CN114697141B - C4ISR situation awareness analysis system and method based on state machine - Google Patents
- Publication number: CN114697141B (application CN202210596397.XA)
- Authority: CN (China)
- Prior art keywords: state machine, c4isr, intelligent decision, information, decision center
- Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L41/16—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks, using machine learning or artificial intelligence
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
(all within H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication)
Abstract
The invention discloses a state machine-based C4ISR situation awareness analysis system and method. The system comprises an intelligent decision center, a controlled layer, and a communication network layer connecting the intelligent decision center with the controlled layer. The intelligent decision center realizes multi-task integration, induction and decision-making on the data of a brain-like safety control parallel processing system; the controlled layer identifies and configures the virtual assets and classifies them to form asset protection objects. The beneficial effects of the invention are: the brain-like safety control parallel processing system harnesses the large computing power of the parallel processing system and a full-switching network of intelligent-Agent neuron nodes, so that the information processing speed is improved to the greatest extent, and the business workflow is learned autonomously through an autonomous evolution decision mechanism, so that newly appearing attacks and threats can be handled and the security performance improves by itself.
Description
Technical Field
The invention relates to the technical field of network security management and control, and in particular to a state machine-based C4ISR situation awareness analysis system and method.
Background
A network security management and control system based on the C4ISR framework is a network security protection system with machine computation at its core, in which command, control, communications, computing, intelligence, surveillance and reconnaissance are carried out by computer. At present the types of attack are increasing and show uncertainty and diversity, but most existing methods are limited to monitoring and protecting key nodes, their state monitoring modes are limited, and all-round security protection cannot be realized.
Disclosure of Invention
The invention provides a state machine-based C4ISR situation awareness analysis system and method, and solves the problems that existing methods stop at monitoring and protecting key nodes, that the state monitoring mode is limited, and that all-round security protection cannot be realized.
In order to solve the above problems, in one aspect, the present invention provides a state machine-based C4ISR situational awareness analysis system, including an intelligent decision center, a controlled layer, and a communication network layer connecting the intelligent decision center and the controlled layer;
the intelligent decision center is used for realizing multi-task integration, induction and decision through data of a brain-like safety control parallel processing system;
and the controlled layer is used for identifying and configuring the virtual assets and classifying the virtual assets to form asset protection objects.
The intelligent decision center is also used for analyzing the data gathered by the neuron computing nodes and carrying out protection deployment according to the existing knowledge;
the communication network layer establishes a private network on a public network by adopting a communication mode of a virtual private network and carries out encryption communication; and a full-switching network is constructed through the neuron computing nodes and is responsible for information exchange and conduction among the neuron computing nodes.
In another aspect, the state machine-based C4ISR situation awareness analysis method is realized with the state machine-based C4ISR situation awareness analysis system and comprises the following steps:
using the state machine-based C4ISR situation awareness analysis system for security label detection;
using the state machine-based C4ISR situation awareness analysis system for state machine detection;
and using the state machine-based C4ISR situation awareness analysis system for vulnerability detection.
Using the state machine-based C4ISR situation awareness analysis system for security label detection comprises:
obtaining the format characteristics of the information transmitted and received by the subject and the object;
hiding a security label in those format characteristics;
and, each time information is sent or received, requiring the subject and the object to check the security label in the received information to ensure the authenticity of the other party's identity.
Hiding the security label in the format characteristics comprises:
if the object is text information, the format characteristics are character or word shift codes, line shift codes of the text line spacing, and character features; the character features comprise font, color, height, width, stroke width, underline, italics and character topology; the security label comprises a sender identification code, sending time, sending destination and check code.
The method for using the state machine-based C4ISR situation awareness analysis system for state machine detection comprises the following steps:
setting the range, time limit requirement and sequence authority requirement of the received instruction;
after receiving the instruction, executing actions according to the sequence authority requirement and the time limit requirement;
and feeding back an execution result after the action is executed.
The use of a state machine-based C4ISR situational awareness analysis system for vulnerability detection includes:
determining whether a known vulnerability exists by comparing the detected information with vulnerability characteristic information commonly found in a vulnerability characteristic library in a brain-like computing system;
and carrying out unknown vulnerability detection on the battlefield state information stream collected by the distributed front-end equipment in real time through an intelligent decision center.
Performing unknown vulnerability detection, through the intelligent decision center, on the battlefield state information stream collected in real time by the distributed front-end equipment comprises:
a combat unit submitting a stream computation query request;
the intelligent decision center evaluating the stream computation query request to judge whether the workflow is normal;
if the workflow is judged normal, performing the stream computation;
and outputting the query result to the combat unit through the intelligent decision center.
The intelligent decision center judging from the stream computation query request whether the workflow is normal comprises:
if, through comparison and permission query, the intelligent decision center finds an abnormal jump in the computation query request, the behaviour of the combat unit is judged abnormal;
if the combat unit's behaviour is judged abnormal, the intelligent decision center stops execution of the computation query request and records the abnormal behaviour of the combat unit, which may be caused by an unknown vulnerability.
In one aspect, a computer-readable storage medium having stored therein a plurality of instructions adapted to be loaded by a processor to perform a state machine-based C4ISR situational awareness analysis method as described above is provided.
The beneficial effects of the invention are: the brain-like safety control parallel processing system harnesses a large computing power and a full-switching network of intelligent-Agent neuron nodes, so that the information processing speed is improved to the greatest extent, and the autonomous evolution decision mechanism learns the service workflow autonomously to deal with newly appearing attacks and threats, so that the security performance improves by itself. In addition, a converged and complete set of security baselines is formed by sorting out the protected objects, information protection can be carried out according to business requirements, and the defect that current protection methods are disconnected from the business is overcome.
Drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art could obtain other drawings from them without creative effort.
Fig. 1 is a block diagram of a state machine-based C4ISR situational awareness analysis system according to an embodiment of the present invention;
Fig. 2 is a structural model diagram of information security according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of an unknown-vulnerability discovery model based on workflows according to an embodiment of the present invention;
Fig. 4 is a diagram of an operation tree according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", etc. indicate orientations or positional relationships based on those shown in the drawings, are only for convenience and simplicity of description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they should therefore not be considered as limiting the present invention. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.
In the present invention, the word "exemplary" is used to mean "serving as an example, instance, or illustration". Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. The following description is presented to enable any person skilled in the art to make and use the invention. In the following description, details are set forth for the purpose of explanation. It will be apparent to one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and processes are not shown in detail to avoid obscuring the description of the invention with unnecessary detail. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.
Referring to fig. 1, fig. 1 is a block diagram of a structure of a state machine-based C4ISR situational awareness analysis system according to an embodiment of the present invention, where the C4ISR situational awareness analysis system includes an intelligent decision center, a controlled layer, and a communication network layer connecting the intelligent decision center and the controlled layer. The intelligent decision center is used for realizing multi-task integration, induction and decision through data of a brain-like safety control parallel processing system; and the controlled layer is used for identifying and configuring the virtual assets and classifying the virtual assets to form asset protection objects. The intelligent decision center is also used for analyzing the data gathered by the neuron computing nodes and carrying out protection deployment according to the existing knowledge; the communication network layer adopts a communication mode of a virtual private network to establish a private network on a public network and carries out encryption communication; and a full-switching network is constructed through the neuron computing nodes and is responsible for information exchange and conduction among the neuron computing nodes.
In this embodiment, the intelligent decision center (the decision layer) is the brain of the security framework: through continuous learning and self-improvement, all structures and functions of the security defense cooperate with one another without interfering. The brain-like safety control parallel processing system integrates the highly parallel computing characteristics of brain-like supercomputing and quantum computing, integrates a series of large-scale machine learning models, simulates the full-connection mechanism of a group of brain neurons, constructs a full-exchange brain-like supercomputing network architecture, and realizes centerless cooperative computing. It supports flexible extension of computing nodes and flexible assembly of distributed clusters, providing strong computing capacity. Combined with a CMAC model and an ART3 model, the system establishes a brain-like parallel computing multidimensional database. The multidimensional database module analyzes all file information recorded in storage, establishes associations among the various types of information through the combined action of the CMAC multidimensional information association mapper and the brain-cognitive-architecture information association mapper, and stores the association information in encoded form in memories classified by brain cognitive structure.
An integrated storage-and-computation model is established by reference to an artificial neural network model and the brain's cognitive mechanism of bionic memory and inference, realizing content-based associative memory; this addresses the memory-wall problem and reduces IO latency. A storage table space is established in advance so that computation corresponds directly to brute-force search, decoupling complex computation into matching; a two-level search is used, with a primary search over classes and a secondary search over the contents of the classes found, which improves computation and search efficiency. Mapping nodes divide a computing task into subtasks by type and split the same computing task into different next-level subtasks; stacking nodes stack the results of the next-level subtasks to form stacked computation of subtasks of the same type; and reduction nodes summarize the stacked results of the different types to obtain the final result, thereby completing multi-task integration, induction and decision-making.
Multi-task integration, induction and decision-making are thus realized on the data of the brain-like safety control parallel processing system. The design is an analogy with the human nervous system, which senses the surrounding environment through a hierarchy of neurons, supplies the brain with continuous information such as temperature, surface roughness and humidity, and thereby adjusts and improves the body's response to threats; the nervous system is the system that plays the leading role in regulating physiological functions, consists mainly of nervous tissue, and is divided into a central nervous system (brain and spinal cord) and a peripheral nervous system (cranial and spinal nerves). This nervous system is abstracted onto the information system, together with a coordinated coping processing module distributed throughout the system. The perception neurons perceive the key information of the network space in terms of protocols, states, codes and topological relations, and from it restore a dynamic panorama of the IT system: the depiction of normal network behaviour, comprehensive inspection of data packets, deviating behaviour of suspicious activities, the running condition of the front-end equipment, and so on; they report the data in real time through the intermediate neurons.
The motor neuron is a safety protection and counter-control unit and comprises traditional safety mechanisms, such as encryption, access control, blocking and the like; some functional responses are also included, such as reducing load, increasing operating speed, etc.
The intermediate neurons are responsible for information exchange among the neurons and information conduction of an upper layer network and a lower layer network by constructing a full-switching network.
The intelligent decision center is the brain of the security architecture: through continuous learning and self-improvement, all structures and functions of the security defense cooperate with one another without interfering. Multi-task integration, induction and decision-making are realized on the data of the brain-like safety control parallel processing system, and the business workflow is learned autonomously through the autonomous evolution decision mechanism so that the security performance improves by itself. The intelligent decision center has the capability of integration, induction and decision-making: it analyzes the data gathered by each group of neuron computing nodes (see the explanation above) and performs protection deployment according to existing knowledge. The protection process comprises memory, storage and decision-making: after new abnormal data are obtained, the system first compares them with the content of the existing database; if the data are already in the database, defense is carried out directly; if the anomaly is not found there, it is first intercepted, the related information is reported to the data center, and the anomaly is automatically collected and stored. The data collected from the distributed front-end equipment are processed centrally to depict potential security gaps.
Advanced cross-data rule logic analysis is adopted in the data analysis process to distinguish gaps and threats on the basis of multiple devices and multi-layer information logic.
Controlled layer: the system identifies and configures the virtual assets and classifies them to form asset protection objects. Sorting out the protected objects is the first step toward tight coupling of business and security; cleaning the target assets effectively determines the boundary of asset protection, which is also the premise of establishing a security baseline, whose aim is to keep the states of the security baseline within a countable finite state set.
Referring to fig. 2, fig. 2 is a structural model diagram of information security provided by an embodiment of the present invention. The environment is also the business application scenario, and discussing security without the application scenario is incomplete, since the same system behaves differently in different application scenarios. The usage habits of users and the indicators of the upstream and downstream scenario chains differ, and they must be clearly outlined; this is a task with an extremely large workload and an extremely large number of objects, but it has to be done. Only then is security targeted, and only on that basis can a later security baseline be established and a complete, converged set of security baselines be constructed.
A communication network layer: a VPN (virtual private network) communication mode (a private network is established on a public network and encrypted communication is carried out) is adopted; and a full-switching network is constructed among the neuron computing nodes and is responsible for information exchange and conduction among the neuron computing nodes. The intelligent Agent is introduced into each neuron computing node during communication, has certain knowledge, can autonomously sense the environment (the managed object and the state of the managed object), and adjusts and modifies the environment after analysis and reasoning. In addition, a cooperative communication mechanism is established between the intelligent agents. Therefore, the intelligent Agent is adopted to enable the management entities to work autonomously, actively, in real time and cooperatively with each other. The intelligent decision center can sense the state of each neuron computing node, and when a certain neuron computing node fails, the intelligent decision center reconstructs a switching network through other neuron computing nodes to realize function recovery.
The state machine-based C4ISR situation awareness analysis method is realized with the state machine-based C4ISR situation awareness analysis system and comprises the following steps S1-S3:
S1, using the state machine-based C4ISR situation awareness analysis system for security label detection. Step S1 includes steps S11-S13:
S11, obtaining the format characteristics of the information transmitted and received by the subject and the object.
In this embodiment, security marks are set for the subject and the objects, security mark check is supported, the credibility of the subject is ensured, and mandatory access control is performed on all subjects and the objects (such as processes, files, devices, fields, and the like) controlled by the subjects. For example, for a subject and an object, security tag information is hidden in an information format by using format characteristics of information transmitted and received without changing the contents of the information, and for each time information is transmitted and received, it is specified that both the subject and the object are forced to check the security tag in the received information to ensure the credibility of the identity of the other party.
A subject is an active entity that can perform an action on other computer resources or legitimate users, including but not limited to users, operating systems, and the like. The set of subjects is denoted $S=\{s_1,s_2,\dots,s_n\}$, where $s_i=(s_{i1},s_{i2},\dots,s_{il})$, $1\le i\le n$, $l\ge 1$, is the vector of evaluation dimensions of subject $s_i$ in the field of concern (the trust degree of the subject).
An object is a passive entity on which other computer resources or legitimate users can perform an action, including but not limited to physical computer devices, files, databases, etc. The set of objects is denoted $O=\{o_1,o_2,\dots,o_m\}$, where $o_j=(o_{j1},o_{j2},\dots,o_{jt})$, $1\le j\le m$, $t\ge 1$, is the vector of evaluation dimensions of object $o_j$ in the field of concern (the importance of the object).
S12, hiding a security label in the format characteristics; if the object is text information, the format characteristics are character or word shift codes, line shift codes of the text line spacing, and character features; the character features comprise font, color, height, width, stroke width, underline, italics and character topology; the security label comprises a sender identification code, sending time, sending destination and check code.
In this embodiment, if the object is a file such as a text file or a picture file, the security mark information can be hidden by using the format of the text file or the picture file without changing the content of the file. Further by way of example of textual information, security indicia (security indicia content may include sender identification code, time of transmission, destination of transmission, check code, etc.) may be added using techniques including word shifting using characters or words, line shifting using line spacing of text, techniques using character characteristics (font, color, height, width, stroke width, whether underlined, italic, etc., character topology), and the like. Upon receipt of the text message, its security label must be identified to ensure that the sender identity is authentic.
S13, each time information is transmitted and received, the subject and the object are required to check the security label in the received information to ensure the credibility of the other party's identity.
In this embodiment, if the object is a file such as a text, a picture, or the like, the security mark of the object only needs to be determined according to an agreed rule during detection, and the object itself does not need to be detected.
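As an added illustration of steps S11 to S13 (not code from the patent), the following Python script hides a security label in the inter-word spacing of a text message, a simple word-shift coding that leaves the words themselves untouched, and performs the receiving side's mandatory check. The label layout, the use of HMAC-SHA256 over a pre-shared key as the check code, the spacing encoding, the key and the sample message are all assumptions made here.

```python
"""Security label hidden in the format of a text message and checked on
receipt. Added example, not code from the patent. Assumptions: the label
layout (sender identification code, sending time, sending destination, check
code), HMAC-SHA256 truncated to 4 bytes over a pre-shared key as the check
code, and one label bit per inter-word gap (one space = 0, two spaces = 1)
as a simple form of word-shift coding."""
import hashlib
import hmac
import re
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SHARED_KEY = b"constructed-demo-key"  # assumption: pre-shared by subject and object
CHECK_LEN = 4                         # bytes of check code
LABEL_LEN = 2 + 4 + 2 + CHECK_LEN     # sender(2) + time(4) + destination(2) + check


@dataclass(frozen=True)
class SecurityLabel:
    sender_id: int    # sender identification code (16 bit)
    send_time: int    # sending time, Unix seconds
    destination: int  # sending destination code (16 bit)

    def pack(self) -> bytes:
        body = struct.pack(">HIH", self.sender_id, self.send_time, self.destination)
        check = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:CHECK_LEN]
        return body + check

    @classmethod
    def unpack(cls, raw: bytes) -> Optional["SecurityLabel"]:
        if len(raw) != LABEL_LEN:
            return None
        body, check = raw[:-CHECK_LEN], raw[-CHECK_LEN:]
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()[:CHECK_LEN]
        if not hmac.compare_digest(check, expected):
            return None  # check code mismatch: label forged, damaged or keyed differently
        return cls(*struct.unpack(">HIH", body))


def embed_label(text: str, label: SecurityLabel) -> str:
    """Hide the label in the inter-word spacing; the words themselves are unchanged."""
    words = text.split()
    bits = "".join(f"{b:08b}" for b in label.pack())
    if len(words) - 1 < len(bits):
        raise ValueError(f"need at least {len(bits) + 1} words, got {len(words)}")
    out = [words[0]]
    for i, word in enumerate(words[1:]):
        gap = "  " if i < len(bits) and bits[i] == "1" else " "
        out.append(gap + word)
    return "".join(out)


def extract_label(marked: str) -> Optional[SecurityLabel]:
    """Read the label back from the spacing and verify its check code."""
    gaps = re.findall(r" +", marked.strip())
    if len(gaps) < LABEL_LEN * 8:
        return None
    bits = "".join("1" if len(g) == 2 else "0" for g in gaps[: LABEL_LEN * 8])
    return SecurityLabel.unpack(int(bits, 2).to_bytes(LABEL_LEN, "big"))


def check_received(marked: str, expected_sender: int, own_id: int,
                   now: int, max_age_s: int = 30) -> Tuple[bool, str]:
    """The mandatory check the receiving side performs before trusting the sender."""
    label = extract_label(marked)
    if label is None:
        return False, "no valid security label (missing or check code mismatch)"
    if label.sender_id != expected_sender:
        return False, f"sender {label.sender_id} is not the expected {expected_sender}"
    if label.destination != own_id:
        return False, f"message addressed to {label.destination}, not to this unit"
    if not 0 <= now - label.send_time <= max_age_s:
        return False, "sending time outside the accepted window"
    return True, "security label verified"


# Constructed sample message: 120 words, enough gaps for the 96-bit label.
SAMPLE_TEXT = " ".join(
    ["unit five reports sector seven clear and awaits further orders from command"] * 10)

if __name__ == "__main__":
    label = SecurityLabel(sender_id=4, send_time=1700000000, destination=5)
    marked = embed_label(SAMPLE_TEXT, label)
    print("content unchanged:", marked.split() == SAMPLE_TEXT.split())
    print(check_received(marked, expected_sender=4, own_id=5, now=1700000010))
    # One altered gap changes the sender field, so the check code no longer matches.
    tampered = marked.replace("  ", " ", 1)
    print(check_received(tampered, expected_sender=4, own_id=5, now=1700000010))
```

The point of the check is that a receiver refuses a message whose label is missing, whose check code fails, or whose sender, destination or sending time do not match what this unit expects; altering a single spacing gap in the marked text is enough to invalidate the label. Spacing is used here only because it is easy to show in plain text; the same label could be carried by the font, colour or line-spacing features the text lists.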
S2, using the state machine-based C4ISR situation awareness analysis system for state machine detection. Step S2 includes steps S21-S23:
and S21, setting the range of the received instruction, the time limit requirement and the sequence authority requirement.
In this embodiment, detection based on a service state machine is supported, the state machine includes a time sequence state and a space state, and transition of each state includes condition triggering such as a time sequence, a right, a session space, a request response result, and the like. When the current occurring state is inconsistent with the expected state machine, the state machine detects an abnormal alarm.
And S22, after receiving the instruction, executing an action according to the sequence authority requirement and the time limit requirement.
In this embodiment, according to the role service state machine, a unit receiving a command event defines a range requirement for accepting the command (for example, only commands sent from within 5 km are accepted) and a sequence authority requirement (only commands from units earlier in the sequence are accepted; for example, unit 005 accepts only commands sent by unit 004 and units with lower numbers, and does not accept commands sent by unit 006 and units with higher numbers).
Executing an action after receiving an instruction is also subject to sequence authority requirements: only three actions are allowed, namely executing the instruction, feeding back the execution result, and forwarding along the sequence (for example, unit 005 may forward the instruction only to unit 006 and later units, and may not forward it to unit 004 and earlier units); the execution result must be fed back once execution of the instruction is complete; and execution is subject to time limits (for example, execution must start within 3 seconds of receiving the instruction and may not exceed 10 seconds). The unit therefore has only four states: idle when no instruction has been received, executing the instruction, feeding back the execution result, and forwarding the command to the next unit in the sequence.
After the unit receives a command, its actions and states must conform to the expected state machine; otherwise the state machine monitor raises an exception alarm. For example, if 3 seconds after receiving the instruction the unit has neither forwarded nor executed it, or it tries to forward the instruction in violation of the sequence authority requirement, or it does not feed back the execution result after executing the instruction, or the execution time exceeds the time limit, the unit state is abnormal and an abnormal alarm is given.
And S23, feeding back an execution result after the action is executed.
In this embodiment, a software system is an automaton that starts from an input, passes through a sequence of intermediate states while executing the program, and finally produces an output. If the software system is in a safe state, that is, the program state transitions follow the programmer's design, then every program state lies within the program's state space and the program finally reaches its normal ending state. If the program state transitions into a state space not set by the program itself, i.e. leaves the program's own state space, the execution flow is at risk, and the program may not end in its originally designed ending state. For this reason the execution result must be fed back after execution of the instruction is completed.
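The following Python monitor is an added example (not the patent's code) of the role service state machine described in steps S21 to S23: the four states, the 5 km range rule, the sequence authority rule illustrated with unit 005, and the 3 s / 10 s time limits. The event names, the transition table and the Command record are assumptions chosen here to encode those rules.

```python
"""Role/service state machine check for a command-receiving unit (steps
S21-S23). Added example, not the patent's code. Assumptions: unit numbers are
integers ordered along the command sequence, the four states and thresholds
named in the text (5 km range, action within 3 s, execution at most 10 s),
and an event/transition table chosen here to encode those rules."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class S(Enum):
    IDLE = "idle"              # no instruction being handled
    EXECUTING = "executing"    # instruction being executed
    FEEDBACK = "feedback"      # execution finished, result must be fed back
    FORWARDING = "forwarding"  # instruction being passed to a later unit


# Expected state machine: (current state, event) -> next state. Anything else is abnormal.
TRANSITIONS = {
    (S.IDLE, "execute"): S.EXECUTING,
    (S.IDLE, "forward"): S.FORWARDING,
    (S.EXECUTING, "done"): S.FEEDBACK,
    (S.FEEDBACK, "fed_back"): S.IDLE,
    (S.FEEDBACK, "forward"): S.FORWARDING,
    (S.FORWARDING, "forwarded"): S.IDLE,
}


@dataclass(frozen=True)
class Command:
    cmd_id: str
    source_unit: int    # number of the unit that sent the command
    distance_km: float  # distance of the sender from this unit


class UnitMonitor:
    def __init__(self, unit_no: int, max_range_km: float = 5.0,
                 start_within_s: float = 3.0, max_exec_s: float = 10.0):
        self.unit_no = unit_no
        self.max_range_km = max_range_km
        self.start_within_s = start_within_s
        self.max_exec_s = max_exec_s
        self.state = S.IDLE
        self.pending: Optional[Command] = None
        self.received_at: Optional[float] = None
        self.started_at: Optional[float] = None
        self.alarms: List[str] = []

    def _alarm(self, now: float, msg: str) -> bool:
        self.alarms.append(f"t={now:.1f} unit {self.unit_no:03d}: {msg}")
        return False

    def receive(self, cmd: Command, now: float) -> bool:
        """S21: range and sequence-authority requirements on an incoming instruction."""
        if self.state is not S.IDLE or self.pending is not None:
            return self._alarm(now, f"{cmd.cmd_id} received before the previous instruction completed")
        if cmd.distance_km > self.max_range_km:
            return self._alarm(now, f"{cmd.cmd_id} sent from {cmd.distance_km} km, beyond {self.max_range_km} km")
        if cmd.source_unit >= self.unit_no:
            return self._alarm(now, f"{cmd.cmd_id} from unit {cmd.source_unit:03d} is not earlier in the sequence")
        self.pending, self.received_at = cmd, now
        return True

    def event(self, name: str, now: float, target_unit: Optional[int] = None) -> bool:
        """S22/S23: an action taken by the unit, checked against the expected machine."""
        nxt = TRANSITIONS.get((self.state, name))
        if nxt is None:
            return self._alarm(now, f"action '{name}' not allowed in state {self.state.value}")
        if self.state is S.IDLE:
            if self.pending is None:
                return self._alarm(now, f"'{name}' without any received instruction")
            if now - self.received_at > self.start_within_s:
                return self._alarm(now, f"'{name}' started {now - self.received_at:.1f} s after receipt")
        if name == "forward" and (target_unit is None or target_unit <= self.unit_no):
            return self._alarm(now, f"forwarding to unit {target_unit} violates sequence authority")
        if name == "done" and now - self.started_at > self.max_exec_s:
            return self._alarm(now, f"execution took {now - self.started_at:.1f} s, over the limit")
        if name == "execute":
            self.started_at = now
        if nxt is S.IDLE:
            self.pending = None
        self.state = nxt
        return True

    def tick(self, now: float) -> bool:
        """Periodic check for a unit that has not acted within its time limits."""
        if self.state is S.IDLE and self.pending is not None and now - self.received_at > self.start_within_s:
            self._alarm(now, f"{self.pending.cmd_id} neither executed nor forwarded within {self.start_within_s} s")
            self.pending = None  # abandoned instruction; do not alarm again for it
            return False
        if self.state is S.EXECUTING and now - self.started_at > self.max_exec_s:
            return self._alarm(now, "execution still running past its time limit")
        return True


if __name__ == "__main__":
    m = UnitMonitor(unit_no=5)
    m.receive(Command("c1", source_unit=4, distance_km=2.0), now=0.0)
    m.event("execute", now=1.0)
    m.event("done", now=8.0)
    m.event("fed_back", now=8.5)
    m.receive(Command("c2", source_unit=6, distance_km=1.0), now=10.0)  # from a later unit
    m.receive(Command("c3", source_unit=3, distance_km=1.0), now=11.0)
    m.event("forward", now=12.0, target_unit=4)                          # backwards
    print("\n".join(m.alarms))
```

Every rejected transition is recorded in `alarms` and the state is left unchanged, so the monitor keeps tracking the unit after an anomaly; `tick()` covers the case the text singles out where the unit simply does nothing for 3 seconds, which no event would otherwise report.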
S3, using the state machine-based C4ISR situational awareness analysis system for vulnerability detection. Step S3 includes steps S31-S32:
S31, comparing the detected information with the common vulnerability feature information in the vulnerability feature library of the brain-like computing system to confirm whether a known vulnerability exists.
In this embodiment, known vulnerabilities are found by a scanning tool. Security scanning technology is mainly divided into two types, host-based security scanning and network-based security scanning; the vulnerability detection tool is integrated as a plug-in, and known vulnerabilities are discovered through host-based security scanning. The vulnerability detection plug-in confirms whether a known vulnerability exists by actively comparing the detected information with the common vulnerability feature information in the vulnerability feature library of the brain-like computing system. A brain-like parallel-computing vulnerability feature database is established in advance: the CMAC multidimensional information association mapper and the brain cognitive architecture information association mapper act together to establish the vulnerability feature types and the associations among the items of vulnerability information, and the association information is stored in encoded form in a memory classified by the brain cognitive structure, for real-time matching during detection. A working example is as follows: the vulnerability detection plug-in discovers the service states of the different network ports of the target host by remote probing, collects the relevant target host information by recording the target's responses, compares that information with the vulnerability features in the feature library, and confirms known vulnerabilities such as anonymous login and weak passwords.
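The following is an added example, not code from the patent or its scanning plug-in: matching the service information collected from target hosts against a pre-built feature library, organised as the two-level search that claim 1 describes (first by service type, then by content within that type) and staged as map, stack and reduce steps. The feature entries, the weak-credential list, the host records and the staging are constructed for illustration.

```python
"""Added example for S31: known-vulnerability matching against a pre-built
feature library with a type-first, content-second search. Not code from the
patent; the library entries, credential list and host records are constructed."""
from __future__ import annotations
from collections import defaultdict
from typing import Callable

# Assumed weak credential pairs that a probe would have tried (constructed).
WEAK_CREDENTIALS = {("anonymous", ""), ("admin", "admin"), ("root", "123456"), ("ftp", "ftp")}

Predicate = Callable[[dict], bool]

# First-level key: service type. Second-level entries: (feature id, content predicate).
FEATURE_LIBRARY: dict[str, list[tuple[str, Predicate]]] = {
    "ftp": [
        ("anonymous-login", lambda r: r.get("anonymous_login") is True),
        ("weak-password", lambda r: r.get("credentials_accepted") in WEAK_CREDENTIALS),
    ],
    "ssh": [
        ("weak-password", lambda r: r.get("credentials_accepted") in WEAK_CREDENTIALS),
    ],
    "http": [
        ("trace-method-enabled", lambda r: "TRACE" in r.get("allowed_methods", ())),
    ],
}

# Constructed records, as a plug-in would build them from a target's responses.
HOST_FACTS = [
    {"host": "10.0.0.5", "port": 21, "service": "ftp", "anonymous_login": True},
    {"host": "10.0.0.5", "port": 22, "service": "ssh", "credentials_accepted": ("root", "123456")},
    {"host": "10.0.0.5", "port": 80, "service": "http", "allowed_methods": ("GET", "POST", "TRACE")},
    {"host": "10.0.0.7", "port": 21, "service": "ftp", "anonymous_login": False,
     "credentials_accepted": ("admin", "admin")},
    {"host": "10.0.0.7", "port": 8443, "service": "custom", "banner": "hello"},
]

Finding = tuple[str, int, str]   # (host, port, feature id)


def map_by_type(facts: list[dict]) -> dict[str, list[dict]]:
    """Mapping stage: the first-level search splits the work by service type."""
    buckets: dict[str, list[dict]] = defaultdict(list)
    for rec in facts:
        buckets[rec["service"]].append(rec)
    return dict(buckets)


def match_type(service: str, facts: list[dict]) -> list[Finding]:
    """Second-level search: content matching within one type (one subtask)."""
    findings: list[Finding] = []
    for fid, pred in FEATURE_LIBRARY.get(service, []):   # unknown types match nothing
        for rec in facts:
            if pred(rec):
                findings.append((rec["host"], rec["port"], fid))
    return findings


def stack_results(per_type: dict[str, list[Finding]]) -> list[Finding]:
    """Stacking stage: accumulate the subtask results of every type."""
    stacked: list[Finding] = []
    for findings in per_type.values():
        stacked.extend(findings)
    return stacked


def reduce_report(findings: list[Finding]) -> dict[str, list[tuple[int, str]]]:
    """Reduction stage: summarise per host, ordered by port."""
    report: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for host, port, fid in sorted(findings):
        report[host].append((port, fid))
    return dict(report)


def scan(facts: list[dict]) -> dict[str, list[tuple[int, str]]]:
    buckets = map_by_type(facts)                                         # mapping nodes
    per_type = {s: match_type(s, recs) for s, recs in buckets.items()}  # subtasks by type
    return reduce_report(stack_results(per_type))                       # stacking + reduction


if __name__ == "__main__":
    for host, items in scan(HOST_FACTS).items():
        for port, fid in items:
            print(f"{host}:{port} matches known feature {fid}")
```

The per-type subtasks are independent, which is what makes the mapping stage parallelisable; the caveat is that this stage only ever confirms features already in the library, which is why the method pairs it with the workflow-based detection of S32 for unknown vulnerabilities.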
S32, performing unknown vulnerability detection, through the intelligent decision center, on the battlefield state information flow collected in real time by the distributed front-end equipment. Step S32 includes steps S321-S324:
S321, a combat unit submits a stream computation query request.
In this embodiment, referring to fig. 3, which is a schematic diagram of the workflow-based unknown vulnerability discovery model provided in an embodiment of the present invention, the intelligent decision center needs to perform unknown vulnerability detection on the battlefield state information stream collected in real time by the distributed front-end equipment. The volume of battlefield information is large and the real-time requirement is strict; the strong computing power of the brain-like safety control parallel processing system, which fuses the highly parallel computing characteristics of brain-like supercomputing and quantum computing, ensures that the acquired battlefield information stream is processed in time. Taking a query by a combat unit for a certain item of information as an example, the combat unit first submits a stream computation query request.
S322, the intelligent decision center judges whether the workflow of the stream computation query request is normal; step S322 includes steps S3221-S3222:
S3221, if the intelligent decision center finds, through comparison and permission lookup, that the stream computation query request has an abnormal jump, the behavior of the combat unit is judged to be abnormal.
In this embodiment, when the intelligent decision center finds through comparison and permission lookup that the query request has an abnormal jump (for example, a request calling resources or computing power beyond the unit's authority, or a request whose address, event or data structure is confused for an unknown reason), it judges the behavior of the combat unit to be abnormal (for example, an adversary has used an unknown vulnerability to forge a query request from one of our units, or the query request of one of our units has become abnormal because its communication was altered by an unknown vulnerability or by interference).
S3222, if the behavior of the combat unit is judged to be abnormal, the intelligent decision center terminates execution of the stream computation query request and records the abnormal behavior of the combat unit, which may have been caused by an unknown vulnerability.
In this embodiment, the intelligent decision center terminates execution of the query request and records the abnormal behavior of the combat unit (time, request type, rejection cause, and so on) that may have been caused by an unknown vulnerability. The intelligent decision center may then analyze the recorded data according to a data self-association rule (two sets of monitoring data from different, mutually associated units, for example two cameras observing the same target from different positions and angles) to infer the causes of unknown vulnerabilities that may exist in the various distributed front-end devices, and the corresponding remedies.
S323, if the workflow is judged to be normal, the stream computation operation is performed.
In this embodiment, the intelligent decision center judges whether the workflow of the query request is normal; if so, the stream computation operation is performed and the intelligent decision center finally outputs the query result to the combat unit.
S324, outputting the query result to the combat unit through the intelligent decision center.
In summary, for unknown vulnerabilities, or new vulnerabilities yet to be discovered, a workflow-based model is used for detection: an abnormal jump in the workflow reveals a security vulnerability in the program.
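The following is an added example, not code from the patent: the comparison-and-permission-lookup step of S322 applied to stream computation query requests, with the terminate-and-record behaviour of S3222. The authority table, the request schema, the assumed `stream://` address form, the constructed battlefield stream and the recorded fields (the text names time, request type and rejection cause) are all assumptions.

```python
"""Added example for S32: abnormal-jump detection on stream query requests.
Not code from the patent; authority table, request schema, address format
and the sample stream are constructed."""
from __future__ import annotations
from dataclasses import dataclass
import re

# Assumed authority table: resources each combat unit may query and its compute quota.
AUTHORITY = {
    "U005": {"resources": {"radar.track", "uav.video"}, "compute_quota": 8},
    "U006": {"resources": {"radar.track"}, "compute_quota": 4},
}
KNOWN_EVENTS = {"target_detected", "target_lost", "position_update"}
ADDRESS_RE = re.compile(r"^stream://[a-z0-9.]+$")   # assumed well-formed address

# Constructed battlefield information stream: (resource, event, count)
STREAM = [
    ("radar.track", "position_update", 1), ("radar.track", "target_detected", 1),
    ("uav.video", "target_detected", 1), ("radar.track", "target_lost", 1),
    ("radar.track", "target_detected", 1),
]


@dataclass
class AnomalyRecord:
    t: float
    unit: str
    request_type: str
    cause: str


@dataclass
class Decision:
    ok: bool
    result: int | None = None
    record: AnomalyRecord | None = None


class IntelligentDecisionCenter:
    def __init__(self) -> None:
        self.records: list[AnomalyRecord] = []

    def _check(self, req: dict) -> str | None:
        """Comparison and permission lookup; returns the rejection cause or None."""
        # structural check first: a confused data structure is itself an abnormal jump
        for key, typ in (("unit", str), ("type", str), ("address", str),
                         ("event", str), ("compute", int)):
            if not isinstance(req.get(key), typ):
                return f"malformed field {key!r}"
        if req["type"] != "stream_query":
            return f"unknown request type {req['type']!r}"
        auth = AUTHORITY.get(req["unit"])
        if auth is None:
            return "unknown unit"
        if not ADDRESS_RE.match(req["address"]):
            return "confused address"
        if req["event"] not in KNOWN_EVENTS:
            return "unknown event"
        resource = req["address"][len("stream://"):]
        if resource not in auth["resources"]:
            return f"resource {resource!r} beyond unit authority"
        if req["compute"] > auth["compute_quota"]:
            return "compute beyond unit quota"
        return None

    def handle(self, req: dict, now: float) -> Decision:
        cause = self._check(req)
        if cause is not None:
            # S3222: terminate and record time, request type and rejection cause
            rec = AnomalyRecord(now, str(req.get("unit")), str(req.get("type")), cause)
            self.records.append(rec)
            return Decision(False, record=rec)
        # S323: the stream computation itself, here a count of matching events
        resource = req["address"][len("stream://"):]
        count = sum(n for r, e, n in STREAM if r == resource and e == req["event"])
        return Decision(True, result=count)


def run_demo() -> tuple[list[Decision], list[AnomalyRecord]]:
    idc = IntelligentDecisionCenter()
    base = {"type": "stream_query", "address": "stream://radar.track",
            "event": "target_detected", "compute": 2}
    requests = [
        {**base, "unit": "U005"},                                        # normal
        {**base, "unit": "U006", "address": "stream://uav.video"},       # beyond authority
        {**base, "unit": "U006", "compute": 16},                         # beyond quota
        {**base, "unit": "U005", "address": "stream://radar.track;drop"},  # confused address
        {**base, "unit": "U005", "event": ["target_detected"]},          # confused structure
    ]
    decisions = [idc.handle(r, now=100.0 + i) for i, r in enumerate(requests)]
    return decisions, idc.records


if __name__ == "__main__":
    decisions, records = run_demo()
    print("results:", [d.result for d in decisions])
    for rec in records:
        print(f"t={rec.t} unit={rec.unit} type={rec.request_type} rejected: {rec.cause}")
```

The structural check runs before the permission lookup so that a request whose fields cannot even be typed is rejected without ever reaching the authority table; the record keeps the unit identifier as reported, since a forged request is exactly the case the later self-association analysis is meant to expose.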
Preferably, the state machine-based C4ISR situational awareness analysis method further includes step S4:
S4, using the state machine-based C4ISR situational awareness analysis system for behavior trace detection. Step S4 includes steps S41-S43:
S41, performing logical-relationship and/or ordering detection on the workflow of a role; the business system comprises a plurality of roles with preset authority.
In this embodiment, the business system has roles with given authority, and a number of operation behaviors either have an inherent logical relationship or order, or are defined to have one.
S42, forming an operation tree and a service chain.
In this embodiment, referring to fig. 4, which is a schematic diagram of an operation tree provided in an embodiment of the present invention: based on the service flow of the system, the operation requests of the different roles and the corresponding server responses are detected to form an operation tree and a service chain, and abnormal operation requests and responses are warned about and prevented.
S43, if the logical-relationship and/or ordering detection finds an anomaly, raising an early warning and stopping the abnormal operation request and response. As shown in fig. 4, when an intermediate behavior causes the workflow to jump, the anomaly is detected.
In this embodiment, according to the preset operation rules, a certain subsystem must, during detection, complete the following operations in order:
(1) Updating the feature library;
(2) Self-checking;
(3) Detecting;
(4) Reporting the detection data.
These four steps are ordered: if the subsystem proceeds directly to step 3 (detection) without passing through step 1 (updating the feature library) and step 2 (self-checking), its behavior is judged abnormal and an alarm must be raised.
In addition, bidirectional detection and the like can be performed. Bidirectional detection inspects content in both directions, on the request sent to the server and on the server's reply packet, so that sensitive data is not sent out; it thus provides prevention before an attack event occurs and detection and remediation after it occurs.
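The following is an added example, not code from the patent: an operation tree built from each role's permitted service chains, walked request by request to detect the workflow jump of S43. The detector chain is the four-step order given in the text; the operator role, its two chains and the request log are constructed.

```python
"""Added example for S41-S43: operation tree per role and workflow-jump
detection. Not code from the patent; roles other than the detector chain
and the request log are constructed."""
from __future__ import annotations

END = "<end>"   # leaf marker closing a complete chain

# Permitted service chains per role. The detector chain is the order given in
# the text; the operator role is constructed to show branching in the tree.
SERVICE_CHAINS: dict[str, list[list[str]]] = {
    "detector": [["update_feature_library", "self_check", "detect", "report"]],
    "operator": [["login", "query", "logout"],
                 ["login", "configure", "apply", "logout"]],
}


def build_operation_tree(chains: list[list[str]]) -> dict:
    """Trie whose root-to-leaf paths are exactly the permitted chains."""
    root: dict = {}
    for chain in chains:
        node = root
        for op in chain:
            node = node.setdefault(op, {})
        node[END] = {}
    return root


class BehaviorTraceDetector:
    def __init__(self, service_chains: dict[str, list[list[str]]]) -> None:
        self.trees = {role: build_operation_tree(c) for role, c in service_chains.items()}
        self.cursor: dict[str, dict] = {}                 # role -> current node
        self.alerts: list[tuple[int, str, str, str]] = []  # (seq, role, op, reason)

    def check(self, seq: int, role: str, op: str) -> bool:
        """True if the request continues a permitted chain; otherwise an early
        warning is recorded and the request is blocked (the cursor stays put)."""
        tree = self.trees.get(role)
        if tree is None:
            self.alerts.append((seq, role, op, "unknown role"))
            return False
        node = self.cursor.get(role, tree)
        if op not in node:
            expected = sorted(k for k in node if k != END)
            self.alerts.append((seq, role, op, f"workflow jump, expected one of {expected}"))
            return False
        nxt = node[op]
        # a completed chain returns the role to the root; otherwise descend
        self.cursor[role] = tree if set(nxt) == {END} else nxt
        return True


# Constructed request log: (sequence number, role, operation).
REQUEST_LOG = [
    (1, "detector", "update_feature_library"), (2, "detector", "self_check"),
    (3, "detector", "detect"), (4, "detector", "report"),
    (5, "detector", "detect"),                            # skips steps 1 and 2
    (6, "operator", "login"), (7, "operator", "apply"),   # apply before configure
    (8, "operator", "query"), (9, "operator", "logout"),
]


def run_demo() -> tuple[list[bool], list[tuple[int, str, str, str]]]:
    det = BehaviorTraceDetector(SERVICE_CHAINS)
    allowed = [det.check(seq, role, op) for seq, role, op in REQUEST_LOG]
    return allowed, det.alerts


if __name__ == "__main__":
    allowed, alerts = run_demo()
    print("allowed:", allowed)
    for seq, role, op, reason in alerts:
        print(f"#{seq} {role}:{op} blocked: {reason}")
```

Because a blocked request leaves the cursor where it was, the detector reports the jump and still lets the role resume from its last legitimate position, which is the "early warning and stop" behaviour of S43 rather than a session reset.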
From the perspective of the relationship between information security attributes and operational attributes: confidentiality relates to the surprise of the combat action, in that if the intrusion information is intercepted before the intrusion action, the action can hardly achieve surprise; information integrity relates to the correctness of the security action, in that if the intrusion information is modified or damaged, the correctness of security command decisions, and hence of the security action, is inevitably affected; availability relates to the timeliness of security defense actions, in that if the intrusion information cannot be used in time, an action plan cannot be made in time and the choice of timing for combat actions is affected; and authenticity relates to the consistency of combat actions, in that only by ensuring that the combat information of every level is neither disguised nor spoofed can the coordination and consistency of combat actions among the levels and among friendly groups be guaranteed.
Based on the existing network architecture, security probes can be deployed to every device and every process; at the same time, a security process is indispensable to the existing architecture.
For the existing network structure, the network security management and control system uses a matrix-type full-traffic detection engine. A protection system aimed at eliminating intrusion events can prevent most of them from occurring but cannot prevent every intrusion; therefore the intelligent fire-prevention cloud based on the brain-like platform performs comprehensive detection over both the host assets and the network traffic, including multiple detections of attack features, request/response, behaviors, behavior chains and the like.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions, or by associated hardware controlled by instructions, which may be stored in a computer-readable storage medium and loaded and executed by a processor. To this end, embodiments of the present invention provide a storage medium storing a plurality of instructions which can be loaded by a processor to perform the steps of any of the state machine-based C4ISR situational awareness analysis methods provided by the embodiments of the present invention.
The storage medium may include: read-only memory (ROM), random access memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium can execute the steps of any of the state machine-based C4ISR situational awareness analysis methods provided in the embodiments of the present invention, they can achieve the beneficial effects achievable by any of those methods; for details, see the foregoing embodiments, which are not repeated here.
The above description is intended to be illustrative of the preferred embodiment of the present invention and should not be taken as limiting the invention, but rather, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.
Claims (2)
1. A state machine-based C4ISR situational awareness analysis method, implemented by a state machine-based C4ISR situational awareness analysis system, wherein the state machine-based C4ISR situational awareness analysis system comprises an intelligent decision center, a controlled layer, and a communication network layer connecting the intelligent decision center and the controlled layer;
the intelligent decision center is used for realizing multi-task integration, induction and decision-making through the data of a brain-like safety control parallel processing system;
the controlled layer is used for identifying and configuring virtual assets, and classifying the virtual assets to form asset protection objects;
the intelligent decision center is further used for analyzing the data gathered by the neuron computing nodes and carrying out protection deployment according to existing knowledge;
the communication network layer establishes a private network on a public network in the manner of a virtual private network and carries out encrypted communication; a fully switched network is constructed through the neuron computing nodes and is responsible for information exchange and conduction among the neuron computing nodes;
the state machine-based C4ISR situational awareness analysis method is characterized by comprising the following steps:
using the state machine-based C4ISR situational awareness analysis system for label detection;
using the state machine-based C4ISR situational awareness analysis system for state machine detection;
using the state machine-based C4ISR situational awareness analysis system for vulnerability detection;
wherein using the state machine-based C4ISR situational awareness analysis system for label detection comprises:
obtaining the format features of the information transmitted and received by a subject and an object;
concealing a security label within the format features;
when information is transmitted and received, requiring the subject and the object to check the security label in the received information, so as to ensure the credibility of the other party's identity;
wherein concealing the security label within the format features comprises:
if the object is text information, the format features are character or word shift codes, line shift codes of the text line spacing, and character features; the character features include font, color, height, width, stroke width, underline, italics and character topology; the security label consists of a sender identification code, a sending time, a sending destination and a check code;
using the state machine-based C4ISR situational awareness analysis system for state machine detection comprises:
setting the range of the received instruction, the time limit requirement and the sequence authority requirement;
after receiving the instruction, executing actions according to the sequence authority requirement and the time limit requirement;
feeding back the execution result after the action is executed;
using the state machine-based C4ISR situational awareness analysis system for vulnerability detection comprises:
determining whether a known vulnerability exists by comparing the detected information with the common vulnerability feature information in the vulnerability feature library of a brain-like computing system;
performing unknown vulnerability detection, through an intelligent decision center, on the battlefield state information flow collected in real time by the distributed front-end equipment;
wherein performing unknown vulnerability detection, through the intelligent decision center, on the battlefield state information flow collected in real time by the distributed front-end equipment comprises:
a combat unit submitting a stream computation query request;
the intelligent decision center judging whether the workflow of the stream computation query request is normal;
if the workflow is judged to be normal, performing the stream computation operation;
outputting the query result to the combat unit through the intelligent decision center;
wherein the intelligent decision center judging whether the workflow of the stream computation query request is normal comprises:
if the intelligent decision center finds, through comparison and permission lookup, that the stream computation query request has an abnormal jump, judging the behavior of the combat unit to be abnormal;
if the behavior of the combat unit is judged to be abnormal, the intelligent decision center terminating execution of the stream computation query request and recording the abnormal behavior of the combat unit possibly caused by an unknown vulnerability;
establishing a storage table space in advance, corresponding directly to brute-force search during computation, and decoupling complex computation into matching computation; adopting a two-level search, wherein the first-level search is by type and the second-level search is by content within the type found; dividing a computing task into different subtasks by type through mapping nodes, and splitting subtasks of the same type into different next-level subtasks; stacking the computation results of the next-level subtasks through stacking nodes to form the stacked computation of the subtasks of the same type; and summarizing the stacked computation results of the different types through reduction nodes to obtain the final computation result.
2. A computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the state machine-based C4ISR situational awareness analysis method of claim 1.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210596397.XA CN114697141B (en) | 2022-05-30 | 2022-05-30 | C4ISR situation awareness analysis system and method based on state machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114697141A CN114697141A (en) | 2022-07-01 |
CN114697141B true CN114697141B (en) | 2022-12-27 |
Family
ID=82144432
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115086075B (en) * | 2022-07-21 | 2022-12-27 | 深圳市永达电子信息股份有限公司 | Mandatory access control method and device with credible behaviors |
CN116205301A (en) * | 2023-01-31 | 2023-06-02 | 苏州浪潮智能科技有限公司 | Training frame construction method, device and system based on quantum machine learning |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109871461A (en) * | 2019-02-13 | 2019-06-11 | 华南理工大学 | The large-scale image sub-block search method to be reordered based on depth Hash network and sub-block |
WO2021213293A1 (en) * | 2020-04-24 | 2021-10-28 | 西北工业大学 | Ubiquitous operating system oriented toward group intelligence perception |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10609079B2 (en) * | 2015-10-28 | 2020-03-31 | Qomplx, Inc. | Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management |
US20170214701A1 (en) * | 2016-01-24 | 2017-07-27 | Syed Kamran Hasan | Computer security based on artificial intelligence |
CN109447048B (en) * | 2018-12-25 | 2020-12-25 | 苏州闪驰数控系统集成有限公司 | Artificial intelligence early warning system |
CN113240116B (en) * | 2021-07-12 | 2021-11-19 | 深圳市永达电子信息股份有限公司 | Wisdom fire prevention cloud system based on class brain platform |
CN113254946A (en) * | 2021-07-12 | 2021-08-13 | 深圳市永达电子信息股份有限公司 | Brain-like computing platform and manageable control vulnerability scanning system |
2022-05-30: CN application CN202210596397.XA, patent CN114697141B, status Active
Non-Patent Citations (1)
Title |
---|
Security management measures for the life cycle of virtualized network functions in NFV; Su Jian et al.; Telecommunications Science (电信科学); 2016-11-20 (No. 11); full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||