A Big Data Intelligent Analysis Application Method Based on Network Security
By establishing an abnormal behavior database and a hierarchically managed attack behavior model on a big data intelligent analysis platform, the method addresses the poor effectiveness of traditional network security defense systems against unknown viruses and attack methods, achieving proactive defense and efficient protection of network security.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patent (China)
- Current Assignee / Owner
- GUANGDONG ENERGY GRP GUIZHOU CO LTD
- Filing Date
- 2022-10-20
- Publication Date
- 2026-06-30
AI Technical Summary
Traditional network security defense systems adopt a passive defense approach, which is less effective against viruses and attack methods that have not yet appeared.
An abnormal behavior database is established through a big data intelligent analysis platform, attack behavior models are managed hierarchically, access behavior is monitored at network access ports, and real-time comparative analysis is performed to discover abnormal behavior and trace the source of attacks, restrict frequent access and issue warnings, and update the abnormal behavior model.
The method strengthens defense against unknown viruses and attack methods, detects abnormal behavior promptly, and provides effective network security protection.
Abstract figure: CN115643083B_ABST
Description
Technical Field
[0001] This invention relates to the field of big data intelligent analysis technology, specifically a big data intelligent analysis application method based on network security.
Background Technology
[0002] With the increasing informatization and networking of society, reliance on computer networks has reached unprecedented levels, and network security problems have become increasingly severe. When all people, things and systems are connected in an Internet of Things (IoT) environment, IoT security has a profound impact on national security, so network security is receiving growing attention from internet users. With the spread of multimedia and other technologies, massive amounts of data are constantly produced in every field, making intelligent processing and analysis of data in the big data context more difficult. Big data is typically complex, large in volume and distributed, and requires new technical methods for data processing; intelligent analysis technology therefore plays a crucial role in data processing.
[0003] With the development of mobile smart terminals, the protection of computer network security has received increasing public attention. Traditional network security defense systems adopt a passive defense approach: defense measures are implemented only after a virus or attack has been observed. This approach is effective against viruses and attack methods that have already been discovered, but it is less effective against viruses and attack methods that have not yet been discovered.
Summary of the Invention
[0004] Technical problems to be solved
[0005] To address the shortcomings of existing technologies, this invention provides a big data intelligent analysis application method based on network security, which solves the problem that traditional network security defense systems adopt a passive defense approach and are ineffective against viruses and attack methods that have not yet appeared.
[0006] Technical solution
[0007] To achieve the above objectives, the present invention provides the following technical solution: a big data intelligent analysis application method based on network security, comprising the following steps:
[0008] S1: Obtain network behavior data from the information in the big data database, analyze the network behavior data on the big data analysis platform, and establish an abnormal behavior database;
[0009] S2: The database management unit establishes an attack behavior model from the data in the abnormal behavior database and manages the attack behavior model hierarchically, in the tiers mild abnormal behavior, moderate abnormal behavior and severe abnormal behavior;
[0010] S3: Monitor all access behaviors at the network access port, and compare the access behaviors against the attack behavior model through the model analysis unit to determine whether each access behavior is abnormal;
[0011] S31: If the access behavior is not abnormal, it is allowed to proceed normally;
[0012] S32: If the access behavior is abnormal, it is not allowed to continue, the source of the abnormal behavior is traced through the defense tracking unit, and defensive countermeasures (the counterattack) are launched;
[0013] S4: The access restriction unit marks normal access behaviors, records how many times the same access behavior recurs, and sets an access-count limit; when the same access behavior recurs frequently enough to exceed the limit, access is restricted and a warning is issued.
[0014] Preferably, the access behaviors marked in S4 are recorded in the abnormal behavior database and registered as new abnormal behavior data, and the attack behavior model is updated according to the new abnormal behavior data.
[0015] Preferably, the big data analysis platform is connected to the database management unit, the database management unit is connected to the model analysis unit, and the model analysis unit is connected to the defense tracking unit and the access restriction unit.
[0016] Preferably, the big data analysis platform includes a data acquisition module, a data analysis module, and a data classification module, wherein:
[0017] The data acquisition module is used to acquire network behavior data, including access behavior and request behavior, based on the information content in the big data database.
[0018] The data analysis module is used to analyze network behavior data based on the information obtained by the data acquisition module, thereby filtering out abnormal behaviors and establishing an abnormal behavior database.
[0019] The data classification module categorizes abnormal behaviors based on the data analyzed by the data analysis module, including mild, moderate, and severe abnormal behavior data.
[0020] Preferably, the database management unit includes a model design module, a hierarchical management module, and a behavior simulation module, wherein:
[0021] The model design module establishes attack behavior models based on the data content in the abnormal behavior database, and further refines them into mild abnormal behavior models, moderate abnormal behavior models, and severe abnormal behavior models according to behavior classification.
[0022] The hierarchical management module manages and stores mild, moderate, and severe abnormal behavior models in a hierarchical manner.
[0023] The behavior simulation module runs (simulates) the monitored access behavior against the mild, moderate and severe abnormal behavior models.
[0024] Preferably, the model analysis unit includes a behavior comparison module, an anomaly detection module, and a result output module, wherein:
[0025] The behavior comparison module compares the behavior simulation state produced by the behavior simulation module with the abnormal behavior data.
[0026] The anomaly detection module retrieves the matching abnormal data from the comparison results of the behavior comparison module and determines from the retrieval results whether the behavior is abnormal.
[0027] The result output module outputs the judgment results of the anomaly detection module, namely abnormal behavior results and normal behavior results, to the defense tracking unit.
[0028] Preferably, the defense tracking unit includes an access control module, a tag tracking module and a defense counterattack module, wherein:
[0029] The access control module, based on the output of the result output module, restricts the access of abnormal behaviors and prevents them from continuing to access the system.
[0030] The tag tracking module tags the data exhibiting abnormal behavior and traces its source.
[0031] The defense counterattack module performs defense and counterattack based on the tracking results.
[0032] Preferably, the defense counterattack module includes a firewall, virus scanning and removal, and intrusion detection; the "counterattack" therefore consists of these defensive countermeasures applied to the traced source.
[0033] Preferably, the access restriction unit includes a behavior marking module and a firewall defense module, wherein:
[0034] The behavior marking module marks access behaviors that exceed the access-count limit;
[0035] The firewall defense module establishes a firewall defense state and prevents further access when a marked access behavior continues.
[0036] Preferably, the behavior marking module can be used to set a limit on the number of accesses for an access behavior, and the number of accesses can be modified as needed.
[0037] Beneficial effects
[0038] The present invention has the following beneficial effects: By leveraging big data analysis technology, the present invention establishes an abnormal behavior model, and promptly detects abnormal behavior based on the simulation analysis of abnormal behavior, thereby finding the source of the attack based on the abnormal behavior, which can provide effective protection for network security and improve the quality of network security protection work.
[0039] Of course, any product implementing this invention does not necessarily need to achieve all of the advantages described above at the same time.
Attached Figure Description
[0040] Figure 1 is a flowchart of the method of the present invention;
[0041] Figure 2 is a system flowchart of the present invention.
Detailed Implementation
[0042] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0043] In the description of this invention, it should be understood that the terms "opening", "upper", "lower", "thickness", "top", "middle", "length", "inner", "around", etc., which indicate orientation or positional relationship, are only for the convenience of describing this invention and simplifying the description, and do not indicate or imply that the components or elements referred to must have a specific orientation, or be constructed and operated in a specific orientation, and therefore should not be construed as limiting this invention.
[0044] Referring to Figures 1-2, this invention provides a technical solution: a big data intelligent analysis application method based on network security, comprising the following steps:
[0045] S1: Obtain network behavior data from the information in the big data database, analyze the network behavior data on the big data analysis platform, and establish an abnormal behavior database;
[0046] S2: The database management unit establishes an attack behavior model from the data in the abnormal behavior database and manages the attack behavior model hierarchically, in the tiers mild abnormal behavior, moderate abnormal behavior and severe abnormal behavior;
[0047] S3: Monitor all access behaviors at the network access port, and compare the access behaviors against the attack behavior model through the model analysis unit to determine whether each access behavior is abnormal;
[0048] S31: If the access behavior is not abnormal, it is allowed to proceed normally;
[0049] S32: If the access behavior is abnormal, it is not allowed to continue, the source of the abnormal behavior is traced through the defense tracking unit, and defensive countermeasures (the counterattack) are launched;
[0050] S4: The access restriction unit marks normal access behaviors, records how many times the same access behavior recurs, and sets an access-count limit; when the same access behavior recurs frequently enough to exceed the limit, access is restricted and an alert is issued. The marked access behavior is recorded in the abnormal behavior database and registered as new abnormal behavior data, and the attack behavior model is updated based on the new abnormal behavior data.
[0051] Specifically, the big data analysis platform is connected to the database management unit, the database management unit is connected to the model analysis unit, and the model analysis unit is connected to the defense tracking unit and the access restriction unit.
[0052] Furthermore, the big data analytics platform includes a data acquisition module, a data analysis module, and a data classification module, wherein:
[0053] The data acquisition module is used to acquire network behavior data, including access behavior and request behavior, based on the information content in the big data database.
[0054] The data analysis module is used to analyze network behavior data based on the information obtained by the data acquisition module, thereby filtering out abnormal behaviors and establishing an abnormal behavior database.
[0055] The data classification module categorizes abnormal behaviors based on the data analyzed by the data analysis module, including mild, moderate, and severe abnormal behavior data.
[0056] Furthermore, the database management unit includes a model design module, a hierarchical management module, and a behavior simulation module, wherein:
[0057] The model design module establishes attack behavior models based on the data content in the abnormal behavior database, and further refines them into mild abnormal behavior models, moderate abnormal behavior models, and severe abnormal behavior models according to behavior classification.
[0058] The hierarchical management module manages and stores mild, moderate, and severe abnormal behavior models in a hierarchical manner.
[0059] The behavior simulation module runs (simulates) the monitored access behavior against the mild, moderate and severe abnormal behavior models.
[0060] Furthermore, the model analysis unit includes a behavior comparison module, an anomaly detection module, and a result output module, wherein:
[0061] The behavior comparison module compares the behavior simulation state produced by the behavior simulation module with the abnormal behavior data.
[0062] The anomaly detection module retrieves the matching abnormal data from the comparison results of the behavior comparison module and determines from the retrieval results whether the behavior is abnormal.
[0063] The result output module outputs the judgment results of the anomaly detection module, namely abnormal behavior results and normal behavior results, to the defense tracking unit.
[0064] Furthermore, the defense tracking unit includes an access control module, a tag tracking module and a defense counterattack module, wherein:
[0065] The access control module, based on the output of the result output module, restricts the access of abnormal behaviors and prevents them from continuing to access the system.
[0066] The tag tracking module tags the data exhibiting abnormal behavior and traces its source.
[0067] The defense counterattack module performs defense and counterattack based on the tracking results. The defense counterattack module includes a firewall, virus scanning and removal, and intrusion detection, so the counterattack consists of these defensive countermeasures applied to the traced source.
[0068] Furthermore, the access restriction unit includes a behavior marking module and a firewall defense module, wherein:
[0069] The behavior marking module marks access behaviors that exceed the access-count limit. The behavior marking module is also used to set the access-count limit for an access behavior, and the limit can be modified as needed.
[0070] The firewall defense module establishes a firewall defense state and prevents further access when a marked access behavior continues.
[0071] This invention utilizes big data analytics to establish anomaly behavior models, enabling timely detection of abnormal behaviors through simulation and analysis. This allows for the identification of attack sources based on these abnormal behaviors, providing effective protection for network security and improving the quality of network security assurance work.
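The following is an added example, not code from the patent or its assignee, that models steps S1 to S4 of the Summary and the Detailed Implementation above as one in-memory pipeline: building the tiered abnormal behavior database (S1, S2), comparing live access behaviors against the mild/moderate/severe models at the access port (S3), blocking and tracing an abnormal source (S32), and the S4 access-count limit whose marked behaviors feed back into the model. Everything not stated in the patent is an assumption: an access behavior is a dict with src, method and path (plus status in historical data), an attack behavior model is a (method, path) signature, the three classification rules in build_abnormal_db are illustrative, and all records are constructed.

```python
"""Added example (not the patent's own code): an in-memory model of the S1-S4
pipeline. Assumptions not taken from the patent: an access behavior is a dict
with 'src', 'method', 'path' (and 'status' in historical data); an attack
behavior model matches on the (method, path) signature; the S4 access limit
counts repeats of the same (src, method, path). All records are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TIERS = ("mild", "moderate", "severe")     # S2 hierarchy, least to most severe
Signature = Tuple[str, str]                # (method, path)


def build_abnormal_db(history: List[dict]) -> List[dict]:
    """S1: the data analysis module filters historical behaviors down to abnormal
    ones and the data classification module labels each with a tier.
    The three rules are illustrative assumptions, not the patent's."""
    db = []
    for rec in history:
        if "../" in rec["path"]:
            db.append({**rec, "tier": "severe"})     # path traversal attempt
        elif rec["status"] in (401, 403):
            db.append({**rec, "tier": "moderate"})   # authentication/authorization failure
        elif rec["status"] == 404:
            db.append({**rec, "tier": "mild"})       # probing for resources that do not exist
    return db


class HierarchicalModelStore:
    """S2: attack behavior models held per tier (hierarchical management module)."""

    def __init__(self) -> None:
        self.models: Dict[str, Set[Signature]] = {t: set() for t in TIERS}

    def add(self, tier: str, sig: Signature) -> None:
        self.models[tier].add(sig)

    def classify(self, behavior: dict) -> Optional[str]:
        """S3: compare the behavior against all three tiers; the most severe
        matching tier wins. None means the behavior is not abnormal."""
        sig = (behavior["method"], behavior["path"])
        for tier in reversed(TIERS):
            if sig in self.models[tier]:
                return tier
        return None


def design_models(abnormal_db: List[dict]) -> HierarchicalModelStore:
    """S2: the model design module derives one signature model per abnormal record."""
    store = HierarchicalModelStore()
    for rec in abnormal_db:
        store.add(rec["tier"], (rec["method"], rec["path"]))
    return store


@dataclass
class AccessPortMonitor:
    """S3/S4: monitor every access behavior at the network access port."""
    store: HierarchicalModelStore
    access_limit: int = 3                                   # S4 limit; modifiable as needed
    abnormal_db: List[dict] = field(default_factory=list)
    counts: Counter = field(default_factory=Counter)
    firewall_denied: Set[str] = field(default_factory=set)  # firewall defense state
    alerts: List[str] = field(default_factory=list)

    def handle(self, behavior: dict) -> str:
        src = behavior["src"]
        if src in self.firewall_denied:       # access control: a denied source stays denied
            return "blocked"
        tier = self.store.classify(behavior)
        if tier is not None:                  # S32: abnormal behavior
            self.firewall_denied.add(src)     # trace to the source and add a firewall deny rule
            self.alerts.append(f"{tier} abnormal behavior from {src}: "
                               f"{behavior['method']} {behavior['path']}")
            return f"abnormal:{tier}"
        key = (src, behavior["method"], behavior["path"])   # S31: normal, mark and count
        self.counts[key] += 1
        if self.counts[key] > self.access_limit:            # S4: repeated beyond the limit
            self.firewall_denied.add(src)
            self.alerts.append(f"access limit exceeded by {src}: {key[1]} {key[2]}")
            self.abnormal_db.append({**behavior, "tier": "mild"})  # register as new abnormal data
            self.store.add("mild", (key[1], key[2]))               # update the attack behavior model
            return "restricted"
        return "allowed"


# Constructed historical data for S1 (not real traffic).
HISTORY = [
    {"src": "10.0.0.5", "method": "GET", "path": "/index.html", "status": 200},
    {"src": "10.0.0.7", "method": "GET", "path": "/../../etc/passwd", "status": 400},
    {"src": "10.0.0.8", "method": "POST", "path": "/wp-login.php", "status": 403},
    {"src": "10.0.0.9", "method": "GET", "path": "/.git/config", "status": 404},
]


def run_demo() -> List[str]:
    """Feed constructed live access behaviors through the monitor and return the verdicts."""
    monitor = AccessPortMonitor(store=design_models(build_abnormal_db(HISTORY)))
    live = [
        {"src": "10.0.0.20", "method": "GET", "path": "/index.html"},
        {"src": "10.0.0.21", "method": "GET", "path": "/../../etc/passwd"},
        {"src": "10.0.0.21", "method": "GET", "path": "/index.html"},
    ] + [{"src": "10.0.0.22", "method": "GET", "path": "/api/status"}] * 4 + [
        {"src": "10.0.0.23", "method": "GET", "path": "/api/status"},
    ]
    return [monitor.handle(b) for b in live]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last two verdicts show the S4 feedback loop the patent describes: once 10.0.0.22 exceeds the limit on GET /api/status, that signature is registered as mild abnormal data and the model is updated, so the next source requesting the same path is classified abnormal. A practitioner deploying this should scope that update (per source, or with a higher threshold and human review), because as written one client repeating a legitimate request can turn it into a block rule for every other client.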
[0072] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus.
[0073] The preferred embodiments of the present invention disclosed above are merely illustrative of the invention. These preferred embodiments do not exhaustively describe all details, nor do they limit the invention to the specific implementations described. Clearly, many modifications and variations can be made based on the content of this specification. This specification selects and specifically describes these embodiments to better explain the principles and practical applications of the invention, thereby enabling those skilled in the art to better understand and utilize the invention. The invention is limited only by the claims and their full scope and equivalents.
Claims
1. A big data intelligent analysis application method based on network security, characterized in that it includes the following steps:
S1: The network behavior data in the big data database is obtained by the data acquisition module of the big data analysis platform; the abnormal behavior is filtered out by the data analysis module and an abnormal behavior database is established; the abnormal behavior data is then divided into mild, moderate and severe abnormal behavior data by the data classification module.
S2: Through the model design module of the database management unit, an attack behavior model is established based on the data in the abnormal behavior database and further refined into a mild abnormal behavior model, a moderate abnormal behavior model and a severe abnormal behavior model; the hierarchical management module performs hierarchical storage management, and the behavior simulation module simulates the access behavior against the above three-level models.
S3: All access behaviors are monitored at the network access port; the simulated results of the access behaviors are compared with the abnormal behavior data by the behavior comparison module of the model analysis unit, the anomaly detection module retrieves the comparison results and determines whether the behavior is abnormal, and the judgment result is output by the result output module.
S31: If the access behavior is not abnormal, it is allowed to run normally; at the same time, the access behavior is marked and the number of accesses is recorded by the behavior marking module of the access restriction unit.
S32: If the access behavior is abnormal, the access control module of the defense tracking unit blocks its continued operation, the tag tracking module traces the source of the attack, and the defense counterattack module, which includes a firewall, virus scanning and intrusion detection, launches a counterattack.
S4: An access frequency limit is set through the behavior marking module of the access restriction unit, and this limit can be modified according to actual needs. When the same access behavior frequently exceeds the limit, the firewall defense module blocks the access and issues an alert. The access behaviors marked in S4 are recorded in the abnormal behavior database and registered in real time as new abnormal behavior data, and the mild, moderate and severe abnormal behavior models are updated based on the new abnormal behavior data.
The big data analysis platform includes a data acquisition module, a data analysis module and a data classification module, wherein: the data acquisition module acquires network behavior data, including access behavior and request behavior, from the information in the big data database; the data analysis module analyzes the network behavior data obtained by the data acquisition module, filters out abnormal behaviors and establishes the abnormal behavior database; the data classification module categorizes the abnormal behaviors analyzed by the data analysis module into mild abnormal behavior data, moderate abnormal behavior data and severe abnormal behavior data.
The database management unit includes a model design module, a hierarchical management module and a behavior simulation module, wherein: the model design module establishes attack behavior models based on the data in the abnormal behavior database and further refines them into mild, moderate and severe abnormal behavior models according to behavior classification; the hierarchical management module manages and stores the mild, moderate and severe abnormal behavior models hierarchically; the behavior simulation module simulates the access behavior against the mild, moderate and severe abnormal behavior models.
The access restriction unit includes a behavior marking module and a firewall defense module, wherein: the behavior marking module marks access behaviors that exceed the access-count limit; the firewall defense module establishes a firewall defense state and prevents further access when a marked access behavior continues; the behavior marking module is used to set the access-count limit for an access behavior, and the limit can be modified as needed.
2. The big data intelligent analysis application method based on network security according to claim 1, characterized in that: The big data analytics platform is connected to the database management unit, which in turn is connected to the model analysis unit, which is then connected to the defense tracking unit and the access restriction unit.
3. The big data intelligent analysis application method based on network security according to claim 1, characterized in that: the model analysis unit includes a behavior comparison module, an anomaly detection module and a result output module, wherein: the behavior comparison module compares the behavior simulation state from the behavior simulation module with the abnormal behavior data; the anomaly detection module retrieves the matching abnormal data from the comparison results of the behavior comparison module and determines from the retrieval results whether the behavior is abnormal; the result output module outputs the judgment results of the anomaly detection module, including abnormal behavior results and normal behavior results, to the defense tracking unit.
4. The big data intelligent analysis application method based on network security according to claim 1, characterized in that: the defense tracking unit includes an access control module, a tag tracking module and a defense counterattack module, wherein: the access control module, based on the output of the result output module, restricts the access of abnormal behaviors and prevents them from continuing to access the system; the tag tracking module tags the data exhibiting abnormal behavior and traces its source; the defense counterattack module performs defense and counterattack based on the tracking results.
5. The big data intelligent analysis application method based on network security according to claim 4, characterized in that: the defense counterattack module includes a firewall, virus scanning and removal, and intrusion detection.