CN101582788A - Grading processing method and grading processing system for security event - Google Patents
Grading processing method and grading processing system for security event Download PDFInfo
- Publication number
- CN101582788A CN101582788A CNA2008101063290A CN200810106329A CN101582788A CN 101582788 A CN101582788 A CN 101582788A CN A2008101063290 A CNA2008101063290 A CN A2008101063290A CN 200810106329 A CN200810106329 A CN 200810106329A CN 101582788 A CN101582788 A CN 101582788A
- Authority
- CN
- China
- Prior art keywords
- security incident
- frequency
- security
- incident
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention relates to a grading processing method and a grading processing system for a security event. The method comprises the following steps: obtaining a security event generated by a security system in real time and storing the security event after analysis, wherein source address information and destination address information are contained in the security event; when set processing time arrives, counting an estimated value of damage degree according to a security grade, the frequency, an address distribution parameter and a configured operation parameter of each security event and confirming the damage grade of the security event according to the obtained estimated value; and processing the security event according to the damage grade of each security event and a mode which corresponds to the damage grade. The grading processing system comprises a security event obtaining device, a security event counting device, a security event estimating device, a security event processing device and a storage device which are connected in sequence. The invention can grade the damage degree of a great number of security events and process the security events in time according to a plurality of objective factors.
Description
Technical field
The present invention relates to processing method, relate in particular to a kind of hierarchical processing method security incident to security incident.
Background technology
Security incident is generated by safety system, and safety system refers to the application system that intrusion detection, vulnerability scanning, audit, fire compartment wall, UTM etc. carry out safety monitoring, protection to custom system.
Disparate networks safety monitoring, safeguards system all can generate a large amount of security alarm incidents.For example systems such as intruding detection system (IDS), vulnerability scanning, audit are as safety monitoring system, can finish safety is constituted any any one behavior that may threaten to report to the police, and promptly generate security incident.But because in actual motion, possible threat is many, therefore shows can generate a large amount of security incidents in the application of these systems, and some is a leak, some is illegal act, some is important audit actions.The incident of these different attributes, enormous amount, of a great variety, make the safety guarantee personnel effectively to analyze, find wherein most important, urgent incident and processing in time.
In order to address this problem, be to be foundation at present with incident level of security and quantity, the extent of injury of security incident is sorted, be convenient to handle according to the order of importance and emergency successively.But this method is only with reference to level of security and 2 event arguments of frequency of incident, too simple, can not carry out true objectively classification to the extent of injury of incident, therefore can't adapt to most important, the most urgent incident and the timely demand of handling of discovery in the actual use, may cause the processing of most important, the most urgent security incident is delayed, cause heavy losses.
Summary of the invention
The technical problem to be solved in the present invention provides a kind of hierarchical processing method and system to security incident, can carry out classification and processing in time to the extent of injury of a large amount of security incidents according to a plurality of objective factors.
For the extent of injury to security incident is carried out objective analysis, need to consider the various aspects of a security incident comprehensively, by the further investigation that the security incident regularity is carried out, the present invention proposes following and the practical relevant parameter of its harmfulness:
Incident percentage: refer to the frequency of an incident, with the percentage of the frequency summation of all incidents.Obviously, the percentage numerical value of incident is big more, and the incidence of this incident is just high, and is just important more.
The event source address distributes: the source address of an incident distributes wide, may be to attack the promoter to distribute extensively, also may distribute wide by victim, comparatively speaking, event distribution extensively illustrates incident more seriously, distributes to concentrate, the explanation incident is diffusion not, and is only in limited range, therefore not too serious.
The incident destination address distributes: the destination address of an incident distributes wide, may be that victim distributes extensively, also may be to attack the promoter to distribute extensively, comparatively speaking, event distribution extensively illustrates incident more seriously, distributes to concentrate, the explanation incident is diffusion not, and is only in limited range, therefore not too serious.
Event number changes: the variation of an incident generation quantity can illustrate the variation tendency of this incident diffusion.The event number quantitative change is big, and it is serious to illustrate that this incident becomes, and event number diminishes, and the alleviation that this incident becomes is described.
The incident ratio changes: the change of event number and does not mean that the incident ratio becomes big greatly, because the incident total amount also can change.The variation of incident ratio, identical with the variation of event number, can reflect the variation of the incident order of severity, promptly the incident ratio becomes big, and it is serious to illustrate that this incident becomes, and the incident ratio diminishes, and the alleviation that this incident becomes is described.
Event source address changes in distribution: the source address changes in distribution of an incident, can reflect the development trend of this incident equally.The address distributes and becomes wide, and the explanation incident becomes seriously, the alleviation otherwise explanation becomes.
Incident destination address changes in distribution: the destination address changes in distribution of an incident, can reflect the development trend of this incident equally.The address distributes and becomes wide, and the explanation incident becomes seriously, the alleviation otherwise explanation becomes.
The incident level of security: the incident level of security is the key factor that influences the incident order of severity.A high-level incident can support tens, up to a hundred rudimentary incidents, and these characteristics, and the effect on above-mentioned Several Parameters is identical.
Therefore, after removing level of security and frequency, distribute and each parameter situation of change security incident being carried out take all factors into consideration the address when classification is handled, can more objective and accurately finish the security incident extent of injury determined the suitably emergency processing of user of help safety system.
Based on above analysis, the invention provides a kind of hierarchical processing method to security incident, may further comprise the steps:
Obtain the security incident that safety system generates in real time, preserve after the parsing, comprised source address and destination address information in the security incident;
The processing time of setting then, according to the computing parameter of level of security, frequency and the address distributed constant and the configuration of each security incident, calculate the assessed value of the extent of injury, and determine its hazard level according to the assessed value that obtains;
According to the hazard level of each security incident, handle according to the mode of this rank correspondence.
Further, above-mentioned hierarchical processing method also can have following characteristics: the component of described calculating extent of injury assessed value comprises the frequency of security incident and/or the percentage of frequency, also comprises a kind of or combination in the distributed constant of following address:
The source address distribution entropy of security incident in this cycle calculated at the frequency of each source address and the frequency of this security incident by current safety incident in this cycle;
The destination address distribution entropy of security incident in this cycle calculated at the frequency of each destination address and the frequency of this security incident by current safety incident in this cycle;
Described frequency percentage is the ratio with the generation total degree of the frequency of security incident in one-period and all security incidents.
Further, above-mentioned hierarchical processing method also can have following characteristics:
When determining the hazard level of security incident, to each security incident, calculate one or more of following several rates of change, as the component that calculates extent of injury assessed value:
Frequency rate of change, the i.e. ratio of the frequency in the frequency in this cycle of security incident and last cycle;
Source address distribution changes of entropy rate, the i.e. ratio of the source address distribution moisture in the soil value in the source address distribution moisture in the soil value in this cycle of security incident and last cycle;
Destination address distribution changes of entropy rate, the i.e. ratio of the destination address distribution moisture in the soil value in the destination address distribution moisture in the soil value in this cycle of security incident and last cycle; And
Frequency percentage rate of change, the i.e. ratio of the frequency percentage in the frequency percentage in this cycle of security incident and last cycle.
Further, above-mentioned hierarchical processing method also can have following characteristics:
When calculating described rate of change, carry out following processing:
If the last cycle does not have the safety incident to take place, then the ratio changing value is 1;
If the ratio changing value that calculates less than 1, then removes 2, its number range exists: between the 0-0.5;
If the ratio changing value that calculates is greater than 1, then following processing exists its number range: between the 0.5-1: ratio changing value=1-(1/ ratio changing value).
Further, above-mentioned hierarchical processing method also can have following characteristics:
During the assessed value of the computationally secure incident extent of injury, this security incident that calculates earlier important corresponding weights and addition of multiply by configuration respectively, be that weighted sum is as the assessment initial value, and then will assess the corrected parameter that initial value multiply by the affiliated level of security correspondence of this security incident of configuration, to obtain the assessed value assessed value scope corresponding relatively, thereby determine its hazard level with hazard level.
Further, above-mentioned hierarchical processing method also can have following characteristics:
Described configuration information comprises the level of security that is the security incident configuration, the corrected parameter of each level of security, is used to calculate the weights of each component of hazard evaluation value and the assessed value scope of hazard level correspondence.
Classification treatment system to security incident provided by the invention comprises the security incident deriving means, security incident counting device, security incident apparatus for evaluating and the security incident processing unit that link to each other successively, and storage device, wherein:
Described security incident deriving means is used for obtaining in real time the security incident that safety system generates, and is saved in the storage device after the parsing and notifies described security incident counting device;
Described security incident counting device is used for according to the security incident notice of receiving the frequency of each security incident in this cycle, the generation total degree of all security incidents being counted, and the result outputs to described security incident apparatus for evaluating;
Described security incident apparatus for evaluating be used for the processing time of setting then, computing parameter according to level of security, frequency and the address distributed constant and the configuration of each security incident, calculate the assessed value of the extent of injury, and determine its hazard level according to the assessed value that obtains;
Described security incident processing unit is used for the hazard level according to each security incident, handles according to the mode of this rank correspondence;
Storage device is used to preserve the computing parameter of configuration, and buffer memory is carried out in security incident and parameter thereof.
Further, above-mentioned classification treatment system also can have following characteristics:
Described security incident counting device also calculates the frequency of each security incident at each source address and destination address, and the result outputs to described security incident apparatus for evaluating;
Described security incident apparatus for evaluating comprises timing unit, frequency percentage calculation unit, address distribution moisture in the soil value computing unit, assessment initial value computing unit, amending unit and stage unit, wherein:
Timing unit is used at the timing of setting then triggering other unit and carrying out corresponding computing;
Frequency percentage calculation unit, the ratio of the generation total degree of all security incidents outputs to and assesses the initial value computing unit in the frequency that is used to calculate each security incident in this cycle and this cycle;
Address distribution moisture in the soil value computing unit, be used for according to each security incident in this cycle at the frequency of each source address and/or destination address and the frequency of this security incident, calculate source address and/or the destination address distribution entropy of each security incident in this cycle, output to assessment initial value computing unit;
Assessment initial value computing unit, the frequency percentage, address distribution moisture in the soil value and the corresponding weight value that are used for according to each security incident are calculated its weighted sum, obtain assessing initial value and output to amending unit;
Amending unit is used for the assessment initial value according to each security incident of corrected parameter correction of level of security correspondence under the security incident of configuration, obtains the assessed value of its extent of injury, outputs to stage unit;
Stage unit is used for determining the hazard level of each security incident and being reported to the security incident processing unit according to the assessed value scope of the hazard level correspondence that disposes and the assessed value of the security incident extent of injury.
Further, above-mentioned classification treatment system also can have following characteristics:
Described security incident apparatus for evaluating also comprises the rate of change computing unit, be used to calculate following rate of change one or more and the result outputed to assessment initial value computing unit:
Frequency percentage rate of change, the i.e. ratio of the frequency percentage in the frequency percentage in this cycle of security incident and last cycle;
Frequency rate of change, the i.e. ratio of the frequency in the frequency in this cycle of security incident and last cycle;
Source address distribution changes of entropy rate, the i.e. ratio of the source address distribution moisture in the soil value in the source address distribution moisture in the soil value in this cycle of security incident and last cycle;
Destination address distribution changes of entropy rate, the i.e. ratio of the destination address distribution moisture in the soil value in the destination address distribution moisture in the soil value in this cycle of security incident and last cycle;
Correspondingly, one or more in the frequency, frequency percentage, source address distribution moisture in the soil value and the destination address distribution moisture in the soil value that need each computation of Period is gone out of the address distribution moisture in the soil value computing unit in described security incident counting device and/or the security incident apparatus for evaluating are cached to described storage device.
Further, above-mentioned classification treatment system also can have following characteristics:
Described storage device is used to frequency, frequency percentage, source address distribution entropy and the destination address distribution entropy of each security incident of preserving security incident, calculating in each cycle, for the corrected parameter of the level of security of security incident configuration, each level of security, be used to calculate the weights of each component of hazard evaluation value and the assessed value scope of hazard level correspondence.
Therefore, the present invention can carry out objective, accurately classification to a large amount of security incidents that safety system generates, thereby make the Security Officer suitably to handle according to the actual extent of injury of incident the hierarchical processing method of security incident.Particularly:
A, the present invention can carry out objective, analyzing and processing accurately to a large amount of security incidents, provides the assessed value of the extent of injury.
B according to the extent of injury assessed value of incident, can carry out the ordering and the classification of the extent of injury to incident, thereby personnel easy to use handles according to the order of importance and emergency of incident.
C, each parameter in the operation method of the present invention can be made amendment by configuration file, reaches maximum user customizableization.
Description of drawings
Fig. 1 is the flow chart of the embodiment of the invention to the hierarchical processing method of security incident.
Fig. 2 is the sample of embodiment of the invention configuration file.
Fig. 3 is the structure chart of embodiment of the invention security incident classification treatment system.
Embodiment
The present invention distributes to level of security, frequency, address and the parameter relevant with the security incident extent of injury such as parameter situation of change carried out comprehensive assessment, thereby more objective and accurately finish definite and processing to the security incident hazard level.
Classification with IDS system safety incident is treated to example below, describes the present invention in detail with specific implementation in conjunction with the accompanying drawings.
Fig. 1 illustrates the flow chart of present embodiment to the hierarchical processing method of security incident, may further comprise the steps:
S110 obtains the security incident that safety system generates in real time, preserves after the parsing, has comprised source address and destination address information in the security incident;
Present embodiment is that the calling interface function reads the security incident that the IDS system generates, and is kept at after the parsing in the buffering area that distributes into each incident.
S120, the processing time of setting then according to the parameters such as level of security, frequency, address distribution and parameter variation of configuration information and each security incident, is determined its hazard level;
Above-mentioned configuration information comprises the level of security that is the security incident configuration, the corrected parameter of each level of security, and the weights that are used to calculate each component of hazard evaluation value, also can comprise the assessed value scope of hazard level correspondence.
The level of security of security incident can read from incident defined file (event.data), and the computing parameter can (ea.ini) read from the module parameter defined file.File format please refer to Fig. 2.As can be seen, the event definition file comprises the ID coding and the level of security of all security incidents in the system.The module parameter defined file comprises in system's computing all required computing parameters as the weights of the weighted sum of 7 computing components, the corrected parameter of 3 level of securitys.
S130 according to the hazard level of each security incident and the processing policy of configuration, handles according to the processing mode of correspondence.
For example, incident (the most serious incident) for three grades of hazard level, need by Realtime Alerts instruments such as SMS, phone, warning lamps, in time notify the related personnel, taking urgent measure is solved, and comprises that interrupt network connects (preventing to divulge a secret), restarts system (ensureing professional normal) or the like; For the incident of hazard level secondary, can pass through methods such as mail, screen window, notify the related personnel, handle according to actual conditions; For the incident (the lightest incident) of hazard level one-level, can pass through methods such as form every day, the announcement related personnel is convenient to increase the overall understanding of safety guarantee personnel to the running status and the trend of system.
When wherein determining the security incident hazard level among the step S120, the generation total degree N of the frequency of each security incident, all security incidents in this cycle of statistics earlier, security incident carry out following the processing to each security incident that takes place in this cycle then at the frequency of each source address and destination address:
A) the frequency percentage of calculating current safety incident, the i.e. ratio of the generation total degree of the frequency of current safety incident and all security incidents in this cycle;
B) according to current safety incident in this cycle the frequency of each source address and the frequency of this security incident (equal all source addresses frequency add up and), calculate the source address distribution entropy of current safety incident in this cycle, formula is as follows:
Source address moisture in the soil={ [(the current safety incident is at address 1 frequency/current safety incident total degree)
* log (the current safety incident is at address 1 frequency/current safety incident total degree)]
+●●●
+ [(the current safety incident is at address n frequency/current safety incident total degree)
* log (the current safety incident is at address n frequency/current safety incident total degree)]
* [100/log (maximum address number)]
C) according to current safety incident in this cycle the frequency of each destination address and the frequency of this security incident (equal all destination addresses frequency add up and), calculate the destination address distribution entropy of current safety incident in this cycle, formula is similar to source address distribution entropy.
Frequency, frequency percentage, source address distribution entropy and the destination address distribution entropy of each security incident should be preserved the calculating that is used for relevant parameter rate of change of following one-period in this cycle.
More than 3 CALCULATION OF PARAMETERS order do not need special qualification.
D) search the above-mentioned parameter of current safety incident in the last cycle, carry out following calculating:
● calculate frequency percentage rate of change, i.e. the ratio of the frequency percentage in the frequency percentage in current safety this cycle of incident and last cycle.
● calculate the frequency rate of change, i.e. the ratio of the frequency in the frequency in current safety this cycle of incident and last cycle.
● calculate source address changes of entropy rate, i.e. the ratio of the source address distribution moisture in the soil value in the source address distribution moisture in the soil value in current safety this cycle of incident and last cycle.
● calculate destination address changes of entropy rate, i.e. the ratio of the destination address distribution moisture in the soil value in the destination address distribution moisture in the soil value in current safety this cycle of incident and last cycle.
In this step, for the data that make above 4 rate of change parameters in the scope of 0-1, carry out following processing:
If the last cycle does not have the safety incident to take place, then the ratio changing value is 1;
If the ratio changing value that calculates less than 1, then removes 2, its number range exists: between the 0-0.5;
If the ratio changing value that calculates is greater than 1, then following processing exists its number range: between the 0.5-1: ratio changing value=1-(1/ ratio changing value)
E) calculate the weighted sum of 7 components obtaining above, that is:
Weighted sum=epercent * frequency percentage
+ Esentropy * source address distribution entropy
+ edentropy * destination address distribution entropy
+ epratio * frequency percentage rate of change
+ enratio5 * frequency rate of change
+ eseratio * source address distribution changes of entropy rate
+ ederatio * destination address distribution changes of entropy rate
Epercent, Esentropy, edentropy, epratio, enratio5 etc. are respectively the weights of respective components, and these weights can dispose.
F) corrected parameter of the level of security correspondence of incident safe in utilization is revised the assessment initial value of each incident, draws the assessed value of the final security incident extent of injury, can determine the hazard level that it is corresponding according to configuration, that is:
The assessed value of the incident extent of injury=assessment initial value * rank corrected parameter
Describe with the example in the practical application below, it is as follows to suppose that each basic parameter that obtains is added up in tested a certain security incident in this cycle:
| Parameter name | Parameter values | Explanation |
| All incident generation total degrees | 500 | |
| All incident generation total degree rates of change | 0 | |
| This incident frequency | 50 | |
| This event source address number | 10 | Be evenly distributed |
| This incident destination address number | 10 | Be evenly distributed |
| This incident frequency changes | 0 | |
| This event source address change | 0 | |
| This incident destination address changes | 0 | |
| This incident level of |
2 |
As can be seen, this incident takes place 50 times, is evenly distributed in 10 source addresses and destination address, and each address takes place 5 times.The address greatest measure is made as 256.Here 256 are address maximum number values in should using, the final result numerical value that is used for the computing of revised version item is between 1-100.In addition, suppose that in this example all kinds of parameters are changed to 0, the parameter value of promptly going up one-period is 0.
Go out the numerical value of each component based on above Parameter Calculation:
| The computing component | Computing formula | Result of calculation numerical value |
| Frequency percentage | 50/500 | 10% |
| The source address entropy | 10×(5/50)lg(5/50) ×(-100/lg(256) | 41.5% |
| The destination address entropy | 10×(5/50)lg(5/50) ×(-100/lg(256) | 41.5% |
| Frequency percentage rate of change | 0 | 0 |
| The frequency rate of change | 0 | 0 |
| Source address changes of entropy rate | 0 | 0 |
| Destination address changes of entropy rate | 0 | 0 |
| Event level | 0.8 | 0.8 |
In should using, the incident harmful grade is divided into three grades, and the corrected parameter of one-level correspondence is 1.0, and the corrected parameter of secondary correspondence is that the corrected parameter of 0.8, three grade of correspondence is 0.5.
Calculate weighted sum:
0.25×10+0.25×41.5+0.25×41.5
+0.0625×0+0.0625×0+0.0625×0+0.0625×0
=23.3
According to drawing final hazard level numerical value after the correction of rank correction value:
23.3×0.8=18.6
Suppose to divide and be with the hazard level that system provides:
One-level (extent of injury is minimum): 0-20
Secondary (in the middle of the extent of injury): 10-20
Three grades of (extent of injury is the highest): 30-100
Therefore, the hazard level that can determine this incident is a secondary.Can handle according to the processing policy of this rank correspondence then.Each rank can also sort by hazard level numerical value, so that the most urgent incident of priority treatment.
Correspondingly, as shown in Figure 3, the security incident classification treatment system of present embodiment comprises security incident deriving means, security incident counting device, security incident apparatus for evaluating and the security incident processing unit that connects successively, and the storage device that is connected with security incident deriving means, security incident counting device, security incident apparatus for evaluating, wherein:
The security incident deriving means is used for obtaining in real time the security incident that safety system generates, and is saved in the storage device after the parsing and notifies the security incident counting device, comprises source address and destination address information in the security incident of obtaining;
The security incident counting device is used for according to the security incident notice of receiving, frequency, the generation total degree of all security incidents, each security incident to each security incident in this cycle are counted at the frequency of each source address and destination address, the result outputs to the security incident apparatus for evaluating, and the frequency of each security incident is saved in storage device;
The security incident apparatus for evaluating further comprises:
Timing unit is used at the timing of setting then triggering other unit and carrying out corresponding computing.
Frequency percentage calculation unit is used to calculate the frequency of each security incident in this cycle and the ratio of the generation total degree of all security incidents in this cycle, outputs to assessment initial value computing unit and is saved in storage device.
Source address distribution moisture in the soil value computing unit, be used for according to each security incident in this cycle at the frequency of each source address and the frequency of this security incident, calculate the source address distribution entropy of each security incident in this cycle, output to assessment initial value computing unit and be saved in storage device.
Destination address distribution moisture in the soil value computing unit, be used for according to each security incident in this cycle at the frequency of each destination address and the frequency of this security incident, calculate the destination address distribution entropy of each security incident in this cycle, output to assessment initial value computing unit and be saved in storage device.
The rate of change computing unit is used to search the parameter of current safety incident in the last cycle, calculates following rate of change: frequency percentage rate of change, the i.e. ratio of the frequency percentage in the frequency percentage in this cycle of security incident and last cycle; Frequency rate of change, the i.e. ratio of the frequency in the frequency in this cycle of security incident and last cycle; Source address distribution changes of entropy rate, the i.e. ratio of the source address distribution moisture in the soil value in the source address distribution moisture in the soil value in this cycle of security incident and last cycle; Destination address distribution changes of entropy rate, the i.e. ratio of the destination address distribution moisture in the soil value in the destination address distribution moisture in the soil value in this cycle of security incident and last cycle.Above rate of change need output to assessment initial value computing unit.
Assessment initial value computing unit, the weights that are used for frequency percentage, source address distribution moisture in the soil value, destination address distribution moisture in the soil value and above-mentioned 4 rates of change and configuration according to each security incident calculate its weighted sum, obtain assessing initial value and output to amending unit;
Amending unit is used for according to the level of security and the corresponding corrected parameter thereof of the security incident of disposing the assessment initial value of each security incident being revised, and draws the assessed value of the final security incident extent of injury, and outputs to stage unit;
Stage unit is used for determining the hazard level of each security incident and being reported to the security incident processing unit according to the assessed value scope of the hazard level correspondence that disposes and the assessed value of the security incident extent of injury of receiving;
Described security incident processing unit is used for according to the hazard level of security incident and the processing policy of configuration security incident being handled.
Storage device be used to each security incident of preserving security incident, calculating in each cycle frequency, frequency percentage, source address distribution entropy and destination address distribution entropy, be the corrected parameter of the level of security of security incident configuration, each level of security, the weights of each component that calculate the hazard evaluation value and the assessed value scope of hazard level correspondence etc.
Should be noted that, the above-mentioned parameter that the present invention adopts is used to assess the extent of injury is not to be artificially and subjectively to select, but according to the regularity between the security incident and the extent of injury, can objectively respond the factor of the parameter of the extent of injury as assessment, and utilize said system to carry out computing, thereby can be more objective and determine the harm of security incident exactly, and then can directly obtain the technique effect that improves internet security to the most urgent security incident priority treatment according to the hazard rating of security incident.
On the basis of the foregoing description, various conversion can also be arranged, for example, when assessment, might not use above-mentioned 7 components simultaneously, on the basis of existing technology, distribute in entropy, destination address distribution entropy, frequency percentage rate of change, frequency rate of change, source address distribution changes of entropy rate and the destination address distribution changes of entropy rate one or combination in any of source address also is fine as the component of assessment, because all can be objective to a certain extent the degree of reaction harm, so prior art also is to have reached better technique effect relatively.Assembled scheme is wherein described in summary of the invention.And, except 6 kinds of components of above-mentioned increase, can also select for use other parameter relevant such as other rate of change value etc. to assess according to thinking of the present invention with the security incident extent of injury.
Claims (10)
1, a kind of hierarchical processing method to security incident may further comprise the steps:
Obtain the security incident that safety system generates in real time, preserve after the parsing, comprised source address and destination address information in the security incident;
The processing time of setting then, according to the computing parameter of level of security, frequency and the address distributed constant and the configuration of each security incident, calculate the assessed value of the extent of injury, and determine its hazard level according to the assessed value that obtains;
According to the hazard level of each security incident, handle according to the mode of this rank correspondence.
2, hierarchical processing method as claimed in claim 1 is characterized in that: the component of described calculating extent of injury assessed value comprises the frequency of security incident and/or the percentage of frequency, also comprises a kind of or combination in the distributed constant of following address:
The source address distribution entropy of security incident in this cycle calculated at the frequency of each source address and the frequency of this security incident by current safety incident in this cycle;
The destination address distribution entropy of security incident in this cycle calculated at the frequency of each destination address and the frequency of this security incident by current safety incident in this cycle;
Described frequency percentage is the ratio with the generation total degree of the frequency of security incident in one-period and all security incidents.
3, hierarchical processing method as claimed in claim 2 is characterized in that:
When determining the hazard level of security incident, to each security incident, calculate one or more of following several rates of change, as the component that calculates extent of injury assessed value:
Frequency rate of change, the i.e. ratio of the frequency in the frequency in this cycle of security incident and last cycle;
Source address distribution changes of entropy rate, the i.e. ratio of the source address distribution moisture in the soil value in the source address distribution moisture in the soil value in this cycle of security incident and last cycle;
Destination address distribution changes of entropy rate, the i.e. ratio of the destination address distribution moisture in the soil value in the destination address distribution moisture in the soil value in this cycle of security incident and last cycle; And
Frequency percentage rate of change, the i.e. ratio of the frequency percentage in the frequency percentage in this cycle of security incident and last cycle.
4, hierarchical processing method as claimed in claim 3 is characterized in that: when calculating described rate of change, carry out following processing:
If the last cycle does not have the safety incident to take place, then the ratio changing value is 1;
If the ratio changing value that calculates less than 1, then removes 2, its number range exists: between the 0-0.5;
If the ratio changing value that calculates is greater than 1, then following processing exists its number range: between the 0.5-1: ratio changing value=1-(1/ ratio changing value).
5, as claim 2 or 3 described hierarchical processing methods, it is characterized in that:
During the assessed value of the computationally secure incident extent of injury, this security incident that calculates earlier important corresponding weights and addition of multiply by configuration respectively, be that weighted sum is as the assessment initial value, and then will assess the corrected parameter that initial value multiply by the affiliated level of security correspondence of this security incident of configuration, to obtain the assessed value assessed value scope corresponding relatively, thereby determine its hazard level with hazard level.
6, hierarchical processing method as claimed in claim 5 is characterized in that:
Described configuration information comprises the level of security that is the security incident configuration, the corrected parameter of each level of security, is used to calculate the weights of each component of hazard evaluation value and the assessed value scope of hazard level correspondence.
7, a kind of classification treatment system to security incident is characterized in that, comprises the security incident deriving means, security incident counting device, security incident apparatus for evaluating and the security incident processing unit that link to each other successively, and storage device, wherein:
Described security incident deriving means is used for obtaining in real time the security incident that safety system generates, and is saved in the storage device after the parsing and notifies described security incident counting device;
Described security incident counting device is used for according to the security incident notice of receiving the frequency of each security incident in this cycle, the generation total degree of all security incidents being counted, and the result outputs to described security incident apparatus for evaluating;
Described security incident apparatus for evaluating be used for the processing time of setting then, computing parameter according to level of security, frequency and the address distributed constant and the configuration of each security incident, calculate the assessed value of the extent of injury, and determine its hazard level according to the assessed value that obtains;
Described security incident processing unit is used for the hazard level according to each security incident, handles according to the mode of this rank correspondence;
Storage device is used to preserve the computing parameter of configuration, and buffer memory is carried out in security incident and parameter thereof.
8, classification treatment system as claimed in claim 7 is characterized in that:
Described security incident counting device also calculates the frequency of each security incident at each source address and destination address, and the result outputs to described security incident apparatus for evaluating;
Described security incident apparatus for evaluating comprises timing unit, frequency percentage calculation unit, address distribution moisture in the soil value computing unit, assessment initial value computing unit, amending unit and stage unit, wherein:
Timing unit is used at the timing of setting then triggering other unit and carrying out corresponding computing;
Frequency percentage calculation unit, the ratio of the generation total degree of all security incidents outputs to and assesses the initial value computing unit in the frequency that is used to calculate each security incident in this cycle and this cycle;
Address distribution moisture in the soil value computing unit, be used for according to each security incident in this cycle at the frequency of each source address and/or destination address and the frequency of this security incident, calculate source address and/or the destination address distribution entropy of each security incident in this cycle, output to assessment initial value computing unit;
Assessment initial value computing unit, the frequency percentage, address distribution moisture in the soil value and the corresponding weight value that are used for according to each security incident are calculated its weighted sum, obtain assessing initial value and output to amending unit;
Amending unit is used for the assessment initial value according to each security incident of corrected parameter correction of level of security correspondence under the security incident of configuration, obtains the assessed value of its extent of injury, outputs to stage unit;
Stage unit is used for determining the hazard level of each security incident and being reported to the security incident processing unit according to the assessed value scope of the hazard level correspondence that disposes and the assessed value of the security incident extent of injury.
9, classification treatment system as claimed in claim 8 is characterized in that:
Described security incident apparatus for evaluating also comprises the rate of change computing unit, be used to calculate following rate of change one or more and the result outputed to assessment initial value computing unit:
Frequency percentage rate of change, the i.e. ratio of the frequency percentage in the frequency percentage in this cycle of security incident and last cycle;
Frequency rate of change, the i.e. ratio of the frequency in the frequency in this cycle of security incident and last cycle;
Source address distribution changes of entropy rate, the i.e. ratio of the source address distribution moisture in the soil value in the source address distribution moisture in the soil value in this cycle of security incident and last cycle;
Destination address distribution changes of entropy rate, the i.e. ratio of the destination address distribution moisture in the soil value in the destination address distribution moisture in the soil value in this cycle of security incident and last cycle;
Correspondingly, one or more in the frequency, frequency percentage, source address distribution moisture in the soil value and the destination address distribution moisture in the soil value that need each computation of Period is gone out of the address distribution moisture in the soil value computing unit in described security incident counting device and/or the security incident apparatus for evaluating are cached to described storage device.
10, classification treatment system as claimed in claim 9 is characterized in that:
Described storage device is used to frequency, frequency percentage, source address distribution entropy and the destination address distribution entropy of each security incident of preserving security incident, calculating in each cycle, for the corrected parameter of the level of security of security incident configuration, each level of security, be used to calculate the weights of each component of hazard evaluation value and the assessed value scope of hazard level correspondence.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008101063290A CN101582788B (en) | 2008-05-12 | 2008-05-12 | Grading processing method and grading processing system for security event |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2008101063290A CN101582788B (en) | 2008-05-12 | 2008-05-12 | Grading processing method and grading processing system for security event |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101582788A true CN101582788A (en) | 2009-11-18 |
| CN101582788B CN101582788B (en) | 2011-08-31 |
Family
ID=41364763
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2008101063290A Active CN101582788B (en) | 2008-05-12 | 2008-05-12 | Grading processing method and grading processing system for security event |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101582788B (en) |
Cited By (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101894353A (en) * | 2010-05-24 | 2010-11-24 | 中国人民解放军军事医学科学院微生物流行病研究所 | Unexpected biological event field hazard evaluation simulation system |
| CN103036905A (en) * | 2012-12-27 | 2013-04-10 | 北京神州绿盟信息安全科技股份有限公司 | Method and device of enterprise network safety analysis |
| CN103178988A (en) * | 2013-02-06 | 2013-06-26 | 中电长城网际系统应用有限公司 | Method and system for monitoring virtualized resources with optimized performance |
| CN103209386A (en) * | 2012-02-21 | 2013-07-17 | 广州三星通信技术研究有限公司 | Mobile terminal used for prompting user in case of being tracked and method thereof |
| CN104486324A (en) * | 2014-12-10 | 2015-04-01 | 北京百度网讯科技有限公司 | Method and system for identifying network attack |
| CN104601604A (en) * | 2014-06-12 | 2015-05-06 | 国家电网公司 | Network security situation analyzing method |
| CN104866436A (en) * | 2014-06-12 | 2015-08-26 | 国家电网公司 | Method for storing massive security incidents |
| CN106462702A (en) * | 2014-06-16 | 2017-02-22 | 西门子公司 | Method and system for obtaining and analysing forensic data in a distributed computer infrastructure |
| CN107733693A (en) * | 2017-09-22 | 2018-02-23 | 中国人民解放军国防科技大学 | Network security operation and maintenance capability evaluation method and system based on security event statistics |
| CN110094292A (en) * | 2019-06-19 | 2019-08-06 | 国电联合动力技术有限公司 | Marine tidal-current energy generator group multilevel security protects system and method |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101005510A (en) * | 2007-01-19 | 2007-07-25 | 南京大学 | Network real time risk evaluating method for comprehensive loop hole |
-
2008
- 2008-05-12 CN CN2008101063290A patent/CN101582788B/en active Active
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101894353B (en) * | 2010-05-24 | 2015-03-18 | 中国人民解放军军事医学科学院微生物流行病研究所 | Unexpected biological event field hazard evaluation simulation system |
| CN101894353A (en) * | 2010-05-24 | 2010-11-24 | 中国人民解放军军事医学科学院微生物流行病研究所 | Unexpected biological event field hazard evaluation simulation system |
| CN103209386B (en) * | 2012-02-21 | 2016-08-03 | 广州三星通信技术研究有限公司 | For pointing out the tracked mobile terminal of user and method thereof |
| CN103209386A (en) * | 2012-02-21 | 2013-07-17 | 广州三星通信技术研究有限公司 | Mobile terminal used for prompting user in case of being tracked and method thereof |
| CN103036905A (en) * | 2012-12-27 | 2013-04-10 | 北京神州绿盟信息安全科技股份有限公司 | Method and device of enterprise network safety analysis |
| CN103178988A (en) * | 2013-02-06 | 2013-06-26 | 中电长城网际系统应用有限公司 | Method and system for monitoring virtualized resources with optimized performance |
| CN104866436B (en) * | 2014-06-12 | 2018-02-02 | 国家电网公司 | Magnanimity security incident storage method |
| CN104601604B (en) * | 2014-06-12 | 2019-03-15 | 国家电网公司 | Network safety situation analysis method |
| CN104601604A (en) * | 2014-06-12 | 2015-05-06 | 国家电网公司 | Network security situation analyzing method |
| CN104866436A (en) * | 2014-06-12 | 2015-08-26 | 国家电网公司 | Method for storing massive security incidents |
| CN106462702A (en) * | 2014-06-16 | 2017-02-22 | 西门子公司 | Method and system for obtaining and analysing forensic data in a distributed computer infrastructure |
| US10257216B2 (en) | 2014-06-16 | 2019-04-09 | Siemens Aktiengesellschaft | Method and system for obtaining and analyzing forensic data in a distributed computer infrastructure |
| CN106462702B (en) * | 2014-06-16 | 2019-12-10 | 西门子公司 | Method and system for acquiring and analyzing electronic forensic data in a distributed computer infrastructure |
| CN104486324B (en) * | 2014-12-10 | 2018-02-27 | 北京百度网讯科技有限公司 | Identify the method and system of network attack |
| CN104486324A (en) * | 2014-12-10 | 2015-04-01 | 北京百度网讯科技有限公司 | Method and system for identifying network attack |
| CN107733693A (en) * | 2017-09-22 | 2018-02-23 | 中国人民解放军国防科技大学 | Network security operation and maintenance capability evaluation method and system based on security event statistics |
| CN110094292A (en) * | 2019-06-19 | 2019-08-06 | 国电联合动力技术有限公司 | Marine tidal-current energy generator group multilevel security protects system and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101582788B (en) | 2011-08-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101582788B (en) | Grading processing method and grading processing system for security event | |
| CN111859393B (en) | Risk assessment system and method based on situation awareness alarm | |
| CN107204876B (en) | Network security risk assessment method | |
| CN111865981B (en) | Network security vulnerability assessment system and method | |
| CN111865982B (en) | Threat assessment system and method based on situation awareness alarm | |
| CN107733834B (en) | Data leakage protection method and device | |
| CN111786950A (en) | Situation awareness-based network security monitoring method, device, equipment and medium | |
| RU2017118317A (en) | SYSTEM AND METHOD FOR AUTOMATIC CALCULATION OF CYBER RISK IN BUSINESS CRITICAL APPLICATIONS | |
| CN112003846B (en) | Credit threshold training method, IP address detection method and related device | |
| CN110348718B (en) | Service index monitoring method and device and electronic equipment | |
| CN106559803A (en) | A kind of base station construction appraisal procedure and device | |
| CN106033516B (en) | A kind of method, apparatus and system detecting terminal source code security | |
| KR20090001609A (en) | Cyber threat forecasting system and method therefor | |
| CN110493043B (en) | Distributed situation awareness calling method and device | |
| CN114615016B (en) | Enterprise network security assessment method and device, mobile terminal and storage medium | |
| CN116366374B (en) | Security assessment method, system and medium for power grid network management based on big data | |
| CN116015922B (en) | Network security situation analysis method, device and equipment of electric power Internet of things | |
| CN113206797A (en) | Flow control method and device, electronic equipment and storage medium | |
| CN112784281A (en) | Safety assessment method, device, equipment and storage medium for industrial internet | |
| CN112822153A (en) | Method and system for discovering suspicious threats based on DNS log | |
| CN117375982A (en) | Network situation safety monitoring system | |
| CN117596174A (en) | Iron tower video data cloud transmission adjustment and measurement method, system and medium | |
| CN115378711A (en) | Industrial control network intrusion detection method and system | |
| CN105825130B (en) | A kind of information security method for early warning and device | |
| Anandita et al. | Implementation of dendritic cell algorithm as an anomaly detection method for port scanning attack |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100193 Beijing city Haidian District Dongbeiwang qimingxingchenmansionproject Building No. 21 West Road No. 8 Zhongguancun Software Park Patentee after: VENUSTECH GROUP Co.,Ltd. Address before: 100193 Beijing city Haidian District Dongbeiwang qimingxingchenmansionproject Building No. 21 West Road No. 8 Zhongguancun Software Park Patentee before: BEIJING VENUSTECH Inc. |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20161110 Address after: 100193 Beijing city Haidian District Dongbeiwang qimingxingchenmansionproject Building No. 21 West Road No. 8 Zhongguancun Software Park Patentee after: BEIJING VENUSTECH CYBERVISION Co.,Ltd. Address before: 100193 Beijing city Haidian District Dongbeiwang qimingxingchenmansionproject Building No. 21 West Road No. 8 Zhongguancun Software Park Patentee before: VENUSTECH GROUP Co.,Ltd. |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20170315 Address after: 100193 Beijing City, Haidian District, northeast Wang West Road, building 21, floor -1-3, floor four, room two, room 21, 2419 Patentee after: Beijing Credit Information Technology Co.,Ltd. Address before: 100193 Beijing city Haidian District Dongbeiwang qimingxingchenmansionproject Building No. 21 West Road No. 8 Zhongguancun Software Park Patentee before: BEIJING VENUSTECH CYBERVISION Co.,Ltd. |
|
| TR01 | Transfer of patent right |