CN104579782B - Method and system for identifying hotspot security events - Google Patents

Info

Publication number: CN104579782B
Application number: CN201510015080.2A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN104579782A (en)
Prior art keywords: network, asset, hotspot, event, security
Inventors: 陈连栋, 孔明, 齐东斌, 黄镜宇, 史新茹
Original and current assignee: State Grid Corp of China SGCC; Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Events: application filed by State Grid Corp of China SGCC and Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd; priority to CN201510015080.2A; publication of CN104579782A; application granted; publication of CN104579782B.
Abstract

The invention discloses a method and a system for identifying hotspot security events. SYSLOG security log data of various types of network assets, in differing formats, is collected in real time over the system log (SYSLOG) protocol and normalized into security event records of uniform format. Each security event record is mapped, according to the IP address and the asset type of the network asset, to a pre-constructed network hotspot center. The hotspot index of the security event records in each network hotspot center is calculated. When the hotspot index exceeds a preset threshold, the network hotspot center is judged abnormal, the network asset with the greatest influence degree in that center is taken as the hotspot asset, and the security event records related to the hotspot asset are identified as hotspot events. With this scheme, hotspot events can be analyzed comprehensively and key network information reflected accurately.

Description

Method and system for identifying hotspot security event
Technical Field
The invention relates to the field of information security, in particular to a method and a system for identifying a hotspot security event.
Background
As the information networks inside enterprises grow, the number of devices of every kind rises sharply, and so do security threats and attacks from outside and inside, endangering the information security of the network. To keep responding to new security challenges, an enterprise network deploys anti-virus systems, firewalls, intrusion detection systems, vulnerability scanners, UTMs and the like. The logs of these devices record the running state of the device, the operations performed by users and so on; this information is called a security event. In today's network environment the security event data produced by these devices is large in scale and growing ever faster.
Faced with exponentially growing new security events, how to master this mass of data effectively and extract the hot events from it has long puzzled network managers. Hot event identification finds, among a large number of security events, the security events with the greatest influence on the whole network within a given time period, so that targeted precautions can be taken and a large, complex network managed effectively.
Hotspot analysis is a powerful tool for analyzing the latent relations among specific events. A hotspot is a particular region in which events occur significantly more (or less) often than the normal frequency; the hotspots usually of interest are small regions with highly concentrated event occurrence. Among the many spatio-temporal analysis methods, hotspot analysis is an effective tool for understanding implicit relations among events, so that regression analysis and forecasts can be made for the events and researchers helped to draw scientific conclusions. In the network security field, traditional attack detection relies on precise rules to describe the relationships between events, but some situations are hard to describe with a precise rule: a burst rule that triggers at 50 events per minute, for example, counts 50 events as an outbreak and 49 as nothing. Hotspot analysis complements such rules: it uses fuzzy rules to analyze and describe the internal relations of events, finds event hotspots by clustering, and locates problem areas from the hotspots.
Hotspot analysis has wide application and has been used in crime analysis, disease surveillance, information security and other fields. For crime location analysis, CrimeStat, developed by Ned Levine and colleagues for the National Institute of Justice (NIJ), applies hotspot analysis theory to crime analysis in Baltimore; the software integrates various hotspot analysis methods based on cluster analysis, including mainstream algorithms such as K-means and RNNH, forming a powerful tool set. In epidemiological analysis, BioPortal, developed by the Artificial Intelligence Lab of the University of Arizona, has been used with great success; its home page integrates SaTScan and CrimeStat for analysis, and it has been applied successfully to West Nile virus, botulism and hand-foot-and-mouth disease.
Research on hot event analysis to date can be roughly divided into methods based on grids, partitioning, density, spatial scanning, support vector machines and hierarchical clustering. Grid-based and partition-based methods have a clear processing-time advantage but give less satisfactory results; the other four give better results but need more processing time. Examples: Leisha et al. propose an improved K-means algorithm (IIKM) for hot event discovery, which initializes the cluster centers with a density function so that the initial centers are chosen objectively; it can be used for both on-line and retrospective detection, is little affected by the processing order of the news corpus, and is mainly applied to hot news event detection (Leisha, Wulingda, Leishi et al., An incremental K-means method for initializing class centers and its application in news event detection, Journal of the China Society for Scientific and Technical Information, ISSN 1000-0135, 2006, 25(3): 289-295). Luowenhua et al. propose divide-and-conquer multi-layer clustering on the basis of traditional Single-Pass clustering; the algorithm groups data to reduce system load when processing large-scale data and has achieved results in topic detection (Luowenhua et al., Topic discovery research of a divide-and-conquer multi-layer clustering algorithm based on multi-strategy optimization, Proceedings of the Eighth National Joint Symposium on Computational Linguistics (JSCL-2005), Nanjing, China, 362-368).
Qiulikun et al. propose the concepts of hierarchical topics and hierarchical clustering; hierarchical clustering is gradually showing high-quality clustering results and is applied to event detection (Qiulikun et al., Implementation of a hierarchical topic discovery and tracking method and system, Journal of Guangxi University (Natural Science Edition), 2007(02): 157-160).
However, current hotspot event research mostly targets the Internet domain, looks only at the event information itself, and in fact analyzes only hotspot "topics", so it reflects key network information with low accuracy. In an enterprise network the scale of assets is relatively stable, and the value of an asset, the severity of a security event, and the network layer the event belongs to all have a significant influence on hotspot event analysis, yet general hotspot analysis does not take them into account.
Disclosure of Invention
To solve these problems, the invention provides a method and a system for identifying hotspot security events which analyze hotspot events comprehensively and reflect key network information accurately.
In order to achieve the above object, the present invention provides a method for identifying a hotspot security event, which comprises the following steps:
A. Collect, in real time over the system log (SYSLOG) protocol, the SYSLOG security log data of various types of network assets in differing formats, and normalize it into security event records of uniform format.
B. Map each security event record, according to the IP address and the asset type of the network asset, to a pre-constructed network hotspot center.
C. Calculate the hotspot index of the security event records in each network hotspot center.
D. When the hotspot index exceeds a preset threshold, judge the network hotspot center abnormal, take the network asset with the greatest influence degree in that center as the hotspot asset, and identify the security event records related to the hotspot asset as hotspot events.
Preferably, the security event record contains one or more of a reporting device address, an event source address and an event destination address, and step A further comprises: if the security event record lacks any of the reporting device address, the event source address or the event destination address, it is treated as an invalid log and discarded.
Preferably, the method further comprises: acquiring ledger data for all network assets in the complex network environment and dividing the network assets into three network layers, an application layer, a network layer and a terminal layer, where the application layer contains server, database and middleware type assets, the network layer contains network device and security protection type assets, and the terminal layer contains host type assets; a network hotspot center is formed by the network assets in a predefined IP address segment within one network layer.
Preferably, forming network hotspot centers from the network assets in predefined IP address segments within each network layer means: grouping the network assets of each network layer by asset type; dividing the IP addresses of the network assets in each asset-type group into IP address segments according to a predefined division rule, producing several IP address segments per network layer; selecting one or more IP address segments from each network layer; and defining the network assets whose IP addresses fall in a selected segment as a network hotspot center, so that the selected IP address segments form one or more network hotspot centers.
Preferably, step B comprises:
B1. Take the source address and the destination address in the security event record as the event analysis IPs; if the record has neither, take the reporting device address as the event analysis IP.
B2. Build a table mapping the IP address of each network device asset to its asset type, and look up the asset type of the security event record by its event analysis IP.
B3. Map the security event record to the network layer corresponding to that asset type and then, by its event analysis IP, to a network hotspot center.
Preferably, in step B3 each network hotspot center caches the security event records mapped to it in an ArrayList data structure, keeping records within a preset caching period.
After mapping, each network hotspot center holds a cached list of the security event records mapped to it during the caching period.
Preferably, step C comprises: obtaining the security event records in each network hotspot center and calculating the hotspot index of each network hotspot center according to the following formula:
where HI is the hotspot index, N is the total number of security event records in the network hotspot center, PRI is the severity level of a security event record (a positive integer from 1 to 5), and N_i is the number of security event records at each severity level.
Preferably, step D comprises:
D1. Calculate the influence degree of the security event records of a single network asset in the network hotspot center according to the following formula:
where AI is the influence degree, M is the total number of security event records of the network asset, PRI is the severity level of a security event record (a positive integer from 1 to 5), and M_i is the number of security event records at each severity level.
D2. Rank all network assets in the network hotspot center by AI and take the network device asset with the largest AI as the hotspot asset.
D3. Rank all security event records of the hotspot asset by PRI and take the record(s) with the highest PRI as the hotspot event, which may be a single event or a group of events.
D4. Send the hotspot event to a third-party system directly over the SYSLOG protocol, and/or store it in a database from which the third-party system reads it.
The invention also provides a system for identifying hotspot security events, comprising an acquisition module, a mapping module, a calculation module and a judgment module.
The acquisition module collects, in real time over the system log (SYSLOG) protocol, the SYSLOG security log data of various types of network assets in the complex network environment and normalizes it into security event records of uniform format.
The mapping module maps each security event record, according to the IP address and the asset type of the network asset, to a pre-constructed network hotspot center.
The calculation module calculates the hotspot index of the security event records in each network hotspot center.
The judgment module judges the network hotspot center abnormal when its hotspot index exceeds a preset threshold, takes the network asset with the greatest influence degree in that center as the hotspot asset, and identifies the security event records related to the hotspot asset as hotspot events.
Preferably, the acquisition module is further configured to treat a security event record as an invalid log and discard it when the record lacks any of the reporting device address, the event source address or the event destination address.
Preferably, the system further comprises a construction module for acquiring ledger data for all network assets in the complex network environment and dividing the network assets into three network layers, an application layer, a network layer and a terminal layer, where the application layer contains server, database and middleware type assets, the network layer contains network device and security protection type assets, and the terminal layer contains host type assets; a network hotspot center is formed by the network assets in a predefined IP address segment within one network layer.
Preferably, the construction module is further configured to: group the network assets of each network layer by asset type; divide the IP addresses of the network assets in each asset-type group into IP address segments according to a predefined division rule, producing several IP address segments per network layer; select one or more IP address segments from each network layer; and define the network assets whose IP addresses fall in a selected segment as a network hotspot center, so that the selected IP address segments form one or more network hotspot centers.
Preferably, the mapping module is further configured to complete the mapping by:
B1. Taking the source address and the destination address in the security event record as the event analysis IPs; if the record has neither, taking the reporting device address as the event analysis IP.
B2. Building a table mapping the IP address of each network device asset to its asset type, and looking up the asset type of the security event record by its event analysis IP.
B3. Mapping the security event record to the network layer corresponding to that asset type and then, by its event analysis IP, to a network hotspot center.
Preferably, the system further comprises a caching module configured to cache, in each network hotspot center, the security event records mapped to it in an ArrayList data structure, keeping records within a preset caching period.
After mapping, each network hotspot center holds a cached list of the security event records mapped to it during the caching period.
Preferably, the calculation module is further configured to obtain the security event records in each network hotspot center and calculate the hotspot index of each network hotspot center according to the following formula:
where HI is the hotspot index, N is the total number of security event records in the network hotspot center, PRI is the severity level of a security event record (a positive integer from 1 to 5), and N_i is the number of security event records at each severity level.
Preferably, the judgment module is further configured to determine and send the hotspot event by the following steps:
D1. Calculating the influence degree of the security event records of a single network asset in the network hotspot center according to the following formula:
where AI is the influence degree, M is the total number of security event records of the network asset, PRI is the severity level of a security event record (a positive integer from 1 to 5), and M_i is the number of security event records at each severity level.
D2. Ranking all network assets in the network hotspot center by AI and taking the network device asset with the largest AI as the hotspot asset.
D3. Ranking all security event records of the hotspot asset by PRI and taking the record(s) with the highest PRI as the hotspot event, which may be a single event or a group of events.
D4. Sending the hotspot event to a third-party system directly over the SYSLOG protocol, and/or storing it in a database from which the third-party system reads it.
Compared with the prior art, the invention collects, in real time over the system log (SYSLOG) protocol, the SYSLOG security log data of various types of network assets in differing formats and normalizes it into security event records of uniform format; maps each security event record, according to the IP address and the asset type of the network asset, to a pre-constructed network hotspot center; calculates the hotspot index of the security event records in each network hotspot center; and, when the hotspot index exceeds a preset threshold, judges the network hotspot center abnormal, takes the network asset with the greatest influence degree in that center as the hotspot asset, and identifies the security event records related to the hotspot asset as hotspot events. With this scheme, hotspot events can be analyzed comprehensively and key network information reflected accurately.
Drawings
The accompanying drawings in the embodiments of the present invention are described below, and the drawings in the embodiments are provided for further understanding of the present invention, and together with the description serve to explain the present invention without limiting the scope of the present invention.
FIG. 1 is a flowchart of a method for identifying a hotspot security event in accordance with the present invention;
FIG. 2 is a block diagram of a system for identifying hotspot security events in accordance with the present invention;
FIG. 3 is a schematic diagram illustrating a method for identifying a hotspot security event according to the present invention;
FIG. 4 is a flowchart illustrating the identification and calculation of a hotspot security event in accordance with the present invention.
Detailed Description
The following description of the invention, given with reference to the accompanying drawings to help those skilled in the art understand it, does not limit the scope of the invention.
The invention aims to overcome the defects of the prior art and provides a method for identifying hotspot security events in a complex network environment. The SYSLOG log data of each network device asset in the enterprise network is collected and normalized into security event records of uniform format; network hotspot centers are constructed using network layering and IP segmentation; each security event record is mapped to a hotspot center according to its IP and asset information; the hotspot index of every hotspot center is calculated taking into account the severity and number of security events, the importance of the assets and similar factors; and when the hotspot index exceeds a threshold a hotspot event is indicated and its data is obtained in a suitable form. In this way hotspot security events in a complex network environment are identified accurately and reliably.
Specifically, the invention provides a method for identifying a hotspot security event, which comprises the following steps:
A. Collect, in real time over the system log (SYSLOG) protocol, the SYSLOG security log data of various types of network assets in differing formats, and normalize it into security event records of uniform format.
Preferably, the security event record contains one or more of a reporting device address, an event source address and an event destination address, and step A further comprises: if the security event record lacks any of the reporting device address, the event source address or the event destination address, it is treated as an invalid log and rejected.
B. Map each security event record, according to the IP address and the asset type of the network asset, to a pre-constructed network hotspot center.
Preferably, the method further comprises acquiring ledger data for all network assets in the complex network environment. In a complex enterprise network the protected network is relatively fixed, and a ledger of network assets is usually maintained by the network management system. The most basic principle of applying hotspot analysis to security events is that a sudden change or outbreak in the number of events within a region necessarily implies a problem: the events may spread and propagate, and the association and inherent relations among the events in that region are what hotspot analysis is used to find. In an enterprise network a physical region has little meaning; the region is logical. Analyzing business applications end to end, as shown in fig. 3, all network assets can be divided into three network layers, an application layer, a network layer and a terminal layer, where the application layer contains server, database and middleware type assets, the network layer contains network device and security protection type assets, and the terminal layer contains host type assets and other devices. Network hotspot centers are formed by the network assets in predefined IP address segments within each network layer.
Preferably, forming network hotspot centers from the network assets in predefined IP address segments within each network layer means: grouping the network assets of each network layer by asset type; dividing the IP addresses of the network assets in each asset-type group into IP address segments according to a predefined division rule, producing several IP address segments per network layer; selecting one or more IP address segments from each network layer; and defining the network assets whose IP addresses fall in a selected segment as a network hotspot center, so that the selected IP address segments form one or more network hotspot centers.
A specific example: first, a network hotspot center must lie within a single network layer, and the network assets in each layer are grouped by asset type; second, the IP addresses of the network assets in each asset-type group are divided into IP address segments according to a predefined division rule. Taking 50 IP addresses per segment, the addresses of a group are divided into 5 IP address segments, i.e. 5 network hotspot centers:
[*.*.*.1, *.*.*.50], [*.*.*.51, *.*.*.100], [*.*.*.101, *.*.*.150], [*.*.*.151, *.*.*.200], [*.*.*.201, *.*.*.255].
Preferably, step B specifically comprises:
B1. Take the source address and the destination address in the security event record as the event analysis IPs; if the record has neither, take the reporting device address as the event analysis IP.
B2. Build a table mapping the IP address of each network device asset to its asset type, and look up the asset type of the security event record by its event analysis IP.
B3. Map the security event record to the network layer corresponding to that asset type and then, by its event analysis IP, to a network hotspot center.
Specifically, in step B3 each network hotspot center caches the security event records mapped to it in an ArrayList data structure, keeping records within a preset caching period; in the embodiment the caching period is 5 minutes. The data structure is:
ArrayList<EventObject> eventList;
where EventObject represents one security event record and eventList is the list of security event records cached by the hotspot center.
After the mapping step, each network hotspot center holds the list of the security event records mapped to it during the caching period; in the embodiment, each hotspot center keeps in eventList the records mapped to it in the last 5 minutes. Every EventObject carries the event analysis IP and the event severity level. The severity level (PRI) has 5 values:
1: Information
2: Minor
3: General
4: Important
5: Severe
C. Calculate the hotspot index of the security event records in each network hotspot center.
Calculating the hotspot index means computing the hotspot index of every hotspot center while taking into account the severity and number of the security events, the importance of the assets, and similar factors.
Preferably, step C specifically comprises: obtaining the security event records in each network hotspot center and calculating the hotspot index of each network hotspot center according to the following formula:
where HI is the hotspot index, N is the total number of security event records in the network hotspot center, PRI is the severity level of a security event record (a positive integer from 1 to 5), and N_i is the number of security event records at each severity level.
Specifically, the hotspot index of each hotspot center is calculated as follows, taking into account the severity and number of the security events, the importance of the assets and similar factors.
The event frequency EF of a given network hotspot center is given by a formula in N, the number of all security event records in the hotspot center.
The event impact EI of a given network hotspot center is given by a formula in N, the total number of security event records in the hotspot center, PRI, the severity level of a security event record (a positive integer from 1 to 5), and N_i, the number of security event records at each severity level.
The hotspot index of the network hotspot center is then
HI = EF * EI.
D. When the hotspot index exceeds a preset threshold, the network hotspot center is judged abnormal; the network asset with the largest influence degree in that network hotspot center is taken as the hotspot asset, and the security event records related to the hotspot asset are identified as the hotspot event.
Preferably, step D specifically includes:
D1, calculating the influence degree of the security event records of a single network asset in the network hotspot center according to the following formula:
where AI is the influence degree; M is the total number of security event records of that network asset; PRI is the severity level of a security event record, a positive integer in the range 1-5; and Mi is the number of security event records at each severity level.
D2, ranking the AI of all network assets in the network hotspot center and taking the network device asset with the largest AI as the hotspot asset.
D3, ranking all security event records corresponding to the hotspot asset by PRI and taking the security event record(s) with the largest PRI as the hotspot event, where the hotspot event may be a single event or a group of events.
D4, sending the hotspot event directly to a third-party system over the SYSLOG protocol and/or storing the hotspot event in a storage database and passing it to the third-party system by reading and writing the database.
The invention also provides a hotspot security event identification system 01, which comprises an acquisition module 02, a mapping module 03, a calculation module 04 and a judgment module 05.
The acquisition module 02 is used for acquiring, in real time and over the SYSLOG protocol, SYSLOG security log data of various types of network assets in a complex network environment, and for normalizing the SYSLOG security log data into security event records with a uniform format.
The mapping module 03 is configured to map the security event records to a pre-constructed network hotspot center according to the IP address of the network asset and the asset type of the network asset.
The calculation module 04 is used for calculating the hotspot index of the security event records in the network hotspot center.
The judgment module 05 is used for judging that the network hotspot center is abnormal when the hotspot index exceeds a preset threshold, taking the network asset with the largest influence degree in the network hotspot center as the hotspot asset, and identifying the security event records related to the hotspot asset as the hotspot event.
Preferably, the acquisition module 02 is further configured to treat a security event record as an invalid log and discard it when the security event record does not include any one of the reporting device address, the event source address and the event destination address.
Preferably, the system further comprises a construction module 06 for obtaining ledger data of all network assets in the complex network environment and dividing all network assets into three network layers, an application layer, a network layer and a terminal layer, where the application layer includes server type, database type and middleware type assets; the network layer includes network device type and security protection type assets; and the terminal layer includes host type assets. The network hotspot center is formed by the network assets in predefined IP address network segments in each network layer.
Preferably, the construction module 06 is further configured to: group the network assets in each network layer by asset type; divide the IP addresses of all network assets in each asset-type group into IP address network segments according to a predefined division rule, producing a plurality of IP address network segments in each network layer; randomly select one or more IP address network segments from each network layer; and define the network assets corresponding to one group of IP addresses in the selected segment(s) as a network hotspot center, so that the one or more selected IP address network segments form one or more network hotspot centers.
Preferably, the mapping module 03 is further configured to perform the mapping as follows:
B1, taking the source address and the destination address in the security event record as the event analysis IP, and, if the security event record has no source or destination address, taking the reporting device address in the security event record as the event analysis IP.
B2, constructing a correspondence table between the IP addresses and the asset types of the network device assets, and looking up the event analysis IP in it to obtain the asset type corresponding to the security event record.
B3, mapping the security event record to the network layer corresponding to its asset type, and mapping it to a network hotspot center according to the event analysis IP.
Preferably, the system further includes a caching module 07 configured to cache, in each network hotspot center, the security event records mapped to that network hotspot center in an ArrayList data structure for a predetermined caching period.
Each network hotspot center thus caches a list of the security event records mapped to it within the caching period.
Preferably, the calculation module 04 is further configured to acquire the security event records in each network hotspot center and calculate the hotspot index of each network hotspot center according to the following formula:
where HI is the hotspot index; N is the total number of security event records in the network hotspot center; PRI is the severity level of a security event record, a positive integer in the range 1-5; and Ni is the number of security event records at each severity level.
Preferably, the judgment module 05 is further configured to complete the judgment and sending of the hotspot event by the following steps:
D1, calculating the influence degree of the security event records of a single network asset in the network hotspot center according to the following formula:
where AI is the influence degree; M is the total number of security event records of that network asset; PRI is the severity level of a security event record, a positive integer in the range 1-5; and Mi is the number of security event records at each severity level.
D2, ranking the AI of all network assets in the network hotspot center and taking the network device asset with the largest AI as the hotspot asset.
D3, ranking all security event records corresponding to the hotspot asset by PRI and taking the security event record(s) with the highest PRI as the hotspot event, where the hotspot event may be a single event or a group of events.
D4, sending the hotspot event directly to a third-party system over the SYSLOG protocol and/or storing the hotspot event in a storage database and passing it to the third-party system by reading and writing the database.
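The following is an added worked example of steps B to D (the mapping, caching, hotspot-index and hotspot-event steps described for both the method and the modules above); it is not the patent's code. The asset ledger, IP segments and event records are constructed sample data, and because the page does not reproduce the EF, EI and AI formulas, the formulas used here are stand-in assumptions marked ASSUMED in the code.

```python
"""Added worked example (not the patent's code) of steps B to D described above: window
caching, IP/asset-type mapping to hotspot centres, hotspot index, hotspot asset and hotspot
event selection. The page does not reproduce the EF, EI and AI formulas, so the ones used
here are stand-in assumptions, marked ASSUMED."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of step-A output: normalised records carrying the reporting device,
# source and destination addresses, a timestamp (epoch seconds) and a PRI level 1-5.
SAMPLE_EVENTS = [
    {"ts": 100, "reporter": "10.1.0.254", "src": "10.1.0.10", "dst": "10.9.9.9", "pri": 4},
    {"ts": 120, "reporter": "10.1.0.254", "src": "10.1.0.10", "dst": "10.9.9.9", "pri": 5},
    {"ts": 130, "reporter": "10.1.0.254", "src": "10.1.0.11", "dst": "10.9.9.9", "pri": 2},
    {"ts": 140, "reporter": "10.2.0.254", "src": "", "dst": "", "pri": 3},  # reporter only
    {"ts": 150, "reporter": "", "src": "", "dst": "", "pri": 5},            # no address at all
    {"ts": 600, "reporter": "10.3.0.254", "src": "10.3.0.7", "dst": "", "pri": 5},  # outside window
]
# Constructed asset ledger (IP -> asset type) and the page's three network layers.
ASSET_TYPES = {"10.1.0.10": "server", "10.1.0.11": "database",
               "10.2.0.254": "network_device", "10.3.0.7": "host"}
LAYER_OF_TYPE = {"server": "application", "database": "application", "middleware": "application",
                 "network_device": "network", "security_protection": "network", "host": "terminal"}
# Constructed hotspot centres: one predefined IP segment selected from each network layer.
HOTSPOT_CENTERS = {"app-hc": ("application", ip_network("10.1.0.0/24")),
                   "net-hc": ("network", ip_network("10.2.0.0/24")),
                   "term-hc": ("terminal", ip_network("10.3.0.0/24"))}

def is_valid(event):
    """Step A rule: a record lacking all three addresses is an invalid log and is dropped."""
    return any(event.get(k) for k in ("reporter", "src", "dst"))

def analysis_ips(event):
    """B1: source and destination are the event analysis IPs; fall back to the reporter."""
    return [event[k] for k in ("src", "dst") if event.get(k)] or [event["reporter"]]

def cache_window(events, now, period=300):
    """Keep only records inside the caching period (5 minutes in the embodiment)."""
    return [e for e in events if now - period <= e["ts"] <= now]

def map_to_centers(events):
    """B2/B3: look up asset type and layer for each analysis IP, then assign the record
    to the hotspot centre of that layer whose IP segment contains the IP."""
    centers = defaultdict(list)
    for ev in events:
        if not is_valid(ev):
            continue                                  # discarded as invalid log
        for ip in analysis_ips(ev):
            if ip not in ASSET_TYPES:
                continue                              # not an inventoried asset
            layer = LAYER_OF_TYPE[ASSET_TYPES[ip]]
            for name, (center_layer, segment) in HOTSPOT_CENTERS.items():
                if layer == center_layer and ip_address(ip) in segment:
                    centers[name].append((ip, ev))
    return centers

def hotspot_index(records):
    """C: HI = EF * EI. ASSUMED: EF = N (record count), EI = PRI-weighted mean severity."""
    n = len(records)
    if n == 0:
        return 0.0
    hist = Counter(ev["pri"] for _, ev in records)   # N_i per severity level
    return float(n) * (sum(pri * cnt for pri, cnt in hist.items()) / n)

def asset_influence(asset_records):
    """D1: influence degree AI of one asset. ASSUMED: sum over levels of PRI * M_i."""
    hist = Counter(ev["pri"] for ev in asset_records)  # M_i per severity level
    return sum(pri * cnt for pri, cnt in hist.items())

def identify_hotspot_events(centers, threshold):
    """D2-D3: abnormal centre -> hotspot asset (largest AI) -> hotspot event(s) (largest PRI)."""
    findings = {}
    for name, recs in centers.items():
        hi = hotspot_index(recs)
        if hi <= threshold:
            continue
        per_asset = defaultdict(list)
        for ip, ev in recs:
            per_asset[ip].append(ev)
        hot_asset = max(per_asset, key=lambda ip: asset_influence(per_asset[ip]))
        top = max(ev["pri"] for ev in per_asset[hot_asset])
        findings[name] = {"hi": hi, "hot_asset": hot_asset,
                          "hot_events": [ev for ev in per_asset[hot_asset] if ev["pri"] == top]}
    return findings
```

With the sample data and a threshold of 10, only the application-layer centre is flagged: its two high-PRI records on 10.1.0.10 outweigh the single minor record on 10.1.0.11, and the PRI 5 record becomes the hotspot event.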
The invention aims, for a complex enterprise network environment, to form security event records from SYSLOG log data, to identify and judge hotspot security events effectively by analyzing the content and meaning of the security event records together with enterprise asset information, and to assist the user in analyzing and managing a complex network.
It should be noted that the above-mentioned embodiments are only for facilitating the understanding of those skilled in the art, and are not intended to limit the scope of the present invention, and any obvious substitutions, modifications, etc. made by those skilled in the art without departing from the inventive concept of the present invention are within the scope of the present invention.

Claims (14)

1. A method for identifying a hotspot security event, the method comprising the steps of:
A. collecting SYSLOG security log data of various types of network assets in different formats in real time by using a system log SYSLOG protocol, and normalizing the SYSLOG security log data into security event records with uniform formats;
B. mapping the security event record to a pre-constructed network hotspot center according to the IP address of the network asset and the asset type of the network asset;
C. calculating a hotspot index of the security event record in the network hotspot center;
D. when the hot spot index exceeds a preset threshold value, judging that the network hot spot center is abnormal, taking the network asset with the largest influence degree in the network hot spot center as a hot spot asset, and identifying the security event record related to the hot spot asset as a hot spot event;
the security event record comprises one or more of a reporting device address, an event source address and an event destination address; the step A further comprises the following steps: if any of the reporting device address, the event source address, and the event destination address is not included in the security event record, the security event record is treated as an invalid log and discarded.
2. The method of claim 1, wherein the method further comprises: acquiring the ledger data of all the network assets in the complex network environment; dividing all the network assets into three network layers, namely an application layer, a network layer and a terminal layer; wherein the application layer comprises: a server type asset, a database type asset, and a middleware type asset; the network layer includes: a network device type asset and a security protection type asset; the terminal layer includes: a host type asset; and the network hotspot center is formed by the network assets in the predefined IP address network segments in each network layer.
3. The method of claim 2, wherein forming the network hotspot center from the network assets within a predefined IP address segment in each of the network hierarchies comprises: grouping the network assets in each network layer according to the asset types, dividing IP addresses of all the network assets in each group of asset types into IP address network segments according to a predefined division rule, generating a plurality of IP address network segments in each network layer, respectively and randomly selecting one or more IP address network segments from each network layer, and defining the network assets corresponding to one group of IP addresses in the selected one or more IP address network segments as one network hotspot center; and one or more network hotspot centers are formed by the one or more selected IP address network segments.
4. The method of claim 1, wherein step B comprises:
b1, taking a source address and a destination address in the security event record as an event analysis IP, and if the source address and the destination address do not exist in the security event record, taking a reporting device address of the security event record as the event analysis IP;
b2, constructing a corresponding table of the IP address and the asset type of the network equipment asset, and looking up the event analysis IP to obtain the asset type corresponding to the security event record;
and B3, mapping the security event record into a corresponding network hierarchy according to the network hierarchy corresponding to the asset type, and mapping the IP into the network hotspot center according to the event analysis.
5. The method of claim 4, wherein said step B3 comprises: each network hotspot center caches the security event records mapped to the network hotspot center by adopting an ArrayList data structure, and caches the security event records in a preset caching period;
each network hotspot center caches a cached list of the security event records mapped to the network hotspot center within the caching period.
6. The method of claim 1, wherein step C comprises: obtaining the security event record in each network hotspot center, and calculating the hotspot index of each network hotspot center according to the following formula:
wherein HI refers to the hotspot index; n is the total number of the security event records in the network hotspot center; the PRI is the severity level of the security event record and is a positive integer with the value range of 1-5; ni is the number of said security event records in each of said severity levels.
7. The method of claim 1, wherein step D comprises:
d1, calculating the influence degree of the security event record of a single network asset in the network hotspot center by the following formula:
wherein AI is the degree of influence; M is the total number of all the security event records of the network asset, PRI is the severity level of the security event record, and the value range is a positive integer from 1 to 5, and Mi is the number of records for the security event in each of the severity levels;
d2, sequencing the AI of all the network assets in the network hotspot center to obtain the network equipment asset with the largest AI as the hotspot asset;
d3, sequencing all the security event records corresponding to the hot spot assets according to the PRI, and acquiring the security event record with the largest PRI as the hot spot event, wherein the hot spot event is a single event or a group of events;
and D4, directly sending the hotspot event to a third-party system in the form of the SYSLOG protocol and/or storing the hotspot event in a storage database, and transmitting the hotspot event to the third-party system by reading and writing the database.
8. A system for identifying a hotspot security event, characterized by comprising an acquisition module, a mapping module, a calculation module and a judgment module;
the acquisition module is used for acquiring SYSLOG security log data of various types of network assets in the complex network environment in different formats in real time by using a SYSLOG protocol, and normalizing the SYSLOG security log data into security event records with uniform formats;
the mapping module is used for mapping the security event record to a pre-constructed network hotspot center according to the IP address of the network asset and the asset type of the network asset;
the computing module is used for computing the hotspot index of the security event record in the network hotspot center;
the judging module is used for judging that the network hotspot center is abnormal when the hotspot index exceeds a preset threshold value, taking the network asset with the maximum influence degree in the network hotspot center as a hotspot asset, and identifying the security event record related to the hotspot asset as a hotspot event;
the acquisition module is further configured to, when the security event record does not include any one of a reporting device address, an event source address, and an event destination address, regard the security event record as an invalid log and reject the invalid log.
9. The system of claim 8, further comprising a build module to obtain ledger data for all of the network assets in the complex network environment; dividing all the network assets into three network layers of an application layer, a network layer and a terminal layer; wherein the application layer comprises: a server type asset, a database type asset, and a middleware type asset; the network layer includes: a network device type asset and a security protection type asset; the terminal layer includes: a host type asset; and the network hotspot center is formed by the network assets in the predefined IP address network segments in each network layer.
10. The system of claim 9, wherein the build module is further to: grouping the network assets in each network layer according to the asset types, dividing IP addresses of all the network assets in each group of the asset types into IP address network segments according to a predefined division rule, generating a plurality of IP address network segments in each network layer, respectively and randomly selecting one or more IP address network segments from each network layer, and defining the network assets corresponding to one group of IP addresses in the selected one or more IP address network segments as one network hotspot center; and one or more network hotspot centers are formed by the one or more selected IP address network segments.
11. The system of claim 8, wherein the mapping module is further configured to complete the mapping by:
b1, taking a source address and a destination address in the security event record as an event analysis IP, and if the source address and the destination address do not exist in the security event record, taking a reporting device address of the security event record as the event analysis IP;
b2, constructing a corresponding table of the IP address and the asset type of the network equipment asset, and looking up the event analysis IP to obtain the asset type corresponding to the security event record;
and B3, mapping the security event record into a corresponding network hierarchy according to the network hierarchy corresponding to the asset type, and mapping the IP into the network hotspot center according to the event analysis.
12. The system of claim 11, further comprising a caching module for caching the security event records mapped to the network hotspot center in an ArrayList data structure at each of the network hotspot centers and at a predetermined caching period;
each network hotspot center caches a cached list of the security event records mapped to the network hotspot center within the caching period.
13. The system of claim 8, wherein the computing module is further to: obtaining the security event record in each network hotspot center, and calculating the hotspot index of each network hotspot center according to the following formula:
wherein HI refers to the hot spot index; n is the total number of the security event records in the network hotspot center; PRI is the severity level of the security event record, and the value range is a positive integer of 1-5; ni is the number of security event records in each of the severity levels.
14. The system of claim 8, wherein the determination module is further configured to complete the determination and sending of the hotspot event by:
d1, calculating the influence degree of the security event record of a single network asset in the network hotspot center by the following formula:
wherein AI is the degree of influence; M is the total number of all the security event records of the network asset, PRI is the severity level of the security event records, a positive integer with a value range of 1-5, and Mi is the number of records for the security event in each of the severity levels;
d2, sequencing the AI of all the network assets in the network hotspot center to obtain the network equipment asset with the largest AI as the hotspot asset;
d3, sequencing all the security event records corresponding to the hot spot assets according to the PRI, and acquiring the security event record with the largest PRI as the hot spot event, wherein the hot spot event is a single event or a group of events;
and D4, directly sending the hotspot event to a third-party system in the form of the SYSLOG protocol and/or storing the hotspot event in a storage database, and transmitting the hotspot event to the third-party system by reading and writing the database.
CN201510015080.2A 2015-01-12 2015-01-12 A kind of recognition methods of focus security incident and system Active CN104579782B (en)

Publications (2)

Publication Number Publication Date
CN104579782A CN104579782A (en) 2015-04-29
CN104579782B true CN104579782B (en) 2018-03-27