Summary of the invention
The object of the invention is to use space-time window filtering of event streams, fast dynamic parsing of log strings by prefix matching, a high-performance algorithm for massive volumes of multi-dimensional events, an event server, and modern communication techniques, among other advanced technologies, to perform correlation analysis at a rate exceeding 100,000 network security events per second, so as to discover in real time the potential security hazards present in a network and to alarm on and prevent abnormal states in a timely manner. To that end, all kinds of security logs and events continuously produced by the complex IT resources of a computer network and by its security protection facilities in operation are collected, transmitted, analyzed and published under one unified, digitally managed process. The result is a correlation analysis system of advanced level that provides effective, long-term management and decision-making support for the security of complex IT resources across regions and across multiple computer networks.
In order to realize the above object, the present invention adopts the following technical scheme:
The network security event correlation analysis system is a computer network security monitoring system based on distributed real-time collection, multi-point cooperative operation, a mixed interconnection pattern of event streams and a historical event database, script-driven engines, real-time correlation analysis while events are occurring, and correlation analysis of historical events afterwards. Its aim is to improve the degree to which a network operation and maintenance department truly understands the real-time running state of the network under its jurisdiction, to strengthen its ability to react quickly to network security faults, to lay a foundation for the security protection of the collected business systems and for the analysis of operating behaviour on the user network, and to form, together with existing network security means, a new network security monitoring platform of the "Alliance Defense" type.
The network security event correlation analysis system of the present invention comprises a network security event acquisition layer, a communication network layer, a correlation analysis layer and a management presentation layer, wherein:
(1) Network security event acquisition layer:
Comprises the collecting devices that gather data sources such as the state, logs and network packets of network security devices, network equipment, host server equipment, operating systems, databases and middleware, and is responsible for gathering the required network security event information.
Network security devices include firewalls, IPS (Intrusion Prevention System) and IDS (Intrusion Detection System); network equipment includes switches, routers and the like.
(2) Communication network layer:
Comprises the communication part. It is responsible for the fast dynamic parsing, by prefix matching of the log strings, of the logs of the various network security devices, network equipment, host server equipment, operating systems, databases and middleware; the parsed logs, state data and network packets are encapsulated according to the communication protocol, and the various network security events are transferred over the network to the correlation analysis layer.
(3) Correlation analysis layer:
This layer is the core of the whole system. It mainly comprises a correlation analysis engine server, correlation analysis scripts, an event server and a historical database server, connected to each other by data lines. The correlation analysis engine server is responsible for filtering the in-memory event stream and the database historical event stream by space-time window and for running the high-performance algorithm for massive multi-dimensional events, with a throughput itself exceeding 100,000 network security events per second, so as to analyze and preserve the complex correlation relationships among multiple network security events. The correlation analysis scripts define the alarm correlation relationships between network security events, describe the correlation analysis flow, and define which network security events participate in the correlation analysis. The event server is responsible for storing the various network security events both as an in-memory stream and as a database stream. The historical database server stores the correlation analysis result data, the network security events used during the correlation analysis process, and related data.
(4) Management presentation layer:
This layer is the management and analysis result presentation part of the whole system. It mainly comprises a historical database server, a WEB server, an application server, a core switch, workstations and other related equipment and software, connected to each other by data lines. The historical database server provides the correlation analysis result data and the detailed data of the correlation analysis process, the application server realizes the various related application functions, and the WEB server is responsible for the final data presentation. Each relevant department can obtain its own data over the Internet in browser mode according to its own authority.
In the aforesaid network security event correlation analysis system, the data come from data sources such as the state, logs and network packets of network security devices (firewalls, IPS, IDS, etc.), network equipment (switches, routers, etc.), host server equipment, operating systems, databases and middleware.
The aforesaid communication network layer is based on the TCP/IP network transmission protocol.
The aforesaid event server, correlation analysis engine server and application server all adopt a cluster mode, guaranteeing the high performance and high availability of the system.
The aforesaid correlation analysis layer not only performs correlation analysis of network security events that are currently occurring; it can also combine the currently occurring network security events with historical network security events that have already occurred and analyze them together, and it can at the same time issue predictive alarms for network security events that may occur in the future.
The aforesaid management presentation layer can not only display the correlation analysis results and the related event information as a textual list, but can also display them graphically in the form of a network equipment topology diagram.
The historical database included in the correlation analysis layer and the management presentation layer is a shared server. Because the volume of collected data is very large, and the precision required of the correlation analysis is directly proportional to the time range over which the events occurred, the form of a historical database was adopted in order to balance efficiency and correctness.
The beneficial effects of the invention are as follows. Most network security problems are not determined by a single network security event but by the interaction of multiple network security events from different times and different originating sources; merely recording and simply analyzing single network security events therefore cannot meet the needs of network security. The present invention addresses this difficulty in analyzing and judging network security problems by designing a network security event correlation analysis system. During project implementation, the main problems that frequently arise when designing a general network security event analysis system, such as real-time performance, stability and extensibility, were well solved by technical means. The system implements effective, long-term management of the security of the complex IT resources of a computer network, can truly and accurately reflect the network information security and business system data security situation of the computer network, and provides a quantitative scale for assessing the information security level of the computer network.
(1) The system of the present invention draws on professional knowledge such as complex network security event handling, network security event stream processing and log processing algorithms. It performs characteristic sample analysis of the state data, log data and exchanged network packets produced while network security devices, network equipment, host server equipment, operating systems, databases and middleware are running, and by performing correlation analysis on the information contained in the network security events it provides a quantitative scale for network security protection.
(2) The fast dynamic parsing algorithm based on prefix matching of log strings, deployed at the collection end, can rapidly parse the log data of devices from different manufacturers and then send the data over the network to the event server.
(3) A tool that graphically displays correlation analysis results in real time shows a different topology picture for each correlation analysis requirement, and the display layout and level of displayed detail can be adjusted on the spot. The graphical display tool is based on page technology and is used in browser mode; it supports a fully visual graphical layout editor and can produce the topology diagram layout of a correlation analysis scenario of any complexity.
Embodiment
The present invention is described in detail below in conjunction with the accompanying drawings:
The network security event correlation analysis system of the present invention comprises four layers: the network security event acquisition layer, the communication network layer, the correlation analysis layer and the management presentation layer.
The network security event acquisition layer is the foundation of the system; Fig. 1 is a schematic diagram of network security event acquisition according to the present invention. State collecting devices, log collecting devices and network packet collecting devices are installed at the core switching equipment of the network system on site, the key monitoring point of each computer network. Once the state, log and network packet collecting devices are installed on site and the relevant configuration is done, the network security event data can be obtained, parsed, arranged, formatted and placed in a buffer queue pool.
The communication network layer assembles each heterogeneous network security event in the buffer queue pool into packets in real time through a Hessian interface message processor (IMP); log data undergo the fast dynamic parsing by log string prefix matching before packet assembly, and the assembled network security events are uploaded to the event server. The interface message processor and the event servers adopt a one-to-many transmission mode, so that the network security event data obtained in one collection can be uploaded to multiple event servers at the same time. This service is based on the TCP/IP network transmission protocol and encapsulates the communication protocol.
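As an added illustration of the prefix-matched log parsing described above (example code, not the patent's own), the following Python dispatcher selects a parser by the fixed prefix at the start of each log string and normalizes heterogeneous device logs into one event layout. The two line layouts, prefix strings and sample lines are constructed for the example and are not real vendor formats.

```python
import re

# Constructed line layouts for two hypothetical device families (not real vendor syntax);
# the fixed prefix identifies the family, so only that family's parser is run on the line.
FW_RE = re.compile(r"^FWA\|(?P<ts>\d+)\|(?P<action>\w+)\|(?P<src>[\d.]+)->(?P<dst>[\d.]+):(?P<port>\d+)$")
IDS_RE = re.compile(r"^IDSB (?P<ts>\d+) sig=(?P<sig>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)(?: msg=(?P<msg>.*))?$")

def parse_fw(line):
    m = FW_RE.match(line)
    if not m:
        raise ValueError("FWA prefix but unexpected layout: %r" % line)
    return {"source": "firewall", "time": int(m["ts"]), "src": m["src"], "dst": m["dst"],
            "kind": m["action"].lower(), "detail": "dport=" + m["port"]}

def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        raise ValueError("IDSB prefix but unexpected layout: %r" % line)
    return {"source": "ids", "time": int(m["ts"]), "src": m["src"], "dst": m["dst"],
            "kind": "sig-" + m["sig"], "detail": m["msg"] or ""}

# Prefix table, tried longest-first so a specific prefix beats a shorter one sharing its start.
PARSERS = {"FWA|": parse_fw, "IDSB ": parse_ids}
_BY_LENGTH = sorted(PARSERS, key=len, reverse=True)

def parse_line(line):
    """Return a normalized event dict, or None for an unknown prefix or a malformed layout."""
    for prefix in _BY_LENGTH:
        if line.startswith(prefix):
            try:
                return PARSERS[prefix](line)
            except ValueError:
                return None
    return None

def parse_batch(lines):
    """Normalize a batch; rejected lines are kept aside rather than silently dropped."""
    events, rejected = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        ev = parse_line(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected

SAMPLE_LINES = [  # constructed input, not captured from any real device
    "FWA|1700000000|DENY|10.0.0.5->10.0.1.9:22",
    "IDSB 1700000003 sig=2001 src=10.0.0.5 dst=10.0.1.9 msg=repeated ssh login failures",
    "FWA|broken record",           # known prefix, bad layout: rejected
    "SWITCH-C link down port 12",  # no registered prefix: rejected
]
```

Keeping rejected lines separate matters for a collector: a silently dropped line is an event the correlation layer never sees.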
The correlation analysis layer is the core of the whole system. It consists of an event handling layer and an analysis logic layer. The event handling layer is responsible for space-time window filtering of the in-memory event stream and the database historical event stream. The core of the analysis logic layer is the correlation analysis engine, whose working principle is shown in Figure 2; it is responsible for correlating the filtered network security events according to the requirements of the correlation analysis script. The correlation analysis result is stored in the historical database together with the several network security events it correlates. The correlation analysis engine has the following functional features:
1. Unlike other products that analyze network security events, when a combined event alarm is produced by correlation analysis, a traceback to the sources that caused the combined event alarm is added;
2. The network security events participating in the analysis can be the in-memory network security event stream, or historical network security events stored in the database, or even a mixture of the in-memory stream and the historical events stored in the database;
3. The method and conditions of correlation analysis are controlled by an external correlation analysis script, which increases the breadth and depth of the correlation analysis;
4. Analysis results are preserved with the single event as the smallest granularity, making it convenient for users to observe the detailed information of a network security alarm;
5. Analysis results are stored as graph-structured data, so that network anomalies, attacks and user access behaviour can be rendered graphically, quickly and vividly;
6. A well-designed correlation analysis algorithm guarantees that the engine can process more than 100,000 network security events per second.
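As an added example (not the patent's code), a minimal Python correlation engine showing features 1 to 4 above: a time window that bounds the in-memory stream, a host-based space filter, historical events loaded from a database and mixed with the live stream, a rule object standing in for the external script, and an alarm that traces back to each single source event. The event kinds, hosts, timestamps and the rule are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    time: float           # epoch seconds
    source: str           # producing device class: "firewall", "ids", "host"
    host: str             # asset the event concerns; the "space" dimension of the window
    kind: str             # normalized event type
    origin: str = "live"  # "live" = in-memory stream, "history" = loaded from the event database

@dataclass(frozen=True)
class Rule:               # stands in for an externally supplied correlation script
    name: str
    required: frozenset   # event kinds that must all be seen on one host inside the window

class CorrelationEngine:
    def __init__(self, rules, window_s):
        self.rules, self.window_s = list(rules), window_s
        self.window = deque()  # events in time order; the time filter keeps it bounded
        self.alarms = []       # combined-event alarms, each with its source trace
        self._fired = set()    # suppresses re-alarming on the same contributing events
    def load_history(self, events):
        # Mix database-resident historical events into the same window as the live stream.
        self.window.extend(sorted(events, key=lambda e: e.time))
    def push(self, ev):
        self.window.append(ev)
        while ev.time - self.window[0].time > self.window_s:  # time filter
            self.window.popleft()
        for rule in self.rules:
            # Space filter: only events about the same asset as the new one take part.
            hits = [e for e in self.window if e.host == ev.host and e.kind in rule.required]
            key = (rule.name, ev.host, tuple(sorted((e.time, e.kind) for e in hits)))
            if rule.required <= {e.kind for e in hits} and key not in self._fired:
                self._fired.add(key)
                # Traceback: keep every single event that produced the combined alarm.
                self.alarms.append({"rule": rule.name, "host": ev.host, "time": ev.time,
                                    "sources": [f"{e.origin}:{e.source}:{e.kind}@{e.time:g}" for e in hits]})

RULES = [Rule("ids_alert_then_login", frozenset({"ids_alert", "login_success"}))]
HISTORY = [Event(100, "ids", "srv1", "ids_alert", origin="history")]  # constructed DB row
LIVE = [Event(400, "host", "srv1", "login_success"),    # completes the pattern on srv1
        Event(450, "host", "srv2", "login_success"),    # other asset: no alarm
        Event(2000, "host", "srv1", "login_success")]   # ids_alert aged out: no alarm

def run_demo(window_s=600):
    engine = CorrelationEngine(RULES, window_s)
    engine.load_history(HISTORY)
    for ev in LIVE:
        engine.push(ev)
    return engine.alarms
```

Widening the window to cover the last live event makes the rule fire a second time on srv1, which is why the window size is an analysis-precision parameter rather than a mere buffer limit.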
The management presentation layer is the management and analysis result presentation part of the whole system. It consists of four parts: network security event management, correlation analysis script management, correlation analysis engine management and correlation analysis result display. Network security event management includes network security event definition, change and publication. Correlation analysis script management includes correlation analysis script definition, change and start-up. Correlation analysis engine management includes correlation analysis engine initialization and engine working state monitoring. Correlation analysis result display includes list display and graphical display. Each related network operation management department can manage the correlation analysis scripts and the working scope of the correlation analysis engine through a browser, and query the various correlation analysis result data. The equipment of the management presentation layer guarantees that the system can run normally and leaves room for development; it comprises a historical database server, WEB server, application server, core switch, workstations, a dedicated monitoring computer, communication apparatus, uninterruptible power supply, printer and related equipment.
The above is only the preferred embodiment of the present invention. It should be pointed out that those skilled in the art can make improvements and variations without departing from the technical principles of the present invention, and such improvements and variations should also be regarded as within the scope of protection of the present invention.