Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The technical solutions of the embodiments of the present invention are described in further detail below with reference to the drawings and examples.
Fig. 1 is a flow chart of a first embodiment of the security incident detection method of the present invention. As shown in Fig. 1, the embodiment of the present invention provides a security incident detection method comprising:
Step 101: obtain the probability that the current event occurs;
Step 102: when the probability that the current event occurs is less than a predetermined threshold, perform rule matching on the current event according to the correlation rule base;
Step 103: judge whether the match succeeds; if so, execute step 104, otherwise execute step 105;
Step 104: determine that the current event is a known security incident;
Step 105: determine that the current event is an unknown security incident.
In the embodiment of the present invention, when detecting whether a current event is a security incident, the probability that the current event occurs is first obtained, and security incidents are screened according to that probability: when the probability is less than the predetermined threshold, that is, when the current event is a small-probability event, rule matching is performed on the current event according to the established correlation rule base. If the match succeeds, the current event is determined to be a known security incident; otherwise it is determined to be an unknown security incident. Subsequently, a corresponding response can be made to a known security incident according to its attributes, and further operations can be performed on an unknown security incident. The sensitivity of the security incident screening can be changed by adjusting the size of the predetermined threshold, which in turn affects the false alarm rate and the missed alarm rate of the whole security incident detection method. Security incidents in this embodiment include events such as abnormal traffic or malicious attacks.
The security incident detection method provided by the embodiment of the present invention can be deployed in any controlled network area, such as a metropolitan area network gateway, a boundary position, a wide area network edge, an intranet, etc. Fig. 2 is a schematic diagram of the network deployment position of the first embodiment of the security incident detection method of the present invention. In the network area shown in Fig. 2, the positions where the security incident detection method can be deployed include: a security gateway, a firewall, a secure router, a border intrusion detection device, a security incident detector, etc.
By providing this security incident detection method, the embodiment of the present invention performs rule matching only on events whose probability is less than the predetermined threshold, reducing the amount of computation, thereby guaranteeing the real-time performance of security incident detection and improving detection efficiency.
Fig. 3 is a flow chart of a second embodiment of the security incident detection method of the present invention. As shown in Fig. 3, on the basis of the first method embodiment above, step 101 can comprise:
Step 301: quantize the current event according to its attributes to obtain a quantized value of the current event;
Step 302: according to the quantized value of the current event, obtain the probability that the current event occurs using a Prediction by Partial Match (hereinafter PPM) algorithm.
In the embodiment of the present invention, the current event is first quantized according to its attributes, such as an IP address, a log file or an error code of the current event; that is, by means of sampling and quantization, the current event is converted into a binary integer (normalized quantitative data) within a certain range, such as an integer between 0 and 255. The following formula can be used for quantization:
<quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...).
Then, according to the quantized value obtained in step 301, the PPM algorithm is used to obtain the probability that the current event occurs. Table 1 is the dynamic prediction table of occurrence probability from which the prediction result is provided.
Table 1
Event    Predicted value
0        Integer value 1
1        Integer value 2
2        Integer value 3
...      ...
Here integer value 1 represents the historical count of occurrences of event 0, integer value 2 represents the historical count of occurrences of event 1, and so on. After the current event occurs, the predicted value corresponding to the current event is taken as the numerator and the sum of all integer values in the table as the denominator; the resulting quotient is the probability that the current event occurs.
On the basis of the above technical solution, step 102 can comprise:
Step 303: when the probability that the current event occurs is less than the predetermined threshold, obtain classification-matching rules from the correlation rule base, each classification-matching rule comprising a matched-rule descriptor, the security incident category to be assigned, an event description and a response mode;
Step 304: perform rule matching on the current event according to the classification-matching rules.
When the probability that the current event occurs is less than the predetermined threshold, the current event is matched one by one against the classification-matching rules in the correlation rule base; this matching process can also be a distributed parallel process. If the match succeeds, the current event is determined to be a known security incident and is assigned to the relevant category; otherwise the current event is determined to be an unknown security incident.
Further, on the basis of the above technical solution, after step 105 the method can also comprise:
Step 305: perform classification processing on the unknown security incidents according to their attributes, using a clustering method;
Step 306: determine the category of the unknown security incidents after classification processing.
According to the attributes of the unknown security incidents, a clustering method is used to classify the several events that have been determined to be unknown security incidents. The attributes of each unknown security incident after classification are analyzed to determine the category of each kind of unknown security incident; the category at this point may be the category of a known security incident, or it may be a new security incident category.
Further, after step 306 above, the method can also comprise:
Step 307: generate a new classification-matching rule according to the category of the unknown security incidents after classification processing;
Step 308: add the new classification-matching rule to the correlation rule base.
When the determined category is a new security incident category, a new classification-matching rule is generated according to the category of the unknown security incidents, and the new classification-matching rule is added to the correlation rule base for the security detection of subsequent events.
By providing this security incident detection method, the embodiment of the present invention uses the PPM algorithm to obtain the probability that an event occurs, performs rule matching only on events whose probability is less than the predetermined threshold, and can detect unknown security incidents without relying on a predefined correlation rule base, reducing the amount of computation, thereby guaranteeing the real-time performance of security incident detection and improving detection efficiency.
Fig. 4 is a flow chart of a specific embodiment of the security incident detection method of the present invention. As shown in Fig. 4, the embodiment of the present invention provides a specific security incident detection method comprising:
Step 401: read the attribute values of the current event;
Step 402: quantize the current event according to the formula <quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...);
Step 403: obtain the probability R that event N1 occurs according to the formula R = <predicted value of event N1> / <sum of the predicted values of all events>;
Step 404: accumulate the predicted value of event N1, that is, <predicted value of event N1> = <predicted value of event N1> + 1;
Step 405: judge whether the probability R is greater than the predetermined threshold; if so, execute step 406, otherwise execute step 407;
Step 406: determine that the event is a common event, then execute step 401;
Step 407: determine that the event is a security incident;
Step 408: read the quantized value of the security incident;
Step 409: restore the attributes of the security incident;
Step 410: obtain one classification-matching rule from the correlation rule base;
Step 411: perform rule matching on the current event according to this classification-matching rule; if the match succeeds, execute step 412, otherwise execute step 413;
Step 412: determine that the current event is a known security incident, and output the current event to the corresponding response processing unit;
Step 413: judge whether all classification-matching rules have been obtained from the correlation rule base; if so, execute step 414, otherwise execute step 410;
Step 414: determine that the current event is an unknown security incident, raise an alarm for the current event, and perform operations such as subsequent clustering.
By providing this security incident detection method, the embodiment of the present invention performs rule matching only on events whose probability is less than the predetermined threshold, reducing the amount of computation, thereby guaranteeing the real-time performance of security incident detection and improving detection efficiency.
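The following Python block is an added illustration of the procedure of Fig. 4 (steps 401 to 414) and of the clustering steps 305 to 308; it is not code from the patent. The rule base, the sample events, the SHA-256 based quantization function and the clustering-by-quantized-value are all assumptions chosen to make the steps runnable.

```python
import hashlib
from collections import Counter

# Constructed sample rule base (assumption). Each classification-matching rule has the
# four fields the page names: descriptor (a predicate here), category, description, response.
RULE_BASE = [
    {"descriptor": lambda e: e.get("error_code") == 401 and e.get("count", 0) > 50,
     "category": "brute-force", "description": "many auth failures from one source",
     "response": "block source"},
    {"descriptor": lambda e: e.get("bytes", 0) > 10_000_000,
     "category": "abnormal-flow", "description": "oversized transfer",
     "response": "rate-limit"},
]

# Constructed sample events (attribute dictionaries), not taken from the page.
E_BRUTE = {"src": "10.0.0.5", "error_code": 401, "count": 80}
E_UNKNOWN = {"src": "10.0.0.9", "error_code": 500}

def quantize(event):
    """<quantized value> = quantization function(<attr 1>, <attr 2>, ...). Assumption:
    one byte of SHA-256 over the canonical attribute string, an integer in 0..255."""
    canon = "|".join(f"{k}={event[k]}" for k in sorted(event))
    return hashlib.sha256(canon.encode()).digest()[0]

class Detector:
    def __init__(self, threshold, rules):
        self.threshold = threshold
        self.rules = list(rules)
        self.table = Counter()  # Table 1: quantized event -> historical count

    def probability(self, q):
        """Step 403: R = predicted value of event / sum of all predicted values. An empty
        table (first event ever) gives R = 0 rather than a ZeroDivisionError."""
        total = sum(self.table.values())
        return self.table[q] / total if total else 0.0

    def detect(self, event):
        """Steps 401-414: return (verdict, category, response) for one event."""
        q = quantize(event)
        r = self.probability(q)
        self.table[q] += 1  # step 404: accumulate only after R was read
        if r > self.threshold:
            return ("common", None, None)  # steps 405-406
        for rule in self.rules:  # steps 410-413: rules are tried one by one
            if rule["descriptor"](event):
                return ("known", rule["category"], rule["response"])  # step 412
        return ("unknown", None, "alarm")  # step 414

    def learn_from_unknown(self, unknown_events):
        """Steps 305-308: cluster unknown events (assumption: by quantized value), derive
        one new rule per cluster, add it to the rule base; returns the number of rules."""
        clusters = {}
        for e in unknown_events:
            clusters.setdefault(quantize(e), []).append(e)
        for q, members in clusters.items():
            self.rules.append({"descriptor": lambda e, q=q: quantize(e) == q,
                               "category": f"new-class-{q}", "response": "review",
                               "description": f"{len(members)} clustered unknown events"})
        return len(clusters)
```

Note that a low threshold makes repeated events pass as common sooner, while a high threshold sends more events to rule matching, which is the sensitivity trade-off the text describes.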
Fig. 5 is a schematic structural diagram of a first embodiment of the security incident detection apparatus of the present invention. As shown in Fig. 5, the embodiment of the present invention provides a security incident detection apparatus comprising an acquisition module 51 and a matching module 52. The acquisition module 51 is used to obtain the probability that the current event occurs; the matching module 52 is used to perform rule matching on the current event according to the correlation rule base when the probability obtained by the acquisition module 51 is less than the predetermined threshold, and, if the match succeeds, to determine that the current event is a known security incident, otherwise to determine that the current event is an unknown security incident.
In the embodiment of the present invention, when detecting whether a current event is a security incident, the acquisition module 51 first obtains the probability that the current event occurs, and security incidents are screened according to that probability: when the probability is less than the predetermined threshold, that is, when the current event is a small-probability event, the matching module 52 performs rule matching on the current event according to the established correlation rule base. If the match succeeds, the current event is determined to be a known security incident; otherwise it is determined to be an unknown security incident. Subsequently, a corresponding response can be made to a known security incident according to its attributes, and further operations can be performed on an unknown security incident. The sensitivity of the security incident screening can be changed by adjusting the size of the predetermined threshold, which in turn affects the false alarm rate and the missed alarm rate of the whole security incident detection method. Security incidents in this embodiment include events such as abnormal traffic or malicious attacks.
By providing this security incident detection apparatus, in which the matching module 52 performs rule matching only on events whose probability is less than the predetermined threshold, the embodiment of the present invention reduces the amount of computation, thereby guaranteeing the real-time performance of security incident detection and improving detection efficiency.
Fig. 6 is a schematic structural diagram of a second embodiment of the security incident detection apparatus of the present invention. As shown in Fig. 6, on the basis of the first apparatus embodiment above, the acquisition module 51 can comprise a quantization unit 61 and a first acquiring unit 62. The quantization unit 61 is used to quantize the current event according to its attributes to obtain the quantized value of the current event; the first acquiring unit 62 is used to obtain the probability of the current event using the Prediction by Partial Match algorithm, according to the quantized value of the current event obtained by the quantization unit 61.
In the embodiment of the present invention, the quantization unit 61 first quantizes the current event according to its attributes, such as an IP address, a log file or an error code of the current event; that is, by means of sampling and quantization, the current event is converted into a binary integer (normalized quantitative data) within a certain range, such as an integer between 0 and 255. The following formula can be used for quantization:
<quantized value> = quantization function(<event attribute 1>, <event attribute 2>, ...).
Then, the first acquiring unit 62 uses the PPM algorithm, according to the quantized value obtained by the quantization unit 61, to obtain the probability that the current event occurs.
On the basis of the above technical solution, the matching module 52 can comprise a second acquiring unit 63 and a matching unit 64. The second acquiring unit 63 is used to obtain classification-matching rules from the correlation rule base, each classification-matching rule comprising a matched-rule descriptor, the security incident category to be assigned, an event description and a response mode; the matching unit 64 is used to perform rule matching on the current event according to the classification-matching rules obtained by the second acquiring unit 63.
When the probability that the current event occurs is less than the predetermined threshold, the matching unit 64 matches the current event one by one against the classification-matching rules in the correlation rule base; this matching process can also be a distributed parallel process. If the match succeeds, the current event is determined to be a known security incident and is assigned to the relevant category; otherwise the current event is determined to be an unknown security incident.
Further, on the basis of the above technical solution, the security incident detection apparatus provided by the embodiment of the present invention can also comprise a classification module 65 and a determination module 66. The classification module 65 is used to perform classification processing on the unknown security incidents according to their attributes, using a clustering method; the determination module 66 is used to determine the category of the unknown security incidents after the classification processing by the classification module 65.
The classification module 65 uses a clustering method, according to the attributes of the unknown security incidents, to classify the several events that have been determined to be unknown security incidents. The determination module 66 analyzes the attributes of each unknown security incident after classification to determine the category of each kind of unknown security incident; the category at this point may be the category of a known security incident, or it may be a new security incident category.
Further, the security incident detection apparatus provided by the embodiment of the present invention can also comprise a generation module 67 and an adding module 68. The generation module 67 is used to generate a new classification-matching rule according to the category of the unknown security incidents after classification processing; the adding module 68 is used to add the new classification-matching rule generated by the generation module 67 to the correlation rule base.
When the category determined by the determination module 66 is a new security incident category, the generation module 67 generates a new classification-matching rule according to the category of the unknown security incidents after classification processing, and the adding module 68 adds the new classification-matching rule to the correlation rule base for the security detection of subsequent events.
By providing this security incident detection apparatus, in which the first acquiring unit 62 uses the PPM algorithm to obtain the probability that an event occurs and the matching unit 64 performs rule matching only on events whose probability is less than the predetermined threshold, the embodiment of the present invention can detect unknown security incidents without relying on a predefined correlation rule base, reducing the amount of computation, thereby guaranteeing the real-time performance of security incident detection and improving detection efficiency.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be realized by software plus a necessary hardware platform, or entirely by hardware, but the former is the better implementation in many cases. Based on this understanding, the technical solution of the present invention, in whole or in the part that contributes over the background art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and comprises instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the embodiments of the present invention or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the present invention can still be modified or equivalently replaced, and such modifications or equivalent replacements do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the present invention.