Network security situation prediction method, device, equipment, storage medium and product
By identifying the exposure labels of network nodes and forming virtual nodes through clustering, and combining this with artificial intelligence models for network security assessment, the problem of the inability to monitor network conditions globally in existing technologies is solved, thereby improving network security and the accuracy of situational awareness.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- LIAONING MOBILE COMM
- Filing Date
- 2026-03-03
- Publication Date
- 2026-06-19
AI Technical Summary
Existing network security equipment is unable to achieve global monitoring of network conditions, making it difficult to make effective decisions when an attack occurs, resulting in low network security.
By identifying the exposure labels of network nodes, clustering based on the connection relationships between nodes to form virtual nodes, and using artificial intelligence models to conduct network security assessments, network security situation prediction results are obtained.
It enables global monitoring of network conditions, improves network security, enhances the accuracy and real-time performance of security situation awareness, and reduces errors and delays caused by manual analysis.
Smart Images

Figure CN122247659A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to a network security situation prediction method, apparatus, device, storage medium, and product. Background Technology
[0002] With the continuous development of network and communication technologies, the scale of the Internet is constantly expanding and network traffic is increasing daily. At the same time, network security issues are also emerging more frequently. As a crucial part of information technology infrastructure development, the failure to provide timely and effective early warnings and responses to network security risks can affect the stable operation of information systems, causing irreparable losses and data security risks to relevant organizations and users.
[0003] Network security mainly relies on security devices such as firewalls, access control, vulnerability scanning, and intrusion detection. It is usually protected from both active and passive defense. Although these security devices have the function of recording security events and logs, the devices are independent of each other, the information is scattered and difficult to share, which makes it impossible to monitor the network status globally and make it difficult to make effective decisions when an attack occurs, resulting in low network security. Summary of the Invention
[0004] To address the problems existing in the prior art, embodiments of the present invention provide a network security situation prediction method, apparatus, device, storage medium, and product, which can realize global monitoring of network conditions and improve network security.
[0005] In a first aspect, embodiments of the present invention provide a method for predicting network security situation, including: Based on the communication behavior data of each node in the network, the exposure labels of each node are identified; wherein, the exposure labels include exposed nodes and non-exposed nodes; Based on the connection relationships between the nodes, the non-exposed nodes are clustered to obtain several virtual nodes; Based on the security situation assessment parameters of the nodes and the virtual nodes, a network security assessment is performed using a preset artificial intelligence model to obtain a network security situation prediction result.
[0006] As an improvement to the above scheme, based on the communication behavior data of each node in the network, the exposure labels of each node are identified, including: Based on the access logs in the node's communication behavior data, determine the IP addresses accessed by the node and the number of times each IP address was accessed; Based on the traffic logs in the communication behavior data of the nodes, determine the traffic value of each IP address; Based on the IP address of each node, the number of times each IP address is accessed, and the traffic value, the exposure label of each node is identified.
[0007] As an improvement to the above scheme, based on the IP address accessed by each node, the number of accesses to each IP address, and the traffic value, the exposure label of each node is identified, including: Each IP address is identified to determine its network affiliation; wherein, an IP address whose network affiliation is outside the network is an external network IP address. Calculate the first access parameter based on the number of external IP addresses; Calculate the second access parameter based on the number of accesses to the external IP address; Calculate the third access parameter based on the traffic value of the external IP address; The exposure label of the node is determined based on the first access parameter, the second access parameter, and the third access parameter.
[0008] As an improvement to the above scheme, based on the connection relationships between the nodes, the non-exposed nodes are clustered to obtain several virtual nodes, including: Based on the connection relationships between the nodes, all links originating from each of the nodes are determined; wherein, each link terminates before reaching the exposed node; Based on the communication behavior data of the nodes on each link, calculate the clustering value of each link; Based on the clustering values of all links of the node, cluster the nodes on all links of the node to obtain the corresponding virtual nodes.
[0009] As an improvement to the above scheme, based on the communication behavior data of the nodes on each link, a clustering value for each link is calculated, including: The attack data of the nodes on the link is determined based on the attack logs in the communication behavior data of the nodes on the link. Based on the traffic logs in the communication behavior data of the nodes on the link, determine the external network traffic data of the nodes on the link; Based on the attack data and external network traffic data of the nodes on the link, the clustering value of the corresponding link is calculated.
[0010] As an improvement to the above solution, based on the security situation assessment parameters of the node and the virtual node, a network security assessment is performed using a preset artificial intelligence model to obtain a network security situation prediction result, including: The security status assessment parameters of each node involved in the virtual node are aggregated to obtain the security status assessment parameters of the virtual node. The security status assessment parameters of the node and the virtual node are input into the artificial intelligence model to perform a network security assessment and obtain a network security status prediction result.
[0011] Secondly, embodiments of the present invention provide a network security situation prediction device, comprising: The tag identification module is used to identify the exposure tags of each node based on the communication behavior data of each node in the network; wherein, the exposure tags include exposed nodes and non-exposed nodes; The node clustering module is used to cluster the non-exposed nodes according to the connection relationship between the nodes to obtain a number of virtual nodes; The network security prediction module is used to perform network security assessments based on the security status assessment parameters of the nodes and the virtual nodes using a preset artificial intelligence model, and obtain network security status prediction results.
[0012] Thirdly, embodiments of the present invention provide a network security situation prediction device, comprising: a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor executes the computer program to implement the network security situation prediction method as described in any one of the first aspects.
[0013] Fourthly, embodiments of the present invention provide a computer-readable storage medium storing a computer program, wherein the computer program, when running, controls the device where the computer-readable storage medium is located to execute the network security situation prediction method as described in any one of the first aspects.
[0014] Fifthly, embodiments of the present invention provide a computer program product, including a computer program or instructions, which, when executed by a processor, implement the network security situation prediction method as described in any one of the first aspects.
[0015] Compared to existing technologies, the present invention provides a network security situation prediction method, apparatus, device, storage medium, and product. First, based on the communication behavior data of each node in the network, the exposure labels of each node are identified; wherein, the exposure labels include exposed nodes and non-exposed nodes. Then, according to the connection relationships between the nodes, the non-exposed nodes are clustered to obtain several virtual nodes. Subsequently, based on the security situation assessment parameters of the nodes and the virtual nodes, a network security assessment is performed using a preset artificial intelligence model to obtain a network security situation prediction result. The present invention, by aggregating nodes with high security risks and close connections into a single virtual node for overall consideration, avoids the problem of failing to monitor the overall network situation due to independent consideration of nodes, thereby achieving global network situation monitoring and improving network security. Attached Figure Description
[0016] To more clearly illustrate the technical solution of the present invention, the accompanying drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0017] Figure 1 This is a flowchart of a network security situation prediction method provided in an embodiment of the present invention; Figure 2 This is a network topology diagram provided in an embodiment of the present invention; Figure 3 This is a schematic diagram of the neural network architecture provided in an embodiment of the present invention; Figure 4 This is a structural block diagram of a network security situation prediction device provided in an embodiment of the present invention; Figure 5 This is a structural block diagram of a network security situation prediction device provided in an embodiment of the present invention. Detailed Implementation
[0018] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0019] It is understood that the various numerical designations used in the embodiments of this invention are merely for descriptive convenience and are not intended to limit the scope of this application. The order of the process numbers does not imply the order of execution; the execution order of each process should be determined by its function and internal logic.
[0020] In embodiments of the invention, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, without necessarily requiring or implying any such actual relationship or order between these entities or operations. The terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising" does not exclude the presence of additional identical elements in the process, method, article, or apparatus that includes said element. The term "a plurality or several" refers to two or more.
[0021] See Figure 1 , Figure 1 This is a flowchart of a network security situation prediction method provided by an embodiment of the present invention. The network security situation prediction method can be executed by a device performing security situation prediction, such as a central security protection node. The method specifically includes: S11: Identify the exposure labels of each node based on the communication behavior data of each node in the network; wherein, the exposure labels include exposed nodes and non-exposed nodes; Node communication behavior data includes, but is not limited to: access logs, traffic logs, attack logs, vulnerability data, etc. By analyzing the communication behavior data generated from data interactions between each node in the network and the outside world, it is determined whether each node is exposed or not.
[0022] Understandably, non-exposed nodes are nodes that are less exposed to the network. For example, nodes with a low percentage of external IP addresses interacting with the network, and / or a low percentage of traffic, and / or a low percentage of accesses are non-exposed nodes. Exposed nodes are nodes that are more exposed to the network. For example, nodes with a high percentage of external IP addresses interacting with the network, and / or a high percentage of traffic, and / or a high percentage of accesses are non-exposed nodes.
[0023] S12: Based on the connection relationships between the nodes, the non-exposed nodes are clustered to obtain several virtual nodes; After identifying whether nodes in the network are exposed or not, the connections between nodes are clustered based on the network topology. This clusters closely connected non-exposed nodes into a single virtual node for overall consideration.
[0024] Furthermore, the connectivity and security risks between non-exposed nodes can be clustered simultaneously to group nodes with high security risks and tight connections into a single virtual node. Nodes with high security risks and tight connections can be determined based on a comprehensive analysis of the attack situation and traffic patterns of each node in the network's transmission links.
[0025] S13: Based on the security situation assessment parameters of the node and the virtual node, a network security assessment is performed using a preset artificial intelligence model to obtain a network security situation prediction result.
[0026] By using artificial intelligence (AI) models (such as neural networks and machine learning) to assess the security situation of all nodes in the network and the virtual nodes formed by the above clusters, the network security situation prediction results are obtained, which are the probability distributions of network security and insecurity.
[0027] Among them, security situation assessment parameters can be determined through communication behavior data, such as determining the traffic value of each node at each time through the traffic logs of each node, determining the identifier of each vulnerability of each node and the CVSS (Common Vulnerability Scoring System) value of each node through the vulnerability data of each node, and determining the attack time, attack type, and attack level of each attack of each node based on the attack logs of each node.
[0028] This invention, by grouping high-security-risk and tightly connected nodes into a single virtual node for overall consideration, avoids the problem of being unable to monitor the overall network status due to independent consideration of nodes, thereby achieving global network status monitoring and improving network security.
[0029] In one optional embodiment, identifying the exposure label of each node based on the communication behavior data of each node in the network includes: Based on the access logs in the node's communication behavior data, determine the IP addresses accessed by the node and the number of times each IP address was accessed; Based on the traffic logs in the communication behavior data of the nodes, determine the traffic value of each IP address; Based on the IP address of each node, the number of times each IP address is accessed, and the traffic value, the exposure label of each node is identified.
[0030] For example, for any node i in the network, its exposed label can be determined by the following steps: The central security protection node sends a log retrieval request to node i, and node i returns access logs and traffic logs to the central security protection node based on the log retrieval request.
[0031] The central security protection node determines all IP addresses involved in node i and the number of times each IP address is accessed based on the access logs, determines the traffic value corresponding to the IP addresses involved in node i based on the traffic logs, and identifies the exposure label of node i based on the above-determined all IP addresses involved in node i and the number of times each IP address is accessed and the traffic value, that is, determines whether node i is an exposed node or a non-exposed node.
[0032] This invention automatically identifies the exposure tags of nodes based on data such as IP addresses, access counts, and traffic values. It can accurately and efficiently determine whether a node in the network is an exposed node or not, thereby achieving quantitative identification and unified management of network node exposure risks, improving the accuracy and real-time nature of network security situation awareness, reducing errors and delays caused by manual analysis, and enhancing overall network security protection capabilities.
[0033] Specifically, based on the IP address accessing each node, the number of accesses to each IP address, and the traffic value, the exposure label of each node is identified, including: Each IP address is identified to determine its network affiliation; wherein, an IP address whose network affiliation is outside the network is an external network IP address. Calculate the first access parameter based on the number of external IP addresses; Calculate the second access parameter based on the number of accesses to the external IP address; Calculate the third access parameter based on the traffic value of the external IP address; The exposure label of the node is determined based on the first access parameter, the second access parameter, and the third access parameter.
[0034] For example, after determining all IP addresses involved in each node in the network and the number of accesses and traffic values of each IP address, it is further determined whether each IP address involved in the node is an IP address of a node in the network, and IP addresses that do not correspond to nodes in the network are determined as external network IP addresses, while IP addresses that correspond to nodes in the network are determined as internal network IP addresses.
[0035] Then, for each node, statistics on external IP addresses, access counts, and traffic values are performed. For example, the ratio of the number of external IP addresses to the total number of all IP addresses is calculated to obtain the first access parameter; the ratio of the access count of external IP addresses to the total access count of all IP addresses is calculated to obtain the second access parameter; and the ratio of the traffic value of external IP addresses to the total traffic value of all IP addresses is calculated to obtain the third access parameter. Then, threshold comparisons are performed on the first, second, and third access parameters to determine the node's exposure label. For example, the square root of the product of the first and second access parameters is calculated to obtain the fourth access parameter. It is then determined whether this fourth access parameter is less than or equal to a preset access ratio threshold and whether the third access parameter is less than or equal to a preset access volume threshold. If the fourth access parameter is less than or equal to the preset access ratio threshold and the third access parameter is less than or equal to the preset access volume threshold, it indicates that the node is less exposed to the network and is considered a non-exposed node; otherwise, it indicates that the node is more exposed to the network and is considered an exposed node. The formula for determining the node's exposure label is as follows: like ,and If so, then the node's exposed label is determined to be a non-exposed node. ,or If so, then the node's exposure label is determined to be an exposed node.
[0036] in, This represents the total number of external IP addresses. The total number of all IP addresses. This represents the total number of accesses from external IP addresses. This represents the total number of accesses from all IP addresses. This is the sum of the traffic values corresponding to all external IP addresses. This is the sum of the traffic values corresponding to all IP addresses. This is a preset access ratio threshold, determined based on the normal access status of nodes in the network that can be accessed from the external network. . This is a preset access threshold, determined based on the normal access situation of nodes in the network being accessed from the external network. .
[0037] This invention, through comprehensive calculation of the proportion of external IP addresses, the proportion of accesses to external IP addresses, and the proportion of traffic to external IP addresses, combined with preset thresholds, can objectively and quantitatively identify the exposure risk of nodes, accurately distinguish between exposed and non-exposed nodes, and avoid misjudgment problems caused by a single indicator. This improves the accuracy and reliability of node exposure status identification and provides a scientific and stable data basis for subsequent network security situation assessment.
[0038] In one optional embodiment, the non-exposed nodes are clustered according to the connection relationships between the nodes to obtain several virtual nodes, including: Based on the connection relationships between the nodes, all links originating from each of the nodes are determined; wherein, each link terminates before reaching the exposed node; Based on the communication behavior data of the nodes on each link, calculate the clustering value of each link; Based on the clustering values of all links of the node, cluster the nodes on all links of the node to obtain the corresponding virtual nodes.
[0039] For example, based on network topology, the connection relationships between nodes in the network are determined. Network topology reflects the relationships between nodes in the network; each node corresponds to a point in the network topology. If there is a communication connection between two nodes, then there is an edge between the corresponding points in the network topology, representing the connection relationship between the two nodes. Figure 2 As shown, white dots are non-exposed nodes, and black dots are exposed nodes.
[0040] Based on the network topology, all links originating from each node can be identified; where each link terminates at an exposed node, meaning the link ends before reaching the exposed node.
[0041] For example, for Figure 2 If node 3 is a node in the chain, then all links originating from node 3 include: Link 1: Node 3 - Node 2; because Node 1 is an exposed node, it terminates at Node 2; Link 2: Node 3 - Node 4 - Node 8; Link 3: Node 3 - Node 5; because Node 6 is an exposed node, it terminates at Node 5.
[0042] Then, for each node, the clustering value of each link of that node is calculated, and the nodes on all links of that node are clustered to obtain the corresponding virtual nodes.
[0043] This invention provides an intuitive mapping of the connection relationships between nodes through network topology, clearly defining the link range starting from each node and limiting the link termination to before the exposed node, effectively isolating the impact of exposed nodes on non-exposed node areas. Simultaneously, by calculating the clustering value of each link and clustering the nodes on the link to generate virtual nodes, nodes with high security risks and close connections can be grouped into a single virtual node for overall consideration. This avoids the problem of being unable to monitor the overall network status due to independent consideration of nodes, thereby achieving global network status monitoring and improving network security.
[0044] Specifically, based on the communication behavior data of the nodes on each link, a clustering value for each link is calculated, including: The attack data of the nodes on the link is determined based on the attack logs in the communication behavior data of the nodes on the link. Based on the traffic logs in the communication behavior data of the nodes on the link, determine the external network traffic data of the nodes on the link; Based on the attack data and external network traffic data of the nodes on the link, the clustering value of the corresponding link is calculated.
[0045] For example, for any link j of any node i in the network, the number of attacks on the corresponding node can be determined based on the attack logs of the nodes on link j, serving as attack data; the traffic value of the external IP address of the node on link j can be determined based on the traffic logs of the nodes on link j, serving as external network traffic data. Then, based on the above attack data and external network traffic data, the cluster weight is calculated. Based on the cluster weight, the number of edges connected to the nodes on link j, and the node data between the node and the starting node, the cluster value of the nodes on link j is calculated. The cluster values of all nodes on link j are summed to obtain the cluster value of link j. The formula for calculating the cluster value of a link is expressed as follows: (1); Where u is the node identifier in link j, excluding node i. Let be the clustering weight of node u in link j. This represents the number of edges connected to node u. Let be the number of nodes that separate node i from node u in link j. This represents the clustering value of link j of node i.
[0046] (2); in, Let represent the proportion of the attack dimension of node u in link j. Let be the minimum proportion of the attack dimension among all nodes on all links in node i. It represents the maximum value among the attack dimensions of all nodes on all links in node i.
[0047] , The number of attacks on node u; The attack value of node u; It is obtained through the node's value (preset) and the difficulty of attacking the node, i.e. ; This represents the total number of IP addresses involved in node u. This is the maximum value among the total number of IP addresses of all nodes in the network. The loss value of node u is the loss suffered by node u after it is attacked. This value is predetermined based on the business value involved in node u. This represents the ratio of the number of high-risk vulnerabilities in node u to the total number of vulnerabilities. This represents the maximum value among the ratios of the number of high-risk vulnerabilities to the total number of vulnerabilities across all nodes in the network. The security score for node u is obtained through the security procedures on node u.
[0048] Let represent the proportion of traffic in node u within link j. Let be the minimum proportion of the traffic dimension among all nodes on all links in node i. It represents the maximum value among the proportions of traffic dimensions for all nodes on all links in node i.
[0049] , This refers to the total traffic to node u whose destination IP address is an external IP address. Let be the total uplink traffic of node u. This refers to the total traffic volume involving node u whose source IP addresses are external network IP addresses. This represents the total downlink traffic of node u.
[0050] Let i be the number of nodes with external IP addresses among all nodes on all links in node i. Let be the total number of nodes on all links in node i.
[0051] This represents the proportion of external IP addresses involved in the link of node i. The larger the proportion, the more likely the link is to be attacked from the outside and the less secure the link is. This value represents the likelihood of node u being attacked; the larger the value, the more likely it is to be attacked. This value represents the case where node u involves external network data. The larger this value is, the more node u is affected by the external network.
[0052] The clustering weight of each node in the link can be calculated. Assess the security risk of each node. The greater the security risk of node u, the more it affects the security of the link it belongs to, and the more necessary it is to consider all nodes in the link as a whole. Therefore, the clustering weight is important. The larger; the greater the clustering weight The larger the value, the higher the clustering value of the corresponding link. The larger the clustering condition, the better. Specifically, the following clustering conditions can be set: if at least one of the following clustering conditions is met, nodes on all links of a node will be clustered.
[0053] Clustering condition 1: The average cluster value of all links of a node is greater than a pre-set cluster value threshold; Clustering condition 2: The number of nodes in all links of a node is not greater than a pre-set threshold, but the difference between the maximum and minimum cluster values of all links is greater than a pre-set difference threshold. If any of the above clustering conditions are met, it indicates that the link of that node has a relatively high risk. Therefore, all links of that node are clustered and merged into a single virtual node. In this merging process, all links of that node are treated as a whole, i.e., a single virtual node. This virtual node includes all the links' nodes, and its attributes are the sum of the attributes of all the link nodes. For example, traffic logs of all links' nodes are merged as the traffic logs of the merged virtual node; vulnerability data of all links' nodes is merged as the vulnerability data of the merged virtual node, etc. This allows all nodes to be considered as a whole, improving the network security posture assessment and preventing the neglect of security impacts between nodes due to considering only a single node, thus enhancing the accuracy of network security posture assessment.
[0054] In one optional embodiment, based on the security situation assessment parameters of the node and the virtual node, a network security assessment is performed using a preset artificial intelligence model to obtain a network security situation prediction result, including: The security status assessment parameters of each node involved in the virtual node are aggregated to obtain the security status assessment parameters of the virtual node. The security status assessment parameters of the node and the virtual node are input into the artificial intelligence model to perform a network security assessment and obtain a network security status prediction result.
[0055] For example, assuming a virtual node is formed by aggregating nodes 1 and 2, the security posture assessment parameters of this virtual node are derived by merging the security posture assessment parameters of nodes 1 and 2. In this case, the traffic value of the virtual node at any time o = the traffic value of node 1 at time o + the traffic value of node 2 at time o. The vulnerabilities of the virtual node are the identifiers and CVSS values of all vulnerabilities in node 1 + the identifiers and CVSS values of all vulnerabilities in node 2. If both node 1 and node 2 have vulnerabilities with the same identifier and CVSS value, only one is retained after aggregation to clean up duplicate data, avoid data redundancy, and improve the calculation efficiency and accuracy of security posture assessment parameters. The attacks on the virtual node = the attack time, attack type, and attack level of all attacks on node 1 + the attack time, attack type, and attack level of all attacks on node 2.
[0056] The security situation assessment parameters of all nodes and virtual nodes in the network are input into the artificial intelligence model, which then performs network security situation prediction to obtain the corresponding network security situation prediction results.
[0057] The artificial intelligence model can be constructed using a neural network, which includes an input layer (containing multiple neurons) and a hidden layer (containing multiple neurons), such as... Figure 3 As shown.
[0058] The output of the hidden layer is obtained through the formula The calculation yielded that, Identify the input layer neurons. For identifying hidden layer neurons, It's weight. f is the bias, and f is the activation function (such as the ReLU function).
[0059] Each hidden layer neuron (such as hidden layer neurons) ) Receives input from all neurons in the input layer (such as input layer neurons) The input is ), through weight Perform a weighted summation and add a bias term. Then the weighted summation result (i.e. ) through activation function (e.g., ReLU) is used to perform a nonlinear transformation to obtain the final output. The final output is the probability distribution of network security and insecurity predicted based on security situation assessment parameters (i.e., the network security situation prediction result), which is then processed by an activation function. It can guarantee that the sum of the probabilities of network security and insecurity is 1. If the probability of network security is higher than the probability of network insecurity, then network security is predicted; otherwise, network insecurity is predicted.
[0060] Among them, weight Decide to input For hidden layer neurons (such as hidden layer neurons) The influence strength of the bias. Used to adjust neurons (such as hidden layer neurons) The activation threshold is set by the activation function f (e.g., f(x) = max(0, x)), which enables the neural network to learn complex patterns.
[0061] It should be noted that the training process of artificial intelligence models is an existing technology. For example, training them with a large amount of sample data of various types can improve the ability of artificial intelligence models to perceive cybersecurity situations.
[0062] Because artificial intelligence models are self-learning models, they can learn based on current evaluation parameters, ensuring that their evaluation indicators and weights are always matched with current network data. This enables them to accurately perceive the current network security situation. In addition, nodes on links with security risks are aggregated into a virtual node for overall consideration, avoiding the problem of not being able to monitor the overall network status due to independent consideration by nodes. This achieves global monitoring of network status and improves network security.
[0063] See Figure 4 , Figure 4 This is a structural block diagram of a network security situation prediction device provided in an embodiment of the present invention. The network security situation prediction device includes: The tag identification module 11 is used to identify the exposure tags of each node based on the communication behavior data of each node in the network; wherein, the exposure tags include exposed nodes and non-exposed nodes; The node clustering module 12 is used to cluster the non-exposed nodes according to the connection relationship between the nodes to obtain a number of virtual nodes; The network security prediction module 13 is used to perform network security assessment based on the security status assessment parameters of the node and the virtual node through a preset artificial intelligence model, and obtain network security status prediction results.
[0064] In an optional embodiment, the tag recognition module 11 includes: The access count determination unit is used to determine the IP addresses accessed by the node and the access count of each IP address based on the access log in the node's communication behavior data. A traffic determination unit is used to determine the traffic value of each IP address based on the traffic log in the communication behavior data of the node. The exposure tag identification unit is used to identify the exposure tag of each node based on the IP address accessed by each node, the number of times each IP address is accessed, and the traffic value.
[0065] In one optional embodiment, the exposure tag identification unit includes: The IP attribution identification subunit is used to identify the attribution of each IP address and determine the network attribution of each IP address; wherein, the IP address whose network attribution is outside the network is the external network IP address; The first calculation subunit is used to calculate the first access parameter based on the number of external network IP addresses; The second calculation subunit is used to calculate the second access parameter based on the number of accesses to the external network IP address; The third calculation subunit is used to calculate the third access parameter based on the traffic value of the external network IP address; The exposure tag identification subunit is used to determine the exposure tag of the node based on the first access parameter, the second access parameter and the third access parameter.
[0066] In an optional embodiment, the node clustering module 12 includes: The link determination unit is used to determine all links originating from each of the nodes based on the connection relationships between the nodes; wherein the links terminate before reaching the exposed node; The clustering value calculation unit is used to calculate the clustering value of each link based on the communication behavior data of the nodes on each link; The clustering unit is used to cluster the nodes on all links of the node according to the clustering value of all links of the node, so as to obtain the corresponding virtual nodes.
[0067] In one optional embodiment, the clustering value calculation unit includes: The attack data determination subunit is used to determine the attack data of the nodes on the link based on the attack logs in the communication behavior data of the nodes on the link. The external network traffic data determination subunit is used to determine the external network traffic data of the nodes on the link based on the traffic logs in the communication behavior data of the nodes on the link; The link clustering value calculation subunit is used to calculate the clustering value of the corresponding link based on the attack data and external network traffic data of the nodes on the link.
[0068] In one optional embodiment, the network security prediction module 13 includes: The parameter aggregation unit is used to aggregate the security status assessment parameters of each node involved in the virtual node to obtain the security status assessment parameters of the virtual node. The prediction unit is used to input the security status assessment parameters of the node and the security status assessment parameters of the virtual node into the artificial intelligence model to perform network security assessment and obtain network security status prediction results.
[0069] It should be noted that the working process of each module in the network security situation prediction device described in the embodiments of the present invention can refer to the working process of the network security situation prediction method described in the above embodiments, and the technical effect achieved is the same as that of the network security situation prediction method described in the above embodiments, so it will not be repeated here.
[0070] See Figure 5 , Figure 5 This is a structural block diagram of a network security situation prediction device provided in an embodiment of the present invention. The network security situation prediction device includes a processor 21, a memory 22, and a computer program stored in the memory 22 and executable on the processor 21. When the processor 21 executes the computer program, it implements the steps in the above-described embodiments of the network security situation prediction method, such as steps S11 to S13.
[0071] For example, the computer program may be divided into one or more modules or units, which are stored in the memory 22 and executed by the processor 21 to complete the present invention. The one or more modules or units may be a series of computer program instruction segments capable of performing specific functions, which describe the execution process of the computer program in the network security situation prediction device.
[0072] The network security situation prediction device may include, but is not limited to, a processor 21 and a memory 22. Those skilled in the art will understand that the schematic diagram is merely an example of a network security situation prediction device and does not constitute a limitation on the device. It may include more or fewer components than illustrated, or combine certain components, or use different components. For example, the network security situation prediction device may also include input / output devices, network access devices, buses, etc.
[0073] The processor 21 can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or any conventional processor. The processor 21 is the control center of the network security situation prediction device, connecting various parts of the device via various interfaces and lines.
[0074] The memory 22 can be used to store the computer programs and / or modules. The processor 21 implements various functions of the network security situation prediction device by running or executing the computer programs and / or modules stored in the memory 22 and calling the data stored in the memory 22. The memory 22 may mainly include a program storage area and a data storage area. The program storage area may store the operating system, at least one application program required for a function (such as sound playback function, image playback function, etc.), etc.; the data storage area may store data created according to the use of the mobile phone (such as audio data, phonebook, etc.). In addition, the memory 22 may include high-speed random access memory, and may also include non-volatile memory, such as hard disk, memory, plug-in hard disk, smart media card (SMC), secure digital (SD) card, flash card, at least one disk storage device, flash memory device, or other volatile solid-state storage device.
[0075] If the modules or units integrated into the network security situation prediction device are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the above embodiments of the present invention can also be implemented by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by the processor 21, it can implement the steps of the various method embodiments described above. The computer program includes computer program code, which can be in the form of source code, object code, executable files, or certain intermediate forms. The computer-readable medium can include: any entity or device capable of carrying the computer program code, recording media, USB flash drives, portable hard drives, magnetic disks, optical disks, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals, and software distribution media, etc.
