CN101599958A - Scenario-based correlation engine system and data processing method thereof - Google Patents


Info

Publication number
CN101599958A
Authority
CN
China
Prior art keywords
plugin
unit
scenario
correlation engine
event
Legal status
Pending
Application number
CNA2009100231683A
Other languages
Chinese (zh)
Inventor
朱辉
李晖
张卫东
尹钰
Current Assignee
Xidian University
Original Assignee
Xidian University

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a scenario-based correlation engine system and a data processing method for it, primarily addressing the poor extensibility and poor flexibility of existing security management centers. The system consists mainly of a plugin module and a core module. The plugin module implements the different functions of the correlation engine by configuring and installing an event format extension plugin, event collection plugins, scenario analysis plugins and response output plugins. The core module, through its management center, describes the whole attack process as an attack scenario that continually undergoes state transitions, and correlates and processes the alarm information reported by each detection sensor, achieving coordinated operation and unified management of the detection sensors. The invention has the advantages of flexible configuration, easy extension and a high detection rate, and is applicable to data processing and analysis in various security management centers and intrusion detection systems.

Description

Scenario-based correlation engine system and data processing method thereof
Technical field
The invention belongs to the field of computer security technology, and in particular relates to a scenario-based correlation engine system used to process the security data produced by network equipment including routers, switches, firewalls, intrusion detection systems and servers.
Background art
In recent years, computer networks have developed from being merely a means of communication into a widely used computing infrastructure. The Internet in particular has become critical infrastructure on which governments, enterprises, financial institutions and countless users depend.
At the same time, the security monitoring and management of computer networks has become an important problem. For a long time, people have used intrusion detection system (IDS) products to address it: an IDS monitors information on host systems or the network, querying network packets, operating system calls, audit records and application log files for the signatures of malicious behaviour, in order to discover attacks in progress.
An IDS processes its event stream in two ways, statistics-based attack detection and pattern-based attack detection. In a statistics-based detection system, historical data on system activity, processes and expected user behaviour are used to build a description of normal system operation, and the intrusion detection system then tries to find attacks that deviate from the described normal state. The advantage of such a system is that it can recognise previously unknown attacks, but this comes at the cost of a higher false-alarm rate; moreover, when a system is deployed in a dynamic and complex environment, its normal state is hard to describe. Pattern-based detection takes the opposite approach: the detection system is preloaded with a series of attack-pattern descriptions, which are matched against the relevant audit data to identify attacks. Such systems concentrate on analysing audit data and usually have a lower false-alarm rate, but they can only recognise the limited set of attacks that have been modelled.
At present, as security awareness grows, security devices are deployed ever more widely and security events become ever more numerous. Faced with managing massive volumes of security data and the high false-alarm rate of security events, there is an urgent need for centralised, unified management and monitoring of security information. The correlation engine analysis technology applied in a security management center (SOC) uses one or more correlation modes and correlation algorithms to find the security correlations, and their degree, among security events that different security devices in different zones have reported and that have been normalised into a unified format, so as to give early warning of potential threats.
Current correlation engine analysis technologies include rule correlation, statistical correlation, vulnerability correlation and behaviour correlation. Rule correlation describes the security relationships between different security events through correlation rules, but it is powerless against the new, previously undiscovered intrusion attacks that keep emerging. The key to statistical correlation is how to establish, and how to revise, a security data baseline and security thresholds: a threshold set too low causes false alarms, and one set too high causes missed alarms. In vulnerability correlation, if the target system involved in a security event has security vulnerabilities, and the service involved in the event depends on those vulnerabilities, then the behaviour involved in the event may be an attack exploiting that system vulnerability. Behaviour correlation judges whether user behaviour is abnormal by defining behaviour patterns that do not conform to a normal-behaviour rule base, but the difference between normal and abnormal is small, so false alarms and missed alarms are easily produced. The technical level of the correlation engine largely determines a security management center's ability to resist threats.
A security management center is a security management system based on event correlation. It uses a large number of distributed event collectors, which are configured with a large number of attack models used to analyse the security events gathered. At present, security vendors offer a wide range of security management products for different application domains or different operating systems, but all of them suffer, to varying degrees, from the following problems:
1. Fixed event sources, lacking extensibility;
2. Static attack detection patterns that cannot be dynamically loaded or extended;
3. Static response modes that cannot effectively satisfy the constantly changing demands of the user's network environment.
Existing network security management products are all developed for a specific application or environment; their event collectors, behaviour detection patterns and response modes all implement monitoring, control and management for existing, concrete security techniques. When a new security technique emerges, or the network environment has a non-mainstream security requirement, these new techniques can only be applied after approval by the manufacturer of the network security management product and a product upgrade, and they are difficult to configure, extend and control remotely.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art described above by providing a modular, scenario-based correlation engine system and a data processing method for it. An attack on or penetration of a computer system is regarded as the result of a series of decomposed security events stacked together, and the whole attack process is described as an attack scenario that continually undergoes state transitions. On this basis, the alarm information reported by each intrusion detection sensor, such as intrusion detection systems, firewalls, operating systems, application systems and anti-virus software, is subjected to unified correlation analysis and processing, a final judgement on the intrusion behaviour is formed, and a corresponding response is made, thereby achieving coordinated operation of the intrusion detection sensors, improving the detection performance of the system, and enhancing its flexibility and extensibility.
To achieve the above object, the scenario-based correlation engine system of the invention comprises:
a core module, used to implement the logic functions of the correlation engine description language and to perform scenario state transitions according to the security events collected by the plugin module;
a plugin module, used to load different function plugins into the core module, so that the correlation engine is extended from an application-independent core module into a correlation engine with specific functions that detects specific attacks, and so that the functions of the correlation engine are upgraded and extended by installing or upgrading the different plugins in the core module. The plugin module converts the concrete detection, identification and response processing of an attack into a unified format by means of the correlation engine description language; the core module then performs logic analysis using scenario state transitions, thereby processing the security events.
The plugin module comprises:
an event format extension plugin, used to define the names and number of the security states, security events and transition conditions that the correlation engine involves and to give them specific meanings; it connects the other kinds of plugin so that they cooperate under a uniform definition;
an event collection plugin, serving as the input of the correlation engine, used to monitor the alarm information of the protected system and of each intrusion detection sensor, gather security events from it, convert them into the unified format and send them to the scenario analysis plugin installed in the core module; the intrusion detection sensors include intrusion detection systems, firewalls, operating systems, application systems and anti-virus software;
a scenario analysis plugin, used to construct a scenario whose state changes as security events arrive. According to the function the correlation engine needs to implement, it connects independent security state, security event and transition condition elements into a scenario that simulates how the security state of the protected system changes with security events, in order to detect an attack or penetration process. This scenario analysis plugin is inserted into the core module to process the security events provided by the event collection plugin, and returns the processing result to the response output plugin;
a response output plugin, used to output the results of the correlation engine. According to the concrete function the correlation engine implements, when the current security state transitions to certain specific states it judges, based on the result of the scenario analysis plugin, that the corresponding attack or penetration behaviour has been detected, and accordingly makes a response and outputs alarm information in a unified format.
The core module comprises:
an event queue, used to store the security event data sent by the event collection plugins;
a management center, used to record the current state and, by dispatching security events and judging and triggering transition conditions, to drive transitions of the current state and give the processing result for each event;
a message queue, used to store the processing results of the management center.
When the event queue receives data it hands them to the management center, which analyses the event through the scenario analysis plugin and sends the analysis result to the message queue.
The correlation engine description language provides a set of specific syntax for describing an attack process against a computer system and converting the attack process into a scenario model based on states and transitions. It uses a group of predefined security states to represent the resource situation and security-related state of the computer system at a given moment, and describes a specific computer penetration process as a series of security events. When a security event satisfies a predefined transition condition, the system's current security state transitions. All the security states, security events and transition conditions related to the penetration process, and the relationships between them, constitute the attack scenario.
As an extension language, the correlation engine language can be applied quickly and easily in different application environments to describe various penetration and attack processes, and the system can be extended without changing the other plugins or the core module. The extension modes include:
when the existing intrusion detection sensors remain unchanged but a new correlation analysis mode is to be provided, only a scenario analysis plugin need be written;
when the existing intrusion detection sensors and correlation analysis modes remain unchanged but a new response policy is to be deployed, only a response output plugin need be written;
when a new intrusion detection sensor is added, only a matching event collection plugin need be written and the format extension plugin revised.
To achieve the above object, the scenario-based correlation engine data processing method of the invention comprises:
A. Initialisation steps
(A1) run the core module and load the event format extension plugin for it, so that the other plugins can cooperate;
(A2) load the event collection plugins into the core module and initialise the event queue, so that the core module receives the security events the event collection plugins send;
(A3) load and activate the scenario analysis plugin for the core module, define the scenario, which specifies the rules by which the various security events are processed and analysed, and bring it into effect;
(A4) load and activate the response output plugin for the core module, define the response policy and bring it into effect;
(A5) activate the event collection plugins; they start work, security events are produced in succession, and the correlation engine enters the correlation analysis stage for security events.
B. Correlation processing steps
(B1) the event collection plugins gather security events from the alarm information of the protected system and the intrusion detection sensors and submit them to the core module;
(B2) the core module dispatches the security events sent by each event collection plugin and passes them in turn to the scenario analysis plugin;
(B3) the scenario analysis plugin works under the drive of security events: when a security event and its associated information satisfy a transition condition set in the scenario, the current security state is changed to the end state of that transition; when the security state transitions to a certain position, the core is notified that an attack has been detected and the information in the scenario is sent to the core module;
(B4) the core module dispatches the notification and information sent by the scenario analysis plugin and issues them to the specific response output plugin;
(B5) the response output plugin receives the information sent by the core module and makes a response according to the response policy.
Description of the drawings
Fig. 1 is the system structure diagram of the invention;
Fig. 2 is the system structure diagram of the embodiment of the invention;
Fig. 3 is the scenario state diagram of the embodiment of the invention;
Fig. 4 is the data processing flow chart of the embodiment of the invention.
Embodiment
With reference to Fig. 1, the scenario-based correlation engine system of the invention comprises:
a core module, used to implement the logic analysis functions of the correlation engine description language. According to the input data it records the current security state, collects and dispatches security events, judges and triggers transition conditions, drives transitions of the current state and gives a processing result according to the final state reached. It is the underlying implementation basis of the correlation engine and is independent of any concrete application;
a plugin module, used to load different plugins into the core module, so that the correlation engine is extended from an application-independent core module into one with specific functions that detects specific attacks, and so that the functions of the correlation engine are upgraded and extended by installing or upgrading plugins in the core module; it provides the functions of security event definition, security data detection, security event processing and processing response. The plugin module converts the concrete detection, identification and response processing of an attack into a unified format by means of the correlation engine description language, formats the information data and hands them to the core module for processing; the core module performs logic analysis using scenario state transitions, processes the security events, and feeds the processing result back to the plugin module.
The plugin module comprises four classes of plugin: the event format extension plugin, the event collection plugins, the scenario analysis plugin and the response output plugin. The event format extension plugin is the basis for the cooperation of all plugins: it connects the other plugins and defines the names and number of elements such as the security states, security events and transition conditions involved in the core module, giving each a specific meaning. The event collection plugins provide the input of the correlation engine system: they monitor the protected system and receive the alarm information sent by each intrusion detection sensor, gather security events from it, convert them into the unified format by means of the correlation engine description language, and send them to the event queue in the core module. The scenario analysis plugin, according to the concrete function the correlation engine implements, connects independent elements such as security states, security events and transition conditions into an attack scenario that simulates how the security state of the protected system changes as security events occur; the security events input from the event queue then drive the scenario state so as to detect a specific attack or penetration process. The response output plugin provides the output of the correlation engine: according to the concrete function the correlation engine implements, when the current security state transitions to certain specific states it judges that the corresponding attack or penetration behaviour has been detected, makes a response according to the processing information sent by the management center, and outputs alarm information in a unified format.
The core module comprises the event queue, the management center and the message queue. The event queue stores the security event data sent by the event collection plugins and hands them to the management center. The management center uses the security events input from the event queue to drive the installed scenario analysis plugin and, according to the final state reached, detects a specific attack or penetration process, gives the final processing result for the event and sends it to the message queue. When the message queue receives the result, it stores it and sends it to the event response module.
The correlation engine description language is a set of application-independent specific syntax used to describe attacks on a computer system and to convert the attack process into a scenario model based on states and transitions. The language represents the resource situation and security-related state of the computer system at a given moment with a group of predefined security states, and describes a specific computer penetration process as a series of sequential attacks. All the security states, security events and transition conditions related to the penetration process, and the relationships between them, constitute the attack scenario, and when a security event satisfies a predefined transition condition the system's current security state transitions. As an extension language it can be applied quickly and easily in different application environments to describe various penetration and attack processes, and the system can be extended without changing the other plugins or the core module. The extension modes include: when the existing intrusion detection sensors remain unchanged but a new correlation analysis mode is to be provided, only a scenario analysis plugin need be written; when the existing intrusion detection sensors and correlation analysis modes remain unchanged but a new response policy is to be deployed, only a response output plugin need be written; when a new intrusion detection sensor is added, only a matching event collection plugin need be written and the format extension plugin revised.
The data processing method of the scenario-based correlation engine system is explained in detail below, taking the detection of and response to an SSH password guessing attack as an example.
The commonly used way to detect SSH password guessing attacks is to monitor the system's logs of SSH login failures and set a threshold; once the number of login failures from a certain IP exceeds the threshold, an SSH password guessing attack is declared. This approach finds it hard to balance the false-alarm rate against the missed-alarm rate. The processing method of the invention instead analyses the behavioural characteristics of SSH attacks and correlates the alarm information of a network-based intrusion detection sensor that detects network scans with that of a host-based intrusion detection sensor that detects login failures, so that SSH password guessing attacks can be identified accurately.
With reference to Fig. 2, the correlation engine system of the embodiment for detecting SSH password guessing attacks, set up according to the invention, is configured as follows:
A. A computer C running an SSH service is located in computer network N. An intrusion detection sensor S1 for monitoring the computer's system logs is installed on this computer, and an intrusion detection sensor S2 for detecting network scans is installed in the network;
B. Based on analysis of the behavioural characteristics of SSH attacks, the format of the correlation engine's internal stored information is set in the format extension plugin E, together with three security states, "safe", "sensitive" and "under attack", and three transition conditions, "scan found", "authentication failure" and "timeout". The "safe" state means the system is secure, "sensitive" means the system may be under attack, and "under attack" means the system is being attacked; "scan found" means computer network N has been scanned, "authentication failure" means an authentication failure when logging in to computer C, and "timeout" means that no new event has occurred within the set time.
C. In the correlation engine, according to the format defined by the format extension plugin E, event collection plugins P1 and P2 matching intrusion detection sensors S1 and S2 are generated; they receive the information sent by S1 and S2 respectively, format it and generate the corresponding security events;
D. In the correlation engine, a scenario analysis plugin based on the format extension plugin E is configured, and a scenario for detecting SSH password guessing attacks is generated as shown in Fig. 3. The scenario consists of the three security states "safe", "sensitive" and "under attack" and the three transition conditions "scan found", "authentication failure" and "timeout". The system is initially in the "safe" state; when the transition condition "scan found" is triggered, the system state transitions to "sensitive". In the "sensitive" state, when the transition condition "timeout" is triggered the system state transitions to "safe", and when the transition condition "authentication failure" is triggered the system state transitions to "under attack";
E. In the correlation engine, a response output plugin based on the format extension plugin E is configured which, when the security state of the scenario analysis plugin is "under attack", alerts the administrator and takes control action on computer C.
With reference to Fig. 4, the data processing method of the embodiment set up according to the invention comprises:
1. Set the initial security state of the scenario analysis plugin S to "safe", meaning the system is not currently under attack;
2. When intrusion detection sensor S1 detects an SSH login failure log entry on computer C, it sends alarm information, together with the address of the remote host that initiated the login request, to P1; when intrusion detection sensor S2 detects a network scan attack, it sends alarm information, together with the address of the remote host that initiated the scan, to P2;
3. When P1 receives the alarm information sent by S1 it generates an "authentication failure" security event, and when P2 receives the alarm information sent by S2 it generates a "scan found" security event; in each case the address A of the remote host that initiated the request is extracted and the event is sent to the scenario analysis plugin S;
4. When the scenario analysis plugin receives the "scan found" security event for remote address A sent by P2, it transitions the current security state from "safe" to "sensitive" and starts a timer;
5. If no "authentication failure" security event for the same remote address A is received from P1 before the timer expires, the current security state is transferred back to "safe". If such an event is received from P1 before the timer expires, the current security state is transitioned from "sensitive" to "under attack"; at this point an SSH password guessing attack launched from address A is judged to have been found, and the analysis result is sent to the response output plugin;
6. When the SSH password guessing attack is found, the response output plugin sends alarm information to the administrator and cuts off communication between computer C and the attacker's address A.
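The scenario of steps 1 to 6 above, wired into the plugin/core split described in the summary (a format extension plugin defining state and transition names, event collection plugins normalising sensor alarms, a scenario analysis plugin driving state transitions, and a response output plugin fed through an event queue and a message queue), as an added illustrative implementation in Python. It is not code from the patent or from Xidian University. The sshd-style and "SCAN src=..." alarm lines, the IP addresses, the 300-second timeout window and the action strings are constructed assumptions; keeping one state-machine instance per remote address and emulating the timer by comparing event timestamps are design choices of this example.

```python
"""Added example: scenario-based correlation of scan and login-failure alarms
to detect SSH password guessing, following the states/transitions of Fig. 3.
Log formats, addresses and the timeout window are constructed assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Event format extension plugin E: names of security states and transition conditions.
SAFE, SENSITIVE, UNDER_ATTACK = "safe", "sensitive", "under_attack"
SCAN_FOUND, AUTH_FAILURE, TIMEOUT = "scan_found", "auth_failure", "timeout"

# Scenario of Fig. 3 as a table: (current state, transition condition) -> next state.
SSH_GUESSING_SCENARIO = {
    (SAFE, SCAN_FOUND): SENSITIVE,
    (SENSITIVE, TIMEOUT): SAFE,
    (SENSITIVE, AUTH_FAILURE): UNDER_ATTACK,
}


@dataclass(frozen=True)
class SecurityEvent:
    """Unified event format shared by all plugins."""
    condition: str  # SCAN_FOUND or AUTH_FAILURE
    source: str     # remote address A the event is attributed to
    time: float     # seconds; used to emulate the scenario timer


def collect_p1(line: str, time: float) -> Optional[SecurityEvent]:
    """P1: normalise a constructed sshd-style login-failure line from host sensor S1."""
    if "Failed password" in line and " from " in line:
        addr = line.split(" from ", 1)[1].split()[0]
        return SecurityEvent(AUTH_FAILURE, addr, time)
    return None


def collect_p2(line: str, time: float) -> Optional[SecurityEvent]:
    """P2: normalise a constructed 'SCAN src=... dst=...' alert from network sensor S2."""
    if line.startswith("SCAN "):
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        return SecurityEvent(SCAN_FOUND, fields["src"], time)
    return None


class ScenarioPlugin:
    """Scenario analysis plugin S: one state machine instance per remote address."""

    def __init__(self, scenario: Dict[Tuple[str, str], str], timeout: float):
        self.scenario = scenario
        self.timeout = timeout
        self.states: Dict[str, Tuple[str, float]] = {}  # addr -> (state, entered_at)

    def handle(self, ev: SecurityEvent) -> Optional[dict]:
        state, since = self.states.get(ev.source, (SAFE, ev.time))
        # Timer emulation: an address that sat in SENSITIVE longer than the window
        # takes the TIMEOUT transition before the new event is considered.
        if state == SENSITIVE and ev.time - since > self.timeout:
            state, since = self.scenario[(SENSITIVE, TIMEOUT)], ev.time
        nxt = self.scenario.get((state, ev.condition))
        if nxt is None:  # no transition defined for this state: event is ignored
            self.states[ev.source] = (state, since)
            return None
        self.states[ev.source] = (nxt, ev.time)
        if nxt == UNDER_ATTACK:  # specific state reached: notify the core
            return {"attack": "ssh_password_guessing", "source": ev.source, "time": ev.time}
        return None


def respond(msg: dict) -> List[str]:
    """Response output plugin: alert the administrator and isolate C from address A."""
    return [f"ALERT admin: SSH password guessing from {msg['source']} at t={msg['time']:.0f}s",
            f"BLOCK traffic between C and {msg['source']}"]


class CoreModule:
    """Core module: event queue -> management center -> message queue -> responders."""

    def __init__(self, scenario_plugin: ScenarioPlugin, responders):
        self.event_queue, self.message_queue = deque(), deque()
        self.scenario_plugin, self.responders = scenario_plugin, responders

    def submit(self, ev: SecurityEvent) -> None:
        self.event_queue.append(ev)

    def process(self) -> List[str]:
        actions: List[str] = []
        while self.event_queue:  # management center drives the scenario plugin
            msg = self.scenario_plugin.handle(self.event_queue.popleft())
            if msg:
                self.message_queue.append(msg)
        while self.message_queue:  # results are handed to the response plugins
            msg = self.message_queue.popleft()
            for responder in self.responders:
                actions.extend(responder(msg))
        return actions


# Constructed sensor feed: (time in seconds, sensor, raw alarm line).
SAMPLE_FEED = [
    (0, "S2", "SCAN src=203.0.113.7 dst=192.0.2.10 type=syn"),
    (0, "S2", "SCAN src=203.0.113.42 dst=192.0.2.10 type=syn"),
    (30, "S1", "sshd[1234]: Failed password for root from 203.0.113.7 port 51022 ssh2"),
    (35, "S1", "sshd[1234]: Failed password for admin from 198.51.100.9 port 40110 ssh2"),
    (400, "S1", "sshd[1234]: Failed password for root from 203.0.113.42 port 51100 ssh2"),
]


def run_demo(feed=SAMPLE_FEED, timeout: float = 300.0):
    """Wire the plugins into the core, process the feed; returns (actions, per-address states)."""
    collectors = {"S1": collect_p1, "S2": collect_p2}
    plugin = ScenarioPlugin(SSH_GUESSING_SCENARIO, timeout)
    core = CoreModule(plugin, [respond])
    for t, sensor, line in feed:
        ev = collectors[sensor](line, float(t))
        if ev:
            core.submit(ev)
    return core.process(), plugin.states


if __name__ == "__main__":
    for action in run_demo()[0]:
        print(action)
```

On the constructed feed only 203.0.113.7 reaches "under attack": it scanned and then failed authentication inside the window. The lone login failure from 198.51.100.9 never leaves "safe" because no "scan found" preceded it, and 203.0.113.42 times out back to "safe" before its late login failure, so a threshold-only detector would have had to choose between flagging both or neither of those.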

Claims (7)

1. A scenario-based correlation engine system, comprising:
a core module, used to implement the logic functions of the correlation engine description language and to perform scenario state transitions according to the security events collected by the plugin module;
a plugin module, used to load different function plugins into the core module, so that the correlation engine is extended from an application-independent core module into a correlation engine with specific functions that detects specific attacks, and so that the functions of the correlation engine are upgraded and extended by installing or upgrading the different plugins in the core module;
wherein the plugin module converts the concrete detection, identification and response processing of an attack into a unified format by means of the correlation engine description language, and the core module then performs logic analysis using scenario state transitions, thereby processing the security events.
2. The correlation engine system according to claim 1, wherein the plugin module comprises:
an event format extension plugin, used to define the names and number of the security states, security events and transition conditions that the correlation engine involves and to give them specific meanings; it connects the other kinds of plugin so that they cooperate under a uniform definition;
an event collection plugin, serving as the input of the correlation engine, used to monitor the alarm information of the protected system and of each intrusion detection sensor, gather security events from it, convert them into the unified format and send them to the scenario analysis plugin installed in the core module;
a scenario analysis plugin, used to construct a scenario whose state changes as security events arrive. According to the function the correlation engine needs to implement, it connects independent security state, security event and transition condition elements into a scenario that simulates how the security state of the protected system changes with security events, in order to detect an attack or penetration process. This scenario analysis plugin is inserted into the core module to process the security events provided by the event collection plugin, and returns the processing result to the response output plugin;
a response output plugin, used to output the results of the correlation engine. According to the concrete function the correlation engine implements, when the current security state transitions to certain specific states it judges, based on the result of the scenario analysis plugin, that the corresponding attack or penetration behaviour has been detected, and accordingly makes a response and outputs alarm information in a unified format.
3. The correlation engine system according to claim 1, wherein the core module comprises:
an event queue, used to store the security event data sent by the event collection plugins;
a management center, used to record the current state and, by dispatching security events and judging and triggering transition conditions, to drive transitions of the current state and give the processing result for each event;
a message queue, used to store the processing results of the management center;
wherein, when the event queue receives data it hands them to the management center, which analyses the event through the scenario analysis plugin and sends the analysis result to the message queue.
4. The correlation engine system according to claim 1, wherein said correlation engine description language provides a specific syntax for describing attack processes against a computer system and converts an attack process into a scenario model based on states and transitions. It uses a set of predefined security states to represent the resource status and security-related state of the computer system at a given moment, and describes a specific penetration process against the computer as a series of security events; when a security event satisfies a predefined transition condition, the current security state of the system transitions. All security states, security events and transition conditions related to this penetration process, together with the relations between them, constitute an attack scenario.
5. The correlation engine system according to claim 2, wherein said intrusion detection sensors comprise intrusion detection systems, firewalls, operating systems, application systems and antivirus software.
6. The correlation engine system according to claim 4, wherein said correlation engine language, as an extensible language, can be applied quickly and easily in different application environments to describe various penetration and attack processes, and the system can be extended without changing the other plugins or the core module. The extension modes comprise:
When the existing intrusion detection sensors remain unchanged but a new correlation analysis mode is to be provided, only a new scenario analysis plugin needs to be written;
When the existing intrusion detection sensors and correlation analysis modes remain unchanged but a new response policy is to be deployed, only a new response output plugin needs to be written;
When a new intrusion detection sensor is added, only an event collection plugin matching that sensor needs to be written, together with a corresponding modification of the event format extension plugin.
7. A scenario-based correlation engine data processing method, comprising:
A. Initialization steps
(A1) Run the core module and load the event format extension plugin for it, so that the other plugins can cooperate;
(A2) Load the event collection plugin for the core module and initialize the event queue, so that the core module can receive the security events sent by the event collection plugin;
(A3) Load and activate the scenario analysis plugin for the core module, define the scenario that specifies the rules by which the various security events are processed and analyzed, and bring it into effect;
(A4) Load and activate the response output plugin for the core module, define the response policy, and bring it into effect;
(A5) Activate the event collection plugin; the event collection plugin starts working, security events are produced one after another, and the correlation engine enters the correlation analysis stage for those security events.
B. Correlation processing steps
(B1) The event collection plugin collects security events from the alert information of the protected system and of the intrusion detection sensors, and submits them to the core module;
(B2) The core module schedules the security events sent by each event collection plugin and passes them in turn to the scenario analysis plugin;
(B3) The scenario analysis plugin works under the drive of the security events. When a security event and its associated information satisfy a transition condition set in the scenario, the current security state is transformed into the target state of that transition condition; when the security state transitions to a designated state, the core module is notified that an attack has been detected and the information held in the scenario is sent to the core module;
(B4) The core module schedules the notification and information sent by the scenario analysis plugin and issues them to the specific response output plugin;
(B5) The response output plugin receives the information sent by the core module and responds according to the response policy.
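The following is an added example written for this page, not code from the patent or from Xidian University, showing how the plugin architecture of claims 2 to 4 and the initialization and correlation steps of claim 7 fit together: an event format vocabulary, an event collection plugin that normalises raw alerts, a scenario analysis plugin expressed as a state/transition machine, a core module with an event queue and a result queue, and a response output plugin. The three-state scan / brute-force / login scenario, the pipe-separated alert format, the sample alert lines and every name used (Event, ScenarioInstance, CorrelationEngine, collect_event, brute_force_scenario, alert_response) are assumptions of this example and do not appear in the patent. Because each plugin is a separate function, the extension modes of claim 6 follow: a new sensor needs only a new collector and an extended EVENT_TYPES, a new analysis mode only a new scenario factory, and a new response policy only a new responder.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Event format extension plugin: the shared vocabulary (assumed names) that the collection,
# scenario and response plugins are all written against. States are plain strings.
EVENT_TYPES = ("port_scan", "auth_failure", "auth_success")
Event = NamedTuple("Event", [("sensor", str), ("type", str), ("src", str), ("dst", str)])
# A transition: (source state, event type, condition(instance, event) -> bool, target state)
Transition = Tuple[str, str, Callable[["ScenarioInstance", Event], bool], str]

@dataclass
class ScenarioInstance:
    """State machine tracking one attacker/target pair through an attack scenario."""
    name: str
    transitions: List[Transition]
    terminal: str
    state: str = "INIT"
    counters: Dict[str, int] = field(default_factory=dict)

    def feed(self, ev: Event) -> bool:
        """Apply one event; True if it drove the scenario into its terminal state."""
        self.counters[ev.type] = self.counters.get(ev.type, 0) + 1
        for src_state, event_type, condition, dst_state in self.transitions:
            if src_state == self.state and event_type == ev.type and condition(self, ev):
                self.state = dst_state
                break
        return self.state == self.terminal

def collect_event(raw: str) -> Optional[Event]:
    """Event collection plugin: normalise a 'sensor|type|src|dst' alert line (constructed format)."""
    parts = raw.strip().split("|")
    if len(parts) != 4 or parts[1] not in EVENT_TYPES:
        return None  # malformed, or a type the event format plugin does not define
    return Event(*parts)

def brute_force_scenario() -> ScenarioInstance:
    """Scenario analysis plugin: port scan, then >=3 failed logins, then a successful login."""
    return ScenarioInstance(
        name="scan_then_bruteforce_login",
        transitions=[
            ("INIT", "port_scan", lambda s, e: True, "SCANNED"),
            ("SCANNED", "auth_failure", lambda s, e: s.counters["auth_failure"] >= 3, "BRUTE_FORCED"),
            ("BRUTE_FORCED", "auth_success", lambda s, e: True, "COMPROMISED"),
        ],
        terminal="COMPROMISED",
    )

def alert_response(result: dict) -> str:
    """Response output plugin: render one unified-format alert line."""
    return f"ALERT {result['scenario']}: {result['src']} -> {result['dst']} reached {result['state']}"

class CorrelationEngine:
    """Core module: event queue -> management center -> scenario plugins -> result queue -> responders."""
    def __init__(self, scenario_factories, responders):
        self.event_queue: deque = deque()
        self.result_queue: deque = deque()
        self.factories, self.responders = scenario_factories, responders
        self.instances: Dict[Tuple[str, str, str], ScenarioInstance] = {}

    def submit(self, raw: str) -> None:
        ev = collect_event(raw)
        if ev is not None:
            self.event_queue.append(ev)

    def run(self) -> List[str]:
        """Management center: feed queued events to scenario instances, queue completed
        scenarios as results, and hand every result to every responder."""
        responses: List[str] = []
        while self.event_queue:
            ev = self.event_queue.popleft()
            for factory in self.factories:
                key = (factory.__name__, ev.src, ev.dst)  # one instance per scenario and src/dst pair
                inst = self.instances.get(key)
                if inst is None:
                    inst = self.instances[key] = factory()
                if inst.feed(ev):
                    self.result_queue.append({"scenario": inst.name, "src": ev.src, "dst": ev.dst, "state": inst.state})
                    del self.instances[key]  # scenario completed; track this pair afresh
            while self.result_queue:
                result = self.result_queue.popleft()
                responses.extend(r(result) for r in self.responders)
        return responses

SAMPLE_ALERTS = [  # constructed sample alert lines, not real sensor output
    "ids|port_scan|10.0.0.5|10.0.0.10",
    "os|auth_failure|10.0.0.5|10.0.0.10",
    "os|auth_failure|10.0.0.5|10.0.0.10",
    "os|auth_failure|10.0.0.5|10.0.0.10",
    "os|auth_success|10.0.0.5|10.0.0.10",
    "os|auth_success|10.0.0.7|10.0.0.10",   # ordinary login with no prior scan: no alert
    "av|malware_found|10.0.0.9|10.0.0.10",  # type unknown to the event format plugin: dropped
]

def run_sample() -> List[str]:
    engine = CorrelationEngine([brute_force_scenario], [alert_response])
    for line in SAMPLE_ALERTS:
        engine.submit(line)
    return engine.run()
```

Running run_sample() yields a single alert for the 10.0.0.5 to 10.0.0.10 pair: the isolated successful login from 10.0.0.7 never leaves INIT because the scenario requires the scan first, and the antivirus line is discarded at collection time because its type is outside the agreed event format. Keying scenario instances by (scenario, src, dst) is the design choice that lets one scenario definition track many concurrent attackers without their events interfering; a production engine would also expire idle instances so that an attacker cannot keep partial state alive indefinitely.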

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2009100231683A CN101599958A (en) 2009-07-02 2009-07-02 Correlation engine system and data processing method thereof based on scene

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2009100231683A CN101599958A (en) 2009-07-02 2009-07-02 Correlation engine system and data processing method thereof based on scene

Publications (1)

Publication Number Publication Date
CN101599958A true CN101599958A (en) 2009-12-09

Family

ID=41421205

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2009100231683A Pending CN101599958A (en) 2009-07-02 2009-07-02 Correlation engine system and data processing method thereof based on scene

Country Status (1)

Country Link
CN (1) CN101599958A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102377780A (en) * 2011-10-18 2012-03-14 中国科学院计算技术研究所 Network security collaborative linkage system and method
CN103166773A (en) * 2011-12-09 2013-06-19 国家电网公司 Method and system for monitoring operation state of server
CN102546638B (en) * 2012-01-12 2014-07-09 冶金自动化研究设计院 Scene-based hybrid invasion detection method and system
CN102546638A (en) * 2012-01-12 2012-07-04 冶金自动化研究设计院 Scene-based hybrid invasion detection method and system
CN103746961B (en) * 2013-12-12 2017-03-15 中国人民解放军63928部队 A kind of causal knowledge method for digging of cyber attack scenarios, device and server
CN103746961A (en) * 2013-12-12 2014-04-23 中国人民解放军63928部队 Method, apparatus and server for mining causal knowledge of network attack scenario
CN106062765A (en) * 2014-02-26 2016-10-26 三菱电机株式会社 Attack detection device, attack detection method, and attack detection program
CN106888256A (en) * 2017-02-21 2017-06-23 广州神马移动信息科技有限公司 Distributed monitoring system and its monitoring and dispatching method and device
CN106888256B (en) * 2017-02-21 2021-06-04 阿里巴巴(中国)有限公司 Distributed monitoring system and monitoring and scheduling method and device thereof
CN106686014A (en) * 2017-03-14 2017-05-17 北京深思数盾科技股份有限公司 Prevention method and prevention device of cyber attacks
CN111813843A (en) * 2019-04-12 2020-10-23 阿里巴巴集团控股有限公司 Data processing method, device and platform
CN111813843B (en) * 2019-04-12 2024-06-11 阿里巴巴集团控股有限公司 Data processing method, device and platform
CN117609990A (en) * 2023-09-18 2024-02-27 中国电子科技集团公司第十五研究所 Self-adaptive safety protection method and device based on scene association analysis engine
CN117609990B (en) * 2023-09-18 2024-05-10 中国电子科技集团公司第十五研究所 Self-adaptive safety protection method and device based on scene association analysis engine

Similar Documents

Publication Publication Date Title
CN101599958A (en) Correlation engine system and data processing method thereof based on scene
CN103944915B (en) A kind of industrial control system threat detection defence installation, system and method
CN101309180B (en) Security network invasion detection system suitable for virtual machine environment
EP2080317B1 (en) Apparatus and a security node for use in determining security attacks
CN101176331B (en) Computer network intrusion detection system and method
CN103718170A (en) Systems and methods for distributed rule-based correlation of events
CN102546638A (en) Scene-based hybrid invasion detection method and system
CN102195991A (en) Terminal security management and authentication method and system
CN106411562A (en) Electric power information network safety linkage defense method and system
CN103391216A (en) Alarm and blocking method for illegal external connections
EP2517437A1 (en) Intrusion detection in communication networks
CN102123149A (en) Service-oriented large-scale network security situational assessment device and method
CN103726742A (en) Vertical type fingerprint confidential cabinet and control system thereof
CN102684944A (en) Method and device for detecting intrusion
CN113098906B (en) Application method of micro honeypots in modern families
CN106537872A (en) Method for detecting an attack in a communication network
CN102257787A (en) Network analysis
CN104484915A (en) Intelligent door lock grading defence organizing method and grading defence organizing system thereof
CN100450012C (en) Invasion detecting system and method based on mobile agency
Qu et al. A network security situation evaluation method based on DS evidence theory
CN110162978A (en) A kind of terminal security risk assessment management method, apparatus and system
Frattini et al. Facing cyber-physical security threats by PSIM-SIEM integration
CN103530965B (en) Supermarket remote shelf monitor burglary-resisting system and method for work thereof
CN106878338B (en) Telecontrol equipment gateway firewall integrated machine system
EP2911362B1 (en) Method and system for detecting intrusion in networks and systems based on business-process specification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20091209