CN101562537A - Distributed self-optimized intrusion detection alarm associated system - Google Patents


Info

Publication number: CN101562537A
Authority: CN (China)
Prior art keywords: warning, module, database, information, alarm
Legal status: Granted
Application number: CNA200910062128XA
Other languages: Chinese (zh)
Other versions: CN101562537B
Inventors: 王乘, 蒋少华
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology
Events:
Application filed by Huazhong University of Science and Technology
Priority to CN200910062128XA
Publication of CN101562537A
Application granted
Publication of CN101562537B
Current legal status: Expired - Fee Related


Abstract

The invention discloses a distributed self-optimizing intrusion detection alert correlation system, which comprises a local alert correlation analysis module, a system response component, a global correlation analysis module, a human-computer interface module, an intrusion detection unit and a plurality of databases. The system uses the characteristics of the intrusion detection system, alert confidence weight information and similar data to improve the accuracy rate and reduce the quantity of data processed; it can reach an optimized configuration automatically by means of three feedback loops, avoiding the influence of erroneous configuration; and through the combination of local correlation and global correlation it supports distributed application environments and extensibility. The system response component can automatically execute the related response actions, which reduces the workload of the security administrator and gains more response time, and the human-computer interface module provides a convenient and quick management interface for the security administrator, lowering the threshold for using the system. The system overcomes the defects of prior systems, remarkably improves detection accuracy and efficiency, can defend against distributed large-scale intrusions, and is suitable for modern distributed network application environments.

Description

Distributed self-optimized intrusion detection alarm associated system
Technical field
The invention belongs to the field of network security technology and specifically relates to a distributed self-optimizing intrusion detection alert correlation system.
Background technology
Among the mainstream security technologies at present, the strategy of the firewall determines that it can only act as a barrier at the network boundary: it cannot guard against attacks that do not pass through the firewall, and it is also hard-pressed to guard against attacks from inside the network and the threat of network worms. Current secure isolation technologies commonly suffer from high construction and maintenance cost, inconvenient use, poor availability, slow transmission, a high hardware failure rate, and the need for dedicated communication hardware and proprietary exchange protocols, which limits their range of application. Security evaluation technology cannot adopt different preventive means according to different attack patterns to guarantee network security. Intrusion detection technology, as the key active defence technique, provides real-time protection against internal attacks, external attacks and misoperation, and can intercept an intrusion before the network system is harmed, so it has received wide attention. Yet existing intrusion detection technology still has various deficiencies: false positives and false negatives remain the main problem restricting its development; it lacks the functions of convergent analysis of security incidents and aggregated decision-making; it lacks a global view of the network security situation; it cannot clearly discover new and unknown attack patterns; it is difficult for it to predict and guard against large-scale attacks that are correlated and coordinated; it has not achieved coordinated response and cooperation with other security protection facilities; and the real intrusion intent is drowned in the massive volume of raw alerts the intrusion detection system (IDS) produces, making it difficult for the network security manager to make correct judgements.
Alert correlation analysis (Association Analysis) is an effective technique for addressing these problems; it mainly mines correlations among the data in a database. Two common correlation techniques are association rules and sequential patterns: association rules look for correlations between items that occur in the same event, while sequential patterns look for temporal correlations between events.
Correlation analysis can classify, merge and correlate alert records, fusing the alerts related to the same attack into one new alert, thereby reducing the number of alerts and enabling the network security manager to make correct judgements and take suitable measures to correct the problems revealed by a network intrusion. Alert fusion uses the raw alerts of an attack to generate a new alert that makes the concrete attack explicit; alert correlation applies a correlation function to the new alerts produced by fusion, providing network security management personnel with explicit intrusion attack information. The purpose of applying correlation analysis is not only to extract definite attacks from a large number of alerts, but also to judge the false positive information of the intrusion detection system (IDS) and to give the network security manager a basis for adjusting security strategy and configuration, thereby improving the practicality of the IDS and strengthening the security of the network.
In order to make full use of the advantages of the various detection techniques and detection products, so that they complement each other's strengths and weaknesses and the real-time security situation of the whole network becomes known, many alert correlation systems have been proposed, but these architectures commonly have the following deficiencies:
1. Lack of integration of multiple detection techniques: signature-based intrusion detection systems have the advantage of high confidence but the disadvantage of a high false negative rate, while anomaly-based intrusion detection systems have a low false negative rate but a high false positive rate; some products detect accurately but need a long time to do so, while others have a short detection response time but low accuracy.
2. Lack of optimized selection among correlation results: there are many correlation results based on association rules and sequential patterns, and which of them is closest to the real security situation? There is still a lack of practical techniques that combine the intrusions that have already occurred to predict follow-up intrusion behaviour and to correct the predictions.
3. Lack of support for distributed environments: with the development of information technology the scale of networks keeps growing, and a traditional centrally processed intrusion detection system can hardly avoid a single point of failure or defend against DDoS (Distributed Denial of Service) attacks.
4. The characteristics of the target system are not considered when reporting and handling intrusions.
5. Lack of consideration of the geometric display of alerts; the displayed alert information does not include information about the timing of the intrusion response.
6. Existing intrusion detection alert correlation frameworks cannot configure and optimize themselves automatically: the system configuration cannot converge to an optimal state on its own, and the system cannot change its own configuration according to usage to improve accuracy and stability.
Summary of the invention
The object of the invention is to overcome the above shortcomings by proposing a distributed self-optimizing intrusion detection alert correlation system. This system solves the problems of poor reliability, low efficiency and lack of automatic optimization that exist in general intrusion detection alert correlation systems, can effectively improve detection accuracy and efficiency, and is suited to modern distributed network application environments.
The distributed self-optimizing intrusion detection alert correlation system provided by the invention comprises an alert database, a monitored system information database, an intrusion detection system characteristics database, an association knowledge base, a local alert correlation analysis module, a system response component, an alert confidence weight information database, an intrusion intent prediction candidate database, a target system information database, a global correlation analysis module, a human-machine interface module and at least one intrusion detection unit; each intrusion detection unit includes an alert aggregation and fusion module, at least one detection agent module and at least one alert filtering and normalization module;
The alert database stores the normalized alert information;
The monitored system information database stores the characteristic information of the monitored systems, including the operating system a monitored system uses and the system vulnerabilities it has;
The intrusion detection system characteristics database stores the characteristics of the intrusion detection units themselves, including the detection mode each intrusion detection unit adopts;
The association knowledge base stores association rules and knowledge, providing the basis for alert correlation analysis;
The alert confidence weight information database stores reliability information about intrusion alerts, including the time at which an alert occurred and the number of times it occurred;
The intrusion intent prediction candidate database stores intrusion intents, including the next intrusion target;
The target system information database stores the characteristic information of the targets the network is to protect;
The detection agent module performs intrusion detection, produces raw alerts, and delivers them to the alert filtering and normalization module;
The alert filtering and normalization module filters obviously redundant or incomplete alerts out of the raw alerts and normalizes the rest so that the generated alerts have a uniform format; finally it submits the normalized alert information to the alert aggregation and fusion module and at the same time stores it in the alert database;
The alert aggregation and fusion module uses the monitored system information database and the intrusion detection system characteristics database to aggregate and fuse the normalized alerts it receives, obtains alert clusters, and submits them to the local alert correlation analysis module;
The local alert correlation analysis module uses the association rules in the association knowledge base to perform correlation analysis on the alert clusters it receives, then passes the processed alert events to the global correlation analysis module, stores the alert confidence weight information in the alert confidence weight information database, and stores the predicted intrusion intents in the intrusion intent prediction database; as soon as the local alert correlation analysis module recognizes that an intrusion has occurred, it notifies the system response component;
The global correlation analysis module uses the information in the alert confidence weight information database, the intrusion intent prediction candidate database and the target system information database to synthesize the analysis results provided by each local alert correlation analysis module and obtain the security situation of the whole network; when it detects an intrusion, it notifies the system response component. The global correlation analysis module also provides three kinds of feedback information: the first kind updates information reflecting the characteristics of the intrusion detection systems into the intrusion detection system characteristics database; the second kind updates new association rules, or the priority information of association rules, into the association knowledge base; the third kind updates intrusion intent prediction rules and knowledge and the alert confidence weight calculation rules into the local alert correlation analysis module, so as to influence the rules that produce alert confidence weight information and intrusion intent prediction candidate schemes, and the priority weights of those rules. The global correlation analysis module interacts with the user through the human-machine interface module;
The system response component, according to the notifications sent by the local correlation analysis modules and the global correlation analysis module, carries out responses such as network disconnection and disaster recovery actions to prevent the intrusion from developing further.
The present invention combines multiple detection techniques and is compatible with various intrusion detection systems; through alert correlation it can effectively improve detection accuracy and efficiency and reduce redundant alerts and false alarms. Introducing the monitored system information database improves the accuracy of assessing intrusion damage and makes it possible to predict the hazard level of an intrusion to the target system and its possible dangerous actions. Information such as the intrusion detection system characteristics database and the monitored system information database allows mistakes and errors that may be introduced in the intrusion detection process to be corrected, providing assurance for improved accuracy and efficiency of alert correlation. Introducing the intrusion intent prediction candidate database into the system manages the possible intrusion intents in a unified way and provides a basis for assessing the effect of intrusion intent prediction. The alert confidence weight information database provides a basis for assessing the credibility and validity of alerts, and the confidence weights of alert information can be adjusted according to feedback information to further improve accuracy and reduce false positives and false negatives. A dedicated target identification module provides a basis for judging the target of an intrusion. The local alert correlation analysis module and the global correlation analysis module present the local and the global security situation of the network to the user from the local and the global perspective respectively, and provide direct prediction and verification of the steps and trend of an intrusion. The system response component can automatically perform responses such as network disconnection and disaster recovery actions, which reduces the workload of the security administrator, gains more response time, and lets the security administrator concentrate on handling other complex intrusions or on preparing responses. The human-computer interaction interface provides a convenient management interface for the security administrator, improving the administrator's operating efficiency and lowering the threshold for using the system.
On the whole, the present invention overcomes the deficiencies of existing intrusion detection systems and existing intrusion detection alert correlation systems, greatly improves on the functions of existing correlation techniques and frameworks, and effectively improves system performance. In particular, the advantages and original points of the present invention are as follows:
1) Support for distribution
The present invention does not involve the concrete detection technique or scheme of the IDS and is independent of the underlying implementation technology and scheme of the system, so it can be compatible with and integrate heterogeneous systems that use multiple detection techniques. The framework is designed around the characteristics of distributed networks, supports identification of local intrusion intent and of global intrusion purpose, and can complete local correlation and global correlation of alerts according to the topology classification. For the characteristics of distributed applications, the influence of the attack target and the network type on the calculation of alert criticality is taken into account. In addition, the multi-level correlation form adopted by the system both overcomes the single point of failure of centralized correlation and lightens the load of each correlation engine: the higher the level of a correlation engine, the fewer alerts it has to process and the more abstract the alert information. It is therefore suited to large-scale IDS alert processing.
2) High accuracy
The present invention can integrate multiple detection techniques and is compatible with various intrusion detection systems, effectively improving detection accuracy and efficiency; alert correlation effectively reduces redundant alerts and false alarms; the monitored system information database improves the accuracy of assessing intrusion damage; the intrusion detection system characteristics database corrects the mistakes and errors that may exist in intrusion detection systems; and three feedback loops are introduced to correct the configuration errors and security setting vulnerabilities that may exist in intrusion detection systems, updating and adding association rules in time so as to recognize various unknown new intrusions.
3) Good extensibility
The present invention supports distributed application environments and supports both local correlation analysis and global correlation analysis, effectively avoiding the inherent single point of failure of a centralized correlation system and the overloading of the central node that easily becomes a system bottleneck. The proposed framework is highly extensible: intrusion detection units, local alert correlation analysis modules and so on can be added at any time to adapt to growth or shrinkage of the network. Alert correlation and alert aggregation and fusion are implemented separately and do not depend on the method used to implement alert detection, so new correlation techniques and alert aggregation and fusion techniques can be added at any time. The alert filtering and normalization module supports correlated processing of alerts from intrusion detection systems of different kinds and models, so new intrusion detection products can be introduced at any time.
4) Support for geometric display of alerts
Traditional alert display is carried out according to the number of times an alert occurs and the hazard level of the alert; it does not reflect information such as the confidence of the alert, how urgently the intrusion needs handling, or the cost of responding to the intrusion. The present invention introduces alert criticality into the system for the first time and uses it for the geometric display of alerts, providing the security administrator with a quantitative basis for deciding which kind of intrusion, occurring where, should be responded to first.
5) Self-optimization
The present invention introduces three loops that improve the accuracy of the intrusion detection system and realize self-optimization and self-configuration of the system.
A. Given characteristics such as the high confidence of signature-matching intrusion detection and the high false positive rate of anomaly-based intrusion detection systems, an intrusion detection system characteristics database is introduced to store information such as the alert confidence of each intrusion detection system, alert timeliness information, the shortcomings of the intrusion detection system and its detection blind spots. Feedback loop 1 updates the intrusion detection system characteristics database so that it accurately reflects the characteristics of the alerts each intrusion detection system submits.
B. In IDS alert correlation, some specific intrusion behaviours have multiple correlation results. To improve correlation accuracy, priorities and correlation preconditions are set for the various association rules in the association knowledge base (besides the specific intrusion steps and the preconditions of the intrusion, a correlation precondition also includes other conditions that must be satisfied for the intrusion to occur and alert reliability information, for example that only certain IDS products may miss a certain specific intrusion alert, or that a certain IDS product has very high confidence in detecting a certain intrusion; this information helps improve the confidence and soundness of the correlation results). Feedback loop 2 optimizes the effect of local alert correlation by revising the association rules in the association rule base, the correlation preconditions and the priorities of the association rules, further improving correlation accuracy and confidence.
C. In order to grasp the global security situation early, the present invention first infers, from the correlation results of the local alert correlation analysis module, the local intrusion intent, the next intrusion behaviour that may occur, and so on; the various predictions are sorted by the inferred likelihood and stored in the intrusion intent prediction candidate database, and the system response component is notified to take the corresponding response measures. In global correlation, the information in the intrusion intent prediction candidate database is used to verify whether a certain predicted intrusion sequence has occurred, and prevention and blocking measures are adopted in time to guarantee the real-time security of the network and real-time intrusion response (such as intrusion blocking and disaster recovery). Feedback loop 3 adjusts in time the generation rules of the intrusion intent prediction schemes and the priorities of those rules, improving the accuracy of intrusion intent prediction. In real application environments some intrusion detection systems take a long time to detect an intrusion, so alerts are not sent accurately and in time, which affects the prediction of the intrusion by the security administrator and the system (they may think that a certain intrusion step has not occurred or cannot occur); updating the generation rules and priorities of the intrusion intent prediction schemes through feedback loop 3 lets the system take the performance and functional characteristics of specific IDS products into account and improve prediction accuracy.
6) Immunity function
The system response component not only takes the corresponding response measures according to the attack intent inferred by the IDS, reducing the risk of intrusion or avoiding its occurrence; it can also automatically download the corresponding vulnerability patches or change certain settings according to instructions from the other local alert correlation analysis modules and the global correlation analysis module, thereby realizing active immunity of the system and preventing an intrusion that has already occurred from spreading across the network.
7) High performance
Cluster fusion processing can greatly reduce redundant alert information, improving alert processing speed and optimizing system performance. The hierarchical alert correlation framework, from local correlation to global correlation, greatly reduces the load on the global correlation analysis module and improves the throughput of the whole system, freeing the network security manager from the massive volume of alert information and allowing the focus of security threats to be found in time. Integrated use of multiple detection techniques and detection modules improves the accuracy of the system. The system response component performs responses automatically, reducing the workload of the security administrator and improving system response time. The three feedback loops of the system save time and cost in system configuration, improve accuracy, reduce unreasonable prediction schemes and response analysis time, and improve system performance.
8) Consideration of the characteristics of the target system and of the intrusion detection modules
Different target systems face different security threats, and the damage caused by the same intrusion differs between them. Different intrusion detection modules adopt different detection techniques and schemes, so their detection effects have different emphases; different intrusion detection modules complement one another and can effectively make up for each other's detection blind spots, and because the detection techniques used differ, the time they need for detection also differs. Combining the intrusion detection system characteristics database and the target system information database lets the system predict earlier and more accurately the security threats it faces and the security situation of the network. Through the target system information database (which includes information such as the network type of the target system, the application type, the protection level required, the threats and vulnerability types that may exist, and the attack types that must be guarded against with emphasis) and the intrusion detection system characteristics database, the present invention provides an accurate and effective basis for the security administrator to grasp the security situation and intrusion development trend of the whole network and to formulate security strategy and response measures.
9) Support for global security situation management
Correlation analysis is divided into association rules and sequential patterns. Association rules can mine correlations that occur within the same event, while sequential patterns can discover correlations between events in time and space. This reveals the generation rules and patterns of attacks, that is, the attack trace chain. The attack trace chain reflects the coordination and relevance between attacks and provides a decision basis for predicting the development trend of an attack, the next attack target and the true purpose of the attack. This information can be used both to configure the strategy of the response module, making the response more intelligent, and to improve detection and defence capability, thereby preventing large-scale attack behaviour.
The local alert correlation analysis module and the global correlation analysis module present the local and the global security situation of the network to the user from the local and the global perspective respectively; the intrusion intent prediction candidates, the target identification module and the geometric alert display module based on alert criticality support the security administrator in grasping the global security situation. A friendly human-machine interface module provides a convenient management interface for the security administrator.
Description of drawings
Fig. 1 is a schematic structural diagram of the distributed self-optimized intrusion detection alarm associated system;
Fig. 2 is a schematic structural diagram of the detection agent module;
Fig. 3 is a schematic structural diagram of the alert filtering and normalization processing module;
Fig. 4 is a schematic structural diagram of the alert aggregation and fusion module;
Fig. 5 is a schematic structural diagram of the human-machine interface module.
Embodiments
The present invention is explained further in detail below with reference to the accompanying drawings.
The present invention introduces three feedback loops to realize automatic optimization of the network, eliminate potential configuration errors, and improve association knowledge and association rules automatically; a hierarchical alert correlation framework flexibly supports distributed application environments, and multiple techniques are integrated to ensure that the system can perform alert correlation analysis efficiently in a distributed environment. Divided by function and operating principle, the system of the present invention comprises an alert database 5, a monitored system information database 6, an intrusion detection system characteristics database 7, an association knowledge base 8, a local alert correlation analysis module 9, a system response component 10, an alert confidence weight information database 11, an intrusion intent prediction candidate database 12, a target system information database 13, a global correlation analysis module 14, a human-machine interface module 15 and at least one intrusion detection unit 4; each intrusion detection unit 4 includes a detection agent module 1, an alert filtering and normalization module 2 and an alert aggregation and fusion module 3. Taking a system that comprises one intrusion detection unit as an example, the function and workflow of each component of the system are explained below with reference to Figures 1 to 5.
Detecting proxy module 1 is used to realize intrusion detection and produces original warning.
As shown in Figure 2, detecting proxy module 1 comprises detector 1.1, detects engine 1.2 and warning engine 1.3.When attacking generation, the a plurality of detectors 1.1 that are deployed in diverse location obtain information, as system journal, network packet etc., detect invasion and the security threat that takes place by detecting engine 1.2, produce elementary warning by warning engine 1.3 then, submit to alarm filtering and handle with standardization module 2.
Alarm filtering is used to filter obvious redundancy or incomplete warning with standardization module 2, and the warning of standardization detection proxy module 1 submission, makes the warning form unanimity of generation, is convenient to the data interaction between each module in the system.
Alarm filtering and normalization module 2 comprises an alarm filtering module 2.1 and a normalization processing module 2.2.
Alarm filtering module 2.1 receives the primary alarms submitted by detection agent module 1, filters out obviously identical redundant alarms, deletes erroneous alarms and invalid alarms that lack important information, and then outputs the remaining valid alarms to normalization processing module 2.2.
Normalization processing module 2.2 completes the raw alarms: it fills in the information and fields required by the normalization standard and discards irrelevant or unneeded junk data, in order to reduce the volume of alarm information transmitted, save network bandwidth and improve system throughput and performance. It also defines the significant fields that an intrusion detection alarm must contain, together with the format and meaning of each field. A reference specification follows (in practical applications it may be suitably supplemented and revised):
([AlertID=] [AlertSender=] [Time=] [Classification=] [Participant=] [Assessment=] [AdditionalData=])

● AlertID: unique identifier of the alarm;
● AlertSender: the ID of the sender of the alarm, i.e. the ID of the detection agent;
● Time: the date and time information related to the alarm, comprising CreateTime, TimeStamp and EndTime. CreateTime is the time at which the intrusion detection agent detected the suspicious event. The purpose of TimeStamp is to record events more precisely: since many events may occur within a single second, each alarm message is given a unique timestamp (when TimeStamp is handled as an integer, it is assigned in increasing chronological order). The optional field EndTime is the end time of the alarm. CreateTime and EndTime may use the ISO 8601:2000 representation of date and time, namely a date expression of the form YYYY-MM-DD joined by the character 'T' to a time expression of the form HH:MM:SS;
● Classification: attack type information, such as Alert and Heartbeat in the IDMEF model, together with the attack name and type;
● Participant: information on the source and target of the alarm, including the attack source IP, source MAC address and source port, and the attack target IP, destination MAC address and destination port, which may be expressed as [SourceIP=] [SourceMAC=] [SourcePort=] [DestIP=] [DestMAC=] [DestPort=] etc.;
● Assessment: comprises Impact (the effect the event may have on the target), Action (the response measures taken by the detection component for the event), Confidence (the detection component's confidence in its assessment of the event) and the alarm criticality (UrgentDegree);
● AdditionalData: additional information about the alarm.
Alarm filtering and normalization module 2 usually appears paired with detection agent module 1, deployed at the various detection points on the network, to filter and normalize the alarms submitted by detection agent module 1; the normalized alarm messages are finally submitted to alarm aggregation and fusion module 3 and at the same time stored in alarm database 5.
Alarm aggregation and fusion module 3 is used to aggregate and fuse the normalized alarms. It comprises an alarm aggregator 3.1 and an alarm fusion device 3.2.
Alarm aggregator 3.1 receives the normalized alarms submitted by alarm filtering and normalization module 2, identifies the multiple alarms triggered by the same intrusion, and groups these alarms into alarm clusters. An alarm cluster is a set of alarms that correspond to the same attack. Alarm aggregation essentially consists of finding the aggregation relations between multiple alarms.
Alarm fusion device 3.2 receives the alarm clusters submitted by alarm aggregator 3.1 and fuses the alarms, combining information about the monitored system (from monitored-system information database 6) with the characteristics of the intrusion detection agents (from intrusion detection system characteristics database 7). The purpose of fusion is to create a new alarm that contains the representative information of the cluster. The new alarm takes into account the vulnerability situation of the monitored system itself, such as which intrusions it is immune to, and also the strengths and weaknesses of the intrusion detection agents, which determine the confidence, false-positive (false alarm) rate and false-negative (missed detection) rate of their alarms. Fields of the normalized alarm such as the confidence level are modified accordingly, and the result is submitted to local alarm association analysis module 9.
Usually, alarm aggregation and fusion module 3 is deployed between alarm filtering and normalization module 2 and local alarm association analysis module 9. In an actual deployment the aggregation and fusion functions may also be distributed across the local association analysis module and the alarm filtering and normalization module, i.e. no explicit alarm aggregation and fusion module is defined, but its functions are retained and spread over the other modules.
Alarm aggregation and fusion module 3 can aggregate and fuse data from several alarm filtering and normalization modules 2. The whole network may contain one or more intrusion detection units 4, and each intrusion detection unit 4 may in turn comprise one alarm aggregation and fusion module 3 together with at least one detection agent module 1 and alarm filtering and normalization module 2. The number of alarm filtering and normalization modules 2 ≥ the number of alarm aggregation and fusion modules 3 ≥ the number of local alarm association analysis modules 9.
Alarm database 5 is used to store the normalized alarm messages for querying and use by the system. The alarm storage format is based on the normalized alarm message and may be suitably supplemented with other information.
Monitored-system information database 6 is used to store the characteristics of the monitored system, such as which operating system it runs, which system vulnerabilities exist, and the history of intrusions that have occurred on it. With this information it can be determined that certain intrusions can succeed or obviously cannot occur, thereby eliminating some of the false positives an IDS may produce. Although the whole network may share a single monitored-system information database, an actual deployment may have several independently distributed monitored-system information databases in order to save communication bandwidth and avoid a single point of failure. The data in these databases are independent of one another, but their functions are identical and their role in the whole system and the related techniques are exactly the same, so they can still be regarded as a whole. Existing database synchronization techniques ensure that any point on the network can treat them as a whole, as if only one monitored-system information database existed.
Intrusion detection system characteristics database 7 is used to store the characteristics of the intrusion detection units themselves, such as the detection technique adopted by intrusion detection unit 4 (anomaly-based, signature-matching-based, network-state-based, etc.), its response time, and its strengths and weaknesses. Using this information significantly improves the accuracy and confidence of the whole system. For example, anomaly-based detection has a very high false-positive rate, while signature-based detection has a higher false-negative rate; if an anomaly-based alarm and a signature-based alarm contradict each other or are inconsistent, the anomaly-based alarm may be regarded as a false positive and the signature-based alarm given the higher confidence.
Association knowledge database 8 is used to store correlation rules (knowledge), providing the basis for alarm association analysis. Correlation rules may be formulated by experts or generated with techniques such as data mining. The basic idea is described below, taking causal association in alarm correlation as an example.
A complete intrusion usually consists of certain steps and a process; within a complete attack, the alarm event triggered by a single attack step may have certain preconditions (prerequisite alarm events) and possible consequence events. For example, an attacker may first perform a vulnerability scan to find hosts with vulnerabilities, then launch a penetration attack on the target according to the vulnerability information obtained, and after gaining control of the target host go on to attack other hosts or pursue other goals. Logically, these events all belong to the same composite attack, and there is a causal relationship between them.
Suppose A_cause is the prerequisite alarm event for an attack A to occur and B_effect is the consequence event of another attack B. If, under condition C, $A\_cause \supseteq B\_effect$ or $A\_cause \subseteq B\_effect$ holds, the two attacks A and B are considered to have a causal association.
For two events (alarms) that have a causal association, the form of the association knowledge database can be exemplified as follows.
It is known that carrying out a Winnuke attack requires two preconditions: the target host runs the Windows operating system and has the DNS service open. Suppose event A is the Winnuke attack and event B is a vulnerability scan attack. Then A_cause is:
the operating system of target IP1 is Windows, and IP1 provides the DNS service
and B_effect is:
obtain the operating system type of target IP2, and obtain the service type of target IP2
Then the association knowledge database should contain the following information:
IP1 = IP2; the operating system of IP2 is Windows; DNS is among the services running on IP2; the end time EndTime of event B < the creation time CreateTime of event A
In practical applications, since many kinds of association relations between alarms exist, the organization and representation of the association knowledge database may take other forms.
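The normalized alarm format above and the Winnuke/vulnerability-scan causal rule, worked through as an added example (not code from the patent): a parser for "[Name=value]" alarm lines and a check of the A_cause ⊆ B_effect / A_cause ⊇ B_effect condition with the time constraint EndTime(B) < CreateTime(A). The ';' sub-field separator, the "VulnScan" classification label, the OS and Services keys in AdditionalData and all alarm values are assumptions made here so the example runs stand-alone.

```python
"""Normalized-alarm parsing and causal association check (constructed example)."""
import re
from datetime import datetime

# One "[Name=value]" item per field; values may contain '=' and ';' but no ']'.
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")

# Fields whose value is assumed to be a ';'-separated list of Name=value pairs.
COMPOUND_FIELDS = ("Time", "Assessment", "AdditionalData")


def parse_alarm(text: str) -> dict:
    """Parse one normalized alarm line into a flat field dict.

    Sub-fields of Time, Assessment and AdditionalData are flattened into the
    result; CreateTime/EndTime are parsed from the ISO 8601 'YYYY-MM-DDTHH:MM:SS'
    form into datetime objects and TimeStamp into an integer sequence number.
    """
    fields = dict(FIELD_RE.findall(text))
    for name in COMPOUND_FIELDS:
        for part in filter(None, fields.pop(name, "").split(";")):
            key, _, value = part.partition("=")
            fields[key] = value
    for key in ("CreateTime", "EndTime"):
        if key in fields:
            fields[key] = datetime.fromisoformat(fields[key])
    if "TimeStamp" in fields:
        fields["TimeStamp"] = int(fields["TimeStamp"])
    return fields


def prerequisites(alarm: dict) -> set:
    """A_cause: conditions that must hold on the target for the attack to work.

    Facts are (kind, host, value) triples so that set inclusion can be tested;
    the host is part of every fact, which encodes the IP1 = IP2 requirement.
    """
    if alarm.get("Classification") == "Winnuke":
        ip = alarm["DestIP"]
        return {("os", ip, "Windows"), ("service", ip, "DNS")}
    return set()


def consequences(alarm: dict) -> set:
    """B_effect: facts the attacker learns from the attack.

    A scan's findings are assumed to travel in AdditionalData as OS and Services.
    """
    if alarm.get("Classification") == "VulnScan":
        ip = alarm["DestIP"]
        facts = {("os", ip, alarm.get("OS", "unknown"))}
        facts |= {("service", ip, s) for s in alarm.get("Services", "").split(",") if s}
        return facts
    return set()


def causally_linked(b: dict, a: dict) -> bool:
    """True when alarm b is a plausible precursor of alarm a.

    Condition C: b must have ended before a was created (an alarm without an
    EndTime is treated as ending at its CreateTime). Then A_cause must be a
    subset or a superset of B_effect.
    """
    a_cause, b_effect = prerequisites(a), consequences(b)
    if not a_cause or not b_effect:
        return False
    if not b.get("EndTime", b["CreateTime"]) < a["CreateTime"]:
        return False
    return a_cause <= b_effect or a_cause >= b_effect


def find_causal_chains(alarms: list) -> list:
    """All (precursor AlertID, successor AlertID) pairs among the given alarms."""
    return [(b["AlertID"], a["AlertID"])
            for b in alarms for a in alarms
            if b is not a and causally_linked(b, a)]


# Constructed alarms, not captured traffic.
SCAN = parse_alarm(
    "[AlertID=101] [AlertSender=agent-east] "
    "[Time=CreateTime=2009-03-01T09:58:00;TimeStamp=1;EndTime=2009-03-01T09:59:30] "
    "[Classification=VulnScan] [SourceIP=10.0.9.9] [DestIP=10.0.0.5] [DestPort=53] "
    "[Assessment=Confidence=0.7] [AdditionalData=OS=Windows;Services=DNS,HTTP]"
)
WINNUKE = parse_alarm(
    "[AlertID=102] [AlertSender=agent-west] "
    "[Time=CreateTime=2009-03-01T10:00:00;TimeStamp=2] "
    "[Classification=Winnuke] [SourceIP=10.0.9.9] [DestIP=10.0.0.5] [DestPort=139] "
    "[Assessment=Confidence=0.9]"
)

if __name__ == "__main__":
    print(find_causal_chains([SCAN, WINNUKE]))
```

A scan that reports a different operating system, or one that ends after the Winnuke alarm was created, yields no link, which is the page's rule that both the fact sets and the time ordering must agree.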
Local alarm association analysis module 9 is used to perform association analysis on the alarm clusters submitted by alarm aggregation and fusion module 3.
Local alarm association analysis module 9 is first initialized from configuration files (such as a rule file, a target file, an action file and a rule-matching file). The rule file defines all the rules and patterns needed for pattern matching; the target file defines the target items of pattern matching, i.e. the situations for which pattern matching is performed; the action file defines all the response actions that may be carried out during pattern matching; the rule-matching file defines the matching relationships between the network application, the analysis engine, the response actions and each rule.
After initialization, local alarm association analysis module 9 performs association analysis on the alarm clusters from alarm aggregation and fusion module 3 according to the correlation rules in the association knowledge database, passes the processed alarm events to global association analysis module 14, stores the predicted intrusion intents in intrusion intent prediction candidate database 12, and at the same time stores the credibility weights of the alarms and of the various prediction schemes in the alarm credibility weight information database, providing a basis for global association analysis module 14 to decide on the correlation between alarms. Once an intrusion is identified, it notifies system response component 10 to carry out response actions, blocking the intrusion in progress, tackling possible threats in time or performing disaster recovery.
In the whole distributed network, one local alarm association analysis module 9 may correspond to several alarm aggregation and fusion modules 3. Several functionally identical local alarm association analysis modules are deployed at different physical locations, each responsible for the associative fusion of part of the alarms, eliminating false positives and reasonably inferring false negatives.
System response component 10 is used to carry out intrusion response actions. Following the instructions of local alarm association analysis module 9 and global association analysis module 14, it automatically performs response actions such as disconnecting the network and disaster recovery, so as to prevent the intrusion from developing further, carry out disaster recovery in time and reduce losses as far as possible.
Alarm credibility weight information database 11 is used to store credibility information about intrusion alarms, including the time at which an alarm occurred and the number of times it has occurred. An attack usually comprises a series of attack steps, such as scanning ports and vulnerabilities, obtaining privileges, escalating privileges and carrying out the purpose of the intrusion. This attack sequence is commonly called the attack track chain. The more steps of the attack track chain have already been carried out in sequence, the higher the credibility weight of the alarm. Local alarm association analysis module 9 stores this information in alarm credibility weight information database 11, and global association analysis module 14 analyses and responds to intrusions on this basis.
Intrusion intent prediction candidate database 12 is used to store the intrusion intent prediction information obtained from the analysis of local alarm association analysis module 9, such as the predicted target of the intrusion and the predicted intrusion method and steps; this prediction information is stored in intrusion intent prediction candidate database 12.
Target system information database 13 is used to store the characteristics of the possible attack targets in the network. A common attack against the Linux platform poses no threat to a Windows system, and likewise a specific intrusion against the Windows platform usually cannot harm a Linux system. In addition, whether an attack against a particular vulnerability can succeed also depends on whether the target system has that vulnerability. The role of a target system in the network also influences the intrusion response action; attacks against a honeypot system, for example, can usually be ignored. This target system information is collected automatically by software or obtained from user configuration, and stored in target system information database 13.
Global association analysis module 14 is used to comprehensively analyse the results produced by each local alarm association analysis module 9 in order to obtain the security situation of the whole network. Like local alarm association analysis module 9 it performs association analysis on the alarms it receives; the difference is that global alarm association examines the global security situation of the whole network. When assessing the global security situation it must also consult target system information database 13, because different target systems (including the network type, the application services running on the target system and the target system platform) differ in their sensitivity to intrusion and in their disaster recovery capability. Moreover, the output of global association analysis module 14 is presented in various forms by alarm geometry display module 15.1, human-computer interaction interface 15.2 and target identification module 15.3 of the human-machine interface module, and it can also accept input from human-computer interaction interface 15.2. Most importantly, on the basis of the resulting global security situation, global association analysis module 14 revises the relevant parameters and rules through three feedback loops, improving the system's detection accuracy for intrusions and the performance of the system.
Human-machine interface module 15 is mainly used for human-machine interaction and comprises alarm geometry display module 15.1, human-computer interaction interface 15.2 and target identification module 15.3. Human-computer interaction interface 15.2 receives user instructions and control parameters. Alarm geometry display module 15.1 sorts and classifies alarms by their criticality and displays the emergencies that require handling in a concise geometric format, so that the security administrator can quickly know where an intrusion is taking place, its time, the threatened targets and the development trend of the intrusion. Target identification module 15.3 specifically infers and displays details of the next intrusion target, such as the services running on the target host, the security risks present on the target host and the defensive measures already taken.
Alarm geometry display module 15.1 uses the alarm criticality to measure how critical an alarm is; alarm criticality is defined as follows:
Alarm criticality is an index that comprehensively reflects the degree of harm of the alarm, the importance of the intrusion target, the confidence of the alarm, the appropriate moment for responding to the intrusion, the response cost, etc. This index remedies the deficiency of earlier research, which only considered which intrusion would cause the more serious consequences, and gives the security administrator a basis for deciding proactively which intrusion, occurring where, should be responded to first and when. The mathematical definition of alarm criticality is:
$$AUD = \left(\alpha_1 I(u) + \alpha_2 O(v) + \alpha_3 H(w) + \alpha_4 \sum_{i=1}^{s} C_{ti} F_i\right) \times \sqrt[4]{\frac{N}{N_0}} \times \left[\frac{T - T_0}{T_c - T_0}\,\delta(T \le T_c) + \frac{T - T_v}{T_c - T_v}\,\delta(T > T_c)\right] \times RC$$
In the formula: $\alpha_1, \alpha_2, \alpha_3, \alpha_4$ are the influence factors of the network type, the attacked object type, the attack type and the indirect factors related to the attack respectively, with $\alpha_1 + \alpha_2 + \alpha_3 + \alpha_4 = 1$; $I(u) \in (0, 1]$ is the degree of influence of the network type on the alarm criticality; $O(v)$ is the influence of the v-th class of attacked object on the criticality; $H(w)$ is the influence of the w-th class of attack on the criticality; $C_{ti}$ is the influence factor of the i-th factor on the criticality for attack type t, satisfying $0 \le C_{ti} \le 1$ and $\sum_{i=1}^{s} C_{ti} = 1$, and $F_i$ is the value of factor i; N is the number of alarms, ranging over $[0, 1, \dots, N_0]$, where $N_0$, the maximum number of alarms, is a natural number; $T_0$ is the initial alarm time; T is the initial alarm time plus the elapsed time, i.e. $T - T_0 = ET$ (elapsed time); $T_c$ is the ideal response time threshold, the critical time at which the alarm criticality changes direction: before it the criticality increases with elapsed time, after it the criticality decreases with time. Different attacks have different response times, and the value is obtained by experiment or empirically by experts; $T_v$ is the time after which handling the alarm becomes meaningless; beyond it the alarm criticality no longer changes significantly (minimum value); RC is the cost of responding to the alarm.
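The criticality formula carried through in code, as an added example that is not part of the patent: the alarm-count factor is taken as the fourth root of $N/N_0$, the time factor is clamped at 0 once $T \ge T_v$ (the "minimum value" the text mentions), and the constraints on $\alpha$ and $C_{ti}$ are checked. All parameter values are constructed, and the ranking helper stands in for the sorting the alarm geometry display module performs.

```python
"""Alarm criticality (AUD) and criticality ranking (constructed example)."""
import math


def time_factor(T: float, T0: float, Tc: float, Tv: float) -> float:
    """Piecewise time weight from the AUD formula.

    delta(T <= Tc) selects the rising branch (0 at T0, 1 at Tc);
    delta(T > Tc) selects the falling branch (1 at Tc, 0 at Tv).
    Past Tv the factor is held at 0, the minimum value.
    """
    if not T0 < Tc < Tv:
        raise ValueError("expected T0 < Tc < Tv")
    if T <= Tc:
        return max(0.0, (T - T0) / (Tc - T0))
    return max(0.0, (T - Tv) / (Tc - Tv))


def alarm_urgency(alpha, I_u, O_v, H_w, C_t, F, N, N0, T, T0, Tc, Tv, RC) -> float:
    """AUD = (a1 I(u) + a2 O(v) + a3 H(w) + a4 sum_i C_ti F_i)
             * (N / N0) ** (1/4) * time_factor(T) * RC

    The constraints stated with the formula are enforced before computing.
    """
    if len(alpha) != 4 or not math.isclose(sum(alpha), 1.0):
        raise ValueError("alpha must have four entries summing to 1")
    if len(C_t) != len(F):
        raise ValueError("one weight C_ti per factor value F_i")
    if not math.isclose(sum(C_t), 1.0) or not all(0 <= c <= 1 for c in C_t):
        raise ValueError("C_ti must lie in [0, 1] and sum to 1")
    if not 0 < I_u <= 1:
        raise ValueError("I(u) must lie in (0, 1]")
    if not 0 <= N <= N0:
        raise ValueError("N must lie in [0, N0]")
    a1, a2, a3, a4 = alpha
    indirect = sum(c * f for c, f in zip(C_t, F))          # sum_i C_ti F_i
    base = a1 * I_u + a2 * O_v + a3 * H_w + a4 * indirect
    count_factor = (N / N0) ** 0.25                        # repeated alarms raise urgency
    return base * count_factor * time_factor(T, T0, Tc, Tv) * RC


def rank_alarms(alarms: list, T: float) -> list:
    """Names of the alarms ordered by descending criticality at time T.

    Each alarm is a dict of alarm_urgency keyword arguments plus a 'name' key.
    """
    scored = []
    for alarm in alarms:
        params = {k: v for k, v in alarm.items() if k != "name"}
        scored.append((alarm_urgency(T=T, **params), alarm["name"]))
    scored.sort(reverse=True)
    return [name for _, name in scored]


# Constructed parameters: weights favour network type, two indirect factors,
# a 60-second ideal response threshold and a 600-second cut-off.
SAMPLE = dict(alpha=(0.4, 0.3, 0.2, 0.1), I_u=1.0, O_v=0.5, H_w=1.0,
              C_t=(0.5, 0.5), F=(1.0, 0.0), N0=16, T0=0, Tc=60, Tv=600, RC=1.0)

if __name__ == "__main__":
    for t in (0, 30, 60, 330, 600, 700):
        print(t, round(alarm_urgency(N=16, T=t, **SAMPLE), 3))
    print(rank_alarms([dict(SAMPLE, name="single", N=1),
                       dict(SAMPLE, name="repeated", N=16)], T=60))
```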
System workflow
When an intrusion occurs, detection agent module 1 detects it from information such as system logs and network packets, using a combination of intrusion detection techniques, then produces an alarm and submits it to alarm filtering and normalization module 2;
Alarm filtering and normalization module 2 receives the raw alarms from detection agent module 1 and filters out incomplete, obviously erroneous and redundant alarms. It then adds evaluation information to each alarm, such as Impact (the effect the event may have on the target), Action (the response measures taken by the detection component for the event), Confidence (the detection component's confidence in its assessment of the event) and the ID of the detector, producing a valid alarm with complete information. At the same time the normalized alarm messages are stored uniformly in alarm database 5 for unified management of alarms.
The complete alarm information processed by alarm filtering and normalization module 2 is submitted to alarm aggregation and fusion module 3. Usually one alarm aggregation and fusion module 3 corresponds to at least one alarm filtering and normalization module 2. Alarm aggregation module 3.1 aggregates the alarms about the same intrusion submitted by different detection agents (although triggered by the same intrusion behaviour, these alarms come from different detection agents and may differ in name, in the representation of the attack source and target, in the classification of the attack, etc.), then merges the redundant alarms and merges information of the same category. Combining the characteristics of the monitored system from monitored-system information database 6 (for example, from the operating system and vulnerability situation of the detected system it can be judged that certain intrusions can succeed or obviously cannot occur, thereby eliminating some of the false positives an IDS may produce) with the performance characteristics of the intrusion detection systems in intrusion detection system characteristics database 7 (for example, a certain detection agent has low processing performance and submits its alarms with serious delay, while the intrusion that produced the alarm has in fact already been detected by other detection agents and the response or handling has been completed, so this alarm can be regarded as an out-of-date redundant alarm), it processes the alarms, rejects some obviously wrong alarms, reduces the false-positive rate and finally forms a unified, standard alarm cluster. Alarm fusion module 3.2 accepts the alarm clusters submitted by the aggregation module and fuses the alarms, combining the information about the monitored system with the characteristics of the intrusion detection systems. The purpose of fusion is to create a new alarm that contains the representative information of the alarm cluster.
These aggregated and fused alarm clusters undergo local association in local alarm association analysis module 9. The alarm clusters are associatively fused using the rules (knowledge) in association knowledge database 8, for example by finding an intrusion sequence or the intrusion steps of an attack track chain that have already taken place, judging the imminent intrusion steps and behaviours in the attack track chain, and thereby identifying part of the attack intent. For the intrusion steps and behaviours identified, system response component 10 is notified to carry out the corresponding response actions. During association analysis, local alarm association analysis module 9 derives the alarm credibility weight information from the degree of agreement between the intrusion steps that have taken place and the attack track chain, combined with the circumstances of the intrusion alarm (for example, whether the intrusion was detected by several detection agents or by several detection techniques), writes it to alarm credibility weight information database 11, and records the various possible intrusion intents obtained from the analysis in intrusion intent prediction candidate database 12.
The alarm clusters after local association are also submitted to global association analysis module 14 for further associative fusion, in order to obtain a more global view of the security situation and thereby uncover larger-scale, distributed and concurrent intrusion behaviour (possibly also related attack sequences that are close together in time). The global association analysis module also uses target system information database 13 (such as the target network type and target host information) to judge the degree of harm of an attack, the likelihood of the attack succeeding and the intruder's true purpose, and so grasp the attacker's global attack intent; finally, according to the inferred results, it notifies system response component 10 to carry out the corresponding response actions. According to the intrusion intents identified by local alarm association analysis module 9 and global association analysis module 14, system response component 10 handles the alarm events from each layer that require an immediate or a deferred response, for example by cutting off connections, isolating, patching vulnerabilities and restoring the system. This gains more response opportunities for the security administrator; it not only greatly simplifies the response and reduces its cost, but also guarantees the security of the network to the greatest extent. Every layer of the correlation model is connected to the system response component, so that the response mechanism can be started immediately when needed.
After grasping the attacker's global intent, global association analysis module 14 provides three classes of feedback information: (1) through feedback loop ①, information reflecting the characteristics of the intrusion detection systems is updated into intrusion detection system characteristics database 7, for example raising or lowering the credibility rate of the detections of a certain intrusion detection module; (2) through feedback loop ②, new correlation rules or the priorities of correlation rules are updated into association knowledge database 8, for example raising or lowering the priority and credibility of a certain correlation rule; (3) through feedback loop ③, intrusion intent prediction rules and knowledge and alarm credibility weight calculation rules are updated into the local alarm association analysis module, influencing the rules that produce alarm credibility weight information and intrusion intent prediction candidate schemes and the priority weights of those rules; for example, if a highly credible prediction is found in the intrusion intent prediction candidate database, the priority of the correlation rule corresponding to that prediction can be raised. The above feedback loops ①, ② and ③ are shown in Figure 1.
The final results of the global association analysis module are presented to the security administrator through alarm geometry display module 15.1, human-computer interaction interface 15.2 and target identification module 15.3 of human-machine interface module 15. The security administrator can also modify system parameters and issue system control commands through human-computer interaction interface 15.2.
This system solves the problems of poor reliability, low efficiency and lack of self-optimization that exist in general intrusion detection alarm correlation frameworks (systems). It introduces the intrusion detection system characteristics database and the target system information database to improve the accuracy of intrusion detection and of attack hazard assessment; it introduces the alarm geometry display module based on alarm criticality to improve alarm screening and display capabilities; and it introduces three feedback loops to realize self-optimization of the intrusion detection correlation algorithm, so that the network configuration converges automatically to an optimal state. It is particularly suitable for distributed heterogeneous intrusion detection environments.
The present invention is not limited to the above embodiment; persons skilled in the art may implement the present invention in various other embodiments according to the embodiment and the content disclosed in the accompanying drawings. Therefore, any simple design change or modification that adopts the design structure and idea of the present invention falls within the scope of protection of the invention.

Claims (4)

1. A distributed self-optimized intrusion detection alarm correlation system, characterized in that: the system comprises an alarm database (5), a monitored-system information database (6), an intrusion detection system characteristics database (7), an association knowledge database (8), a local alarm association analysis module (9), a system response component (10), an alarm credibility weight information database (11), an intrusion intent prediction candidate database (12), a target system information database (13), a global association analysis module (14), a human-machine interface module (15) and at least one intrusion detection unit (4); each intrusion detection unit (4) includes one alarm aggregation and fusion module (3), at least one detection agent module (1) and at least one alarm filtering and normalization module (2);
the alarm database (5) is used to store normalized alarm messages;
the monitored-system information database (6) is used to store the characteristics of the monitored system, including the operating system it uses and the system vulnerabilities present;
the intrusion detection system characteristics database (7) is used to store the characteristics of the intrusion detection units (4) themselves, including the detection mode adopted by each intrusion detection unit;
the association knowledge database (8) is used to store correlation rules and knowledge, providing the basis for alarm association analysis;
the alarm credibility weight information database (11) is used to store credibility weight information about intrusion alarms, including the time at which an alarm occurred and the number of times it has occurred;
the intrusion intent prediction candidate database (12) is used to store intrusion intents, including the next intrusion target;
the target system information database (13) is used to store the characteristics of the targets in the network that are to be protected;
the detection agent module (1) is used to perform intrusion detection, produce raw alarms and provide them to the alarm filtering and normalization module (2);
the alarm filtering and normalization module (2) is used to filter obviously redundant or incomplete alarms out of the raw alarms and to normalize them, so that the alarms produced have a consistent format; the normalized alarm messages are finally submitted to the alarm aggregation and fusion module (3) and simultaneously stored in the alarm database (5);
Report to the police to assemble with Fusion Module (3) and utilize monitored system information storehouse (6) and intruding detection system characteristic storehouse (7), the normalized warning that receives is assembled and merged, obtain warning bunch, and offer local alarm association analysis module (9);
Local alarm association analysis module (9) utilizes the correlation rule in the association knowledge storehouse (8) that association analysis bunch is carried out in the warning that receives, alert event after will handling then passes to global association analysis module (14), and the weight information of accepting and believing that will report to the police stores into to report to the police and accepts and believe in the weight information storehouse (11), and the intrusion attempt of prediction is stored in the intrusion attempt prediction storehouse (12); In case local alarm association analysis module (9) recognizes the generation of invasion, with regard to reporting system response component (10);
Global association analysis module (14) utilization is reported to the police and is accepted and believed the information of weight information storehouse (11), intrusion attempt predicting candidate storehouse (12) and target system information storehouse (13), the analysis result that each local alarm association analysis module (9) is provided carries out comprehensively, obtain the security postures of whole network, detecting when invasion, i.e. reporting system response component (10); Global association analysis module (14) also provides three class feedback informations: the first kind is that intruding detection system characteristic storehouse (7) is arrived in the information updating of reaction intruding detection system characteristic, second class is that the precedence information with new correlation rule or correlation rule is updated to association knowledge storehouse (8), the 3rd class is the weight calculation Rule Information to be accepted and believed in intrusion attempt prediction rule and knowledge, warning be updated to local alarm association analysis module, produces to report to the police with influence and accepts and believe the rule and the regular priority weight of weight information, intrusion attempt predicting candidate scheme; Global association analysis module (14) carries out alternately with the user by human-machine interface module (15);
System responses parts (10) are carried out the response action according to the notice of local association analysis module and the transmission of global association analysis module, avoid the further generation of invading.
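The claim describes the local correlation path only at module level. As an added illustration (example code written for this page, not the patent's own implementation), the following Python sketches that path end to end: standardized alarms are aggregated into clusters, each cluster receives a credibility weight from its repetition count and from the monitored-system information store, ordered multi-step rules from the correlation knowledge store are matched per target, a fully matched chain becomes an incident for the response component while a partially matched chain becomes a predicted next step for the candidate store, and a feedback step of the second kind raises the priority of rules that fired. Every host, service, rule and alarm below is constructed sample data, and the 0..100 weighting scheme and the rule format are assumptions chosen for the example, not the patent's.

```python
# Added example, not the patent's own code: local alarm correlation in the
# style of claim 1 over constructed alarms, hosts and rules.
from collections import defaultdict
from dataclasses import dataclass

# Monitored-system information store (6), constructed: OS and exposed vulnerable services.
MONITORED = {
    "10.0.0.5": {"os": "linux", "vulns": {"smb"}},
    "10.0.0.7": {"os": "windows", "vulns": {"smb", "rdp"}},
}

# Correlation knowledge store (8), constructed: ordered alert classes expected
# against one target; rules with higher priority are evaluated first.
RULES = [
    {"name": "scan-then-exploit", "steps": ["scan", "exploit"], "priority": 2},
    {"name": "exploit-then-c2", "steps": ["exploit", "c2"], "priority": 3},
]

@dataclass(frozen=True)
class Alert:
    ts: float        # seconds
    src: str
    dst: str
    cls: str         # standardized alert class
    service: str     # service the signature targets
    target_os: str   # OS the signature applies to

def aggregate(alerts, window=60.0):
    # Aggregation and fusion (3): same (src, dst, class) within `window` seconds of the previous one -> one cluster
    clusters = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.src, a.dst, a.cls)
        c = clusters.get(key)
        if c is not None and a.ts - c["last"] <= window:
            c["count"] += 1
            c["last"] = a.ts
        else:
            clusters[key] = {"alert": a, "count": 1, "first": a.ts, "last": a.ts}
    return list(clusters.values())

def credibility(cluster):
    """Credibility weight (store 11), 0..100: repetition raises it, an unknown target
    or a signature for the wrong OS lowers it, a hit on an exposed service raises it."""
    a = cluster["alert"]
    w = 20 + min(cluster["count"], 5) * 10
    host = MONITORED.get(a.dst)
    if host is None:
        return w // 2
    if host["os"] != a.target_os:
        return w // 4
    if a.service in host["vulns"]:
        w += 30
    return min(w, 100)

def steps_matched(seq, steps):
    # Number of leading rule steps that appear, in order, in the target's alert sequence
    i = 0
    for cls in seq:
        if i < len(steps) and cls == steps[i]:
            i += 1
    return i

def correlate(clusters, rules=RULES, threshold=50):
    """Local correlation (9): per target, match rules against the time-ordered classes of
    credible clusters. Returns confirmed incidents and predicted next steps (store 12)."""
    by_dst = defaultdict(list)
    for c in clusters:
        if credibility(c) >= threshold:
            by_dst[c["alert"].dst].append(c)
    incidents, predictions = set(), set()
    for dst, cs in by_dst.items():
        seq = [c["alert"].cls for c in sorted(cs, key=lambda c: c["first"])]
        for rule in sorted(rules, key=lambda r: -r["priority"]):
            n = steps_matched(seq, rule["steps"])
            if n == len(rule["steps"]):
                incidents.add((rule["name"], dst))
            elif n > 0:
                predictions.add((dst, rule["steps"][n]))
    return incidents, predictions

def feedback(incidents, rules):
    # Global feedback of the second kind: rules that produced an incident get a higher priority next round
    fired = {name for name, _ in incidents}
    return [dict(r, priority=r["priority"] + (r["name"] in fired)) for r in rules]

# Constructed standardized alarms: a repeated scan then an exploit against the Windows
# host, a Linux host hit by a Windows-only signature, and an unknown host.
SAMPLE = [
    Alert(0, "10.0.0.1", "10.0.0.7", "scan", "smb", "windows"),
    Alert(5, "10.0.0.1", "10.0.0.7", "scan", "smb", "windows"),
    Alert(10, "10.0.0.1", "10.0.0.7", "scan", "smb", "windows"),
    Alert(20, "10.0.0.1", "10.0.0.7", "exploit", "smb", "windows"),
    Alert(30, "10.0.0.9", "10.0.0.5", "exploit", "smb", "windows"),
    Alert(40, "10.0.0.2", "10.0.0.99", "exploit", "rdp", "windows"),
]

def run(alerts=SAMPLE):
    clusters = aggregate(alerts)
    incidents, predictions = correlate(clusters)
    return clusters, incidents, predictions, feedback(incidents, RULES)

if __name__ == "__main__":
    clusters, incidents, predictions, rules = run()
    for c in clusters:
        print(c["alert"].src, "->", c["alert"].dst, c["alert"].cls, "x", c["count"], "weight", credibility(c))
    print(incidents, predictions, [(r["name"], r["priority"]) for r in rules])
    # {('scan-then-exploit', '10.0.0.7')} {('10.0.0.7', 'c2')} [('scan-then-exploit', 3), ('exploit-then-c2', 3)]
```

The point of the weight step is the one the abstract makes: the Windows-only exploit signature fired against the Linux host and the alarm against a host that is not in the monitored-system store never reach the rule matcher, so the rule set is evaluated over far fewer clusters than there were raw alarms, and the partial match of the higher-priority rule yields the "next step" prediction without any further analysis.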
2. The distributed self-optimized intrusion detection alarm correlation system according to claim 1, characterized in that the human-machine interface module (15) comprises an alarm geometric display module (15.1), a human-computer interaction interface (15.2) and a target identification module (15.3);
the human-computer interaction interface (15.2) receives user instructions and control parameters;
the alarm geometric display module (15.1) displays, in a geometric format, the emergencies that need to be handled, ordered and classified by alarm criticality;
the target identification module (15.3) displays the inferred information about the next intrusion target.
3. The distributed self-optimized intrusion detection alarm correlation system according to claim 1 or 2, characterized in that the alarm filtering and standardization module (2) comprises an alarm filtering module (2.1) and a standardization processing module (2.2);
the alarm filtering module (2.1) receives the raw alarms submitted by the detection agent module (1), filters out obviously identical redundant alarms, deletes erroneous alarms and invalid alarms that lack important information, and outputs the remaining valid alarms to the standardization processing module (2.2);
the standardization processing module (2.2) completes the raw alarms by filling in the information and fields that standardization requires, discards irrelevant information and information that does not need to be submitted so as to reduce the volume of alarm information carried over the network, and defines the important fields that every intrusion detection alarm must contain together with the format of those fields.
4. The distributed self-optimized intrusion detection alarm correlation system according to claim 1 or 2, characterized in that the detection agent module (1) comprises a plurality of detectors (1.1) deployed at different locations, a detection engine (1.2) and an alarm engine (1.3); the detectors (1.1) obtain host and network information; the detection engine (1.2) discovers intrusion information by inspecting the host and network information and passes it to the alarm engine (1.3); the alarm engine (1.3) generates raw alarms and submits them to the alarm filtering and standardization module (2) for processing.
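Claims 3 and 4 fix the division of labour but not the field set or the formats. The Python below is an added example, written for this page and not the patent's code, of what the alarm filtering module (2.1) and the standardization processing module (2.2) do once the alarm engines of two different detection agents deliver raw alarms in two different shapes: a fixed schema names the fields every alarm must carry, each raw format is mapped onto it, alarms that lack a required field or exactly repeat an earlier one are dropped, and fields outside the schema are not forwarded. The one-line sensor format, the host-agent record keys, the sensor names and all sample lines are constructed for the example.

```python
# Added example, not the patent's own code: alarm filtering (2.1) and
# standardization (2.2) from claim 3 over two constructed raw alarm formats.
import re
from datetime import datetime, timezone

# Fields every standardized alarm must carry (the "important fields" of claim 3),
# and optional fields kept when present; anything else is not forwarded.
REQUIRED = ("ts", "sensor", "src", "dst", "cls", "sig")
OPTIONAL = ("proto", "dport")

# Constructed one-line network sensor format (an assumption for this example):
# MM/DD-HH:MM:SS.ffffff [**] [gid:sid:rev] msg [**] [Classification: c] {PROTO} src:sport -> dst:dport
_TEXT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def _utc(dt):
    # Treat naive timestamps as UTC so every sensor reports on one clock
    return (dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)).astimezone(timezone.utc)

def parse_text_alert(line, sensor, year=2009):
    """Network sensor line -> raw dict, or None if the line is not an alarm at all."""
    m = _TEXT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = _utc(datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f"))
    d["sensor"] = sensor
    return d

def parse_host_alert(rec, sensor):
    """Host agent record -> raw dict; its keys differ from the network format and are renamed."""
    try:
        ts = _utc(datetime.fromisoformat(rec["time"]))
    except (KeyError, TypeError, ValueError):
        ts = None
    return {"ts": ts, "sensor": sensor, "src": rec.get("remote_ip"), "dst": rec.get("host_ip"),
            "cls": rec.get("category"), "sig": rec.get("rule_id"),
            "proto": rec.get("proto"), "dport": rec.get("port"), "msg": rec.get("description")}

def standardize(raw):
    """Standardization (2.2): reject records missing a required field, keep only
    schema fields, and coerce them to one representation."""
    if raw is None or any(not raw.get(k) for k in REQUIRED):
        return None
    out = {k: str(raw[k]) for k in REQUIRED}
    out["ts"] = raw["ts"].isoformat()
    for k in OPTIONAL:
        if raw.get(k) is not None:
            out[k] = str(raw[k]).lower()
    return out

def filter_and_normalize(raw_alerts):
    """Filtering (2.1) then standardization (2.2): drop invalid alarms and exact
    repeats; return the standardized alarms and the number dropped."""
    seen, kept, dropped = set(), [], 0
    for raw in raw_alerts:
        rec = standardize(raw)
        key = None if rec is None else tuple(rec[k] for k in REQUIRED)
        if key is None or key in seen:
            dropped += 1
            continue
        seen.add(key)
        kept.append(rec)
    return kept, dropped

# Constructed raw input: a valid line, its exact repeat, a line with no classification,
# a non-alarm line, a valid host record carrying a field outside the schema, and a
# host record with no source address.
TEXT_LINES = [
    "05/19-10:00:01.000001 [**] [1:1000001:1] SMB share enumeration [**] [Classification: Attempted Information Leak] {TCP} 10.0.0.1:45120 -> 10.0.0.7:445",
    "05/19-10:00:01.000001 [**] [1:1000001:1] SMB share enumeration [**] [Classification: Attempted Information Leak] {TCP} 10.0.0.1:45120 -> 10.0.0.7:445",
    "05/19-10:00:05.000002 [**] [1:1000002:1] SMB exploit attempt [**] {TCP} 10.0.0.1:45130 -> 10.0.0.7:445",
    "May 19 10:00:06 sensor restarted",
]
HOST_RECORDS = [
    {"time": "2009-05-19T10:00:07+00:00", "remote_ip": "10.0.0.1", "host_ip": "10.0.0.7",
     "category": "Privilege Escalation", "rule_id": "host-42", "port": 445, "proto": "TCP",
     "description": "new local administrator created", "debug": {"pid": 4242}},
    {"time": "2009-05-19T10:00:09+00:00", "host_ip": "10.0.0.5", "category": "Policy", "rule_id": "host-7"},
]

def run():
    raw = [parse_text_alert(l, "nids-1") for l in TEXT_LINES]
    raw += [parse_host_alert(r, "hids-7") for r in HOST_RECORDS]
    return filter_and_normalize(raw)

if __name__ == "__main__":
    kept, dropped = run()
    print(dropped, [r["sig"] for r in kept])   # 4 ['1:1000001:1', 'host-42']
```

Two choices are worth noting. Duplicate detection keys on the standardized record, not the raw line, so the same event reported by two formats collapses once the fields agree; and the free-text description is deliberately outside the schema, which is the "reduce the volume carried over the network" requirement of claim 3 and also keeps attacker-controlled strings out of the correlation stage.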
CN200910062128XA 2009-05-19 2009-05-19 Distributed self-optimized intrusion detection alarm associated system Expired - Fee Related CN101562537B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910062128XA CN101562537B (en) 2009-05-19 2009-05-19 Distributed self-optimized intrusion detection alarm associated system

Publications (2)

Publication Number Publication Date
CN101562537A (en) 2009-10-21
CN101562537B (en) 2011-04-20

Family

ID=41221169

Country Status (1)

Country Link
CN (1) CN101562537B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9710364B2 (en) 2015-09-04 2017-07-18 Micron Technology Licensing, Llc Method of detecting false test alarms using test step failure analysis

Cited By (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102693598A (en) * 2011-03-22 2012-09-26 无锡国科微纳传感网科技有限公司 Method and system for obtaining intrusion alarm priority
CN102693598B (en) * 2011-03-22 2014-03-12 感知技术无锡有限公司 Method and system for obtaining intrusion alarm priority
CN102164135B (en) * 2011-04-14 2014-02-19 上海红神信息技术有限公司 Device and method for defending against pre-positioned reconfigurable DDoS (distributed denial of service) attacks
CN102164135A (en) * 2011-04-14 2011-08-24 上海红神信息技术有限公司 Device and method for defending against pre-positioned reconfigurable DDoS (distributed denial of service) attacks
CN102638445A (en) * 2011-12-27 2012-08-15 中国航天科工集团第二研究院七〇六所 Feedback-type intelligent detection method and device for multi-step network attacks
CN102638445B (en) * 2011-12-27 2015-03-25 中国航天科工集团第二研究院七〇六所 Feedback-type intelligent detection method and device for multi-step network attacks
CN102882893A (en) * 2012-10-30 2013-01-16 吉林大学 Alarm cooperation system based on a blackboard architecture
CN102970188A (en) * 2012-12-06 2013-03-13 贵州电网公司六盘水供电局 110kV digital substation security network
CN102970188B (en) * 2012-12-06 2015-09-09 贵州电网公司六盘水供电局 110kV digital substation security network
CN103152227A (en) * 2013-03-26 2013-06-12 北京启明星辰信息技术股份有限公司 Integrated real-time detection system and detection method for network threats and attacks
CN103414581A (en) * 2013-07-24 2013-11-27 佳都新太科技股份有限公司 Equipment fault alarm, prediction and handling mechanism based on data mining
CN104462981B (en) * 2013-09-12 2019-01-04 深圳市腾讯计算机系统有限公司 Vulnerability detection method and device
CN104462981A (en) * 2013-09-12 2015-03-25 深圳市腾讯计算机系统有限公司 Vulnerability detection method and device
CN103617705A (en) * 2013-12-10 2014-03-05 北京邮电大学 Rule-based alarm method and system for the Internet of Things
CN103617705B (en) * 2013-12-10 2016-01-13 北京邮电大学 Rule-based alarm method and system for the Internet of Things
CN104009870A (en) * 2014-05-30 2014-08-27 浙江大学城市学院 WLAN wireless intrusion alarm aggregation method
CN104219253A (en) * 2014-10-13 2014-12-17 吉林大学 Method for developing a network service interface for multi-step attack alarm correlation
CN104394140A (en) * 2014-11-21 2015-03-04 南京邮电大学 Virtual network optimization method based on SDN
CN104394140B (en) * 2014-11-21 2018-03-06 南京邮电大学 Virtual network optimization method based on SDN
CN104811452A (en) * 2015-04-30 2015-07-29 北京科技大学 Data-mining-based intrusion detection system with self-learning and classified early-warning functions
CN106817340A (en) * 2015-11-27 2017-06-09 阿里巴巴集团控股有限公司 Early-warning decision method, node and sub-system
US11102240B2 (en) 2015-11-27 2021-08-24 Alibaba Group Holding Limited Early-warning decision method, node and sub-system
WO2017088700A1 (en) * 2015-11-27 2017-06-01 阿里巴巴集团控股有限公司 Early-warning decision method, node and sub-system
WO2017152877A1 (en) * 2016-03-11 2017-09-14 中兴通讯股份有限公司 Network threat event evaluation method and apparatus
CN107181726A (en) * 2016-03-11 2017-09-19 中兴通讯股份有限公司 Network threat event evaluation method and apparatus
CN106506566A (en) * 2017-01-12 2017-03-15 成都信息工程大学 Active defense model for covert network attacks based on pulse immunity, and construction method
CN107734610B (en) * 2017-09-15 2020-11-13 维沃移动通信有限公司 Message processing method, mobile terminal and computer-readable storage medium
CN107734610A (en) * 2017-09-15 2018-02-23 维沃移动通信有限公司 Message processing method, mobile terminal and computer-readable storage medium
CN108769019A (en) * 2018-05-29 2018-11-06 深圳智达机械技术有限公司 Smart home security protection system
CN109376537A (en) * 2018-11-06 2019-02-22 杭州安恒信息技术股份有限公司 Asset scoring method and system based on multi-factor fusion
CN109376537B (en) * 2018-11-06 2020-09-15 杭州安恒信息技术股份有限公司 Asset scoring method and system based on multi-factor fusion
CN109688105A (en) * 2018-11-19 2019-04-26 中国科学院信息工程研究所 Threat alarm information generation method and system
CN109688105B (en) * 2018-11-19 2020-07-07 中国科学院信息工程研究所 Threat alarm information generation method and system
CN110322474A (en) * 2019-07-11 2019-10-11 史彩成 Real-time detection method for moving targets in images from an unmanned aerial vehicle platform
CN110430212A (en) * 2019-08-14 2019-11-08 杭州安恒信息技术股份有限公司 Internet of Things threat perception method and system using multivariate data fusion
CN113765843A (en) * 2020-06-01 2021-12-07 深信服科技股份有限公司 Method, device and equipment for detecting identification and detection capability, and readable storage medium
CN113765843B (en) * 2020-06-01 2022-09-30 深信服科技股份有限公司 Method, device and equipment for detecting identification and detection capability, and readable storage medium
CN112506999A (en) * 2020-12-17 2021-03-16 夏红梅 Big data mining method and digital content center based on cloud computing and artificial intelligence
CN112506999B (en) * 2020-12-17 2021-07-16 福建顶点软件股份有限公司 Big data mining method and digital content server based on cloud computing and artificial intelligence
CN115454781A (en) * 2022-10-08 2022-12-09 杭银消费金融股份有限公司 Data visualization display method and system based on an enterprise architecture system
CN115454781B (en) * 2022-10-08 2023-05-16 杭银消费金融股份有限公司 Data visualization display method and system based on an enterprise architecture system

Also Published As

Publication number Publication date
CN101562537B (en) 2011-04-20

Similar Documents

Publication Publication Date Title
CN101562537B (en) Distributed self-optimized intrusion detection alarm associated system
US11336669B2 (en) Artificial intelligence cyber security analyst
Hubballi et al. False alarm minimization techniques in signature-based intrusion detection systems: A survey
CN100531219C (en) A network worm detection method and its system
CN107239707A (en) Threat data processing method for information systems
Siraj et al. Intrusion sensor data fusion in an intelligent intrusion detection system architecture
CN102111420A (en) Intelligent NIPS framework based on dynamic cloud/firewall linkage
CN110336827A (en) Modbus TCP protocol fuzz testing method based on anomalous field location
US11258825B1 (en) Computer network monitoring with event prediction
CN108123939A (en) Real-time malicious behaviour detection method and device
CN104601553A (en) Internet of Things tampering intrusion detection method combined with anomaly monitoring
CN109063205A (en) Knowledge base construction method for network security
CN106209902A (en) Network security system and detection method applied to an intellectual property operation platform
CN115733762A (en) Monitoring system with big data analysis capability
CN117692345B (en) IT operation method and system based on artificial intelligence
Siraj et al. Multi-level alert clustering for intrusion detection sensor data
CN102195975A (en) Intelligent NIPS (network intrusion prevention system) framework based on mobile agents (MA) and learning vector quantization neural networks
Shanmugam et al. Hybrid intrusion detection systems (HIDS) using Fuzzy logic
Herrero et al. Multiagent systems for network intrusion detection: A review
Wu et al. Dynamic hierarchical distributed intrusion detection system based on multi-agent system
Liu et al. Method for network anomaly detection based on Bayesian statistical model with time slicing
Huailin et al. Research on adaptive distributed intrusion detection system model based on Multi-Agent
Dong et al. Design of Network Security Situation Awareness and Early Warning System Based on Big Data
Bologna et al. Dependability and survivability of large complex critical infrastructures
Huang et al. Research on network communication model and network security technology through big data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110420

Termination date: 20120519