CN101771582A - Safety monitoring correlation analysis method based on state machine - Google Patents
- Publication number: CN101771582A (application CN200910243576A)
- Authority: CN (China)
- Prior art keywords: security state, security event, target system, attack, module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Abstract
The invention discloses a security monitoring correlation analysis method based on a state machine, comprising the following steps: determining the security state corresponding to each attack phase of an attack scenario for a target system, where an attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviors occur; classifying the security events detected by the target system's monitoring programs that relate to the attack scenario, and establishing a comparison table between security states and security events; and checking and recording the security state of the target system according to the comparison table. While keeping the running speed of the system sustainable, the method can store the security state of assets for a longer time; it can detect distributed attacks; it can determine the security state of the system without an exactly defined attack scenario; and it can analyze the trajectory of an attack on the system, providing a basis for investigation and evidence collection.
Description
Technical field
The present invention relates to the field of network security technology, and in particular to a security monitoring correlation analysis method based on a state machine.
Background technology
In traditional approaches to attack scenario reconstruction for multi-step attacks, sequential (time-ordered) correlation is the main method used.
The main procedure of traditional attack scenario reconstruction is as follows:
(1) Define attack scenarios by hand, expressing the attack process to be detected as rules.
(2) Match the detected security events against the rules; if a rule is satisfied, raise an alarm.
Shortcomings of this prior art:
(1) The attack scenario must be defined exactly.
(2) When too many attack scenarios are defined, each security event must be matched against every scenario, and the detection efficiency of the system drops noticeably.
(3) When attackers carry out a coordinated attack, too many security states must be maintained, which reduces the detection efficiency of the system.
Summary of the invention
(1) goal of the invention
The purpose of the invention is to provide a security monitoring correlation analysis method based on a state machine, which solves the problems of detecting multi-step incidents, of judging the state of a system from multi-source data, and of coordinated network attacks.
(2) summary of the invention
A security monitoring correlation analysis method based on a state machine comprises the following steps:
S1: determining the security state corresponding to each attack phase of an attack scenario for the target system, where the attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviors occur;
S2: classifying the security events detected by the target system's monitoring programs that relate to the attack scenario, and establishing a comparison table between the security states and the security events;
S3: checking and recording the security state of the target system according to the comparison table.
Step S3 comprises:
S31: when an alarm from a monitoring program is received for the target system, checking whether the security state recorded for the target system in the comparison table is the predecessor of the security state corresponding to the security event in the alarm; if so, performing S32, otherwise performing S33;
S32: changing the security state of the target system to the security state corresponding to the security event in the alarm;
S33: searching whether the target system has a recorded security event of the previous stage; if one is found, performing S32, otherwise performing S34;
S34: changing the security state of the target system to the security state corresponding to the security event in the alarm, and marking this security state as uncertain.
The set of security states mainly comprises: target system information collected, privilege obtained, backdoor placed, and logs cleaned.
A security monitoring correlation analysis system based on a state machine comprises:
an attack scenario determination module, used to determine the security state corresponding to each attack phase of an attack scenario for the target system, where the attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviors occur;
a comparison table establishment module, used to classify the security events detected by the target system's monitoring programs that relate to the attack scenario, and to establish a comparison table between the security states and the security events;
a security state recording module, used to check and record, according to the comparison table, the security state of the target system on which an asset resides.
The security state recording module comprises:
a predecessor state judgment module, used, when an alarm from a monitoring program is received for the target system, to check whether the security state recorded for the target system in the comparison table is the predecessor of the security state corresponding to the security event in the alarm; if so, the current security state setting module is executed, otherwise the previous stage search module is executed;
a current security state setting module, used to change the security state of the target system to the security state corresponding to the security event in the alarm;
a previous stage search module, used to search whether the target system has a recorded security event of the previous stage; if one is found, the current security state setting module is executed, otherwise the uncertain security state setting module is executed;
an uncertain security state setting module, used to change the security state of the target system to the security state corresponding to the security event in the alarm, and to mark this security state as uncertain.
(3) beneficial effect
The state-machine-based security monitoring correlation analysis method of the present invention has the following beneficial effects:
(1) it can store the security state of assets for a longer period while keeping the running speed of the system within bounds;
(2) it can detect distributed attacks;
(3) it can determine the security state of the system without an exactly defined attack scenario;
(4) it can analyze the trajectory of an attack on the system, providing a basis for investigation and evidence collection.
Description of drawings
Fig. 1 is a flow chart of the state-machine-based security monitoring correlation analysis method of the present invention.
Embodiment
The state-machine-based security monitoring correlation analysis method proposed by the present invention is described below with reference to the drawings and embodiments.
As shown in Fig. 1, step S1 determines the security state corresponding to each attack phase of the target system's attack scenario. An attack scenario is the set of security events produced when interdependent, time-ordered interactive behaviors occur; building attack scenarios from rules makes it possible to recognize real attacks and to predict the attacker's next action. The security states generally include: target system information collected, privilege obtained, backdoor placed, and logs cleaned.
In step S2, the security events detected by each monitoring program that relate to the attack scenario are classified, and a comparison table between security states and security events is established, i.e. a table of attack phases against security events, as shown in Table 1:
Table 1: Comparison table of attack phases and security events
Attack phase | Gathering system information | Obtaining privilege | Placing a backdoor | Cleaning logs |
---|---|---|---|---|
Security events | host scan, port scan, service scan, vulnerability scan | overflow, vulnerability exploitation, directory traversal | configuration change, installation of a malicious program | log deletion |
Each attack phase in the table corresponds to one security state, and the security events listed are the events that occur when that security state is reached.
Step S3 checks and records, according to the comparison table above, the security state of the target system on which an asset resides. Specifically, when the system receives an alarm Alert_new from a monitoring program, step S31 checks whether the security state recorded for the target system in the comparison table is the predecessor of the security state corresponding to the security event in Alert_new. If so, the security state of the target system is changed to that corresponding state (step S32). For example: an alarm Alert_new is received whose security event (e.g. an overflow) corresponds to the security state "privilege obtained"; the method then checks whether the security state recorded for that system is "system information collected", and if so changes the system's security state to "privilege obtained". If the condition is not met, step S33 searches whether the target system has a recorded security event of the previous stage; if one is found, the security state of the target system is changed to the state corresponding to the security event in Alert_new. Otherwise (step S34) the security state of the system is changed to the state corresponding to the security event in the alarm, and that state is marked as uncertain.
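The procedure S31 to S34 above, together with the comparison table of step S2, is small enough to implement as a per-asset state machine. The following is an added example written for this page; it is not code from the patent or from the patentee. The event names, the IP addresses and the alarm list are constructed for illustration, and the "attack track" kept per asset is an assumed representation of the recorded security events that step S33 searches and that the patent says can serve investigation and evidence collection.

```python
"""State-machine security-state correlator following steps S1-S3 and S31-S34."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Step S1: ordered security states, one per attack phase (Table 1).
PHASES: List[str] = ["info_collected", "privilege_obtained", "backdoor_placed", "logs_cleaned"]
# Predecessor of each state; the first phase has no predecessor.
PREVIOUS: Dict[str, str] = {PHASES[i]: PHASES[i - 1] for i in range(1, len(PHASES))}

# Step S2: comparison table, security event -> security state it produces.
# The event labels are assumed names, not identifiers of any real monitor.
EVENT_TO_STATE: Dict[str, str] = {
    "host_scan": "info_collected",
    "port_scan": "info_collected",
    "service_scan": "info_collected",
    "vulnerability_scan": "info_collected",
    "overflow": "privilege_obtained",
    "vulnerability_exploit": "privilege_obtained",
    "directory_traversal": "privilege_obtained",
    "config_change": "backdoor_placed",
    "malware_install": "backdoor_placed",
    "log_deletion": "logs_cleaned",
}


@dataclass
class AssetRecord:
    """Current security state of one target plus its recorded attack track."""
    state: Optional[str] = None
    uncertain: bool = False
    # (timestamp, event, state reached, marked uncertain) for each accepted alarm
    track: List[Tuple[int, str, str, bool]] = field(default_factory=list)


class StateMachineCorrelator:
    def __init__(self) -> None:
        self.assets: Dict[str, AssetRecord] = {}

    def handle_alert(self, ts: int, target: str, event: str) -> Optional[Tuple[str, bool]]:
        """Step S3: apply one monitor alarm to the target's security state.

        Returns (new_state, uncertain), or None if the event is not in the table.
        """
        new_state = EVENT_TO_STATE.get(event)
        if new_state is None:
            return None  # not related to the attack scenario: ignored
        rec = self.assets.setdefault(target, AssetRecord())
        required = PREVIOUS.get(new_state)
        if required is None or rec.state == required:
            uncertain = False  # S31 satisfied -> S32
        elif any(st == required for _, _, st, _ in rec.track):
            uncertain = False  # S33: previous-stage event found in the track -> S32
        else:
            uncertain = True  # S34: no evidence of the previous stage
        rec.state, rec.uncertain = new_state, uncertain
        rec.track.append((ts, event, new_state, uncertain))
        return new_state, uncertain

    def attack_track(self, target: str) -> List[Tuple[int, str, str, bool]]:
        """The recorded trajectory of the attack on one target (for forensics)."""
        return list(self.assets[target].track) if target in self.assets else []


# Constructed sample alarms (timestamp, target, event), as if from several monitors.
SAMPLE_ALERTS = [
    (1, "10.0.0.5", "port_scan"),
    (2, "10.0.0.5", "vulnerability_scan"),
    (3, "10.0.0.5", "overflow"),
    (4, "10.0.0.5", "malware_install"),
    (5, "10.0.0.5", "log_deletion"),
    (6, "10.0.0.9", "malware_install"),  # no earlier phases observed: uncertain
    (7, "10.0.0.9", "ssh_login"),  # not in the comparison table: ignored
]


def run_demo(alerts=SAMPLE_ALERTS) -> Dict[str, Tuple[Optional[str], bool]]:
    """Feed the sample alarms through the correlator; return final state per target."""
    corr = StateMachineCorrelator()
    for ts, target, event in alerts:
        corr.handle_alert(ts, target, event)
    return {t: (r.state, r.uncertain) for t, r in corr.assets.items()}


if __name__ == "__main__":
    for target, (state, uncertain) in run_demo().items():
        print(target, state, "(uncertain)" if uncertain else "")
```

Two properties of the rule as written are worth noticing when deploying it. First, the uncertain flag does not carry forward: once a target is in an uncertain "backdoor placed" state, a following log deletion satisfies S31 and is recorded as certain. Second, a later alarm for an earlier phase (a new port scan against a host already at "backdoor placed") moves the state back to "information collected", since S32 always overwrites the state with the alarm's state; the track still holds the earlier phases, which is what S33 relies on.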
A security monitoring correlation analysis system based on a state machine comprises:
an attack scenario determination module, used to determine the security state corresponding to each attack phase of an attack scenario for the target system, where the attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviors occur; a comparison table establishment module, used to classify the security events detected by the target system's monitoring programs that relate to the attack scenario, and to establish a comparison table between the security states and the security events; and a security state recording module, used to check and record, according to the comparison table, the security state of the target system on which an asset resides.
The security state recording module comprises:
a predecessor state judgment module, used, when an alarm from a monitoring program is received for the target system, to check whether the security state recorded for the target system in the comparison table is the predecessor of the security state corresponding to the security event in the alarm; if so, the current security state setting module is executed, otherwise the previous stage search module is executed; a current security state setting module, used to change the security state of the target system to the security state corresponding to the security event in the alarm; a previous stage search module, used to search whether the target system has a recorded security event of the previous stage; if one is found, the current security state setting module is executed, otherwise the uncertain security state setting module is executed; and an uncertain security state setting module, used to change the security state of the target system to the security state corresponding to the security event in the alarm, and to mark this security state as uncertain.
The above embodiments serve only to illustrate the present invention and do not limit it; those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention shall be defined by the claims.
Claims (5)
1. A security monitoring correlation analysis method based on a state machine, characterized in that it comprises the following steps:
S1: determining the security state corresponding to each attack phase of an attack scenario for the target system, where the attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviors occur;
S2: classifying the security events detected by the target system's monitoring programs that relate to the attack scenario, and establishing a comparison table between the security states and the security events;
S3: checking and recording the security state of the target system according to the comparison table.
2. The state-machine-based security monitoring correlation analysis method according to claim 1, characterized in that step S3 comprises:
S31: when an alarm from a monitoring program is received for the target system, checking whether the security state recorded for the target system in the comparison table is the predecessor of the security state corresponding to the security event in the alarm; if so, performing S32, otherwise performing S33;
S32: changing the security state of the target system to the security state corresponding to the security event in the alarm;
S33: searching whether the target system has a recorded security event of the previous stage; if one is found, performing S32, otherwise performing S34;
S34: changing the security state of the target system to the security state corresponding to the security event in the alarm, and marking this security state as uncertain.
3. The state-machine-based security monitoring correlation analysis method according to claim 1 or 2, characterized in that the set of security states mainly comprises: target system information collected, privilege obtained, backdoor placed, and logs cleaned.
4. A security monitoring correlation analysis system based on a state machine, characterized in that it comprises:
an attack scenario determination module, used to determine the security state corresponding to each attack phase of an attack scenario for the target system, where the attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviors occur;
a comparison table establishment module, used to classify the security events detected by the target system's monitoring programs that relate to the attack scenario, and to establish a comparison table between the security states and the security events;
a security state recording module, used to check and record, according to the comparison table, the security state of the target system on which an asset resides.
5. The state-machine-based security monitoring correlation analysis system according to claim 4, characterized in that the security state recording module comprises:
a predecessor state judgment module, used, when an alarm from a monitoring program is received for the target system, to check whether the security state recorded for the target system in the comparison table is the predecessor of the security state corresponding to the security event in the alarm; if so, the current security state setting module is executed, otherwise the previous stage search module is executed;
a current security state setting module, used to change the security state of the target system to the security state corresponding to the security event in the alarm;
a previous stage search module, used to search whether the target system has a recorded security event of the previous stage; if one is found, the current security state setting module is executed, otherwise the uncertain security state setting module is executed;
an uncertain security state setting module, used to change the security state of the target system to the security state corresponding to the security event in the alarm, and to mark this security state as uncertain.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910243576XA CN101771582B (en) | 2009-12-28 | 2009-12-28 | Safety monitoring correlation analysis method based on state machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101771582A true CN101771582A (en) | 2010-07-07 |
CN101771582B CN101771582B (en) | 2011-12-14 |
Family
ID=42504198
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200910243576XA Active CN101771582B (en) | 2009-12-28 | 2009-12-28 | Safety monitoring correlation analysis method based on state machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101771582B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101958897A (en) * | 2010-09-27 | 2011-01-26 | 北京系统工程研究所 | Correlation analysis method of security incident and system |
CN102685095A (en) * | 2011-12-26 | 2012-09-19 | 北京安天电子设备有限公司 | Event processing method and system based on risk level |
CN103269290A (en) * | 2013-04-18 | 2013-08-28 | 中国移动通信集团陕西有限公司 | Method and device for intelligently analyzing abnormity of network based on case library |
CN103269337A (en) * | 2013-04-27 | 2013-08-28 | 中国科学院信息工程研究所 | Data processing method and device |
CN103561012A (en) * | 2013-10-28 | 2014-02-05 | 中国科学院信息工程研究所 | WEB backdoor detection method and system based on relevance tree |
CN103580900A (en) * | 2012-08-01 | 2014-02-12 | 上海宝信软件股份有限公司 | Association analysis system based on event chains |
CN103746991A (en) * | 2014-01-02 | 2014-04-23 | 曙光云计算技术有限公司 | Security event analysis method and system in cloud computing network |
CN104219193A (en) * | 2013-05-29 | 2014-12-17 | 中国电信股份有限公司 | Method and system for correlation analysis of security events |
CN106330909A (en) * | 2016-08-24 | 2017-01-11 | 华青融天(北京)技术股份有限公司 | Security event handling method |
CN107483425A (en) * | 2017-08-08 | 2017-12-15 | 北京盛华安信息技术有限公司 | Composite attack detection method based on attack chain |
CN112866220A (en) * | 2021-01-07 | 2021-05-28 | 深圳市永达电子信息股份有限公司 | Safety management and control method and system based on CIA state machine |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5414833A (en) * | 1993-10-27 | 1995-05-09 | International Business Machines Corporation | Network security system and method using a parallel finite state machine adaptive active monitor and responder |
CN1447263A (en) * | 2003-03-17 | 2003-10-08 | 上海金诺网络安全技术发展股份有限公司 | Method for handling computer network information security events |
CN101047542A (en) * | 2006-03-31 | 2007-10-03 | 中国科学院软件研究所 | Method for analysing large scale network safety |
- 2009-12-28: CN200910243576XA (patent CN101771582B) filed in CN; status Active
Also Published As
Publication number | Publication date |
---|---|
CN101771582B (en) | 2011-12-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101771582B (en) | Safety monitoring correlation analysis method based on state machine | |
CN106790186B (en) | Multi-step attack detection method based on multi-source abnormal event correlation analysis | |
CN108512841B (en) | Intelligent defense system and method based on machine learning | |
CN106888205A | A non-intrusive PLC anomaly detection method based on power consumption analysis |
CN109981328A | A fault early warning method and device |
CN103428196A (en) | URL white list-based WEB application intrusion detecting method and apparatus | |
CN105681286A (en) | Association analysis method and association analysis system | |
CN116781430B (en) | Network information security system and method for gas pipe network | |
CN101272286A (en) | Network inbreak event association detecting method | |
CN110933083B (en) | Vulnerability grade evaluation device and method based on word segmentation and attack matching | |
CN110460611B (en) | Machine learning-based full-flow attack detection technology | |
CN101902334A (en) | Real-time confirmation method and system for safety events | |
CN101902349A (en) | Method and system for detecting scanning behaviors of ports | |
CN113064932A (en) | Network situation assessment method based on data mining | |
CN105681274A (en) | Original warning information processing method and device | |
CN108491717A | An XSS defense system based on machine learning and its implementation method |
CN113852615A (en) | Method and device for monitoring lost host in multi-stage DNS (Domain name System) environment | |
CN115861173A (en) | Automatic detection system and method for accuracy of optical splitter resources based on digital twin and AI | |
CN115664703A (en) | Attack tracing method based on multi-dimensional information | |
KR101444250B1 (en) | System for monitoring access to personal information and method therefor | |
CN113381980B (en) | Information security defense method and system, electronic device and storage medium | |
Sen et al. | Towards an approach to contextual detection of multi-stage cyber attacks in smart grids | |
CN110515365B (en) | Industrial control system abnormal behavior analysis method based on process mining | |
CN104933357A (en) | Flooding attack detection system based on data mining | |
CN108848088A (en) | Safety testing system and method based on big data behavior analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP02 | Change in the address of a patent holder | Address after: Room 818, 8/F, 34 Haidian Street, Haidian District, Beijing 100080; Patentee after: BEIJING ULTRAPOWER SOFTWARE Co.,Ltd. Address before: 5th floor, Building 28, Wanliu New City, Wanquanzhuang Road, Haidian District, Beijing 100089; Patentee before: BEIJING ULTRAPOWER SOFTWARE Co.,Ltd. |