CN106446720B - The optimization system and optimization method of IDS rule - Google Patents


Info

Publication number
CN106446720B
Authority
CN
China
Prior art keywords
ids
rule
alarm
history
unique identifier
Prior art date
Legal status
Active
Application number
CN201610815708.1A
Other languages
Chinese (zh)
Other versions
CN106446720A (en
Inventor
朱志博
张昊峥
吴善鹏
张晓强
雷兵
Current Assignee
Shanghai Ctrip Business Co Ltd
Original Assignee
Shanghai Ctrip Business Co Ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Ctrip Business Co Ltd
Priority to CN201610815708.1A
Publication of CN106446720A
Application granted
Publication of CN106446720B
Legal status: Active
Anticipated expiration

Links

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an optimization system and an optimization method for IDS rules. The optimization system includes: an alarm log processing module, which collects IDS alarm logs, generates a unique identifier for each and records the current date; a history alarm database, which stores historical IDS alarm logs; a query module, which checks whether a collected IDS alarm log is already stored in the history alarm database and stores it if not; a rule statistics module, which processes the history alarm database over the past M days and generates M history alarm lists; a scanning module, which scans each history alarm list and performs lookups; an extraction module, which extracts the historical alarm logs whose count exceeds a first threshold and obtains their IDS rule names; an address statistics module, which counts addresses according to traffic direction; a false-positive rule identification module, which regards IDS rules whose address count exceeds a second threshold as false-positive rules; and a processing module, which deletes the false-positive rules. The invention reduces the number of alarms and improves alarm accuracy.

Description

Optimization system and optimization method for IDS rules
Technical field
The present invention relates to the technical field of network security, and in particular to an optimization system and optimization method for IDS rules.
Background art
With the development of the Internet, network security has received increasing attention. An IDS (Intrusion Detection System) is widely deployed by enterprises to monitor network activity and detect as many attack attempts and attack behaviors as possible, thereby protecting the network. However, an IDS itself produces a large number of false positives, which in turn generate a large volume of alarms. Security engineers cannot pick out real threats from this mass of alarm messages, which greatly reduces the usability of the IDS.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the defect in the prior art that an IDS itself produces a large number of false positives, and therefore a large number of alarms, by providing an optimization system and an optimization method for IDS rules.
The present invention solves the above technical problem by the following technical solution:
The present invention provides an optimization system for IDS rules, characterized in that it comprises:
an alarm log processing module, for collecting IDS alarm logs, each IDS alarm log containing an IDS rule name, a source IP (Internet Protocol) address and a destination IP address, generating a unique identifier for the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtaining the current date of the IDS alarm log;
a history alarm database, for storing the unique identifier and date corresponding to each historical IDS alarm log;
a query module, for checking whether the unique identifier and date corresponding to an IDS alarm log collected by the alarm log processing module are already stored in the history alarm database and, if not, storing the unique identifier and date corresponding to that alarm log in the history alarm database;
a rule statistics module, for processing the history alarm database over the past M days and generating one history alarm list per day from the history alarm database, each history alarm list recording the unique identifiers and dates of all historical alarm logs in the history alarm database that share the same date, where M is a positive integer;
a scanning module, for scanning each history alarm list in turn and looking up entries by unique identifier: if a target unique identifier is not yet present, the target unique identifier together with its IDS rule name, source IP address, destination IP address and date is saved into a statistics list and the count of the target unique identifier is set to 1; if the target unique identifier is already present, the count of the target unique identifier in the statistics list is incremented by 1;
an extraction module, for extracting, after the scanning module has finished scanning, the historical alarm logs whose count exceeds a first threshold and obtaining the corresponding IDS rule names;
an address statistics module, for counting the number of addresses according to the traffic direction of the IDS rule name;
a false-positive rule identification module, for regarding IDS rules whose counted number of addresses exceeds a second threshold as false-positive rules;
a processing module, for deleting the false-positive rules.
Preferably, the processing module is also used to delete all historical alarm data corresponding to a false-positive rule.
Preferably, the unique identifier is an MD5 (Message Digest Algorithm 5) value.
Preferably, the address statistics module counts the number of source IP addresses when the traffic direction is forward, and counts the number of destination IP addresses when the traffic direction is reverse.
A further object of the present invention is to provide an optimization method for IDS rules, characterized in that it is implemented using the above optimization system for IDS rules and comprises the following steps:
S1: the alarm log processing module collects IDS alarm logs, each IDS alarm log containing an IDS rule name, a source IP address and a destination IP address, generates a unique identifier for the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtains the current date of the IDS alarm log;
S2: the history alarm database stores the unique identifier and date corresponding to each historical IDS alarm log;
S3: the query module checks whether the unique identifier and date corresponding to an IDS alarm log collected by the alarm log processing module are already stored in the history alarm database and, if not, stores the unique identifier and date corresponding to that alarm log in the history alarm database;
S4: the rule statistics module processes the history alarm database over the past M days and generates one history alarm list per day from the history alarm database, each history alarm list recording the unique identifiers and dates of all historical alarm logs in the history alarm database that share the same date, where M is a positive integer;
S5: the scanning module scans each history alarm list in turn and looks up entries by unique identifier: if a target unique identifier is not yet present, the target unique identifier together with its IDS rule name, source IP address, destination IP address and date is saved into a statistics list and the count of the target unique identifier is set to 1; if the target unique identifier is already present, the count of the target unique identifier in the statistics list is incremented by 1;
S6: after the scanning module has finished scanning, the extraction module extracts the historical alarm logs whose count exceeds a first threshold and obtains the corresponding IDS rule names;
S7: the address statistics module counts the number of addresses according to the traffic direction of the IDS rule name;
S8: the false-positive rule identification module regards IDS rules whose counted number of addresses exceeds a second threshold as false-positive rules;
S9: the processing module deletes the false-positive rules.
Preferably, step S9 further comprises: the processing module also deletes all historical alarm data corresponding to the false-positive rules.
Preferably, the unique identifier is an MD5 value.
Preferably, in step S7 the address statistics module counts the number of source IP addresses when the traffic direction is forward, and counts the number of destination IP addresses when the traffic direction is reverse.
The positive effect of the present invention is that, by computing and counting over all IDS alarms, the invention analyzes the IDS rules, identifies false-positive IDS rules from the results of the analysis and, once a rule is confirmed as a false-positive rule, automatically performs operations such as rule updates to eliminate the false-positive rule directly. This fundamentally reduces the number of alarms, improves alarm accuracy, optimizes the IDS rules, reduces the false-positive rate of the IDS and improves the usability of the IDS.
Brief description of the drawings
Fig. 1 is a block diagram of the optimization system for IDS rules according to a preferred embodiment of the present invention.
Fig. 2 is a flow chart of the optimization method for IDS rules according to a preferred embodiment of the present invention.
Detailed description of embodiments
The present invention is further illustrated below by way of embodiments, but is not thereby limited to the scope of these embodiments.
As shown in Fig. 1, the optimization system for IDS rules of the present invention includes an alarm log processing module 1, a history alarm database 2, a query module 3, a rule statistics module 4, a scanning module 5, an extraction module 6, an address statistics module 7, a false-positive rule identification module 8 and a processing module 9.
The alarm log processing module 1 first collects IDS alarm logs; each IDS alarm log contains an IDS rule name, a source IP address and a destination IP address. The module generates a unique identifier for the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtains the current date of the IDS alarm log.
The unique identifier may specifically be an MD5 value.
The history alarm database 2 stores the unique identifier and date corresponding to each historical IDS alarm log.
The query module 3 checks whether the unique identifier and date corresponding to an IDS alarm log collected by the alarm log processing module 1 are already stored in the history alarm database 2. If not, it stores the unique identifier and date corresponding to that alarm log in the history alarm database 2 (the IDS rule, source IP address and destination IP address of the alarm log may, of course, also be stored); if they are already present, no action is taken.
The rule statistics module 4 processes the history alarm database over the past M days and generates one history alarm list per day from the history alarm database (M history alarm lists in total). Each history alarm list records the unique identifiers and dates of all historical alarm logs in the history alarm database that share the same date, where M is a positive integer.
The rule statistics module 4 preferably runs once per day.
The scanning module 5 scans each history alarm list in turn and looks up entries by unique identifier. If a target unique identifier is not yet present, the target unique identifier together with its IDS rule name, source IP address, destination IP address and date is saved into a statistics list and the count of the target unique identifier is set to 1; if the target unique identifier is already present, the count of the target unique identifier in the statistics list is incremented by 1.
Preferably, after scanning is complete, the scanning module 5 produces a final statistics list and may convert the count into a frequency: frequency = count × 100 / M.
After the scanning module 5 has finished scanning, the extraction module 6 extracts the historical alarm logs whose count (or frequency) exceeds the first threshold and obtains the corresponding IDS rule names.
The address statistics module 7 counts the number of addresses according to the traffic direction of the IDS rule name. Specifically, the address statistics module 7 counts the number of source IP addresses when the traffic direction is forward, and counts the number of destination IP addresses when the traffic direction is reverse.
The false-positive rule identification module 8 regards IDS rules whose counted number of addresses exceeds the second threshold as false-positive rules; the second threshold may be set according to the number of intranet host IPs.
The processing module 9 deletes the false-positive rules and deletes all historical alarm data corresponding to the false-positive rules.
As shown in Fig. 2, the present invention also provides an optimization method for IDS rules, implemented using the above optimization system for IDS rules and comprising the following steps:
Step 101: the alarm log processing module collects IDS alarm logs, each IDS alarm log containing an IDS rule name, a source IP address and a destination IP address, generates a unique identifier for the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtains the current date of the IDS alarm log.
Step 102: the history alarm database stores the unique identifier and date corresponding to each historical IDS alarm log.
Step 103: the query module checks whether the unique identifier and date corresponding to an IDS alarm log collected by the alarm log processing module are already stored in the history alarm database and, if not, stores the unique identifier and date corresponding to that alarm log in the history alarm database.
Step 104: the rule statistics module processes the history alarm database over the past M days and generates one history alarm list per day from the history alarm database, each history alarm list recording the unique identifiers and dates of all historical alarm logs in the history alarm database that share the same date, where M is a positive integer.
Step 105: the scanning module scans each history alarm list in turn and looks up entries by unique identifier. If a target unique identifier is not yet present, the target unique identifier together with its IDS rule name, source IP address, destination IP address and date is saved into a statistics list and the count of the target unique identifier is set to 1; if the target unique identifier is already present, the count of the target unique identifier in the statistics list is incremented by 1.
Step 106: after the scanning module has finished scanning, the extraction module extracts the historical alarm logs whose count exceeds the first threshold and obtains the corresponding IDS rule names.
Step 107: the address statistics module counts the number of addresses according to the traffic direction of the IDS rule name.
Step 108: the false-positive rule identification module regards IDS rules whose counted number of addresses exceeds the second threshold as false-positive rules.
Step 109: the processing module deletes the false-positive rules and deletes all historical alarm data corresponding to the false-positive rules.
The unique identifier is preferably an MD5 value, and in step 107 the address statistics module specifically counts the number of source IP addresses when the traffic direction is forward and the number of destination IP addresses when the traffic direction is reverse.
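The pipeline of steps 101 to 109 (which the summary and claims 1 to 8 restate), as an added end-to-end example in Python. It is not part of the patent and is not the patentee's code. It assumes that each alarm record carries a date, rule name, source IP and destination IP; that each rule name is tagged with a traffic direction, read here as "forward" = intranet to external and "reverse" = external to intranet, so that the addresses counted in step 107 are intranet hosts in both cases (the patent ties the second threshold to the number of intranet hosts but does not define the two directions); and that the "past M days" are the M calendar days ending on the day the statistics job runs. The alarm records and rule names are constructed. MD5 is used only as a deduplication key, so its collision weaknesses do not matter here. A practitioner would normally review rules the pipeline flags rather than delete them automatically, because a rule firing from most intranet hosts at once can also be a worm or a coordinated scan, and the example therefore returns the flagged rules instead of touching the IDS configuration.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta

# Assumption (not in the patent): each rule name carries a traffic direction.
# "forward" = intranet -> external, "reverse" = external -> intranet.
RULE_DIRECTION = {
    "POLICY_SUSPICIOUS_UA": "forward",
    "EXPLOIT_ATTEMPT_X": "reverse",
    "SCAN_NOISE": "forward",
}
TODAY = date(2016, 9, 8)  # constructed run date; the statistics job runs once a day


def build_sample_alarms():
    """Constructed alarm logs as (day, rule, src, dst) tuples; not real IDS output."""
    alarms = []
    # Ten intranet hosts trip a policy rule twice a day on six of the last seven
    # days against one external host: broad, repeated and almost certainly benign.
    for offset in range(1, 7):
        day = TODAY - timedelta(days=offset)
        for host in range(1, 11):
            alarms += [(day, "POLICY_SUSPICIOUS_UA", f"10.0.0.{host}", "203.0.113.5")] * 2
    # One external source hits one intranet host every day: persistent but narrow.
    for offset in range(7):
        alarms.append((TODAY - timedelta(days=offset), "EXPLOIT_ATTEMPT_X", "198.51.100.7", "10.0.0.3"))
    # A one-day burst from many hosts: never reaches the first threshold.
    for host in range(1, 11):
        alarms.append((TODAY - timedelta(days=2), "SCAN_NOISE", f"10.0.0.{host}", "192.0.2.9"))
    return alarms


def fingerprint(rule, src, dst):
    """Unique identifier: MD5 over rule name, source IP and destination IP (step 101).
    It is only a dedup key, so MD5's collision weakness does not matter here."""
    return hashlib.md5(f"{rule}|{src}|{dst}".encode()).hexdigest()


def ingest(alarms, history=None):
    """Steps 101-103: store each (fingerprint, day) pair once in the history database."""
    history = {} if history is None else history  # (fp, day) -> rule/src/dst
    for day, rule, src, dst in alarms:
        key = (fingerprint(rule, src, dst), day)
        if key not in history:
            history[key] = {"rule": rule, "src": src, "dst": dst}
    return history


def daily_lists(history, today, m):
    """Step 104: one history alarm list per day for the past M days."""
    window = {today - timedelta(days=i) for i in range(m)}
    lists = defaultdict(list)
    for (fp, day), meta in history.items():
        if day in window:
            lists[day].append((fp, meta))
    return list(lists.values())


def scan(lists, m):
    """Step 105: count on how many daily lists each fingerprint appears,
    plus the patent's optional conversion to a frequency of count * 100 / M."""
    stats = {}
    for daily in lists:
        for fp, meta in daily:
            if fp in stats:
                stats[fp]["count"] += 1
            else:
                stats[fp] = dict(meta, count=1)
    for entry in stats.values():
        entry["percent"] = entry["count"] * 100 / m
    return stats


def extract_rules(stats, first_threshold):
    """Step 106: group by rule name the fingerprints seen on more than first_threshold days."""
    by_rule = defaultdict(list)
    for entry in stats.values():
        if entry["count"] > first_threshold:
            by_rule[entry["rule"]].append(entry)
    return by_rule


def count_addresses(by_rule):
    """Step 107: distinct source IPs for forward rules, distinct destination IPs
    for reverse rules (the intranet side either way, under our direction assumption)."""
    return {
        rule: len({e["src" if RULE_DIRECTION[rule] == "forward" else "dst"] for e in entries})
        for rule, entries in by_rule.items()
    }


def identify_false_positives(addr_counts, second_threshold):
    """Step 108: a rule seen from more intranet addresses than the threshold is a false positive."""
    return {rule for rule, n in addr_counts.items() if n > second_threshold}


def purge(history, rules):
    """Step 109 (history part): drop all stored alarms of the flagged rules.
    Disabling the rule in the IDS itself is product-specific and left to the operator."""
    for key in [k for k, meta in history.items() if meta["rule"] in rules]:
        del history[key]
    return history


def optimize(alarms, today, m, first_threshold, second_threshold):
    """Steps 101-109 end to end; returns (flagged rules, address counts, remaining history)."""
    history = ingest(alarms)
    stats = scan(daily_lists(history, today, m), m)
    addr_counts = count_addresses(extract_rules(stats, first_threshold))
    flagged = identify_false_positives(addr_counts, second_threshold)
    return flagged, addr_counts, purge(history, flagged)


if __name__ == "__main__":
    # M = 7 days, first threshold = 4 days, second threshold = 5 of the 10 intranet hosts.
    flagged, counts, remaining = optimize(build_sample_alarms(), TODAY, 7, 4, 5)
    print("address counts per extracted rule:", counts)
    print("false-positive rules:", flagged, "| history rows kept:", len(remaining))
```

With these constructed inputs the policy rule is seen from all ten intranet hosts on six of seven days and is flagged, the exploit rule is persistent but hits a single intranet host and survives, and the one-day burst never passes the first threshold. The second threshold is the knob the patent ties to intranet size: set it to a sizeable fraction of your host count, or a rule that legitimately fires on a handful of servers every day will be discarded.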
Although specific embodiments of the present invention have been described above, those skilled in the art will appreciate that these are merely illustrative and that the scope of protection of the present invention is defined by the appended claims. Those skilled in the art may make many changes and modifications without departing from the principle and substance of the present invention, and all such changes and modifications fall within the scope of protection of the present invention.

Claims (8)

1. An optimization system for IDS rules, characterized in that it comprises:
an alarm log processing module, for collecting IDS alarm logs, each IDS alarm log containing an IDS rule name, a source IP address and a destination IP address, generating a unique identifier for the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtaining the current date of the IDS alarm log;
a history alarm database, for storing the unique identifier and date corresponding to each historical IDS alarm log;
a query module, for checking whether the unique identifier and date corresponding to an IDS alarm log collected by the alarm log processing module are already stored in the history alarm database and, if not, storing the unique identifier and date corresponding to that alarm log in the history alarm database;
a rule statistics module, for processing the history alarm database over the past M days and generating one history alarm list per day from the history alarm database, each history alarm list recording the unique identifiers and dates of all historical alarm logs in the history alarm database that share the same date, where M is a positive integer;
a scanning module, for scanning each history alarm list in turn and looking up entries by unique identifier: if a target unique identifier is not yet present, the target unique identifier together with its IDS rule name, source IP address, destination IP address and date is saved into a statistics list and the count of the target unique identifier is set to 1; if the target unique identifier is already present, the count of the target unique identifier in the statistics list is incremented by 1;
an extraction module, for extracting, after the scanning module has finished scanning, the historical alarm logs whose count exceeds a first threshold and obtaining the corresponding IDS rule names;
an address statistics module, for counting the number of addresses according to the traffic direction of the IDS rule names extracted by the extraction module;
a false-positive rule identification module, for regarding IDS rules whose counted number of addresses exceeds a second threshold as false-positive rules;
a processing module, for deleting the false-positive rules.
2. The optimization system for IDS rules according to claim 1, characterized in that the processing module is also used to delete all historical alarm data corresponding to the false-positive rules.
3. The optimization system for IDS rules according to claim 1, characterized in that the unique identifier is an MD5 value.
4. The optimization system for IDS rules according to claim 1, characterized in that the address statistics module counts the number of source IP addresses when the traffic direction is forward, and counts the number of destination IP addresses when the traffic direction is reverse.
5. An optimization method for IDS rules, characterized in that it is implemented using the optimization system for IDS rules according to claim 1 and comprises the following steps:
S1: the alarm log processing module collects IDS alarm logs, each IDS alarm log containing an IDS rule name, a source IP address and a destination IP address, generates a unique identifier for the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtains the current date of the IDS alarm log;
S2: the history alarm database stores the unique identifier and date corresponding to each historical IDS alarm log;
S3: the query module checks whether the unique identifier and date corresponding to an IDS alarm log collected by the alarm log processing module are already stored in the history alarm database and, if not, stores the unique identifier and date corresponding to that alarm log in the history alarm database;
S4: the rule statistics module processes the history alarm database over the past M days and generates one history alarm list per day from the history alarm database, each history alarm list recording the unique identifiers and dates of all historical alarm logs in the history alarm database that share the same date, where M is a positive integer;
S5: the scanning module scans each history alarm list in turn and looks up entries by unique identifier: if a target unique identifier is not yet present, the target unique identifier together with its IDS rule name, source IP address, destination IP address and date is saved into a statistics list and the count of the target unique identifier is set to 1; if the target unique identifier is already present, the count of the target unique identifier in the statistics list is incremented by 1;
S6: after the scanning module has finished scanning, the extraction module extracts the historical alarm logs whose count exceeds a first threshold and obtains the corresponding IDS rule names;
S7: the address statistics module counts the number of addresses according to the traffic direction of the IDS rule names extracted by the extraction module;
S8: the false-positive rule identification module regards IDS rules whose counted number of addresses exceeds a second threshold as false-positive rules;
S9: the processing module deletes the false-positive rules.
6. The optimization method for IDS rules according to claim 5, characterized in that step S9 further comprises: the processing module also deletes all historical alarm data corresponding to the false-positive rules.
7. The optimization method for IDS rules according to claim 5, characterized in that the unique identifier is an MD5 value.
8. The optimization method for IDS rules according to claim 5, characterized in that in step S7 the address statistics module counts the number of source IP addresses when the traffic direction is forward, and counts the number of destination IP addresses when the traffic direction is reverse.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610815708.1A CN106446720B (en) 2016-09-08 2016-09-08 The optimization system and optimization method of IDS rule

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610815708.1A CN106446720B (en) 2016-09-08 2016-09-08 The optimization system and optimization method of IDS rule

Publications (2)

Publication Number Publication Date
CN106446720A CN106446720A (en) 2017-02-22
CN106446720B true CN106446720B (en) 2019-02-01

Family

ID=58168582

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610815708.1A Active CN106446720B (en) 2016-09-08 2016-09-08 The optimization system and optimization method of IDS rule

Country Status (1)

Country Link
CN (1) CN106446720B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109815697B (en) * 2018-12-29 2021-04-27 360企业安全技术(珠海)有限公司 Method and device for processing false alarm behavior
CN112699169A (en) * 2020-12-30 2021-04-23 北京顺达同行科技有限公司 Slow log-based hidden danger mining method and device, computer equipment and medium
CN112527609B (en) * 2021-02-18 2021-05-28 成都新希望金融信息有限公司 Early warning information pushing method and device, electronic equipment and storage medium
CN112800356A (en) * 2021-03-22 2021-05-14 南京怡晟安全技术研究院有限公司 Identification method based on abnormal access behavior of polymorphic URL (Uniform resource locator)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6405318B1 (en) * 1999-03-12 2002-06-11 Psionic Software, Inc. Intrusion detection system
CN1450757A (en) * 2002-10-11 2003-10-22 北京启明星辰信息技术有限公司 Method and system for monitoring network intrusion
CN101060444A (en) * 2007-05-23 2007-10-24 西安交大捷普网络科技有限公司 Bayesian statistical model based network anomaly detection method
CN101902456A (en) * 2010-02-09 2010-12-01 北京启明星辰信息技术股份有限公司 Safety defense system of Website
CN104486141A (en) * 2014-11-26 2015-04-01 国家电网公司 Misdeclaration self-adapting network safety situation predication method


Also Published As

Publication number Publication date
CN106446720A (en) 2017-02-22


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant