CN113343228B - Event credibility analysis method and device, electronic equipment and readable storage medium - Google Patents
Event credibility analysis method and device, electronic equipment and readable storage medium Download PDFInfo
- Publication number
- CN113343228B CN113343228B CN202110737078.1A CN202110737078A CN113343228B CN 113343228 B CN113343228 B CN 113343228B CN 202110737078 A CN202110737078 A CN 202110737078A CN 113343228 B CN113343228 B CN 113343228B
- Authority
- CN
- China
- Prior art keywords
- event
- security
- target
- events
- historical
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 113
- 238000000034 method Methods 0.000 claims abstract description 48
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 30
- 238000010219 correlation analysis Methods 0.000 claims abstract description 17
- 238000001914 filtration Methods 0.000 claims description 16
- 238000001514 detection method Methods 0.000 claims description 15
- 238000004364 calculation method Methods 0.000 claims description 13
- 230000009471 action Effects 0.000 claims description 12
- 238000012545 processing Methods 0.000 claims description 12
- 230000015654 memory Effects 0.000 claims description 10
- 238000003062 neural network model Methods 0.000 claims description 9
- 230000006399 behavior Effects 0.000 claims description 6
- 238000004590 computer program Methods 0.000 claims description 6
- 238000012163 sequencing technique Methods 0.000 claims description 5
- 238000002372 labelling Methods 0.000 claims description 4
- 230000008569 process Effects 0.000 description 12
- 238000004891 communication Methods 0.000 description 9
- 238000012098 association analyses Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000002155 anti-virotic effect Effects 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000005259 measurement Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 238000007635 classification algorithm Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000003064 k means clustering Methods 0.000 description 1
- 230000007787 long-term memory Effects 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 230000006403 short-term memory Effects 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 238000011895 specific detection Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Abstract
The application provides an event credibility analysis method, an event credibility analysis device, electronic equipment and a readable storage medium, and relates to the technical field of network security. When the method analyzes the target security event, the target historical event similar to the target security event is searched from the historical event credibility analysis result, then the event combination similar to the target historical event is obtained, and the credibility between the target security event and the event set is obtained by calculating through a correlation analysis algorithm, so that the credibility of the target security event is obtained, manual identification is not needed, and the efficiency is higher. And by combining the reliability analysis result of the historical event, a certain degree of data support is provided for the reliability analysis of the security event, so that the analysis result is more accurate.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to an event reliability analysis method, an event reliability analysis device, an electronic device, and a readable storage medium.
Background
With the development of computer technology and network technology, network security issues are also becoming more and more important. In order to secure a network system, it is generally necessary to alarm any one of actions threatening the security of the network, i.e. to generate a security event. Security events are generated by security systems, such as firewalls, vulnerability scanning systems, anti-virus systems, etc., which all generate a large number of security events. The security system usually recognizes these attacks through simple rule matching, and then generates security events, so that security events generated by the security system may have some false positives, and the reliability is not high, while the security manager recognizes the reliability of these security events only through human experience, which is inefficient and has low accuracy, so that security management work becomes more and more difficult.
Disclosure of Invention
An embodiment of the application aims to provide an event credibility analysis method, an event credibility analysis device, electronic equipment and a readable storage medium, which are used for solving the problems of low efficiency and low accuracy caused by a mode of manually identifying credibility of a security event in the prior art.
In a first aspect, an embodiment of the present application provides a method for analyzing reliability, where the method includes: acquiring a plurality of security events; aiming at a target security event in the plurality of security events, searching a target historical event similar to the target security event in the obtained historical event reliability analysis result; obtaining an event set similar to the target historical event from the plurality of security events, wherein the event set comprises at least one security event; and calculating and obtaining the credibility between the target security event and the event set by adopting a correlation analysis algorithm.
In the implementation process, when the target security event is analyzed, the target historical event similar to the target security event can be searched from the historical event reliability analysis result, then the event combination similar to the target historical event is obtained, and the reliability between the target security event and the event set is obtained through calculation by using a correlation analysis algorithm, so that the reliability of the target security event is obtained, manual identification is not needed, and the efficiency is higher. And by combining the reliability analysis result of the historical event, a certain degree of data support is provided for the reliability analysis of the security event, so that the analysis result is more accurate.
Optionally, the acquiring the event set similar to the target historical event from the plurality of security events includes:
classifying the plurality of security events to obtain a category corresponding to each security event;
sequencing the plurality of security events according to a time sequence to obtain an event sequence;
and acquiring an event set similar to the target historical event according to the category corresponding to each security event and the event sequence, wherein the security event in the event set is the same as the category of the target historical event and/or similar to the occurrence time of the target historical event.
In the implementation process, the security events similar to the target historical event are obtained according to the category and the event sequence corresponding to the security events, so that some similar security events can be found to support the credibility of the target security event, and further more accurate credibility is obtained.
Optionally, the classifying the plurality of security events to obtain a category corresponding to each security event includes:
classifying the plurality of security events according to at least one classification dimension to obtain a class corresponding to each security event, wherein the at least one classification dimension comprises: source, destination, protocol type, port, event properties. Thus, similar security events can be effectively found according to the types of the security events.
Optionally, the calculating, by using a correlation analysis algorithm, the confidence between the target security event and the event set includes:
calculating and obtaining a first support degree of the target security event and a second support degree of the target security event and the event set by adopting an Apriori algorithm;
and calculating and obtaining the credibility between the target security event and the event set according to the first support degree and the second support degree.
In the implementation process, the reliability is calculated through the Apriori algorithm, so that more accurate reliability can be obtained by analyzing the relevance between the target security event and the event set.
Optionally, after the trust between the target security event and the event set is obtained through calculation by adopting a correlation analysis algorithm, the method further includes:
acquiring a credibility analysis result of the target security event according to the credibility;
and labeling the corresponding credibility analysis result of the target security event, and storing the credibility analysis result of the target security event into the credibility analysis result of the historical event. This may provide more data support for the trust analysis of subsequent security events.
Optionally, the acquiring a plurality of security events includes:
Acquiring an original event;
and carrying out anomaly detection on the original event by adopting a neural network model to obtain a plurality of security events. This allows for more accurate detection of security events that threaten network security.
Optionally, the acquiring a plurality of security events includes:
acquiring a plurality of initial security events;
carrying out standardized form processing on the plurality of initial security events to obtain a plurality of processed initial security events;
and filtering the processed multiple initial security events according to a preset filtering rule to obtain multiple security events.
In the implementation process, the initial security events are processed in a standardized form and filtered, so that some security events which do not meet the specifications and requirements can be screened out, and the efficiency of subsequent reliability analysis on the security events is improved.
In a second aspect, an embodiment of the present application provides an event reliability analysis apparatus, including:
the event acquisition module is used for acquiring a plurality of security events;
the historical event searching module is used for searching a target historical event similar to the target security event in the obtained historical event reliability analysis result aiming at the target security event in the plurality of security events;
An event set acquisition module, configured to acquire an event set similar to the target historical event from the plurality of security events, where the event set includes at least one security event;
and the credibility calculation module is used for calculating and obtaining the credibility between the target security event and the event set by adopting a correlation analysis algorithm.
Optionally, the event set obtaining module is configured to classify the plurality of security events to obtain a class corresponding to each security event; sequencing the plurality of security events according to a time sequence to obtain an event sequence; and acquiring an event set similar to the target historical event according to the category corresponding to each security event and the event sequence, wherein the security event in the event set is the same as the category of the target historical event and/or similar to the occurrence time of the target historical event.
Optionally, the event set obtaining module is configured to classify the plurality of security events according to at least one classification dimension, to obtain a class corresponding to each security event, where the at least one classification dimension includes: source, destination, protocol type, port, event properties.
Optionally, the credibility calculation module is configured to calculate and obtain a first support degree of the target security event and a second support degree of the target security event and the event set by adopting an Apriori algorithm; and calculating and obtaining the credibility between the target security event and the event set according to the first support degree and the second support degree.
Optionally, the apparatus further comprises:
the storage module is used for acquiring a credibility analysis result of the target security event according to the credibility; and labeling the corresponding credibility analysis result of the target security event, and storing the credibility analysis result of the target security event into the credibility analysis result of the historical event.
Optionally, the event acquisition module is configured to acquire an original event; and carrying out anomaly detection on the original event by adopting a neural network model to obtain a plurality of security events.
Optionally, the event acquisition module is configured to acquire a plurality of initial security events; carrying out standardized form processing on the plurality of initial security events to obtain a plurality of processed initial security events; and filtering the processed multiple initial security events according to a preset filtering rule to obtain multiple security events.
In a third aspect, an embodiment of the present application provides an electronic device comprising a processor and a memory storing computer readable instructions which, when executed by the processor, perform the steps of the method as provided in the first aspect above.
In a fourth aspect, embodiments of the present application provide a readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method as provided in the first aspect above.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of an electronic device for executing an event reliability analysis method according to an embodiment of the present application;
FIG. 2 is a flowchart of an event reliability analysis method according to an embodiment of the present application;
fig. 3 is a block diagram of an event reliability analysis device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
The embodiment of the application provides an event reliability analysis method, which can search a target historical event similar to a target safety event from a historical event reliability analysis result when analyzing the target safety event, then acquire event combination similar to the target historical event, and calculate and acquire the reliability between the target safety event and an event set by using a correlation analysis algorithm so as to acquire the reliability of the target safety event without manual identification, and has higher efficiency. And by combining the reliability analysis result of the historical event, a certain degree of data support is provided for the reliability analysis of the security event, so that the analysis result is more accurate.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an electronic device for executing an event reliability analysis method according to an embodiment of the present application, where the electronic device may include: at least one processor 110, such as a CPU, at least one communication interface 120, at least one memory 130, and at least one communication bus 140. Wherein the communication bus 140 is used to enable direct connection communication of these components. The communication interface 120 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. The memory 130 may be a high-speed RAM memory or a nonvolatile memory (non-volatile memory), such as at least one disk memory. Memory 130 may also optionally be at least one storage device located remotely from the aforementioned processor. The memory 130 has stored therein computer readable instructions which, when executed by the processor 110, perform the method process shown in fig. 2 described below.
It will be appreciated that the configuration shown in fig. 1 is merely illustrative, and that the electronic device may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
Referring to fig. 2, fig. 2 is a flowchart of an event reliability analysis method according to an embodiment of the present application, where the method includes the following steps:
step S110: a plurality of security events is acquired.
