CN101034974A - Associative attack analysis and detection method and device based on the time sequence and event sequence - Google Patents

Associative attack analysis and detection method and device based on the time sequence and event sequence

Info

Publication number: CN101034974A
Authority: CN (China)
Application number: CNA2007100649337A
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 陈宇, 王洋, 李博, 王鸿鹏, 焦玉峰
Original assignee: BEIJING QIMING XINGCHEN INFORMATION TECHNOLOGY Co Ltd
Current assignee (as listed by Google Patents): BEIJING QIMING XINGCHEN INFORMATION TECHNOLOGY Co Ltd; Beijing Venus Information Technology Co Ltd
Priority date: 2007-03-29
Filing date: 2007-03-29
Publication date: 2007-09-12

Abstract

The invention relates to an association analysis attack detection method and device based on time series and event sequences, in the field of networks whose function is data exchange; it is a method and device for preventing data from being taken out of a data transmission channel without authorisation. The method provides a text-based description language for complex attacks, so that users can modify the built-in correlation features and add the features of new correlation events. The invention comprises a basic event rule base, association analysis rules, a first-level detection engine and an association analysis engine. The whole attack process is described more completely and reasonably by taking both the time factor and the order of events into account; such description and detection, which distinguishes basic events more finely, better meets the requirements of attack detection. The invention also describes the relationship between alarm events and non-alarm events.

Description

Association analysis attack detection method and device based on time series and event sequences
Technical field
The association analysis attack detection method and device based on time series and event sequences of the present invention relate to networks whose function is data exchange. It is a method for preventing data from being taken out of a data transmission channel without authorisation, and a core key technology, method and apparatus for Network Intrusion Detection Systems (NIDS).
Background art
A Network Intrusion Detection System (NIDS) is installed on the protected network segment. Its packet-capturing network interface card is set to promiscuous mode so that the packets flowing past are captured and analysed, and behaviour that violates the rules of normal behaviour is responded to and alarmed on. At present a NIDS generally uses two classes of technique to detect security events: signature matching on network data, and anomaly detection based on network traffic behaviour. Traditional detection methods usually use signature matching: each packet transmitted on the network is matched one by one against the intrusion signature database, and if attack signature data is found in the network data, a signature event is generated and an event alarm is raised (the event that is alarmed on is called a network signature event here).
The shortcoming of signature matching is that it can only describe a fragment of the attack process, so during detection it can likewise only detect attack fragments. This largely accounts for both the false-alarm rate and the missed-alarm rate being very high, and such detection also cannot detect attacks whose signatures are unknown. Because traditional signature matching has these defects, this document proposes a new detection technique: association analysis detection based on time series and event sequences. This technique applies association analysis between events and describes an attack by its action process, which makes the description of an attack more complete and accurate, improves the accuracy of the alarms raised by the NIDS, and to a large extent allows attacks of unknown type to be detected.
In existing NIDS products, the association analysis methods available are mainly simple time-series-based detection of attack sequences keyed on time, and simple correlation between alarm events based on event sequence. Both are essentially one-dimensional analysis techniques, i.e. only a time dimension or only an event dimension exists, so they have the following limitations:
1. One-dimensional correlation is too simple: it does not consider the time-series characteristic and the associated event-sequence characteristic of an attack at the same time, so it still cannot describe a complex attack completely and accurately.
2. The simple event-sequence-based detection method cannot accurately distinguish the subordination relationships between attacks; it can only correlate events coarsely by IP address and cannot locate the relationship between events at the session level by the four-tuple.
Summary of the invention
The object of the present invention is to design a description and detection method for complex attack events. The method provides a text-based description language for complex attack events; on the basis of single attacks it performs time-series analysis of single event sequences and thereby detects the attacks occurring in the network. The description method provides a user interface that is simple and easy to deploy, so that users and developers can modify the built-in correlation features in the field and can also add the features of new correlation events in the field.
The technical solution adopted by the present invention is as follows. The association analysis attack detection method based on time series and event sequences comprises a basic event rule base, an association analysis rule base, a first-level detection engine and an association analysis engine, and the following operating steps:
a step of defining basic event rules;
a step of defining association analysis rules;
a step of detecting the basic events that meet the association analysis conditions;
a step of performing time-series and event-sequence analysis on the basic events;
a step of raising an alarm.
The step of defining basic event rules comprises the sub-steps of:
defining the manifestation and characteristics of the behaviour of each single attack fragment as a basic event rule;
adding each basic event rule to the basic event rule base.
The step of defining association analysis rules comprises the sub-steps of:
defining, for each attack event, the behaviour formed in chronological order by several single attack fragments as a behaviour sequence rule;
adding each behaviour sequence rule to the association analysis rule base.
The step of detecting the basic events that meet the association analysis conditions comprises the sub-steps of:
performing simple pattern-matching feature detection on the messages in the network;
reporting the basic events of correlation events to the association analysis engine.
The step of performing time-series and event-sequence analysis on the basic events comprises the sub-steps of:
association analysis within the same session four-tuple;
association analysis between different session four-tuples;
association analysis of basic events occurring within a limited time interval;
association analysis of the existence condition of a basic event;
association analysis of the non-existence of a basic event;
judging whether the set of basic events satisfies the association analysis definition rule.
The association analysis attack detection device based on time series and event sequences comprises:
a basic event definition unit that defines the manifestation and characteristics of the behaviour of each single attack fragment as basic event rules;
an association analysis rule definition unit that defines, for each attack event, the behaviour formed in chronological order by several single attack fragments as a behaviour sequence rule;
a first-level detection engine that detects the basic events meeting the association analysis conditions;
an association analysis engine that performs time-series and event-sequence analysis on the basic events;
an association alarm device that raises an alarm for events satisfying the association analysis definition rule.
The basic event definition unit comprises:
a basic event rule definition device that defines the manifestation and characteristics of the behaviour of each single attack fragment as basic event rules;
a basic event rule base that stores the basic event rules.
The association analysis rule definition unit comprises:
an association analysis rule definition device that defines, for each attack event, the behaviour formed in chronological order by several single attack fragments as a behaviour sequence rule;
an association analysis rule base that stores the behaviour sequence rules.
The beneficial effects of the invention are as follows:
1. Compared with detection by simple signature matching, the present invention raises detection from matching some single feature that happens to be present in the attack process to matching the whole attack process, and raises the description of an attack from describing a fragment of it to describing the whole attack process; the description of the attack is therefore more complete and reasonable, and detection of the attack is more accurate.
2. The method considers the time factor and the order between events at the same time, so two dimensions are used simultaneously both to describe and to detect an attack; such description and detection better meet the requirements of attack detection, and so the technique better guarantees the accuracy of the detection results.
3. The present invention further differentiates basic events into correlation events within a session and correlation events between sessions. This digs deeper into the distinctions between basic events and describes them, so that complex attacks occurring within a session can be distinguished from complex attacks between sessions.
4. Compared with traditional methods, the present invention describes not only the association relationships between IDS alarm events but also those between non-alarm events and alarm events. This makes the associations between events more varied and more rational, lets detection distinguish further between events that occur and events that do not occur, and improves detection accuracy.
Description of drawings
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 is a block diagram of the operating principle of the method of the invention.
Fig. 2 is a block diagram of the principle of the device of the invention.
Embodiments
Embodiment one:
First, the terms used in this patent are defined:
Single attack: an attack detected by signature matching.
Single event sequence: an attack sequence composed of single attacks.
Association analysis: analysis of the associations between the attacks in a single event sequence.
Basic event: a single attack that is present in a single event sequence and requires association analysis.
Session four-tuple: the group formed by the four elements source IP, destination IP, source port and destination port of a TCP connection.
The association analysis attack detection method based on time series and event sequences of this embodiment, whose operating principle is shown in the block diagram of Fig. 1, works on the basis of captured network packets: the traffic data is comprehensively counted, analysed and detected; after single-step attacks have been detected, these attacks are analysed in two dimensions, the time dimension and the event-sequence dimension; and on the basis of that analysis the detection result, whether an associated attack exists in the network, is obtained.
The method comprises the following steps:
(1) Define the manifestation and characteristics of the behaviour of each single attack fragment as a basic event rule, and add each basic event rule to the basic event rule base.
(2) Define, for each attack event, the behaviour formed in chronological order by several single attack fragments as a behaviour sequence rule, and add each behaviour sequence rule to the association analysis rule base.
(3) The first-level detection engine performs simple pattern-matching feature detection on the messages in the network and reports the basic events of correlation events to the association analysis engine.
(4) The association analysis engine performs time-series analysis and event-sequence analysis on the basic events reported by the first-level detection engine and judges the result of the analysis.
Defining the behavioural features of single attack fragments:
Only behaviour that matches the feature of a single event fragment needs further analysis by the association analysis engine. For example, the behavioural feature of a single event fragment can be set to a scan of port 135 on the network with protocol MSRPC; then only scan events that satisfy this condition are passed to the behaviour correlation engine for further analysis, and all events meeting the condition are called basic events of the correlation event.
The basic events of a correlation event can match not only the layer 3 and layer 4 content of network packets; by using the session four-tuple and protocol analysis techniques they can also perform fine-grained pattern matching on packets of any protocol in the network, which improves the accuracy with which the basic events of correlation events are reported.
The first-level detection engine reports the basic events of correlation events according to the match results. The report of a basic event generally contains the event ID, the time of occurrence and the session four-tuple of the basic event.
Defining the behavioural features of correlation events:
The association analysis engine first groups the reported basic events by session four-tuple, dividing them into basic events within a session four-tuple and basic events between session four-tuples. It adds each basic event to the correlation event queue of the associated session, or to the queue between sessions, and updates the state of that correlation event queue; if the state of a correlation event satisfies the attack state flag defined for that correlation event, the corresponding association analysis event is reported.
A correlation event feature means that an attack is cut up in advance into several key steps, and the time sequence in which these key steps can occur is defined, each key step corresponding to one specific basic event. In other words, if these basic events occur in the predefined time sequence, the attack represented by the correlation event is considered to have taken place.
A correlation event can define attacks in several situations, specifically:
1) association analysis within the same session four-tuple;
2) association analysis between different session four-tuples;
3) association analysis of basic events occurring within a limited time interval;
4) association analysis of the existence condition of a basic event;
5) association analysis of the non-existence of a basic event.
Under certain conditions these situations can be combined to describe still more complex attacks and so detect complex attack behaviour accurately.
To detect the five kinds of complex attack behaviour above in a uniform way, the present invention adopts a definition grammar for association analysis, so that when an association analysis feature is defined only a new association analysis rule expression has to be added to the rule file, and no program code needs to be changed.
Association analysis rule grammar:
The formal syntax of the association analysis feature definition language is as follows:
association analysis rule ::= basic event rule unit [unit relation basic event rule unit]
basic event rule unit ::= protocol variable comparison operator value
protocol variable ::= an expression identifying a protocol feature
comparison operator ::= <, >, =, !, ~
unit relation ::= & or |
value ::= character string or decimal number
Explanation:
1) An association analysis basic event expression is divided by & or | into several basic event rule units, each of which is a Boolean. If the units are joined by &, the association basic rule matches only when all of the units are true; if they are joined by |, the association analysis basic rule matches as soon as any one of the units is true.
2) The association analysis basic rules are joined to one another with "-", which expresses the order in which the basic events occur.
3) The right-hand side of the comparison operators < and > is a numeric value.
4) Association analysis basic events are marked with associ_base, in-session association analysis events with associ_4key and cross-session association analysis events with associ_2key; both kinds of association analysis event can use the same association analysis basic events.
5) Two existence conditions can be defined for an association analysis basic event: that a certain basic event exists, and that a certain basic event does not exist. "Exists" means that, for the correlation to alarm successfully, the basic event must have occurred; "does not exist" means that, for the correlation to alarm successfully, the basic event must not have occurred.
6) The basic events of an association analysis event are the event fragments reported in real time by the first-level detection engine.
7) The method can define the time interval between the basic events of an association analysis event, i.e. it can stipulate that the interval between two successive association analysis basic events may not exceed a given value; otherwise, even if all the basic events of the association analysis event occur in the required order, no correlation event alarm is produced.
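Worked example of the rule grammar above, added here for illustration; it is not code from the patent or from the applicant's product. It compiles basic event rules written as units of the form "protocol variable comparison operator value" joined by & and |, and runs them as a first-level engine over a few constructed, already-decoded packets, reporting the event ID, time of occurrence and session four-tuple that item 6) and the description of the first-level engine call for. The protocol variable names (proto, tcp_handshake_done, dst_port, smb_command, rpc_uuid, rpc_arg_len), the operator set (= != < > ~), the precedence of & over | and the rule texts are assumptions; the event IDs, ports, SMB command and UUID are the ones quoted in the MSRPC example that follows.

```python
# Added example (not the patent's code): a minimal first-level detection engine
# that evaluates basic event rules written in the patent's grammar, i.e. units
# "<protocol variable> <comparison operator> <value>" joined by & (all must
# hold) or | (any must hold). Variable names, the operator set and the rule
# texts below are assumptions; & is assumed to bind tighter than |.
import operator
import re

OPS = {
    "=": operator.eq,
    "!=": operator.ne,
    "<": operator.lt,
    ">": operator.gt,
    "~": lambda field, pattern: re.search(pattern, str(field)) is not None,
}
UNIT_RE = re.compile(r"^\s*(\w+)\s*(!=|=|<|>|~)\s*(\S+)\s*$")
NUMBER_RE = re.compile(r"-?\d+|0x[0-9a-fA-F]+")


def parse_unit(text):
    """'dst_port = 445' -> (variable, compare function, typed value)."""
    m = UNIT_RE.match(text)
    if not m:
        raise ValueError(f"bad basic event rule unit: {text!r}")
    var, op, raw = m.groups()
    value = int(raw, 0) if NUMBER_RE.fullmatch(raw) else raw
    return var, OPS[op], value


def compile_rule(text):
    """Split on | into OR-groups, each an AND-list of parsed units."""
    return [[parse_unit(u) for u in group.split("&")] for group in text.split("|")]


def rule_matches(rule, pkt):
    """True if any OR-group has every unit satisfied by the decoded packet."""
    return any(
        all(var in pkt and cmp(pkt[var], value) for var, cmp, value in group)
        for group in rule
    )


# Basic event rules for the three MSRPC events quoted on this page, written in
# the grammar (rule texts and variable names are assumptions).
BASIC_RULES = {
    0x95635A3C: "proto = msrpc & tcp_handshake_done = 1 & dst_port = 445"
                " | proto = msrpc & tcp_handshake_done = 1 & dst_port = 135",
    0x95635A3D: "proto = msrpc & smb_command = 0x25"
                " & rpc_uuid = 8d9f4e40-a03d-11ce-8f69-08003e30051b",
    0x95635A3E: "proto = msrpc & rpc_arg_len > 256",
}


def first_level_detect(packets, rules=BASIC_RULES):
    """Report (event id, timestamp, session 4-tuple) for every rule a packet satisfies."""
    compiled = {eid: compile_rule(text) for eid, text in rules.items()}
    reported = []
    for pkt in packets:
        session = (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"])
        for eid, rule in compiled.items():
            if rule_matches(rule, pkt):
                reported.append({"event_id": eid, "ts": pkt["ts"], "session": session})
    return reported


def _pkt(ts, src_port, dst_port, **fields):
    base = {"ts": ts, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
            "src_port": src_port, "dst_port": dst_port}
    base.update(fields)
    return base


# Constructed decoded packets (the output of protocol analysis, not captured data).
SAMPLE_PACKETS = [
    _pkt(0.0, 4931, 445, proto="msrpc", tcp_handshake_done=1),
    _pkt(0.2, 4931, 445, proto="msrpc", smb_command=0x25,
         rpc_uuid="8d9f4e40-a03d-11ce-8f69-08003e30051b", rpc_arg_len=64),
    _pkt(0.5, 4931, 445, proto="msrpc", smb_command=0x25,
         rpc_uuid="8d9f4e40-a03d-11ce-8f69-08003e30051b", rpc_arg_len=1024),
    _pkt(0.7, 5100, 80, proto="http", rpc_arg_len=4096),  # not MSRPC: no event
]


if __name__ == "__main__":
    for ev in first_level_detect(SAMPLE_PACKETS):
        print(hex(ev["event_id"]), ev["ts"], ev["session"])
```

Run against the constructed packets, first_level_detect reports four basic events: the connection request on the first packet, the Printer call on the second, and both the Printer call and the overlong-parameter event on the third, since a single packet can satisfy more than one basic event rule; the HTTP packet produces nothing because every rule requires proto = msrpc.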
Example of basic event and correlation event rules:
Define the basic events of three correlation events: the first is MSRPC_connection request, with event ID 0x95635a3c; the second is MSRPC_Printer printf call, with event ID 0x95635a3d; the third is MSRPC_function call parameter overlong, with event ID 0x95635a3e. Then:
1) If the NIDS detects that the service requested in a session is MSRPC, it reports an event, the MSRPC connection request; the main criterion for detecting this event is the completion of the TCP three-way handshake on port 445 or port 135.
2) After the first basic event, the MSRPC connection request, has been produced, if a connection request directed at the Printer service is found in subsequent messages of the same session, the second basic event, the MSRPC_Printer printf call, is reported; the key detection points for this event are that the command in the SMB header is 0x25 and that the UUID of the MSRPC request is 8d9f4e40-a03d-11ce-8f69-08003e30051b.
3) Once the second basic event has been detected, if the function parameter carried by MSRPC in this session is found to exceed 256 bytes, the third basic event is reported: MSRPC_function call parameter overlong.
4) Define the MSRPC_Printer buffer overflow attack event. Its type is in-session association analysis, its protocol type is MSRPC, and its basic events are the three basic events above; the association analysis event is defined as: the event with ID 0x95635a3c occurs, then the event with ID 0x95635a3d occurs, then the event with ID 0x95635a3e occurs.
5) If the three association analysis basic events above occur in that order, the correlation event MSRPC_Printer buffer overflow attack is reported.
Processing procedure of the association analysis engine:
The association analysis engine first reads in the rule definition of each basic event in turn and initialises the rule of each basic event into the basic event rule set.
After the basic event rule set has been initialised, the match rules of the correlation events are loaded. The match rule of a correlation event is stored in a linear data structure; each node of this linear structure holds the ID of one basic event in the correlation event match rule, and each node is also initialised with the association analysis state value corresponding to that node.
Once initialisation is complete, the association analysis detection phase is entered. First, the first-level event detection engine compares the messages in the network one by one against each rule in the basic event rule set. If the rule of some basic event is satisfied, the linked list of the correlation event associated with that basic event is found by following the pointer chain, and the state of the basic event in that list is set to 1, i.e. occurred (the default value is not occurred).
Whenever the state of some basic event in an association analysis linked list is set to occurred, that linked list must be checked immediately; if all of its events are found to have been triggered, the association analysis event is reported at once.
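Worked example covering both the MSRPC_Printer example and the processing procedure of the association analysis engine above, added here for illustration; it is not the patent's or the applicant's code. It keeps, per rule and per grouping key, the index of the next expected basic event and the time of the last matched one, which is the per-node state the linked-list description calls for, but it accepts a step only after the preceding one, as item 5) of the example requires, rather than checking only that every basic event has been triggered. The same three-event sequence is defined twice: once as an in-session (associ_4key) rule keyed on the session four-tuple and once as a cross-session (associ_2key) rule keyed on the IP pair, each with a maximum gap of 30 seconds between steps and a non-existence condition. The 30 s window, the hypothetical RPC_BIND_REJECTED event ID used for the non-existence condition, and the IP addresses, ports and timestamps are constructed for the example; the three MSRPC event IDs are the ones on the page.

```python
# Added example (not the patent's code): an association analysis engine that
# consumes basic events (id, timestamp, session 4-tuple) reported by the
# first-level engine and matches them against ordered rules scoped to one TCP
# session (associ_4key) or to an IP pair across sessions (associ_2key), with a
# maximum inter-step gap and a "must not occur" (non-existence) condition.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Event ids from the MSRPC_Printer example on this page.
MSRPC_CONNECT = 0x95635A3C
MSRPC_PRINTER_CALL = 0x95635A3D
MSRPC_ARG_OVERLONG = 0x95635A3E
# Hypothetical id (not from the patent) for an event that contradicts the attack.
RPC_BIND_REJECTED = 0x0000FF01

BasicEvent = namedtuple("BasicEvent", "event_id ts src_ip dst_ip src_port dst_port")


def session_key(ev, scope):
    """4key: the full session 4-tuple; 2key: the IP pair only."""
    if scope == "4key":
        return (ev.src_ip, ev.dst_ip, ev.src_port, ev.dst_port)
    return (ev.src_ip, ev.dst_ip)


@dataclass(frozen=True)
class AssocRule:
    name: str
    scope: str                           # "4key" (in-session) or "2key" (cross-session)
    sequence: tuple                      # basic event ids in the required order
    max_gap: Optional[float] = None      # max seconds between consecutive steps
    forbidden: frozenset = frozenset()   # ids whose occurrence cancels a partial match


class AssocEngine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}   # (rule name, key) -> (index of next step, ts of last step)
        self.alerts = []  # (rule name, key, ts of final step)

    def feed(self, ev):
        for rule in self.rules:
            k = (rule.name, session_key(ev, rule.scope))
            step, last_ts = self.state.get(k, (0, None))
            if ev.event_id in rule.forbidden:
                self.state.pop(k, None)          # non-existence condition violated
                continue
            if ev.event_id != rule.sequence[step]:
                continue                         # not the step expected next
            if last_ts is not None and rule.max_gap is not None \
                    and ev.ts - last_ts > rule.max_gap:
                self.state.pop(k, None)          # time window exceeded: start over
                if ev.event_id != rule.sequence[0]:
                    continue
                step = 0
            step += 1
            if step == len(rule.sequence):
                self.alerts.append((rule.name, k[1], ev.ts))
                self.state.pop(k, None)
            else:
                self.state[k] = (step, ev.ts)


def build_engine():
    seq = (MSRPC_CONNECT, MSRPC_PRINTER_CALL, MSRPC_ARG_OVERLONG)
    veto = frozenset({RPC_BIND_REJECTED})
    return AssocEngine([
        AssocRule("MSRPC_Printer_bof", "4key", seq, max_gap=30.0, forbidden=veto),
        AssocRule("MSRPC_Printer_bof_2key", "2key", seq, max_gap=30.0, forbidden=veto),
    ])


# Constructed stream (not captured data): (event id, ts, source ip, source port);
# the destination is always 10.0.0.9:445.
SAMPLE = [
    # Session A: all three steps, in order, in one TCP session -> both rules fire.
    (MSRPC_CONNECT, 0.0, "10.0.0.5", 4931),
    (MSRPC_PRINTER_CALL, 0.2, "10.0.0.5", 4931),
    (MSRPC_ARG_OVERLONG, 0.5, "10.0.0.5", 4931),
    # Host pair B: steps spread over two sessions -> only the 2key rule fires.
    (MSRPC_CONNECT, 1.0, "10.0.0.7", 5100),
    (MSRPC_PRINTER_CALL, 1.2, "10.0.0.7", 5101),
    (MSRPC_ARG_OVERLONG, 1.4, "10.0.0.7", 5100),
    # Session C: a forbidden event between the steps cancels the match -> no alert.
    (MSRPC_CONNECT, 2.0, "10.0.0.6", 5300),
    (RPC_BIND_REJECTED, 2.1, "10.0.0.6", 5300),
    (MSRPC_PRINTER_CALL, 2.2, "10.0.0.6", 5300),
    (MSRPC_ARG_OVERLONG, 2.3, "10.0.0.6", 5300),
    # Session D: the last step arrives after the 30 s window -> no alert.
    (MSRPC_CONNECT, 3.0, "10.0.0.8", 5200),
    (MSRPC_PRINTER_CALL, 3.1, "10.0.0.8", 5200),
    (MSRPC_ARG_OVERLONG, 40.0, "10.0.0.8", 5200),
]


def run_demo():
    """Feed the sample stream and return the association alerts raised."""
    engine = build_engine()
    for eid, ts, src_ip, src_port in SAMPLE:
        engine.feed(BasicEvent(eid, ts, src_ip, "10.0.0.9", src_port, 445))
    return engine.alerts


if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

run_demo() feeds the four constructed scenarios and returns three alerts: both rules fire for session A, only the cross-session rule fires when the steps are spread over two connections of the same host pair, and neither fires when a forbidden event interrupts the sequence or when the final step arrives outside the window. Keying the state on the grouping key is what keeps steps from unrelated sessions from being combined, which is the session-level distinction the background section says coarse IP-based correlation lacks.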
Embodiment two:
The association analysis attack detection device based on time series and event sequences, whose block diagram is shown in Fig. 2, comprises:
a basic event definition unit, an association analysis rule definition unit, a first-level event detection engine and an association analysis detection engine.
Basic event definition unit: this unit mainly completes the definition of the basic events needed by association analysis events, i.e. the definition of event fragments. Basic events can be defined at any protocol layer, and can be given complex definitions using the & and | operators.
Association analysis rule definition unit: this module mainly completes the definition of association analysis events and defines the relationships between basic events. The definition must consider two factors: the chronological order of the occurrence times of the basic events, and the event order between the fragment events (which may be unrelated to chronological order).
First-level detection engine: the task of this engine is to match the network messages one by one against the definitions of the association analysis basic events and to report the association analysis basic events it detects. To guarantee the accuracy of detecting event fragments, this module uses key techniques such as protocol analysis, protocol self-identification, stream reassembly, fragment reassembly, preprocessing and pattern matching.
Association analysis detection engine: this engine further organises the association analysis basic events reported by the first-level engine and judges whether the set of basic events satisfies the association analysis definition rules; if so, it reports the association analysis event.

Claims (8)

1. An association analysis attack detection method based on time series and event sequences, comprising a basic event rule base, an association analysis rule base, a first-level detection engine and an association analysis engine, characterised in that it comprises the steps of:
defining basic event rules;
defining association analysis rules;
detecting the basic events that meet the association analysis conditions;
performing time-series and event-sequence analysis on the basic events;
raising an alarm.
2. The association analysis attack detection method based on time series and event sequences according to claim 1, characterised in that the step of defining basic event rules comprises the sub-steps of:
defining the manifestation and characteristics of the behaviour of each single attack fragment as a basic event rule;
adding each basic event rule to the basic event rule base.
3. The association analysis attack detection method based on time series and event sequences according to claim 1, characterised in that the step of defining association analysis rules comprises the sub-steps of:
defining, for each attack event, the behaviour formed in chronological order by several single attack fragments as a behaviour sequence rule;
adding each behaviour sequence rule to the association analysis rule base.
4. The association analysis attack detection method based on time series and event sequences according to claim 1, characterised in that the step of detecting the basic events that meet the association analysis conditions comprises the sub-steps of:
performing simple pattern-matching feature detection on the messages in the network;
reporting the basic events of correlation events to the association analysis engine.
5. The association analysis attack detection method based on time series and event sequences according to claim 1, characterised in that the step of performing time-series and event-sequence analysis on the basic events comprises the sub-steps of:
association analysis within the same session four-tuple;
association analysis between different session four-tuples;
association analysis of basic events occurring within a limited time interval;
association analysis of the existence condition of a basic event;
association analysis of the non-existence of a basic event;
judging whether the set of basic events satisfies the association analysis definition rule.
6. An association analysis attack detection device based on time series and event sequences, comprising:
a basic event definition unit that defines the manifestation and characteristics of the behaviour of each single attack fragment as basic event rules;
an association analysis rule definition unit that defines, for each attack event, the behaviour formed in chronological order by several single attack fragments as a behaviour sequence rule;
a first-level detection engine that detects the basic events meeting the association analysis conditions;
an association analysis engine that performs time-series and event-sequence analysis on the basic events;
an association alarm device that raises an alarm for events satisfying the association analysis definition rule.
7. The association analysis attack detection device based on time series and event sequences according to claim 6, characterised in that the basic event definition unit comprises:
a basic event rule definition device that defines the manifestation and characteristics of the behaviour of each single attack fragment as basic event rules;
a basic event rule base that stores the basic event rules.
8. The association analysis attack detection device based on time series and event sequences according to claim 6, characterised in that the association analysis rule definition unit comprises:
an association analysis rule definition device that defines, for each attack event, the behaviour formed in chronological order by several single attack fragments as a behaviour sequence rule;
an association analysis rule base that stores the behaviour sequence rules.
Application CNA2007100649337A, priority date 2007-03-29, filing date 2007-03-29: Associative attack analysis and detection method and device based on the time sequence and event sequence. Status: Pending. Published as CN101034974A (en) on 2007-09-12.
CN103945422B (en) * 2013-01-22 2017-06-20 中国移动通信集团山东有限公司 A kind of method and apparatus being controlled to work order
CN103116724B (en) * 2013-03-14 2015-08-12 北京奇虎科技有限公司 The method of locator(-ter) sample hazardous act and device
CN103116724A (en) * 2013-03-14 2013-05-22 北京奇虎科技有限公司 Method and device for detecting dangerous behavior of program sample
CN105659245A (en) * 2013-11-06 2016-06-08 迈克菲公司 Context-aware network forensics
CN104468545A (en) * 2014-11-26 2015-03-25 中国航天科工集团第二研究院七〇六所 Network security correlation analysis method based on complex event processing
CN105592044A (en) * 2015-08-21 2016-05-18 杭州华三通信技术有限公司 Message attack detection method and device
CN105592044B (en) * 2015-08-21 2019-05-07 新华三技术有限公司 Message aggression detection method and device
CN105681274A (en) * 2015-12-18 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Original warning information processing method and device
CN105681274B (en) * 2015-12-18 2019-02-01 北京神州绿盟信息安全科技股份有限公司 A kind of method and device of original alarm information processing
CN106921608A (en) * 2015-12-24 2017-07-04 华为技术有限公司 One kind detection terminal security situation method, apparatus and system
CN106921608B (en) * 2015-12-24 2019-11-22 华为技术有限公司 A kind of detection terminal security situation method, apparatus and system
US10735374B2 (en) 2015-12-24 2020-08-04 Huawei Technologies Co., Ltd. Method, apparatus, and system for detecting terminal security status
US11431676B2 (en) 2015-12-24 2022-08-30 Huawei Technologies Co., Ltd. Method, apparatus, and system for detecting terminal security status
CN109791402A (en) * 2016-10-06 2019-05-21 三菱电机株式会社 Time series data processing unit
CN107481039A (en) * 2017-07-27 2017-12-15 平安科技(深圳)有限公司 A kind of event-handling method and terminal device
CN108616381A (en) * 2018-02-28 2018-10-02 北京奇艺世纪科技有限公司 A kind of event correlation alarm method and device
CN108616381B (en) * 2018-02-28 2021-10-15 北京奇艺世纪科技有限公司 Event correlation alarm method and device
CN112688956A (en) * 2020-12-29 2021-04-20 成都科来网络技术有限公司 Real-time safety detection method and system based on association rule
CN112688956B (en) * 2020-12-29 2023-04-28 科来网络技术股份有限公司 Real-time security detection method and system based on association rule

Similar Documents

Publication Publication Date Title
CN101034974A (en) Associative attack analysis and detection method and device based on the time sequence and event sequence
CN1741526A (en) Method and system for detecting exception flow of network
CN1845066A (en) Automatic protocol recognition method and system
CN101035111A (en) Intelligent protocol parsing method and device
CN1655518A (en) Network security system and method
CN1829953A (en) Method and system for displaying network security incidents
CN1771709A (en) Network attack signature generation
CN108337266B (en) Efficient protocol client vulnerability discovery method and system
CN101039326A (en) Service flow recognition method, apparatus and method and system for defending distributed refuse attack
JP5066544B2 (en) Incident monitoring device, method, and program
CN1578227A (en) Dynamic IP data packet filtering method
CN101075256A (en) System and method for real-time auditing and analyzing database
CN1878093A (en) Security event associative analysis method and system
CN110912889A (en) Network attack detection system and method based on intelligent threat intelligence
CN1725709A (en) Method of linking network equipment and invading detection system
CN109766694A (en) Program protocol white list linkage method and device of industrial control host
CN104022924A (en) Method for detecting HTTP (hyper text transfer protocol) communication content
CN1866283A (en) System and method for implementing regular system triggering
CN109951419A (en) A kind of APT intrusion detection method based on attack chain attack rule digging
CN110460611A (en) Full flow attack detecting technology based on machine learning
CN113542311B (en) Method for detecting and backtracking defect host in real time
CN1878322A (en) Fault positioning method and device
CN110839042B (en) Flow-based self-feedback malicious software monitoring system and method
KR100846835B1 (en) Method and apparatus for Security Event Correlation Analysis based on Context Language
CN1257632C (en) Firm gateway system and its attack detecting method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20070912