CN100518089C - Security event associative analysis method and system - Google Patents

Security event correlation analysis method and system

Publication number: CN100518089C (granted patent; application number CNB2006101035200A; earlier publication CN1878093A)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Expired - Fee Related
Inventors: 连一峰, 鲍旭华, 汪波, 徐君, 李闻, 冯萍慧, 吴强, 胡安平
Applicant and assignee: Huawei Technologies Co Ltd
Keywords: event, rule, module, original alert, correlation

Abstract

The invention discloses a security event correlation analysis method and system. Rule-based correlation and statistics-based correlation run in parallel, and the security events each of them produces are arbitrated to obtain a single security event, so that the two correlation modes complement each other and make up for each other's defects. The invention avoids the ambiguity of statistical correlation and gives rule correlation the ability to detect unknown attacks, which improves the self-learning capability of the whole detection system.

Description

Security event correlation analysis method and system
Technical field
The present invention relates to the field of network security technology, and in particular to a security event correlation analysis method and system.
Background technology
With the development of computer and Internet technology, security problems receive ever more attention. Common security devices include firewalls, intrusion detection systems (IDS), certificate authority (CA) systems, integrity checking tools, antivirus software and so on. These security components generate alerts when abnormal conditions occur. In addition, some systems and applications also produce security-related logs. These alerts and logs are collectively referred to as original alert events. Original alert events from different sources often overlap, are related to one another or depend on one another, and their volume is huge, which makes security management increasingly complex: the security administrator has to deal with a large number of alerts that are redundant and whose relationships are intertwined. Moreover, many attacks cannot be detected by any single security component; only by correlating the alert events produced by all components and judging them together can such attacks be found accurately and prevented in time. Solving these problems requires correlation analysis technology. The main correlation analysis techniques at present are the following:
1. The rule correlation method based on attack modelling proposed by the System Design Laboratory of SRI International (Stanford Research Institute International). Its design steps are:
Build a detailed attack description library in which each attack is described from several angles, such as preconditions and environment;
Build an automaton for analysing attack features, process the attack description library with it, and generate correlation rules;
Build an alert matching model that pattern-matches original alert events against the correlation rules and generates security events.
The shortcoming of this method is that it depends on the attack scenarios having been described accurately and reasonably in advance. If the attack process contains a step that is unknown or that was not detected, correlation cannot proceed, so the method has no defence against new or unknown attack patterns.
2. The correlation technique based on prerequisites and consequences. This technique is an improvement on the SRI technique above; its main processing flow is as follows:
Establish in advance the prerequisites and consequences of each attack step;
Match the consequences of earlier alerts against the prerequisites of later alerts in order to correlate them;
Build the scenario of a multi-step attack according to the matches.
This method uses hyper-alerts (Hyper-Alert) to represent the prerequisites and consequences of alerts, and represents the generated attack scenario as a hyper-alert correlation graph (Hyper-Alert Correlation Graph); on the basis of the correlation graph, further interactive event analysis can be carried out. The method no longer depends on predefined attack scenarios, but its correlation performance depends on the modelling of attacks, that is, on the prerequisites and consequences set for each alert, so it still lacks the ability to recognise and defend against new or unknown attack patterns.
3. Cluster correlation technique. Cluster correlation uses an algorithm rather than rule matching. The method proceeds as follows:
Design a similarity function for each field of an event, used to compute the degree of similarity between the corresponding fields of two events;
On that basis, design a similarity function for the event as a whole, used to compute the degree of similarity between two events;
When processing original alert events, correlate events that are similar to one another, and obtain results at different levels and from different perspectives by adjusting the function parameters.
The shortcoming of this method is that it works statistically, and the results it produces often lack a clear practical meaning.
Summary of the invention
The object of the present invention is to provide a security event correlation analysis method and system that both has the ability to defend against unknown attacks and, as far as possible, obtains accurate conclusions.
To achieve this object, the technical solution adopted is a security event correlation analysis method comprising: collecting original alert events; performing rule-based correlation analysis and statistics-based correlation analysis on the original alert events respectively; and arbitrating between the security events produced by rule correlation and by statistical correlation to obtain a single security event.
Preferably, before correlation analysis, the original alert events are also filtered according to preset filtering rules.
Further preferably, the collected original alert events are buffered, the original alert events that satisfy the preset filtering rules are deleted directly from the buffer queue, and correlation analysis is then performed on the original alert events remaining in the buffer.
The statistics-based correlation analysis preferably comprises: counting the distribution of original alert events over specified attributes; and generating a security event when the accumulated threat of original alert events at one or several attribute levels exceeds a threshold.
The specified attributes may comprise three attributes: source address, destination address, and protocol and port.
Preferably, after the statistics-based correlation analysis generates a security event, data mining is also performed on the original alert event sequence corresponding to that security event, producing correlation rules suitable for the rule-based correlation analysis.
The data mining preferably comprises: using a support greater than a specified threshold as the criterion, finding the event type sequences in the original alert event sequences that reflect an attack process, as rule sequences; for each rule sequence, for each attribute of each of its nodes, counting the corresponding values over all instances and taking the values whose frequency exceeds a minimum confidence as candidate values of that attribute; and for each rule sequence, counting the similarity relations between the attribute values of different nodes over all instances to determine the dependencies between attributes in the rule.
The present invention also provides a security event correlation analysis system comprising an event queue module, a rule correlation module, a statistical correlation module and a structural analysis module. The event queue module collects and buffers original alert events and provides them to the rule correlation module and the statistical correlation module respectively; the rule correlation module pattern-matches original alert events according to preset correlation rules and generates security events according to the matching results; the statistical correlation module counts the distribution of original alert events by attribute and generates security events according to the statistics; the structural analysis module receives security events from the rule correlation module and the statistical correlation module and arbitrates between them to obtain a single security event.
Preferably, the system further comprises an event filtering module, which filters the original alert events collected by the event queue module according to preset filtering rules and deletes from the queue the original alert events that satisfy the filtering rules.
Preferably, the system further comprises a rule mining module and an engine control module. The rule mining module receives the security events generated by the statistical correlation module, performs data mining on the original alert event sequences corresponding to those security events, generates correlation rules and reports them to the engine control module; the engine control module dynamically updates the rule correlation module with the correlation rules generated by the rule mining module, either directly or after they have been submitted to the console for confirmation.
With the above technical solution, the beneficial effects of the present invention are:
1) The present invention runs rule correlation and statistical correlation in parallel and obtains a single security event by arbitration, so that the strengths and weaknesses of the two correlation modes complement each other: known attacks are detected accurately while the ability to defend against unknown attacks is retained. Furthermore, when one correlation mode fails and stops working, the other can continue to process original alert events, which improves the robustness of the system;
2) The present invention further applies the rules obtained by data mining on the statistical correlation results to the rule correlation, which avoids the ambiguity of statistical correlation and gives rule correlation the ability to detect unknown attacks, so that the whole detection system keeps learning and developing and is better adapted to complex network security environments;
3) The present invention also provides a statistical correlation method based on attribute distribution, which makes cluster analysis of original alert events more convenient and flexible, gives the results a clearer meaning, and makes it easy to obtain the related event group of interest quickly and accurately;
4) The preferred data mining method provided by the present invention can accurately and comprehensively analyse the multi-step attack behaviour implicit in the security events obtained by statistics, improving the system's ability to detect and recognise unknown attacks.
Description of drawings
The present invention is described in further detail below through embodiments, with reference to the accompanying drawings.
Fig. 1 is a flow chart of the security event correlation analysis method of embodiment one of the present invention;
Fig. 2 is an example attack logic diagram used in the rule correlation of embodiment one;
Fig. 3 is a schematic diagram of the Matrix structure used in the statistical correlation of embodiment one;
Fig. 4 is a flow chart of the security event correlation analysis method of embodiment two;
Fig. 5 is a block diagram of the security event correlation analysis system of embodiment three;
Fig. 6 is a block diagram of the security event correlation analysis system of embodiment four.
Embodiments
The present invention provides a security event correlation analysis method and system whose core idea is to run rule correlation and statistical correlation in parallel and obtain a single security event by arbitration, so that the two correlation modes complement each other and make up for each other's defects. The present invention further proposes applying rules obtained by data mining on the statistical correlation results to the rule correlation, fusing the two correlation modes at a deeper level; this avoids the ambiguity of statistical correlation, gives rule correlation the ability to detect unknown attacks, and improves the self-learning capability of the whole detection system. The present invention also provides a preferred statistical correlation method and a preferred data mining method, improving the efficiency and accuracy of the corresponding processing. The method and the system of the invention are described in detail below.
Embodiment one is a security event correlation analysis method whose flow, shown in Fig. 1, comprises:
A1. Collect original alert events. Original alert events come from various security devices or management programs, for example firewalls, IDS, antivirus software, system logs and so on; collection can be centralised or come from a distributed system. To facilitate subsequent processing, the collected original alert events are preferably buffered and filtered, which comprises:
A11. Buffer the collected original alert events; usually original alert events can be stored in an event queue in time order;
A12. Filter the original alert events according to preset filtering rules. This step performs simple processing on the original alert events, for example removing erroneous and duplicate alerts, or applying some simple rules to give the collection of alerts a certain purpose or bias, so as to reduce the processing load of subsequent stages.
For example, if an internal network uses only the address space 192.168.0.1 to 192.168.0.64, a removal rule "filter out alerts whose destination address is not in 192.168.0.1 to 192.168.0.64" can be used to filter out erroneous and irrelevant alerts;
As another example, when event processing is busy, to balance security and efficiency, a rule "ignore alerts with threat level below 5" can be defined to prevent a large number of low-level alert events from consuming system processing resources;
As a further example, continuing the first one, if the destination address 192.168.0.1 is a server under special protection for which alert events of every level must be collected so as to protect it comprehensively, a further rule "keep alerts whose destination address is 192.168.0.1" can be defined so that all alert events directed at this server are processed;
A13. Delete the original alert events that satisfy the filtering rules from the buffer queue. Of course, to retain complete security data, all original alert events can also be backed up to a database.
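The three filtering rules above interact: the "keep" rule for the protected server must override the "ignore low-level alerts" rule, otherwise a level-1 port scan against 192.168.0.1 would be dropped while the engine is busy. The following is an added example of such a filter stage (illustrative code, not the patent's own); the Alert fields, the rule names, the busy flag and the sample queue are assumptions constructed for the example.

```python
# Added example: a filter stage in the spirit of steps A12/A13. Illustrative code,
# not the patent's own; the Alert fields, rule names and sample queue are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Alert:
    src: str
    dst: str
    level: int      # threat level reported by the source device (assumed scale)
    sig: str        # signature / alert name

@dataclass
class FilterRule:
    name: str
    action: str                      # "drop" or "keep"
    match: Callable[[Alert], bool]

# Monitored internal range 192.168.0.1 .. 192.168.0.64 (not a single CIDR block).
RANGE_LOW = int(ipaddress.ip_address("192.168.0.1"))
RANGE_HIGH = int(ipaddress.ip_address("192.168.0.64"))

def in_monitored_range(addr: str) -> bool:
    return RANGE_LOW <= int(ipaddress.ip_address(addr)) <= RANGE_HIGH

def build_rules(busy: bool) -> List[FilterRule]:
    """The three rules from the text: keep everything for the protected server,
    drop destinations outside the monitored range and, only while the engine is
    busy, drop low-level alerts."""
    rules = [
        FilterRule("keep-protected-server", "keep", lambda a: a.dst == "192.168.0.1"),
        FilterRule("drop-unmonitored-destination", "drop", lambda a: not in_monitored_range(a.dst)),
    ]
    if busy:
        rules.append(FilterRule("drop-low-level-when-busy", "drop", lambda a: a.level < 5))
    return rules

def apply_filters(queue: List[Alert], rules: List[FilterRule]) -> Tuple[List[Alert], List[Alert]]:
    """Split the buffer queue into (kept, dropped). A matching keep rule always
    wins over drop rules, so alerts for the protected server survive even when busy."""
    kept, dropped = [], []
    for alert in queue:
        if any(r.action == "keep" and r.match(alert) for r in rules):
            kept.append(alert)
        elif any(r.action == "drop" and r.match(alert) for r in rules):
            dropped.append(alert)
        else:
            kept.append(alert)
    return kept, dropped

# Constructed sample queue (not real alert data).
SAMPLE_QUEUE = [
    Alert("10.0.0.5", "192.168.0.10", 7, "ssh-bruteforce"),   # in range, high level
    Alert("10.0.0.5", "192.168.0.200", 9, "web-exploit"),    # destination outside range
    Alert("10.0.0.6", "192.168.0.20", 2, "icmp-echo"),       # low level: dropped only when busy
    Alert("10.0.0.7", "192.168.0.1", 1, "portscan"),         # protected server: always kept
]

def filter_queue(busy: bool) -> Tuple[List[str], List[str]]:
    kept, dropped = apply_filters(SAMPLE_QUEUE, build_rules(busy))
    return [a.sig for a in kept], [a.sig for a in dropped]

if __name__ == "__main__":
    for busy in (False, True):
        print("busy" if busy else "idle", filter_queue(busy))
```

Running it idle drops only the alert whose destination lies outside the monitored range; running it busy additionally drops the level-2 ICMP alert but still keeps the level-1 scan against 192.168.0.1, which is exactly the precedence the three rules in the text require.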
A2. Perform rule-based correlation analysis and statistics-based correlation analysis on the original alert events respectively. The two correlation modes can run simultaneously or asynchronously, each reading original alert events from the event queue and processing them. Specifically:
A21. Rule-based correlation analysis can use any existing rule matching analysis method. This example uses matching on organisational form: the original alert event sequence is pattern-matched against preset correlation rules that describe compound attacks, and a security event is generated whenever a rule is satisfied.
To ensure that logical consequences are expressed accurately and that the organisational form of a compound attack is reflected in essence, the present invention describes correlation rules in a strictly defined rule syntax. A correlation rule defines a group of single-step attacks together with the following three kinds of relations between them:
Sequence relation, denoted "SEQ": there is a strict causal relation between the single-step attacks, and each later step must be built on the previous one;
Conjunction relation, denoted "AND": the single-step attacks have no direct relation to each other, but all of them must be completed before the next step can be carried out;
Alternative relation, denoted "OR": several single-step attacks achieve the same effect, and completing any one of them allows the next step to be carried out.
The organisation of a correlation rule reflects these three relations. Each rule item must have a "type" attribute whose value is "SEQ", "AND", "OR" or "NONE". The first three express the relation between the item's subordinate rule items and are not real event items; "NONE" denotes an actual event item to be matched. All rule items are organised as a strict tree: every leaf node must be a rule item of type "NONE", and every non-leaf node must be a rule item of type "SEQ", "AND" or "OR". Fig. 2 gives an example of a correlation rule written in this syntax, shown as an attack logic diagram. In Fig. 2, rule items 2, 3, 4, 6 and 7 are leaf nodes, that is, real event items, and their type is "NONE"; rule items 0, 1 and 5 are non-leaf nodes. Rule item 1 is of type "OR", meaning that only one of event items 2 and 3 needs to be completed; rule item 5 is of type "AND", meaning that event items 6 and 7 must both be completed; rule item 0 is of type "SEQ", meaning that the events corresponding to rule items 1, 4 and 5 must be completed in that order. The lines between rule items express their relations: in Fig. 2 a single solid arrow means that the node pointed to is the parent of the node the arrow starts from, a double-line arrow means that the node pointed to is a child of the starting node, a dotted arrow means that the node pointed to is the next sibling of the starting node, and "null" means that the pointer is empty.
In addition, predefined keywords can be used to express relations between the attributes of original alert events within a correlation rule; for example, occurrence and count express the accumulation of repeated alerts, and timeout expresses the interval between events. Furthermore, rule references can be used to express the attributes of an alert event that must be matched later in terms of the attributes (for example source address, destination address) of an alert event that occurred earlier.
Pattern-matching the original alert event sequence against correlation rules described in this syntax yields security events with a precise meaning;
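The SEQ/AND/OR/NONE tree can be matched directly by a recursive walk over the time-ordered event type sequence. The following is an added example of such a matcher (illustrative code, not the patent's own); it encodes the tree of Fig. 2, with invented event types attached to the leaves, and the sample sequences are constructed. Only event-type order is matched here: the occurrence/count and timeout keywords and the attribute references described above are not modelled.

```python
# Added example: matcher for correlation rules organised as a SEQ/AND/OR/NONE tree.
# Illustrative code, not the patent's; leaf event types and sample sequences are
# assumptions, and the count/timeout keywords and attribute references are omitted.
from typing import List, Optional, Sequence, Tuple, Union

# A rule item is ("NONE", event_type) for a leaf, or (relation, [child items]) for a
# non-leaf node, where relation is "SEQ", "AND" or "OR".
RuleItem = Union[Tuple[str, str], Tuple[str, List["RuleItem"]]]

def match_item(item: RuleItem, events: Sequence[str], start: int) -> Optional[int]:
    """Match `item` against events[start:]. Returns the index just past the last
    event consumed, or None if the item cannot be satisfied. Events that do not
    belong to the rule are skipped, so the rule is matched as a subsequence."""
    kind, body = item
    if kind == "NONE":                      # real event item: next occurrence of the type
        for i in range(start, len(events)):
            if events[i] == body:
                return i + 1
        return None
    if kind == "SEQ":                       # strict causal order: each child after the last
        pos = start
        for child in body:
            pos = match_item(child, events, pos)
            if pos is None:
                return None
        return pos
    if kind == "AND":                       # all children, in any order, all after `start`
        ends = [match_item(child, events, start) for child in body]
        return None if any(e is None for e in ends) else max(ends)
    if kind == "OR":                        # any one child suffices; earliest completion wins
        ends = [e for e in (match_item(child, events, start) for child in body) if e is not None]
        return min(ends) if ends else None
    raise ValueError(f"unknown rule item type {kind!r}")

def rule_matches(rule: RuleItem, events: Sequence[str]) -> bool:
    return match_item(rule, events, 0) is not None

# The tree of Fig. 2: item 0 = SEQ(item 1 = OR(2, 3), item 4, item 5 = AND(6, 7)).
# The event types on the leaves are invented for the example.
FIG2_RULE: RuleItem = ("SEQ", [
    ("OR",  [("NONE", "tcp_port_scan"), ("NONE", "udp_port_scan")]),       # items 1 -> 2 | 3
    ("NONE", "buffer_overflow_attempt"),                                     # item 4
    ("AND", [("NONE", "new_admin_account"), ("NONE", "outbound_shell")]),    # items 5 -> 6 & 7
])

# Constructed original alert event sequences (types only, already in time order).
SEQUENCES = {
    "full_chain": ["tcp_port_scan", "dns_query", "buffer_overflow_attempt",
                   "outbound_shell", "new_admin_account"],        # AND children in either order
    "wrong_order": ["buffer_overflow_attempt", "tcp_port_scan",
                    "new_admin_account", "outbound_shell"],       # exploit before the scan
    "and_incomplete": ["udp_port_scan", "buffer_overflow_attempt", "new_admin_account"],
}

def evaluate() -> dict:
    return {name: rule_matches(FIG2_RULE, seq) for name, seq in SEQUENCES.items()}

if __name__ == "__main__":
    print(evaluate())
```

Only the first sequence satisfies the rule: the second fails the SEQ relation because the exploit precedes the scan, and the third fails the AND relation because one of the two post-exploitation events never occurs.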
A22. Statistics-based correlation analysis can use existing cluster correlation techniques, but these generally consume considerable time and resources, so this embodiment uses the preferred statistical correlation method provided by the invention, which comprises:
A221. Count the distribution of original alert events over specified attributes. From the point of view of practical use, three aspects of an original alert event's attributes matter most: source address, destination address, and protocol and port. That is, what matters is the degree of attack against a specific target, the attacks launched from a specific source, the attacks against a given protocol and port, and of course combinations of these attributes;
The statistical space over these three attributes can be represented by the data structure shown in Fig. 3, called the Matrix structure in this document. In this structure three doubly linked lists represent the three dimensions, one each for source address, destination address, and protocol and port. Nodes derived from each pair of dimensions, for example node A in Fig. 3, form three two-dimensional doubly linked lists that serve as the three faces of the Matrix and represent the result of combining any two attributes. Nodes derived from these faces, for example node B in Fig. 3, form a three-dimensional doubly linked list that represents all three attributes considered at once;
Every original alert event processed is added to the Matrix structure, and its position in the Matrix determines its degree of threat at the different attribute levels;
A222. Generate a security event when the accumulated threat of original alert events at one or several attribute levels exceeds a threshold. Because the abnormal conditions revealed by this statistical accumulation are closely bound to the three attributes, analysing the region in which they are distributed gives the corresponding security event a fairly definite meaning. They mainly fall into the following types:
Strongly targeted attack: a concentrated attack source attacking a single destination address and port, for example an attacker repeatedly attempting attacks against a possibly vulnerable service on a particular host;
Port-dispersed attack: a concentrated attack source attacking different ports of a single destination address, for example a TCP scan;
Source-dispersed attack: dispersed attack sources attacking a single destination address and port, for example a distributed denial of service (DDoS) attack;
Destination-dispersed attack: a concentrated attack source attacking a single port on dispersed destination addresses, for example host scanning;
Source-concentrated attack: a concentrated attack source attacking dispersed destination addresses and ports, for example the initial stage of virus or worm propagation;
Destination-concentrated attack: dispersed attack sources attacking different ports of a single target address; many distributed attacks show this pattern;
Port-concentrated attack: dispersed attack sources attacking the same port on dispersed target addresses, for example a worm searching automatically for zombie hosts before propagating, or a DDoS attack;
The statistical correlation analysis method based on the Matrix data structure described above processes data quickly and effectively, generates meaningful security events, and obtains a corresponding event group that is accurate in scope and comprehensive in coverage; compared with existing statistical correlation methods it has the advantages of efficiency and accuracy;
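The Matrix can be approximated without linked lists by keeping one accumulator per attribute value, per pair of values and per triple, and then reading the attack type off the number of distinct values in each hot cell. The following is an added example of that approach (illustrative code, not the patent's own): the threat threshold, the cut-off used to call an attribute "concentrated", and the sample alerts (a six-source flood of one web port plus one host probing six ports on another server) are assumptions constructed for the example.

```python
# Added example: a dictionary-backed stand-in for the Matrix structure (steps A221/A222)
# plus the distribution-based classification into the attack types listed above.
# Illustrative code, not the patent's; threshold, cut-off and sample alerts are assumptions.
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Tuple

ATTRS = ("src", "dst", "svc")   # svc = protocol and port, one attribute as in the text
Alert = Dict[str, object]

class AlertMatrix:
    """One accumulator per single attribute value (the three axes), per pair of values
    (the three faces) and per triple (the inner nodes). Each cell keeps the alerts it
    received so their distribution can be inspected when it becomes hot."""
    def __init__(self) -> None:
        self.cells: Dict[Tuple[Tuple[str, object], ...], List[Alert]] = defaultdict(list)

    def add(self, alert: Alert) -> None:
        for r in (1, 2, 3):
            for combo in combinations(ATTRS, r):
                self.cells[tuple((a, alert[a]) for a in combo)].append(alert)

    def hot_cells(self, threshold: int):
        """Cells whose accumulated threat exceeds the threshold (step A222)."""
        return [(key, alerts) for key, alerts in self.cells.items()
                if sum(int(a["threat"]) for a in alerts) > threshold]

ATTACK_TYPES = {   # (src concentrated, dst concentrated, svc concentrated) -> type from the text
    (True,  True,  True):  "strongly targeted attack",
    (True,  True,  False): "port-dispersed attack",
    (False, True,  True):  "source-dispersed attack",
    (True,  False, True):  "destination-dispersed attack",
    (True,  False, False): "source-concentrated attack",
    (False, True,  False): "destination-concentrated attack",
    (False, False, True):  "port-concentrated attack",
}

def classify(alerts: List[Alert], concentrated_max: int = 2) -> str:
    """An attribute is 'concentrated' when its distinct values in the group do not
    exceed `concentrated_max` (an assumed cut-off); the triple selects the type."""
    conc = tuple(len({a[attr] for a in alerts}) <= concentrated_max for attr in ATTRS)
    return ATTACK_TYPES.get(conc, "unclassified")

def detect(alerts: List[Alert], threshold: int) -> Dict[str, str]:
    """Feed alerts into the matrix and classify every hot cell. Keys name the cell."""
    m = AlertMatrix()
    for a in alerts:
        m.add(a)
    return {"|".join(f"{k}={v}" for k, v in key): classify(group)
            for key, group in m.hot_cells(threshold)}

# Constructed sample (not real traffic): six sources flooding one web port, and one
# host probing six ports on another server.
SAMPLE_ALERTS: List[Alert] = (
    [{"src": f"203.0.113.{i}", "dst": "192.168.0.1", "svc": "tcp/80", "threat": 3}
     for i in range(1, 7)]
    + [{"src": "198.51.100.7", "dst": "192.168.0.2", "svc": f"tcp/{p}", "threat": 2}
       for p in (21, 22, 23, 25, 110, 143)]
)

if __name__ == "__main__":
    for cell, kind in detect(SAMPLE_ALERTS, threshold=10).items():
        print(f"{cell:45s} {kind}")
```

With a threshold of 10 only six cells become hot: the destination, the service and the destination/service face cell of the flood (six distinct sources, one target, one port, hence "source-dispersed"), and the source, the destination and the source/destination face cell of the probe (one source, one target, six ports, hence "port-dispersed"). Each individual source of the flood stays below the threshold, which is the point of accumulating along the other axes.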
A3. Arbitrate between the security events produced by rule correlation and statistical correlation respectively to obtain a single security event. Because rule correlation and statistical correlation run in parallel and each processes the original alert event queue in its own way, they may produce duplicate or even conflicting security event reports; arbitration resolves this and yields a single security event. Arbitration can structurally analyse and compare the security events produced by both sides and discard the result whose meaning is less clear or has no definite meaning. Since the results of rule correlation have the advantage of a clear meaning and higher confidence, in practice the rule correlation result can be taken as the main guide; when an unknown attack appears, so that rule correlation produces no security event while statistical correlation has obtained a security event with some meaning, the statistical correlation result prevails.
Embodiment two is a security event correlation analysis method whose flow, shown in Fig. 4, comprises:
B1. Collect original alert events;
B21. Perform rule-based correlation analysis on the original alert events;
B22. Perform statistics-based correlation analysis on the original alert events;
B3. Arbitrate between the security events produced by rule correlation and statistical correlation respectively to obtain a single security event.
The above steps are carried out in the same way as the corresponding steps of embodiment one. The difference between this embodiment and embodiment one is that, after step B22 has performed statistical correlation on the original alert events and produced a security event, data mining is also applied to that security event to obtain correlation rules suitable for the rule correlation analysis. Specifically, the following method can be used:
B231. Using a support greater than a specified threshold as the criterion, find the event type sequences in the original alert event sequences that reflect an attack process, as rule sequences.
Each security event produced by statistical correlation is a set of original alert events. The events in the set can be sorted by time of occurrence, and their types then form an event type sequence. In such a sequence some events belong to the attack process and others are merely false positives. When a new attack sequence appears and occurs repeatedly within a short time, the event type sequence formed by that attack will appear in several security events. However, because of false positive events, the event type sequence corresponding to the attack process is usually only a subsequence of the whole sequence. The influence of false positives therefore has to be eliminated in order to find the event type sequences that really reflect the attack process. Support, the frequency with which a given subsequence occurs in the whole set of event sequences, is a good criterion: when the support exceeds a certain value, the subsequence can be taken to represent some attack process. Specifically, the following procedure can be used: 1) sort the original alert events corresponding to each security event by time of occurrence; 2) find the primitive event types whose frequency of occurrence across all security events is greater than the minimum support and take them as the base type set, then prune the sequences produced in the previous step by removing all elements that are not base types; 3) take the base type set as the first-order frequent set, combine its items to produce the second-order candidate set, traverse the event type sequences against the candidate set to find the second-order frequent set, and so on, producing the third-order candidate and frequent sets and so forth, until all frequent sets have been found. Because correlation analysis is mainly used to detect compound attacks with several steps, the length of the rule sequences sought can also be required to exceed a specified value.
B232. Perform vertical association for each rule sequence, that is, for each attribute of each of its nodes, count the corresponding values over all instances and take the values whose frequency exceeds the minimum confidence as candidate values of that attribute.
Each node of a rule has attributes such as source address, destination address, protocol, source port, destination port and time of occurrence, so one main purpose of data mining is to obtain probable values for these attributes. Suppose the previous step obtained a rule sequence RS of length M, and that its matching subsequences in N original alert event sets are called the N instances of RS, denoted S1, S2, ..., SN. Confidence can be used as the criterion for selecting each node attribute of the rule sequence, where confidence is the frequency with which a given attribute value occurs across all instances. For each attribute of each node in the rule, count the corresponding values over all its instances and take all values exceeding the minimum confidence as candidate values of that attribute. For example, a particular attack step may be aimed mainly at a particular port or a particular server, in which case the port attribute or address attribute of that item in the rule should be the value with the highest frequency of occurrence.
B233. Perform horizontal association for each rule sequence, that is, count the similarity relations between the attribute values of different nodes over all instances to determine the dependencies between attributes in the rule.
The nodes of a rule are not only related in order; their respective attribute values are often interrelated as well. For example, in a multi-step attack the later steps are usually aimed at the same destination address as the earlier ones, and worm propagation is usually aimed at the same port on different targets, and so on. The similarity relations between the attribute values of different nodes therefore have to be counted over all instances of the rule in order to make the dependencies between attributes in the rule explicit.
Once the attributes of each rule item and the dependencies between attributes have been determined in this way, a correlation rule usable in rule analysis can be generated. Of course, a correlation rule obtained automatically by data mining may also be ambiguous or meaningless, so to ensure the validity of the rules, the mined rules can be submitted to the administrator for confirmation before being applied in rule correlation. Alternatively, to ensure that the security system can protect against sudden unknown attacks, the mined rules can be applied to the rule correlation analysis immediately, but with a limited validity period, or with their validity period decided according to how often they are actually matched while in use.
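Steps B231 to B233 together form one procedure: mine frequent event type subsequences, then fill in each node's attribute values by confidence, then record which attributes must agree between nodes. The following is an added example of the whole procedure (illustrative code, not the patent's own). The four security events are constructed, each already sorted by time; the event type names, the attribute set, and the support and confidence thresholds are assumptions made for the example.

```python
# Added example: frequent-subsequence mining (step B231) followed by vertical (B232) and
# horizontal (B233) association. Illustrative code, not the patent's; the sample security
# events, type names, attribute set and thresholds are assumptions.
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

Alert = Dict[str, object]
Pattern = Tuple[str, ...]
ATTRS = ("src", "dst", "dport")

def is_subsequence(pattern: Pattern, types: Sequence[str]) -> bool:
    it = iter(types)
    return all(any(x == t for x in it) for t in pattern)

def support(pattern: Pattern, type_seqs: List[List[str]]) -> int:
    """Number of security events whose event type sequence contains `pattern`."""
    return sum(is_subsequence(pattern, s) for s in type_seqs)

def mine_rule_sequences(events: List[List[Alert]], min_support: int, min_len: int = 2) -> List[Pattern]:
    """Apriori-style mining: base types -> pruned sequences -> k-order candidates built
    from the (k-1)-order frequent set, until no candidate reaches min_support."""
    per_event_types = Counter(t for ev in events for t in {str(a["type"]) for a in ev})
    base = sorted(t for t, n in per_event_types.items() if n >= min_support)        # base type set
    type_seqs = [[str(a["type"]) for a in ev if a["type"] in base] for ev in events]  # prune non-base
    level: List[Pattern] = [(t,) for t in base]                                         # first-order frequent set
    found: List[Pattern] = []
    while level:
        found.extend(p for p in level if len(p) >= min_len)
        candidates = {p + (t,) for p in level for t in base}                          # next-order candidates
        level = sorted(c for c in candidates if support(c, type_seqs) >= min_support)
    return found

def first_instance(pattern: Pattern, ev: List[Alert]) -> Optional[List[Alert]]:
    """Earliest alerts of `ev` matching `pattern` in order, or None (one instance of RS)."""
    out, i = [], 0
    for t in pattern:
        while i < len(ev) and ev[i]["type"] != t:
            i += 1
        if i == len(ev):
            return None
        out.append(ev[i])
        i += 1
    return out

def instances(pattern: Pattern, events: List[List[Alert]]) -> List[List[Alert]]:
    return [m for m in (first_instance(pattern, ev) for ev in events) if m is not None]

def vertical_association(pattern: Pattern, events: List[List[Alert]], min_conf: float) -> List[Dict[str, list]]:
    """Per node and attribute: values whose confidence (share of instances) >= min_conf."""
    inst = instances(pattern, events)
    return [{attr: sorted(v for v, n in Counter(s[node][attr] for s in inst).items()
                          if n / len(inst) >= min_conf) for attr in ATTRS}
            for node in range(len(pattern))]

def horizontal_association(pattern: Pattern, events: List[List[Alert]]) -> List[Tuple[str, int, int]]:
    """(attribute, node i, node j) triples whose values agree in every instance."""
    inst = instances(pattern, events)
    return [(attr, i, j) for attr in ATTRS
            for i in range(len(pattern)) for j in range(i + 1, len(pattern))
            if all(s[i][attr] == s[j][attr] for s in inst)]

def mk(t: str, src: str, dst: str, dport: int) -> Alert:
    return {"type": t, "src": src, "dst": dst, "dport": dport}

# Constructed security events (each list already sorted by time); three contain a
# scan -> exploit -> backdoor chain interleaved with unrelated alerts.
SAMPLE_EVENTS: List[List[Alert]] = [
    [mk("smb_scan", "203.0.113.1", "10.1.0.11", 445), mk("dns_anomaly", "203.0.113.9", "10.1.0.11", 53),
     mk("smb_exploit", "203.0.113.1", "10.1.0.11", 445), mk("backdoor_listen", "203.0.113.1", "10.1.0.11", 4444)],
    [mk("smb_scan", "203.0.113.2", "10.1.0.12", 445), mk("smb_exploit", "203.0.113.2", "10.1.0.12", 445),
     mk("icmp_sweep", "203.0.113.2", "10.1.0.12", 0), mk("backdoor_listen", "203.0.113.2", "10.1.0.12", 4444)],
    [mk("dns_anomaly", "203.0.113.9", "10.1.0.13", 53), mk("smb_scan", "203.0.113.3", "10.1.0.13", 445),
     mk("smb_exploit", "203.0.113.3", "10.1.0.13", 445), mk("backdoor_listen", "203.0.113.3", "10.1.0.13", 4444)],
    [mk("smb_scan", "203.0.113.4", "10.1.0.14", 445), mk("dns_anomaly", "203.0.113.9", "10.1.0.14", 53)],
]

if __name__ == "__main__":
    for rs in mine_rule_sequences(SAMPLE_EVENTS, min_support=3, min_len=3):
        print(rs)
        print("  vertical:", vertical_association(rs, SAMPLE_EVENTS, 0.6))
        print("  horizontal:", horizontal_association(rs, SAMPLE_EVENTS))
```

With minimum support 3 and a minimum length of 3 the only rule sequence is smb_scan, smb_exploit, backdoor_listen: dns_anomaly passes the base-type test but never forms a frequent pair because it appears on different sides of the scan. Vertical association assigns destination port 445 to the first two nodes and 4444 to the third while leaving source and destination addresses open (no single value reaches 60 percent), and horizontal association records that source and destination must agree across all three nodes and that the port must agree between the scan and the exploit, which is exactly the "same target, later steps depend on earlier ones" structure the text describes.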
Present embodiment is the accurate judgement of rule association with statistical correlation to further reinforcement of the detecting ability of unknown attack, make security event associative analysis method of the present invention that the ability of self study and development can be arranged, to be adapted to fast-developing and changeable attack technology, improved the automatic protection capability and the level of system.
Embodiment three: a security event correlation analysis system, as shown in Figure 5, comprises event queue module 11, rule association module 12, statistical correlation module 13, structural analysis module 14 and event filtering module 15;
Event queue module 11 collects original alert events and provides them to rule association module 12 and statistical correlation module 13 respectively;
Event filtering module 15 filters the original alert events collected by event queue module 11 according to preset filtering rules, and deletes from the event queue the original alert events that satisfy a filtering rule;
Rule association module 12 performs pattern matching on the original alert events according to preset correlation rules and produces security incidents according to the matching results;
Statistical correlation module 13 compiles statistics on the original alert events and produces security incidents according to the statistical distribution of their attributes;
Structural analysis module 14 receives security incidents from rule association module 12 and statistical correlation module 13 and arbitrates between them to obtain a unique security incident.
The security event correlation analysis system of this embodiment can apply the security event correlation analysis method provided in embodiment one.
Embodiment four: a security event correlation analysis system, as shown in Figure 6, comprises event queue module 21, rule association module 22, statistical correlation module 23, structural analysis module 24, event filtering module 25, rule mining module 26 and engine control module 27;
Event queue module 21 obtains original alert events from engine control module 27 and buffers them, and provides them to rule association module 22 and statistical correlation module 23 respectively;
Event filtering module 25 filters the original alert events collected by event queue module 21 according to preset filtering rules, and deletes from the event queue the original alert events that satisfy a filtering rule;
Rule association module 22 performs pattern matching on the original alert events according to preset correlation rules and produces security incidents according to the matching results;
Statistical correlation module 23 compiles statistics on the original alert events and produces security incidents according to the statistical distribution of their attributes;
Structural analysis module 24 receives security incidents from rule association module 22 and statistical correlation module 23, arbitrates between them to obtain a unique security incident, and reports it to engine control module 27.
Rule mining module 26 receives the security incidents produced by statistical correlation module 23, obtains from event queue module 21 the original alert event sequences corresponding to those security incidents, performs data mining on them, produces correlation rules and reports them to engine control module 27;
Engine control module 27 handles the interface between the whole system and the outside and the control of each module in the system, including the routine reception of original alert events and buffering them into event queue module 21, submitting the unique security incidents produced by structural analysis module 24 to the console, and controlling the operation of the other modules (control lines are not drawn in Figure 6). In this embodiment, engine control module 27 also dynamically updates the correlation rules generated by rule mining module 26 into rule association module 22, either directly or after submitting them to the console for confirmation.
The security event correlation analysis system of this embodiment can apply the security event correlation analysis method provided in embodiment two.
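A runnable sketch of the system of embodiments three and four (event queue, event filtering, rule association, statistical correlation and the structural analysis arbitration), added here as an example; it is not the patent's own code. The alert stream, the filtering predicate, the preset rule, the per-alert threat values and the threshold are constructed. The statistical module accumulates threat degree over the attributes named in claim 4 (source address, destination address, protocol and port). The merge-by-overlap arbitration policy and the preference for the rule-based hit are assumptions, since the patent only states that arbitration yields a unique security incident.

```python
from collections import defaultdict, deque

# Constructed sample alert stream (not from the patent). "threat" is the per-alert
# threat degree that the statistical module accumulates per attribute value.
RAW_ALERTS = [
    {"id": 1, "type": "PortScan",   "src": "10.0.0.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 22,  "threat": 2},
    {"id": 2, "type": "Heartbeat",  "src": "10.0.0.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 22,  "threat": 0},
    {"id": 3, "type": "BruteForce", "src": "10.0.0.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 22,  "threat": 3},
    {"id": 4, "type": "PrivEsc",    "src": "10.0.0.5", "dst": "192.168.1.10", "proto": "tcp", "dport": 22,  "threat": 5},
    {"id": 5, "type": "PortScan",   "src": "10.0.0.6", "dst": "192.168.1.20", "proto": "udp", "dport": 161, "threat": 3},
    {"id": 6, "type": "PortScan",   "src": "10.0.0.7", "dst": "192.168.1.20", "proto": "udp", "dport": 161, "threat": 3},
    {"id": 7, "type": "PortScan",   "src": "10.0.0.8", "dst": "192.168.1.20", "proto": "udp", "dport": 161, "threat": 3},
]

# Preset filtering rules (module 25): an alert matching any predicate is deleted.
FILTER_RULES = [lambda e: e["type"] == "Heartbeat"]

# Preset correlation rule (module 22): an ordered event-type sequence whose matched
# alerts must agree on the attributes in "same" (a horizontal dependency).
PRESET_RULES = [{"name": "scan-bruteforce-privesc",
                 "sequence": ["PortScan", "BruteForce", "PrivEsc"], "same": ["dst"]}]


class EventQueue:
    """Module 21: collects and buffers original alert events."""
    def __init__(self):
        self.q = deque()
    def collect(self, alerts):
        self.q.extend(alerts)
    def apply_filters(self, rules):
        """Module 25: delete alerts that satisfy a filtering rule, directly in the queue."""
        self.q = deque(e for e in self.q if not any(r(e) for r in rules))
    def events(self):
        return list(self.q)


class RuleAssociation:
    """Module 22: pattern-match the alert sequence against correlation rules."""
    def __init__(self, rules):
        self.rules = list(rules)
    def run(self, events):
        incidents = []
        for rule in self.rules:
            matched = []
            for e in events:
                if e["type"] != rule["sequence"][len(matched)]:
                    continue
                if matched and any(e[a] != matched[0][a] for a in rule["same"]):
                    continue
                matched.append(e)
                if len(matched) == len(rule["sequence"]):
                    incidents.append({"source": "rule", "name": rule["name"], "events": [x["id"] for x in matched],
                                      "threat": sum(x["threat"] for x in matched)})
                    break
        return incidents


class StatisticalAssociation:
    """Module 23: accumulate threat degree per attribute value and raise an incident
    when the total on any attribute level exceeds the threshold (claims 1 and 4)."""
    ATTRS = ("src", "dst", "proto", "dport")
    def __init__(self, threshold):
        self.threshold = threshold
    def run(self, events):
        totals, members = defaultdict(float), defaultdict(list)
        for e in events:
            for a in self.ATTRS:
                totals[(a, e[a])] += e["threat"]
                members[(a, e[a])].append(e["id"])
        return [{"source": "stat", "name": f"threat on {a}={v}", "events": members[(a, v)], "threat": t}
                for (a, v), t in totals.items() if t > self.threshold]


def arbitrate(incidents):
    """Module 24 (structural analysis): incidents sharing alert events form one group;
    a rule-based hit wins as the precise judgement, otherwise the statistical hit
    with the highest accumulated threat is kept (assumed policy)."""
    groups = []
    for inc in incidents:
        ids = set(inc["events"])
        overlapping = [g for g in groups if g["ids"] & ids]
        for g in overlapping:
            groups.remove(g)
            ids |= g["ids"]
        groups.append({"ids": ids, "members": [inc] + [m for g in overlapping for m in g["members"]]})
    unique = []
    for g in groups:
        rule_hits = [m for m in g["members"] if m["source"] == "rule"]
        best = max(rule_hits or g["members"], key=lambda m: m["threat"])
        unique.append({"name": best["name"], "source": best["source"],
                       "events": sorted(best["events"]), "corroboration": len(g["members"]) - 1})
    return sorted(unique, key=lambda u: u["events"][0])


def process(alerts, rules, stat_threshold):
    """Module 27 wiring: queue -> filter -> both analyses in parallel -> arbitration.
    Rules mined by module 26 are appended to `rules` between runs (the dynamic update)."""
    queue = EventQueue()
    queue.collect(alerts)
    queue.apply_filters(FILTER_RULES)
    events = queue.events()
    return arbitrate(RuleAssociation(rules).run(events) + StatisticalAssociation(stat_threshold).run(events))


if __name__ == "__main__":
    for inc in process(RAW_ALERTS, PRESET_RULES, stat_threshold=8):
        print(inc)
```

With the sample data the rule hit on alerts 1, 3 and 4 absorbs the four statistical hits raised on the same alerts (source, destination, protocol and port all cross the threshold), so a single incident with four corroborating statistical signals is reported for that host; the UDP scans against 192.168.1.20 match no preset rule and surface only through the statistical path, which is the case the rule mining module would then turn into a new rule.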
The security event correlation analysis method and system provided by the present invention have been described in detail above. Specific cases have been used herein to set forth the principle and implementation of the present invention, and the explanation of the above embodiments is only intended to help understand the method of the present invention and its core concept; at the same time, one of ordinary skill in the art may, following the idea of the present invention, make changes in specific implementations and applications. In sum, this description should not be construed as limiting the present invention.

Claims (9)

1. A security event correlation analysis method, characterized in that it comprises:
collecting original alert events;
carrying out rule-based association analysis and statistics-based association analysis on the original alert events respectively, where the statistics-based association analysis comprises: computing the distribution of the original alert events over specified attributes; and producing a security incident when the accumulated threat degree of the original alert events at the level of one or several attributes exceeds a threshold;
arbitrating between the security incidents produced respectively by rule association and statistical correlation to obtain a unique security incident.
2. The security event correlation analysis method according to claim 1, characterized in that: before association analysis is carried out on the original alert events, the original alert events are also filtered according to preset filtering rules.
3. The security event correlation analysis method according to claim 2, characterized in that: the collected original alert events are buffered; the original alert events that satisfy a preset filtering rule are deleted directly from the buffer queue according to the filtering rules; and association analysis is then carried out on the original alert events remaining in the buffer.
4. The security event correlation analysis method according to claim 1, characterized in that: the specified attributes comprise three attributes: source address, destination address, and protocol and port.
5. The security event correlation analysis method according to any one of claims 1 to 4, characterized in that: after the statistics-based association analysis produces a security incident, data mining is also carried out on the original alert event sequence corresponding to that security incident, producing correlation rules suitable for the rule-based association analysis.
6. The security event correlation analysis method according to claim 5, characterized in that the data mining comprises:
using support greater than a specified threshold as the criterion, finding in the original alert event sequence the event type sequences that reveal an attack process, as rule sequences;
for every rule sequence, for each attribute of each of its nodes, counting the corresponding values in all instances respectively, and taking the values whose confidence is greater than the minimum confidence as candidates for that attribute;
for every rule sequence, counting the similarity relations between the attribute values of different nodes across all instances and determining the dependencies between attributes in the rule.
7. A security event correlation analysis system, characterized in that: it comprises an event queue module, a rule association module, a statistical correlation module and a structural analysis module;
the event queue module collects and buffers original alert events and provides them to the rule association module and the statistical correlation module respectively;
the rule association module performs pattern matching on the original alert events according to preset correlation rules and produces security incidents according to the matching results;
the statistical correlation module computes the distribution of the original alert events over specified attributes, and produces a security incident when the accumulated threat degree of the original alert events at the level of one or several attributes exceeds a threshold;
the structural analysis module receives security incidents from the rule association module and the statistical correlation module and arbitrates between them to obtain a unique security incident.
8. The security event correlation analysis system according to claim 7, characterized in that: it further comprises an event filtering module, which filters the original alert events collected by the event queue module according to preset filtering rules and deletes from the queue the original alert events that satisfy a filtering rule.
9. The security event correlation analysis system according to claim 7 or 8, characterized in that: it further comprises a rule mining module and an engine control module;
the rule mining module receives the security incidents produced by the statistical correlation module, carries out data mining on the original alert event sequences corresponding to those security incidents, produces correlation rules and reports them to the engine control module;
the engine control module dynamically updates the correlation rules generated by the rule mining module into the rule association module, either directly or after submitting them to the console for confirmation.
CNB2006101035200A 2006-07-19 2006-07-19 Security event associative analysis method and system Expired - Fee Related CN100518089C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101035200A CN100518089C (en) 2006-07-19 2006-07-19 Security event associative analysis method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006101035200A CN100518089C (en) 2006-07-19 2006-07-19 Security event associative analysis method and system

Publications (2)

Publication Number Publication Date
CN1878093A CN1878093A (en) 2006-12-13
CN100518089C true CN100518089C (en) 2009-07-22

Family

ID=37510400

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101035200A Expired - Fee Related CN100518089C (en) 2006-07-19 2006-07-19 Security event associative analysis method and system

Country Status (1)

Country Link
CN (1) CN100518089C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI736258B (en) * 2020-05-11 2021-08-11 臺灣銀行股份有限公司 Device enhancement order analysis method

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399658B (en) * 2007-09-24 2011-05-11 北京启明星辰信息技术股份有限公司 Safe log analyzing method and system
CN101325520B (en) * 2008-06-17 2010-08-18 南京邮电大学 Method for locating and analyzing fault of intelligent self-adapting network based on log
CN101668012B (en) * 2009-09-23 2013-01-30 成都市华为赛门铁克科技有限公司 Method and device for detecting security event
CN101697545B (en) * 2009-10-29 2012-08-08 成都市华为赛门铁克科技有限公司 Security incident correlation method and device as well as network server
CN101789931B (en) * 2009-12-31 2012-12-05 暨南大学 Network intrusion detection system and method based on data mining
CN101937447B (en) * 2010-06-07 2012-05-23 华为技术有限公司 Alarm association rule mining method, and rule mining engine and system
CN101887573A (en) * 2010-06-11 2010-11-17 北京邮电大学 Social network clustering correlation analysis method and system based on core point
CN101938486B (en) * 2010-09-09 2013-06-12 东软集团股份有限公司 Event rule relevance analysis method and device
CN102571469B (en) * 2010-12-23 2014-11-19 北京启明星辰信息技术股份有限公司 Attack detecting method and device
CN102790981B (en) * 2012-06-29 2015-04-22 石化盈科信息技术有限责任公司 Real-time warning method under space-time dynamic mode of sensor network
CN104158677B (en) * 2013-05-15 2018-08-07 北京捷诺视讯数码科技有限公司 A kind of safety state analysis alarm method
CN103905418B (en) * 2013-11-12 2017-02-15 北京安天电子设备有限公司 APT multi-dimensional detection and defense system and method
CN104050151A (en) * 2014-06-05 2014-09-17 北京江南天安科技有限公司 Security incident feature analysis method and system based on predicate deduction
CN105376193B (en) * 2014-08-15 2019-06-04 中国电信股份有限公司 The intelligent association analysis method and device of security incident
US10162969B2 (en) * 2014-09-10 2018-12-25 Honeywell International Inc. Dynamic quantification of cyber-security risks in a control system
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
CN105512210A (en) * 2015-11-27 2016-04-20 网神信息技术(北京)股份有限公司 Correlated event type detection method and device
CN105471882A (en) * 2015-12-08 2016-04-06 中国电子科技集团公司第三十研究所 Behavior characteristics-based network attack detection method and device
CN105656699B (en) * 2016-03-29 2018-12-04 网宿科技股份有限公司 The alarm management method and system of content distributing network
CN109218255B (en) * 2017-06-30 2021-06-04 中国电信股份有限公司 Safety protection method, control system and safety protection system
CN110321369A (en) * 2019-05-16 2019-10-11 国电南瑞科技股份有限公司 A kind of rail traffic event analysis system and method based on big data
CN111865899B (en) * 2020-06-02 2021-07-13 中国科学院信息工程研究所 Threat-driven cooperative acquisition method and device
CN111709022B (en) * 2020-06-16 2022-08-19 桂林电子科技大学 Hybrid alarm association method based on AP clustering and causal relationship
CN111767730B (en) * 2020-07-07 2023-09-22 腾讯科技(深圳)有限公司 Event type identification method and device
CN112688956B (en) * 2020-12-29 2023-04-28 科来网络技术股份有限公司 Real-time security detection method and system based on association rule
CN114143020B (en) * 2021-09-06 2023-10-31 北京许继电气有限公司 Rule-based network security event association analysis method and system
CN114374597A (en) * 2021-12-27 2022-04-19 浪潮通信信息系统有限公司 Fault processing method, device, equipment and product of network event

Also Published As

Publication number Publication date
CN1878093A (en) 2006-12-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20090722)