Where a security event refers to an event generated by the security system detecting any action that threatens network security, a security event may also be understood as an action that threatens network security, i.e., the action may be understood as a security event. The security events may be obtained by detecting events from network devices and/or WEB applications by the security system, including security events generated by attacks on the network devices, security events such as WEB vulnerabilities, WEB malicious files, malicious code, etc., or alarm events collected through firewalls, IDS, antivirus software, system logs, etc. The security system may scan for network devices and/or WEB-like applications to scan for actions (i.e., events) generated on its network devices and/or WEB-like applications, and then employ rules to detect whether these actions are network security threatening actions to obtain security events.
It can be understood that after the security event is generated, each network device may send the security event to the back-end device after performing the reliability analysis on the security event according to the reliability analysis method provided by the embodiment of the present application, so that the security manager of the back-end device may directly process the security event according to the reliability of the security event, where the electronic device is the network device. Or each network device may send the generated security event to a back-end device, that is, an electronic device, and at this time, the electronic device obtains the security event transmitted by each network device, and then performs reliability analysis on the security events in a unified manner.
Step S120: and aiming at the target security event in the plurality of security events, searching a target historical event similar to the target security event in the obtained historical event reliability analysis result.
The reliability analysis result of the historical event refers to a result obtained after reliability analysis is carried out on the historical security event, the reliability analysis result corresponding to each historical event is stored, the reliability analysis result comprises credibility and non-credibility, and the reliability analysis method of the historical event is obtained by adopting the analysis method provided by the application and is confirmed manually, so that the accuracy is higher.
When the electronic device is each network device, each network device stores a corresponding historical event reliability analysis result, and each historical event reliability analysis result is obtained by performing reliability analysis on the historical security event by the network device. If the electronic equipment is the back-end equipment, a historical event credibility analysis result is stored in the electronic equipment, the historical event credibility analysis result is obtained by carrying out credibility analysis on all historical safety events, and the information quantity is more, so that more data support can be provided when credibility analysis is carried out later, and the accuracy is higher.
The target security event may refer to any one of a plurality of security events, and the reliability analysis method for each security event is the same.
When the reliability analysis is carried out on the target security event, the target historical event similar to the target security event can be searched from the historical event reliability analysis result. For example, the flow characteristics of the target security event may be extracted, including a source address, a destination address, a protocol type, event properties (such as an event of an attack or a Web vulnerability event, etc.), various field characteristics included in the event, and the like, and the corresponding relationship between the flow characteristics of the historical event and the reliability analysis result may be stored in the reliability analysis result of the historical event, so that the flow characteristics of the target security event may be matched with the flow characteristics of the various historical events by similarity, and then the historical event with the most number of flow characteristics is used as the target historical event most similar to the target security event.
It can be appreciated that there may be more than one or more than one target history event, for example, each history event having a similarity greater than the set similarity may be used as the target history event.
Step S130: an event set similar to the target historical event is obtained from the plurality of security events.
Wherein the event set comprises at least one security event. Because the reliability analysis results of the historical events comprise the reliability analysis results corresponding to the historical events, the reliability analysis results can influence the reliability of the current safety event to a certain extent, and the reliability analysis of the target safety event can be more accurate by acquiring the event set similar to the target historical event.
The method for obtaining the event set similar to the target historical event may be similar to the method for obtaining the target historical event similar to the target historical event, for example, the security event similar to the flow characteristic of the target historical event may be obtained from a plurality of security events, that is, the flow characteristic of the target historical event and the flow characteristic of each security event are subjected to similarity calculation, and the security event with the similarity greater than the set similarity is added to the event set as the security event similar to the target historical event. When the similarity is calculated, the flow characteristics of the target historical event and the flow characteristics of each safety event can be mapped into a characteristic vector according to a set rule, then the cosine distance between the characteristic vector of the target historical event and the characteristic vector of each safety event is calculated, if the cosine distance is larger than a preset value, the similarity of the two events is considered to be larger than the set similarity, then the safety events with the similarity larger than the set similarity can be regarded as the safety events similar to the target historical event, and the safety events are regarded as the event set.
Step S140: and calculating and obtaining the credibility between the target security event and the event set by adopting a correlation analysis algorithm.
The association analysis algorithm is an algorithm for mining association relation among data, and may be an Apriori algorithm, an FP-Tree algorithm, an Eclat algorithm, a gray association method and the like.
In the association analysis algorithm, the calculation formula of the credibility is as follows:
wherein A represents a target security event, B represents a set of events,representing the reliability of A, the support (A U.B) represents the support of A and B, i.e. the number of times A and B appear in the transaction set at the same time, the supportort (a) represents the support of a, i.e. the number of times a appears in the transaction set.
In some embodiments, the Apriori algorithm may be used to calculate and obtain a first support degree of the target security event and a second support degree of the target security event and the event set, and then calculate and obtain the credibility between the target security event and the event set according to the first support degree and the second support degree.
It will be appreciated that the number of security events may be very large, such as 80 security events, and that in performing the association analysis, the security events obtained at each time point may be regarded as one transaction, for example, 5 security events are obtained at time T1, 4 security events are obtained at time T2, and a total of 10 events are obtained, and then 10 transactions are corresponding. And then the security events corresponding to the moments are formed into a transaction set, namely the transaction set can comprise the 10 transactions, or the transaction set can also comprise the security events acquired in the historical period, so that more association relations can be mined by using more information. A transaction may be understood as an item set in a transaction set, that is, the transaction set in the above example includes 10 transactions, each transaction may further include a plurality of security events, each security event may be referred to as an item, and a transaction corresponding to time T1 includes 5 items.
When calculating the support degree, for example, the target security event is event a, the event set includes event B, C, D, and when calculating the support degree of event a, the number of times that event a occurs in each transaction may be counted first, for example, when event a occurs in 5 transactions, the support degree of event a is 5 (i.e., the first support degree described above), and similarly, the support degree of event a and the event set refers to the number of times that event A, B, C, D occurs in each transaction, and if these four events occur in two transactions, the support degree of event a and the event set is 2 (i.e., the second support degree described above). And then according to the calculation formula of the credibility, the credibility of the event A is calculated and obtained to be 2/5.
Because the obtained event B, C, D is similar to the target historical event, and the target historical event is an event with the reliability analyzed, the reliability analysis result of the target historical event can influence the reliability of the event A to a certain extent, and further the event B, C, D related to the event A is analyzed through the association analysis algorithm, so that the reliability of the event A can be supported by combining the historical analysis result and the event B, C, D, and further more accurate reliability can be obtained.
Similarly, for other security events in the plurality of security events, the credibility of each security event may be obtained in the same manner as described above.
In addition, in order to facilitate the correlation analysis of the events, the reliability analysis results of each type of safety events, event sequences and historical events can be abstracted in advance based on the statistical law and the Bayesian conditional probability theory to obtain a numeric measurement description, and then the subsequent calculation process can be directly performed based on the numeric measurement description during the reliability analysis, so that the efficiency is higher.
After the credibility of each security event is obtained, the security events can be ranked according to the credibility, the higher the credibility is, the more credible the security event is, namely the lower the risk is, the lower the credibility is, the more unreliable the security event is, namely the higher the risk is. The security manager can output the ordered security events after ordering according to the low reliability from the low reliability to the high reliability, so that the security manager can conduct security check on the security events with low reliability according to the ordering priority, and therefore the security manager can process the security events with high risk according to the risk degree of the security events, and timely process the security events of the network.
In some embodiments, whether each security event is trusted may also be determined based on the confidence level, if the confidence level is greater than a set value, the corresponding security event is considered trusted, otherwise, not trusted. For example, if the confidence level of event a in the above example is greater than the set point, then event a is considered to be trusted, and if the confidence level of event a is greater than the set point, then there is a strong correlation between event a and event B, C, D, then event B, C, D may be determined to be also trusted if event a is trusted, whereas if event a is not trusted, then event B, C, D is determined to be also not trusted. Therefore, if it is determined whether each security event is trusted, it is not necessary to calculate again to obtain the respective credibility of the event B, C, D, that is, it is not necessary to repeat calculation, but it is possible to directly determine whether the event B, C, D is trusted according to whether the event a is trusted, so that the efficiency of the credibility analysis of the security event can be improved.
In the implementation process, when the target security event is analyzed, the target historical event similar to the target security event can be searched from the historical event reliability analysis result, then the event combination similar to the target historical event is obtained, and the reliability between the target security event and the event set is obtained through calculation by using a correlation analysis algorithm, so that the reliability of the target security event is obtained, manual identification is not needed, and the efficiency is higher. And by combining the reliability analysis result of the historical event, a certain degree of data support is provided for the reliability analysis of the security event, so that the analysis result is more accurate.
Based on the above embodiment, in the above manner of acquiring a plurality of security events, an original event may be acquired first, and then, a neural network model is used to perform anomaly detection on the original event, so as to acquire a plurality of security events.
The original event may refer to all network behaviors on the network device and/or the WEB application, and the electronic device may perform anomaly detection on the network behaviors, for example, detect whether the network behaviors are network security threatening behaviors, that is, whether the network behaviors are security events. The specific detection mode can be that the original events are detected abnormally through a neural network model, the neural network model can be a generated type countermeasure network model, a long-term and short-term memory network model and the like, the neural network model can be obtained after training by utilizing a large number of safety events in advance, and the safety events can be detected effectively, so that the safety events can be detected from the original events through the neural network model, the detection is more accurate, and the probability of false detection is reduced.
In other embodiments, the method of detecting the security event may further detect the original event by using some anomaly detection rules, for example, the anomaly detection rules may be configured in advance, the anomaly detection rules may be flow characteristics of the match anomaly (for example, the flow characteristics of the preset anomaly), and by matching the flow characteristics of the original event with the anomaly detection rules, the matched original event is the security event.
Based on the above embodiment, in order to facilitate the subsequent reliability analysis of the security event, some preprocessing may be performed on the security event, where the implementation process is as follows: the method comprises the steps of obtaining a plurality of initial security events, carrying out standardized form processing on the plurality of initial security events to obtain a plurality of processed initial security events, and then filtering the plurality of processed initial security events according to a preset filtering rule to obtain a plurality of security events.
The method for acquiring the plurality of initial security events is the same as the method for acquiring the security events from the original events in the above embodiment, and because the security events may come from different devices or applications and are not uniform in form, for convenience in processing, standardized form processing needs to be performed on the initial security events first, and the processing mode is to convert each initial security event into an event with the same data format, that is, to convert flow characteristics of different formats of each initial security event into flow characteristics of the same format for description, so that the data formats of the initial security events are uniform, and convenience in subsequent data processing is achieved. For example, a formatting plug-in may be preconfigured, which is a collection of statements that employ a particular semantic, a particular format, for formatting the security event, so that the formatting plug-in may be utilized directly to perform standardized formatting processing on each initial security event.
In order to filter out some unsatisfactory security events, the plurality of initial security events obtained after processing may be filtered according to a preset filtering rule, where the preset filtering rule includes at least one of the following: filtering out false or repeated initial security events, filtering out initial security events containing incomplete contents, and filtering out initial security events lacking attack source or attack destination addresses. The plurality of security events left after filtering can be used as the security events for carrying out the subsequent credibility analysis, thereby reducing the processing capacity of the subsequent process.
Based on the above embodiment, in the manner of acquiring the event set similar to the target historical event, the plurality of security events may be classified to obtain a category corresponding to each security event, then the plurality of security events may be sequenced according to an event sequence to obtain an event sequence, and then the event set similar to the target historical event may be acquired according to the category corresponding to each security event and the event sequence, where the category of the security event domain target historical event in the event set is the same and/or similar to the occurrence time of the target historical event.
The Bayesian classification algorithm can be adopted to classify the plurality of security events, so that the category corresponding to each security event can be obtained. The classification dimension may include at least one of: source, destination, protocol type, port, event properties, etc. For example, security events from the same source may be classified into one type, or security events from the same destination may be classified into one type, or the like.
Alternatively, a K-means clustering algorithm may be used to classify the plurality of security events, so that when a new security event is generated, the new security event may be directly clustered into an existing class to more rapidly obtain the class of the new security event.
Each security event can carry relevant information of corresponding event occurrence time, so that a plurality of security events can be sequenced according to time sequence, and an event sequence can be obtained through sequencing according to time sequence. Of course, there may be multiple security events occurring at the same time.
When searching for the obtained event set, the security events with the same category as the target historical event can be searched for from the plurality of security events, if the plurality of security events are classified according to the source, the security events with the same source as the target historical event are searched for as the security events similar to the target historical event. Similarly, security events similar to the target historical event may be obtained if classified in other dimensions. For example, if the target historical event A1 is the same class as the security event B, C, the security event B, C may be considered to be a similar security event as event A1.
And/or, the occurrence time of the target historical event can be obtained, then the security event with the occurrence time similar to the occurrence time of the target historical event is searched in the event sequence, the occurrence time similar can be understood as the same occurrence time or the occurrence time interval is smaller than the preset duration, if the occurrence time interval between the occurrence time of the target historical event A1 and the occurrence time of a certain security event D is smaller than the preset duration, the security event D can be considered as the security event similar to the target historical event A1.
Therefore, a set of events similar to the target historical event, such as including event B, C, D, can be obtained in the manner described above. In this way, some similar security events can be found to support the credibility of the target security event, so that more accurate credibility is obtained. Because some security events may have a certain rule, if the occurrence time is similar or the types are the same, the security events may be trusted or both are not trusted, so by analyzing the relevance between the target security event and the security events, more information can be found to a certain extent to support the credibility of the target security event, so that the credibility of the target security event is more accurate.
On the basis of the embodiment, in order to provide data reference for reliability analysis of subsequent security events, after obtaining the reliability of the target security event, the reliability analysis result of the target security event may be obtained according to the reliability, and then the corresponding reliability analysis result in the target security event table may be stored in the historical event reliability analysis result.
If the credibility of the target security event is larger than a set value, the credibility analysis result of the target security event is credible, otherwise, the credibility analysis result is not credible, and then the corresponding credibility analysis result of the target security event is marked and stored in the credibility analysis result of the historical event. Of course, each security event in the plurality of security events can be processed according to the reliability analysis result, namely, each security event is marked with the corresponding reliability analysis result and then stored in the reliability analysis result of the historical event, so that more reliability analysis results of the historical event can be accumulated, and more data support is provided for reliability analysis of the subsequent new security event.
Referring to fig. 3, fig. 3 is a block diagram illustrating a device 200 for analyzing event reliability according to an embodiment of the present application, where the device 200 may be a module, a program segment, or a code on an electronic device. It should be understood that the apparatus 200 corresponds to the above embodiment of the method of fig. 2, and is capable of executing the steps involved in the embodiment of the method of fig. 2, and specific functions of the apparatus 200 may be referred to in the above description, and detailed descriptions thereof are omitted herein as appropriate to avoid redundancy.
Optionally, the apparatus 200 includes:
an event acquisition module 210, configured to acquire a plurality of security events;
the historical event searching module 220 is configured to search, for a target security event in the plurality of security events, a target historical event similar to the target security event in the obtained historical event reliability analysis result;
an event set obtaining module 230, configured to obtain an event set similar to the target historical event from the plurality of security events, where the event set includes at least one security event;
and the credibility calculation module 240 is configured to calculate and obtain the credibility between the target security event and the event set by using a correlation analysis algorithm.
Optionally, the event set obtaining module 230 is configured to classify the plurality of security events to obtain a class corresponding to each security event; sequencing the plurality of security events according to a time sequence to obtain an event sequence; and acquiring an event set similar to the target historical event according to the category corresponding to each security event and the event sequence, wherein the security event in the event set is the same as the category of the target historical event and/or similar to the occurrence time of the target historical event.
Optionally, the event set obtaining module 230 is configured to classify the plurality of security events according to at least one classification dimension, where the at least one classification dimension includes: source, destination, protocol type, port, event properties.
Optionally, the credibility calculation module 240 is configured to calculate and obtain a first support degree of the target security event and a second support degree of the target security event and the event set by using Apriori algorithm; and calculating and obtaining the credibility between the target security event and the event set according to the first support degree and the second support degree.
Optionally, the apparatus 200 further includes:
the storage module is used for acquiring a credibility analysis result of the target security event according to the credibility; and labeling the corresponding credibility analysis result of the target security event, and storing the credibility analysis result of the target security event into the credibility analysis result of the historical event.
Optionally, the event obtaining module 210 is configured to obtain an original event; and carrying out anomaly detection on the original event by adopting a neural network model to obtain a plurality of security events.
Optionally, the event acquisition module 210 is configured to acquire a plurality of initial security events; carrying out standardized form processing on the plurality of initial security events to obtain a plurality of processed initial security events; and filtering the processed multiple initial security events according to a preset filtering rule to obtain multiple security events.
It should be noted that, for convenience and brevity, a person skilled in the art will clearly understand that, for the specific working procedure of the apparatus described above, reference may be made to the corresponding procedure in the foregoing method embodiment, and the description will not be repeated here.
An embodiment of the application provides a readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method procedure performed by an electronic device in the method embodiment shown in fig. 2.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, are capable of performing the methods provided by the above-described method embodiments, for example, comprising: acquiring a plurality of security events; aiming at a target security event in the plurality of security events, searching a target historical event similar to the target security event in the obtained historical event reliability analysis result; obtaining an event set similar to the target historical event from the plurality of security events, wherein the event set comprises at least one security event; and calculating and obtaining the credibility between the target security event and the event set by adopting a correlation analysis algorithm.
In summary, the embodiment of the application provides an event reliability analysis method, an event reliability analysis device, an electronic device and a readable storage medium, wherein when a target security event is analyzed, a target historical event similar to the target security event is searched from a historical event reliability analysis result, then an event combination similar to the target historical event is obtained, and the reliability between the target security event and an event set is obtained by calculating through a correlation analysis algorithm, so that the reliability of the target security event is obtained, manual identification is not needed, and the efficiency is higher. And by combining the reliability analysis result of the historical event, a certain degree of data support is provided for the reliability analysis of the security event, so that the analysis result is more accurate.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.
Claims (10)
1. A method of event reliability analysis, the method comprising:
acquiring a plurality of security events, wherein the security events are events generated by the security system detecting any action threatening the network security;
searching a target historical event similar to the target safety event in the obtained historical event reliability analysis results aiming at the target safety event in the plurality of safety events, wherein the target safety event refers to any one of the plurality of safety events, the historical event reliability analysis results comprise the corresponding relation between the historical event and the reliability analysis results, and the historical event refers to the historical safety event;
obtaining an event set similar to the target historical event from the plurality of security events, wherein the event set comprises at least one security event, and the security event in the event set is the same as the category of the target historical event and/or similar to the occurrence time of the target historical event;
and calculating and obtaining the credibility between the target security event and the event set by adopting a correlation analysis algorithm.
2. The method of claim 1, wherein the obtaining a set of events from the plurality of security events that is similar to the target historical event comprises:
Classifying the plurality of security events to obtain a category corresponding to each security event;
sequencing the plurality of security events according to a time sequence to obtain an event sequence;
and acquiring an event set similar to the target historical event according to the category corresponding to each security event and the event sequence.
3. The method of claim 2, wherein classifying the plurality of security events to obtain a class corresponding to each security event comprises:
classifying the plurality of security events according to at least one classification dimension to obtain a class corresponding to each security event, wherein the at least one classification dimension comprises: source, destination, protocol type, port, event properties.
4. The method of claim 1, wherein said employing a correlation analysis algorithm to calculate a confidence level between the target security event and the set of events comprises:
calculating and obtaining a first support degree of the target security event and a second support degree of the target security event and the event set by adopting an Apriori algorithm;
and calculating and obtaining the credibility between the target security event and the event set according to the first support degree and the second support degree.
5. The method of claim 1, wherein after said calculating the confidence level between the target security event and the event set using a correlation analysis algorithm, further comprising:
acquiring a credibility analysis result of the target security event according to the credibility;
and labeling the corresponding credibility analysis result of the target security event, and storing the credibility analysis result of the target security event into the credibility analysis result of the historical event.
6. The method of claim 1, wherein the acquiring a plurality of security events comprises:
acquiring an original event, wherein the original event refers to an event generated by all network behaviors on network equipment and/or WEB class application;
and carrying out anomaly detection on the original event by adopting a neural network model to obtain a plurality of security events.
7. The method of claim 1, wherein the acquiring a plurality of security events comprises:
acquiring a plurality of initial security events;
carrying out standardized form processing on the plurality of initial security events to obtain a plurality of processed initial security events;
and filtering the processed multiple initial security events according to a preset filtering rule to obtain multiple security events.
8. An event reliability analysis apparatus, the apparatus comprising:
the system comprises an event acquisition module, a network security detection module and a network security detection module, wherein the event acquisition module is used for acquiring a plurality of security events, wherein the security events are events generated by the fact that a security system detects any action threatening the network security;
the historical event searching module is used for searching a target historical event similar to the target safety event in the obtained historical event reliability analysis results aiming at the target safety event in the plurality of safety events, wherein the target safety event refers to any one of the plurality of safety events, the historical event reliability analysis results comprise the corresponding relation between the historical event and the reliability analysis results, and the historical event refers to the historical safety event;
an event set obtaining module, configured to obtain an event set similar to the target historical event from the plurality of security events, where the event set includes at least one security event, and the security event in the event set is the same as the category of the target historical event and/or is similar to the occurrence time of the target historical event;
and the credibility calculation module is used for calculating and obtaining the credibility between the target security event and the event set by adopting a correlation analysis algorithm.
9. An electronic device comprising a processor and a memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-7.
10. A readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method of any of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110737078.1A CN113343228B (en) | 2021-06-30 | 2021-06-30 | Event credibility analysis method and device, electronic equipment and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110737078.1A CN113343228B (en) | 2021-06-30 | 2021-06-30 | Event credibility analysis method and device, electronic equipment and readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113343228A CN113343228A (en) | 2021-09-03 |
| CN113343228B true CN113343228B (en) | 2023-11-10 |
Family
ID=77481922
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110737078.1A Active CN113343228B (en) | 2021-06-30 | 2021-06-30 | Event credibility analysis method and device, electronic equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113343228B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113904838A (en) * | 2021-09-30 | 2022-01-07 | 北京天融信网络安全技术有限公司 | Sensor data detection method and device, electronic equipment and storage medium |
| CN114500038A (en) * | 2022-01-24 | 2022-05-13 | 深信服科技股份有限公司 | Network security detection method and device, electronic equipment and readable storage medium |
Citations (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101521672A (en) * | 2009-04-03 | 2009-09-02 | 中国科学院计算技术研究所 | Network worm detection method and detection system |
| CN101668012A (en) * | 2009-09-23 | 2010-03-10 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting security event |
| US8407798B1 (en) * | 2002-10-01 | 2013-03-26 | Skybox Secutiry Inc. | Method for simulation aided security event management |
| CN103281341A (en) * | 2013-06-27 | 2013-09-04 | 福建伊时代信息科技股份有限公司 | Network event processing method and device |
| CN103996077A (en) * | 2014-05-22 | 2014-08-20 | 中国南方电网有限责任公司电网技术研究中心 | Electric equipment fault forecasting method based on multi-dimension time sequence |
| CN108737147A (en) * | 2017-04-25 | 2018-11-02 | 中国移动通信集团广东有限公司 | A kind of network alarm event-handling method and device |
| CN109255237A (en) * | 2018-08-31 | 2019-01-22 | 新华三大数据技术有限公司 | Security event associative analysis method and device |
| CN109358602A (en) * | 2018-10-23 | 2019-02-19 | 山东中创软件商用中间件股份有限公司 | A kind of failure analysis methods, device and relevant device |
| CN111611495A (en) * | 2020-04-01 | 2020-09-01 | 西安电子科技大学 | Network information reliability detection method, system, storage medium and terminal |
| CN111654489A (en) * | 2020-05-27 | 2020-09-11 | 杭州迪普科技股份有限公司 | Network security situation sensing method, device, equipment and storage medium |
| CN112235312A (en) * | 2020-10-22 | 2021-01-15 | 新华三信息安全技术有限公司 | Method and device for determining credibility of security event and electronic equipment |
| CN112333196A (en) * | 2020-11-10 | 2021-02-05 | 恒安嘉新(北京)科技股份公司 | Attack event tracing method and device, electronic equipment and storage medium |
| CN112351004A (en) * | 2020-10-23 | 2021-02-09 | 烟台南山学院 | Computer network based information security event processing system and method |
| CN112422484A (en) * | 2019-08-23 | 2021-02-26 | 华为技术有限公司 | Method, apparatus, and storage medium for determining a scenario for processing a security event |
| CN112637194A (en) * | 2020-12-18 | 2021-04-09 | 北京天融信网络安全技术有限公司 | Security event detection method and device, electronic equipment and storage medium |
| CN112738115A (en) * | 2020-12-31 | 2021-04-30 | 北京天融信网络安全技术有限公司 | Advanced persistent attack detection method, apparatus, computer device and medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9888024B2 (en) * | 2015-09-30 | 2018-02-06 | Symantec Corporation | Detection of security incidents with low confidence security events |
| US10915420B2 (en) * | 2018-12-03 | 2021-02-09 | At&T Intellectual Property I, L.P. | Events data structure for real time network diagnosis |
| US11588839B2 (en) * | 2019-12-10 | 2023-02-21 | Fortinet, Inc. | Leveraging user-behavior analytics for improved security event classification |
-
2021
- 2021-06-30 CN CN202110737078.1A patent/CN113343228B/en active Active
Patent Citations (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8407798B1 (en) * | 2002-10-01 | 2013-03-26 | Skybox Secutiry Inc. | Method for simulation aided security event management |
| CN101521672A (en) * | 2009-04-03 | 2009-09-02 | 中国科学院计算技术研究所 | Network worm detection method and detection system |
| CN101668012A (en) * | 2009-09-23 | 2010-03-10 | 成都市华为赛门铁克科技有限公司 | Method and device for detecting security event |
| CN103281341A (en) * | 2013-06-27 | 2013-09-04 | 福建伊时代信息科技股份有限公司 | Network event processing method and device |
| CN103996077A (en) * | 2014-05-22 | 2014-08-20 | 中国南方电网有限责任公司电网技术研究中心 | Electric equipment fault forecasting method based on multi-dimension time sequence |
| CN108737147A (en) * | 2017-04-25 | 2018-11-02 | 中国移动通信集团广东有限公司 | A kind of network alarm event-handling method and device |
| CN109255237A (en) * | 2018-08-31 | 2019-01-22 | 新华三大数据技术有限公司 | Security event associative analysis method and device |
| CN109358602A (en) * | 2018-10-23 | 2019-02-19 | 山东中创软件商用中间件股份有限公司 | A kind of failure analysis methods, device and relevant device |
| CN112422484A (en) * | 2019-08-23 | 2021-02-26 | 华为技术有限公司 | Method, apparatus, and storage medium for determining a scenario for processing a security event |
| CN111611495A (en) * | 2020-04-01 | 2020-09-01 | 西安电子科技大学 | Network information reliability detection method, system, storage medium and terminal |
| CN111654489A (en) * | 2020-05-27 | 2020-09-11 | 杭州迪普科技股份有限公司 | Network security situation sensing method, device, equipment and storage medium |
| CN112235312A (en) * | 2020-10-22 | 2021-01-15 | 新华三信息安全技术有限公司 | Method and device for determining credibility of security event and electronic equipment |
| CN112351004A (en) * | 2020-10-23 | 2021-02-09 | 烟台南山学院 | Computer network based information security event processing system and method |
| CN112333196A (en) * | 2020-11-10 | 2021-02-05 | 恒安嘉新(北京)科技股份公司 | Attack event tracing method and device, electronic equipment and storage medium |
| CN112637194A (en) * | 2020-12-18 | 2021-04-09 | 北京天融信网络安全技术有限公司 | Security event detection method and device, electronic equipment and storage medium |
| CN112738115A (en) * | 2020-12-31 | 2021-04-30 | 北京天融信网络安全技术有限公司 | Advanced persistent attack detection method, apparatus, computer device and medium |
Non-Patent Citations (5)
| Title |
|---|
| 一种基于计划识别的安全事件关联分析方法;刘育楠;徐震;王若琦;;信息工程大学学报(第01期);全文 * |
| 一种网络安全信息的综合关联分析方法;邱荣斌;许榕生;;福建电脑(第02期);全文 * |
| 基于Apriori算法的安全事件二级关联方法;唐湘滟;程杰仁;刘博艺;郑兆华;周静荷;;网络安全技术与应用(第01期);全文 * |
| 基于信任领域和评价可信度量的信任模型研究;蔡红云;计算机研究与发展;全文 * |
| 无线闭塞中心安全风险评估研究;李远远;中国优秀硕士学位论文数据库 工程科技II辑;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113343228A (en) | 2021-09-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10721245B2 (en) | Method and device for automatically verifying security event | |
| US8108931B1 (en) | Method and apparatus for identifying invariants to detect software tampering | |
| CN111585955B (en) | HTTP request abnormity detection method and system | |
| US11250043B2 (en) | Classification of log data | |
| CN112003838B (en) | Network threat detection method, device, electronic device and storage medium | |
| US11888881B2 (en) | Context informed abnormal endpoint behavior detection | |
| CN113343228B (en) | Event credibility analysis method and device, electronic equipment and readable storage medium | |
| US10505986B1 (en) | Sensor based rules for responding to malicious activity | |
| CN110912884A (en) | Detection method, detection equipment and computer storage medium | |
| US11698962B2 (en) | Method for detecting intrusions in an audit log | |
| CN113408281B (en) | Mailbox account anomaly detection method and device, electronic equipment and storage medium | |
| CN113422763B (en) | Alarm correlation analysis method constructed based on attack scene | |
| CN112839014B (en) | Method, system, equipment and medium for establishing abnormal visitor identification model | |
| CN112131249A (en) | Attack intention identification method and device | |
| US20190370476A1 (en) | Determination apparatus, determination method, and determination program | |
| CN110598959A (en) | Asset risk assessment method and device, electronic equipment and storage medium | |
| CN108804914A (en) | A kind of method and device of anomaly data detection | |
| US11157620B2 (en) | Classification of executable files using a digest of a call graph pattern | |
| US20230087309A1 (en) | Cyberattack identification in a network environment | |
| CN112583847A (en) | Method for network security event complex analysis for medium and small enterprises | |
| CN115659351B (en) | Information security analysis method, system and equipment based on big data office | |
| CN111565377B (en) | Security monitoring method and device applied to Internet of things | |
| CN113032774A (en) | Training method, device and equipment of anomaly detection model and computer storage medium | |
| CN116010600B (en) | Log classification method, device, equipment and medium | |
| CN116432240B (en) | Method, device, server and system for detecting sensitive data of intranet terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |