degree of each reference edge network data sub-layer sequence stored in the target edge network data sublayer sequence and the preset information can be, for the target edge network data. The target edge network data sublayer in the sub-layer sequence performs normalized processing, and calculates the target edge network data sub-layer associated with the reference edge network data sub-layer in the target edge network data sublayer sequence after normalization. The number, when the linkage property between the network data sub-layers is smaller than the preset linkage property, it is considered that the network data sublayer matches, and the number of target edge network data sub-layers associated with the target edge network data sublayer sequence The value value of the total event is determined as the degree of correlation between the target edge network data sublayer sequence and the reference edge network data sublayer sequence. After determining the target reference edge network security protection rule, the target reference network security protection rule corresponds to the target reference edge network data sub-layer sequence, the rule correlation between network security protection rules corresponding to the interface protection network, and the rules of the target reference network security rule, of which The rules correlation between different network safety protection rules can be pre-set by R & D personnel, such as the rule correlation between network security protection rules A1 and A2 is 95%, network security protection rules D and C rules are 30 %, Can determine the rules associated with the network security protection rules corresponding to the interface protection network data layer, further, can determine the rule correlation to determine the rule correlation to the interface protection network data layer The linkage probability of network security protection rules.

[0064] In a third implementation, the linkage probability obtained in the first mode is determined as the first linkage probability, and the second mode obtained is determined as the second linkage probability, and the first linkage probability and the second link probability are performed. Comprehensive processing, the linkage probability of network security protection rules corresponding to the interface protection network data layer. Among them, the integrated processing may include weighted processing and processing, that is, the weight coefficient corresponding to the first linkage probability is weighted to obtain the first linkage probability, obtain the first weighting linkage, and the weight coefficient corresponding to the second link probability The second linkage probability is performed to obtain the second weighted linkage probability, determine the sum of the network security protection rules corresponding to the interface protection network data layer with the second weighting linkage probability, and the second weighting linkage probability.

[0065] Step S380 determines how the network security protection rule corresponding to the interface protection network data layer is determined according to the linkage probability.

[0066] In an embodiment, after determining the linkage probability of the network security protection rule corresponding to the interface protection network data layer, the processing method of network security protection rules corresponding to the interface protection network data layer can be determined based on the linkage probability.

[0067] Specifically, the linkage probability of detecting the network security rules is greater than the preset linkage probability; if the probability of the same, the interface protection network data layer inputs multiple reference network security protection rules predictive models, get multiple references Network security protection rules, and filter out the target network security protection rules corresponding to the interface protection network data layer from multiple reference network security rules, which can be used to filter out the number of reference network security rules as interface protection. Target network security protection rules corresponding to the network data layer, for example, refer to the network security protection rules "D, D, C, D", then refer to the number of "D" of the network security rule, "D" is determined as an interface The target network security protection rule corresponding to the protection network data layer, or each reference network security protection rule prediction model can also correspond to the corresponding weight coefficient, based on each reference network security protection rule prediction model weight coefficient for each reference network security The initial feature value of the protection rule performs weighting processing, obtains the eigenvalues ​​corresponding to each reference network security rule, determines the target network security rules corresponding to the interface protection network data layer, for example. The initial feature value of each reference network security rule is 1. Reference network security protection rules are "D, C, D", respectively, corresponding reference network security protection rules predictive weight coefficients are "0.5, 0.2, 0.3", respectively. Then, "D" corresponds to 0.5 * 1 + 0.3 * 1 = 0.8, and the feature value is 0.2 * 1 = 0.2, "D" determines "D" to determine the target network security protection rule corresponding to the interface protection network data layer. Among them, the weight coefficient of different reference network safety protection rules predictive model can be determined by the accuracy of the model history, the higher the identification accuracy, the higher the weight coefficient, and after the reference prediction model is recognized, based on this The identification result is accurately updated to the weight coefficient of the reference prediction model. Different reference network security protection rules predictive models can be based on different algorithm training, such as reference network security protection rules predictive model 1 to trade with CNN algorithms. Model, referring to the human prediction model 2 for the model of training using the LSTM algorithm.

[0068]In an embodiment, the interface protection network data layer is acquired, and the interface protection network data layer is subjected to the interposable project data corresponding to the interface protection network data, which is based on each linkable project in the data data. The linkage probability of the network layer performs screening of X canlocal project network layers to obtain the Y candidate can be associated with the network layer, and the first network layer reference data corresponding to the interface protection network data layer is constructed based on the Y candidate. And the second network layer reference data, input the first network layer reference data and the second network layer reference data into the network security protection rule prediction model, resulting in network security protection rules corresponding to the interface protection network data layer, further, determined The linkage probability of network security protection rules is based on the linkage probability to determine how the processing method for the network security protection rule is implemented. By implementing the above method, the network security protection rules can be identified based on the connection of the linkage of the linkage object, and enhance network security protection. The identification efficiency of the rules and the accuracy of the recognition, further, the present disclosure provides a specific manner to the identification result, which can make the identification result more accurate.

[0069] In an embodiment, another embodiment of the present disclosure may further include the following steps.

[0070] Step A110, according to multiple network access objects in accordance with multiple network security history data generated in the access service channel, generate network security events that refer to access service channels, network security event threat cloud maps are used to represent multiple network security history The threat probability distribution of multiple network security events determined.

[0071] Step A120, determine the reference network access object, obtain a plurality of target main access interfaces of the reference network access object, and multiple target main access interfaces are generated by the reference network access object in the reference network security history data generated. .

[0072] Step A130, get the main network security event in the Network Security Event Threat Cloud Map, the main network security event is located between the plurality of target main access interfaces and the average probability value of the corresponding threat probability distribution is greater than the corresponding threat probability distribution. The average probability value is preset.

[0073] Step A140, based on the main network security event, the plurality of target main access interfaces interface protection configuration, generate interface protection configuration information of the reference network access object.

[0074] Based on the above steps, the present embodiment generates a network security event threatening a network security event in the reference access service channel according to a plurality of network security history data generated in the access service channel, based on multiple network access objects, generating network security events in the reference access service channel. Event Threat Cloud Map The reference network access object Inputs the target main access interface in the access service channel, and reconstructs the reference network access object in referring to the interface protection configuration information in the access service channel, using network security event threatens the cloud map characterization The ability of the probability distribution, using the interface protection configuration to accurately build the interface protection configuration information of the reference network access object, and the interface protection configuration information constructed is subsequent interface protection configuration service with the specified main access interface by the prior art. It is more responsive to the safe protection of the actual network access object, which matches the safety protection of the actual network access object.

[0075] Based on the above embodiment, the present disclosure provides a main body access interface generation method, and can be implemented by the following exemplary steps.

[0076] Step A210, acquire multiple network security history data, determine multiple network security events according to multiple network security history data.

[0077] The inventor studies have found that the prior art uses only the designated subject access interface, which leads to a low protection reliability and cannot match the safety protection potential features of the actual network access object, resulting in the construction of the main body access interface and the actual access interface. A larger difference than produces. It should be noted that the network access object mentioned in the present disclosure may be a single network access object, or a network access object group composed of a plurality of network access objects, and the present disclosure does not specifically limit it.

[0078] Therefore, the present disclosure proposes a main body access interface generation method, combining network security category attributes, network security protocols, and network vulnerability reference data, and builds network access objects, and will get All incomplete subject access interfaces are connected to network security events threatening cloud maps, based on network security event threatening cloud map reconstruction main access interface, using network security event threatens the ability to threatens the probability distribution, accurately build the main access interface of network access objects, It is also possible to predict the main access interface, which provides a more reliable basis analysis data for subsequent protection configuration optimization.

[0079] In order to achieve the technical solution in the present disclosure, it is necessary to generate network security events related to the reference access service channel threatening the network, based on the network security history data generated in the access service channel, according to the various network access objects. During the actual application, network access objects are triggered in the process of accessing to some specific network protection environments. The specific network protection environment is typically set, and the functional space of these specific network protection environments will be formed. Network Security Protocol Environment, Network Security Filter Scene, etc., network access object uses the network protection behavior with these network security protocols or with the network security filtering scene, and the security between network access objects and specific network protection environments The degree of threat affects the acquisition network security protocol environment protection network vulnerability reference, and the smaller the security threat, the weaker the network vulnerability, the larger the security threat, the stronger the network vulnerability reference. Therefore, through this information, the network access object can be accurately estimated to trigger network security protection behavior in referring to the network protection behavior in the access service channel.

[0080] Specifically, obtain multiple network access objects in accordance with multiple network security history data generated in the access service channel, determine multiple network security events according to multiple network security history data, which is incompletely used in subsequent use of these network security events. The main body access interface, thus constructing the network security event threatening the network security event of the access service channel. The following is an example of any network security history data in multiple network security history data: When the network security event is determined based on the network security history, first, the network security category attribute, network security is extracted in network security history data. The agreement environment set and network vulnerability reference data. Network security history data is a network access object scanned to and generates data to the big data cloud system in the process of accessing the behavior in the access service channel, where the network security category property is used to represent network access objects when generating network security history data. Successfully interact with which network protection behavior triggering business objects; network security protocol enumerations are used to indicate which network security protocol environments can be searched for network access objects when generating network security history data; network vulnerability reference data A network vulnerability reference for representing network access objects and network protection behavior triggering business objects and a network vulnerability reference for searching for various network security protocol environments. Subsequently, on the one hand, the big data cloud system determines the actual protection target indicating the network security category attribute indication, query the actual protection target in the network vulnerability reference data, the protection network vulnerability reference value, the protection network vulnerability reference value corresponds to The degree of security threat is taken as the first security threat level. On the other hand, the large data cloud system acquires a number of network security protocol environments including network security protocols, and queries multiple environmental network vulnerability references that open network security protocol environments in network vulnerability reference data. Value, the degree of security threats corresponding to multiple environmental network vulnerability reference values ​​are values ​​as multiple second security threats. That is, the security threat level value corresponding to the environment network vulnerability reference value is queried according to the network access object search value to the environment network vulnerability value of the network security protocol environment. For example, it is assumed that the environmental network vulnerability reference value 4 level of the network security protocol environment A can be turned on, and the degree of 300 security threats corresponding to the 4th level are the second security threat. After that, the degree of target security threat value value is extracted in the first security threat level and the degree value of multiple second security threats. The value of the degree of target security threat is greater than the first security threat value and multiple second security threats. In addition to the degree of security threats in the degree of target security threat, the degree of target security threat is the first security threat value and the maximum level of security threats in the degree of multiple second security threats. The degree of security threat is the largest network access object where the network protection behavior triggered network security protection behavior and network protection behavior triggered business objects, the more accurate it is determined. Finally, depending on the degree of derivation of the target security threat, it is possible to determine the network security event where the network access object is generated when generating network security history data. Specifically, considering that sometimes the target security threat value is too small, for example, the degree of security threats, if the subsequent continuation is based on the network security incident based on the excessive target security threat value, then there is a large error with the actual situation, It does not have the meaning of analysis, no need to record, so the security threat threshold can be set in advance, and the degree value of the target security threat is determined by the security threat threshold. When the target security threat value is greater than equals the security threat threshold, the network security event based on the target security threat estimates that the network security event of network access object is more accurate, and therefore, it is determined to determine the actual value of the target security threat value. Protection targets or objectives can open the network security protocol environment, set the actual protection or target to the specific business environment network security event for the specific network protection environment of the network security protocol environment, set to network security events. That is, the actual protection target or the business scenario where the target can open the specific network protection environment of the network security protocol environment acts as a network access object generates network security history data to trigger network security protection behavior. When the degree of target security threat is less than the security threat threshold, the network security event based on the target security threat is not accurate enough, the error is large, so the network security event is set to stability and does not meet the requirements. It is not possible to indicate an estimate of network security events that cannot be performed based on the network security history data. Repeat the determination process of the above network security event, and each network security history data in multiple network security history data is analyzed and identified, and multiple network security events in the reference access service channel can be obtained.

[0081] Step A220, generate a plurality of network security events according to the network security filter data of multiple network security history data, resulting in multiple network security event filtering trajectories.

[0082] In the present disclosure, when a plurality of network security events are determined, these network security events can be connected to form a plurality of network access objects to access the plurality of body access interfaces in the access service channel. Wherein, when the main body access interface is formed, it is necessary to associate the main access interface of the network security event for a network access object, that is, the network security event for a network access object, and forms the main access interface of the network access object, and is formed simultaneously or sequentially. Other network access object access interfaces.

[0083]Specifically, it is necessary to divide multiple network security history data into multiple unit network security data based on multiple network access objects. The network security history data including each unit network security data in multiple unit network security data is the same network access. The object is generated, that is to say to group network security history data according to the network access object, the network security history data generated by the same network access object is divided into the same unit network security data, which in turn forms the main access interface of the network access object. . Next, any of the unit network security data in multiple unit network security data will be described as an example: First, determine the network security filtering data of network security history data including the unit network security data, and the network security filtering process of network security filtering data. Network security events corresponding to the network security event included in the unit network security data, i.e., network security history data including unit network security data in accordance with network security filtering data, network security history data including unit network security data. Stability Identify. For example, it is assumed that the network security history data included in the unit network security data is A, B, C, and D, and A is generated by the network security filter T3, B is generated in the network security filter T1, C is a network security filter T2 Generated, D is generated in the network security filter T4 (the order in which the network security filter node is T1, T2, T3, T4), the network security history data after the network operation stability recognition is B, C, A, D. Subsequently, the network security event after network operation stability is read in turn. When reading a network security event that does not meet the requirements of stability, it means that the network access object cannot be determined when generating network security history data including the network security event. The access feature, therefore, the network security event recognizes the network security event before stability does not meet the requirements of the network security event, and obtains the network security event filtering trajectory of the unit network security data, which is not to meet the requirements. All network security events between network security events are connected in accordance with the network security filtering process, forming a main access interface as a network security event filtering trajectory. The network security event due to stability does not determine the access characteristics of the network access object, so it is necessary to re-statistically access the interface, continue to read the next network security event of network security events that are not satisfied with the requirements, and Re-according to the above process, generate a new network security event filtering trajectory until multiple network security events are read, obtain multiple network security event filtering trajectories of unit network security data. It should be noted that the interface protection configuration is not performed with any network security event filtering trajectory due to stability, and the main body access interface obtained in the process is not complete, and it is intermittent, Network security event filter trajectory. Subsequent, repeatedly performing the above-described processes on the remaining unit network security data, which generate a network security event filtering trajectory for multiple unit network security data, and can get multiple network security event filtering trajectories, which are also the trajectory of these network security events. Network Access Objects Access Interfaces when the behavior in the access service channel is encompassed. It should be noted that each network security event filtering trajectory is essentially a sequence containing network security protection behavior information, each network security protection behavior in the sequence, can correspond to one or more network security events, The specific is not limited.

[0084] Step A230, the plurality of network security event filtering traces are generated, generating network security events threatening the access service channel threatening cloud map.

[0085] In the present disclosure, after a plurality of network security event filter traces are obtained, the cloud map generation of multiple network security event filter is started, and the network security event threatening the network security event to access the service channel is generated. Among them, considering the generated network security event filtering trajectory is actually a sequence containing network security protection behavior information contains network security protection behavior information, in order to be able to use network security protection behavior information in the sequence as much as possible, it is generated in this disclosure. Network security incident threatens cloud map. Network Security Event Threat Cloud Map is a multi-level threat cloud map, unlike traditional first-order threat cloud maps, network security event threatens the cloud map can be a good portrait of non-Markov information in the sequence, and the starting point, end point of the sequence, etc. The network security event threat cloud map is essentially a threat distribution that represents multiple network security events determined by multiple network security history data, that is, according to these network security event filter statistics by a network security event to another The threat profile (probability size) of the network security event, thereby reconstructing the main body access interface, performs the main body access interface and the main body access interface, ensuring the generation of coherent and complete main body Access interface.

[0086] The process of specifically generating network security event threatening the cloud map: First, read the network security event included in each network security event filter in multiple network security event filters trajectories, which will include the same network security event filtering trajectory The network security event is associated with the associated node to get the initial threat cloud. For example, suppose network security event filtering trajectories is used to indicate that the network security protection behavior to M network security protection behavior is reached to X network security protection behavior, and network security event filtering track 2 is used to represent from A network security protection behavior to M network. Safety protection behavior is reached to Y network security protection behavior, then the same network security event in two network security event filter is M network security protection behavior, and the M network security protection behavior is associated with two network security event filtering trajectories. The resulting results are from the A network security protection behavior to M network security protection behavior, M network security protection behavior is bifurcated to X network security protection behavior and Y network security protection. Subsequently, for each network security event in the initial threat cloud map, determine multiple linkage network security events with the network security incident in the initial threat cloud map, count each linkage behavior in multiple linkage network security events The data and network security events are associated with the association as a linkage confidence and statistics to the total events of multiple linkage network security events. For example, suppose network security events M, all network security linkage attributes, and statistics, network security events y and m have association relationships in three network security event filter trajectories, the network security event y The linkage confidence is 3. Thereafter, the intensive value of the linkage confidence and total event quantity of each linkage network security event is calculated in multiple linkage network security events, and the probability distribution of multiple linkage network security events is obtained. For example, it is assumed that the network security event m has a associated relationship with four network security events in multiple network security event filters traces, and the linkage confidence of network security event Y is 3, then Y's threat probability distribution is 3/4 = 75%. Finally, the probability distribution of the linkage network security event calculation threat to each network security event in the initial threat cloud is added, and the determined threat probability distribution is added to the initial threat cloud map, and the network security event threatens the cloud map. It should be noted that when the threat probability distribution is added in the initial threat cloud map, the threat probability distribution is determined for which two network security events are determined, and the threat probability distribution is added between which two network security events.

[0087] In the present disclosure, one example of the process threatening the cloud map by the network security event generated by the above steps: First, a plurality of network security event filter trajectories are expressed, including "A → M → X", " A → M → Y "The network security event filter trajectory is an example, and these network security event filters traces are associated with the same network security event, which can be obtained from the same network security event in the network security event filter. Finally, the threat probability distribution is calculated. For example, all network security event filtering traces are mm with a relationship between A relationship with A, and threat probability distribution is 1, and 1 omitted in the first step, no labeling. Thereafter, for network security events M, A to M, the network security event with the associated relationship with M includes X and Y, X appear 3 times, the linkage confidence is 3, Y appence, the linkage confidence is 1, Therefore, calculating the threat probability distribution of X is 3/4 = 75%, and the threat probability distribution of Y is 1/4 = 25%. Similarly, the threat probability distribution of X is 25% after calculation of B to M, and the threat probability distribution of Y is 75%. Finally, add the determined number of threat probability distributions between two network security events associated with it, you can get a network security event threatening cloud map.

[0088] Step A240, extracting the threat probability distribution in the network security event threat cloud map is lower than the network security event of the preset threat probability distribution as the network security event, and the threat distribution of the network security event and the threat to the network security event will be removed from Network Security Event Threat Cloud Map Remove.

[0089] In the present disclosure, since the network security history data is generated by the network access object, some network security historical data errors are large, so that the probability of threats to certain network security events determined in step A230 The distribution is too small, such as 10%, 1%, etc. These network security protection behavior data belong to noise data, low accuracy, and it is easy to affect subsequent main body access interface and update, so in order to reduce noise data. The impact, such as the preset threat probability distribution, and extracting a network security event with a network security event threat cloud map is lower than the network security event of the preset threat probability distribution as a network security event, and will be removed from the network security incident and The threat probability distribution of the network security incident is removed from the network security event threat cloud map, and the network security event threat cloud map generated based on the preset threat probability distribution is implemented to ensure the accuracy of the follow-up.

[0090] At this point, the network security event threat cloud map for accessing the service channel is generated according to multiple network security history data generated in the access service channel according to multiple network access objects. Thereafter, the reconstruction of the network access object body access interface can be started. Step A250 determines that the reference network access object is obtained to obtain a plurality of target main body access interfaces of the reference network access object.

[0091] In the present disclosure, the network access object selected in multiple network access objects is determined as a reference network access object, i.e., the interface protection configuration information of the service service provider wants to reconstruct which network access object. Subsequently, the number of target network security history data generated by the reference network access object is queried in multiple network security history data, and the network security event filtering trace generated based on multiple target network security history data is used as a plurality of target main access interfaces. For example, assume that the reference network access object is the access object R, network security history data A, B, S, G, K is the access object R to generate the large data cloud system, the network security history data A, B, S, G, K is the target network security history data, and the network security event filter generated based on the target network security history data described above is the target main body access interface of the object R.

[0092] Step A260, get the main network security event in the network security event threatening the cloud map.

[0093] For example, in the present disclosure embodiment, after a plurality of target main body access interfaces are determined, since the plurality of target main access interfaces are incomplete main access interfaces, multiple target main access interfaces need to interface protection configuration. There are some scattered network security events between multiple target subject access interfaces. The threat distribution of these network security events is different. The higher the threat probability distribution, the more accurate, so it is necessary to threaten the cloud map in the network security event. Get the main network security event, the main network security event is also a network that is not binding between multiple target host access interfaces and the corresponding threat probability distribution is greater than the network of preset average probability values. Safety events to bind multiple target host access interfaces in subsequent host network security events.

[0094]Specifically, when determining the main network security event, first, querying multiple candidate network security events between multiple subject access interfaces in the Network Security Event Threat Cloud Map. Subsequently, determine the threat probability distribution of each candidate network security event in multiple candidate network security events, and the average probability distribution of the probability distribution in multiple candidate network security events is greater than the candidate network security of the threat distribution of other candidate network security events. Event acts as a main network security event, which is also a candidate network security event that is about to threatens the maximum distribution. Finally, the main network security event is extracted in order to subsequent connections between multiple target main access interfaces.

[0095] It should be noted that during the actual application, a wide range of priority search can also be used to calculate the host access interface of the reference network access object on the reference network access object, and the main body access interface of the reference network accessed. The threat probability distribution, in turn restipate the interface protection configuration information of the reference network access object in subsequent threat probability distribution. For example, for network security events that threatens the probability distribution in the target main access interface, you can use the network security event threat cloud map to correct, thereby increasing the accuracy of the generated interface protection configuration information.

[0096] Step A270, based on the main network security event, the plurality of target main access interfaces interface protection configuration, generate the interface protection configuration information of the reference network access object.

[0097] In the present disclosure, when it is determined that the main network security event is determined, the interface protection configuration of the plurality of target main body access interfaces can be generated based on the main network security event, and the interface protection configuration information of the reference network access object can be generated.

[0098] In the process of practical applications, the big data cloud system will generate a corresponding network security event threatening the cloud map for many access service channels. Use these network security event threaten cloud maps, which can be subject to the network access object in the access service channel. The interface update, the specific update process is as follows: When receiving the request information for interface protection configuration information for the specified network access object, the current network security event and the target network security event of the specified network access object are obtained. Subsequently, query the designated network security event threatening cloud map, specifying the network security event threat cloud map exists in the first linkage network security event associated with the current network security event and the second link security event associated with the target network security event, which is also the query determination. In which the specified network access object is being delivered in which access service channel is delivered, the network security event corresponding to the access service channel threatens the cloud map as the designated network security event threatens the cloud map. After that, start the target network security event for the first linkage network security event. Among them, the average probability that the target network security event and the first linkage network security event is associated and the threat probability distribution in the specified network security event threat cloud map is greater than the threat probability of other network security events associated with the first linkage network security incident. distributed. For example, suppose the first linkage network security event is A, A. The threat probability distribution of the associated network security event in the designated network security event is 75%, C is 25%, and B is used as A Target network security event. Repeat the process of determining the target network security event, continue to extract the next target network security event for the target network security event in the Specify Network Security Event Threat Cloud Map until the second linkage network security event threatening the network security event is reached. Finally, the linkage network security event, the extracted total target network security event, and the termination network security event are associated, obtain the update of the designated network access object, and implements the host access to the specified network access object. Interface update.

[0099] In an embodiment, in step A140, for example, the interface protection linkage command between the main network security event and the plurality of target main body access interfaces can be obtained, and then determine the same or associated target interface protection associated with the main network security event. The target body access interface list of instructions is constructed to refer to the interface protection configuration information of the network access object, and allocate the interface protection linkage command set between the various target main access interfaces in the interface protection configuration information. The interface protection linkage command set includes any two. The interface protection linkage command between the target main access interface and the main network security event and the linkage configuration information corresponding to the interface protection linkage command.

[0100] The method provided by the present disclosure, according to a plurality of network access objects, generating network security events generated in the access service channel, generating network security events in the reference access service channel, threatening cloud map, based on network security events, based on multiple network security history data generated in the access service channel. Safety Event Threat Cloud Map The Reference Network Access Object is generated by the target main body access interface in the access service channel, and reconstructs the reference network access object in referring to the interface protection configuration information in the access service channel, and uses network security event threatens cloud map characterization. The ability to threate the probability distribution, accurately build the main access interface of the network access object, and ensure that the constructed main access interface accuracy is high, better reliability, providing more reliable basic analysis data for information mining of large data cloud systems.

[0101] image 3 A functional module of the protective linkage configuration device 300 provided based on the network security data provided herein, and the functions of each functional module of the protection linkage-based protection linkage configuration device 300 based on the network security data are respectively described in detail below.

[0102] The first acquisition module 310 is configured to access the corresponding protective linkage configuration information to the interface protection configuration information of the reference network of the network access device.

[0103] The second acquisition module 320 is used to obtain an interface protection network data layer of the protection linkage configuration information, including the interface protection network data node in the interface protection network data layer.

[0104] Generating module 330, used to call a preset network security protection rule predictive model predictive interface protection network data layer corresponding to network security protection rules, and based on network security protection rules, protective linkage instructions corresponding to protective linkage configuration information for protection rules, Generate the final configuration of protective linkage command information.

[0105] Figure 4 The hardware structure intent for realizing the large data cloud system 100 for realizing the above-described network-based security-based protection linkage, such as the present disclosure, and Figure 4 As shown, large data cloud system 100 can include processor 110, machine readable storage medium 120, bus 130, and transceiver 140.

[0106] In the specific implementation, the plurality of processor 110 executes the computer execution instruction stored by the machine readable storage medium 120 such that processor 110 can perform a network-based security-based protection linkage configuration method, processor 110, and processor 110, The machine readable storage medium 120 and the transceiver 140 are connected via the bus 130, and the processor 110 can be used to control the transmission and reception operation of the transceiver 140, so that data can be performed with the aforementioned network access device 200.

[0107] The specific implementation process of the processor 110 can be referring to the respective method embodiments performed by the above larger data cloud system 100, and the principles and technical effects are similar, and the present embodiment will not be described later.

[0108] Further, the present disclosure also provides a readable storage medium, and the computer execution instruction is presented in the readable storage medium. When the processor performs the computer execution instruction, it is realized the protection linkage based on network security-based data. Configuration method.

[0109] Finally, it should be understood that the embodiments of the present specification are only used to illustrate the principles of the embodiments of the present specification. Other modifications may also belong to the scope of this specification. Thus, as an example, not limited, the alternative configuration of the present specification can be opened to match the teachings of the present specification. Accordingly, the embodiments of the present specification are not limited to the embodiments of the present specification clearly described and described.