CN115225386A - Business identification and risk analysis method and system based on event sequence correlation fusion (Google Patents)

Info

Publication number: CN115225386A
Application number: CN202210858081.3A
Authority: CN (China)
Prior art keywords: alarm, event, risk, abnormal, identification
Legal status: Granted; active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN115225386B (en)
Inventors: 朱誉, 向丽玲, 杨银国, 于珍, 伍双喜, 陆秋瑜, 秦颖婕, 骆晓明, 华威, 杨璧瑜, 徐子森, 刘杨
Current assignee: Guangdong Power Grid Co Ltd; Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Original assignee: Guangdong Power Grid Co Ltd; Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd
Events: application filed by Guangdong Power Grid Co Ltd and Electric Power Dispatch Control Center of Guangdong Power Grid Co Ltd; priority to CN202210858081.3A; publication of CN115225386A; application granted; publication of CN115225386B

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/00 > H04L63/14 > H04L63/1408, as above)
    • H04L63/1433 Vulnerability analysis (under H04L63/00 > H04L63/14)

Abstract

The invention provides a service identification and risk analysis method and system based on event sequence correlation fusion. The method comprises the following steps: collecting network alarm log data of a preset duration, and constructing a corresponding event sequence pattern library from the network alarm log data; constructing statistical characteristic quantities from the alarm event sequences of the same community pattern in the event sequence pattern library, and performing abnormal interval detection on the statistical characteristic quantities to obtain an abnormal interval detection result; and performing service identification and risk analysis according to the abnormal interval detection result and a preset event characteristic identification detection standard to obtain a corresponding identification analysis result, and updating the identification analysis result into a pre-established risk event knowledge base. The method and system realize effective correlation analysis of the mass alarm log data of the industrial internet: they can efficiently identify business risks and make the overall alarm security situation easier to grasp, and they also support reliable and effective risk assessment and source tracing of high-risk alarms, improving the application value of the supervision system.

Description

Business identification and risk analysis method and system based on event sequence correlation fusion
Technical Field
The invention relates to the technical field of industrial internet network security, in particular to a service identification and risk analysis method, a system, computer equipment and a storage medium based on event sequence correlation fusion.
Background
In recent years, with the vigorous development of industrial internet information systems, a large number of information service systems and cloud infrastructure are widely deployed, so that the normal operation of the industrial internet is supported, the intelligent, informatization and automation levels of the industrial internet are continuously improved, the real-time performance of industrial internet production control decisions is greatly improved, and the production capacity of the industrial internet is improved. Meanwhile, network security risks faced by an information side are increasingly highlighted, and risks such as protocol vulnerability, weak edge equipment security protection capability, frequent information system loopholes and the like pose great threats to information protection and security production of the industrial internet.
In order to meet the serious challenge posed by network security problems, the industrial internet deploys a large number of security protection facilities and traffic monitoring devices, such as intrusion detection systems, intrusion prevention systems, web application protection systems, application-layer traffic cleaning and honeypots, on the information side and in the intranet area, and monitors and analyzes in real time the operation behaviors of internal users and servers and the external request data. Security analysts can combine the alarms of the monitoring devices with expert knowledge to assess, judge and respond to network security events quickly and effectively. However, as the network protection boundary of the industrial internet keeps expanding and the alarm protection rule system keeps growing, the number of network alarms tends to rise exponentially, false alarms become increasingly prominent, and security analysts face great alarm analysis pressure and disposal burden. In addition, the existing network alarm monitoring and analysis systems mainly analyze and process single alarms, and mainly provide overall security situation awareness, real-time alarm pushing and monitoring, key equipment asset mapping, automatic early warning of high-risk attacks, and the like.
Disclosure of Invention
The invention aims to provide a service identification and risk analysis method based on event sequence correlation fusion. The method extracts and constructs alarm event sequences of increasing risk level from massive network alarm log data, derives statistical characteristic quantities from the number of event sequences and the change in alarm types, and applies an abnormal interval detection mechanism to these quantities, followed by correlation fusion analysis, to identify typical conventional service events and potential high-risk events among the mass of alarms. This effectively remedies the technical defects above: typical conventional services are filtered out, alarm risks are investigated, the overall alarm security situation becomes easier to grasp, and security analysts are assisted in reliable and effective risk assessment, judgment and traceability analysis of high-risk alarms.
In order to achieve the above objects, it is necessary to provide a service identification and risk analysis method, system, computer device and storage medium based on event sequence association fusion.
In a first aspect, an embodiment of the present invention provides a service identification and risk analysis method based on event sequence association fusion, where the method includes the following steps:
collecting network alarm log data with preset duration, and constructing a corresponding event sequence pattern library according to the network alarm log data; the network alarm log data is multi-source heterogeneous alarm log data; the event sequence pattern library comprises alarm event sequences of a plurality of different community patterns;
constructing statistical characteristic quantity according to the alarm event sequences of the same community mode in the event sequence mode library, and carrying out abnormal interval detection on the statistical characteristic quantity to obtain an abnormal interval detection result; the statistical characteristic quantity comprises an incremental event sequence quantity and an alarm type quantity; the abnormal interval detection result comprises an abnormal interval range of each statistical characteristic quantity;
performing service identification and risk analysis according to the abnormal interval detection result and a preset event characteristic identification detection standard to obtain a corresponding identification analysis result, and updating the identification analysis result to a pre-established risk event knowledge base; the risk event repository includes typical regular business events, low risk alarm events, external abnormal IP events, and potentially high risk events.
Further, the step of constructing a corresponding event sequence pattern library according to the network alarm log data includes:
normalizing the network alarm log data to obtain alarm log characteristic quantity; the alarm log characteristic quantity comprises alarm occurrence time, a source IP address, a destination IP address, an alarm type, description information and a threat level;
determining the time interval of the alarm event sequence according to the distribution condition of the alarm log characteristic quantity and the duration of the real attack event;
merging the alarm log characteristic quantities of each time interval in the preset duration according to the same community principle to form a single-center type alarm community, and extracting the community mode of each single-center type alarm community; the same community principle is that the source IP addresses are the same or the destination IP addresses are the same;
extracting alarm event sequences meeting preset conditions in each time interval according to each community mode and alarm log characteristic quantity, and constructing an event sequence mode library according to the alarm event sequences of each community mode in each time interval in preset duration; the preset conditions are that the time sequence exists and the alarm risk level is increased; the alarm event sequence comprises a time interval, a source IP address, a destination IP address, an alarm type sequence, a threat level sequence and a repetition time sequence.
Further, the step of extracting the alarm event sequence satisfying the preset condition in each time interval according to each community mode and the alarm log characteristic quantity includes:
sorting the alarm log characteristic quantities of the alarm events in each alarm community by alarm occurrence time, and for each alarm event in turn: if the current alarm event sequence is empty, or the threat level of the current alarm event is not lower than that of the previous alarm event, appending the current alarm event to the current alarm event sequence; otherwise closing that sequence and starting a new alarm event sequence with the current alarm event.
Further, the step of performing abnormal interval detection on the statistical characteristic quantity to obtain an abnormal interval detection result includes:
determining an abnormal point threshold by statistical analysis and the 3 sigma principle, and performing anomaly detection on the statistical characteristic quantity with a double-threshold endpoint detection mechanism using that threshold, to obtain the abnormal interval detection result; the outlier threshold comprises a high energy threshold and a low energy threshold, expressed respectively as:
MH = mean + k * std
ML = mean + l * std
where MH and ML denote the high energy threshold and the low energy threshold respectively; mean and std denote the mean and standard deviation of the statistical characteristic quantity (their defining formulas, and the symbol for the ith statistical characteristic quantity, appear only as formula images in the original); n denotes the number of statistical characteristic quantities; and k and l denote the multiples of the standard deviation used in the high and low energy thresholds respectively.
Further, the step of performing anomaly detection on the statistical characteristic quantity by using a double-threshold method endpoint detection mechanism according to the anomaly threshold value to obtain the detection result of the anomaly interval includes:
carrying out primary global abnormal point detection on the statistical characteristic quantity by adopting the high-energy threshold value to obtain abnormal point moments when all sequence values exceed the high-energy threshold value, and determining a corresponding high-threshold value interval;
and carrying out secondary interval detection on the high threshold interval by adopting a low energy threshold to obtain the detection result of the abnormal interval.
Further, the preset event feature identification detection standard comprises a first, second, third and fourth type of event identification detection standard: the first type is that neither the number of increasing event sequences nor the number of alarm types is abnormal; the second type is that the number of increasing event sequences changes suddenly while the number of alarm types is not abnormal; the third type is that the number of increasing sequences and the number of alarm types are abnormal at the same time; and the fourth type is that the number of increasing sequences is not abnormal while the number of alarm types is abnormal;
the step of performing service identification and risk analysis according to the abnormal interval detection result and the preset event characteristic identification detection standard to obtain a corresponding analysis identification result comprises the following steps:
searching a pre-established risk event knowledge base according to the abnormal interval detection result; if a matching entry is found, taking the corresponding event type in the risk event knowledge base as the analysis and identification result, otherwise judging whether the abnormal interval detection result meets the first type of event identification detection standard;
if the abnormal interval detection result meets the first-class event identification detection standard, judging that the corresponding alarm event sequence is a typical conventional service event and updating the typical conventional service event sequence to a risk event knowledge base, otherwise, judging whether the abnormal interval detection result meets the second-class event identification detection standard or not;
if the abnormal interval detection result meets the second type of event identification detection standard and the central IP is important asset equipment or safety audit equipment, judging that the corresponding alarm event sequence is a low-risk alarm event and updating the low-risk alarm event sequence to a risk event knowledge base, otherwise, judging whether the abnormal interval detection result meets a third type of event identification detection standard or not;
if the abnormal interval detection result meets the third type of event identification detection standard, judging whether the central IP of the corresponding alarm event sequence is a forbidden external IP or an internal safety inspection device, if so, judging that the corresponding alarm event sequence is a non-abnormal event, otherwise, determining that the corresponding abnormal interval range is a high-risk interval, and judging that the corresponding alarm event sequence is a high-risk event;
if the abnormal interval detection result does not meet the third type of event identification detection standard, judging whether the abnormal interval detection result meets the fourth type of event identification detection standard, if so, determining that the corresponding abnormal interval range is a potential risk interval, and judging that the corresponding alarm event sequence is a potential high-risk event;
and constructing a corresponding alarm type association diagram according to the alarm event sequences of the high-risk interval and the potential risk interval, comprehensively analyzing to obtain a corresponding threat level according to the alarm type association diagram, and updating to a risk event knowledge base.
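The double-threshold detection steps and the four event identification detection standards above, as an added Python illustration that is not the patent's own code. It assumes one value per time interval for each statistic; the two sample series and the multiples k = 3 and l = 1.5 are constructed, and the knowledge-base lookup, central-IP checks and association graph are left out.

```python
"""Double-threshold abnormal interval detection plus the four identification standards.

Added illustration, not the patent's own code. The per-interval series below
are constructed by hand: 24 intervals of quiet activity with a few bursts.
"""
import statistics

# Constructed statistics for one community pattern, one value per time interval.
SEQ_COUNTS = [2, 3] * 10 + [6, 15, 30, 8]                        # number of increasing event sequences
TYPE_COUNTS = [1, 2, 1, 2, 1, 12] + [1, 2] * 7 + [1, 2, 12, 1]   # number of alarm types


def thresholds(values, k=3.0, l=1.5):
    """MH = mean + k*std and ML = mean + l*std, with the population std of the series."""
    mean = statistics.fmean(values)
    std = statistics.pstdev(values)
    return mean + k * std, mean + l * std


def detect_abnormal_intervals(values, k=3.0, l=1.5):
    """Return inclusive (start, end) index pairs of abnormal intervals.

    Stage 1 (global abnormal point detection): every index whose value exceeds
    MH is an abnormal point; consecutive abnormal points form a high-threshold
    interval.
    Stage 2 (secondary interval detection): each high-threshold interval is
    widened on both sides while the neighbouring values still exceed ML, so the
    ramp-up and tail of a burst join the abnormal interval.
    """
    mh, ml = thresholds(values, k, l)
    n = len(values)
    intervals = []
    i = 0
    while i < n:
        if values[i] <= mh:
            i += 1
            continue
        start = end = i
        while end + 1 < n and values[end + 1] > mh:   # stage 1: run above MH
            end += 1
        while start > 0 and values[start - 1] > ml:   # stage 2: extend left above ML
            start -= 1
        while end + 1 < n and values[end + 1] > ml:   # stage 2: extend right above ML
            end += 1
        intervals.append((start, end))
        i = end + 1
    return intervals


def classify_windows(seq_intervals, type_intervals, n):
    """Map each of the n intervals to one of the four identification standards.

    1: neither statistic abnormal (typical conventional service event)
    2: sequence count abnormal, alarm type count normal (low-risk alarm candidate)
    3: both abnormal (high-risk interval candidate)
    4: sequence count normal, alarm type count abnormal (potential risk interval)
    """
    seq_abnormal = {w for s, e in seq_intervals for w in range(s, e + 1)}
    type_abnormal = {w for s, e in type_intervals for w in range(s, e + 1)}
    labels = {}
    for w in range(n):
        a, b = w in seq_abnormal, w in type_abnormal
        if not a and not b:
            labels[w] = 1
        elif a and not b:
            labels[w] = 2
        elif a and b:
            labels[w] = 3
        else:
            labels[w] = 4
    return labels


def analyse(seq_counts=SEQ_COUNTS, type_counts=TYPE_COUNTS, k=3.0, l=1.5):
    """Run both detections and classify every interval; returns (seq_iv, type_iv, labels)."""
    seq_iv = detect_abnormal_intervals(seq_counts, k, l)
    type_iv = detect_abnormal_intervals(type_counts, k, l)
    return seq_iv, type_iv, classify_windows(seq_iv, type_iv, len(seq_counts))


if __name__ == "__main__":
    seq_iv, type_iv, labels = analyse()
    print("abnormal intervals of the sequence count:", seq_iv)
    print("abnormal intervals of the alarm type count:", type_iv)
    print("interval types:", labels)
```

Lowering l widens the interval found in the first stage: with l = 0.5 the tail value 8 of the sample burst is pulled into the abnormal interval, with l = 1.5 it is not.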
Further, the step of constructing a corresponding alarm type association graph according to the alarm event sequences of the high risk interval and the potential risk interval respectively comprises:
and taking the alarm type of each alarm event sequence as a node, determining a node label according to the alarm description information and the alarm threat level, determining a directed edge according to the time sequence between the alarm types and the association relationship of the increasing threat level, and constructing to obtain the alarm type association graph.
In a second aspect, an embodiment of the present invention provides a service identification and risk analysis system based on event sequence association fusion, where the system includes:
the mode construction module is used for collecting network alarm log data with preset duration and constructing a corresponding event sequence mode library according to the network alarm log data; the network alarm log data is multi-source heterogeneous alarm log data; the event sequence pattern library comprises alarm event sequences of a plurality of different community patterns;
the abnormal detection module is used for constructing statistical characteristic quantity according to the alarm event sequences of the same community mode in the event sequence mode library and carrying out abnormal interval detection on the statistical characteristic quantity to obtain an abnormal interval detection result; the statistical characteristic quantity comprises an incremental event sequence quantity and an alarm type quantity; the abnormal interval detection result comprises abnormal interval ranges of all the statistical characteristic quantities;
the risk identification module is used for carrying out service identification and risk analysis according to the abnormal interval detection result and the preset event characteristic identification detection standard to obtain a corresponding identification analysis result, and updating the identification analysis result to a pre-established risk event knowledge base; the risk event repository includes typical regular business events, low risk alarm events, external abnormal IP events, and potentially high risk events.
In a third aspect, an embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method when executing the computer program.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the above method.
The application provides a service identification and risk analysis method, system, computer device and storage medium based on event sequence correlation fusion. The technical scheme is as follows: multi-source heterogeneous network alarm log data of a preset duration are collected; an event sequence pattern library comprising alarm event sequences of a plurality of different community patterns is constructed from the data; statistical characteristic quantities, namely the number of increasing event sequences and the number of alarm types, are constructed from the alarm event sequences of the same community pattern in the library; abnormal interval detection is performed on these quantities with a double-threshold endpoint detection mechanism to obtain an abnormal interval detection result; service identification and risk analysis are then performed according to that result and a preset event characteristic identification detection standard, so that typical conventional service events, low-risk alarm events and potential high-risk events are identified; and the identification and analysis result is updated into a pre-established risk event knowledge base.
Compared with the prior art, the business identification and risk analysis method based on event sequence correlation fusion rests on a spatio-temporal fusion correlation analysis of event sequences. The alarm log information collected by the large number of heterogeneous network security devices deployed on the information side of the industrial internet is normalized, the high-level semantic information reflecting potential attack behaviors is extracted to construct an event sequence pattern library, and several time-series characteristic analysis methods together with the spatial correlation relations between alarm types are applied to identify typical conventional business events and potential security risks. This effectively overcomes the weak correlation analysis capability of existing alarm monitoring systems: the hidden correlations among historical alarm events are mined and analyzed more intuitively and comprehensively by event sequence correlation analysis instead of the traditional single-alarm analysis, the overall alarm security situation can be grasped, and the problems that high-risk events are easily missed and traceability analysis is incomplete are effectively solved. The establishment and updating of the risk event knowledge base reduces the workload of offline re-analysis of duplicate alarm events, improves working efficiency, and further raises the application value of the alarm monitoring management system for the safe operation of the industrial internet.
Drawings
Fig. 1 is a schematic view of an application scenario of the service identification and risk analysis method based on event sequence association fusion in an embodiment of the present invention;
Fig. 2 is a schematic flow chart of the service identification and risk analysis method based on event sequence association fusion according to an embodiment of the present invention;
Fig. 3(a) and 3(b) respectively show abnormal interval detection of the number of increasing sequences and of the number of alarm types in an embodiment of the present invention;
Fig. 4(a) and 4(b) respectively show the change in the number of increasing sequences and in the number of alarm types for an alarm event sequence satisfying the first type of event identification detection standard in an embodiment of the present invention;
Fig. 5(a) and 5(b) respectively show the change in the number of increasing sequences and in the number of alarm types for an alarm event sequence satisfying the second type of event identification detection standard in an embodiment of the present invention;
Fig. 6(a) and 6(b) respectively show the change in the number of increasing sequences and in the number of alarm types for an alarm event sequence satisfying the third type of event identification detection standard in an embodiment of the present invention;
Fig. 7(a) and 7(b) respectively show the change in the number of increasing sequences and in the number of alarm types for an alarm event sequence satisfying the fourth type of event identification detection standard in an embodiment of the present invention;
Fig. 8(a) and 8(b) respectively show the alarm type association graphs of the abnormal intervals with central IPs 212.101.31.212 and 196.187.197.130 in an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of the business identification and risk analysis system based on event sequence association fusion according to an embodiment of the present invention;
Fig. 10 is an internal structural view of a computer device in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments, and it is obvious that the embodiments described below are part of the embodiments of the present invention, and are only used for illustrating the present invention, but not for limiting the scope of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The service identification and risk analysis method based on event sequence association fusion provided by the invention can be applied to the terminal or the server shown in Fig. 1. The terminal can be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer or portable wearable device, and the server can be an independent server or a server cluster formed by a plurality of servers. The server collects mass network alarm log data and, following the method provided by the invention, extracts and constructs alarm event sequences of increasing risk level, derives statistical characteristic quantities from the number of event sequences and the change in alarm types, performs abnormal interval detection and correlation fusion analysis on these quantities with an abnormal interval detection mechanism to identify typical conventional service events, low-risk alarm events and potential high-risk events among the mass alarms, updates the risk event knowledge base used for subsequent alarm risk assessment according to the identification and analysis result, and sends that result to the terminal for viewing and use. The following embodiments describe the service identification and risk analysis method based on event sequence association fusion in detail.
In one embodiment, as shown in fig. 2, a service identification and risk analysis method based on event sequence association fusion is provided, which includes the following steps:
s11, collecting network alarm log data with preset duration, and constructing a corresponding event sequence mode library according to the network alarm log data; the network alarm log data is multi-source heterogeneous alarm log data; the event sequence pattern library comprises alarm event sequences of a plurality of different community patterns;
the method comprises the steps that preset duration and collection channels of network alarm log data can be set according to actual application requirements, for example, collected monthly alarm data of desensitization treatment of related IP addresses of monitoring equipment of different manufacturers in an alarm log historical database at an information side of a certain power company has the characteristics of diversified formats and alarm isomerism, alarm event sequences with a sequence existing in time and increasing alarm risk levels are extracted after normalization treatment is carried out, and a corresponding event sequence mode library is generated; specifically, the step of constructing a corresponding event sequence pattern library according to the network alarm log data includes:
normalizing the network alarm log data to obtain alarm log characteristic quantities; the alarm log characteristic quantity comprises alarm occurrence time, source IP address, destination IP address, alarm type, description information and threat level; normalization can be understood as parsing each type of network alarm log data according to its own data format and extracting the alarm log characteristic quantities shown in Table 1;
TABLE 1 Alarm log characteristic quantity example

Time of occurrence  | Source IP      | Destination IP | Type of alarm           | Description information       | Threat level
2011-11-01 09:51:00 | 20.203.51.128  | 212.101.31.204 | Critical event auditing | Behavior monitoring           | Low risk
2011-11-01 09:57:14 | 196.187.197.90 | 212.101.31.204 | Host exploit            | Application design deficiency | Middle-risk
2011-11-01 09:57:49 | 20.101.6.191   | 212.101.31.204 | Middleware bugs         | Struts2 vulnerabilities       | High risk
determining the time interval of the alarm event sequence according to the distribution of the alarm log characteristic quantity and the duration of real attack events; for example, if the duration of known real attacks has historically been less than 30 minutes and the overall alarm distribution is about three thousand alarms per hour, the length of the time interval used for event sequence pattern extraction can be set to 30 minutes. That is, the interval length is set reasonably in a specific application according to the distribution of the alarm log characteristic quantity and the duration of historical real attack events, and the length given here is only an example;
merging the alarm log characteristic quantities of each time interval within the preset duration according to the same-community principle to form single-center alarm communities, and extracting the community pattern of each single-center alarm community; the same-community principle is that the source IP addresses are the same or the destination IP addresses are the same. For example, the community pattern structure to which the three alarm log characteristic quantities in Table 1 belong is <*, 212.101.31.204>, that is, the community of all alarms whose destination IP address is 212.101.31.204. Based on the community pattern structure of each alarm log characteristic quantity, the corresponding alarm information is converted into the alarm events shown in Table 2, and the corresponding alarm event sequence is generated through the following steps;
table 2 three example alarm events that construct a sequence of alarm events
timeStamp sip Dip (unreal IP) category severity
2011-11-0109:51:00 * 212.101.31.204 Audit of key events (behavior monitoring) Low risk
2011-11-0109:57:14 * 212.101.31.204 Host computer leak utilization (application design defect) Middle-risk
2011-11-0109:57:49 * 212.101.31.204 Middleware leak (Struts 2 leak) High risk
extracting the alarm event sequences meeting preset conditions in each time interval according to each community pattern and the alarm log characteristic quantities, and constructing an event sequence pattern library from the alarm event sequences of each community pattern in each time interval of the preset duration; the preset conditions are that a time order exists and the alarm risk level increases; an alarm event sequence comprises a time interval, a source IP address, a destination IP address, an alarm type sequence, a threat level sequence and a repetition frequency sequence; the alarm event sequence can be understood as a time series Event_seq built from the alarm events according to their chronological order and the increasing relationship of their threat levels, with the following structure:
Event_seq = (timeSpan, sip, dip, category_seq, severity_seq)
where timeSpan is the time interval, category_seq is the alarm type sequence, and severity_seq is the threat level sequence;
specifically, the step of extracting the alarm event sequence meeting the preset condition in each time interval according to each community mode and the alarm log characteristic quantity includes:
sorting the alarm log characteristic quantities of the alarm events in each alarm community by alarm occurrence time, and judging whether the current alarm event sequence is empty or whether the threat level of the current alarm event is not lower than that of the previous alarm event; if so, adding the current alarm event to the current alarm event sequence, otherwise constructing a new alarm event sequence;
the construction of an alarm event sequence is illustrated with the three alarm events listed in table 2: all three events satisfy the same pattern structure <*, 212.101.31.204>, their occurrence times are in order, and their threat levels increase, so they form the alarm event sequence Event_seq = <timeSpan, *, 212.101.31.204, key event audit (behavior monitoring)-host vulnerability exploitation (application design defect)-middleware vulnerability (Struts2 vulnerability), low risk-medium risk-high risk>. In practical application, with 30 minutes as the time interval, the four alarm event sequences with pattern structure <*, 212.101.31.208> in a certain time interval shown in table 3 can be obtained; the number of incremental sequences in the interval of 2011-11-01 00;
Table 3: Four alarm event sequences of pattern structure <*, 212.101.31.208> in a certain time interval

| timeSpan            | sip | dip            | category_seq                                    | severity_seq |
|---------------------|-----|----------------|-------------------------------------------------|--------------|
| 2011-11-01 01:00:00 | *   | 212.101.31.208 | Suspicious scanning behavior                    | 2            |
| 2011-11-01 01:00:00 | *   | 212.101.31.208 | Information leakage-suspicious scanning behavior | 1-2         |
| 2011-11-01 01:00:00 | *   | 212.101.31.208 | Information leakage-suspicious scanning behavior | 1-2         |
| 2011-11-01 01:00:00 | *   | 212.101.31.208 | Information leakage-suspicious scanning behavior | 1-2         |
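The community grouping and sequence-splitting rule described above, written out as an added example (not code from the patent): alarms are floored into 30-minute intervals, grouped into single-center communities on the destination IP, sorted by time, and cut into a new sequence whenever the threat level drops. The CSV record format, the integer mapping low/medium/high to 1/2/3 and the sample rows (modelled on tables 1 to 3) are constructed here; the per-interval counts returned by `interval_statistics` are the two statistical characteristic quantities used in the next step.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed integer encoding of threat levels; the method only states that larger means more severe.
SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Alarm:
    ts: datetime
    sip: str
    dip: str
    category: str
    severity: int


@dataclass
class EventSeq:
    time_span: datetime                     # start of the interval the sequence belongs to
    sip: str                                # "*" when the community is centred on dip
    dip: str                                # "*" when the community is centred on sip
    category_seq: List[str] = field(default_factory=list)
    severity_seq: List[int] = field(default_factory=list)


def parse_alarm(line: str) -> Alarm:
    """Parse one normalised record 'time, sip, dip, category, severity' (constructed format)."""
    ts, sip, dip, category, sev = [f.strip() for f in line.split(",")]
    return Alarm(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sip, dip, category, SEVERITY[sev])


def interval_start(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to the start of its fixed-length time interval."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    slot = int((ts - midnight).total_seconds() // (minutes * 60))
    return midnight + timedelta(minutes=slot * minutes)


def build_sequences(alarms: List[Alarm], minutes: int = 30, centre: str = "dip") -> List[EventSeq]:
    """Group alarms per (interval, centre IP) and split each community, in time order,
    into sequences whose threat level never decreases (a drop starts a new sequence)."""
    communities: Dict[Tuple[datetime, str], List[Alarm]] = defaultdict(list)
    for a in alarms:
        key_ip = a.dip if centre == "dip" else a.sip
        communities[(interval_start(a.ts, minutes), key_ip)].append(a)

    sequences: List[EventSeq] = []
    for (span, ip), members in sorted(communities.items()):
        sip, dip = ("*", ip) if centre == "dip" else (ip, "*")
        current = None
        for a in sorted(members, key=lambda x: x.ts):
            # Empty sequence, or threat level lower than the previous event: open a new sequence.
            if current is None or a.severity < current.severity_seq[-1]:
                current = EventSeq(span, sip, dip)
                sequences.append(current)
            current.category_seq.append(a.category)
            current.severity_seq.append(a.severity)
    return sequences


def interval_statistics(sequences: List[EventSeq]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Per (interval start, centre IP): number of increasing sequences and number of distinct alarm types."""
    seq_count: Dict[Tuple[str, str], int] = defaultdict(int)
    types: Dict[Tuple[str, str], set] = defaultdict(set)
    for s in sequences:
        key = (s.time_span.strftime("%Y-%m-%d %H:%M"), s.dip if s.sip == "*" else s.sip)
        seq_count[key] += 1
        types[key].update(s.category_seq)
    return {k: (seq_count[k], len(types[k])) for k in seq_count}


# Constructed sample records modelled on tables 1 to 3; not data taken from the patent.
SAMPLE_LOG = """
2011-11-01 09:51:00, 20.203.51.128, 212.101.31.204, Critical event auditing, low
2011-11-01 09:57:14, 196.187.197.90, 212.101.31.204, Host exploit, medium
2011-11-01 09:57:49, 20.101.6.191, 212.101.31.204, Middleware vulnerability, high
2011-11-01 01:03:10, 20.203.51.128, 212.101.31.208, Suspicious scanning behavior, medium
2011-11-01 01:07:22, 20.203.51.129, 212.101.31.208, Information leakage, low
2011-11-01 01:08:40, 20.203.51.129, 212.101.31.208, Suspicious scanning behavior, medium
2011-11-01 01:15:01, 20.203.51.130, 212.101.31.208, Information leakage, low
2011-11-01 01:16:55, 20.203.51.130, 212.101.31.208, Suspicious scanning behavior, medium
2011-11-01 01:21:30, 20.203.51.131, 212.101.31.208, Information leakage, low
2011-11-01 01:25:12, 20.203.51.131, 212.101.31.208, Suspicious scanning behavior, medium
"""


def demo() -> List[EventSeq]:
    """Build the alarm event sequences of the constructed sample log."""
    return build_sequences([parse_alarm(l) for l in SAMPLE_LOG.strip().splitlines()])


if __name__ == "__main__":
    for s in demo():
        print(s.time_span, s.sip, s.dip, "-".join(s.category_seq), s.severity_seq)
    print(interval_statistics(demo()))
```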
In this embodiment, based on the spatio-temporal fusion association analysis of event sequences, the alarm log information collected by the large number of heterogeneous network security devices deployed on the information side of the industrial Internet is normalized, high-level semantic information reflecting potential attack behaviors is extracted, and an event sequence pattern library is constructed, which facilitates the subsequent time-series characteristic analysis and alarm type spatial association analysis and provides effective and reliable data support for overcoming the weak association analysis capability of existing alarm monitoring systems;
S12, constructing statistical characteristic quantities from the alarm event sequences of the same community pattern in the event sequence pattern library, and performing abnormal interval detection on the statistical characteristic quantities to obtain an abnormal interval detection result; the statistical characteristic quantities comprise the number of increasing event sequences and the number of alarm types; the abnormal interval detection result comprises the abnormal interval ranges of all statistical characteristic quantities; the statistical characteristic quantities can be understood as two kinds of statistics used for time-series analysis, obtained by counting the number of increasing event sequences and the number of distinct alarm types in each time interval; based on these two kinds of statistics, and focusing on the global abnormal change trend, a statistical analysis method and the 3-sigma principle are applied to set a high energy threshold MH and a low energy threshold ML for abnormal interval detection, so as to identify the abnormal interval range of each statistical characteristic quantity; specifically, the step of performing abnormal interval detection on the statistical characteristic quantities to obtain the abnormal interval detection result includes:
determining an outlier threshold according to a statistical analysis method and the 3-sigma principle, and performing anomaly detection on the statistical characteristic quantities with a double-threshold endpoint detection mechanism according to the outlier threshold to obtain the abnormal interval detection result; the outlier threshold comprises a high energy threshold and a low energy threshold, expressed respectively as:
MH=mean+k*std
ML=mean+l*std
where MH and ML denote the high energy threshold and the low energy threshold respectively; mean and std denote the mean and the standard deviation of the statistical characteristic quantity over the n time intervals of the preset duration, the i-th of the n values being the statistical characteristic quantity of the i-th time interval; n denotes the number of statistical characteristic quantities; k and l denote the multiples of the standard deviation used in the high energy threshold and the low energy threshold respectively, and their values are chosen and adjusted according to the specific service scenario; preferably, four times and two times the standard deviation are used to set the high energy threshold and the low energy threshold respectively;
specifically, the step of performing anomaly detection on the statistical characteristic quantities with the double-threshold endpoint detection mechanism according to the outlier threshold to obtain the abnormal interval detection result includes:
performing primary global outlier detection on the statistical characteristic quantity with the high energy threshold to obtain the outlier moments at which sequence values exceed the high energy threshold, and determining the corresponding high-threshold intervals;
performing secondary interval detection on the high-threshold intervals with the low energy threshold to obtain the abnormal interval detection result; during the secondary interval detection, if the time between two high-threshold abnormal intervals is less than a certain duration (one hour), the two intervals are considered to belong to the same abnormal event, the corresponding high-threshold abnormal intervals are merged and the detected abnormal interval range is expanded, and the abnormal interval range of each statistical characteristic quantity shown in fig. 3 is finally obtained as the abnormal interval detection result; fig. 3 is a schematic diagram of the detection of the two kinds of abnormal statistical intervals with 212.101.31.198 as the central node, where (a) is the abnormal interval detection result for the number of increasing sequences and (b) is the abnormal interval detection result for the number of alarm types; the positions of the dotted vertical lines are the intervals in which abnormal events are located, and the fluctuation of the counts in the other intervals, which are not classified as abnormal, is considered acceptable in the statistical sense;
In this embodiment, event sequence association analysis replaces the traditional single-alarm analysis mode, and service identification and risk analysis use the association analysis of several time-series characteristics together with the alarm type spatial domain, so that the hidden association relations between historical alarm events are mined and analyzed more intuitively and comprehensively, and problems such as missed high-risk events and incomplete traceability analysis are effectively solved.
S13, performing service identification and risk analysis according to the abnormal interval detection result and a preset event characteristic identification detection standard to obtain a corresponding identification analysis result, and updating the identification analysis result to a pre-established risk event knowledge base; the risk event knowledge base comprises typical conventional business events, low risk alarm events, external abnormal IP events and potential high risk events;
the preset event characteristic identification detection standard can be understood as a detection standard formulated according to the actual service conditions of information network alarm data in the industrial Internet scenario; for example, low-risk alarm events such as periodic security audits and request protocol errors mostly show a stable number of alarm types, while high-risk alarm events such as security exercises and real attacks are accompanied by a sharp increase in attacking IP addresses and in the number of alarm types; on this basis, for the security events reflected by the abnormal intervals of the two kinds of statistical characteristic quantities, event characteristic identification detection standards comprising a first, second, third and fourth class are preferably formulated: the first class of event identification detection standard is that neither the number of increasing event sequences nor the number of alarm types is abnormal, the two statistics of the alarm event sequences stay at a relatively stable level, and the alarms are mostly caused by rules triggered by Internet response traffic, so the threat level is very low; the second class is that the number of increasing event sequences changes suddenly while the number of alarm types is not abnormal, that is, the number of alarm events surges at a certain moment but the number of alarm types stays relatively stable or rises slightly, which is mostly caused by security audit events or periodic services; the third class is that the number of increasing sequences and the number of alarm types are abnormal at the same time, the alarm events being mostly triggered by rare external IP addresses (fewer than 5 alarms in a single month) and by internal security scans or real attack events, so that a certain security risk exists and further analysis and study are needed; the fourth class is that the number of increasing sequences is not abnormal while the number of alarm types is abnormal, and such abnormal alarm events mostly indicate that the system is under malicious attack and need to be analyzed and traced immediately;
based on the determined event characteristic identification detection standard, service identification and risk analysis are performed on the abnormal interval detection result obtained above; specifically, the step of performing service identification and risk analysis according to the abnormal interval detection result and the preset event characteristic identification detection standard to obtain the corresponding identification analysis result includes:
searching the pre-established risk event knowledge base according to the abnormal interval detection result; if a match is found, taking the corresponding event type in the risk event knowledge base as the identification analysis result, otherwise judging whether the abnormal interval detection result meets the first class of event identification detection standard; the risk event knowledge base can be understood as an event knowledge base built from the analysis results of historical network alarm log data, containing known typical conventional business events, low-risk alarm events, external abnormal IP events and potential high-risk events; when an unknown abnormal interval is detected in practice, the risk event knowledge base is searched to judge whether it is a known business event or risk event, and abnormal situations not present in the knowledge base are analyzed and identified with the preset event characteristic identification detection standard, which realizes semi-automatic event characteristic identification and security risk research and judgment and makes the overall security situation easy to grasp quickly;
if the abnormal interval detection result meets the first class of event identification detection standard, judging that the corresponding alarm event sequence is a typical conventional service event and updating the risk event knowledge base with it, otherwise judging whether the abnormal interval detection result meets the second class of event identification detection standard; the analysis result of a typical conventional service event is shown in fig. 4: the two kinds of statistical characteristic quantities change steadily without sudden changes; the central IP 196.187.197.90 is a security audit device of the company that continuously performs vulnerability detection on important device servers in the company intranet throughout the month, so the sequence count and the type count stay stable;
if the abnormal interval detection result meets the second class of event identification detection standard and the central IP is an important asset device or a security audit device, judging that the corresponding alarm event sequence is a low-risk alarm event and updating the risk event knowledge base with it, otherwise judging whether the abnormal interval detection result meets the third class of event identification detection standard; the analysis result of a low-risk alarm event is shown in fig. 5: the alarm count changes suddenly while the types stay stable; the central IP 212.101.31.190 is the IP address of an external service server of the company, the sequence count rises sharply only in part of the period, and the surge in access volume was confirmed to be caused by a service that went live on that day;
if the abnormal interval detection result meets the third class of event identification detection standard, judging whether the central IP of the corresponding alarm event sequence is a blocked external IP or an internal security inspection device; if so, judging that the corresponding alarm event sequence is a non-abnormal event, otherwise determining the corresponding abnormal interval range as a high-risk interval and judging that the corresponding alarm event sequence is a high-risk event; when the central IP of the alarm event sequence is a blocked external IP, only a few (fewer than 5) alarms occur over the whole preset duration, concentrated in one time interval with no alarms in the others; such a case is also judged a global outlier by the abnormal interval detection algorithm and interferes with the detection of abnormal events, so when potential security risks and high-risk events are identified, such non-abnormal events that need no special handling must be excluded; the detection result of a high-risk interval is shown in fig. 6: the two kinds of statistical characteristic quantities are abnormal at the same time, alarms may occur continuously on an important device server of the company throughout the month, and the number of increasing sequences and the number of alarm types change suddenly in a certain period, which is more likely to be caused by a security exercise or by a malicious script attack and has a higher threat level;
if the abnormal interval detection result does not meet the third class of event identification detection standard, judging whether it meets the fourth class of event identification detection standard; if so, determining the corresponding abnormal interval range as a potential risk interval and judging that the corresponding alarm event sequence is a potential high-risk event; the detection and identification result of a potential risk interval is shown in fig. 7: only the number of alarm types is abnormal, increasing sharply on the two days of 20 November and 25 November, which is likely to be a penetration test by a malicious automated script; the threat level is high and re-examination is urgently needed;
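An added worked example (not code from the patent) covering the double-threshold detection of S12 and the four-class decision procedure of S13: `detect_intervals` sets MH = mean + 4·std and ML = mean + 2·std (population standard deviation), flags points above MH, widens each around its neighbours above ML, and merges intervals separated by less than one hour; `classify` then applies the knowledge-base lookup and the four criteria. The per-interval series (48 half-hour intervals) and the IP sets are constructed; the method does not say what happens when only the sequence count is abnormal and the centre IP is not an asset or audit device, so that branch returns a manual-review label as an assumption.

```python
from statistics import fmean, pstdev
from typing import Dict, List, Sequence, Set, Tuple

INTERVAL_MINUTES = 30   # length of one time interval, as in the method's example
MERGE_MINUTES = 60      # two high-threshold intervals closer than this belong to one event

Interval = Tuple[int, int]   # inclusive (start index, end index) into the series


def thresholds(series: Sequence[float], k: float = 4.0, l: float = 2.0) -> Tuple[float, float]:
    """High and low energy thresholds MH = mean + k*std and ML = mean + l*std."""
    mean, std = fmean(series), pstdev(series)
    return mean + k * std, mean + l * std


def detect_intervals(series: Sequence[float], k: float = 4.0, l: float = 2.0,
                     interval_minutes: int = INTERVAL_MINUTES,
                     merge_minutes: int = MERGE_MINUTES) -> List[Interval]:
    """Double-threshold endpoint detection over one statistical characteristic quantity."""
    mh, ml = thresholds(series, k, l)
    intervals: List[Interval] = []
    for i, v in enumerate(series):
        if v <= mh:
            continue                      # primary detection: only points above MH seed an interval
        start, end = i, i
        while start > 0 and series[start - 1] > ml:     # secondary detection: widen while above ML
            start -= 1
        while end + 1 < len(series) and series[end + 1] > ml:
            end += 1
        if intervals and start <= intervals[-1][1]:     # same widened interval seeded twice
            intervals[-1] = (intervals[-1][0], max(end, intervals[-1][1]))
        else:
            intervals.append((start, end))
    merged: List[Interval] = []
    for s, e in intervals:
        # Number of quiet intervals between the two, converted to minutes.
        if merged and (s - merged[-1][1] - 1) * interval_minutes < merge_minutes:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def classify(centre_ip: str, seq_intervals: List[Interval], type_intervals: List[Interval],
             knowledge_base: Dict[str, str], asset_or_audit_ips: Set[str],
             blocked_or_scanner_ips: Set[str]) -> str:
    """Apply the knowledge-base lookup, then the four event identification criteria."""
    if centre_ip in knowledge_base:                    # known business or risk event
        return knowledge_base[centre_ip]
    seq_abn, type_abn = bool(seq_intervals), bool(type_intervals)
    if not seq_abn and not type_abn:                   # criterion 1: both statistics stable
        return "typical conventional business event"
    if seq_abn and not type_abn:                       # criterion 2: only the sequence count surges
        if centre_ip in asset_or_audit_ips:
            return "low-risk alarm event"
        return "unclassified, manual review"           # assumption: the method leaves this case open
    if seq_abn and type_abn:                           # criterion 3: both statistics abnormal
        if centre_ip in blocked_or_scanner_ips:        # rare blocked IP or internal scanner
            return "non-abnormal event"
        return "high-risk event"
    return "potential high-risk event"                 # criterion 4: only the type count abnormal


def sample_series() -> Dict[str, List[float]]:
    """Constructed per-interval statistics for one day, not data from the patent."""
    flat = [10.0] * 48
    spike = flat.copy()
    spike[20], spike[21], spike[22] = 12.0, 40.0, 25.0      # 25 is above ML but below MH
    two_spikes = flat.copy()
    two_spikes[21], two_spikes[23] = 40.0, 40.0             # 30 minutes apart: one event
    return {"flat": flat, "spike": spike, "two_spikes": two_spikes}


if __name__ == "__main__":
    s = sample_series()
    for name, series in s.items():
        print(name, thresholds(series), detect_intervals(series))
    print(classify("212.101.31.190", detect_intervals(s["spike"]), detect_intervals(s["flat"]),
                   {}, {"212.101.31.190"}, set()))
```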
constructing corresponding alarm type association graphs from the alarm event sequences of the high-risk intervals and of the potential risk intervals respectively, obtaining the corresponding threat levels through comprehensive analysis of the alarm type association graphs, and updating the risk event knowledge base with the threat levels; to ensure the accuracy of the service identification and risk analysis results, the high-risk events and potential high-risk events identified in the steps above are preferably further analyzed, confirmed and rated for threat level with the help of the alarm type association graph, so that historically unknown risks are recorded and handled reliably and effectively; specifically, the step of constructing the corresponding alarm type association graph from the alarm event sequences of the high-risk interval and of the potential risk interval respectively includes:
taking the alarm types of each alarm event sequence as nodes, determining node labels from the alarm description information and the alarm threat level, determining directed edges from the time order between alarm types and the association of increasing threat levels, and thereby constructing the alarm type association graph; the alarm type association graph is a directed graph generated from the definition of the alarm event sequence, as shown in fig. 8a and 8b: the alarm types are the nodes of the graph; the label of each node comprises the alarm type, the alarm description information and the alarm threat level, the threat level being represented by an integer (such as 0, 1, 2), a larger value meaning a higher threat level; the direction of a directed edge between nodes represents the time order and the increasing risk level association between the alarm types; based on such an alarm type association graph, security analysts can analyze whether a chained attack process exists among the alarm types, for example port scanning followed by password brute forcing, or exploitation of a deserialization vulnerability followed by collection of sensitive information, and comprehensively judge the security risk level (threat level) of the abnormal interval;
fig. 8a shows the alarm type association graph of the central IP address 212.101.31.212 in an abnormal period on 25 November; it can be seen that a large number of different alarm types were generated within 60 minutes, and although the threat level of most nodes is relatively low, the alarms are mainly remote command execution attempts using CVE vulnerabilities, an attack pattern with a large security risk. The whole attack process resembles the penetration test behavior of a malicious automated script, and some of the attack types appear in the alarm information of several servers; they may be vulnerability scans by a security audit device or potential real attack behavior, their security threat level is higher, and the handling of this alarm event and the IP blocking information need to be further confirmed;
fig. 8b shows the alarm type association graph of the central IP 196.187.197.130 in an abnormal period on the evening of 29 November; compared with fig. 8a, the threat level of the alarm types is generally higher, but the ring structures between blocks of alarm types increase significantly, which indicates that the relation between the alarm types in this period is not significant, and the alarm types are mostly basic vulnerability exploitation types such as configuration errors, weak passwords, directory traversal, information leakage and cross-site scripting.
According to the method, after multi-source heterogeneous network alarm log data of a preset duration are collected, a corresponding event sequence pattern library comprising alarm event sequences of different community patterns is built from the network alarm log data; statistical characteristic quantities comprising the number of increasing event sequences and the number of alarm types are built from the alarm event sequences of the same community pattern in the library; abnormal interval detection is performed on the statistical characteristic quantities with a double-threshold endpoint detection mechanism to obtain an abnormal interval detection result; service identification and risk analysis are performed according to the abnormal interval detection result and a preset event characteristic identification detection standard, so that typical conventional service events, low-risk alarm events and potential high-risk events are identified, and the pre-established risk event knowledge base is updated with the corresponding identification analysis result. This technical scheme associates the alarm log data from a new angle: through the association of abnormal intervals, typical conventional services and potential attack behaviors are analyzed in an interpretable way, security analysts are assisted in grasping the overall alarm security situation and the distribution of potential risk events, and their workload is effectively reduced; since the result builds on the monitoring results of existing alarm event analysis and on the risk event knowledge base, the reliability of the identification results is improved and integration with the existing security risk protection system is facilitated.
In one embodiment, as shown in fig. 9, there is provided a service identification and risk analysis system based on event sequence association fusion, the system comprising:
the pattern construction module 1 is used for collecting network alarm log data of a preset duration and constructing a corresponding event sequence pattern library according to the network alarm log data; the network alarm log data is multi-source heterogeneous alarm log data; the event sequence pattern library comprises alarm event sequences of a plurality of different community patterns;
the abnormal detection module 2 is used for constructing statistical characteristic quantity according to the alarm event sequences of the same community mode in the event sequence mode library, and carrying out abnormal interval detection on the statistical characteristic quantity to obtain an abnormal interval detection result; the statistical characteristic quantity comprises an incremental event sequence quantity and an alarm type quantity; the abnormal interval detection result comprises abnormal interval ranges of all the statistical characteristic quantities;
the risk identification module 3 is used for carrying out service identification and risk analysis according to the abnormal interval detection result and the preset event characteristic identification detection standard to obtain a corresponding identification analysis result, and updating the identification analysis result to a pre-established risk event knowledge base; the risk event repository includes typical regular business events, low risk alarm events, external abnormal IP events, and potentially high risk events.
For the specific definition of the service identification and risk analysis system based on event sequence association fusion, reference may be made to the definition of the service identification and risk analysis method based on event sequence association fusion above, which is not repeated here. All modules of the service identification and risk analysis system based on event sequence association fusion can be realized wholly or partly in software, in hardware, or in a combination of the two. The modules can be embedded in hardware form in, or independent of, the processor of the computer device, or stored in software form in the memory of the computer device so that the processor can call them and execute the operations corresponding to the modules.
Fig. 10 shows an internal structure diagram of a computer device in one embodiment, and the computer device may be specifically a terminal or a server. As shown in fig. 10, the computer apparatus includes a processor, a memory, a network interface, a display, and an input device, which are connected through a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to realize a business identification and risk analysis method based on event sequence association fusion. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those of ordinary skill in the art that the architecture shown in FIG. 10 is merely a block diagram of some of the structures associated with the present solution and is not intended to limit the computing devices to which the present solution may be applied, and that a particular computing device may include more or less components than those shown, or may combine certain components, or have a similar arrangement of components.
In one embodiment, a computer device is provided, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the steps of the above method being performed when the computer program is executed by the processor.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method.
In summary, the embodiment of the present invention provides a method, a system, a computer device and a storage medium for service identification and risk analysis based on event sequence association fusion. The method collects multi-source heterogeneous network alarm log data of a preset duration; constructs from it a corresponding event sequence pattern library comprising alarm event sequences of several different community patterns; constructs statistical characteristic quantities comprising the number of increasing event sequences and the number of alarm types from the alarm event sequences of the same community pattern in the library; performs abnormal interval detection on the statistical characteristic quantities with a double-threshold endpoint detection mechanism to obtain an abnormal interval detection result; performs service identification and risk analysis according to the abnormal interval detection result and the preset event characteristic identification detection standard in combination with the alarm association relation graph, identifying typical conventional service events, low-risk alarm events and potential high-risk events; and updates the pre-established risk event knowledge base with the corresponding identification analysis results. The method thereby realizes effective association analysis of the mass alarm log data of the industrial Internet: it efficiently identifies typical conventional services and potential security risks, facilitates the filtering of typical conventional services and the investigation of alarm risks, gives a grasp of the overall alarm security situation, assists security analysts in reliable and effective risk research, judgment and traceability analysis of high-risk alarms, reduces their workload and improves the corresponding work efficiency; it is also convenient to integrate with other existing alarm monitoring systems, which raises the application value of the whole alarm monitoring system and provides a reliable guarantee for the safe operation of the industrial Internet.
The embodiments in this specification are described in a progressive manner, and all the same or similar parts of the embodiments are directly referred to each other, and each embodiment is described with emphasis on differences from other embodiments. In particular, as for the system embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points. It should be noted that, the technical features of the embodiments may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express some preferred embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for those skilled in the art, without departing from the technical principle of the present invention, several improvements and substitutions can be made, and these improvements and substitutions should also be regarded as the protection scope of the present application. Therefore, the protection scope of the present patent shall be subject to the protection scope of the claims.

Claims (10)

1. A service identification and risk analysis method based on event sequence correlation fusion is characterized by comprising the following steps:
collecting network alarm log data with preset duration, and constructing a corresponding event sequence mode library according to the network alarm log data; the network alarm log data is multi-source heterogeneous alarm log data; the event sequence pattern library comprises alarm event sequences of a plurality of different community patterns;
constructing statistical characteristic quantity according to the alarm event sequences of the same community mode in the event sequence mode library, and carrying out abnormal interval detection on the statistical characteristic quantity to obtain an abnormal interval detection result; the statistical characteristic quantity comprises an incremental event sequence quantity and an alarm type quantity; the abnormal interval detection result comprises abnormal interval ranges of all the statistical characteristic quantities;
performing service identification and risk analysis according to the abnormal interval detection result and a preset event feature identification detection standard to obtain a corresponding identification analysis result, and updating the identification analysis result to a pre-established risk event knowledge base; the risk event knowledge base includes typical regular business events, low-risk alarm events, external abnormal IP events and potential high-risk events.
2. The method for service identification and risk analysis based on event sequence association fusion as claimed in claim 1, wherein the step of constructing the corresponding event sequence pattern library according to the network alarm log data comprises:
carrying out normalization processing on the network alarm log data to obtain alarm log characteristic quantity; the alarm log characteristic quantity comprises alarm occurrence time, a source IP address, a destination IP address, an alarm type, description information and a threat level;
determining the time interval of the alarm event sequence according to the distribution condition of the alarm log characteristic quantity and the duration of the real attack event;
merging the alarm log characteristic quantities of each time interval in the preset duration according to the same community principle to form a single-center type alarm community, and extracting the community mode of each single-center type alarm community; the same community principle is that the source IP addresses are the same or the destination IP addresses are the same;
extracting alarm event sequences meeting preset conditions in each time interval according to each community mode and alarm log characteristic quantity, and constructing an event sequence mode library according to the alarm event sequences of each community mode in each time interval in preset duration; the preset conditions are that the time sequence exists and the alarm risk level is increased; the alarm event sequence comprises a time interval, a source IP address, a destination IP address, an alarm type sequence, a threat level sequence and a repetition time sequence.
3. The method for service identification and risk analysis based on event sequence association and fusion as claimed in claim 2, wherein the step of extracting the alarm event sequences meeting the preset conditions in each time interval according to each community mode and the alarm log characteristic quantity comprises:
sorting the alarm log characteristic quantities of the alarm events in each alarm community according to the alarm occurrence time, and judging whether the current alarm event sequence is empty or whether the threat level corresponding to the current alarm event is not lower than that of the last alarm event, if so, adding the current alarm event to the current alarm event sequence, otherwise, constructing a new alarm event sequence.
4. The method for service identification and risk analysis based on event sequence association and fusion as claimed in claim 2, wherein the step of performing abnormal interval detection on the statistical characteristic quantity to obtain an abnormal interval detection result comprises:
determining an abnormal point threshold according to a statistical analysis method and the 3σ principle, and performing abnormal detection on the statistical characteristic quantity by adopting a double-threshold method endpoint detection mechanism according to the abnormal point threshold to obtain an abnormal interval detection result; the abnormal point threshold comprises a high energy threshold and a low energy threshold, respectively expressed as:
MH = mean + k * std
ML = mean + l * std
where MH and ML denote the high energy threshold and the low energy threshold respectively; mean and std denote the mean and the standard deviation of the statistical characteristic quantities, given in the claim by the usual formulas (reproduced there as formula images, not as text) in terms of the i-th statistical characteristic quantity; N denotes the number of statistical characteristic quantities; and k and l denote the multiples of the standard deviation used in the high and low energy thresholds respectively.
5. The method for service identification and risk analysis based on event sequence association and fusion as claimed in claim 4, wherein the step of performing anomaly detection on the statistical characteristic quantity by using a dual-threshold method endpoint detection mechanism according to the anomaly threshold to obtain the detection result of the anomaly interval comprises:
carrying out primary global abnormal point detection on the statistical characteristic quantity by adopting the high-energy threshold value to obtain abnormal point moments when all sequence values exceed the high-energy threshold value, and determining a corresponding high-threshold value interval;
and carrying out secondary interval detection on the high threshold interval by adopting a low energy threshold to obtain the detection result of the abnormal interval.
6. The method for service identification and risk analysis based on event sequence association fusion as claimed in claim 1, wherein the preset event feature identification detection standard includes a first type, a second type, a third type and a fourth type of event identification detection standard; the first type of event identification detection standard is that neither the number of incremental event sequences nor the number of alarm types is abnormal; the second type of event identification detection standard is that the number of incremental event sequences changes suddenly and the number of alarm types is not abnormal; the third type of event identification detection standard is that the number of incremental event sequences and the number of alarm types are abnormal at the same time; the fourth type of event identification detection standard is that the number of incremental event sequences is not abnormal and the number of alarm types is abnormal;
the step of performing service identification and risk analysis according to the abnormal interval detection result and the preset event feature identification detection standard to obtain a corresponding identification analysis result comprises the following steps:
searching the pre-established risk event knowledge base according to the abnormal interval detection result; if a matching record is found, taking the corresponding event type in the risk event knowledge base as the identification analysis result, otherwise judging whether the abnormal interval detection result meets the first type of event identification detection standard;
if the abnormal interval detection result meets the first type of event identification detection standard, judging that the corresponding alarm event sequence is a typical regular business event and updating it to the risk event knowledge base, otherwise judging whether the abnormal interval detection result meets the second type of event identification detection standard;
if the abnormal interval detection result meets the second type of event identification detection standard and the center IP is an important asset device or a security audit device, judging that the corresponding alarm event sequence is a low-risk alarm event and updating it to the risk event knowledge base, otherwise judging whether the abnormal interval detection result meets the third type of event identification detection standard;
if the abnormal interval detection result meets the third type of event identification detection standard, judging whether the center IP of the corresponding alarm event sequence is a blocked external IP or an internal security inspection device; if so, judging that the corresponding alarm event sequence is a non-abnormal event, otherwise determining the corresponding abnormal interval range to be a high-risk interval and judging the corresponding alarm event sequence to be a high-risk event;
if the abnormal interval detection result does not meet the third type of event identification detection standard, judging whether it meets the fourth type of event identification detection standard; if so, determining the corresponding abnormal interval range to be a potential risk interval and judging the corresponding alarm event sequence to be a potential high-risk event;
and constructing a corresponding alarm type association graph according to the alarm event sequences of the high-risk interval and the potential risk interval respectively, comprehensively analyzing the alarm type association graph to obtain a corresponding threat level, and updating it to the risk event knowledge base.
7. The service identification and risk analysis method based on event sequence association fusion as claimed in claim 6, wherein the step of constructing the corresponding alarm type association diagram according to the alarm event sequences of the high risk interval and the potential risk interval respectively comprises:
and taking the alarm type of each alarm event sequence as a node, determining a node label according to the alarm description information and the alarm threat level, determining a directed edge according to the time sequence between the alarm types and the association relationship of the increasing threat level, and constructing to obtain the alarm type association graph.
8. A service identification and risk analysis system based on event sequence association fusion, the system comprising:
the mode construction module is used for collecting network alarm log data with preset duration and constructing a corresponding event sequence mode library according to the network alarm log data; the network alarm log data is multi-source heterogeneous alarm log data; the event sequence pattern library comprises alarm event sequences of a plurality of different community patterns;
the abnormal detection module is used for constructing statistical characteristic quantity according to the alarm event sequences of the same community mode in the event sequence mode library and carrying out abnormal interval detection on the statistical characteristic quantity to obtain an abnormal interval detection result; the statistical characteristic quantity comprises the quantity of the increasing event sequences and the quantity of the alarm types; the abnormal interval detection result comprises an abnormal interval range of each statistical characteristic quantity;
the risk identification module is used for performing service identification and risk analysis according to the abnormal interval detection result and the preset event feature identification detection standard to obtain a corresponding identification analysis result, and updating the identification analysis result to a pre-established risk event knowledge base; the risk event knowledge base includes typical regular business events, low-risk alarm events, external abnormal IP events and potential high-risk events.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 7 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
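The following Python sketch is an added worked example and is not the applicant's code; it runs the chain of claims 2 to 7 end to end on a constructed set of alarms so that the effect of each step can be seen. Everything in it is assumed rather than taken from the patent: communities are centred on the destination IP only; a sequence counts as incremental when its threat level rises from its first to its last alarm; the standard deviation is the population one; the multiples are k = 2 and l = 1 rather than the 3σ setting, because the sample series is only ten intervals long; and the asset lists IMPORTANT_ASSETS and BLOCKED_OR_INSPECTION, the IP addresses and the alarm types are made up. The knowledge-base lookup at the start of claim 6 and the node labels of claim 7 are left out.

```python
import math
from collections import defaultdict

N_INTERVALS = 10
IMPORTANT_ASSETS = {"10.0.0.5"}                       # assumed important-asset / audit devices
BLOCKED_OR_INSPECTION = {"203.0.113.7", "10.0.0.99"}  # assumed blocked external IPs / internal scanners

def make_alarms():
    """Constructed sample alarms: (interval, time offset, src_ip, dst_ip, alarm_type, threat_level)."""
    alarms = []
    for t in range(N_INTERVALS):  # quiet baseline: one escalating scan -> brute-force pair per interval
        for dst in ("10.0.0.5", "10.0.0.6"):
            alarms += [(t, 0.0, "10.0.0.9", dst, "port_scan", 1), (t, 0.1, "10.0.0.9", dst, "brute_force", 2)]
    # centre 10.0.0.5: several escalating chains with new alarm types in interval 7 and extra chains of
    # the usual types in interval 8; centre 10.0.0.6: one long chain through many types in interval 5
    bursts = [(7, "10.0.0.21", "10.0.0.5", [("port_scan", 1), ("brute_force", 2), ("webshell", 3),
                                           ("port_scan", 1), ("rce", 3), ("port_scan", 1), ("brute_force", 2)]),
              (8, "10.0.0.21", "10.0.0.5", [("port_scan", 1), ("brute_force", 2), ("port_scan", 1), ("brute_force", 2)]),
              (5, "10.0.0.31", "10.0.0.6", [("brute_force", 2), ("webshell", 3), ("rce", 3), ("exfiltration", 3)])]
    for t, src, dst, chain in bursts:
        alarms += [(t, 0.2 + 0.1 * i, src, dst, a, lvl) for i, (a, lvl) in enumerate(chain)]
    return alarms

def build_sequences(alarms):
    """Claims 2-3: communities per interval (assumption: centre = destination IP); alarms are
    sorted by time and a new sequence is started whenever the threat level drops."""
    communities = defaultdict(list)
    for t, off, src, dst, atype, lvl in alarms:
        communities[(dst, t)].append((off, src, atype, lvl))
    sequences = defaultdict(list)  # (centre, interval) -> list of sequences of (src, type, level)
    for key, events in communities.items():
        seq = []
        for _, src, atype, lvl in sorted(events):
            if seq and lvl < seq[-1][2]:
                sequences[key].append(seq)
                seq = []
            seq.append((src, atype, lvl))
        sequences[key].append(seq)
    return sequences

def statistical_features(sequences):
    """Per centre: series of incremental-sequence counts and distinct alarm-type counts per interval."""
    feats = {}
    for c in {c for c, _ in sequences}:
        n_inc, n_types = [], []
        for t in range(N_INTERVALS):
            seqs = sequences.get((c, t), [])
            n_inc.append(sum(1 for s in seqs if s[-1][2] > s[0][2]))  # assumption: level must rise
            n_types.append(len({a for s in seqs for _, a, _ in s}))
        feats[c] = (n_inc, n_types)
    return feats

def double_threshold_intervals(series, k=2.0, l=1.0):
    """Claims 4-5: MH = mean + k*std, ML = mean + l*std (population std assumed). Points above MH
    seed an abnormal interval, which is grown in both directions while values stay above ML."""
    n = len(series)
    mean = sum(series) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in series) / n)
    mh, ml = mean + k * std, mean + l * std
    flagged = set()
    for i, x in enumerate(series):
        if x > mh:
            lo = hi = i
            while lo > 0 and series[lo - 1] > ml:
                lo -= 1
            while hi < n - 1 and series[hi + 1] > ml:
                hi += 1
            flagged.update(range(lo, hi + 1))
    ranges = []  # collapse flagged indices into (start, end) ranges
    for i in sorted(flagged):
        if ranges and ranges[-1][1] == i - 1:
            ranges[-1] = (ranges[-1][0], i)
        else:
            ranges.append((i, i))
    return ranges

def classify(feats, k=2.0, l=1.0):
    """Claim 6 decision chain for every abnormal interval; intervals abnormal in neither series are
    first-type regular business and are not reported. The knowledge-base lookup is omitted."""
    verdicts = {}
    for c, (n_inc, n_types) in feats.items():
        inc_ab = {i for a, b in double_threshold_intervals(n_inc, k, l) for i in range(a, b + 1)}
        typ_ab = {i for a, b in double_threshold_intervals(n_types, k, l) for i in range(a, b + 1)}
        for t in sorted(inc_ab | typ_ab):
            if t in inc_ab and t not in typ_ab:   # second type; the claim gives no verdict otherwise
                verdicts[(c, t)] = "low_risk" if c in IMPORTANT_ASSETS else "unresolved"
            elif t in inc_ab and t in typ_ab:     # third type: both counts abnormal
                verdicts[(c, t)] = "not_abnormal" if c in BLOCKED_OR_INSPECTION else "high_risk"
            else:                                  # fourth type: only the alarm-type count abnormal
                verdicts[(c, t)] = "potential_high_risk"
    return verdicts

def association_graph(seqs):
    """Claim 7: alarm types as nodes, one directed edge per time-ordered step whose threat level rises."""
    return {(a, b) for s in seqs for (_, a, la), (_, b, lb) in zip(s, s[1:]) if lb > la}

if __name__ == "__main__":
    seqs = build_sequences(make_alarms())
    for (c, t), label in sorted(classify(statistical_features(seqs)).items()):
        print(f"centre {c} interval {t}: {label}; edges {sorted(association_graph(seqs[(c, t)]))}")
```

Running it shows the three verdict paths of claim 6 on the constructed data: interval 7 of centre 10.0.0.5 is a high-risk event because both the number of incremental sequences and the number of alarm types jump; interval 8 of the same centre is only a low-risk alarm event, and only because that centre is listed as an important asset; and interval 5 of centre 10.0.0.6 is a potential high-risk event on the strength of the alarm-type count alone, since its single long chain never raises the sequence count. The `unresolved` label marks the case the claim text does not decide, a second-type hit on a centre that is neither an important asset nor an audit device, which a practitioner would want to route somewhere explicit rather than drop.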
CN202210858081.3A 2022-07-20 2022-07-20 Business identification and risk analysis method and system based on event sequence association fusion Active CN115225386B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210858081.3A CN115225386B (en) 2022-07-20 2022-07-20 Business identification and risk analysis method and system based on event sequence association fusion

Publications (2)

Publication Number Publication Date
CN115225386A true CN115225386A (en) 2022-10-21
CN115225386B CN115225386B (en) 2023-05-19

Family

ID=83614513

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210858081.3A Active CN115225386B (en) 2022-07-20 2022-07-20 Business identification and risk analysis method and system based on event sequence association fusion

Country Status (1)

Country Link
CN (1) CN115225386B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112333195A (en) * 2020-11-10 2021-02-05 西安电子科技大学 APT attack scene reduction detection method and system based on multi-source log correlation analysis
CN114301712A (en) * 2021-12-31 2022-04-08 西安交通大学 Industrial internet alarm log correlation analysis method and system based on graph method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王静; 高昆仑; 卞超轶; 梁潇: "Unified operation monitoring and security early-warning platform for energy groups based on big data", 电信科学 (Telecommunications Science) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115776409A (en) * 2023-01-29 2023-03-10 信联科技(南京)有限公司 Industrial network security event basic data directional acquisition method and system
CN115983646A (en) * 2023-03-20 2023-04-18 章和技术(广州)有限公司 Method for evaluating risk of network equipment of transformer substation and related equipment
CN115983646B (en) * 2023-03-20 2023-06-02 章和技术(广州)有限公司 Method for evaluating risk of network equipment of transformer substation and related equipment thereof
CN116633608A (en) * 2023-05-16 2023-08-22 江苏信创网安数据科技有限公司 Risk prediction method and system for network security
CN116633608B (en) * 2023-05-16 2024-01-30 江苏信创网安数据科技有限公司 Risk prediction method and system for network security
CN116915500A (en) * 2023-09-05 2023-10-20 武汉万数科技有限公司 Security detection method and system for access equipment
CN116915500B (en) * 2023-09-05 2023-11-17 武汉万数科技有限公司 Security detection method and system for access equipment

Similar Documents

Publication Publication Date Title
US11336669B2 (en) Artificial intelligence cyber security analyst
US20210273960A1 (en) Cyber threat defense system and method
Lunt IDES: An intelligent system for detecting intruders
CN115225386A (en) Business identification and risk analysis method and system based on event sequence correlation fusion
US20210273973A1 (en) SOFTWARE AS A SERVICE (SaaS) USER INTERFACE (UI) FOR DISPLAYING USER ACTIVITIES IN AN ARTIFICIAL INTELLIGENCE (AI)-BASED CYBER THREAT DEFENSE SYSTEM
JP7302019B2 (en) Hierarchical Behavior Modeling and Detection Systems and Methods for System-Level Security
US20220360597A1 (en) Cyber security system utilizing interactions between detected and hypothesize cyber-incidents
US11258825B1 (en) Computer network monitoring with event prediction
US9961047B2 (en) Network security management
US20230011004A1 (en) Cyber security sandbox environment
US20230132703A1 (en) Capturing Importance In A Network Using Graph Theory
Nkosi et al. Insider threat detection model for the cloud
RU180789U1 (en) DEVICE OF INFORMATION SECURITY AUDIT IN AUTOMATED SYSTEMS
CN116668054A (en) Security event collaborative monitoring and early warning method, system, equipment and medium
Hubballi Pairgram: Modeling frequency information of lookahead pairs for system call based anomaly detection
Amiri et al. A complete operational architecture of alert correlation
Xu et al. [Retracted] Method of Cumulative Anomaly Identification for Security Database Based on Discrete Markov chain
CN115514582B (en) Industrial Internet attack chain correlation method and system based on ATT &amp; CK
Cinque et al. Mining Dependability Properties from System Logs: What We Learned in the Last 40 Years
Pithode et al. A Study on Log Anomaly Detection using Deep Learning Techniques
Long et al. MDATA Model Based Cyber Security Knowledge Representation and Application
Bahmani et al. Introducing a Two-step Strategy Based on Deep Learning to Enhance the Accuracy of Intrusion Detection Systems in the Network
Liang et al. Outlier-based Anomaly Detection in Firewall Logs
Zeng An Intrusion Detection System Based on Big Data for Power System
Yang et al. A Multi-step Attack Detection Framework for the Power System Network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant