CN114244634A - Network security detection method and system based on structured event data search - Google Patents

Network security detection method and system based on structured event data search

Info

Publication number
CN114244634A
Authority
CN
China
Prior art keywords
event
data
item
event data
behavior
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210174679.0A
Other languages
Chinese (zh)
Inventor
周磊
姜双林
饶志波
刘军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Andi Technology Co ltd
Original Assignee
Beijing Andi Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Andi Technology Co ltd
Priority to CN202210174679.0A
Publication of CN114244634A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2455Query execution
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of network security and provides a network security detection method and system based on structured event data search. An event function is determined from suspicious event data, and a query is executed on a structurally stored event data set based on that event function to obtain a behavior data query result; whether the suspicious event data corresponds to a malicious behavior is determined from the behavior data query result, and a preset security operation is executed against the malicious behavior. Through network security detection based on events and behaviors, the invention, on one hand, avoids the brittleness and ineffectiveness at discovering unknown attacks of the conventional scheme based on indicators of compromise (IOCs); on the other hand, it reduces the syntax complexity and the entry threshold of retrieval; in addition, because the event data set is stored in a structured form, log files from different data sources can be collected and fused, so that aggregate analysis across multiple data sources becomes more efficient and convenient.

Description

Network security detection method and system based on structured event data search
Technical Field
The invention relates to the technical field of network security, in particular to a network security detection method and a system based on structured event data search.
Background
Traditional security detection that focuses only on indicators of compromise (IOCs) is brittle and ineffective at discovering unknown attacks. In addition, many databases and search platforms are cumbersome and unintuitive, with complex syntax and a high barrier to entry. Detecting suspicious behavior requires analysing multiple data sources, and only aggregate analysis across those sources can determine whether the data is suspicious; otherwise, one has to be familiar with the storage platform of each data source and with its query language.
Therefore, how to provide a more efficient network security detection method and system with a lower entry threshold has become a technical problem that the industry urgently needs to solve.
Disclosure of Invention
The invention provides a network security detection method and system based on structured event data search, which overcome the brittleness of prior-art detection that pays attention only to indicators of compromise (IOCs), and which realise network security detection based on structured event data search.
The invention provides a network security detection method based on structured event data search, which comprises the following steps:
determining an event function according to suspicious event data, and executing query on a structurally stored event data set based on the event function to obtain a behavior data query result;
determining that the suspicious event data corresponds to a malicious behavior according to the behavior data query result, and executing preset safety operation aiming at the malicious behavior;
the event function is a query function for positioning corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structured stored event data set is obtained by extracting a log file.
According to the network security detection method based on structured event data search, the suspicious event data is event data that has been detected by a preset detection model and contains a suspicious item; the suspicious item comprises a suspicious IP and/or a suspicious event type;
the step of executing a preset security operation against the malicious behavior comprises:
determining a countermeasure against the malicious behavior according to the ATT&CK model;
executing the countermeasure as the security operation.
According to the network security detection method based on structured event data search provided by the invention, the step of executing a query on the structurally stored event data set based on the event function to obtain the behavior data query result comprises:
if the event function is determined to belong to a cache event function set, calling cache data according to the event function to obtain a behavior data query result;
the cache data comprises the behavior data query result of the event function in the cache event function set.
The invention provides a network security detection method based on structured event data search, which further comprises the following steps:
and if the event data set stored in the structured mode is determined to be updated, the cache data is correspondingly updated.
According to the network security detection method based on structured event data search, provided by the invention, the event data in the structured stored event data set comprises an event task ID item, an event time item, an event type item and an event description item;
the event task ID item, the event time item, the event type item and the event description item are obtained by extracting a log file, wherein the log file comprises any one or any combination of a system log, a database log and a program log.
According to the network security detection method based on structured event data search provided by the invention, the data structure of the structured stored event data set is a B-Tree structure taking an event type item as an index.
According to the network security detection method based on structured event data search provided by the invention, the event function comprises an event type item to be queried, which is determined from the suspicious event data;
the event function further comprises at least one condition item; a condition item is an event task ID item, an event time item or an event description item to be queried, determined from the suspicious event data;
multiple condition items are connected by the logical operators AND or OR;
the event function further comprises at least one aggregate analysis item; an aggregate analysis item is a count item, a filter item, a time-ordering item, an event-type-ordering item or a match-degree-ordering item;
the count item adds up the number of occurrences of the event type item to be queried in the behavior data query result; the filter item performs a second filtering pass over the behavior data query result; the time-ordering item, the event-type-ordering item and the match-degree-ordering item display the behavior data query result in time order, event-type order and match-degree order respectively.
The invention also provides a network security detection system based on structured event data search, which comprises:
the query module is used for determining an event function according to suspicious event data and executing query on the event data set stored in a structured manner based on the event function to obtain a behavior data query result;
the safety module is used for determining that the suspicious event data corresponds to a malicious behavior according to the behavior data query result, and executing preset safety operation aiming at the malicious behavior;
the event function is a query function for positioning corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structured stored event data set is obtained by extracting a log file.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein when the processor executes the program, the steps of the network security detection method based on the structured event data search are realized.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when being executed by a processor, implements the steps of the method for detecting network security based on structured event data search as described in any of the above.
The present invention also provides a computer program product comprising a computer program, which when executed by a processor implements the steps of the method for detecting network security based on structured event data search as described in any one of the above.
The invention provides a network security detection method and system based on structured event data search, in which a structurally stored event data set is queried through an event function to obtain a behavior data query result comprising at least one piece of event data. The focus of network security detection is thereby shifted from the traditional indicators of compromise (IOCs) to the behavior itself: one or more event functions are determined from suspicious event data, the event functions are used to retrieve and query the structurally stored event data set to obtain the behavior (suspicious behavior) corresponding to the suspicious event, and if that behavior is malicious, a preset security operation is executed against it. Through network security detection based on events and behaviors, on one hand, the brittleness and ineffectiveness at discovering unknown attacks of the traditional IOC-based scheme are avoided, because the reference for identifying malicious behavior is changed from abstract parameters to actual events, which is more intuitive; on the other hand, the syntax complexity and entry threshold of retrieval are reduced, so that a practitioner does not need to master a complex data structure and query language and only needs to query events and behaviors; in addition, because the event data set is stored in a structured form, log files from different data sources can be collected and fused, so that aggregate analysis across multiple data sources becomes more efficient and convenient.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of a network security detection method based on structured event data search according to the present invention;
FIG. 2 is a second schematic flowchart of the network security detection method based on structured event data search according to the present invention;
FIG. 3 is a third schematic flowchart of a network security detection method based on structured event data search according to the present invention;
FIG. 4 is a schematic structural diagram of a network security detection system based on structured event data search according to the present invention;
fig. 5 is a schematic structural diagram of an electronic device provided in the present invention.
Reference numerals:
401: a query module;
402: a security module;
510: a processor;
520: a communication interface;
530: a memory;
540: a communication bus.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The network security detection method based on structured event data search of the present invention is described below with reference to fig. 1 to 3.
As shown in fig. 1, the present embodiment provides a network security detection method based on structured event data search, including:
step 102, determining an event function according to suspicious event data, and executing query on a structurally stored event data set based on the event function to obtain a behavior data query result;
104, determining that the suspicious event data corresponds to a malicious behavior according to the behavior data query result, and executing a preset safety operation aiming at the malicious behavior;
the event function is a query function for positioning corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structured stored event data set is obtained by extracting a log file.
The executing entity of this embodiment is preferably a network security detection program, which may run in real time or be executed periodically (repeatedly).
For a program running in real time, the structurally stored event data set is updated in real time, i.e. the content of at least one log file is added to the structured event data set as it arrives; the program monitors event data continuously and, when a piece of event data meets a preset suspicion criterion (for example, an alert on a certain IP in an access log, or on a certain behavior of a certain piece of software in syslog), treats it as suspicious event data and executes step 102 and step 104 in sequence.
For a program executed periodically (repeatedly), the structurally stored event data set is updated periodically, i.e. the content of at least one log file is added to the structured event data set at each scheduled run; during a run, any event data that meets the preset suspicion criterion (for example, an alert on a certain IP in the access log, or on a certain behavior of a certain piece of software in syslog) is treated as suspicious event data, and step 102 and step 104 are executed in sequence.
A periodically executed program may obtain several pieces of suspicious event data in each run cycle; in a preferred embodiment it executes steps 102 and 104 on each piece of suspicious event data in turn.
It is worth noting that a structurally stored event data set essentially represents the raw data of a log file as independent or associated events. For example, take this line from an access log:
13.66.139.0 - - [19/Dec/2020:13:57:26 +0100] "GET /index.php?option=com_phocagallery&view=category&id=1:almhuette-raith&Itemid=53 HTTP/1.1" 200 32653 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" "-"
The following event can be specified:
event task ID: 13.66.139.0 (client IP);
event time: [19/Dec/2020:13:57:26 +0100] (access time);
event type: 200 (response status);
event description:
GET (request method);
/index.php?option=com_phocagallery&view=category&id=1:almhuette-raith&Itemid=53 HTTP/1.1 (request address);
32653 (number of bytes returned);
Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) (user-agent, i.e. the browser information reported by the client).
The format of the event function corresponds to the data structure of the event data set. In the access-log example above, an event function may be defined over any one or any combination of event task ID, event time, event type and event description, so that the query yields the behavior data satisfying the event function.
In a preferred embodiment, the suspicious event data is event data that has been detected by a preset detection model and contains a suspicious item; the suspicious item comprises a suspicious IP and/or a suspicious event type.
In an alternative embodiment, whether the program runs in real time or periodically (repeatedly), several event functions may be derived from the same suspicious event data when step 102 is executed; the query of step 102 ("execute a query on the structurally stored event data set based on the event function to obtain the behavior data query result") and step 104 are then repeated for each of the event functions.
The beneficial effect of this embodiment lies in:
the method comprises the steps of querying a structurally stored event data set through an event function to obtain a behavior data query result comprising at least one event data, converting a concerned gravity center of network security detection from a traditional collapse index IOCs into a behavior, namely determining one or more event functions based on suspicious event data, retrieving and querying the structurally stored event data set through the event functions to obtain a behavior (suspicious behavior) corresponding to the suspicious event, and executing preset security operation according to the malicious behavior if the behavior is the malicious behavior. Through the network security detection based on the events and the behaviors, on one hand, the problems of detection fragility and invalidity when unknown attacks are found in the traditional collapse index IOCs scheme are avoided, namely, the identification reference of the malicious behaviors is converted into actual events from abstract parameters, and the network security detection based on the events and the behaviors has better intuitiveness; on the other hand, the grammar complexity and the threshold of entry of retrieval are reduced, so that a practitioner does not need to master a complex data structure and query language and only needs to query events and behaviors; in addition, based on the event data set of the structured storage, log files of different data sources can be collected and fused, so that the aggregation analysis of a plurality of data sources is more efficient and convenient.
According to the above embodiment, in the present embodiment:
as shown in fig. 2, the step 102 of determining an event function according to suspicious event data, and executing a query on a structurally stored event data set based on the event function to obtain a behavior data query result includes:
step 1022, determining an event function according to the suspicious event data;
step 1024, if the event function is determined to belong to the cache event function set, calling cache data according to the event function to obtain a behavior data query result;
the cache data comprises the behavior data query result of the event function in the cache event function set.
In an optional embodiment, the network security detection method further comprises:
and if the event data set stored in the structured mode is determined to be updated, the cache data is correspondingly updated.
The beneficial effect of this embodiment lies in:
A temporary cache may be introduced for frequent queries with the same statement; whenever stored data is added or updated, the cache is refreshed, so that query results remain accurate in real time.
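The cache described above, as an added example that is not part of the patent text: each event function's behavior data result is stored together with the version of the event data set it was computed against, and an entry is reused only while that version is still current, so an append or update to the data set invalidates stale entries without clearing the whole cache. The in-memory store, the version counter, the minimal "event function" (a bare event type string) and the sample events are this example's own assumptions.

```python
from typing import Callable, Dict, List, Tuple


class EventStore:
    """Stand-in for the structurally stored event data set: a list of records
    plus a version number that changes on every insert or update."""

    def __init__(self) -> None:
        self.events: List[dict] = []
        self.version = 0

    def add(self, event: dict) -> None:
        self.events.append(event)
        self.version += 1  # any change to the data set bumps the version


class CachedQuery:
    """Caches the behavior-data result of each event function, keyed by its text.
    A cached result is reused only if it was computed against the store version
    that is still current; an update therefore invalidates it lazily, on next use."""

    def __init__(self, store: EventStore,
                 run: Callable[[List[dict], str], List[dict]]) -> None:
        self.store, self.run = store, run
        self.cache: Dict[str, Tuple[int, List[dict]]] = {}
        self.hits = self.misses = 0

    def query(self, event_function: str) -> List[dict]:
        entry = self.cache.get(event_function)
        if entry is not None and entry[0] == self.store.version:
            self.hits += 1
            return entry[1]
        self.misses += 1
        result = self.run(self.store.events, event_function)
        self.cache[event_function] = (self.store.version, result)
        return result


def by_type(events: List[dict], event_function: str) -> List[dict]:
    # Minimal event function (assumption): the string is just an event type to match.
    return [e for e in events if e["type"] == event_function]


# Constructed sample events, not taken from the page.
SAMPLE_EVENTS = [
    {"task_id": "203.0.113.7", "time": "2020-12-19T13:01:02Z", "type": "500", "description": "GET /admin.php"},
    {"task_id": "203.0.113.7", "time": "2020-12-19T13:01:05Z", "type": "500", "description": "POST /admin.php"},
    {"task_id": "13.66.139.0", "time": "2020-12-19T12:57:26Z", "type": "200", "description": "GET /index.php"},
]


def demo() -> dict:
    store = EventStore()
    for ev in SAMPLE_EVENTS:
        store.add(ev)
    cached = CachedQuery(store, by_type)
    first = cached.query("500")    # miss: computed and stored with version 3
    second = cached.query("500")   # hit: same function, store unchanged
    store.add({"task_id": "203.0.113.7", "time": "2020-12-19T13:03:00Z",
               "type": "500", "description": "GET /.env"})
    third = cached.query("500")    # miss: store version moved on, stale entry recomputed
    return {"hits": cached.hits, "misses": cached.misses,
            "before": len(first), "after": len(third), "same_object": second is first}


if __name__ == "__main__":
    print(demo())
```

Stamping entries with a version rather than flushing the cache on every write keeps results for event functions that are still being asked about, but stale entries linger until they are queried again; a bounded cache (for example an LRU) is needed in practice so that rarely repeated queries do not accumulate.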
According to any of the embodiments described above, in this embodiment:
the event data in the structured stored event data set comprises an event task ID item, an event time item, an event type item and an event description item.
The event task ID item, the event time item, the event type item and the event description item are obtained by extracting a log file, wherein the log file comprises any one or any combination of a system log, a database log and a program log.
Various log files and structured storage methods thereof in the embodiment will be exemplified below.
1. Linux syslog data:
<30>Oct 9 22:33:20 hlfedora auditd[1787]: The audit daemon is exiting.
after structured storage:
<30>: event type;
Oct 9 22:33:20 hlfedora: event time;
auditd[1787]: The audit daemon is exiting.: event description.
2. MySQL log data:
2015-12-23T02:25:30.984395Z 2 [ERROR] Could not use /tmp/mysql_query.log for logging (error 13 - Permission denied). Turning logging off for the server process. To turn it on again: fix the cause, then either restart the query logging by using "SET GLOBAL GENERAL_LOG=ON" or restart the MySQL server.
after structured storage:
[ERROR]: event type;
2015-12-23T02:25:30.984395Z 2: event time;
Could not use /tmp/mysql_query.log for logging (error 13 - Permission denied). Turning logging off for the server process. To turn it on again: fix the cause, then either restart the query logging by using "SET GLOBAL GENERAL_LO G=ON" or restart the MySQL server.: event description.
3. Log generated by a Java program using Log4j:
12 Oct 2015 22:23:30,162 45 [main] INFO MyApp - Exiting application.
after structured storage:
INFO: event type;
12 Oct 2015 22:23:30,162 45: event time;
MyApp - Exiting application.: event description.
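As an added example that is not part of the patent text, the following Python converts the page's four sample lines (the access-log line from the earlier section, and the syslog, MySQL and Log4j lines above) into the common record of event task ID, event time, event type and event description. The regular expressions, the choice of task ID for the syslog, MySQL and Log4j lines (process, thread id and thread name, which the page leaves open), the assumption that zone-less timestamps are UTC, the default year supplied for the syslog line, and the extra "source" field are all this example's own assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional


# Every parser below emits the same record: the four fields the page names
# (event task ID, event time, event type, event description) plus "source".
def make_event(task_id: str, time: datetime, etype: str, description: str, source: str) -> dict:
    return {"task_id": task_id, "time": time, "type": etype,
            "description": description, "source": source}


def _utc(dt: datetime) -> datetime:
    # Zone-less timestamps (syslog, Log4j) are assumed to be UTC so that events
    # from different sources sort on one time axis. Assumption, not page content.
    return dt.astimezone(timezone.utc) if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


# 1. Combined-format access log. Task ID = client IP, type = HTTP status (the
#    "access state" the page picks as the field of interest).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def parse_access(line: str) -> Optional[dict]:
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    desc = f'{m["method"]} {m["path"]} {m["proto"]} bytes={m["bytes"]} ua="{m["ua"]}"'
    return make_event(m["ip"], _utc(ts), m["status"], desc, "access")


# 2. BSD syslog. Type = <PRI>, task ID = emitting process[pid]. The timestamp
#    carries no year, so the caller supplies one (2020 assumed by default).
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<proc>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')


def parse_syslog(line: str, year: int = 2020) -> Optional[dict]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S").replace(year=year)
    task = f'{m["proc"]}[{m["pid"]}]' if m["pid"] else m["proc"]
    return make_event(task, _utc(ts), f'<{m["pri"]}>', f'{m["host"]} {m["msg"]}', "syslog")


# 3. MySQL error log. Type = bracketed level, task ID = thread id.
MYSQL_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) (?P<thread>\d+) '
                      r'\[(?P<level>\w+)\] (?P<msg>.*)$')


def parse_mysql(line: str) -> Optional[dict]:
    m = MYSQL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return make_event(m["thread"], ts, m["level"], m["msg"], "mysql")


# 4. Log4j line in the layout of the page's example. Type = level, task ID = thread name.
LOG4J_RE = re.compile(r'^(?P<ts>\d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2},\d{3}) \d+ '
                      r'\[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$')


def parse_log4j(line: str) -> Optional[dict]:
    m = LOG4J_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S,%f")
    return make_event(m["thread"], _utc(ts), m["level"], f'{m["logger"]} - {m["msg"]}', "log4j")


PARSERS = (parse_access, parse_syslog, parse_mysql, parse_log4j)


def parse_line(line: str) -> Optional[dict]:
    """Try each format in turn; None means no parser recognised the line."""
    for parser in PARSERS:
        event = parser(line)
        if event is not None:
            return event
    return None


def parse_all(lines) -> list:
    # Unrecognised lines are dropped here; a production collector should count or
    # quarantine them so that a parser gap is not mistaken for an absence of events.
    return [ev for ev in map(parse_line, lines) if ev is not None]


# The first four lines are the page's own examples; the last is constructed to
# exercise the no-match path.
SAMPLE_LINES = [
    '13.66.139.0 - - [19/Dec/2020:13:57:26 +0100] "GET /index.php?option=com_phocagallery'
    '&view=category&id=1:almhuette-raith&Itemid=53 HTTP/1.1" 200 32653 "-" '
    '"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" "-"',
    "<30>Oct 9 22:33:20 hlfedora auditd[1787]: The audit daemon is exiting.",
    '2015-12-23T02:25:30.984395Z 2 [ERROR] Could not use /tmp/mysql_query.log for logging '
    '(error 13 - Permission denied). Turning logging off for the server process. To turn it '
    'on again: fix the cause, then either restart the query logging by using '
    '"SET GLOBAL GENERAL_LOG=ON" or restart the MySQL server.',
    "12 Oct 2015 22:23:30,162 45 [main] INFO MyApp - Exiting application.",
    "this line is in no known format",
]

if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev["source"], ev["type"], ev["task_id"], ev["time"].isoformat(), ev["description"][:40])
```

Two points worth checking before using such parsers on real data: the syslog format above has no year and no zone, so time ordering across sources depends entirely on the assumptions made in `parse_syslog` and `_utc`; and format sniffing by "first regex that matches" must be ordered so that a looser pattern cannot claim lines meant for a stricter one.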
The beneficial effect of this embodiment lies in:
The query difficulty is reduced and complex queries and analyses are completed in the simplest language, which solves the high detection threshold of the prior art: detecting suspicious behavior requires analysing multiple data sources, and only aggregate analysis across those sources can determine whether the data is suspicious; otherwise one has to be familiar with the storage platform of each data source and with its query language.
According to any of the embodiments described above, in this embodiment:
the data structure of the structured stored event data set is a B-Tree structure indexed by event type entries.
The event function comprises an event type item to be inquired, which is determined according to the suspicious event data.
The beneficial effect of this embodiment lies in:
The overall storage structure is a B-Tree with the event type field as its index; because each B-Tree node holds many keys, the number of lookups needed per query is reduced as far as possible and query speed is improved.
On the basis of the present embodiment, in a preferred embodiment:
The event function further comprises at least one condition item; a condition item is an event task ID item, an event time item or an event description item to be queried, determined from the suspicious event data.
Multiple condition items are connected by the logical operators AND or OR.
The event function further comprises at least one aggregate analysis item; an aggregate analysis item is a count item (count), a filter item (filter), a time-ordering item (head), an event-type-ordering item (tail) or a match-degree-ordering item (sort);
the count item adds up the number of occurrences of the event type item to be queried in the behavior data query result; the filter item performs a second filtering pass over the behavior data query result; the time-ordering item, the event-type-ordering item and the match-degree-ordering item display the behavior data query result in time order, event-type order and match-degree order respectively.
The aggregate analysis items of this embodiment are illustrated below:
count: counts the number of occurrences of a given event type;
filter timestamp >= "2018-09-09": filters the result a second time, keeping the data from 9 September 2018 onward;
head 5: outputs the first 5 matching records;
tail 10: outputs the 10 most recently occurring records;
sort: displays the result sorted by event type.
This implementation can further improve the efficiency of querying behavior data.
According to any of the embodiments described above, in this embodiment:
As shown in fig. 3, step 104, determining from the behavior data query result that the suspicious event data corresponds to a malicious behavior and executing a preset security operation against that malicious behavior, comprises:
step 1042, determining from the behavior data query result that the suspicious event data corresponds to a malicious behavior;
step 1044, determining a countermeasure against the malicious behavior according to the ATT&CK model;
step 1046, executing the countermeasure as the security operation.
The beneficial effect of this embodiment lies in:
MITRE's ATT&CK framework helps focus defensive strategy on these malicious behaviors. ATT&CK organises adversary techniques and behaviors into a matrix of tactics and techniques, and is therefore well suited to steering the detection process toward behavior-based detection. It provides a comprehensive and powerful adversary behavior model; combined with the searchable, real-time event collection architecture built in this embodiment, which converts traditional data into event and behavior data, network security detection tasks can be carried out more efficiently.
A more complete embodiment will be provided from an overall implementation perspective.
The embodiment mainly comprises three stages, wherein the first stage unifies the format of event data, the second stage converts the data into the event data, and the third stage stores the data according to a preset format, and the detailed process is as follows:
1. the event data is structurally stored, the data format of the event is unified, the event comprises an event type ID, an event type, description, a unique ID for storing the event, a task ID for triggering the event, severity and occurrence time, and data fields required by people can be expanded;
2. ordinary data is converted into event data, and 13.66.139.0- - [19/Dec/2020:13:57:26 +0100 by taking common access log as an example] "GET /index.php
Figure 898001DEST_PATH_IMAGE001
option=com_phocagallery&view=category&id=1:almhuette-raith&Itemid=53 HTTP/1.1" 200 32653 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" "-"
The data structure is: the method comprises the following steps that a user IP, access time, a request mode, an access address, an access state, a transmitted byte number, a last webpage of a current page, an operating system/browser version/browser kernel information and the like can be used for carrying out regular matching conversion on data, and the access state of a focus of interest of a user is taken as an event type;
3. the query for an event needs to match the event type with the condition, so a where key is used to associate the two together, the condition may include and, or, not, compare the data including <, < =, | =, > and in, and support wildcards, for example, query data of the log error event type occurring at a certain time: 500 where time > = 2020-01-01 and time < = 2020-01-02; the overall format can be summarized as: a type where condition;
4. the query may also be a combined query using pipeline symbol | splicing for a plurality of events, the pipeline operation may be a splicing of a plurality of query statements, or may be an aggregation analysis operation for the previous query, for example, the number of times of occurrence of the query network card event: network word true | count; in addition to count, unique, filter, head, tail, sort, etc. may be defined, the keywords any are introduced, and the simplest query any where true is queried;
5. the data as a whole is stored in B-Tree form with the event type field as the index; a B-Tree lets each index node hold more entries, so the number of lookups is reduced as far as possible and queries are faster;
6. a temporary cache may be introduced for statements that are queried frequently; whenever stored data is added or updated, the cache is updated as well, so that the data remains accurate in real time.
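The conversion of steps 1 and 2 above, written out as an added Python example (this is not code from the patent or from the applicant). The regular expression for the access-log layout, the severity mapping and the second, error-status log line are my own assumptions and constructions; the first log line is the one quoted in the embodiment.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample: the access-log line quoted in the embodiment plus one made-up
# error line, so that both a normal and an error access are converted.
SAMPLE_ACCESS_LOG = [
    '13.66.139.0 - - [19/Dec/2020:13:57:26 +0100] "GET /index.php?option=com_phocagallery&view=category&id=1:almhuette-raith&Itemid=53 HTTP/1.1" 200 32653 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" "-"',
    '198.51.100.7 - - [19/Dec/2020:13:58:01 +0100] "POST /admin.php HTTP/1.1" 500 512 "http://example.test/login" "curl/7.68.0" "-"',
]

# Regular expression for the combined access-log format (my own, assumed layout:
# ip ident user [time] "method path proto" status bytes "referer" "user-agent").
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def severity_for_status(status):
    """Assumed severity mapping: server errors high, client errors medium, rest low."""
    if status >= 500:
        return "high"
    if status >= 400:
        return "medium"
    return "low"


def log_line_to_event(line, task_id):
    """Convert one access-log line into the unified event record of step 1.
    The access status is the field of interest, so it becomes the event type.
    Returns None for lines that do not match the format."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    status = int(f["status"])
    when = datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "event_type_id": status,
        "event_type": str(status),
        "description": f'{f["method"]} {f["path"]} from {f["ip"]}',
        "event_id": hashlib.sha256(line.encode()).hexdigest()[:16],  # unique ID of the stored event
        "task_id": task_id,                                          # ID of the collection task
        "severity": severity_for_status(status),
        "time": when.isoformat(),
        # extended fields kept from the log line (step 1 allows adding fields as needed)
        "ip": f["ip"], "method": f["method"], "path": f["path"], "status": status,
        "bytes": 0 if f["bytes"] == "-" else int(f["bytes"]),
        "referer": f["referer"], "agent": f["agent"],
    }


def events_from_log(lines, task_id):
    """Convert a whole log, skipping lines that fail to match."""
    return [ev for ev in (log_line_to_event(l, task_id) for l in lines) if ev]
```

Lines that do not match the expected layout are dropped rather than guessed at, so a malformed or deliberately odd log line cannot produce a half-filled event; in a real collector those rejects should be counted and reviewed, since a parser that silently skips is itself a blind spot.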
The key points of this embodiment are as follows:
1. a field needing special attention is taken as the event type;
2. the grammar is simplified, so that complex queries can be built from simple syntax;
3. for the event-type data, the event type is stored as the index and the whole structure is a B-Tree;
4. a temporary cache is introduced, improving query efficiency;
5. the query form is not limited to event data; data in other formats can be handled in the same way, only the type field needs to be determined.
In this embodiment the model can detect behavior data, ordinary data is converted into behavior data for the model to use, and when the model raises a suspicious alarm, the source can be traced and located quickly with this simple query syntax.
For example, the model raises an alarm for a certain IP in the access log, and all operation behavior of that IP is queried with: any where process id == suspicious IP;
for another example, the model raises an alarm for a certain behavior of certain software in the syslog, and the specific information about that behavior is queried with: <30> where true.
The beneficial effects of this embodiment are as follows:
The structurally stored event data set is queried through an event function to obtain a behavior data query result comprising at least one event data, so that the focus of network security detection shifts from traditional indicators of compromise (IoCs) to behavior: one or more event functions are determined based on the suspicious event data, the structurally stored event data set is searched with these event functions to obtain the (suspicious) behavior corresponding to the suspicious event, and if that behavior is malicious, a preset security operation is executed against it. Through this event- and behavior-based network security detection, on the one hand the brittleness and failure of detection that the traditional IoC scheme shows when faced with unknown attacks are avoided, because the reference for identifying malicious behavior changes from abstract parameters to actual events, which is more intuitive; on the other hand the grammatical complexity and the entry threshold of retrieval are lowered, so that a practitioner does not need to master a complex data structure and query language and only needs to query events and behaviors; in addition, based on the structurally stored event data set, log files from different data sources can be collected and fused, making aggregate analysis across several data sources more efficient and convenient.
The network security detection apparatus based on structured event data search according to the present invention is described below; the apparatus described below and the method described above correspond to each other and may be referred to together.
As shown in fig. 4, the present embodiment provides a network security detection system based on structured event data search, including:
the query module 401 is configured to determine an event function according to the suspicious event data, and to execute a query on the structurally stored event data set based on the event function to obtain a behavior data query result;
the security module 402 is configured to determine, according to the behavior data query result, that the suspicious event data corresponds to a malicious behavior, and to execute a preset security operation against the malicious behavior;
the event function is a query function for locating the corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structurally stored event data set is obtained by extraction from a log file.
The suspicious event data is event data that has been detected by a preset detection model and contains suspicious items; a suspicious item comprises a suspicious IP and/or a suspicious event type.
The query module 401 includes:
the cache module is used to determine that the event function belongs to a cached event function set, and to call the cache data according to the event function to obtain the behavior data query result;
the cache data comprises the behavior data query results of the event functions in the cached event function set.
The system further comprises:
the cache updating module is used to determine that the structurally stored event data set has been updated, and to update the cache data correspondingly.
The event data in the structured stored event data set comprises an event task ID item, an event time item, an event type item and an event description item.
The event task ID item, the event time item, the event type item and the event description item are obtained by extracting a log file, wherein the log file comprises any one or any combination of a system log, a database log and a program log.
The data structure of the structured stored event data set is a B-Tree structure indexed by event type entries.
The event function comprises an event type item to be queried, which is determined according to the suspicious event data.
The event function further comprises at least one condition item; a condition item comprises an event task ID item, an event time item or an event description item to be queried, determined according to the suspicious event data.
Several condition items are connected by the logical operators AND or OR.
The event function further comprises at least one aggregation analysis item; an aggregation analysis item comprises a counting item, a filtering item, a time ordering item, an event type ordering item or a matching degree ordering item;
the counting item counts the occurrences of the event type item to be queried in the behavior data query result; the filtering item performs a second filtering on the behavior data query result; the time ordering, event type ordering and matching degree ordering items display the behavior data query result in order of time, event type and matching degree respectively.
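The event-function items described just above, together with the query syntax of steps 3, 4 and 6 of the embodiment (type where condition, pipelines with count, filter and sort, and the refreshed cache) and the two trace queries given as examples there, as one added Python example. This is not the patent's or the applicant's code: the exact grammar details (and binds tighter than or, no parentheses, the in operator takes a comma-separated list, the * wildcard applies to ==), the sample events and the use of a plain dict keyed by event type in place of the B-Tree index are all assumptions made here.

```python
import fnmatch
import operator

# Constructed sample event set in the page's structured format (values made up here).
EVENTS = [
    {"event_type": "200", "task_id": "t1", "time": "2020-12-19T13:57:26+01:00", "ip": "13.66.139.0", "description": "GET /index.php"},
    {"event_type": "500", "task_id": "t1", "time": "2020-01-01T10:00:00+01:00", "ip": "198.51.100.7", "description": "POST /admin.php"},
    {"event_type": "500", "task_id": "t2", "time": "2020-01-01T11:30:00+01:00", "ip": "198.51.100.7", "description": "POST /upload.php"},
    {"event_type": "500", "task_id": "t2", "time": "2020-03-04T08:00:00+01:00", "ip": "203.0.113.9", "description": "GET /index.php"},
    {"event_type": "<30>", "task_id": "t3", "time": "2020-01-01T12:00:00+01:00", "ip": "203.0.113.9", "description": "sshd: session opened"},
]

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge}


def _compare(field, op, value):
    """Predicate for one 'field op value' term; a '*' in the value means wildcard match."""
    def pred(ev):
        actual = ev.get(field)
        if actual is None:
            return False
        if op == "in":                                 # membership in a comma-separated list
            return str(actual) in value.split(",")
        if op == "==" and "*" in value:
            return fnmatch.fnmatchcase(str(actual), value)
        try:                                           # numeric when both sides are ints,
            return OPS[op](int(actual), int(value))    # otherwise lexical (ISO times order correctly)
        except ValueError:
            return OPS[op](str(actual), value)
    return pred


def compile_condition(text):
    """Condition grammar (assumed, no parentheses): terms joined by 'and' bind tighter
    than 'or'; a term is ['not'] field op value, or the literal true."""
    def term(t):
        words = t.split()
        negate = bool(words) and words[0] == "not"
        words = words[1:] if negate else words
        if words == ["true"]:
            pred = lambda ev: True
        elif len(words) == 3 and (words[1] in OPS or words[1] == "in"):
            pred = _compare(*words)
        else:
            raise ValueError(f"bad term {t!r}")
        return (lambda ev: not pred(ev)) if negate else pred
    text = " ".join(text.split())
    clauses = [[term(t) for t in c.split(" and ")] for c in text.split(" or ")]
    return lambda ev: any(all(p(ev) for p in conj) for conj in clauses)


def _apply_stage(rows, stage):
    """Aggregation stage after '|': count, filter <condition>, sort <field>, unique <field>."""
    op, _, arg = stage.partition(" ")
    if op == "count":
        return len(rows)
    if op == "filter":
        return [r for r in rows if compile_condition(arg)(r)]
    if op == "sort":
        return sorted(rows, key=lambda r: str(r.get(arg, "")))
    if op == "unique":
        return sorted({str(r.get(arg)) for r in rows})
    raise ValueError(f"unknown pipeline operation {op!r}")


class EventStore:
    """Events indexed by event type (a dict stands in for the page's B-Tree); results
    are cached per statement and recomputed whenever a new event is stored (step 6)."""
    def __init__(self, events=()):
        self.by_type, self.cache = {}, {}
        for ev in events:
            self.add(ev)

    def add(self, event):
        self.by_type.setdefault(event["event_type"], []).append(event)
        for q in list(self.cache):              # keep cached results accurate after a write
            self.cache[q] = self._run(q)

    def query(self, text):
        if text not in self.cache:
            self.cache[text] = self._run(text)
        return self.cache[text]

    def _run(self, text):
        stages = [s.strip() for s in text.split("|")]
        event_type, sep, cond = stages[0].partition(" where ")
        if not sep:
            raise ValueError("query must have the form '<type> where <condition>'")
        rows = ([ev for evs in self.by_type.values() for ev in evs] if event_type == "any"
                else list(self.by_type.get(event_type, [])))
        result = [r for r in rows if compile_condition(cond)(r)]
        for stage in stages[1:]:
            result = _apply_stage(result, stage)
        return result
```

With this store, the page's own examples run as written: 500 where time >= 2020-01-01 and time <= 2020-01-02 | count, <30> where true, and any where ip == 198.51.100.7 for tracing every event of one suspicious address. Because the type prefix selects an index bucket before the condition is evaluated, the any keyword is the only query that scans everything, which is the cost the B-Tree-by-type layout is designed to avoid.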
The security module 402 comprises:
a countermeasure module, used to determine a countermeasure against the malicious behavior according to the ATT&CK model;
and an execution module, used to take the countermeasure as the security operation and execute it.
Fig. 5 illustrates a physical structure diagram of an electronic device, which may include, as shown in fig. 5: a processor (processor)510, a communication Interface (Communications Interface)520, a memory (memory)530 and a communication bus 540, wherein the processor 510, the communication Interface 520 and the memory 530 communicate with each other via the communication bus 540. Processor 510 may invoke logic instructions in memory 530 to perform a method for network security detection based on structured event data search, the method comprising: determining an event function according to suspicious event data, and executing query on a structurally stored event data set based on the event function to obtain a behavior data query result; determining that the suspicious event data corresponds to a malicious behavior according to the behavior data query result, and executing preset safety operation aiming at the malicious behavior; the event function is a query function for positioning corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structured stored event data set is obtained by extracting a log file.
Furthermore, the logic instructions in the memory 530 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention further provides a computer program product, where the computer program product includes a computer program, the computer program can be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, a computer can execute the network security detection method based on structured event data search provided by the above methods, and the method includes: determining an event function according to suspicious event data, and executing query on a structurally stored event data set based on the event function to obtain a behavior data query result; determining that the suspicious event data corresponds to a malicious behavior according to the behavior data query result, and executing preset safety operation aiming at the malicious behavior; the event function is a query function for positioning corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structured stored event data set is obtained by extracting a log file.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium, on which a computer program is stored, the computer program being implemented by a processor to execute the method for detecting network security based on structured event data search provided by the above methods, the method including: determining an event function according to suspicious event data, and executing query on a structurally stored event data set based on the event function to obtain a behavior data query result; determining that the suspicious event data corresponds to a malicious behavior according to the behavior data query result, and executing preset safety operation aiming at the malicious behavior; the event function is a query function for positioning corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structured stored event data set is obtained by extracting a log file.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A network security detection method based on structured event data search is characterized by comprising the following steps:
determining an event function according to suspicious event data, and executing query on a structurally stored event data set based on the event function to obtain a behavior data query result;
determining that the suspicious event data corresponds to a malicious behavior according to the behavior data query result, and executing preset safety operation aiming at the malicious behavior;
the event function is a query function for positioning corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structured stored event data set is obtained by extracting a log file.
2. The network security detection method based on structured event data search according to claim 1, wherein the suspicious event data is event data detected by a preset detection model and including suspicious items; the suspicious item comprises a suspicious IP and/or a suspicious event type;
the step of executing a preset security operation for the malicious behavior comprises:
determining antagonistic behavior against the malicious behavior according to an ATT & CK model;
the countermeasure is taken as a security operation and executed.
3. The method for detecting network security based on structured event data search of claim 1, wherein the step of performing query on the structured stored event data set based on the event function to obtain the query result of the behavior data comprises:
if the event function is determined to belong to a cache event function set, calling cache data according to the event function to obtain a behavior data query result;
the cache data comprises the behavior data query result of the event function in the cache event function set.
4. The method for detecting network security based on structured event data search of claim 1, further comprising:
and if the event data set stored in the structured mode is determined to be updated, the cache data is correspondingly updated.
5. The network security detection method based on structured event data search is characterized in that the event data in the structured stored event data set comprises an event task ID item, an event time item, an event type item and an event description item;
the event task ID item, the event time item, the event type item and the event description item are obtained by extracting a log file, wherein the log file comprises any one or any combination of a system log, a database log and a program log.
6. The method according to claim 5, wherein the data structure of the structured event data set is a B-Tree structure indexed by event type item.
7. The network security detection method based on structured event data search of claim 7, wherein the event function comprises an event type item to be queried, which is determined according to the suspicious event data;
the event function further comprises at least one condition term; the condition item comprises an event task ID item, an event time item or an event description item to be inquired, which is determined according to the suspicious event data;
a plurality of condition items are connected through AND or logical signs;
the event function further comprises at least one aggregate analysis term; the aggregation analysis item comprises a counting item, a filtering item, a time arrangement item, an event type arrangement item or a matching degree arrangement item;
the counting item is used for adding the occurrence times of the event type item to be queried in the behavior data query result; the filter item is used for carrying out secondary filtering on the basis of the behavior data query result; the time arrangement item, the event type arrangement item and the matching degree arrangement item are respectively used for displaying the behavior data query result in a time sequence, an event type sequence and a matching degree sequence.
8. A network security detection system based on structured event data search, comprising:
the query module is used for determining an event function according to suspicious event data and executing query on the event data set stored in a structured manner based on the event function to obtain a behavior data query result;
the safety module is used for determining that the suspicious event data corresponds to a malicious behavior according to the behavior data query result, and executing preset safety operation aiming at the malicious behavior;
the event function is a query function for positioning corresponding behavior data according to the suspicious event data; the behavior data comprises at least one event data; the structured stored event data set is obtained by extracting a log file.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method for detecting network security based on structured event data search according to any one of claims 1 to 12 when executing the program.
10. A non-transitory computer readable storage medium, on which a computer program is stored, wherein the computer program, when being executed by a processor, implements the steps of the network security detection method based on structured event data search according to any one of claims 1 to 12.
CN202210174679.0A 2022-02-25 2022-02-25 Network security detection method and system based on structured event data search Pending CN114244634A (en)
Publications (1)

Publication Number Publication Date
CN114244634A true CN114244634A (en) 2022-03-25

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120284221A1 (en) * 2009-11-17 2012-11-08 Jerome Naifeh Methods and apparatus for analyzing system events
US20160034525A1 (en) * 2014-07-31 2016-02-04 Splunk Inc. Generation of a search query to approximate replication of a cluster of events

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220325