Embodiment
The technical solution of the embodiments of the invention is described in further detail below with reference to the drawings and examples.
Fig. 1 is a flow chart of a first embodiment of the security incident correlation method of the invention. As shown in Fig. 1, the present embodiment comprises the following steps:
Step 101: when a new alarm is received, convert the new alarm into a fact;
Step 102: from the preset rule base, select all rules relevant to the fact to form a rule set;
Step 103: query the rules in the rule set; when a rule is found all of whose facts have occurred, obtain a security incident according to that rule.
Specifically, the rules in the rule set may be queried in a configured order.
The above steps are executed in online mode. The preset rule base is built in offline or online mode and stores a plurality of rules. In each of the following embodiments of the invention, "a plurality" means at least two.
In step 101, when a new alarm is received, an inference engine may be used to convert the new alarm into a fact; the fact comprises specific attributes of the new alarm.
In step 102, according to the specific attributes of the new alarm contained in the fact, the rules in the rule base are correlated with the fact to obtain the set of rules relevant to the fact, that is, the rule set corresponding to the fact.
In step 103, the rules in the rule set are queried to find a rule that matches the fact, namely a rule all of whose facts have occurred; a security incident is obtained according to that rule.
In the security incident correlation method of this embodiment, when a new alarm is received it is converted into a fact; all rules relevant to the fact are selected from the preset rule base to form a rule set; the rules in the rule set are queried in order, and when a rule is found all of whose facts have occurred, a security incident is obtained according to that rule. In the embodiment of the invention, one fact corresponds to one rule set, and a security incident is obtained by checking whether all facts contained in a rule of that rule set have occurred. No intermediate state needs to be recorded, processing is fast, and online real-time matching of security incidents is achieved.
Fig. 2 is a flow chart of a second embodiment of the security incident correlation method of the invention. On the basis of the first embodiment, this embodiment may further include pre-configuring the rule base in offline or online mode. Specifically, the construction of the rule base comprises:
Using a time series analysis method, correlation analysis is performed on a plurality of collected original alarms to derive one or more attack scenarios; each attack scenario is converted step by step into a plurality of rules, which constitute the rule base. The original alarms may be alarms previously sent by various alarm devices while online.
Further, as shown in Fig. 2, the process specifically comprises the following steps:
Step 201: according to preset rules, perform duplicate-alarm fusion on the plurality of collected original alarms.
This step may first normalize the format of the collected original alarms.
Specifically, this step performs duplicate-alarm fusion on the collected original alarms according to preset rules about alarm attributes; that is, it exploits the similarity of alarm attributes to fuse duplicate alarms. Where several original alarms are duplicates, the fusion keeps one of them and removes the others, thereby reducing duplicate alarms.
Alarm attributes include: alarm identifier (ID), attack type, protocol type, source address, destination address, source port, destination port, time, alarm device type, priority, and so on. The preset rules about alarm attributes may be: 1) when two original alarms have all attributes identical except the time, and the time difference is within a specified range (e.g. 2 s), the two are considered duplicate alarms raised by the same alarm device for the same attack and may be fused; 2) when two original alarms have all attributes identical except the time and the alarm device type, and the time difference is within a specified range (e.g. 10 s), the two are considered duplicate alarms raised by different alarm devices for the same attack and may be fused.
Step 202: according to the attributes of the original alarms, cluster the plurality of original alarms into a plurality of original alarm groups.
Clustering means that original alarms whose attributes are all identical except the time are placed in one class, forming an original alarm group; each original alarm group is thus a sequence of alarms with identical attributes (other than time) distributed along the time axis.
Step 203: filter out the background alarm groups from the plurality of original alarm groups. This step is optional.
After clustering, the original alarm groups contain a large number of background alarm groups, which are useless information. This step may use the Ljung-Box test to detect background alarm groups and filter them out: the method assumes that background alarm groups have random characteristics and uses the autocorrelation function of these random characteristics to detect them. This step may also identify background alarm groups using expert knowledge, or detect them using probabilistic inference (or even authentication techniques).
Step 204: filter out the alarm groups whose priority is below a set threshold. This step is optional.
This embodiment may calculate the priority of each original alarm group according to the assets of the system (e.g. operating system, protocol type or attack type); when the priority is greater than or equal to the set threshold, the original alarm group is considered one that requires subsequent processing, and only these alarm groups are handled in the subsequent process.
This step is optional; when it is not performed, all original alarm groups may be handled in the subsequent process.
Step 205: convert each original alarm group into a time series.
This embodiment sets a time range in advance, denoted T. Taking T as the unit, each original alarm group is divided into p segments, and the number of original alarms falling into each time unit T is counted for each original alarm group, forming a time series.
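The following is an added example, not code from the patent, showing steps 201, 202 and 205 end to end: duplicate-alarm fusion using the two attribute rules and the 2 s / 10 s windows given above, clustering on every attribute except time, and counting alarms into p bins of width T. The alarm records are constructed for the example; the field names, the choice to exclude the per-alarm identifier from the equality test, and the decision to compare each alarm against the last kept alarm (rather than chaining through dropped ones) are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    """One original alarm with the attributes listed under step 201."""
    alarm_id: int      # assumed unique per alarm, so never compared
    attack_type: str
    protocol: str
    src: str
    dst: str
    sport: int
    dport: int
    time: float        # seconds since an arbitrary epoch
    device: str
    priority: int


# Rule 1: identical except time. Rule 2: identical except time and device.
KEY_RULE1 = ("attack_type", "protocol", "src", "dst", "sport", "dport", "device", "priority")
KEY_RULE2 = ("attack_type", "protocol", "src", "dst", "sport", "dport", "priority")
# Step 202 groups on every attribute except time (same as rule 1's key).
GROUP_KEY = KEY_RULE1


def _key(alarm, fields):
    return tuple(getattr(alarm, f) for f in fields)


def fuse_duplicates(alarms, same_device_window=2.0, cross_device_window=10.0):
    """Step 201: drop an alarm when a kept alarm with the same attributes
    (rule 1, within 2 s; or rule 2, within 10 s) precedes it. Keeps the
    first alarm of each run and returns the survivors in time order."""
    kept, last_kept = [], {}
    for a in sorted(alarms, key=lambda x: x.time):
        k1 = ("r1",) + _key(a, KEY_RULE1)
        k2 = ("r2",) + _key(a, KEY_RULE2)
        dup = ((k1 in last_kept and a.time - last_kept[k1] <= same_device_window)
               or (k2 in last_kept and a.time - last_kept[k2] <= cross_device_window))
        if not dup:
            kept.append(a)
            last_kept[k1] = a.time
            last_kept[k2] = a.time
    return kept


def cluster(alarms):
    """Step 202: one original alarm group per distinct attribute tuple;
    each group is the sorted list of the times at which it fired."""
    groups = defaultdict(list)
    for a in alarms:
        groups[_key(a, GROUP_KEY)].append(a.time)
    return {k: sorted(v) for k, v in groups.items()}


def to_time_series(times, T, p, t0=0.0):
    """Step 205: number of alarms in each of p consecutive bins of width T
    starting at t0; alarms outside the p bins are ignored."""
    counts = [0] * p
    for t in times:
        i = int((t - t0) // T)
        if 0 <= i < p:
            counts[i] += 1
    return counts


def build_series(alarms, T, p):
    """Chain the three steps: fused alarms -> groups -> one series per group."""
    return {k: to_time_series(v, T, p) for k, v in cluster(fuse_duplicates(alarms)).items()}


def sample_alarms():
    """Constructed input: two alarm types against one destination."""
    base = dict(attack_type="Sadmind_Ping", protocol="TCP", src="10.0.0.5:5032",
                dst="10.0.0.9", sport=5032, dport=26903, priority=3)
    return [
        Alarm(1, device="snort", time=0.0, **base),
        Alarm(2, device="snort", time=1.0, **base),    # rule 1 duplicate of 1
        Alarm(3, device="ids2", time=4.0, **base),     # rule 2 duplicate of 1
        Alarm(4, device="snort", time=30.0, **base),   # outside both windows
        Alarm(5, device="snort", time=31.5, **base),   # rule 1 duplicate of 4
        Alarm(6, "Rsh", "TCP", "10.0.0.5:5032", "10.0.0.9", 5032, 514, 45.0, "snort", 2),
    ]


if __name__ == "__main__":
    for key, series in build_series(sample_alarms(), T=10.0, p=5).items():
        print(key[0], series)
```

With T = 10 and p = 5, the surviving Sadmind_Ping group (alarms 1 and 4) becomes the series [1, 0, 0, 1, 0] and the Rsh group becomes [0, 0, 0, 0, 1].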
Step 206: for any two original alarm groups among the plurality of original alarm groups, use the Granger Causality Test (GCT) model to calculate a statistic between the time series corresponding to the two original alarm groups; if the statistic satisfies the null hypothesis condition, associate the two original alarm groups as an alarm pair.
The GCT model in turn introduces the autoregressive (AR) model and the autoregressive moving average (ARMA) model; both fit the present value of a time series from its past values, and this step may use either the AR model or the ARMA model.
For any two original alarm groups among the plurality of original alarm groups, the statistic between the corresponding time series is calculated; in particular, the errors produced by the AR or ARMA model during fitting may be used as the input for computing this statistic. If the statistic for the two time series satisfies the null hypothesis condition, the two original alarm groups are associated as an alarm pair, and the pair is recorded.
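An added example (not the patent's code) of the statistic used in step 206 with the AR model: for an ordered pair of series (x, y) it fits y on its own lagged values (restricted model) and on its own lags plus the lags of x (unrestricted model), and forms the usual Granger F-statistic from the two residual sums of squares. The least-squares fit is done with a small hand-written solver so the block runs without numpy. Two assumptions are made explicit: an alarm pair is recorded when the F-statistic exceeds a critical value supplied by the caller (this reading of "satisfies the null hypothesis condition" is the standard rejection of the no-causality null), and a perfect unrestricted fit is reported as an infinite statistic. The two sample series are constructed so that the second is the first shifted by one time unit.

```python
from itertools import permutations


def _solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        if abs(M[c][c]) < 1e-12:
            raise ValueError("singular design matrix")
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                for k in range(c, n + 1):
                    M[r][k] -= f * M[c][k]
    return [M[i][n] / M[i][i] for i in range(n)]


def _ols_rss(X, y):
    """Residual sum of squares of the least-squares fit y ~ X (normal equations)."""
    m, k = len(X), len(X[0])
    XtX = [[sum(X[i][a] * X[i][b] for i in range(m)) for b in range(k)] for a in range(k)]
    Xty = [sum(X[i][a] * y[i] for i in range(m)) for a in range(k)]
    beta = _solve(XtX, Xty)
    return sum((y[i] - sum(beta[j] * X[i][j] for j in range(k))) ** 2 for i in range(m))


def granger_f(x, y, lag=1):
    """F-statistic for 'lagged x improves the AR(lag) fit of y'.
    Restricted model:   y_t = a + sum_j b_j y_{t-j}
    Unrestricted model: y_t = a + sum_j b_j y_{t-j} + sum_j c_j x_{t-j}
    F = ((RSS_r - RSS_u) / lag) / (RSS_u / (m - k_u)), k_u = 1 + 2*lag."""
    rows_r, rows_u, target = [], [], []
    for t in range(lag, len(y)):
        past_y = [y[t - j] for j in range(1, lag + 1)]
        past_x = [x[t - j] for j in range(1, lag + 1)]
        rows_r.append([1.0] + past_y)
        rows_u.append([1.0] + past_y + past_x)
        target.append(float(y[t]))
    rss_r, rss_u = _ols_rss(rows_r, target), _ols_rss(rows_u, target)
    m, k_u = len(target), 1 + 2 * lag
    if rss_u <= 1e-12:                 # assumption: perfect fit -> infinite statistic
        return float("inf")
    return ((rss_r - rss_u) / lag) / (rss_u / (m - k_u))


def granger_pairs(series, lag=1, f_crit=4.67):
    """Step 206 over all ordered pairs of groups: (cause, effect) is recorded
    when F exceeds f_crit. 4.67 is roughly the 5% point of F(1, 13), the
    degrees of freedom of the sample below; a real deployment reads the
    critical value from an F-table for its own m and lag."""
    return [(a, b) for a, b in permutations(series, 2)
            if granger_f(series[a], series[b], lag) > f_crit]


def sample_series():
    """Constructed series: A is a cyclic de Bruijn pattern (no lag-1 or lag-2
    self-correlation over whole periods), B is A delayed by one unit."""
    A = [1] + [0, 0, 0, 1, 0, 1, 1, 1] * 2
    B = [A[-1]] + A[:-1]
    return {"A": A, "B": B}


if __name__ == "__main__":
    s = sample_series()
    print("F(A->B) =", granger_f(s["A"], s["B"]), "F(B->A) =", granger_f(s["B"], s["A"]))
    print("alarm pairs:", granger_pairs(s))
```

Because B is exactly A shifted by one unit, the unrestricted fit of B is perfect and the forward statistic is infinite, while the balanced construction of A gives the reverse direction a statistic of zero, so only the pair (A, B) is recorded. Real alarm-count series are noisy; the critical value, lag order and (if used) the ARMA variant all change the statistic and should be chosen against the actual sample size.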
Step 207: construct one or more attack scenarios from the alarm pairs obtained in step 206.
Step 206 yields one or more alarm pairs; this step searches for common nodes among these alarm pairs, and where a common node exists the pairs are linked to form a complete attack scenario.
For example, suppose the alarm pairs obtained in step 206 are A->B, B->C and C->D, where A, B, C and D each denote an original alarm group and the arrow "->" indicates the direction of temporal order; the attack scenario constructed from these alarm pairs is A->B->C->D. If the alarm pairs obtained in step 206 are A->C, B->C and C->D, the attack scenarios that can be constructed are A->C->D and B->C->D.
Step 208: convert each attack scenario step by step into a plurality of rules.
In an inference engine, each rule may comprise a rule head and a rule body. The rule head may be expressed as a predicate consisting of a predicate name and parameters; the rule body consists of one or more facts to be queried and is an abstract summary of those facts. In this embodiment the rule head describes the attack scenario, and the rule body expresses a logical combination (including logical AND and/or logical NOT) of the attack steps contained in that attack scenario.
This embodiment converts each attack scenario step by step into a plurality of rules. Taking a DDOS attack scenario as an example, the conversion of an attack scenario into rules is analysed below.
A DDOS attack is generally divided into the following steps:
Step 1: the "Sadmind_Ping" alarm: the attacker discovers a "Sadmind" service that may be vulnerable to attack;
Step 2: the "Sadmind_Amslverify_Overflow" alarm: the attacker initiates a large number of connections to the victim host, causing a buffer overflow on the victim host;
Step 3: the "Rsh" alarm: the attacker copies a program and a .rhost file into the victim host system and runs the program;
Step 4: the "Mstream_Zombie" alarm: a daemon used for mail sending/receiving and for communication with the DDOS master host over the Internet.
Step 5: the "Stream_Dos" alarm: the actual DDOS attack initiated by the daemon used for mail sending/receiving over the Internet.
The above attack scenario can be expressed as the attack sequence:
xulieSadmind_Ping→Sadmind_Amslverify_Overflow→Rsh→Mstream_Zombie→Stream_Dos
The above attack scenario can be converted step by step into the following rules:
DDOS1(destIP,time):-xulieSadmind_Ping(destIP,time)
DDOS2(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time)
DDOS3(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time)
DDOS4(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time),mstream_Zombie(destIP,time)
DDOS(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time),mstream_Zombie(destIP,time),stream_Dos(destIP,time)
In each rule above, the content before the colon is the rule head, which describes the attack scenario; the content after the colon is the rule body, which expresses a logical combination of the attack steps that must occur for that scenario. In each of the above rule bodies the parts are combined by logical AND. For example, in the rule DDOS2(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time), the relation between "xulieSadmind_Ping(destIP,time)" and "sadmind_Amslverify_Overflow(destIP,time)" is AND, meaning that both attack steps must be present for the attack scenario "DDOS2(destIP,time)" to occur.
The fourth rule above, "DDOS4(destIP,time)", indicates that a DDOS attack is about to occur; under this attack scenario an early warning can be issued so that the administrator can take remedial measures to stop the attack or reduce its harm.
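An added example (not the patent's code) covering steps 207 and 208 together: the first function chains alarm pairs through common nodes into complete scenarios, reproducing the A->B->C->D and A->C->D / B->C->D cases given under step 207; the second turns a scenario of n steps into the n cumulative rules in the "head:-body" notation used above, where rule i's body is the AND of the first i steps and only the final rule carries the bare scenario name. The predicate names for the DDOS scenario are taken verbatim from the rules above; the scenario name "DDOS" and the parameter list (destIP, time) are passed in by the caller.

```python
from collections import defaultdict


def build_scenarios(pairs):
    """Step 207: treat each pair (earlier, later) as an edge and return every
    maximal path from a group that is never a successor to a group with no
    successor. A pair graph containing only cycles yields no scenario."""
    succ = defaultdict(list)
    nodes, has_pred = set(), set()
    for earlier, later in pairs:
        succ[earlier].append(later)
        nodes.update((earlier, later))
        has_pred.add(later)
    scenarios = []

    def walk(path):
        nexts = [n for n in succ[path[-1]] if n not in path]  # skip cycles
        if not nexts:
            scenarios.append(path)
        for n in nexts:
            walk(path + [n])

    for start in sorted(n for n in nodes if n not in has_pred):
        walk([start])
    return scenarios


def scenario_to_rules(name, steps, params=("destIP", "time")):
    """Step 208: n steps -> n rules. Rule i (1-based) has head name+i and a body
    that is the conjunction of the first i steps; the last rule's head is the
    bare scenario name, matching the rule listing on the page."""
    args = "(" + ",".join(params) + ")"
    rules = []
    for i in range(1, len(steps) + 1):
        head = name if i == len(steps) else f"{name}{i}"
        body = ",".join(step + args for step in steps[:i])
        rules.append(f"{head}{args}:-{body}")
    return rules


# The DDOS scenario with the predicate spellings used in the page's rules.
DDOS_STEPS = ["xulieSadmind_Ping", "sadmind_Amslverify_Overflow", "rsh",
              "mstream_Zombie", "stream_Dos"]


def ddos_rules():
    """Rules generated from the DDOS scenario expressed as a chain of pairs."""
    pairs = list(zip(DDOS_STEPS, DDOS_STEPS[1:]))
    (scenario,) = build_scenarios(pairs)
    return scenario_to_rules("DDOS", scenario)


if __name__ == "__main__":
    print(build_scenarios([("A", "C"), ("B", "C"), ("C", "D")]))
    for r in ddos_rules():
        print(r)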
Steps 201 to 208 above constitute the process of presetting the rule base and may be performed in offline or online mode; steps 209 to 211 below are performed in online mode.
Step 209: when a new alarm is received, convert the new alarm into a fact.
In an inference engine, a fact is generally expressed as a predicate consisting of a predicate name and parameters, and may contain a plurality of parameters in order to provide sufficient information. In this embodiment the new alarm is converted into a fact whose name is the alarm type and whose parameters are the alarm attributes, and the fact is then pushed onto the fact queue. The alarm attributes may comprise the alarm ID, protocol type, source address, destination address, source port, destination port, time, alarm device type, priority, or any combination of the above.
For example, the received new alarm is:
[116:150:1] (snort decoder) Sadmind_Ping [Priority: 3] 03/08-00:27:51.177806 127.93.72.86:5032 -> 131.84.1.31:26903 TCP TTL:255 TOS:0x8 ID:24726 IpLen:20 DgmLen:40 DF Seq:0x7BE9C279 Ack:0x0 Win:0x4000 TcpLen:20
The fact converted from this new alarm is:
Sadmind_Ping(24726,TCP,127.93.72.86:5032,131.84.1.31,177806,26903,03/08-00:27:51,snort,3)
Here "Sadmind_Ping" is the alarm type, "24726" the alarm ID, "TCP" the protocol type, "127.93.72.86:5032" the source address, "131.84.1.31" the destination address, "177806" the source port, "26903" the destination port, "03/08-00:27:51" the time, "snort" the alarm device type and "3" the priority.
Step 210: from the preset rule base, select all rules relevant to the fact to form a rule set.
Step 211: query the rules in the rule set in order; when a rule is found all of whose facts have occurred, obtain a security incident according to that rule.
Further, an early warning or a high-level alarm is generated according to the obtained security incident.
Fig. 3 is a flow chart of steps 210 and 211 in the second embodiment of the security incident correlation method of the invention. As shown in Fig. 3, these steps may further comprise:
Step 301: select all rules relevant to the fact obtained in step 209 to form a rule set.
If no rule is relevant to the fact, the resulting rule set is empty.
Step 302: judge whether the rule set is empty; if so, go to step 209; otherwise go to step 303.
Step 303: select one rule from the rule set in order, and query all facts contained in that rule.
In this step the rule containing the most facts is selected first.
Step 304: judge whether all facts contained in the rule have occurred; if so, go to step 305; otherwise go to step 306.
Step 305: generate an early warning or a high-level alarm, then go to step 209.
Step 306: delete this rule from the rule set, then go to step 302.
The technical solution of steps 301 to 306 is described below with a concrete example.
Suppose the fact is Sadmind_Ping(24726,TCP,127.93.72.86:5032,131.84.1.31,177806,26903,03/08-00:27:51,snort,3). In step 301, the rules relevant to this fact comprise the five rules listed in step 208, and these five rules form the rule set. In step 302 the rule set is judged not to be empty, so go to step 303. In step 303 the fifth rule is selected first, and all facts contained in this rule are queried: "xulieSadmind_Ping(destIP,time), sadmind_Amslverify_Overflow(destIP,time), rsh(destIP,time), mstream_Zombie(destIP,time), stream_Dos(destIP,time)". In step 304 it is judged whether all these facts have occurred; if so, go to step 305, obtain the security incident corresponding to the fifth rule and generate a high-level alarm indicating that a DDOS attack has occurred; if not, go to step 306, delete the fifth rule from the rule set and go to step 302.
Next, the fourth rule is selected and it is judged whether all facts contained in the fourth rule have occurred; if so, the security incident corresponding to the fourth rule is obtained and an early warning is generated, indicating that a DDOS attack is about to occur, so that the administrator can take remedial measures to stop the attack or reduce its harm; if not, the fourth rule is deleted from the rule set.
And so on, until a security incident is obtained or the rule set is empty, whereupon go to step 209.
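The online matching of steps 209 to 211 and 301 to 306, as an added example that is not the patent's code: a small parser reads the five DDOS rules in the page's "head:-body" notation, each incoming alarm is converted into a fact (alarm type plus the attribute tuple in the order shown above), the rule set is formed from every rule whose body mentions the fact's predicate, and the rules are queried from the longest body down, deleting each rule that fails until one matches or the set is empty. Three details the page leaves open are assumptions of this example: the mapping from alarm type to the predicate spelling used in the rule bodies (PREDICATE_OF), the meaning of "all facts have occurred" (a recorded fact for every body predicate with the same destIP within a time window, with times given in seconds), and the reporting level (the complete rule with the bare scenario name raises a high-level alarm, any shorter rule an early warning). The alarm records are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# The five rules from step 208, in the page's notation (fifth rule as corrected above).
RULE_TEXT = [
    "DDOS1(destIP,time):-xulieSadmind_Ping(destIP,time)",
    "DDOS2(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time)",
    "DDOS3(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time)",
    "DDOS4(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time),mstream_Zombie(destIP,time)",
    "DDOS(destIP,time):-xulieSadmind_Ping(destIP,time),sadmind_Amslverify_Overflow(destIP,time),rsh(destIP,time),mstream_Zombie(destIP,time),stream_Dos(destIP,time)",
]

# Assumed alarm type -> rule-body predicate mapping (the page uses both spellings).
PREDICATE_OF = {
    "Sadmind_Ping": "xulieSadmind_Ping",
    "Sadmind_Amslverify_Overflow": "sadmind_Amslverify_Overflow",
    "Rsh": "rsh",
    "Mstream_Zombie": "mstream_Zombie",
    "Stream_Dos": "stream_Dos",
}


@dataclass
class Rule:
    head: str
    body: list  # predicate names that must all have occurred (logical AND)


def parse_rule(text):
    """'H(a,b):-p(a,b),q(a,b)' -> Rule('H', ['p', 'q'])."""
    head, body = text.split(":-", 1)
    pred_name = lambda term: term.split("(", 1)[0].strip()
    return Rule(pred_name(head), [pred_name(t) for t in re.findall(r"\w+\([^)]*\)", body)])


RULES = [parse_rule(t) for t in RULE_TEXT]


def alarm_to_fact(alarm):
    """Step 209: fact name = alarm type, parameters = attributes in the page's order."""
    return (alarm["type"], (alarm["id"], alarm["proto"], alarm["src"], alarm["dst"],
                            alarm["sport"], alarm["dport"], alarm["time"],
                            alarm["device"], alarm["priority"]))


class Correlator:
    """Facts are kept per (predicate, destIP) as a list of times; a body predicate
    'has occurred' if such a fact lies within `window` seconds before the new fact."""

    def __init__(self, rules, window=600.0):
        self.rules, self.window = rules, window
        self.facts = defaultdict(list)

    def _occurred(self, pred, dst, now):
        return any(0 <= now - ts <= self.window for ts in self.facts[(pred, dst)])

    def process(self, alarm):
        fact_name, attrs = alarm_to_fact(alarm)
        pred = PREDICATE_OF.get(fact_name)
        if pred is None:                      # alarm type no rule refers to
            return None
        dst, now = attrs[3], attrs[6]
        self.facts[(pred, dst)].append(now)   # push onto the fact store
        # Steps 210 / 301: rule set = every rule whose body mentions this predicate.
        rule_set = [r for r in self.rules if pred in r.body]
        rule_set.sort(key=lambda r: len(r.body), reverse=True)   # step 303 order
        while rule_set:                                          # step 302
            rule = rule_set[0]
            if all(self._occurred(p, dst, now) for p in rule.body):   # step 304
                level = "early warning" if rule.head[-1].isdigit() else "high-level alarm"
                return {"incident": rule.head, "level": level, "destIP": dst}  # step 305
            rule_set.pop(0)                                      # step 306
        return None                                              # back to step 209


def sample_alarms():
    """Constructed: the five DDOS steps against one destination, one minute apart."""
    base = dict(proto="TCP", src="127.93.72.86:5032", dst="131.84.1.31",
                sport=5032, dport=26903, device="snort", priority=3)
    types = ["Sadmind_Ping", "Sadmind_Amslverify_Overflow", "Rsh", "Mstream_Zombie", "Stream_Dos"]
    return [dict(base, id=24726 + i, type=t, time=100.0 + 60 * i) for i, t in enumerate(types)]


def run(alarms, rules=RULES):
    """Feed alarms in order and return the incident (or None) produced by each."""
    c = Correlator(rules)
    return [c.process(a) for a in alarms]


if __name__ == "__main__":
    for alarm, result in zip(sample_alarms(), run(sample_alarms())):
        print(alarm["type"], "->", result)
```

Each alarm in the constructed sequence matches the longest rule whose body is now fully satisfied, so the incidents climb from DDOS1 to DDOS4 (early warnings) and end with DDOS as a high-level alarm; a Stream_Dos alarm against a destination with no earlier steps recorded matches nothing and yields None, which is the step 302 exit with an empty rule set.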
From the above analysis, the security incident correlation method provided by this embodiment has the following advantages:
(1) In this embodiment, one fact corresponds to one rule set, which contains a plurality of concrete rules relevant to the fact; if a rule in the rule set is found all of whose facts have occurred, a security incident is obtained according to that rule. This embodiment does not need to record intermediate state, processes quickly, and achieves online real-time matching.
(2) This embodiment uses a time series analysis method to perform correlation analysis on the collected original alarms and derive one or more attack scenarios. It does not rely on manually described attack scenarios, the number of collected alarms can be greatly increased, and there is no need to know how an attack occurs or how its steps are related: if attack steps occur together with high probability, the time series analysis method can discover the causality between alarms and thereby discover attack scenarios in which unknown attacks participate. The derived attack scenarios are therefore comprehensive, and they can serve as prior knowledge for the inference engine, strengthening the recognition capability of the correlation system. When the facts converted from new alarms are matched against the rules converted from these comprehensive attack scenarios, very few new alarms cannot be handled, which improves the efficiency of correlation analysis.
(3) Before correlation analysis, this embodiment performs duplicate-alarm fusion on the collected original alarms according to preset rules, reducing duplicate alarms; this lowers the data load of further correlation analysis and improves correlation efficiency.
(4) By filtering background alarms, this embodiment removes much useless information, so that correlation analysis is performed only among alarms that may contain real attacks, improving correlation efficiency.
(5) This embodiment may perform statistics only on the original alarm groups whose priority is above the set threshold, so that the amount of data is smaller and the computational complexity is reduced; it may also perform statistics on the original alarm groups formed from all alarms, which guarantees the correlation rate of the system.
(6) The online real-time matching process implemented with the inference engine provides an early-warning or high-level-alarm function, supplying useful information to the response system in time so that it can take corresponding measures promptly and prevent the attack from causing more serious harm to the network.
Fig. 4 is a schematic structural diagram of a first embodiment of the security incident correlation apparatus of the invention. As shown in Fig. 4, the apparatus comprises a conversion module 11, a rule set composition module 12 and an incident acquisition module 13, wherein:
the conversion module 11 is configured to convert a new alarm into a fact when the new alarm is received;
the rule set composition module 12 is configured to select, from the preset rule base, all rules relevant to the fact to form a rule set;
the incident acquisition module 13 is configured to query the rules in the rule set and, when a rule is found all of whose facts have occurred, obtain a security incident according to that rule.
Specifically, when a new alarm is received, the conversion module 11 may use an inference engine to convert it into a fact containing specific attributes of the new alarm; the rule set composition module 12 correlates the rules in the rule base with the fact according to those attributes to obtain the set of rules relevant to the fact, that is, the rule set corresponding to the fact; the incident acquisition module 13 queries the rules in the rule set for a rule matching the fact, namely one all of whose facts have occurred, and obtains a security incident according to that rule. The rules in the rule set may be queried in a configured order.
The processing of the rule set composition module 12 and the incident acquisition module 13 may refer to Fig. 3.
In the security incident correlation apparatus of this embodiment, the conversion module converts a new alarm into a fact when it is received; the rule set composition module selects from the preset rule base all rules relevant to the fact to form a rule set; the incident acquisition module queries the rules in the rule set and, when a rule is found all of whose facts have occurred, obtains a security incident according to that rule. In this embodiment one fact corresponds to one rule set, and a security incident is obtained by checking whether all facts contained in a rule of that set have occurred; no intermediate state needs to be recorded, processing is fast, and online real-time matching of security incidents is achieved.
Fig. 5 is a schematic structural diagram of a second embodiment of the security incident correlation apparatus of the invention. As shown in Fig. 5, on the basis of the first apparatus embodiment, this embodiment may further comprise:
a preset module 14, configured to use a time series analysis method to perform correlation analysis on a plurality of collected original alarms, derive one or more attack scenarios, and convert each attack scenario step by step into rules to form the rule base.
Further, the preset module 14 may specifically comprise a clustering unit 15, a time series unit 16, an association unit 17, a construction unit 18 and a rule conversion unit 19, wherein:
the clustering unit 15 is configured to cluster the plurality of original alarms into a plurality of original alarm groups according to the attributes of the original alarms;
the time series unit 16 is configured to convert each original alarm group into a time series;
the association unit 17 is configured to calculate, for any two original alarm groups among the plurality of original alarm groups, the statistic between their corresponding time series using the GCT model and, if the statistic satisfies the null hypothesis condition, associate the two original alarm groups as an alarm pair;
the construction unit 18 is configured to construct one or more attack scenarios from the alarm pairs;
the rule conversion unit 19 is configured to convert each attack scenario step by step into rules to form the rule base.
Specifically, the clustering unit 15 places original alarms whose attributes are all identical except the time into one class, forming an original alarm group, so that each original alarm group is a sequence of alarms with identical attributes (other than time) distributed along the time axis. The time series unit 16 divides each original alarm group into p segments and counts the number of original alarms falling into each time unit T, forming a time series. For any two original alarm groups, the association unit 17 calculates the statistic between the corresponding time series, in particular using the errors produced by the AR or ARMA model during fitting as input; if the statistic satisfies the null hypothesis condition, the two original alarm groups are associated as an alarm pair and recorded. The construction unit 18 searches for common nodes among these alarm pairs and, where a common node exists, links them into a complete attack scenario. The rule conversion unit 19 converts each attack scenario step by step into a plurality of rules to form the rule base.
Further still, the preset module 14 may also comprise a first filter unit 20 and a second filter unit 21.
The first filter unit 20 is configured to filter out the background alarm groups from the plurality of original alarm groups and output the filtered original alarm groups to the second filter unit 21.
Specifically, in another case, when the second filter unit 21 is not included in this embodiment, the first filter unit 20 may instead output the filtered original alarm groups to the time series unit 16.
In particular, the first filter unit 20 filters the background alarm groups from the original alarm groups obtained by the clustering unit 15. Filtering background alarm groups removes much useless information, so that correlation analysis is performed only among alarms that may contain real attacks, improving correlation efficiency.
The second filter unit 21 is configured to filter out the alarm groups whose priority is below the set threshold and output the filtered original alarm groups to the time series unit 16.
In particular, in one case, the second filter unit 21 further filters the original alarm groups already filtered by the first filter unit 20 and outputs them to the time series unit 16. In another case, when there is no first filter unit 20, the second filter unit 21 may directly select, from the original alarm groups obtained by the clustering unit 15, the alarm groups whose priority is greater than or equal to the set threshold as target alarm groups, reconstitute the original alarm groups from the target alarm groups and pass them to the time series unit 16 for processing. That is, the first filter unit 20 and the second filter unit 21 may both be present, or only one of them. Filtering the original alarm groups through these two filter units reduces the amount of data to be counted and the computational complexity.
The preset module 14 may also comprise a fusion unit 22, configured to perform duplicate-alarm fusion on the plurality of collected original alarms according to preset rules.
In particular, the fusion unit 22 may perform duplicate-alarm fusion on the collected original alarms according to the preset rules about alarm attributes; that is, it exploits the similarity of alarm attributes to fuse duplicate alarms. Where several original alarms are duplicates, the fusion may keep one of them and remove the others, reducing duplicate alarms, which lowers the data load of further correlation analysis and improves correlation efficiency.
This embodiment may further comprise:
an alarm module 23, configured to generate an early warning or a high-level alarm according to the obtained security incident.
Specifically, after a security incident is obtained, the alarm module 23 generates an early warning or a high-level alarm, supplying useful information to the response system in time so that it can take corresponding measures promptly and prevent the attack from causing more serious harm to the network.
The preset module of this embodiment uses a time series analysis method to perform correlation analysis on the collected original alarms and derive one or more attack scenarios. It does not rely on manually described attack scenarios, the number of collected alarms can be greatly increased, and there is no need to know how an attack occurs or how its steps are related: if attack steps occur together with high probability, the time series analysis method can discover the causality between alarms and thereby discover attack scenarios in which unknown attacks participate. The derived attack scenarios are therefore comprehensive, and they can serve as prior knowledge for the inference engine, strengthening the recognition capability of the correlation system. When the facts converted from new alarms are matched against the rules converted from these comprehensive attack scenarios, very few new alarms cannot be handled, which improves the efficiency of correlation analysis. The matching module performs online real-time matching of new alarms, with fast processing and good real-time performance.
The embodiment of the invention also provides a network server comprising the above security incident correlation apparatus. The network server may be any of various monitoring devices, gateway devices and the like; by using the above security incident correlation apparatus it achieves online real-time matching of security incidents with good real-time performance.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be implemented by hardware instructed by a program; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium capable of storing program code, such as ROM, RAM, magnetic disk or optical disc.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the embodiments of the invention, not to limit them. Although the embodiments of the invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the invention.