Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative effort fall within the scope of protection of the present invention.
The technical solutions of the embodiments of the present invention are described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of a first embodiment of the security event detection method of the present invention. As shown in Fig. 1, the embodiment of the present invention provides a security event detection method, comprising:
Step 101: obtaining the probability of occurrence of a current event;
Step 102: when the probability of occurrence of the current event is less than a predetermined threshold, performing rule matching on the current event according to a correlation rule base;
Step 103: judging whether the matching succeeds; if so, executing step 104, otherwise executing step 105;
Step 104: determining that the current event is a known security event;
Step 105: determining that the current event is an unknown security event.
In the embodiment of the present invention, when detecting whether a current event is a security event, the probability of occurrence of the current event is first obtained and security event screening is performed according to that probability. When the probability is less than the predetermined threshold, that is, when the current event is a low-probability event, rule matching is performed on the current event according to the established correlation rule base. If the matching succeeds, the current event is determined to be a known security event; otherwise, the current event is determined to be an unknown security event. A known security event can subsequently be responded to according to the attributes of that known security event, and further operations can be performed on an unknown security event. The sensitivity of security event screening can be changed by adjusting the size of the predetermined threshold, which in turn affects the false positive rate and the false negative rate of the whole security event detection method. Security events in the present embodiment include events such as abnormal traffic or malicious attacks.
The security event detection method provided by the embodiment of the present invention can be deployed in any controlled network area, such as a metropolitan area network gateway, a boundary position, a wide area network edge, an intranet, and so on. Fig. 2 is a schematic diagram of the network positions at which the first embodiment of the security event detection method of the present invention may be deployed. In the network area shown in Fig. 2, the positions at which the security event detection method can be deployed include: a security gateway, a firewall, a secure router, a border intrusion detection device, a security event detector, and so on.
By providing a security event detection method that performs rule matching only on events whose probability is less than the predetermined threshold, the embodiment of the present invention reduces the amount of computation, thereby guaranteeing the real-time performance of security event detection and improving detection efficiency.
Fig. 3 is a flow chart of a second embodiment of the security event detection method of the present invention. As shown in Fig. 3, on the basis of the first method embodiment above, step 101 may comprise:
Step 301: quantizing the current event according to the attributes of the current event to obtain a quantized value of the current event;
Step 302: obtaining the probability of occurrence of the current event from the quantized value of the current event by using the Prediction by Partial Matching (hereinafter referred to as PPM) algorithm.
In the embodiment of the present invention, the current event is first quantized according to its attributes, such as the IP address, log file or error code of the current event; that is, by means of sampling and quantization, the current event is converted into an integer (standard quantized data) within a certain range, such as an integer between 0 and 255. The following formula may be used for quantization:
<quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...).
Then, according to the quantized value obtained in step 301, the PPM algorithm is used to obtain the probability of occurrence of the current event. Table 1 is a dynamic prediction table of occurrence probabilities, giving the prediction results.
Table 1
Event | Predicted value
0     | Integer value 1
1     | Integer value 2
2     | Integer value 3
...   | ...
Here, integer value 1 represents the historical statistical count of occurrences of event 0, integer value 2 represents the historical statistical count of occurrences of event 1, and so on. After the current event occurs, the predicted value corresponding to the current event in the table is taken as the numerator and the sum of all integer values in the table as the denominator; the resulting quotient is the probability of occurrence of the current event.
On the basis of the above technical solution, step 102 may comprise:
Step 303: when the probability of occurrence of the current event is less than the predetermined threshold, obtaining a classification matching rule from the correlation rule base, the classification matching rule comprising a matching rule descriptor, the security event category into which the event is to be classified, an event description and a response mode;
Step 304: performing rule matching on the current event according to the classification matching rule.
When the probability of occurrence of the current event is less than the predetermined threshold, the current event is matched one by one against the classification matching rules in the correlation rule base; this matching process may also be a distributed parallel process. If the matching succeeds, the current event is determined to be a known security event and is assigned to the relevant category; otherwise, the current event is determined to be an unknown security event.
Further, on the basis of the above technical solution, the following may be included after step 105:
Step 305: classifying the unknown security events by a clustering method according to the attributes of the unknown security events;
Step 306: determining the category of the unknown security events after the classification.
Several events determined to be unknown security events are classified by a clustering method according to their attributes. The attributes of each class of unknown security events obtained by the classification are analysed to determine the category of each class; the category determined here may be a category of known security events or a new security event category.
Further, the following may be included after step 306 above:
Step 307: generating a new classification matching rule according to the category of the unknown security events after the classification;
Step 308: adding the new classification matching rule to the correlation rule base.
When the determined category is a new security event category, a new classification matching rule is generated according to the category of the unknown security events, and the new classification matching rule is added to the correlation rule base for the security detection of subsequent events.
By providing a security event detection method, the embodiment of the present invention obtains the probability of occurrence of an event using the PPM algorithm, performs rule matching only on events whose probability is less than the predetermined threshold, and can detect unknown security events without relying on a predefined correlation rule base; this reduces the amount of computation, thereby guaranteeing the real-time performance of security event detection and improving detection efficiency.
Fig. 4 is a flow chart of a specific embodiment of the security event detection method of the present invention. As shown in Fig. 4, the embodiment of the present invention provides a specific security event detection method, comprising:
Step 401: reading the attribute values of the current event;
Step 402: quantizing the current event according to the formula <quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...);
Step 403: obtaining the probability R of occurrence of event N1 according to the formula R = <predicted value of event N1> / <sum of the predicted values of all events>;
Step 404: incrementing the predicted value of event N1, i.e. <predicted value of event N1> = <predicted value of event N1> + 1;
Step 405: judging whether the probability R is greater than the predetermined threshold; if so, executing step 406, otherwise executing step 407;
Step 406: determining that the event is a common event, then executing step 401;
Step 407: determining that the event is a security event;
Step 408: reading the quantized value of the security event;
Step 409: restoring the attributes of the security event;
Step 410: obtaining one classification matching rule from the correlation rule base;
Step 411: performing rule matching on the current event according to this classification matching rule; if the matching succeeds, executing step 412, otherwise executing step 413;
Step 412: determining that the current event is a known security event and outputting the current event to the corresponding response processing unit;
Step 413: judging whether all classification matching rules have been obtained from the correlation rule base; if so, executing step 414, otherwise executing step 410;
Step 414: determining that the current event is an unknown security event, raising an alarm for the current event, and performing subsequent operations such as clustering.
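The following is an added example, not code from the patent, that runs the Table 1 probability estimate (steps 301 and 302) and the Fig. 4 flow (steps 401 to 414) end to end. It keeps Table 1 as a frequency table indexed by quantized value, which is the order-0 form of the PPM prediction the text describes, and it assumes a constructed quantization function over two attributes (source IP and error code) and a constructed rule base; both are placeholders for whatever a deployment would define.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Rule:
    """Classification matching rule: descriptor (attribute conditions),
    security event category, event description and response mode."""
    conditions: Dict[str, str]
    category: str
    description: str
    response: str


def quantize(attrs: Dict[str, str]) -> int:
    """Step 402: map event attributes to an integer in 0..255.
    Constructed quantization function (assumption, not from the patent):
    4 bits from the last octet of the source IP, 4 bits from the error-code class."""
    ip_bucket = int(attrs["src_ip"].split(".")[-1]) % 16
    code_class = min(int(attrs["error_code"]) // 100, 15)
    return ip_bucket * 16 + code_class


class Detector:
    """Fig. 4 flow with Table 1 kept as a frequency table per quantized value."""

    def __init__(self, rules, threshold: float):
        self.rules = list(rules)
        self.threshold = threshold          # adjusting it changes screening sensitivity
        self.counts: Dict[int, int] = {}    # Table 1: event N -> predicted value

    def probability(self, n1: int) -> float:
        """Step 403: R = <predicted value of N1> / <sum of all predicted values>.
        An empty table yields R = 0, so the first events are always screened in."""
        total = sum(self.counts.values())
        return self.counts.get(n1, 0) / total if total else 0.0

    def match(self, attrs: Dict[str, str]) -> Optional[Rule]:
        """Steps 410 to 413: try each rule of the correlation rule base in turn."""
        for rule in self.rules:
            if all(attrs.get(k) == v for k, v in rule.conditions.items()):
                return rule
        return None

    def detect(self, attrs: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Returns ('common', None), ('known', category) or ('unknown', None)."""
        n1 = quantize(attrs)                             # step 402
        r = self.probability(n1)                         # step 403
        self.counts[n1] = self.counts.get(n1, 0) + 1     # step 404
        if r > self.threshold:                           # steps 405 and 406
            return ("common", None)
        rule = self.match(attrs)                         # steps 407 to 411
        if rule is not None:
            return ("known", rule.category)              # step 412
        return ("unknown", None)                         # step 414
```

Because the table starts empty, every event is screened in until the table has warmed up; a deployment would either pre-load historical counts or ignore verdicts during a warm-up window.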
By providing a security event detection method that performs rule matching only on events whose probability is less than the predetermined threshold, the embodiment of the present invention reduces the amount of computation, thereby guaranteeing the real-time performance of security event detection and improving detection efficiency.
Fig. 5 is a schematic structural diagram of a first embodiment of the security event detection apparatus of the present invention. As shown in Fig. 5, the embodiment of the present invention provides a security event detection apparatus, comprising: an acquisition module 51 and a matching module 52. The acquisition module 51 is configured to obtain the probability of occurrence of a current event; the matching module 52 is configured to perform rule matching on the current event according to a correlation rule base when the probability of occurrence obtained by the acquisition module 51 is less than a predetermined threshold, and, if the matching succeeds, to determine that the current event is a known security event, otherwise to determine that the current event is an unknown security event.
In the embodiment of the present invention, when detecting whether a current event is a security event, the acquisition module 51 first obtains the probability of occurrence of the current event, and security event screening is performed according to that probability. When the probability is less than the predetermined threshold, that is, when the current event is a low-probability event, the matching module 52 performs rule matching on the current event according to the established correlation rule base. If the matching succeeds, the current event is determined to be a known security event; otherwise, the current event is determined to be an unknown security event. A known security event can subsequently be responded to according to the attributes of that known security event, and further operations can be performed on an unknown security event. The sensitivity of security event screening can be changed by adjusting the size of the predetermined threshold, which in turn affects the false positive rate and the false negative rate of the whole security event detection method. Security events in the present embodiment include events such as abnormal traffic or malicious attacks.
By providing a security event detection apparatus in which the matching module 52 performs rule matching only on events whose probability is less than the predetermined threshold, the embodiment of the present invention reduces the amount of computation, thereby guaranteeing the real-time performance of security event detection and improving detection efficiency.
Fig. 6 is a schematic structural diagram of a second embodiment of the security event detection apparatus of the present invention. As shown in Fig. 6, on the basis of the first apparatus embodiment above, the acquisition module 51 may comprise: a quantizing unit 61 and a first acquiring unit 62. The quantizing unit 61 is configured to quantize the current event according to the attributes of the current event to obtain a quantized value of the current event; the first acquiring unit 62 is configured to obtain the probability of occurrence of the current event from the quantized value obtained by the quantizing unit 61 by using the Prediction by Partial Matching algorithm.
In the embodiment of the present invention, the quantizing unit 61 first quantizes the current event according to its attributes, such as the IP address, log file or error code of the current event; that is, by means of sampling and quantization, the current event is converted into an integer (standard quantized data) within a certain range, such as an integer between 0 and 255. The following formula may be used for quantization:
<quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...).
Then, the first acquiring unit 62 uses the PPM algorithm on the quantized value obtained by the quantizing unit 61 to obtain the probability of occurrence of the current event.
On the basis of the above technical solution, the matching module 52 may comprise: a second acquiring unit 63 and a matching unit 64. The second acquiring unit 63 is configured to obtain a classification matching rule from the correlation rule base, the classification matching rule comprising a matching rule descriptor, the security event category into which the event is to be classified, an event description and a response mode; the matching unit 64 is configured to perform rule matching on the current event according to the classification matching rule obtained by the second acquiring unit 63.
When the probability of occurrence of the current event is less than the predetermined threshold, the matching unit 64 matches the current event one by one against the classification matching rules in the correlation rule base; this matching process may also be a distributed parallel process. If the matching succeeds, the current event is determined to be a known security event and is assigned to the relevant category; otherwise, the current event is determined to be an unknown security event.
Further, on the basis of the above technical solution, the security event detection apparatus provided by the embodiment of the present invention may also comprise: a classification module 65 and a determination module 66. The classification module 65 is configured to classify the unknown security events by a clustering method according to the attributes of the unknown security events; the determination module 66 is configured to determine the category of the unknown security events after classification by the classification module 65.
The classification module 65 classifies several events determined to be unknown security events by a clustering method according to their attributes. The determination module 66 analyses the attributes of each class of unknown security events obtained by the classification to determine the category of each class; the category determined here may be a category of known security events or a new security event category.
Further, the security event detection apparatus provided by the embodiment of the present invention may also comprise: a generation module 67 and an adding module 68. The generation module 67 is configured to generate a new classification matching rule according to the category of the unknown security events after the classification; the adding module 68 is configured to add the new classification matching rule generated by the generation module 67 to the correlation rule base.
When the category determined by the determination module 66 is a new security event category, the generation module 67 generates a new classification matching rule according to the category of the unknown security events after the classification, and the adding module 68 adds the new classification matching rule to the correlation rule base for the security detection of subsequent events.
By providing a security event detection apparatus in which the first acquiring unit 62 obtains the probability of occurrence of an event using the PPM algorithm and the matching unit 64 performs rule matching only on events whose probability is less than the predetermined threshold, the embodiment of the present invention can detect unknown security events without relying on a predefined correlation rule base, reduces the amount of computation, thereby guarantees the real-time performance of security event detection, and improves detection efficiency.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus a necessary hardware platform, or entirely by hardware, although the former is the better mode of implementation in many cases. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the background art, may be embodied in the form of a software product stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disc, including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the present invention or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the technical solution of the present invention, and that such modifications or equivalent substitutions do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the present invention.