CN105119945A - Log association analysis method for safety management center - Google Patents
Log association analysis method for safety management center
- Publication number: CN105119945A
- Application number: CN201510617100.3A
- Authority: CN (China)
- Prior art keywords: management center, attack, log information, security management, log
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention discloses a log correlation analysis method for a security management center. The method comprises the steps of 1, data entry; 2, directory association; 3, cross correlation; 4, logic association; 5, risk assessment; and 6, security information event generation. That is, the log information collected by the security management center system is associated with asset information, comprehensive intelligent analysis is carried out by continuously upgraded and customized correlation rules, a large number of alarm events without response value (false alarms, low-priority, low-risk and disruptive events) are removed, and the security events with response value are refined. The whole process is fine-grained and controllable, and network security is high. The method solves the problems of a low network security level and inadequate defense in the prior art.
Description
Technical field
The invention belongs to the technical field of network security, and specifically relates to a log correlation analysis method for a security management center.
Background technology
A large number of business systems are deployed in cloud computing environments, and these business systems need different types of security devices and security software to protect them on the Internet. The massive, real-time log information from these different security devices and security software reflects the operation, access and state of the devices and business systems in the current cloud computing environment, and constantly embodies the risk level of the network and assets under the current cloud computing environment.
Relying on only a few security products cannot effectively protect an organization's overall network security. Information security is a whole: the security products, branches, operations network, customers and other parties concerned in the security process must each be brought, as one level, into a unified security management platform; only then can network security be effectively ensured and the enterprise's information investment protected.
Summary of the invention
The object of the invention is to provide a log correlation analysis method for a security management center, solving the problems in the prior art of a low network security level and inadequate defense.
The technical solution adopted by the invention is a log correlation analysis method for a security management center, specifically implemented according to the following steps:
Step 1, data entry;
Step 2, directory association;
Step 3, cross correlation;
Step 4, logic association;
Step 5, risk assessment;
Step 6, security information event generation.
The invention is further characterized in that:
Step 1 is specifically:
Step (1.1), first, while assets are entered into the security management center, the host information related to the assets, including OS type, services, ports and vulnerability information, is entered into the security management center system at the same time;
Step (1.2), secondly, the security device log dictionary is entered, and at the same time, for each log entry, the priority and reliability of the attack it represents and the OS type, service and port to which the attack applies are entered;
Step (1.3), then, vulnerability scanning is carried out periodically on the entered assets, and the vulnerability information is updated into the security management center;
Step (1.4), then, the log types by which the security devices describe attacks are associated with the vulnerability information the attacks target, and this is stored in the security management center;
Step (1.5), during security operation and maintenance, whenever an attack is encountered, the response order of the security devices, the response time intervals between security devices and the log information produced by the security devices are recorded, and a complete correlation rule chain is generated; each node in the correlation rule chain comprises the corresponding security device type and log information type, the reliability that the attack has occurred, the time interval to the log information of the following node, and the priority; since some different attacks behave identically in the early stage and differently in the later stage, their responses on the security devices are identical early and different later, so the common parts of the complete correlation rule chains generated by these several similar attacks are merged and the differing parts are kept separate, forming a tree, namely the correlation rule tree;
Step (1.6), finally, during security operation and maintenance, the attacks encountered are recorded in the knowledge base, and the priority of each attack is recorded according to the degree of threat it poses to the assets in the current network.
Step 2 is specifically:
Step (2.1), after the security management center receives the log information sent from step 1, it puts it into a message queue and queries the message queue in real time;
Step (2.2), log information is taken out of the message queue sequentially in order and directory association is carried out, associating the attack represented by the log information with the asset: when OS type, service and port match, the reliability that this type of attack has occurred is raised by one level for each matching characteristic;
Step (2.3), after the log information has been processed by directory association, it is returned to the security management center.
Step 3 is specifically:
Step (3.1), the security management center takes the log information returned after directory association processing and continues processing it with cross correlation;
Step (3.2), the vulnerability type to which the attack represented by this log information applies is first queried from the database, and at the same time it is queried whether the target asset has a vulnerability of this type; if it does, the reliability of the log information is set to level ten; likewise, if the vulnerability information does not apply, the reliability of the log information is set to level zero;
Step (3.3), after the log information has been processed by cross correlation, it is returned to the security management center.
Step 4 is specifically:
Step (4.1), the security management center takes the log information returned after cross correlation processing and continues processing it with logic association;
Step (4.2), the security management center divides each correlation rule tree into multiple levels; the specific processing method is as follows:
Step (4.2.1), when the first log entry is processed, the security management center first attempts to match the root node of each correlation rule tree; if a node matches the log type, that correlation rule tree automatically advances one level, and the reliability and priority of the log information are set to the reliability value and priority value stored in the current node;
Step (4.2.2), when the next log entry is processed, if a node of the current level can be matched, that correlation rule tree advances one level along that branch, and the reliability and priority of the log information are set to the reliability value and priority value stored in the current node;
Step (4.2.3), step (4.2.2) is repeated until a leaf node of the correlation rule tree is matched, or the timeout for matching the next level from the current level is exceeded without a match, at which point the loop of step (4.2.2) ends;
Step (4.2.4), if a complete branch of the correlation rule tree has been matched, the reliability of this attack is level ten and its priority is the priority described by the leaf node, indicating that this type of attack has occurred;
Step (4.3), after the log information has been processed by logic association, it is returned to the security management center.
Step 5 is specifically:
Step (5.1), the security management center hands the log information returned after logic association processing over to risk assessment for further processing;
Step (5.2), risk assessment corrects the priority of the log information: it is first queried whether the attack type described by the log information is recorded in the knowledge base described in step 1; if the two match, the priority of the log information is set to the priority of that attack in the knowledge base.
Step (5.3), the hazard level and attacked level of the assets are then corrected according to the log information: when the priority and reliability of the log information exceed the thresholds set by the security management center, it is confirmed as an attack and an alarm is produced, the hazard level of the attacked destination network domain is raised by one level, indicating that the attack may threaten other assets in the same network domain, and the attack level of the asset where the attack source is located is raised by one level, indicating that it poses a threat to other assets in the network domain.
Step 6 is specifically:
After step 5 is complete, log information whose reliability reaches level three is finally treated as alarm information, manually analysed, and a security event is finally generated and handled.
The beneficial effect of the invention is that, in a log correlation analysis method for a security management center, through the steps of data entry, directory association, cross correlation, logic association, risk assessment and security information event generation, the log information collected by the security management center system is associated with asset information, comprehensive intelligent analysis is carried out by continuously upgraded and customized correlation rules, a large number of alarm events without response value (false alarms, low-priority, low-risk and disruptive events) are removed, and the security events with response value are refined; the whole process is fine-grained and controllable, and network security is high.
Accompanying drawing explanation
Fig. 1 is the flow chart of the log correlation analysis method for a security management center of the invention.
Embodiment
The invention is described in detail below in conjunction with the drawings and specific embodiments.
The log correlation analysis method for a security management center of the invention, whose flow chart is shown in Fig. 1, is specifically implemented according to the following steps:
Step 1, data entry, specifically:
Step (1.1), first, while assets are entered into the security management center, the host information related to the assets, including OS type, services, ports and vulnerability information, is entered into the security management center system at the same time;
Step (1.2), secondly, the security device log dictionary is entered, and at the same time, for each log entry, the priority and reliability of the attack it represents and the OS type, service and port to which the attack applies are entered;
Step (1.3), then, vulnerability scanning is carried out periodically on the entered assets, and the vulnerability information is updated into the security management center;
Step (1.4), then, the log types by which the security devices describe attacks are associated with the vulnerability information the attacks target, and this is stored in the security management center;
Step (1.5), during security operation and maintenance, whenever an attack is encountered, the response order of the security devices, the response time intervals between security devices and the log information produced by the security devices are recorded, and a complete correlation rule chain is generated; each node in the correlation rule chain comprises the corresponding security device type and log information type, the reliability that the attack has occurred, the time interval to the log information of the following node, and the priority; since some different attacks behave identically in the early stage and differently in the later stage, their responses on the security devices are identical early and different later, so the common parts of the complete correlation rule chains generated by these several similar attacks are merged and the differing parts are kept separate, forming a tree, namely the correlation rule tree;
Step (1.6), finally, during security operation and maintenance, the attacks encountered are recorded in the knowledge base, and the priority of each attack is recorded according to the degree of threat it poses to the assets in the current network.
