CN101938486B - Event rule relevance analysis method and device - Google Patents


Info

Publication number: CN101938486B
Authority: CN (China)
Prior art keywords: node, frame, dynamic node, dynamic, static
Legal status: Active
Application number: CN 201010279945
Other languages: Chinese (zh)
Other versions: CN101938486A (en)
Inventor: 王承志
Current assignee: Neusoft Corp
Original assignee: Neusoft Corp

Application filed by Neusoft Corp
Priority to CN 201010279945
Publication of CN101938486A
Application granted
Publication of CN101938486B
Legal status: Active

Abstract

The invention provides a multithreaded method for performing rule correlation analysis on events in an SOC (Security Operation Center) system. It comprises: predefining a plurality of rule models, each consisting of static nodes and dynamic nodes; building a frame structure in which every frame has a first part and a second part; filling collected events into the first part of the frames; while the events are being filled, using a first group of threads to match each static node against the event in each frame, and placing the dynamic node generated on a successful match into the second part of the frame corresponding to that static node; while the static nodes are being matched, using a second group of threads to match previously generated dynamic nodes against the event of the frame in which each dynamic node sits; if a dynamic node produces a successor dynamic node after a successful match, destroying that dynamic node and putting the successor into the corresponding frame; and, at the same time, generating an alarm event according to the preset behaviour of the dynamic node.

Description

Event rule relevance analysis method and device
Technical field
The present invention relates to the field of network security processing and, more specifically, to a security event rule correlation analysis method and device that process event rule correlation in parallel.
Background technology
With the development of network technology, transmitting information over networks has become a trend. However, because network intruders frequently use Trojan programs to break into networked systems and steal information, ensuring the security of information on networks is receiving more and more attention.
To ensure information security on a network, any behaviour that threatens network security usually has to be reported, that is, a security event is generated. Security events are normally generated by security systems, meaning application systems that monitor and protect user systems, such as intrusion detection systems, vulnerability scanners, audit systems, firewalls and UTM devices.
All kinds of security systems usually produce large numbers of security alarm events. The security events produced by different security systems frequently overlap, correlate with or depend on each other, and the data volume is very large. Because the security administrator has to deal with a large number of redundant and cross-related alarm events, security operations management becomes increasingly complex.
In addition, many attacks cannot be detected by a single security system alone. In such cases, only by correlating and comprehensively judging the alarm events produced by each security system can these attacks be found accurately and prevented in time. Solving these problems therefore requires rule correlation analysis technology.
Rule correlation analysis technology usually uses rule models to describe the preconditions and subsequent actions of an attack, the alarms to be produced, and so on, and the events have to be matched against the rule models. Generally a rule model takes the form of a chain or a tree, or, more intricately, a network structure, in which each node is one link in an attack scenario.
At present, two approaches to matching rule models are commonly used.
The first approach is rule correlation analysis based on serial processing, in which the alarm events produced by the security systems are matched against the rule models one by one. With this approach the priority of the models can be adjusted through their order, so it is simple to implement and convenient to debug. However, its processing efficiency is low and its throughput is not high, so it is difficult to achieve genuine scenario-based rule correlation analysis.
The second approach is rule correlation analysis based on parallel processing, which improves on serial processing by handling several rule models at the same time. Compared with serial processing, this parallel approach improves processing efficiency. However, in this parallel approach all rules are equal and have no priority, so it is still difficult to achieve genuine scenario-based rule correlation analysis.
An efficient rule model matching method is therefore needed, one that supports efficient and accurate matching and enables scenario-based rule correlation analysis.
Summary of the invention
In view of the above problems, the invention provides a multithreaded method and device for performing rule correlation analysis on events in an SOC (Security Operation Center) system. With this method and device, multiple threads can be used to match the static nodes and to match the dynamic nodes produced when a static node matches successfully, so that many complex rule models can be matched at the same time, supporting efficient and accurate matching and enabling scenario-based rule correlation analysis.
According to one aspect of the invention, a multithreaded method for performing rule correlation analysis on events in an SOC system is provided, comprising: predefining a number of rule models, each comprising static nodes and dynamic nodes, where the static node is the head node of a rule model and the dynamic nodes are its other nodes; creating a frame structure in which every frame comprises a first part and a second part; filling the events collected by the SOC system into the first part of each frame of the created frame structure; while the events are being filled, using a first group of threads to match each static node of each rule model against the event filled into each frame, producing a dynamic node when the match succeeds and filling the produced dynamic node into the second part of the frame corresponding to its static node; and, while the static nodes are being matched against the events, using a second group of threads to match the dynamic nodes previously produced by successful static node matches against the event of the frame in which each dynamic node sits, where, if a dynamic node produces a successor dynamic node after matching an event successfully, that dynamic node is destroyed, the successor dynamic node is put into the corresponding frame, and at the same time an alarm event is generated according to the preset behaviour of the dynamic node.
In one or more embodiments, the step of using a first group of threads to match each static node of each rule model against the event filled into each frame, producing a dynamic node when the match succeeds and filling it into the second part of the frame corresponding to its static node, may further comprise: (a) linking the static nodes of the rule models into a directed ring, each static node in the ring holding a reference to a frame of the created frame structure; (b) for each frame of the created frame structure, performing the following operations until every static node has been matched against the event filled into every frame: (b1) each thread obtains from the directed ring a static node that is not locked by another thread and locks it; (b2) when the obtained static node matches the event filled into the frame it currently references, a dynamic node is produced and filled into the second part of the frame corresponding to that static node, and the static node's reference is moved to the next frame; when the obtained static node does not match the event filled into the frame it currently references, processing continues with step (b3); (b3) the static node is unlocked, and steps (b1) to (b3) are performed for the next static node obtained.
In addition, in one or more embodiments, the step of using a second group of threads, while the static nodes are being matched, to match the dynamic nodes produced by earlier successful static node matches against the event of the frame in which each sits may comprise: performing the following operations for all produced dynamic nodes until every produced dynamic node has been matched against the event filled into its frame: each thread obtains from the frames of the frame structure the first dynamic node not locked by another thread and locks it; it judges whether the dynamic node matches the event filled into the frame in which it sits; when the dynamic node matches the event, it removes the dynamic node from the frame; and it unlocks the dynamic node.
In addition, preferably, after the dynamic node has been removed from the frame, if it produces a successor dynamic node, the newly produced dynamic node is put into the corresponding frame of the frame structure. The corresponding frame is the frame whose event the dynamic node matched or the frame following it.
In addition, when the matching condition between the dynamic node and the event fails, or when it is met but the required number of matches has not yet been reached, the dynamic node is moved from the frame in which it sits to the next frame.
In addition, when, starting from the first frame of the frame structure, there are consecutive frames that are referenced by no static node and contain no dynamic node, those consecutive frames are destroyed.
In one or more embodiments, the method may further comprise: obtaining the average ratio of working time to real time over the threads of the first group as a first average; obtaining the average ratio of working time to real time over the threads of the second group as a second average; and adjusting the number of threads in the first group and the second group when the first average and/or the second average exceeds a preset threshold. In addition, preferably, the maximum number of threads in the first group does not exceed the number of rule models.
According to another aspect of the invention, a multithreaded device for performing rule correlation analysis on events in an SOC system is provided, comprising: a rule model predefinition unit for predefining a number of rule models, each comprising static nodes and dynamic nodes, where the static node is the head node of a rule model and the dynamic nodes are its other nodes; a creating unit for creating a frame structure in which every frame comprises a first part and a second part; a filling unit for filling the events collected by the SOC system into the first part of each frame of the created frame structure; a static node matching unit for using, while the events are being filled, a first group of threads to match each static node of each rule model against the event filled into each frame, producing a dynamic node when the match succeeds and filling it into the second part of the frame corresponding to its static node; and a dynamic node matching unit for using, while the static nodes are being matched against the events, a second group of threads to match the dynamic nodes produced by earlier successful static node matches against the event of the frame in which each sits, where, if a dynamic node produces a successor dynamic node after a successful match, that dynamic node is destroyed, the successor is put into the corresponding frame, and at the same time an alarm event is generated according to the preset behaviour of the dynamic node.
In one or more embodiments, the static node matching unit may further comprise: a directed ring forming unit for linking the static nodes of the rule models into a directed ring in which each static node holds a reference to a frame of the created frame structure; a static node acquiring unit for using each thread, for each frame of the created frame structure, to obtain from the directed ring a static node not locked by another thread; a first judging unit for judging whether the obtained static node matches the event filled into the frame it currently references; a dynamic node generation unit for producing a dynamic node of the rule model when the obtained static node matches the event filled into the frame it currently references, and filling the produced dynamic node into the second part of the frame corresponding to its static node; a reference changing unit for moving the obtained static node's reference to the next frame when the obtained static node matches that event; and a static node locking/unlocking unit for locking the static node obtained by the static node acquiring unit and unlocking it once the matching between the obtained static node and the event filled into the frame it currently references is complete.
In addition, in one or more embodiments, the dynamic node matching unit may further comprise: a dynamic node acquiring unit for using each thread, for all produced dynamic nodes, to obtain from the frames of the frame structure the first dynamic node not locked by another thread; a second judging unit for judging whether the dynamic node matches the event filled into the frame in which it sits; a dynamic node removing unit for removing the dynamic node from the frame once the matching between the dynamic node and the event is complete; and a dynamic node locking/unlocking unit for locking the dynamic node obtained by the dynamic node acquiring unit and unlocking it once the matching between the obtained dynamic node and the event filled into the frame in which it sits is complete.
In addition, after the dynamic node has matched the event successfully, if it produces a successor dynamic node, the filling unit puts the newly produced dynamic node into the corresponding frame of the frame structure. The corresponding frame is the frame whose event the dynamic node matched or the frame following it.
In addition, when the matching condition between the dynamic node and the event fails, or when it is met but the required number of matches has not yet been reached, the dynamic node removing unit moves the dynamic node from the frame in which it currently sits to the next frame.
In addition, the device may further comprise a destruction unit for destroying consecutive frames that, starting from the first frame of the frame structure, are referenced by no static node and contain no dynamic node.
In addition, preferably, the device may further comprise: a first acquiring unit for obtaining the average ratio of working time to real time over the threads of the first group as a first average; a second acquiring unit for obtaining the average ratio of working time to real time over the threads of the second group as a second average; and a thread number adjustment unit for adjusting the number of threads in the first group and the second group when the first average and/or the second average exceeds a preset threshold.
To achieve the above and related objects, one or more aspects of the invention comprise the features described in detail below and particularly pointed out in the claims. The following description and the accompanying drawings describe certain illustrative aspects of the invention in detail. These aspects, however, indicate only some of the various ways in which the principles of the invention may be employed. Furthermore, the invention is intended to include all such aspects and their equivalents.
Description of drawings
Other objects and results of the invention will be understood and more readily appreciated by reference to the following description taken in conjunction with the drawings and the claims, and as the invention becomes more fully understood. In the drawings:
Fig. 1 is a flow chart of a multithreaded method for performing rule correlation analysis on events in an SOC system according to an embodiment of the invention;
Fig. 2 is a diagram of the created frame structure according to the invention;
Fig. 3 is a diagram of the frame structure after events have been filled in, according to the invention;
Fig. 4 is a flow chart of one example of the process, in the method of Fig. 1, of matching each static node against the event filled into each frame of the created frame structure;
Fig. 5 is a diagram of the initial state, in which all static nodes point to the first frame;
Fig. 6 is a diagram of the processing of the next static node;
Fig. 7 is a diagram of the state after matching has been completed for all static nodes on the same frame;
Fig. 8 is a flow chart of one example of the process, in the method of Fig. 1, of matching the produced dynamic nodes against the event filled into the frame in which each sits;
Fig. 9 is a diagram of the case in which the matching condition fails or is met but the number of matches is insufficient;
Fig. 10 is a diagram of the destruction of frames;
Fig. 11 is a block diagram of a multithreaded device for performing rule correlation analysis on events in an SOC system according to the invention;
Fig. 12 is a block diagram of one example of the static node matching unit in the device of Fig. 11; and
Fig. 13 is a block diagram of one example of the dynamic node matching unit in the device of Fig. 11.
The same reference numerals in all the drawings indicate similar or corresponding features or functions.
Embodiment
Various aspects of the disclosure are described below. It should be understood that the teachings herein may be embodied in a wide variety of forms, and that any specific structure, function, or both disclosed herein is merely representative. Based on the teachings herein, those skilled in the art should appreciate that an aspect disclosed herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented or a method practised using any number of the aspects set forth herein. In addition, such an apparatus may be implemented or such a method practised using other structure, functionality, or structure and functionality in addition to or other than one or more of the aspects set forth herein. Furthermore, any aspect described herein may comprise at least one element of a claim.
Those skilled in the art will understand that the term "static node" as used herein refers to the head node of a data structure such as a chain, tree or network structure; the head node is designated when the rule model is built. The term "dynamic node" refers to a member node (also called a non-head node) of such a chain, tree or network structure.
Specific embodiments of the invention are described in detail below with reference to the drawings.
Fig. 1 is a flow chart of a multithreaded method for performing rule correlation analysis on events in an SOC system according to an embodiment of the invention.
As shown in Fig. 1, first, in step S110, when the system starts, a number of rule models are predefined. Each rule model comprises static nodes and dynamic nodes: the static node is the head node of the rule model and the dynamic nodes are its other nodes.
Then, in step S120, a frame structure is created in which every frame comprises a first part, used to hold an alarm event, and a second part, used to hold dynamic nodes of the rule models. Fig. 2 shows the created frame structure. As shown in Fig. 2, at system start the frame structure is generally a single empty frame, that is, both the first part and the second part of the frame are empty.
After the frame structure has been created, in step S130, the events collected by the SOC system are filled into the first part of the frames. Specifically, after a security system produces an event (for example, an alarm event), the event is placed in the first part of the first frame and an empty frame is appended after it; when the next event is collected, it is placed in the first part of that frame and another empty frame is appended, and so on. In other words, each arriving event is placed in the first part of the last frame and an empty frame is appended after that frame, so that a sequence of events is distributed over the frames of the created frame structure. Fig. 3 shows the frame structure after events have been filled in.
In step S140, while the events are being filled, a first group of threads may be used to match the static nodes of the rule models against the event filled into each frame of the created frame structure, producing a dynamic node when a match succeeds and filling the produced dynamic node into the second part of the frame corresponding to its static node. The detailed process of using the first group of threads to match the static nodes against the events in the frames is described below with reference to Figs. 4 to 7.
After a static node has matched successfully and produced a dynamic node, in step S150, while the static nodes are being matched against the events, a second group of threads may be used to match the dynamic nodes produced by earlier successful static node matches against the event of the frame in which each sits. If a dynamic node produces a successor dynamic node after matching an event successfully, the dynamic node is destroyed, the successor is filled into the corresponding frame, and at the same time an alarm event is generated according to the preset behaviour of the dynamic node. This process can run concurrently with the matching of static nodes against events. The detailed process of using the second group of threads to match the dynamic nodes against the events of their frames is described below with reference to Figs. 8 to 10.
Fig. 4 is a flow chart of one example of the process, in the method of Fig. 1, of matching each static node against the event filled into each frame of the created frame structure.
As shown in Fig. 4, first, in step S410, all static nodes extracted from the rule models are linked into a directed ring, each static node in the ring holding a reference to a frame of the created frame structure.
Then, for each frame of the created frame structure, each thread obtains from the directed ring a static node not locked by another thread and locks it. Specifically, for example, first, in step S415, each thread of the first group (hereafter a "static thread") obtains a static node from the directed ring. After obtaining the static node, in step S420 the thread judges whether the static node is locked by another thread. If it is, in step S425 the next static node is obtained from the directed ring and the flow returns to step S420. If it is not locked by another thread, the flow proceeds to step S430, where the static node is locked. It should be noted that the process shown in Fig. 4 is only an example; obtaining an unlocked static node from the directed ring and locking it may be implemented in other ways.
After the static node has been locked, in step S435 the thread judges whether the first part of the frame currently referenced by the static node contains an event. If not, the flow proceeds to step S440; otherwise it proceeds to step S445.
In step S440, the static thread sleeps and waits until a new event has been filled into the frame structure, after which it is woken again. The flow then proceeds to step S455.
In step S445, the thread judges whether the obtained static node matches the event filled into the frame it currently references. If it does, the flow proceeds to step S450; otherwise it proceeds to step S455.
In step S450, a dynamic node of the rule model is produced and filled into the second part of the currently referenced frame (that is, the frame corresponding to the static node), and the static node's reference is moved to the next frame. The flow then proceeds to step S455.
In step S455, the static node is unlocked, and the flow proceeds to step S460. In step S460, the thread judges whether matching has been completed for all static nodes on the currently referenced frame. If so, the flow proceeds to step S465; if not, it returns to step S415. Fig. 5 shows the initial state, in which all static nodes point to the first frame. Fig. 6 shows the processing of the next static node.
In addition, after all static nodes have completed matching against the same frame, the references to that frame are removed. Fig. 7 shows the state after matching has been completed for all static nodes on the same frame.
In step S465, the thread judges whether matching has been completed for all frames. If so, the flow ends; otherwise it returns to step S415 and matching proceeds with the next frame.
Fig. 4 shows the workflow of a static thread. This flow is executed cyclically; when there is no event to match, that is, when all static nodes reference the last, empty frame, the static threads sleep until a new event is produced and filled into the frame structure, at which point they are woken again.
Fig. 8 shows the flow chart of an example of the process that the event that the dynamic node that produces and frame that this dynamic node is arranged in are inserted in the method for Fig. 1 mates.
As shown in Figure 8, at first, in step S810, each thread (hereafter is " dynamically thread ") that is used for second group of thread of dynamic node obtains a dynamic node from the frame of described frame structure.Particularly, each dynamic thread travels through frame since the first frame, if comprise dynamic node in frame, travels through dynamic node.
After a dynamic node has been obtained, step S815 checks whether that dynamic node is locked by another dynamic thread. If it is, the thread obtains the next dynamic node and returns to step S815; otherwise the flow proceeds to step S825.
In step S825 the dynamic node is locked. Step S830 then checks whether the frame in which the dynamic node is located contains any event. If it does, the flow proceeds to step S835; otherwise it proceeds to step S865, where the dynamic thread goes to sleep and waits to be woken up once a new event has been inserted into the created frame structure, after which the flow proceeds to step S875.
Step S835 checks whether matching has timed out. If it has, the dynamic node is removed from the current frame in step S840; otherwise the flow proceeds to step S845.
Step S845 checks whether the dynamic node matches the event. If the match succeeds, the dynamic node is removed from the current frame in step S850, and step S855 then checks whether a subsequent new dynamic node is to be produced. If so, step S860 inserts the newly produced dynamic node into the corresponding frame of the frame structure, which is either the frame in which this dynamic node matched or the frame following it. The flow then proceeds to step S875.
If step S845 finds that the match is unsuccessful, the flow proceeds to step S870, where the dynamic node is moved into the frame following the current one. Note that an unsuccessful match covers two cases: the matching condition failed, or the matching condition succeeded but the required number of matches has not yet been reached. In either case the dynamic node is moved into the next frame and matching continues there. Fig. 9 illustrates the case in which the matching condition fails or succeeds with an insufficient count. The flow then proceeds to step S875.
In step S875 the dynamic node is unlocked. Step S880 then checks whether matching has been completed for all dynamic nodes. If so, the flow ends; otherwise it returns to step S810.
Fig. 8 shows the workflow of a dynamic thread. This flow is executed cyclically: when there is no event left to match (all dynamic nodes have been moved into the last, empty frame), the dynamic thread goes to sleep, and it is woken up only when a new alert event is produced and placed into a frame of the created frame structure.
In addition, during the above processing, if a run of consecutive frames starting from the first frame of the frame structure is neither referenced by any static node nor contains any dynamic node, those consecutive frames can be destroyed. Frame destruction is not carried out at the same time as static-node or dynamic-node matching. Destroying unused frames promptly reduces memory overhead and prevents memory exhaustion. Fig. 10 illustrates the destruction of frames.
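As an added illustration (not code from the patent or from Neusoft), the following Python model implements in a single process the static-node and dynamic-node matching described for Figs. 8 to 10: each static node holds a reference to a frame and advances through the frame structure, producing the rule's first dynamic node in the frame's second part when its head condition matches an event in the first part; each dynamic node matches the events of the frame it sits in, moves to the next frame when its condition fails or the required count is not yet reached, is discarded when it has waited longer than its timeout, spawns its successor in the following frame once satisfied, and fires the rule's preset alert when the chain completes; and the leading run of frames that no static node references and that hold no dynamic node is destroyed. The two thread groups and the per-node locking are replaced by two sequential passes; the rule model, the event layout (`type`/`src` dictionaries), the `Engine` API and the sample frames are all constructed for this example and are not part of the patent.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List
# A rule model is a chain of conditions; conditions[0] is the static (head) node and the
# rest become dynamic nodes. pred(event, context) -> bool; count = matches required before
# the node is satisfied; timeout = frames a dynamic node may wait beyond its birth frame.
Condition = namedtuple("Condition", "pred count timeout", defaults=(1, 3))
Rule = namedtuple("Rule", "conditions key alert")  # key(head event) -> scenario context

@dataclass
class DynamicNode:
    rule: Rule
    step: int      # index into rule.conditions, always >= 1
    context: dict  # scenario context captured from the head event (here: the source address)
    born: int      # index of the frame in which the node was produced
    hits: int = 0  # matches accumulated so far for rule.conditions[step]

class Engine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.frames: Dict[int, dict] = {}   # index -> {"events": first part, "dynamic": second part}
        self.next_index = 0                  # index of the frame that will be filled next
        self.static_ref = [0] * len(rules)   # frame each static node currently references
        self.alerts: List[dict] = []

    def frame(self, i: int) -> dict:
        return self.frames.setdefault(i, {"events": [], "dynamic": []})

    def push_frame(self, events: List[dict]) -> None:
        """Fill the next frame, then run the static pass, the dynamic pass and frame destruction."""
        i = self.next_index
        self.frame(i)["events"].extend(events)
        self.next_index += 1
        self._static_pass()
        self._dynamic_pass(i)
        self._destroy_idle_frames()

    def _static_pass(self) -> None:
        for n, rule in enumerate(self.rules):
            for i in range(self.static_ref[n], self.next_index):
                for ev in self.frame(i)["events"]:
                    if rule.conditions[0].pred(ev, {}):  # head matched: spawn first dynamic node
                        self.frame(i)["dynamic"].append(DynamicNode(rule, 1, rule.key(ev), i))
            self.static_ref[n] = self.next_index  # the static node's reference moves on

    def _dynamic_pass(self, current: int) -> None:
        for i in sorted(k for k in self.frames if k <= current):
            f = self.frames[i]
            pending, f["dynamic"] = f["dynamic"], []
            for node in pending:
                cond = node.rule.conditions[node.step]
                if i - node.born > cond.timeout:
                    continue  # matching timed out: the node is discarded
                node.hits += sum(1 for ev in f["events"] if cond.pred(ev, node.context))
                if node.hits < cond.count:  # condition failed or count not yet reached
                    self.frame(i + 1)["dynamic"].append(node)
                elif node.step + 1 < len(node.rule.conditions):  # satisfied, chain continues
                    self.frame(i + 1)["dynamic"].append(
                        DynamicNode(node.rule, node.step + 1, node.context, i))
                else:  # satisfied and chain complete: the rule's preset behaviour fires
                    self.alerts.append({"alert": node.rule.alert, "frame": i, **node.context})

    def _destroy_idle_frames(self) -> None:
        # Release the leading run of frames that no static node references and that hold no
        # dynamic node, so memory does not grow with the length of the event stream.
        while self.frames:
            i = min(self.frames)
            if i in self.static_ref or self.frames[i]["dynamic"]:
                break
            del self.frames[i]

def same_src(kind):
    return lambda ev, ctx: ev["type"] == kind and ev["src"] == ctx["src"]

# Hypothetical rule model: a scan, then 3 failed logins from the same source within 3
# frames, then a successful login from that source within 3 further frames.
SCAN_BRUTE_FORCE = Rule(
    conditions=[
        Condition(lambda ev, _: ev["type"] == "scan"),          # static node
        Condition(same_src("login_fail"), count=3, timeout=3),  # dynamic node 1
        Condition(same_src("login_ok"), timeout=3),             # dynamic node 2
    ],
    key=lambda ev: {"src": ev["src"]},
    alert="credential brute force after scan",
)

E = lambda t, s: {"type": t, "src": s}  # constructed sample event, not real SOC data
SAMPLE_FRAMES = [[E("scan", "10.0.0.5"), E("scan", "10.0.0.9")],      # frame 0
                 [E("login_fail", "10.0.0.5")] * 2,                    # frame 1
                 [E("login_fail", "10.0.0.5")],                        # frame 2
                 [E("login_ok", "10.0.0.5")],                          # frame 3
                 []]  # frame 4: nothing more from 10.0.0.9, so its node times out

def run(frames=SAMPLE_FRAMES) -> Engine:
    eng = Engine([SCAN_BRUTE_FORCE])
    for f in frames:
        eng.push_frame(f)
    return eng
```

On the constructed frames, `run()` raises exactly one alert, for 10.0.0.5 in frame 3, while the scenario opened by the scan from 10.0.0.9 never gets its failed logins and is discarded once its dynamic node has waited past its timeout; after the last frame every frame has been destroyed. A multithreaded implementation would take a per-node lock around the match step and wake the dynamic threads when a frame is filled, as the flow above describes; the rest of the bookkeeping is unchanged.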
In addition, because the events being processed are normally produced by network attacks, failures and the like, they are unpredictable, and so the production of dynamic nodes during matching is unpredictable as well. To make the multithreaded event rule correlation analysis method of the invention more efficient, the numbers of static threads and dynamic threads can preferably be adjusted according to the running time and real (elapsed) time of the threads. Specifically, the mean of the ratio of running time to real time over the threads of the first group (the static threads) is obtained as a first mean value, and the mean of the same ratio over the threads of the second group (the dynamic threads) is obtained as a second mean value. The first mean value and/or the second mean value is then compared with a preset threshold, and when the first and/or the second mean value exceeds the preset threshold, the numbers of threads in the first and second groups are adjusted. Preferably, the number of threads in the first group (the static threads) never exceeds the number of rule models (that is, the number of static nodes). Under this constraint, when there are many dynamic nodes the number of dynamic threads can be increased, for example by "borrowing" threads that are idle in the static thread group for dynamic-node matching; and when there are few dynamic nodes the number of dynamic threads can be reduced, with the freed threads preferably given back to the static nodes.
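To make the adjustment rule concrete, here is an added example (not the patent's code) that computes the first and second mean values from per-thread running-time and real-time samples and applies one hypothetical rebalancing policy: a single thread is moved between the two groups per adjustment, the total thread count stays fixed, and the static group is capped at one thread per rule model. The `ThreadStats` layout, the `high` and `low` thresholds and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ThreadStats:
    run_time: float   # time the thread actually spent matching during the sampling window
    real_time: float  # wall-clock length of that window

def mean_busy_ratio(group: List[ThreadStats]) -> float:
    """Mean of run_time / real_time over one thread group (0.0 for an empty group)."""
    return sum(s.run_time / s.real_time for s in group) / len(group) if group else 0.0

def rebalance(static: List[ThreadStats], dynamic: List[ThreadStats], n_rule_models: int,
              high: float = 0.8, low: float = 0.3) -> Tuple[int, int]:
    """Return the (static, dynamic) thread counts to use for the next window.

    Hypothetical policy: the total count stays fixed and one thread moves per adjustment.
    A busy dynamic group borrows a thread from an idle static group; a busy static group
    takes one back from an idle dynamic group, but never beyond one thread per rule model.
    """
    n_static, n_dynamic = len(static), len(dynamic)
    first_mean, second_mean = mean_busy_ratio(static), mean_busy_ratio(dynamic)
    if second_mean > high and first_mean < low and n_static > 1:
        return n_static - 1, n_dynamic + 1          # many dynamic nodes: lend a static thread
    if first_mean > high and second_mean < low and n_dynamic > 1 and n_static < n_rule_models:
        return n_static + 1, n_dynamic - 1          # few dynamic nodes: give the thread back
    return n_static, n_dynamic
```

The busy ratio is what the patent measures; the two "other group is idle" conditions are the example's own guard so that a thread is only moved when it will actually be used, and the rule-model cap is the constraint stated in the text above.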
The event rule correlation analysis method based on multithreading for an SOC system according to the invention has been described in detail above with reference to Figs. 1 to 10. The method may be implemented in software, in hardware, or in a combination of software and hardware.
Fig. 11 shows a block diagram of an event rule correlation analysis device 1100 according to the invention, which performs rule correlation analysis on events, based on multithreading, for an SOC system.
As shown in Fig. 11, the device 1100 comprises a rule model predefinition unit 1110, a creating unit 1130, a filling unit 1150, a static node matching unit 1170 and a dynamic node matching unit 1190.
When the system starts, the rule model predefinition unit 1110 predefines a number of rule models. Each rule model comprises a static node and dynamic nodes; the static node is the head node of the rule model and the dynamic nodes are its nodes other than the head node.
The creating unit 1130 then creates a frame structure in which every frame comprises a first part, used to hold events, and a second part, used to hold dynamic nodes of the rule models.
After the SOC system has collected events, the filling unit 1150 inserts the collected events into the first part of each frame of the created frame structure.
While the events are being filled in, the static node matching unit 1170 uses a first group of threads to match each static node of the rule models against the events inserted in each frame of the created frame structure, producing a dynamic node whenever a match succeeds. While the static nodes are being matched against events, the dynamic node matching unit 1190 uses a second group of threads to match each dynamic node produced by an earlier successful static-node match against the events of the frame in which that dynamic node is located.
The device 1100 may further comprise a destroying unit (not shown), which destroys a run of consecutive frames when, starting from the first frame of the frame structure, those consecutive frames are neither referenced by any static node nor contain any dynamic node.
Preferably, the device 1100 may further comprise a first acquiring unit (not shown) for obtaining the mean of the ratio of running time to real time of each thread of the first group of threads as a first mean value; a second acquiring unit (not shown) for obtaining the mean of the ratio of running time to real time of each thread of the second group of threads as a second mean value; and a thread number adjustment unit (not shown) for adjusting the numbers of threads in the first and second groups when the first mean value and/or the second mean value exceeds a preset threshold. The number of threads in the first group does not exceed the number of rule models; in other words, the number of static threads does not exceed the number of static nodes.
Fig. 12 shows a block diagram of an example of the static node matching unit 1170 included in the device 1100 of Fig. 11.
As shown in Fig. 12, the static node matching unit 1170 comprises a directed loop forming unit 1171, a static node acquiring unit 1172, a first judging unit 1173, a dynamic node generating unit 1174, a reference relationship changing unit 1175 and a static node locking/unlocking unit 1176.
The directed loop forming unit 1171 links the static nodes of the rule models into a directed loop, in which each static node holds a reference to a frame of the created frame structure.
For each frame of the created frame structure, the static node acquiring unit 1172 uses each thread of the first group of threads (the static threads) to obtain from the directed loop a static node that is not locked by another thread. The first judging unit 1173 then judges whether the obtained static node matches the events inserted in the frame it currently references.
When the obtained static node matches an event inserted in the currently referenced frame, the dynamic node generating unit 1174 produces the dynamic node of the rule model and fills it into the second part of that frame. Also, when the obtained static node matches an event inserted in the currently referenced frame, the reference relationship changing unit 1175 moves the static node's reference to the next frame.
The static node locking/unlocking unit 1176 locks the static node obtained by the static node acquiring unit 1172 and unlocks it once the matching of that static node against the events inserted in the currently referenced frame has been completed.
Fig. 13 shows a block diagram of an example of the dynamic node matching unit 1190 included in the device 1100 of Fig. 11. As shown in Fig. 13, the dynamic node matching unit 1190 comprises a dynamic node acquiring unit 1191, a second judging unit 1192, a dynamic node removing unit 1193 and a dynamic node locking/unlocking unit 1194.
For all the dynamic nodes that have been produced, the dynamic node acquiring unit 1191 uses each thread of the second group of threads (the dynamic threads) to obtain from the frames of the frame structure the first dynamic node that is not locked by another thread. The second judging unit 1192 then judges whether that dynamic node matches the events inserted in the frame in which it is located.
When matching between the dynamic node and the events has been completed, the dynamic node removing unit 1193 removes the dynamic node from the frame. Specifically, when the dynamic node matches an event, the dynamic node removing unit 1193 removes it from the frame; if the dynamic node then produces a subsequent dynamic node, the filling unit 1150 puts the newly produced dynamic node into the corresponding frame of the frame structure, which is either the frame in which the dynamic node matched or the frame following it. When the dynamic node does not match the events and matching has timed out, the dynamic node removing unit 1193 deletes the dynamic node from the frame in which it is located. When the matching condition between the dynamic node and the alert events fails, or the match succeeds but the number of matches is insufficient, the dynamic node removing unit 1193 moves the dynamic node from its current frame into the next frame.
The dynamic node locking/unlocking unit 1194 locks the dynamic node obtained by the dynamic node acquiring unit 1191 and unlocks it once the matching of that dynamic node against the events inserted in the frame in which it is located has been completed.
Beneficial effects
From the detailed description of the embodiments of the invention given above with reference to the drawings, it is readily seen that the event rule correlation analysis method and device provided by the invention can use multiple threads to match both the static nodes and the dynamic nodes that are produced when a static node matches successfully. Several complex rule models can thus be matched at the same time, which supports efficient and accurate matching and realises scenario-based rule correlation analysis.
Although the foregoing disclosure shows exemplary embodiments of the invention, it should be noted that the functions, steps and/or actions of the method claims according to the embodiments described herein need not be performed in any particular order. Furthermore, although elements of the invention may be described or claimed in the singular, the plural is also contemplated unless a limitation to the singular is explicitly stated.
Although the embodiments of the event rule correlation analysis method and device according to the invention have been described above with reference to Figs. 1 to 13, those skilled in the art will understand that various improvements may be made to the method and device proposed by the invention without departing from its substance. The scope of protection of the invention is therefore to be determined by the appended claims.

Claims (17)

  1. A method for performing rule correlation analysis on events, based on multithreading, for a security operations center system, comprising:
    predefining a number of rule models, each rule model comprising a static node and dynamic nodes, the static node being the head node of the rule model and the dynamic nodes being the nodes of the rule model other than the head node;
    creating a frame structure in which every frame comprises a first part and a second part;
    inserting the events collected by the security operations center system into the first part of each frame of the created frame structure;
    while the events are being inserted, using a first group of threads to match each static node of each rule model against the events inserted in each frame of the created frame structure, producing a dynamic node when a match succeeds, and inserting the produced dynamic node into the second part of the frame corresponding to its static node; and
    while the static nodes are being matched against the events, using a second group of threads to match each dynamic node previously produced by a successful static-node match against the events of the frame in which that dynamic node is located,
    wherein, if a subsequent dynamic node of a dynamic node is produced after the dynamic node successfully matches an event, the dynamic node is destroyed and the subsequent dynamic node is put into the corresponding frame of the dynamic node, and at the same time an alarm event is generated according to the preset behaviour of the dynamic node.
  2. The method of claim 1, wherein the step of using a first group of threads to match each static node of each rule model against the events inserted in each frame of the created frame structure, producing a dynamic node when a match succeeds and inserting the dynamic node into the second part of the frame corresponding to its static node, further comprises:
    (a) linking the static nodes of the rule models into a directed loop, each static node in the directed loop holding a reference to a frame of the created frame structure;
    (b) performing the following operations for each frame of the created frame structure until the matching of each static node against the events inserted in each frame of the created frame structure has been completed:
    (b1) each thread obtains from the directed loop a static node that is not locked by another thread and locks that static node;
    (b2) when the obtained static node successfully matches an event inserted in the frame it currently references, a dynamic node is produced and inserted into the second part of the frame corresponding to the static node, and the static node's reference is moved to the next frame; when the obtained static node fails to match the events inserted in the currently referenced frame, the processing of step (b3) is performed;
    (b3) the static node is unlocked, and steps (b1) to (b3) are performed for the next static node obtained.
  3. The method of claim 2, wherein the step of using a second group of threads to match each dynamic node previously produced by a successful static-node match against the events of the frame in which that dynamic node is located further comprises:
    performing the following operations for all produced dynamic nodes until all produced dynamic nodes have been matched against the events inserted in the frames in which they are located:
    each thread obtains from the frames of the frame structure the first dynamic node that is not locked by another thread and locks that dynamic node;
    judging whether the dynamic node successfully matches an event inserted in the frame in which it is located;
    when the dynamic node successfully matches the event, removing the dynamic node from the frame; and
    unlocking the dynamic node.
  4. The method of claim 3, further comprising, after the step of removing the dynamic node from the frame:
    when the dynamic node produces a subsequent dynamic node, putting the newly produced dynamic node into the corresponding frame of the frame structure.
  5. The method of claim 4, wherein the corresponding frame of the frame structure is the frame in which the dynamic node matched or the frame following that frame.
  6. The method of claim 3, further comprising:
    when the matching condition between the dynamic node and the event fails, or the match succeeds but the number of matches is insufficient, moving the dynamic node from the frame in which it is located into the next frame.
  7. The method of claim 1, further comprising:
    when, starting from the first frame of the frame structure, there are consecutive frames that are not referenced by any static node and contain no dynamic node, destroying those consecutive frames.
  8. The method of claim 1, further comprising:
    obtaining the mean of the ratio of running time to real time of each thread of the first group of threads as a first mean value;
    obtaining the mean of the ratio of running time to real time of each thread of the second group of threads as a second mean value; and
    adjusting the numbers of threads in the first group and the second group when the first mean value and/or the second mean value exceeds a preset threshold.
  9. The method of claim 2, wherein the number of threads in the first group does not exceed the number of rule models.
  10. A device for performing rule correlation analysis on events, based on multithreading, for a security operations center system, comprising:
    a rule model predefinition unit for predefining a number of rule models, each rule model comprising a static node and dynamic nodes, the static node being the head node of the rule model and the dynamic nodes being the nodes of the rule model other than the head node;
    a creating unit for creating a frame structure in which every frame comprises a first part and a second part;
    a filling unit for inserting the events collected by the security operations center system into the first part of each frame of the created frame structure;
    a static node matching unit for, while the events are being filled in, using a first group of threads to match each static node of each rule model against the events inserted in each frame of the created frame structure, producing a dynamic node when a match succeeds, and inserting the produced dynamic node into the second part of the frame corresponding to its static node; and
    a dynamic node matching unit for, while the static nodes are being matched against the events, using a second group of threads to match each dynamic node previously produced by a successful static-node match against the events of the frame in which that dynamic node is located, wherein, if a subsequent dynamic node of a dynamic node is produced after the dynamic node successfully matches an event, the dynamic node is destroyed and the subsequent dynamic node is put into the corresponding frame of the dynamic node, and at the same time an alarm event is generated according to the preset behaviour of the dynamic node.
  11. The device of claim 10, wherein the static node matching unit further comprises:
    a directed loop forming unit for linking the static nodes of the rule models into a directed loop, each static node in the directed loop holding a reference to a frame of the created frame structure;
    a static node acquiring unit for, for each frame of the created frame structure, using each thread to obtain from the directed loop a static node that is not locked by another thread;
    a first judging unit for judging whether the obtained static node matches the events inserted in the frame it currently references;
    a dynamic node generating unit for, when the obtained static node successfully matches an event inserted in the currently referenced frame, producing the dynamic node of the rule model and inserting the produced dynamic node into the second part of the frame corresponding to its static node;
    a reference relationship changing unit for, when the obtained static node successfully matches an event inserted in the currently referenced frame, moving the static node's reference to the next frame; and
    a static node locking/unlocking unit for locking the static node obtained by the static node acquiring unit and unlocking that static node once the matching between it and the events inserted in the currently referenced frame has been completed.
  12. The device of claim 10, wherein the dynamic node matching unit further comprises:
    a dynamic node acquiring unit for, for all produced dynamic nodes, using each thread to obtain from the frames of the frame structure the first dynamic node that is not locked by another thread;
    a second judging unit for judging whether the dynamic node matches the events inserted in the frame in which it is located;
    a dynamic node removing unit for removing the dynamic node from the frame when the matching between the dynamic node and the events has been completed; and
    a dynamic node locking/unlocking unit for locking the dynamic node obtained by the dynamic node acquiring unit and unlocking that dynamic node once the matching between it and the events inserted in the frame in which it is located has been completed.
  13. The device of claim 12, wherein, after the dynamic node successfully matches the event, if the dynamic node produces a subsequent dynamic node, the filling unit puts the newly produced dynamic node into the corresponding frame of the frame structure.
  14. The device of claim 13, wherein the corresponding frame of the frame structure is the frame in which the dynamic node matched or the frame following that frame.
  15. The device of claim 12, wherein, when the matching condition between the dynamic node and the event fails, or the match succeeds but the number of matches is insufficient, the dynamic node removing unit moves the dynamic node from the frame in which it is currently located into the next frame.
  16. The device of claim 10, further comprising:
    a destroying unit for destroying consecutive frames when, starting from the first frame of the frame structure, there are consecutive frames that are not referenced by any static node and contain no dynamic node.
  17. The device of claim 10, further comprising:
    a first acquiring unit for obtaining the mean of the ratio of running time to real time of each thread of the first group of threads as a first mean value;
    a second acquiring unit for obtaining the mean of the ratio of running time to real time of each thread of the second group of threads as a second mean value; and
    a thread number adjustment unit for adjusting the numbers of threads in the first group and the second group when the first mean value and/or the second mean value exceeds a preset threshold.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN 201010279945     2010-09-09     2010-09-09   Event rule relevance analysis method and device (granted as CN101938486B, legal status Active)

Publications (2)

Publication Number  Publication Date
CN101938486A (en)   2011-01-05
CN101938486B (en)   2013-06-12


Citations (4)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN1862534A *     2005-11-24  2006-11-15  华为技术有限公司 (Huawei Technologies Co., Ltd.)  Method for managing and maintaining static range matching table
CN1878093A *     2006-07-19  2006-12-13  华为技术有限公司 (Huawei Technologies Co., Ltd.)  Security event associative analysis method and system
KR100817799B1 *  2006-10-13  2008-03-31  한국정보보호진흥원 (Korea Information Security Agency)  System and method for network vulnerability analysis using multiple heterogeneous scanners
CN101355451A *   2008-09-09  2009-01-28  中兴通讯股份有限公司 (ZTE Corporation)  Method and system for analyzing alarm correlativity


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
贺蓉 (He Rong) et al., 《联合挖掘发现网络安全事件》 (Discovering network security events by joint mining), 《计算机系统应用》 (Computer Systems & Applications), 2006-02-28, No. 2, full text *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant