CN101668012A - Method and device for detecting security event - Google Patents

Method and device for detecting security event

Publication number: CN101668012A (granted as CN101668012B)
Authority: CN (China)
Application number: CN 200910093960
Original language: Chinese (zh)
Inventors: 王飞, 覃健诚, 朱洪亮
Original assignee: Huawei Symantec Technologies Co Ltd
Legal status: granted; now expired (fee related). Google notes that the legal status and the priority date shown are assumptions, not legal conclusions.
Prior art keywords: current event, security incident, classification, rule, incident
Abstract

Embodiments of the invention disclose a method and a device for detecting a security event. The method comprises: obtaining the occurrence probability of the current event; when that probability is smaller than a preset threshold, performing rule matching on the current event according to an association rule base; if the matching succeeds, confirming that the current event is a known security event, and otherwise confirming that it is an unknown security event. The device comprises an acquiring module and a matching module. By performing rule matching only on events whose probability is smaller than the preset threshold, the embodiments reduce the amount of computation, which preserves real-time detection of security events and improves detection efficiency.

Description

Security event detection method and device
Technical field
The present invention relates to the field of communications, and in particular to a security event detection method and device.
Background technology
With the continuous development and spread of information technology, information security problems grow more serious by the day. In computer networks the number of security events such as malicious attacks, illegal intrusions, viruses and Trojans, information leakage, catastrophic failures and traffic anomalies is increasing geometrically. Security events pose a serious threat to computer network systems, so effective measures must be taken to prevent, monitor and handle them in order to keep systems operating normally. Detecting security events is an indispensable step in this process; the purpose of detection is to enable subsequent alarming and response handling.
Existing security event detection methods mainly include rule association based on security event modelling, causal association, and cluster association. The rule association method based on security event modelling must first build a detailed security feature description library that describes every kind of security event from several angles, such as its conditions and environment; it then builds an automaton for analysing security features, processes the feature description library to produce association rules, and finally pattern-matches the current event against those rules to detect security events. The causal association method must establish the preconditions and consequences of the various security events in advance, match the consequence of an earlier alarm against the precondition of a later alarm to produce association rules, and perform matching detection according to those rules. The cluster association method designs a similarity function for each attribute of the current event, which measures the similarity between that attribute and the corresponding attribute of known security events, and then a similarity function for the event as a whole, which measures the similarity between two events; a current event that is highly similar to a known security event is determined to be a security event.
In the course of making the present invention, the inventors found at least the following problems in the prior art. The rule association method based on security event modelling and the causal association method both rely entirely on association rules established in advance, so they can only detect security events of known types; their detection efficiency is low and the feature description library must be updated constantly. At the same time, because all collected information must be matched against the pre-established association rules, and the rule set keeps growing, the amount of computation increases and the real-time performance of security event detection suffers. The cluster association method relies on statistical processing, so its results often lack a clear practical meaning: some events can only be assigned to a class, without the features of that class being describable, so no follow-up response can be carried out; and because all collected information must be clustered, the amount of computation is large, which again affects real-time performance.
Summary of the invention
Embodiments of the present invention provide a security event detection method and device that reduce the amount of computation, guarantee real-time detection of security events and improve detection efficiency.
Embodiments of the present invention provide a security event detection method, comprising:
obtaining the probability of occurrence of the current event;
when the probability of occurrence of the current event is less than a preset threshold, performing rule matching on the current event according to an association rule base; if the match succeeds, determining that the current event is a known security event, and otherwise determining that the current event is an unknown security event.
Embodiments of the present invention also provide a security event detection device, comprising:
an acquisition module, for obtaining the probability of occurrence of the current event;
a matching module, for performing rule matching on the current event according to an association rule base when the probability obtained by the acquisition module is less than a preset threshold; if the match succeeds, determining that the current event is a known security event, and otherwise determining that the current event is an unknown security event.
By providing this security event detection method and device, the embodiments of the invention perform rule matching only on events whose probability is less than the preset threshold, which reduces the amount of computation, guarantees real-time detection of security events and improves detection efficiency.
Description of drawings
To illustrate the technical solutions of the present invention more clearly, the drawings needed to describe the embodiments are introduced briefly below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain further drawings from them without creative effort.
Fig. 1 is a flow chart of the first embodiment of the security event detection method of the present invention;
Fig. 2 is a schematic diagram of the network deployment positions of the first embodiment of the security event detection method of the present invention;
Fig. 3 is a flow chart of the second embodiment of the security event detection method of the present invention;
Fig. 4 is a flow chart of a specific embodiment of the security event detection method of the present invention;
Fig. 5 is a structural diagram of the first embodiment of the security event detection device of the present invention;
Fig. 6 is a structural diagram of the second embodiment of the security event detection device of the present invention.
Embodiments
The technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from these embodiments without creative effort fall within the scope of protection of the invention.
The technical solutions of the embodiments of the invention are described in further detail below by way of the drawings and embodiments.
Fig. 1 is a flow chart of the first embodiment of the security event detection method of the present invention. As shown in Fig. 1, the embodiment provides a security event detection method comprising:
Step 101: obtain the probability of occurrence of the current event;
Step 102: when the probability of occurrence of the current event is less than a preset threshold, perform rule matching on the current event according to an association rule base;
Step 103: judge whether the match succeeded; if so, execute step 104, otherwise execute step 105;
Step 104: determine that the current event is a known security event;
Step 105: determine that the current event is an unknown security event.
In this embodiment, when detecting whether a given current event is a security event, the probability of occurrence of that event is obtained first and used to screen for security events. When the probability is less than the preset threshold, that is, when the current event is a small-probability event, rule matching is performed on it according to the association rule base that has already been established. If the match succeeds, the current event is confirmed as a known security event, otherwise it is confirmed as an unknown security event. A known security event can subsequently be handled with the response corresponding to its attributes, and an unknown security event can be processed further. The sensitivity of the screening is changed by adjusting the size of the preset threshold, which trades off the false alarm rate against the miss rate of the whole detection method: a lower threshold passes fewer events on to rule matching, so it costs less computation but misses more, and a higher threshold does the reverse. Security events in this embodiment include events such as abnormal traffic or malicious attacks.
The security event detection method provided by the embodiment can be deployed in any controlled network zone, such as a metropolitan area network gateway zone, a boundary position, a wide area network edge or an intranet. Fig. 2 is a schematic diagram of the network deployment positions of the first embodiment. In a network zone such as the one shown in Fig. 2, the method can be deployed on security gateways, firewalls, secure routers, border intrusion detection devices, security event detectors and the like.
By providing this security event detection method, the embodiment performs rule matching only on events whose probability is less than the preset threshold, which reduces the amount of computation, guarantees real-time detection of security events and improves detection efficiency.
Fig. 3 is a flow chart of the second embodiment of the security event detection method of the present invention. As shown in Fig. 3, building on the first method embodiment, step 101 can comprise:
Step 301: quantize the current event according to its attributes, obtaining the quantized value of the current event;
Step 302: using the quantized value of the current event and the Prediction by Partial Match (hereinafter PPM) algorithm, obtain the probability of occurrence of the current event.
In this embodiment, the current event is first quantized according to its attributes, such as its IP address, log file or error code. That is, by sampling and quantization the current event is converted into an integer (standard quantized data) within a given range, for example an integer between 0 and 255. The following formula can be used for quantization:
<quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...).
Then, using the quantized value obtained in step 301 and the PPM algorithm, the probability of occurrence of the current event is obtained. Table 1 is a dynamic prediction table of occurrence probabilities that gives the prediction result.
Table 1

Event | Predicted value
----- | ---------------
0     | integer value 1
1     | integer value 2
2     | integer value 3
...   | ...

Here integer value 1 is the historical count of occurrences of event 0, integer value 2 is the historical count of occurrences of event 1, and so on. When the current event occurs, the predicted value corresponding to it in the table is taken as the numerator and the sum of all integer values in the table as the denominator; the quotient is the probability of occurrence of the current event.
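The quantization, PPM probability estimate and threshold screening described in steps 301 and 302 (and again in steps 401 to 407 below), as an added worked example that is not code from the patent or from Huawei Symantec. Assumptions: an event is a dict with "src_ip", "err" and "msg" attributes; the quantization function folds those attributes into an integer in 0..255 in an arbitrary way (the patent leaves the function open); the PPM model is a simplified order-k context model that falls back to a shorter context when a symbol has not been seen, without escape-probability weighting. Table 1 of the patent corresponds to the order-0 context of such a model.

```python
"""Event quantization, PPM-style probability estimation and small-probability
screening (patent steps 301-302 and 401-407). Added illustration; the
quantizer and the simplified PPM are assumptions, not the patent's method."""
from collections import defaultdict

ALPHABET = 256  # quantized values are integers in 0..255, as in the patent


def quantize(event):
    """Map an event's attributes to one integer in 0..255 (assumed quantizer)."""
    ip_octet = int(event["src_ip"].rsplit(".", 1)[-1])
    return (ip_octet + 37 * int(event["err"]) + len(event["msg"])) % ALPHABET


class PPMModel:
    """Order-k PPM: per-context symbol counts.

    probability(sym) uses the longest context that has already seen sym and
    returns count / sum of counts in that context (Table 1's numerator and
    denominator). If no context has seen it, the order -1 estimate
    1/ALPHABET is returned instead of zero.
    """

    def __init__(self, order=2):
        self.order = order
        self.counts = defaultdict(lambda: defaultdict(int))  # ctx -> sym -> n
        self.history = ()  # the last `order` symbols

    def _contexts(self):
        # Longest context first, down to the empty (order-0) context.
        for k in range(min(self.order, len(self.history)), -1, -1):
            yield self.history[-k:] if k else ()

    def probability(self, sym):
        for ctx in self._contexts():
            table = self.counts.get(ctx)  # .get() does not create empty tables
            if table and sym in table:
                return table[sym] / sum(table.values())
        return 1.0 / ALPHABET

    def update(self, sym):
        """Step 404: increment the predicted value after the event occurs."""
        for ctx in self._contexts():
            self.counts[ctx][sym] += 1
        self.history = (self.history + (sym,))[-self.order:]


def screen(events, model, threshold=0.05):
    """Steps 403-407: flag events whose probability is below the threshold.

    Returns (event, probability, is_candidate) triples. The probability is
    read before the model is updated, as in steps 403 and 404.
    """
    out = []
    for ev in events:
        sym = quantize(ev)
        p = model.probability(sym)
        model.update(sym)
        out.append((ev, p, p < threshold))
    return out


def demo(threshold=0.05):
    """Constructed stream: a warmed-up baseline, then one odd event."""
    normal = {"src_ip": "10.0.0.15", "err": 0, "msg": "login ok"}
    odd = {"src_ip": "203.0.113.77", "err": 4, "msg": "login failed"}
    model = PPMModel(order=2)
    for _ in range(50):  # warm-up: with an empty model every event is "rare"
        model.update(quantize(normal))
    return screen([normal] * 3 + [odd] + [normal] * 2, model, threshold)


if __name__ == "__main__":
    for ev, p, flagged in demo():
        print(f"{p:.4f} {'CANDIDATE' if flagged else 'common   '} {ev}")
```

Two practical points follow from the code. First, an empty or barely trained model assigns the floor probability to everything, so every event in the first seconds after start-up is a "small-probability event" and goes to rule matching; the warm-up loop stands in for a baseline period that a deployment would need. Second, the quantizer decides what the model can distinguish: folding many attributes into 256 symbols means unrelated events can collide on one symbol, and an attacker who can choose attribute values (a source address, a message length) can steer an event onto a frequent symbol, so the quantization function should not be guessable from outside.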
Building on the above, step 102 can comprise:
Step 303: when the probability of occurrence of the current event is less than the preset threshold, obtain a classification matching rule from the association rule base; the classification matching rule comprises a matching rule descriptor, the security event category to be assigned, an event description and a response mode;
Step 304: perform rule matching on the current event according to the classification matching rule.
When the probability of occurrence of the current event is less than the preset threshold, the current event is matched one by one against the classification matching rules in the association rule base; this matching process can also be a distributed, parallel process. If the match succeeds, the current event is confirmed as a known security event and assigned to the relevant category, otherwise it is confirmed as an unknown security event.
Further, building on the above, the following can be included after step 105:
Step 305: classify the unknown security events by clustering according to their attributes;
Step 306: determine the category of the unknown security events after classification.
Several events that have been confirmed as unknown security events are classified by clustering according to their attributes. The attributes of each classified unknown security event are then analysed to determine the category of each class of unknown security events; the category determined at this point may be a known security event category or a new security event category.
Further, the following can be included after step 306:
Step 307: generate a new classification matching rule according to the category of the unknown security events after classification;
Step 308: add the new classification matching rule to the association rule base.
When the determined category is a new security event category, a new classification matching rule is generated according to the category of the unknown security events and added to the association rule base, ready for the security detection of subsequent events.
By providing this security event detection method, the embodiment obtains the probability of occurrence of events with the PPM algorithm, performs rule matching only on events whose probability is less than the preset threshold, and can detect unknown security events without depending on a predefined association rule base; this reduces the amount of computation, guarantees real-time detection of security events and improves detection efficiency.
Fig. 4 is a flow chart of a specific embodiment of the security event detection method of the present invention. As shown in Fig. 4, the embodiment provides a concrete security event detection method comprising:
Step 401: read the attribute values of the current event;
Step 402: quantize the current event according to the formula <quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...);
Step 403: obtain the probability R of occurrence of event N1 according to the formula R = <predicted value of event N1> / <sum of the predicted values of all events>;
Step 404: increment the predicted value of event N1, that is, <predicted value of event N1> = <predicted value of event N1> + 1;
Step 405: judge whether the probability R is greater than the preset threshold; if so, execute step 406, otherwise execute step 407;
Step 406: determine that the event is a common event, then return to step 401;
Step 407: determine that the event is a security event;
Step 408: read the quantized value of this security event;
Step 409: restore the attributes of this security event;
Step 410: obtain one classification matching rule from the association rule base;
Step 411: perform rule matching on the current event according to this classification matching rule; if the match succeeds, execute step 412, otherwise execute step 413;
Step 412: determine that the current event is a known security event and output it to the corresponding response processing unit;
Step 413: judge whether all classification matching rules have been obtained from the association rule base; if so, execute step 414, otherwise return to step 410;
Step 414: determine that the current event is an unknown security event, raise an alarm for it, and carry out follow-up operations such as clustering.
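The rule-matching loop of steps 410 to 414, together with the clustering of unknown events and the generation of new rules described in steps 303 to 308 above, as an added worked example that is not code from the patent. It takes as input the candidates that the threshold screening has already produced. Assumptions the patent does not fix: a rule's descriptor is a set of attribute values a matching event must carry; two events are compared by the fraction of attributes on which they agree; clustering is a single-pass leader clustering; a cluster needs at least two members before a rule is generated from it. The rule base and the candidate events are constructed for the example.

```python
"""Classification-rule matching, clustering of unmatched events and rule
generation (patent steps 303-308 and 408-414). Added illustration; the rule
format, similarity measure and clustering routine are assumptions."""


def make_rule(descriptor, category, description, response):
    # The four fields of a classification matching rule named in step 303.
    return {"descriptor": descriptor, "category": category,
            "description": description, "response": response}


# Constructed association rule base.
RULE_BASE = [
    make_rule({"err": 4, "msg": "login failed"}, "brute-force",
              "repeated failed logins", "block source for 10 minutes"),
    make_rule({"err": 7}, "scan", "port scan signature", "alert SOC"),
]

# Constructed candidates: events whose probability fell below the threshold.
CANDIDATES = [
    {"src_ip": "203.0.113.77", "err": 4, "msg": "login failed"},
    {"src_ip": "203.0.113.9", "err": 7, "msg": "syn to 22"},
    {"src_ip": "198.51.100.5", "err": 9, "msg": "dns txt burst"},
    {"src_ip": "198.51.100.6", "err": 9, "msg": "dns txt burst"},
    {"src_ip": "192.0.2.44", "err": 13, "msg": "smb write spike"},
]


def matches(rule, event):
    return all(event.get(k) == v for k, v in rule["descriptor"].items())


def classify(event, rule_base):
    """Steps 410-413: try the rules one by one; first match wins, None if none."""
    for rule in rule_base:
        if matches(rule, event):
            return rule
    return None


def similarity(a, b):
    """Fraction of attribute keys on which two events agree (assumed measure)."""
    keys = set(a) | set(b)
    return sum(a.get(k) == b.get(k) for k in keys) / len(keys)


def cluster(events, min_sim=0.5):
    """Step 305: leader clustering over the unknown events' attributes."""
    clusters = []
    for ev in events:
        for members in clusters:
            if similarity(members[0], ev) >= min_sim:
                members.append(ev)
                break
        else:
            clusters.append([ev])
    return clusters


def rule_from_cluster(members, index):
    """Step 307: the descriptor is the set of attributes all members share."""
    shared = {k: v for k, v in members[0].items()
              if all(m.get(k) == v for m in members[1:])}
    return make_rule(shared, f"new-class-{index}",
                     f"generated from {len(members)} unknown events",
                     "alert and queue for analyst review")


def process(candidates, rule_base, min_members=2):
    """Match candidates, cluster the unknown ones and extend the rule base.

    Returns (known, unknown, new_rules); known and unknown hold (event,
    category) pairs. A rule is added (step 308) only if its descriptor is
    non-empty: an empty descriptor matches every event and would silently
    turn all future candidates into "known" events.
    """
    known, unknown = [], []
    for ev in candidates:
        rule = classify(ev, rule_base)
        if rule:
            known.append((ev, rule["category"]))
        else:
            unknown.append((ev, None))
    new_rules = []
    for i, members in enumerate(cluster([ev for ev, _ in unknown]), 1):
        if len(members) < min_members:
            continue  # leave singletons unknown rather than overfit a rule
        rule = rule_from_cluster(members, i)
        if rule["descriptor"]:
            rule_base.append(rule)
            new_rules.append(rule)
    return known, unknown, new_rules


def demo():
    rule_base = [dict(r) for r in RULE_BASE]  # work on a copy
    known, unknown, new_rules = process(CANDIDATES, rule_base)
    later = {"src_ip": "198.51.100.7", "err": 9, "msg": "dns txt burst"}
    follow = classify(later, rule_base)
    return ([cat for _, cat in known], len(unknown),
            [r["descriptor"] for r in new_rules],
            follow["category"] if follow else None)


if __name__ == "__main__":
    print(demo())
```

The checks in `process` are the ones a practitioner would want before letting step 308 write into a live rule base: a generated rule whose descriptor is empty, or that was derived from a single event, changes how every later small-probability event is classified, and once an event is "known" it is routed to the response unit instead of raising the unknown-event alarm of step 414. Automatically generated rules are therefore better queued for analyst review than appended unconditionally.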
By providing this security event detection method, the embodiment performs rule matching only on events whose probability is less than the preset threshold, which reduces the amount of computation, guarantees real-time detection of security events and improves detection efficiency.
Fig. 5 is a structural diagram of the first embodiment of the security event detection device of the present invention. As shown in Fig. 5, the embodiment provides a security event detection device comprising an acquisition module 51 and a matching module 52. The acquisition module 51 obtains the probability of occurrence of the current event; the matching module 52 performs rule matching on the current event according to an association rule base when the probability obtained by the acquisition module 51 is less than a preset threshold, and determines that the current event is a known security event if the match succeeds and an unknown security event otherwise.
In this embodiment, when detecting whether a given current event is a security event, the acquisition module 51 first obtains the probability of occurrence of the event and uses it to screen for security events. When the probability is less than the preset threshold, that is, when the current event is a small-probability event, the matching module 52 performs rule matching on it according to the association rule base that has already been established. If the match succeeds, the current event is confirmed as a known security event, otherwise it is confirmed as an unknown security event. A known security event can subsequently be handled with the response corresponding to its attributes, and an unknown security event can be processed further. The sensitivity of the screening is changed by adjusting the size of the preset threshold, which trades off the false alarm rate against the miss rate of the whole detection method. Security events in this embodiment include events such as abnormal traffic or malicious attacks.
By providing this security event detection device, whose matching module 52 performs rule matching only on events whose probability is less than the preset threshold, the embodiment reduces the amount of computation, guarantees real-time detection of security events and improves detection efficiency.
Fig. 6 is a structural diagram of the second embodiment of the security event detection device of the present invention. As shown in Fig. 6, building on the first device embodiment, the acquisition module 51 can comprise a quantization unit 61 and a first acquiring unit 62. The quantization unit 61 quantizes the current event according to its attributes to obtain its quantized value; the first acquiring unit 62 obtains the probability of the current event from the quantized value produced by the quantization unit 61, using the PPM algorithm.
In this embodiment, the quantization unit 61 first quantizes the current event according to its attributes, such as its IP address, log file or error code; that is, by sampling and quantization the current event is converted into an integer (standard quantized data) within a given range, for example an integer between 0 and 255. The following formula can be used for quantization:
<quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...).
Then the first acquiring unit 62 obtains the probability of occurrence of the current event from the quantized value produced by the quantization unit 61, using the PPM algorithm.
Building on the above, the matching module 52 can comprise a second acquiring unit 63 and a matching unit 64. The second acquiring unit 63 obtains a classification matching rule from the association rule base; the classification matching rule comprises a matching rule descriptor, the security event category to be assigned, an event description and a response mode. The matching unit 64 performs rule matching on the current event according to the classification matching rule obtained by the second acquiring unit 63.
When the probability of occurrence of the current event is less than the preset threshold, the matching unit 64 matches the current event one by one against the classification matching rules in the association rule base; this matching process can also be a distributed, parallel process. If the match succeeds, the current event is confirmed as a known security event and assigned to the relevant category, otherwise it is confirmed as an unknown security event.
Further, building on the above, the security event detection device provided by the embodiment can also comprise a classification module 65 and a determination module 66. The classification module 65 classifies the unknown security events by clustering according to their attributes; the determination module 66 determines the category of the unknown security events after classification by the classification module 65.
The classification module 65 clusters several events that have been confirmed as unknown security events according to their attributes. The determination module 66 analyses the attributes of each classified unknown security event to determine the category of each class of unknown security events; the category determined at this point may be a known security event category or a new security event category.
Further, the security event detection device provided by the embodiment can also comprise a generation module 67 and an adding module 68. The generation module 67 generates a new classification matching rule according to the category of the unknown security events after classification; the adding module 68 adds the new classification matching rule generated by the generation module 67 to the association rule base.
When the category determined by the determination module 66 is a new security event category, the generation module 67 generates a new classification matching rule according to the category of the classified unknown security events, and the adding module 68 adds this new rule to the association rule base for the security detection of subsequent events.
By providing this security event detection device, in which the first acquiring unit 62 obtains the probability of occurrence of events with the PPM algorithm and the matching unit 64 performs rule matching only on events whose probability is less than the preset threshold, the embodiment can detect unknown security events without depending on a predefined association rule base; this reduces the amount of computation, guarantees real-time detection of security events and improves detection efficiency.
From the description of the embodiments above, those skilled in the art will understand that the present invention can be implemented by software on a necessary hardware platform, or of course entirely in hardware, although in many cases the former is the better implementation. On that basis, the technical solution of the invention, or the part of it that contributes over the background art, can be embodied as a software product stored on a storage medium such as ROM/RAM, a magnetic disk or an optical disc, containing instructions that cause a computer device (a personal computer, a server, a network device or the like) to perform the method described in the embodiments or in parts of them.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution can still be modified or replaced by equivalents, and that such modifications or equivalent replacements do not take the modified technical solution outside the spirit and scope of the technical solution of the present invention.

Claims (10)

1, a kind of security incident detection method is characterized in that, comprising:
Obtain the probability that current event takes place;
The probability that takes place when described current event carries out rule match according to the correlation rule storehouse to described current event during less than predetermined threshold value; If the match is successful, determine that then described current event is the known safe incident, otherwise, determine that described current event is unknown security incident.
2, want 1 described security incident detection method according to right, it is characterized in that, the described probability that obtains the current event generation comprises:
According to the attribute of current event, described current event is quantized, obtain the quantized value of described current event;
According to the quantized value of described current event, utilize the partial match estimation algorithm, obtain the probability that described current event takes place.
3, security incident detection method according to claim 1 and 2 is characterized in that, describedly according to the correlation rule storehouse described current event is carried out rule match and comprises:
From described correlation rule storehouse, obtain the classification and matching rule;
According to described classification and matching rule described current event is carried out rule match.
4. The security event detection method according to claim 1 or 2, characterized in that, after determining that the current event is an unknown security event, the method further comprises:
clustering the unknown security event according to its attributes by means of a clustering method;
determining the category of the clustered unknown security event.
5. The security event detection method according to claim 4, characterized in that, after determining the category of the clustered unknown security event, the method further comprises:
generating a new classification-matching rule according to the category of the clustered unknown security event;
adding the new classification-matching rule to the association rule base.
6. A security event detection device, characterized in that it comprises:
an acquisition module, configured to obtain the occurrence probability of the current event;
a matching module, configured to perform rule matching on the current event according to an association rule base when the occurrence probability obtained by the acquisition module is less than a predetermined threshold, and, if the match succeeds, to determine that the current event is a known security event, otherwise to determine that the current event is an unknown security event.
7. The security event detection device according to claim 6, characterized in that the acquisition module comprises:
a quantizing unit, configured to quantize the current event according to its attributes to obtain a quantized value of the current event;
a first acquiring unit, configured to obtain the occurrence probability of the current event from the quantized value obtained by the quantizing unit by means of a partial-match estimation algorithm.
8. The security event detection device according to claim 6 or 7, characterized in that the matching module comprises:
a second acquiring unit, configured to obtain classification-matching rules from the association rule base;
a matching unit, configured to perform rule matching on the current event according to the classification-matching rules obtained by the second acquiring unit.
9. The security event detection device according to claim 6 or 7, characterized in that it further comprises:
a classification module, configured to cluster the unknown security event according to its attributes by means of a clustering method;
a determination module, configured to determine the category of the unknown security event clustered by the classification module.
10. The security event detection device according to claim 9, characterized in that it further comprises:
a generation module, configured to generate a new classification-matching rule according to the category of the clustered unknown security event;
an adding module, configured to add the new classification-matching rule generated by the generation module to the association rule base.
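The following Python is an example added here, not code from the patent or its applicant. It runs the pipeline that claims 4 and 5 and the device modules of claims 6 to 10 describe over a constructed event stream: quantize each event and estimate its occurrence probability (acquisition module), rule-match against the association rule base only when that probability is below the threshold (matching module), cluster the events that matched no rule (classification module), and turn a cluster into a new classification-matching rule that is added to the rule base (generation and adding modules). The port-bucket quantization, the order-1 context model with order-0 escape that stands in for the partial-match estimation algorithm, the attribute-mismatch leader clustering, the 0.08 threshold, the rule names and all sample events are assumptions made for the example.

```python
# Added example, not the patent's code: quantization, model, clustering, threshold and data are assumptions.
from collections import Counter, defaultdict

CLUSTER_KEYS = ("proto", "port_bucket", "action", "dst_port", "src")

def features(event):
    """Attributes for matching/clustering; the port bucket is the assumed quantization."""
    port = event["dst_port"]
    bucket = "well_known" if port < 1024 else "registered" if port < 49152 else "ephemeral"
    return {**event, "port_bucket": bucket}

class OccurrenceModel:
    """Order-1 context model that escapes to order-0 on an unseen pair: a minimal stand-in
    for the partial-match estimation algorithm the claims name, not the patent's algorithm."""
    def __init__(self):
        self.order0, self.order1, self.total, self.prev = Counter(), defaultdict(Counter), 0, None

    def probability(self, sym):
        ctx = self.order1.get(self.prev)
        if ctx and sym in ctx:
            return ctx[sym] / sum(ctx.values())
        # escape: order-0 frequency, add-one smoothed over the alphabet seen so far
        return (self.order0[sym] + 1) / (self.total + len(self.order0) + 1)

    def update(self, sym):
        self.order0[sym] += 1
        self.total += 1
        if self.prev is not None:
            self.order1[self.prev][sym] += 1
        self.prev = sym

def rule_match(feat, rules):
    """Name of the first rule whose attribute predicates all hold on the event, else None."""
    return next((r["name"] for r in rules
                 if all(feat.get(k) == v for k, v in r["match"].items())), None)

def cluster(feats, max_dist):
    """Leader clustering on attribute-mismatch count (a toy stand-in for the claimed clustering)."""
    clusters = []
    for f in feats:
        for c in clusters:
            if sum(c[0][k] != f[k] for k in CLUSTER_KEYS) <= max_dist:
                c.append(f)
                break
        else:
            clusters.append([f])
    return clusters

class Detector:
    def __init__(self, rules, threshold, max_dist=2, min_cluster=2):
        self.model, self.rules, self.threshold = OccurrenceModel(), list(rules), threshold
        self.max_dist, self.min_cluster, self.unknown = max_dist, min_cluster, []

    def process(self, event):
        feat = features(event)
        sym = (feat["proto"], feat["port_bucket"], feat["action"])   # the event's quantized value
        p = self.model.probability(sym)
        self.model.update(sym)
        if p >= self.threshold:             # frequent event: rule matching is skipped entirely
            return "normal"
        name = rule_match(feat, self.rules)
        if name:
            return "known:" + name
        self.unknown.append(feat)
        return "unknown"

    def learn(self):
        """Cluster the unknown events; a cluster of min_cluster or more members becomes a
        new classification-matching rule made of the attributes all its members share."""
        new_rules, pending = [], []
        for c in cluster(self.unknown, self.max_dist):
            if len(c) >= self.min_cluster:
                shared = {k: c[0][k] for k in CLUSTER_KEYS if all(m[k] == c[0][k] for m in c)}
                new_rules.append({"name": f"learned_{len(self.rules) + len(new_rules)}", "match": shared})
            else:
                pending.extend(c)           # a singleton would yield an over-specific rule
        self.rules.extend(new_rules)
        self.unknown = pending
        return new_rules

# Constructed sample traffic and seed rule (not real data).
NORMAL = [{"src": "10.0.0.5", "dst_port": 22, "proto": "tcp", "action": "login_ok"},
          {"src": "10.0.0.6", "dst_port": 80, "proto": "tcp", "action": "connect"}]
RARE = [{"src": "203.0.113.9", "dst_port": 3389, "proto": "tcp", "action": "login_fail"},
        {"src": "198.51.100.7", "dst_port": 4444, "proto": "tcp", "action": "connect"},
        {"src": "198.51.100.8", "dst_port": 4445, "proto": "tcp", "action": "connect"},
        {"src": "192.0.2.3", "dst_port": 53, "proto": "udp", "action": "query_fail"}]
RULE_BASE = [{"name": "brute_force_rdp",
              "match": {"proto": "tcp", "dst_port": 3389, "action": "login_fail"}}]

def run_demo():
    det = Detector(RULE_BASE, threshold=0.08)
    for ev in NORMAL * 10:                  # warm-up: this becomes the frequent background
        det.process(ev)
    verdicts = [det.process(ev) for ev in RARE]
    learned = det.learn()
    for ev in NORMAL * 5:
        det.process(ev)
    later = det.process({"src": "198.51.100.9", "dst_port": 5555, "proto": "tcp", "action": "connect"})
    return {"verdicts": verdicts, "learned": learned, "later": later, "pending": len(det.unknown)}
```

In `run_demo()` the RDP login failure is rare, gated, and matched by the seed rule; the two connections to registered ports and the UDP query match nothing and are held as unknown; `learn()` merges the two connections into a cluster and emits a rule on the attributes they share (`proto`, `port_bucket`, `action`), while the singleton UDP query stays pending. The practical caveat the gate introduces is visible in the numbers: the second unknown connection is already estimated at 2/27, close to the threshold, so a repeated attack soon counts as frequent and never reaches the rule base again. The threshold has to be tuned against event volume, and a rule that must fire unconditionally should be evaluated before, not behind, the probability gate.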
CN 200910093960 2009-09-23 2009-09-23 Method and device for detecting security event Expired - Fee Related CN101668012B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910093960 CN101668012B (en) 2009-09-23 2009-09-23 Method and device for detecting security event

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200910093960 CN101668012B (en) 2009-09-23 2009-09-23 Method and device for detecting security event

Publications (2)

Publication Number Publication Date
CN101668012A true CN101668012A (en) 2010-03-10
CN101668012B CN101668012B (en) 2013-01-30

Family

ID=41804452

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910093960 Expired - Fee Related CN101668012B (en) 2009-09-23 2009-09-23 Method and device for detecting security event

Country Status (1)

Country Link
CN (1) CN101668012B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100384143C (en) * 2004-08-24 2008-04-23 华为技术有限公司 Method for detecting user to make malicious IP scanning
CN100518089C (en) * 2006-07-19 2009-07-22 华为技术有限公司 Security event associative analysis method and system

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571469A (en) * 2010-12-23 2012-07-11 北京启明星辰信息技术股份有限公司 Attack detecting method and device
KR20130136923A (en) * 2012-06-05 2013-12-13 Robert Bosch GmbH Method and system for diagnosing a functional unit connected to a control unit in a motor vehicle
CN103471855A (en) * 2012-06-05 2013-12-25 罗伯特·博世有限公司 Method and system for diagnosing a functional unit connected to a control unit in a motor vehicle
KR102109736B1 (en) * 2012-06-05 2020-05-12 Robert Bosch GmbH Method and system for diagnosing a functional unit connected to a control unit in a motor vehicle
CN103812676A (en) * 2012-11-08 2014-05-21 深圳中兴网信科技有限公司 Apparatus and method for realizing log data real-time association
CN105991609B (en) * 2015-03-02 2019-08-23 阿里巴巴集团控股有限公司 A kind of risk case determines method and device
CN105991609A (en) * 2015-03-02 2016-10-05 阿里巴巴集团控股有限公司 Risk event determining method and device
CN104967616A (en) * 2015-06-05 2015-10-07 北京安普诺信息技术有限公司 WebShell file detection method in Web server
CN105516152B (en) * 2015-12-15 2019-03-29 云南大学 Anomaly detection method
CN105516152A (en) * 2015-12-15 2016-04-20 云南大学 Abnormal behavior detection method
CN107517216A (en) * 2017-09-08 2017-12-26 瑞达信息安全产业股份有限公司 A kind of network safety event correlating method
CN107517216B (en) * 2017-09-08 2020-02-21 瑞达信息安全产业股份有限公司 Network security event correlation method
CN108563961A (en) * 2018-04-13 2018-09-21 中国民航信息网络股份有限公司 The recognition methods of data desensitization platform sensitive data, device, equipment and medium
CN111597084A (en) * 2019-02-20 2020-08-28 长鑫存储技术有限公司 Safety early warning method and device, electronic equipment and storage medium
CN113343228A (en) * 2021-06-30 2021-09-03 北京天融信网络安全技术有限公司 Event credibility analysis method and device, electronic equipment and readable storage medium
CN113343228B (en) * 2021-06-30 2023-11-10 北京天融信网络安全技术有限公司 Event credibility analysis method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN101668012B (en) 2013-01-30

Similar Documents

Publication Publication Date Title
CN101668012B (en) Method and device for detecting security event
US9479518B1 (en) Low false positive behavioral fraud detection
EP1741223B1 (en) Method, apparatus and computer program for distinguishing relevant network security threats using comparison of refined intrusion detection audits and intelligent security analysis
CN105009132A (en) Event correlation based on confidence factor
CN103441982A (en) Intrusion alarm analyzing method based on relative entropy
US20070226803A1 (en) System and method for detecting internet worm traffics through classification of traffic characteristics by types
KR102091076B1 (en) Intelligent security control system and method using mixed map alert analysis and non-supervised learning based abnormal behavior detection method
CN101557327A (en) Intrusion detection method based on support vector machine (SVM)
CN101459537A (en) Network security situation sensing system and method based on multi-layer multi-angle analysis
CN105656693B (en) A kind of method and system of the information security abnormality detection based on recurrence
CN107016298B (en) Webpage tampering monitoring method and device
CN103888282A (en) Network intrusion alarm method and system based on nuclear power plant
CN110324323A (en) A kind of new energy plant stand relates to net end real-time, interactive process exception detection method and system
CN112671767A (en) Security event early warning method and device based on alarm data analysis
CN115001934A (en) Industrial control safety risk analysis system and method
CN111934951A (en) Network packet loss detection method and device
KR101444250B1 (en) System for monitoring access to personal information and method therefor
Ebrahimi et al. Automatic attack scenario discovering based on a new alert correlation method
CN112600828B (en) Attack detection and protection method and device for power control system based on data message
CN110149303B (en) Party-school network security early warning method and early warning system
CN115801307A (en) Method and system for carrying out port scanning detection by using server log
CN112839029B (en) Botnet activity degree analysis method and system
CN110677271B (en) Big data alarm method, device, equipment and storage medium based on ELK
Chaturvedi et al. Anomaly detection in network using data mining techniques
JP7081953B2 (en) Alert notification device and alert notification method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130130

Termination date: 20190923