CN101697545A - Security incident correlation method and device as well as network server - Google Patents



Publication number
CN101697545A
Authority
CN
China
Prior art keywords
rule
alarm
original
security incident
scene
Legal status
Granted
Application number
CN200910208806A
Other languages
Chinese (zh)
Other versions
CN101697545B (en)
Inventor
王飞
李金罡
郭振强
Current Assignee
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN2009102088069A
Publication of CN101697545A
Application granted
Publication of CN101697545B
Legal status: Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention relate to a security incident correlation method and device, and to a network server. The method comprises: when a new alarm is received, converting it into a fact; selecting from a preset rule base all rules related to the fact to form a rule set; and querying the rules in the rule set in sequence, and when all facts contained in a rule in the rule set are found to have occurred, obtaining a security incident according to that rule. In the embodiments, one fact corresponds to one rule set, so the security incident is obtained by querying whether all facts contained in a rule of that rule set have occurred, without recording an intermediate state; processing is therefore faster and online real-time matching of security incidents is achieved.

Description

Security incident correlation method and device, and network server
Technical field
Embodiments of the invention relate to the network field, and in particular to a security incident correlation method and device, and to a network server.
Background technology
Networks play an increasingly important role in people's daily lives, and their commercial applications are also increasing. Network security is a major issue in network applications; within a network, a security incident management platform is used to manage the alarm information reported by alarm devices. Current security incident management platforms commonly have the following problems: they cannot recognise normal behaviour and therefore raise false positives; they cannot recognise the repeated alarms that a single attack causes on several alarm devices; and they cannot recognise complex attack behaviour made up of several steps. Because of these problems, large volumes of log files and alarm information are produced, and real attack information is submerged in the mass of data. To address these problems, the prior art proposes leaving the deployment of firewalls, intrusion detection and anti-virus software at the network nodes unchanged, using a central node to receive all of the alarm information, and performing correlation analysis on that information in order to reduce false positives, avoid repeated alarms and increase the attack detection rate; this is so-called attack scenario reconstruction.
Specifically, the prior art provides a rule-based method whose basic idea is as follows: an attack scenario obtained by manual analysis is decomposed into a number of attack steps, the features of each attack step are extracted, and the steps are then linked together with a logical language to produce a correlation rule corresponding to the attack scenario. When a new alarm arrives, its attributes are matched in sequence against each step contained in the correlation rule; if the attributes match some of the steps, those steps are recorded as an intermediate state. When the next new alarm arrives, matching continues from the intermediate state until all steps of the correlation rule have been matched, at which point a security incident is generated. This method must record intermediate states while matching the attributes of new alarms, which slows matching down and prevents real-time matching.
Summary of the invention
Embodiments of the invention provide a security incident correlation method and device, and a network server, in order to achieve real-time matching.
An embodiment of the invention provides a security incident correlation method, comprising:
when a new alarm is received, converting the new alarm into a fact;
selecting, from a preset rule base, all rules related to the fact to form a rule set;
querying the rules in the rule set, and when all facts contained in a rule in the rule set are found to have occurred, obtaining a security incident according to that rule.
An embodiment of the invention provides a security incident correlation device, comprising:
a conversion module, for converting a new alarm into a fact when the new alarm is received;
a rule set composition module, for selecting, from a preset rule base, all rules related to the fact to form a rule set;
an incident acquisition module, for querying the rules in the rule set and, when all facts contained in a rule in the rule set are found to have occurred, obtaining a security incident according to that rule.
An embodiment of the invention provides a network server comprising the above security incident correlation device.
In the embodiments of the invention, when a new alarm is received it is converted into a fact; all rules related to the fact are selected from the preset rule base to form a rule set; the rules in the rule set are queried in sequence, and when all facts contained in some rule in the rule set are found to have occurred, a security incident is obtained according to that rule. In the embodiments one fact corresponds to one rule set, and the security incident is obtained by querying whether all facts contained in a rule of that rule set have occurred, without recording an intermediate state; processing is therefore fast and online real-time matching of security incidents is achieved.
Description of drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the security incident correlation method of embodiment one of the invention;
Fig. 2 is a flow chart of the security incident correlation method of embodiment two of the invention;
Fig. 3 is a flow chart of steps 210 and 211 of the security incident correlation method of embodiment two of the invention;
Fig. 4 is a structural diagram of the security incident correlation device of embodiment one of the invention;
Fig. 5 is a structural diagram of the security incident correlation device of embodiment two of the invention.
Embodiments
The technical solutions of the embodiments of the invention are described in further detail below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of the security incident correlation method of embodiment one of the invention. As shown in Fig. 1, this embodiment comprises the following steps:
Step 101: when a new alarm is received, convert the new alarm into a fact;
Step 102: select, from the preset rule base, all rules related to the fact to form a rule set;
Step 103: query the rules in the rule set, and when all facts contained in a rule in the rule set are found to have occurred, obtain a security incident according to that rule.
Specifically, the rules in the rule set may be queried in a configured order.
The above steps are performed in online mode. The preset rule base is configured in offline or online mode and stores a plurality of rules. In each of the following embodiments of the invention, "a plurality" means at least two.
In step 101, when a new alarm is received, an inference engine may be used to convert it into a fact; the fact contains specific attributes of the new alarm.
In step 102, according to the specific attributes of the new alarm contained in the fact, the plurality of rules in the rule base are correlated with the fact, obtaining the rule set composed of the rules related to the fact; that is, one fact corresponds to one rule set.
In step 103, the rules in the rule set are queried for a rule that matches the fact, namely a rule all of whose facts have occurred, and a security incident is obtained according to that rule.
In the security incident correlation method of this embodiment, when a new alarm is received it is converted into a fact; all rules related to the fact are selected from the preset rule base to form a rule set; the rules in the rule set are queried in sequence, and when all facts contained in a rule are found to have occurred, a security incident is obtained according to that rule. In this embodiment one fact corresponds to one rule set, and the security incident is obtained by querying whether all facts contained in a rule of that rule set have occurred, without recording an intermediate state; processing is therefore fast and online real-time matching of security incidents is achieved.
Fig. 2 is a flow chart of the security incident correlation method of embodiment two of the invention. On the basis of embodiment one, this embodiment may further include pre-configuring the rule base in offline or online mode. Specifically, the rule base is built as follows:
a time series analysis method is used to perform correlation analysis on a plurality of collected original alarms, deriving one or more attack scenarios; each attack scenario is converted step by step into a plurality of rules, and these rules constitute the rule base. The plurality of original alarms may be alarms previously sent by various alarm devices while online.
Further, as shown in Fig. 2, the method comprises the following steps:
Step 201: according to preset rules, perform repeat-alarm fusion on the plurality of collected original alarms.
Before this step, the formats of the collected original alarms may be unified.
Specifically, this step performs repeat-alarm fusion on the collected original alarms according to preset rules about alarm attributes; that is, it uses the similarity of alarm attributes to fuse repeated alarms. Of several repeated original alarms, fusion keeps one and removes the others, so the number of repeated alarms is reduced.
Alarm attributes include: alarm identifier (ID), attack type, protocol type, source address, destination address, source port, destination port, time, alarm device type and priority. The preset rules about alarm attributes may be: 1) if two original alarms have identical attributes except for the time, and the time difference is within a specified range (for example 2 s), the two original alarms are considered repeated alarms from the same alarm device for the same attack and may be fused; 2) if two original alarms have identical attributes except for the time and the alarm device type, and the time difference is within a specified range (for example 10 s), the two original alarms are considered repeated alarms from different alarm devices for the same attack and may be fused.
Step 202: according to the attributes of the original alarms, cluster the plurality of original alarms into a plurality of original alarm groups.
Clustering means that original alarms whose attributes other than the time are all identical are put into one class, forming an original alarm group; each original alarm group is thus a sequence of alarms with identical non-time attributes distributed along the time axis.
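Steps 201 and 202 in working form, as an added example that is not part of the patent: the two fusion rules (identical except time within 2 s; identical except time and device type within 10 s) decide which alarms are repeats, the earliest of each run is kept, and the survivors are clustered into original alarm groups keyed on every attribute except time. The attribute names, the sample alarms and the treatment of the alarm ID as a signature identifier shared by repeats are my assumptions.

```python
# Added example: steps 201 and 202 (repeat-alarm fusion and clustering) as I would implement them;
# attribute names, the time windows taken from the description, and the sample alarms are constructed here.

# Alarm attributes listed under step 201 (the alarm ID is treated as the signature identifier
# that repeated alarms share; assumption).
ATTRS = ("alarm_id", "attack_type", "protocol", "src", "dst", "sport", "dport",
         "time", "device", "priority")

SAME_DEVICE_WINDOW = 2.0    # rule 1): identical except time, within 2 s
CROSS_DEVICE_WINDOW = 10.0  # rule 2): identical except time and device type, within 10 s


def _key(alarm, ignore):
    """The tuple of attribute values that must be identical, leaving out `ignore`."""
    return tuple(alarm[a] for a in ATTRS if a not in ignore)


def is_repeat(earlier, later):
    """True when `later` repeats `earlier` under rule 1) or rule 2) of step 201."""
    dt = abs(later["time"] - earlier["time"])
    if _key(earlier, ("time",)) == _key(later, ("time",)) and dt <= SAME_DEVICE_WINDOW:
        return True   # the same device reporting the same attack again
    if _key(earlier, ("time", "device")) == _key(later, ("time", "device")) and dt <= CROSS_DEVICE_WINDOW:
        return True   # different devices reporting the same attack
    return False


def fuse_repeats(alarms):
    """Step 201: of several repeated alarms keep one (the earliest) and drop the rest."""
    kept = []
    for alarm in sorted(alarms, key=lambda a: a["time"]):
        if not any(is_repeat(k, alarm) for k in kept):
            kept.append(alarm)
    return kept


def cluster(alarms):
    """Step 202: alarms identical in every attribute except time form one original alarm group;
    each group is returned as its time-ordered list of timestamps."""
    groups = {}
    for alarm in sorted(alarms, key=lambda a: a["time"]):
        groups.setdefault(_key(alarm, ("time",)), []).append(alarm["time"])
    return groups


def _alarm(attack_type, time, device="snort", alarm_id=24726):
    # Constructed sample alarm; the network fields echo the description's example alarm.
    return {"alarm_id": alarm_id, "attack_type": attack_type, "protocol": "TCP",
            "src": "127.93.72.86", "dst": "131.84.1.31", "sport": 5032, "dport": 26903,
            "time": time, "device": device, "priority": 3}


SAMPLE_ALARMS = [
    _alarm("Sadmind_Ping", 0.0),                 # kept
    _alarm("Sadmind_Ping", 1.5),                 # rule 1): same device, 1.5 s later -> dropped
    _alarm("Sadmind_Ping", 5.0, device="ids2"),  # rule 2): other device, 5 s later -> dropped
    _alarm("Sadmind_Ping", 30.0),                # outside both windows -> kept
    _alarm("Rsh", 31.0, alarm_id=24801),         # different attack -> kept
]

if __name__ == "__main__":
    fused = fuse_repeats(SAMPLE_ALARMS)
    for key, times in cluster(fused).items():
        print(key[1], times)   # attack type of the group and its alarm times
```

Comparing each incoming alarm only against alarms already kept (rather than against every earlier alarm) is what makes a long burst collapse to its first occurrence instead of chaining indefinitely; the clustering key deliberately keeps the device type, so the same attack seen by two sensors yields two groups, which is what step 202 describes.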
Step 203: filter out the background alarm groups among the plurality of original alarm groups. This step is optional.
Among the original alarm groups obtained by clustering there are many background alarm groups, which are useless information. This step may use the Ljung-Box test to detect and filter out background alarm groups: the method assumes that background alarm groups have random characteristics and uses the autocorrelation function of these random characteristics to detect them. This step may also use expert knowledge to identify background alarm groups, or use probabilistic inference (or even authentication techniques) to detect them.
Step 204: filter out the original alarm groups whose priority is lower than a set threshold. This step is optional.
This embodiment may calculate the priority of each original alarm group according to the assets of the system (such as the operating system, protocol type or attack type); when the priority is greater than or equal to the set threshold, the original alarm group is considered to need subsequent processing, and only these alarm groups are handled in the subsequent process.
Of course this step is optional; when it is not performed, all original alarm groups may be handled in the subsequent process.
Step 205: convert each original alarm group into a time series.
This embodiment sets a time range in advance, denoted T. Taking T as the unit, each original alarm group is divided into p segments, and the number of original alarms falling into each time unit T of the group is counted; these counts constitute the time series.
Step 206: for any two original alarm groups among the plurality of original alarm groups, use a Granger causality test (GCT) model to calculate the statistic between the time series corresponding to the two groups; if the statistic satisfies the null hypothesis condition, associate the two original alarm groups as an alarm pair.
The GCT model introduces the autoregressive (AR) model and the autoregressive moving average (ARMA) model; both fit the present value of a time series from its past values, and this step may use either the AR model or the ARMA model.
For any two original alarm groups, the statistic between their corresponding time series is calculated; in particular, the errors produced by the AR or ARMA model during fitting may be used as the input values for calculating the statistic. If the statistic of the two time series satisfies the null hypothesis condition, the two original alarm groups are associated as an alarm pair and recorded.
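Steps 205 and 206 carried through in pure Python, as an added example that is not the patent's own code: each group's timestamps are bucketed into p segments of length T, and the Granger test is run with lag-1 AR fits, using the residual sums of squares of the restricted and unrestricted models as the fitting errors that feed the F statistic. The least-squares helper, the F form of the statistic, the threshold decision (exceeding it rejects the no-causality null hypothesis) and the sample counts are my own; the sample is built so that overflow alarms follow ping alarms one segment later.

```python
# Added example: steps 205 and 206 (time-seriesization and the Granger causality test)
# in pure Python; the AR(lag) fits, the F statistic and the sample data are my own.


def time_series(times, T, p, start=0.0):
    """Step 205: split a group's alarm timestamps into p segments of length T
    and count how many original alarms fall into each segment."""
    counts = [0] * p
    for t in times:
        idx = int((t - start) // T)
        if 0 <= idx < p:
            counts[idx] += 1
    return counts


def _solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        if abs(M[col][col]) < 1e-12:
            raise ValueError("singular normal equations")
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    return [M[i][n] / M[i][i] for i in range(n)]


def _ols_rss(X, y):
    """Residual sum of squares of the least-squares fit y ~ X (rows of X carry a constant 1.0)."""
    k = len(X[0])
    XtX = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    Xty = [sum(r[i] * yi for r, yi in zip(X, y)) for i in range(k)]
    beta = _solve(XtX, Xty)
    return sum((yi - sum(b * xi for b, xi in zip(beta, r))) ** 2 for r, yi in zip(X, y))


def granger_f(cause, effect, lag=1):
    """Step 206: F statistic of the Granger causality test 'cause -> effect'.
    Restricted AR model:   effect_t ~ const + effect lags
    Unrestricted AR model: effect_t ~ const + effect lags + cause lags
    The fitting errors (RSS) of the two models are the input to the statistic."""
    rows_r, rows_u, y = [], [], []
    for t in range(lag, len(effect)):
        e_lags = [float(effect[t - i]) for i in range(1, lag + 1)]
        c_lags = [float(cause[t - i]) for i in range(1, lag + 1)]
        rows_r.append([1.0] + e_lags)
        rows_u.append([1.0] + e_lags + c_lags)
        y.append(float(effect[t]))
    rss_r, rss_u = _ols_rss(rows_r, y), _ols_rss(rows_u, y)
    dof = len(y) - (1 + 2 * lag)
    if rss_u <= 1e-12:
        return float("inf")
    return ((rss_r - rss_u) / lag) / (rss_u / dof)


def associate(groups, T, p, threshold, lag=1):
    """Step 206 over every ordered pair of groups: A -> B is recorded as an alarm pair
    when the F statistic exceeds `threshold` (the no-causality null hypothesis is rejected)."""
    series = {name: time_series(times, T, p) for name, times in groups.items()}
    return [(a, b) for a in series for b in series
            if a != b and granger_f(series[a], series[b], lag) > threshold]


# Constructed sample: one-minute segments, twelve of them; overflow alarms follow ping alarms
# one segment later, with a few extra overflow alarms so the fit is not exact.
T_UNIT, P_SEGMENTS = 60.0, 12
PING_COUNTS = [3, 0, 5, 1, 0, 4, 2, 0, 6, 1, 3, 0]
OVERFLOW_COUNTS = [0, 3, 1, 5, 1, 0, 5, 2, 0, 6, 1, 4]


def _times_from_counts(counts, T):
    return [i * T + j * 0.5 for i, c in enumerate(counts) for j in range(c)]


SAMPLE_GROUPS = {
    "Sadmind_Ping": _times_from_counts(PING_COUNTS, T_UNIT),
    "Sadmind_Amslverify_Overflow": _times_from_counts(OVERFLOW_COUNTS, T_UNIT),
}

if __name__ == "__main__":
    print(associate(SAMPLE_GROUPS, T_UNIT, P_SEGMENTS, threshold=10.0))
```

The threshold stands in for the critical value of the F distribution with (lag, n - 2·lag - 1) degrees of freedom; in production one would take it from that distribution at the chosen significance level rather than fix it by hand, and test both orderings of every pair, as `associate` does, because the direction of the pair is what later gives the attack scenario its time order.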
Step 207: according to the alarm pairs obtained in step 206, construct one or more attack scenarios.
Step 206 yields one or more alarm pairs; this step searches the alarm pairs for common nodes, and where there is a common node the pairs can be linked together to form a complete attack scenario.
For example, suppose the alarm pairs obtained in step 206 are A->B, B->C and C->D, where A, B, C and D each denote an original alarm group and the arrow "->" denotes the direction of time order; the attack scenario constructed from these alarm pairs is A->B->C->D. If the alarm pairs obtained in step 206 are A->C, B->C and C->D, the attack scenarios that can be constructed are A->C->D and B->C->D.
Step 208: convert each attack scenario step by step into a plurality of rules.
In an inference engine, each rule may consist of a rule head and a rule body. The rule head may be expressed as a predicate composed of a predicate name and parameters; the rule body consists of the one or more facts to be queried and is an abstract summary of those facts. In this embodiment the rule head describes an attack scenario, and the rule body expresses a logical combination (logical AND and/or logical NOT) of the attack steps that the attack scenario contains.
This embodiment converts each attack scenario step by step into a plurality of rules. Taking a DDOS attack scenario as an example, the conversion of an attack scenario into rules is analysed below.
A DDOS attack is generally divided into the following steps:
Step one: "Sadmind_Ping" alarm; the attacker discovers a "Sadmind" service that may be vulnerable;
Step two: "Sadmind_Amslverify_Overflow" alarm; the attacker initiates a large number of connections to the victim host, causing a buffer overflow on the victim host;
Step three: "Rsh" alarm; the attacker copies a program and a .rhost file to the victim host system and runs the program;
Step four: "Mstream_Zombie" alarm; the DDOS daemon (background program) communicates with the DDOS master over the Internet.
Step five: "Stream_Dos" alarm; the DDOS daemon launches the real DDOS attack over the Internet.
The above attack scenario can be expressed as the attack sequence:
xulieSadmind_Ping→Sadmind_Amslverify_Overflow→Rsh→Mstream_Zombie→Stream_Dos
The above attack scenario can be converted step by step into the following rules:
DDOS1(destIP,time):-xulieSadmind_Ping(destIP,time)
DDOS2(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time)
DDOS3(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time)
DDOS4(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time),mstream_Zombie(destIP,time)
DDOS(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time),mstream_Zombie(destIP,time),stream_Dos(destIP,time)
In each rule above, the content before the colon is the rule head, which describes the attack scenario, and the content after the colon is the rule body, which expresses a logical combination of the attack steps that the scenario contains. In each rule body above the parts are combined by logical AND; for example, in the rule DDOS2(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time), the relation between "xulieSadmind_Ping(destIP,time)" and "sadmind_Amslverify_Overflow(destIP,time)" is AND, meaning that two attack steps must have occurred for the attack scenario "DDOS2(destIP,time)" to occur.
The fourth rule above, "DDOS4(destIP,time)", indicates that a DDOS attack is about to occur; under this attack scenario an early warning can be issued so that the administrator can take remedial measures to stop the attack or reduce the harm it causes.
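Steps 207 and 208 as an added example (my code, not the patent's): alarm pairs are chained through their common nodes into complete scenarios, reproducing both of the A/B/C/D examples above, and a scenario is then expanded into the stepwise rules DDOS1 to DDOS exactly as listed. The function names, the treatment of groups that never appear as a successor as scenario starts, and the cycle guard are my assumptions; the predicate spellings in the rule bodies are taken from the page.

```python
from collections import defaultdict

# Added example: step 207 (linking alarm pairs through common nodes into attack scenarios)
# and step 208 (converting a scenario step by step into rules); the code and helpers are mine.


def build_scenarios(pairs):
    """Step 207: `pairs` are (A, B) alarm pairs meaning group A precedes group B.
    Every group that never appears as a successor starts a scenario, and each scenario
    is followed through common nodes until a group with no successor is reached."""
    succ = defaultdict(list)
    nodes = set()
    for a, b in pairs:
        succ[a].append(b)
        nodes.update((a, b))
    successors = {b for _, b in pairs}
    starts = sorted(n for n in nodes if n not in successors)
    scenarios = []

    def walk(path):
        nxt = [b for b in succ[path[-1]] if b not in path]   # `not in path` guards against cycles
        if not nxt:
            scenarios.append(path)
        for b in nxt:
            walk(path + [b])

    for s in starts:
        walk([s])
    return scenarios


def scenario_to_rules(head, steps, params=("destIP", "time")):
    """Step 208: rules head1 .. head(N-1) and head, the k-th body being the AND of the first k steps."""
    args = "(" + ",".join(params) + ")"
    rules = []
    for k in range(1, len(steps) + 1):
        name = head if k == len(steps) else f"{head}{k}"
        rules.append(f"{name}{args}:-" + ",".join(s + args for s in steps[:k]))
    return rules


# Predicate spellings of the DDOS scenario as they appear in the page's rule bodies.
DDOS_SCENARIO = ["xulieSadmind_Ping", "sadmind_Amslverify_Overflow", "rsh",
                 "mstream_Zombie", "stream_Dos"]

if __name__ == "__main__":
    print(build_scenarios([("A", "C"), ("B", "C"), ("C", "D")]))
    for rule in scenario_to_rules("DDOS", DDOS_SCENARIO):
        print(rule)
```

A set of pairs that only forms a cycle has no start node and yields no scenario, which is the sensible outcome for a rule base: a rule whose body is its own consequence would never describe a step that the inference engine could wait for.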
Steps 201 to 208 above are the process of presetting the rule base and may be performed in offline or online mode; steps 209 to 211 below are performed in online mode.
Step 209: when a new alarm is received, convert the new alarm into a fact.
In an inference engine a fact is generally expressed as a predicate composed of a predicate name and parameters, and it may contain a plurality of parameters so as to provide enough information. In this embodiment the new alarm is converted into a fact whose name is the alarm type and whose parameters are the alarm attributes, and the fact is then pushed into the fact queue. The alarm attributes may include the alarm ID, protocol type, source address, destination address, source port, destination port, time, alarm device type, priority, or any combination of these.
For example, the received new alarm is:
[116:150:1](snort decoder)Sadmind_Ping[Priority:3]03/08-00:27:51.177806 127.93.72.86:5032->131.84.1.31:26903 TCP TTL:255 TOS:0x8 ID:24726 IpLen:20 DgmLen:40 DF Seq:0x7BE9C279 Ack:0x0 Win:0x4000 TcpLen:20
The fact converted from this new alarm is:
Sadmind_Ping(24726,TCP,127.93.72.86:5032,131.84.1.31,177806,26903,03/08-00:27:51,snort,3)
Here "Sadmind_Ping" is the alarm type, "24726" the alarm ID, "TCP" the protocol type, "127.93.72.86:5032" the source address, "131.84.1.31" the destination address, "177806" the source port, "26903" the destination port, "03/08-00:27:51" the time, "snort" the alarm device type and "3" the priority.
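The conversion of step 209 written out as a parser, as an added example that is not the patent's code: a regular expression pulls the fields out of the Snort-style alarm line quoted above and assembles the fact in the order shown beneath it. The regex and the function names are mine; the field mapping follows the description literally (it labels the `177806` token as the source port and the IP header's `ID:` value as the alarm ID), and the sample line is the page's alarm with spaces restored where the page shows `?`.

```python
import re

# Added example: parsing the Snort-style alarm line from the description into the fact shown there.
# The regex and names are mine; the field mapping follows the page's example literally.

_ALARM_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*\((?P<device>\w+) decoder\)\s*"
    r"(?P<atype>[^\[\s]+)\s*\[Priority:(?P<prio>\d+)\]\s*"
    r"(?P<date>\d\d/\d\d-\d\d:\d\d:\d\d)\.(?P<usec>\d+)\s+"
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+TTL:\d+\s*TOS:0x[0-9A-Fa-f]+\s*ID:(?P<id>\d+)"
)

# The alarm line from the description (spaces restored where the page shows '?').
SAMPLE_ALARM = ("[116:150:1](snort decoder)Sadmind_Ping[Priority:3]03/08-00:27:51.177806 "
                "127.93.72.86:5032->131.84.1.31:26903 TCP TTL:255 TOS:0x8 ID:24726 IpLen:20 "
                "DgmLen:40 DF Seq:0x7BE9C279 Ack:0x0 Win:0x4000 TcpLen:20")


def alarm_to_fact(line):
    """Step 209: fact = (predicate name = alarm type, parameters = alarm attributes in the page's order)."""
    m = _ALARM_RE.match(line)
    if m is None:
        raise ValueError("alarm line does not match the expected Snort layout")
    g = m.groupdict()
    params = (int(g["id"]), g["proto"], g["src"], g["dst"], int(g["usec"]), int(g["dport"]),
              g["date"], g["device"], int(g["prio"]))
    return g["atype"], params


def fact_to_text(fact):
    """Render a fact as the predicate text used in the description."""
    name, params = fact
    return f"{name}({','.join(str(p) for p in params)})"


if __name__ == "__main__":
    print(fact_to_text(alarm_to_fact(SAMPLE_ALARM)))
```

Rejecting a line that does not match, instead of converting it into a partial fact, matters for the later matching step: a fact with a missing or mis-parsed destination address would either never join a rule set or, worse, join the wrong host's facts.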
Step 210: select, from the preset rule base, all rules related to the fact to form a rule set.
Step 211: query the rules in the rule set in sequence, and when all facts contained in a rule in the rule set are found to have occurred, obtain a security incident according to that rule.
Further, an early warning or an advanced alarm is generated according to the security incident obtained.
Fig. 3 is a flow chart of steps 210 and 211 of the security incident correlation method of embodiment two. As shown in Fig. 3, they may further comprise the following steps:
Step 301: select all rules related to the fact obtained in step 209 to form a rule set.
If there is no rule related to the fact, the rule set formed is empty.
Step 302: judge whether the rule set is empty; if so, go to step 209; otherwise go to step 303.
Step 303: select one rule from the rule set in order and query all facts contained in that rule.
In this step the order means that a rule containing more facts is selected first.
Step 304: judge whether all facts contained in the rule have occurred; if so, go to step 305; otherwise go to step 306.
Step 305: generate an early warning or an advanced alarm, then go to step 209.
Step 306: delete the rule from the rule set, then go to step 302.
The technical solution of steps 301 to 306 is described below with a concrete example.
Suppose the fact is Sadmind_Ping(24726,TCP,127.93.72.86:5032,131.84.1.31,177806,26903,03/08-00:27:51,snort,3). In step 301, the rules related to this fact are the five rules listed in step 208, and these five rules form the rule set. In step 302 the rule set is judged not to be empty, so go to step 303. In step 303 the fifth rule is selected first in order, and all facts contained in this rule are queried, namely "xulieSadmind_Ping(destIP,time), sadmind_Amslverify_Overflow(destIP,time), rsh(destIP,time), mstream_Zombie(destIP,time), stream_Dos(destIP,time)". In step 304 it is judged whether all these facts have occurred; if so, go to step 305: the security incident corresponding to the fifth rule is obtained and an advanced alarm is generated, indicating that a DDOS attack has occurred; if not, go to step 306: the fifth rule is deleted from the rule set, then go to step 302.
Next the fourth rule is selected and it is judged whether all facts contained in the fourth rule have occurred; if so, the security incident corresponding to the fourth rule is obtained and an early warning is generated, indicating that a DDOS attack is about to occur, so that the administrator can take remedial measures to stop the attack or reduce the harm it causes; if not, the fourth rule is deleted from the rule set.
The rest can be deduced by analogy, until a security incident is obtained or the rule set is empty, and then go to step 209.
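The online loop of steps 209 to 211 and 301 to 306, as an added example that is not the patent's own code: each incoming alarm is turned into a fact, the rules whose bodies mention that fact form the rule set, the rules are tried from the one with the most facts downwards, and a rule that fails is deleted from the rule set until one succeeds or the set is empty. Only the set of facts seen per destination host is kept; no per-rule intermediate state is stored, which is the property the description claims. The `Rule` class, the keying of facts by destination address, the alarm-type-to-predicate map and the alert label for rules other than DDOS4 and DDOS are my assumptions; the five rules are the ones listed under step 208.

```python
from dataclasses import dataclass

# Added example: the online matching of steps 209-211 / 301-306 (convert, select rule set,
# query rules in order, delete rules that fail). Representation and sample run are mine.


@dataclass(frozen=True)
class Rule:
    head: str      # attack scenario described by the rule head, e.g. "DDOS4"
    body: tuple    # predicate names that must all have occurred (logical AND)


# The five stepwise DDOS rules from step 208, bodies spelled as on the page;
# the (destIP, time) parameters are implied.
DDOS_STEPS = ("xulieSadmind_Ping", "sadmind_Amslverify_Overflow", "rsh",
              "mstream_Zombie", "stream_Dos")
RULE_BASE = [Rule("DDOS1", DDOS_STEPS[:1]), Rule("DDOS2", DDOS_STEPS[:2]),
             Rule("DDOS3", DDOS_STEPS[:3]), Rule("DDOS4", DDOS_STEPS[:4]),
             Rule("DDOS", DDOS_STEPS[:5])]

# Alarm type -> predicate name used in the rule bodies (the page's own spellings).
PREDICATE_OF = {"Sadmind_Ping": "xulieSadmind_Ping",
                "Sadmind_Amslverify_Overflow": "sadmind_Amslverify_Overflow",
                "Rsh": "rsh", "Mstream_Zombie": "mstream_Zombie", "Stream_Dos": "stream_Dos"}


def alert_for(head):
    """Alert level per rule head: the page names only DDOS4 (early warning) and DDOS (advanced alarm);
    the label for the lower rules is my assumption."""
    return {"DDOS4": "early warning", "DDOS": "advanced alarm"}.get(head, "security incident")


class Correlator:
    """Keeps the facts that have occurred per destination host; no intermediate rule state is stored."""

    def __init__(self, rules):
        self.rules = rules
        self.facts = {}    # destIP -> set of predicate names seen for that host (assumption: keyed by destIP)

    def on_alarm(self, alarm_type, dest_ip):
        pred = PREDICATE_OF[alarm_type]
        self.facts.setdefault(dest_ip, set()).add(pred)              # step 209: alarm -> fact
        rule_set = [r for r in self.rules if pred in r.body]          # step 301: rules related to the fact
        rule_set.sort(key=lambda r: len(r.body), reverse=True)        # step 303: rule with more facts first
        while rule_set:                                               # step 302: rule set not empty
            rule = rule_set[0]
            if all(p in self.facts[dest_ip] for p in rule.body):      # step 304: have all its facts occurred?
                return rule.head                                      # step 305: incident obtained
            rule_set.pop(0)                                           # step 306: drop the rule, try the next
        return None                                                   # rule set exhausted: back to step 209


if __name__ == "__main__":
    c = Correlator(RULE_BASE)
    for alarm in ("Sadmind_Ping", "Sadmind_Amslverify_Overflow", "Rsh", "Mstream_Zombie", "Stream_Dos"):
        head = c.on_alarm(alarm, "131.84.1.31")
        print(alarm, "->", head, "(" + alert_for(head) + ")")
```

Trying the largest rule first is what lets the correlator report the most advanced stage reached by a single query rather than the first stage that happens to match; a `Stream_Dos` alarm against a host with no earlier facts therefore yields no incident, because the only rule mentioning it needs all five steps.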
From the above analysis, the security incident correlation method of this embodiment has the following advantages:
(1) In this embodiment one fact corresponds to one rule set, which contains a plurality of concrete rules related to the fact; if all facts contained in some rule in this rule set are found to have occurred, a security incident is obtained according to that rule. The embodiment does not need to record intermediate states, processes quickly, and achieves online real-time matching.
(2) This embodiment uses a time series analysis method to perform correlation analysis on the plurality of collected original alarms and derive one or more attack scenarios, without relying on manual description of attack scenarios. The number of collected alarms is greatly increased, and there is no need to know how an attack happens or what relation exists between its steps: if attack steps occur together with high probability, the time series analysis method finds the causal relations between alarms and thereby discovers attack scenarios in which unknown attacks participate. The attack scenarios obtained by analysis are therefore comprehensive, and they serve as prior knowledge for the inference engine, strengthening the recognition capability of the correlation system. Matching the facts converted from new alarms against the rules converted from these comprehensive attack scenarios leaves very few new alarms unhandled, which improves the efficiency of correlation analysis.
(3) Before correlation analysis, this embodiment performs repeat-alarm fusion on the collected original alarms according to preset rules, reducing repeated alarms; this reduces the data pressure on the further correlation analysis and improves correlation efficiency.
(4) By filtering background alarms, this embodiment can filter out much useless information, so that correlation analysis is performed among alarms that may contain real attacks, improving correlation efficiency.
(5) This embodiment may perform statistics only on the original alarm groups whose priority is higher than the set threshold, so that the amount of data is smaller and the computational complexity is reduced; it may also perform statistics on the original alarm groups formed from all alarms, which guarantees the correlation rate of the system.
(6) The online real-time matching process realised with the inference engine in this embodiment has an early-warning or advanced-alarm function; it provides useful information to the response system in time and lets the response system take corresponding measures promptly, preventing the attack from causing more serious harm to the network.
Fig. 4 is the structural representation of the embodiment of the invention one security incident associated apparatus.As shown in Figure 4, present embodiment specifically comprises: conversion module 11, rule set composition module 12 and incident acquisition module 13.Wherein:
Conversion module 11 is used for when receiving new alarm, will newly alarm and be converted into the fact;
Rule set composition module 12 is used at the rule base that presets, and selects and true relevant strictly all rules, composition rule collection;
Incident acquisition module 13 is used for the rule that rule searching is concentrated, and when all facts that rule comprised in inquiring rule set have all taken place, obtains security incident according to this rule.
Concrete, when receiving new alarm, conversion module 11 can adopt inference engine newly to alarm and be converted into the fact, and this fact comprises the certain attributes of new alarm; Rule set composition module 12 is according to the certain attributes of the new alarm that comprises in the fact, a plurality of rules in the rule base and the fact carried out related, obtains the rule set that constitutes with true relevant rule, i.e. a true corresponding rule set; The rule that incident acquisition module 13 rule searching are concentrated, inquiry and true rule of mating, the rule that all facts that inquiry is just comprised have all taken place obtains security incident according to this rule, and the rule that concrete rule searching is concentrated can be inquired about according to the order that is provided with.
The processing procedure of rule set composition module 12 and incident acquisition module 13 can be referring to Fig. 3.
The described security incident associated apparatus of present embodiment, conversion module is when receiving new alarm, to newly alarm and be converted into the fact, the rule set composition module is in the rule base that presets, select and true relevant strictly all rules formation rule collection, the rule that incident acquisition module rule searching is concentrated when all facts that rule comprised in inquiring rule set have all taken place, obtains security incident according to this rule.In the present embodiment, whether a true corresponding rule set has all obtained security incident by inquiring about the fact that rule is comprised in this rule set, does not need to write down intermediateness, and processing speed is very fast, has realized the online in real time coupling of security incident.
Fig. 5 is a schematic structural diagram of a security incident correlation apparatus according to embodiment two of the invention. As shown in Fig. 5, on the basis of apparatus embodiment one above, this embodiment may further comprise:
Preset module 14, used to perform association analysis on a plurality of collected original alarms by a time series analysis method, derive one or more attack scenes, convert each attack scene step by step into rules, and compose the rule base.
Further, preset module 14 may specifically comprise: clustering unit 15, time series unit 16, association unit 17, construction unit 18 and rule conversion unit 19. Wherein:
Clustering unit 15 is used to cluster the plurality of original alarms according to their attributes, forming a plurality of original alarm groups;
Time series unit 16 is used to convert each original alarm group into a time series;
Association unit 17 is used, for any two original alarm groups among the plurality of original alarm groups, to calculate with a Granger causality test (GCT) model the statistic between the time series corresponding to the two original alarm groups; if the statistic satisfies the null hypothesis condition, the two original alarm groups are associated as an alarm pair;
Construction unit 18 is used to construct one or more attack scenes according to the alarm pairs;
Rule conversion unit 19 is used to convert each attack scene step by step into rules and compose the rule base.
Specifically, clustering unit 15 places original alarms whose attributes are all identical except for the time into one class, forming an original alarm group; each original alarm group is thus a sequence of alarms, identical in every attribute but the time, distributed along the time axis. Time series unit 16 divides each original alarm group into p segments and counts the number of original alarms of the group that fall into each unit of time T, thereby constituting a time series. Association unit 17 calculates, for any two original alarm groups among the plurality of original alarm groups, the statistic between the time series corresponding to the two groups; in particular, the error produced by an AR model or an ARMA model during fitting can be taken as the input value for calculating this statistic. If the statistic of the two time series satisfies the null hypothesis condition, the two original alarm groups are associated as an alarm pair and recorded. Construction unit 18 searches whether these alarm pairs have common nodes; if they do, the pairs can be linked together to constitute a complete attack scene. Rule conversion unit 19 converts each attack scene step by step into a plurality of rules, composing the rule base.
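The preset module's pipeline (units 15 to 19) end to end, as an added example that is not the patent's own code. It clusters constructed alarms by every attribute except time, bins each group into p segments of width T, runs a lag-1 Granger test in which the residual errors of an AR(1) fit with and without the other series are compared through an F statistic, records ordered pairs whose statistic rejects the no-causality null hypothesis, chains pairs that share a node into scenes, and converts each scene into one rule per stage. The sample alarms, `UNIT` (T), `P` (p), `F_CRIT` (a fixed stand-in for an F-table critical value), the choice of lag 1 and the rule format are all assumptions of this example.

```python
"""Offline rule-base construction in the style of the patent's preset module (units 15-19):
cluster raw alarms, turn each group into a time series, run a lag-1 Granger causality test
between every ordered pair of series, chain alarm pairs through shared nodes into attack
scenes, and convert each scene step by step into rules. Added example, not the patent's
code. The alarms, T, p, F_CRIT and the rule format are assumptions."""
from collections import defaultdict

UNIT, P, T0 = 60, 12, 0   # assumed: T = 60 s per bin, p = 12 bins, series start at t = 0
F_CRIT = 10.0             # assumed critical value standing in for an F-table lookup


def _alarms(bins, sig):
    """Constructed alarms: one alarm of signature `sig` inside each listed bin."""
    return [{"time": T0 + b * UNIT + 5, "src": "10.0.0.7", "dst": "10.0.0.9", "sig": sig} for b in bins]


# Constructed data: "exploit_attempt" lands one bin after each "portscan" and "new_listener"
# one bin after each "exploit_attempt", so the causal chain is recoverable from the series.
SAMPLE_ALARMS = (_alarms([0, 1, 3, 6, 10, 11], "portscan")
                 + _alarms([1, 2, 4, 7, 11], "exploit_attempt")
                 + _alarms([2, 3, 5, 8], "new_listener"))


def cluster(alarms):
    """Unit 15: alarms identical in every attribute except time form one group."""
    groups = defaultdict(list)
    for a in alarms:
        groups[(a["src"], a["dst"], a["sig"])].append(a["time"])
    return groups


def time_serialize(times, t0, unit, p):
    """Unit 16: number of alarms of the group in each of p bins of width `unit` (T)."""
    series = [0] * p
    for t in times:
        i = int((t - t0) // unit)
        if 0 <= i < p:
            series[i] += 1
    return series


def _ols_rss(rows, y):
    """Residual sum of squares of the least-squares fit y ~ rows (normal equations solved by
    Gauss-Jordan elimination; a collinear regressor gets coefficient 0)."""
    k = len(rows[0])
    a = [[sum(r[i] * r[j] for r in rows) for j in range(k)] + [sum(r[i] * v for r, v in zip(rows, y))]
         for i in range(k)]
    pivot_row = {}
    for col in range(k):
        unused = [r for r in range(k) if r not in pivot_row.values()]
        piv = max(unused, key=lambda r: abs(a[r][col]))
        if abs(a[piv][col]) < 1e-9:
            continue
        pivot_row[col] = piv
        p = a[piv][col]
        a[piv] = [v / p for v in a[piv]]
        for r in range(k):
            if r != piv:
                f = a[r][col]
                a[r] = [u - f * v for u, v in zip(a[r], a[piv])]
    beta = [a[pivot_row[c]][k] if c in pivot_row else 0.0 for c in range(k)]
    return sum((v - sum(b * x for b, x in zip(beta, r))) ** 2 for r, v in zip(rows, y))


def granger_f(x, y):
    """Unit 17: F statistic comparing the AR(1) fit of y with the same fit plus x lagged one
    bin; the AR fitting errors are the inputs. inf means x's past explains y exactly."""
    obs = [float(v) for v in y[1:]]
    rss_r = _ols_rss([[1.0, float(y[t - 1])] for t in range(1, len(y))], obs)
    rss_u = _ols_rss([[1.0, float(y[t - 1]), float(x[t - 1])] for t in range(1, len(y))], obs)
    if rss_u < 1e-9:
        return float("inf")
    return ((rss_r - rss_u) / 1) / (rss_u / (len(obs) - 3))   # 1 extra regressor, 3 parameters


def associate(series, f_crit=F_CRIT):
    """Ordered (cause, effect) pairs whose statistic rejects the no-causality null hypothesis."""
    return [(c, e) for c in series for e in series if c != e and granger_f(series[c], series[e]) > f_crit]


def build_scenes(pairs):
    """Unit 18: chain pairs that share a node into complete scenes (paths from a root cause)."""
    succ, has_pred = defaultdict(list), set()
    for cause, effect in pairs:
        succ[cause].append(effect)
        has_pred.add(effect)
    scenes = []

    def walk(path):
        nxt = [n for n in succ[path[-1]] if n not in path]   # never revisit a node
        if not nxt:
            scenes.append(path)
        for n in nxt:
            walk(path + [n])

    for root in dict.fromkeys(c for c, _ in pairs if c not in has_pred):
        walk([root])
    return scenes


def scene_to_rules(scene):
    """Unit 19: one rule per stage; head names the scene, body lists the steps (facts) that
    must all have occurred by that stage (assumed rule format)."""
    name = " -> ".join(scene)
    return [{"head": f"{name} (stage {k}/{len(scene)})", "body": scene[:k]}
            for k in range(2, len(scene) + 1)]


def build_rule_base(alarms=SAMPLE_ALARMS):
    """Whole preset module: alarms -> groups -> series -> pairs -> scenes -> rules."""
    series = {key[2]: time_serialize(times, T0, UNIT, P) for key, times in cluster(alarms).items()}
    return [rule for scene in build_scenes(associate(series)) for rule in scene_to_rules(scene)]


if __name__ == "__main__":
    for rule in build_rule_base():
        print(rule["head"], "<-", rule["body"])
```

Two caveats on the statistical step: with only p points per series the F statistic is noisy, so `F_CRIT` should come from the F distribution at the chosen significance level with the right degrees of freedom rather than a constant; and a pairwise test will also link the first and last step of a chain directly, so `build_scenes` may report a short-cut path next to the full one.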
Further, preset module 14 may also comprise: first filter unit 20 and second filter unit 21.
First filter unit 20 is used to filter out the background alarm groups from the plurality of original alarm groups and output the filtered plurality of original alarm groups to second filter unit 21.
Specifically, in another case, when this embodiment does not include second filter unit 21, first filter unit 20 may instead output the filtered plurality of original alarm groups to time series unit 16.
Specifically, first filter unit 20 filters out the background alarm groups among the plurality of original alarm groups obtained by clustering unit 15. Filtering out the background alarm groups removes a large amount of useless information, so that association analysis is performed among the alarms that may contain real attacks, which improves correlation efficiency.
Second filter unit 21 is used to filter out, from the plurality of original alarm groups, the alarm groups whose priority is lower than a set threshold, and output the filtered plurality of original alarm groups to time series unit 16.
Specifically, in one case, second filter unit 21 further filters the original alarm groups already filtered by first filter unit 20 and outputs them to time series unit 16. In another case, when first filter unit 20 is absent, second filter unit 21 may directly select, from the plurality of original alarm groups obtained by clustering unit 15, the alarm groups whose priority is greater than or equal to the set threshold as target alarm groups, reconstitute the original alarm groups from the target alarm groups, and pass them to time series unit 16 for processing. That is, first filter unit 20 and second filter unit 21 may both be present, or only one of them may be present. Filtering the original alarm groups through these two filter units reduces the amount of data to be analysed statistically and lowers the computational complexity.
Preset module 14 may also comprise: fusion unit 22, used to perform repeated-alarm fusion processing on the plurality of collected original alarms according to a preset rule.
Specifically, fusion unit 22 may perform repeated-alarm fusion on the plurality of collected original alarms according to a preset rule concerning alarm attributes; that is, fusion unit 22 uses the similarity of alarm attributes to fuse repeated alarms. Where several original alarms are repeated alarms, the fusion processing may specifically keep one of them and remove the other repeats, thereby reducing repeated alarms, relieving the data pressure on further association analysis and improving correlation efficiency.
This embodiment may also comprise:
Alarm module 23, used to generate an early warning or a high-level warning according to the security incident obtained.
Specifically, after the security incident is obtained, alarm module 23 generates an early warning or a high-level warning, providing timely and useful information to the response system so that it can take corresponding measures in time and prevent the attack from causing even more serious harm to the network.
The preset module of this embodiment performs association analysis on a plurality of collected original alarms by a time series analysis method and derives one or more attack scenes. It does not rely on manually described attack scenes; even as the number of collected alarms grows greatly, there is no need to know how an attack takes place or what relationship exists between attack steps. If attack steps have a high probability of occurring together, the time series analysis method can discover the causal relationships between alarms and thereby discover attack scenes in which unknown attacks take part, so the attack scenes obtained by analysis are comprehensive. These attack scenes can serve as the prior knowledge of the inference engine, strengthening the recognition capability of the correlation system. Matching the facts converted from new alarms against the rules converted from these comprehensive attack scenes leaves very few new alarms unhandled, which improves the efficiency of association analysis. The matching module can match new alarms online in real time; processing is fast and real-time performance is good.
The embodiment of the invention also provides a network server comprising the security incident correlation apparatus described above. The network server may specifically be any of various monitoring devices, gateway devices and the like; by using the security incident correlation apparatus described above it achieves online real-time matching of security incidents with good real-time performance.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above may be completed by hardware under the instruction of a program; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above; the storage medium includes any medium capable of storing program code, such as a ROM, a RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the embodiments above serve only to illustrate the technical solutions of the embodiments of the invention, not to limit them. Although the embodiments of the invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that modifications may still be made to the technical solutions recorded in the foregoing embodiments, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. A security incident correlation method, characterized in that it comprises:
when a new alarm is received, converting the new alarm into a fact;
selecting, from a preset rule base, all rules relevant to the fact to compose a rule set;
querying the rules in the rule set and, when all facts comprised in a rule in the rule set have occurred, obtaining a security incident according to that rule.
2. The security incident correlation method according to claim 1, characterized in that the construction process of the preset rule base comprises:
performing association analysis on at least two collected original alarms by a time series analysis method, deriving one or more attack scenes, and converting each attack scene step by step into at least two rules to constitute the rule base.
3. The security incident correlation method according to claim 2, characterized in that each rule of the at least two rules comprises a rule head and a rule body, the rule head being used to describe an attack scene and the rule body being used to represent a logical combination of the attack steps included in the attack scene.
4. The security incident correlation method according to claim 2, characterized in that performing association analysis on the at least two collected original alarms by the time series analysis method and deriving one or more attack scenes comprises:
clustering the at least two original alarms according to the attributes of the original alarms to form at least two original alarm groups;
converting each original alarm group into a time series;
for any two original alarm groups among the at least two original alarm groups, calculating with a Granger causality test (GCT) model the statistic between the time series corresponding to the two original alarm groups, and if the statistic satisfies the null hypothesis condition, associating the two original alarm groups as an alarm pair;
constructing one or more attack scenes according to the alarm pairs.
5. The security incident correlation method according to claim 4, characterized in that the construction process of the preset rule base further comprises:
performing repeated-alarm fusion processing on the at least two collected original alarms according to a preset rule;
and that, before converting each original alarm group into a time series, the method further comprises:
filtering out the background alarm groups from the at least two original alarm groups;
filtering out, from the at least two original alarm groups, the alarm groups whose priority is lower than a set threshold.
6. A security incident correlation apparatus, characterized in that it comprises:
a conversion module, used to convert a new alarm into a fact when the new alarm is received;
a rule set composition module, used to select, from a preset rule base, all rules relevant to the fact to compose a rule set;
an incident acquisition module, used to query the rules in the rule set and, when all facts comprised in a rule in the rule set have occurred, obtain a security incident according to that rule.
7. The security incident correlation apparatus according to claim 6, characterized in that it further comprises:
a preset module, used to perform association analysis on at least two collected original alarms by a time series analysis method, derive one or more attack scenes, and convert each attack scene step by step into at least two rules to constitute the rule base.
8. The security incident correlation apparatus according to claim 7, characterized in that the preset module comprises:
a clustering unit, used to cluster the at least two original alarms according to the attributes of the original alarms to form at least two original alarm groups;
a time series unit, used to convert each original alarm group into a time series;
an association unit, used, for any two original alarm groups among the at least two original alarm groups, to calculate with a Granger causality test (GCT) model the statistic between the time series corresponding to the two original alarm groups and, if the statistic satisfies the null hypothesis condition, to associate the two original alarm groups as an alarm pair;
a construction unit, used to construct one or more attack scenes according to the alarm pairs;
a rule conversion unit, used to convert each attack scene step by step into at least two rules to constitute the rule base.
9. The security incident correlation apparatus according to claim 8, characterized in that the preset module further comprises:
a fusion unit, used to perform repeated-alarm fusion processing on the at least two collected original alarms according to a preset rule;
a first filter unit, used to filter out the background alarm groups from the at least two original alarm groups and output the filtered at least two original alarm groups to a second filter unit;
a second filter unit, used to filter out, from the at least two original alarm groups, the alarm groups whose priority is lower than a set threshold and output the filtered at least two original alarm groups to the time series unit.
10. A network server, characterized in that it comprises the security incident correlation apparatus according to any one of claims 6 to 9.
CN2009102088069A 2009-10-29 2009-10-29 Security incident correlation method and device as well as network server Expired - Fee Related CN101697545B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102088069A CN101697545B (en) 2009-10-29 2009-10-29 Security incident correlation method and device as well as network server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102088069A CN101697545B (en) 2009-10-29 2009-10-29 Security incident correlation method and device as well as network server

Publications (2)

Publication Number Publication Date
CN101697545A true CN101697545A (en) 2010-04-21
CN101697545B CN101697545B (en) 2012-08-08

Family

ID=42142619

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102088069A Expired - Fee Related CN101697545B (en) 2009-10-29 2009-10-29 Security incident correlation method and device as well as network server

Country Status (1)

Country Link
CN (1) CN101697545B (en)

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101888309A (en) * 2010-06-30 2010-11-17 中国科学院计算技术研究所 Online log analysis method
CN102571469A (en) * 2010-12-23 2012-07-11 北京启明星辰信息技术股份有限公司 Attack detecting method and device
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
CN103746961A (en) * 2013-12-12 2014-04-23 中国人民解放军63928部队 Method, apparatus and server for mining causal knowledge of network attack scenario
CN104219193A (en) * 2013-05-29 2014-12-17 中国电信股份有限公司 Method and system for correlation analysis of security events
CN104601361A (en) * 2014-09-30 2015-05-06 北京科东电力控制系统有限责任公司 Electric power secondary system safety incident analysis method for non-conformity strategy access
CN105099797A (en) * 2014-04-21 2015-11-25 珠海市君天电子科技有限公司 False alarm detection method and device
CN105103167A (en) * 2013-04-05 2015-11-25 罗伯特·博世有限公司 Information system and method for selecting and reproducing information, in particular for use in the workshop sector
CN105095319A (en) * 2014-05-23 2015-11-25 邓寅生 Time serialization based document identifying, associating, searching and showing system
CN105376193A (en) * 2014-08-15 2016-03-02 中国电信股份有限公司 Intelligent association analysis method and intelligent association analysis device for security events
CN105471882A (en) * 2015-12-08 2016-04-06 中国电子科技集团公司第三十研究所 Behavior characteristics-based network attack detection method and device
CN105681274A (en) * 2015-12-18 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Original warning information processing method and device
CN105827418A (en) * 2015-01-04 2016-08-03 中国移动通信集团山东有限公司 Communication network alarm correlation method and communication network alarm correlation device
CN105847029A (en) * 2015-09-08 2016-08-10 南京联成科技发展有限公司 Information security event automatic association and rapid response method and system based on big data analysis
CN105893526A (en) * 2016-03-30 2016-08-24 上海坤士合生信息科技有限公司 Multi-source data fusion system and method
CN106330852A (en) * 2015-07-06 2017-01-11 纬创资通股份有限公司 Abnormality prediction method, abnormality prediction system, and abnormality prediction device
CN107018013A (en) * 2017-03-10 2017-08-04 京信通信技术(广州)有限公司 A kind of alarm reporting method and equipment
CN109374053A (en) * 2018-11-13 2019-02-22 深圳市中广控信息科技有限公司 A kind of Internet of Things computer lab management platform based on event-driven response
CN109450671A (en) * 2018-10-22 2019-03-08 北京安信天行科技有限公司 A kind of log multiple groups close alarm classifying method and system
CN109542891A (en) * 2018-10-18 2019-03-29 北京新唐思创教育科技有限公司 Data fusion method and computer storage medium
CN110166307A (en) * 2019-07-02 2019-08-23 中国工商银行股份有限公司 The method and apparatus that warning information is handled
CN110278100A (en) * 2018-03-14 2019-09-24 中国移动通信集团广东有限公司 Method, apparatus, electronic equipment and the storage medium of early warning processing
CN110545276A (en) * 2019-09-03 2019-12-06 新华三信息安全技术有限公司 threat event warning method and device, warning equipment and machine-readable storage medium
CN110661819A (en) * 2019-10-31 2020-01-07 杭州世导通讯有限公司 DDOS (distributed denial of service) prevention system
CN111865899A (en) * 2020-06-02 2020-10-30 中国科学院信息工程研究所 Threat-driven cooperative acquisition method and device
CN113422763A (en) * 2021-06-04 2021-09-21 桂林电子科技大学 Alarm correlation analysis method constructed based on attack scene
CN113728581A (en) * 2019-05-29 2021-11-30 国际商业机器公司 System and method for SIEM rule classification and conditional execution
CN114091704A (en) * 2021-11-26 2022-02-25 奇点浩翰数据技术(北京)有限公司 Alarm suppression method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6141749A (en) * 1997-09-12 2000-10-31 Lucent Technologies Inc. Methods and apparatus for a computer network firewall with stateful packet filtering
CN100414868C (en) * 2003-06-24 2008-08-27 北京邮电大学 Data merging mechanism for large distributive intrusion inspecting system
CN100518089C (en) * 2006-07-19 2009-07-22 华为技术有限公司 Security event associative analysis method and system
CN101222360B (en) * 2008-01-22 2012-09-05 中兴通讯股份有限公司 Regulation engine system and method for establishing alarm regulation association

Cited By (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101888309B (en) * 2010-06-30 2012-07-04 中国科学院计算技术研究所 Online log analysis method
CN101888309A (en) * 2010-06-30 2010-11-17 中国科学院计算技术研究所 Online log analysis method
CN102571469A (en) * 2010-12-23 2012-07-11 北京启明星辰信息技术股份有限公司 Attack detecting method and device
CN103312679A (en) * 2012-03-15 2013-09-18 北京启明星辰信息技术股份有限公司 APT (advanced persistent threat) detection method and system
CN103312679B (en) * 2012-03-15 2016-07-27 北京启明星辰信息技术股份有限公司 The detection method of senior constant threat and system
CN105103167A (en) * 2013-04-05 2015-11-25 罗伯特·博世有限公司 Information system and method for selecting and reproducing information, in particular for use in the workshop sector
CN105103167B (en) * 2013-04-05 2020-10-16 罗伯特·博世有限公司 Information system and method for selecting and reproducing information, in particular for use in the workshop sector
CN104219193A (en) * 2013-05-29 2014-12-17 中国电信股份有限公司 Method and system for correlation analysis of security events
CN103746961B (en) * 2013-12-12 2017-03-15 中国人民解放军63928部队 A kind of causal knowledge method for digging of cyber attack scenarios, device and server
CN103746961A (en) * 2013-12-12 2014-04-23 中国人民解放军63928部队 Method, apparatus and server for mining causal knowledge of network attack scenario
CN105099797A (en) * 2014-04-21 2015-11-25 珠海市君天电子科技有限公司 False alarm detection method and device
CN105095319A (en) * 2014-05-23 2015-11-25 邓寅生 Time serialization based document identifying, associating, searching and showing system
CN105095319B (en) * 2014-05-23 2019-04-19 邓寅生 The mark of document based on time series, association, the system searched for and showed
CN105376193A (en) * 2014-08-15 2016-03-02 中国电信股份有限公司 Intelligent association analysis method and intelligent association analysis device for security events
CN105376193B (en) * 2014-08-15 2019-06-04 中国电信股份有限公司 The intelligent association analysis method and device of security incident
CN104601361B (en) * 2014-09-30 2020-08-11 北京科东电力控制系统有限责任公司 Power secondary system security event analysis method for non-policy-compliant access
CN104601361A (en) * 2014-09-30 2015-05-06 北京科东电力控制系统有限责任公司 Electric power secondary system safety incident analysis method for non-conformity strategy access
CN105827418A (en) * 2015-01-04 2016-08-03 中国移动通信集团山东有限公司 Communication network alarm correlation method and communication network alarm correlation device
CN105827418B (en) * 2015-01-04 2019-07-05 中国移动通信集团山东有限公司 A kind of communication network warning correlating method and device
CN106330852A (en) * 2015-07-06 2017-01-11 纬创资通股份有限公司 Abnormality prediction method, abnormality prediction system, and abnormality prediction device
CN106330852B (en) * 2015-07-06 2019-06-25 纬创资通股份有限公司 Abnormality prediction method, abnormality prediction system, and abnormality prediction device
CN105847029A (en) * 2015-09-08 2016-08-10 南京联成科技发展有限公司 Information security event automatic association and rapid response method and system based on big data analysis
CN105847029B (en) * 2015-09-08 2019-08-09 南京联成科技发展股份有限公司 A kind of information security events auto-associating and quick response system based on big data
CN105471882A (en) * 2015-12-08 2016-04-06 中国电子科技集团公司第三十研究所 Behavior characteristics-based network attack detection method and device
CN105681274A (en) * 2015-12-18 2016-06-15 北京神州绿盟信息安全科技股份有限公司 Original warning information processing method and device
CN105681274B (en) * 2015-12-18 2019-02-01 北京神州绿盟信息安全科技股份有限公司 A kind of method and device of original alarm information processing
CN105893526A (en) * 2016-03-30 2016-08-24 上海坤士合生信息科技有限公司 Multi-source data fusion system and method
CN107018013A (en) * 2017-03-10 2017-08-04 京信通信技术(广州)有限公司 A kind of alarm reporting method and equipment
CN110278100B (en) * 2018-03-14 2022-04-15 中国移动通信集团广东有限公司 Early warning processing method and device, electronic equipment and storage medium
CN110278100A (en) * 2018-03-14 2019-09-24 中国移动通信集团广东有限公司 Method, apparatus, electronic equipment and the storage medium of early warning processing
CN109542891A (en) * 2018-10-18 2019-03-29 北京新唐思创教育科技有限公司 Data fusion method and computer storage medium
CN109542891B (en) * 2018-10-18 2021-04-09 北京新唐思创教育科技有限公司 Data fusion method and computer storage medium
CN109450671A (en) * 2018-10-22 2019-03-08 北京安信天行科技有限公司 A kind of log multiple groups close alarm classifying method and system
CN109374053A (en) * 2018-11-13 2019-02-22 深圳市中广控信息科技有限公司 A kind of Internet of Things computer lab management platform based on event-driven response
CN113728581A (en) * 2019-05-29 2021-11-30 国际商业机器公司 System and method for SIEM rule classification and conditional execution
CN113728581B (en) * 2019-05-29 2024-04-19 勤达睿公司 System and method for SIEM rule classification and condition execution
CN110166307A (en) * 2019-07-02 2019-08-23 中国工商银行股份有限公司 The method and apparatus that warning information is handled
CN110545276A (en) * 2019-09-03 2019-12-06 新华三信息安全技术有限公司 threat event warning method and device, warning equipment and machine-readable storage medium
CN110545276B (en) * 2019-09-03 2022-06-21 新华三信息安全技术有限公司 Threat event warning method and device, warning equipment and machine-readable storage medium
CN110661819A (en) * 2019-10-31 2020-01-07 杭州世导通讯有限公司 DDOS (distributed denial of service) prevention system
CN111865899A (en) * 2020-06-02 2020-10-30 中国科学院信息工程研究所 Threat-driven cooperative acquisition method and device
CN111865899B (en) * 2020-06-02 2021-07-13 中国科学院信息工程研究所 Threat-driven cooperative acquisition method and device
CN113422763A (en) * 2021-06-04 2021-09-21 桂林电子科技大学 Alarm correlation analysis method constructed based on attack scene
CN114091704A (en) * 2021-11-26 2022-02-25 奇点浩翰数据技术(北京)有限公司 Alarm suppression method and device

Also Published As

Publication number Publication date
CN101697545B (en) 2012-08-08

Similar Documents

Publication Publication Date Title
CN101697545B (en) Security incident correlation method and device as well as network server
CN110213077B (en) Method, device and system for determining safety event of power monitoring system
CN114143020B (en) Rule-based network security event association analysis method and system
CN107241226B (en) Fuzzy test method based on industrial control private protocol
CN101119321B (en) Network flux classification processing method and apparatus
CN101282340B (en) Method and apparatus for processing network attack
CN111988285A (en) Network attack tracing method based on behavior portrait
CN105871832A (en) Network application encrypted traffic recognition method and device based on protocol attributes
CN112468347B (en) Security management method and device for cloud platform, electronic equipment and storage medium
CN109768981B (en) Network attack defense method and system based on machine learning under SDN architecture
CN104618132B (en) A kind of application program recognition rule generation method and device
CN110046297B (en) Operation and maintenance violation identification method and device and storage medium
CN103997489A (en) Method and device for recognizing DDoS bot network communication protocol
CN109150869A (en) A kind of exchanger information acquisition analysis system and method
CN107294966A (en) A kind of IP white list construction methods based on Intranet flow
CN103746982A (en) Automatic generation method and system for HTTP (Hyper Text Transport Protocol) network feature code
CN110691073A (en) Industrial control network brute force cracking flow detection method based on random forest
CN102611713A (en) Entropy operation-based network intrusion detection method and device
CN110120957B (en) Safe disposal digital twin method and system based on intelligent scoring mechanism
CN104935570A (en) Network flow connection behavior characteristic analysis method based on network flow connection graph
CN116233902B (en) Wireless communication network anomaly identification system and method based on big data
CN115134250A (en) Network attack source tracing evidence obtaining method
CN113259367B (en) Industrial control network flow multistage anomaly detection method and device
CN111478921A (en) Method, device and equipment for detecting communication of hidden channel
CN110535716A (en) A kind of service stability monitoring method and system for melting media

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

Free format text: FORMER NAME: CHENGDU HUAWEI SYMANTEC TECHNOLOGIES CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Patentee before: Chengdu Huawei Symantec Technologies Co., Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120808

Termination date: 20191029