[0076] It should be noted that the device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Furthermore, in the accompanying drawings of the device embodiments provided by this invention, the connection relationships between modules indicate that they have communication connections, which can be specifically implemented as one or more communication buses or signal lines. Those skilled in the art can understand and implement this without any creative effort.
[0077] The above description represents the preferred embodiments of the present invention. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles of the present invention, and these improvements and modifications are also considered to be within the scope of protection of the present invention.
Claims
1. A method for predicting network security situation, characterized in that, include: Based on the communication behavior data of each node in the network, the exposure labels of each node are identified; wherein, the exposure labels include exposed nodes and non-exposed nodes; Based on the connection relationships between the nodes, the non-exposed nodes are clustered to obtain several virtual nodes; Based on the security situation assessment parameters of the nodes and the virtual nodes, a network security assessment is performed using a preset artificial intelligence model to obtain a network security situation prediction result.
2. The network security situation prediction method as described in claim 1, characterized in that, Based on the communication behavior data of each node in the network, identify the exposure labels of each node, including: Based on the access logs in the node's communication behavior data, determine the IP addresses accessed by the node and the number of times each IP address was accessed; Based on the traffic logs in the communication behavior data of the nodes, determine the traffic value of each IP address; Based on the IP address of each node, the number of times each IP address is accessed, and the traffic value, the exposure label of each node is identified.
3. The network security situation prediction method as described in claim 2, characterized in that, Based on the IP address accessed by each node, the number of accesses to each IP address, and the traffic value, the exposure label of each node is identified, including: Each IP address is identified to determine its network affiliation; wherein, an IP address whose network affiliation is outside the network is an external network IP address. Calculate the first access parameter based on the number of external IP addresses; Calculate the second access parameter based on the number of accesses to the external IP address; Calculate the third access parameter based on the traffic value of the external IP address; The exposure label of the node is determined based on the first access parameter, the second access parameter, and the third access parameter.
4. The network security situation prediction method as described in claim 1, characterized in that, Based on the connection relationships between the nodes, the non-exposed nodes are clustered to obtain several virtual nodes, including: Based on the connection relationships between the nodes, all links originating from each of the nodes are determined; wherein, each link terminates before reaching the exposed node; Based on the communication behavior data of the nodes on each link, calculate the clustering value of each link; Based on the clustering values of all links of the node, cluster the nodes on all links of the node to obtain the corresponding virtual nodes.
5. The network security situation prediction method as described in claim 4, characterized in that, Based on the communication behavior data of the nodes on each link, a clustering value for each link is calculated, including: The attack data of the nodes on the link is determined based on the attack logs in the communication behavior data of the nodes on the link. Based on the traffic logs in the communication behavior data of the nodes on the link, determine the external network traffic data of the nodes on the link; Based on the attack data and external network traffic data of the nodes on the link, the clustering value of the corresponding link is calculated.
6. The network security situation prediction method as described in claim 1, characterized in that, Based on the security situation assessment parameters of the nodes and the virtual nodes, a network security assessment is performed using a preset artificial intelligence model to obtain a network security situation prediction result, including: The security status assessment parameters of each node involved in the virtual node are aggregated to obtain the security status assessment parameters of the virtual node. The security status assessment parameters of the node and the virtual node are input into the artificial intelligence model to perform a network security assessment and obtain a network security status prediction result.
7. A network security situation prediction device, characterized in that, include: The tag identification module is used to identify the exposure tags of each node based on the communication behavior data of each node in the network; wherein, the exposure tags include exposed nodes and non-exposed nodes; The node clustering module is used to cluster the non-exposed nodes according to the connection relationship between the nodes to obtain a number of virtual nodes; The network security prediction module is used to perform network security assessments based on the security status assessment parameters of the nodes and the virtual nodes using a preset artificial intelligence model, and obtain network security status prediction results.
8. A network security situation prediction device, characterized in that, include: A processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, wherein the processor, when executing the computer program, implements the network security situation prediction method as described in any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, wherein, when the computer program is executed, it controls the device where the computer-readable storage medium is located to perform the network security situation prediction method as described in any one of claims 1 to 6.
10. A computer program product, comprising a computer program or instructions, characterized in that, When the computer program or instructions are executed by the processor, they implement the network security situation prediction method according to any one of claims 1 to 6.