Step 2, directory association, specifically:
Step (2.1), after the security management center receives the log information sent from step 1, it puts it into a message queue and queries the message queue in real time;
Step (2.2), log information is taken out of the message queue sequentially in order and directory association is carried out, associating the attack represented by the log information with the asset: when OS type, service and port match, the reliability that this type of attack has occurred is raised by one level for each matching characteristic;
Step (2.3), after the log information has been processed by directory association, it is returned to the security management center.
Step 3, cross correlation, specifically:
Step (3.1), the security management center takes the log information returned after directory association processing and continues processing it with cross correlation;
Step (3.2), the vulnerability type to which the attack represented by this log information applies is first queried from the database, and at the same time it is queried whether the target asset has a vulnerability of this type; if it does, the reliability of the log information is set to level ten; likewise, if the vulnerability information does not apply, the reliability of the log information is set to level zero;
Step (3.3), after the log information has been processed by cross correlation, it is returned to the security management center.
Step 4, logic association, specifically:
Step (4.1), the security management center takes the log information returned after cross correlation processing and continues processing it with logic association;
Step (4.2), the security management center divides each correlation rule tree into multiple levels; the specific processing method is as follows:
Step (4.2.1), when the first log entry is processed, the security management center first attempts to match the root node of each correlation rule tree; if a node matches the log type, that correlation rule tree automatically advances one level, and the reliability and priority of the log information are set to the reliability value and priority value stored in the current node;
Step (4.2.2), when the next log entry is processed, if a node of the current level can be matched, that correlation rule tree advances one level along that branch, and the reliability and priority of the log information are set to the reliability value and priority value stored in the current node;
Step (4.2.3), step (4.2.2) is repeated until a leaf node of the correlation rule tree is matched, or the timeout for matching the next level from the current level is exceeded without a match, at which point the loop of step (4.2.2) ends;
Step (4.2.4), if a complete branch of the correlation rule tree has been matched, the reliability of this attack is level ten and its priority is the priority described by the leaf node, indicating that this type of attack has occurred;
Step (4.3), after the log information has been processed by logic association, it is returned to the security management center.
Step 5, risk assessment, specifically:
Step (5.1), the security management center hands the log information returned after logic association processing over to risk assessment for further processing;
Step (5.2), risk assessment corrects the priority of the log information: it is first queried whether the attack type described by the log information is recorded in the knowledge base described in step 1; if the two match, the priority of the log information is set to the priority of that attack in the knowledge base.
Step (5.3), the hazard level and attacked level of the assets are then corrected according to the log information: when the priority and reliability of the log information exceed the thresholds set by the security management center, it is confirmed as an attack and an alarm is produced, the hazard level of the attacked destination network domain is raised by one level, indicating that the attack may threaten other assets in the same network domain, and the attack level of the asset where the attack source is located is raised by one level, indicating that it poses a threat to other assets in the network domain.
Step 6, security information event generation, specifically:
After step 5 is complete, log information whose reliability reaches level three is finally treated as alarm information, manually analysed, and a security event is finally generated and handled.
In this method, the log information collected by the security management center system (each log entry represents a behaviour in the network) is associated with asset information (each asset has its own OS type, services, ports and vulnerability information), comprehensive intelligent analysis is carried out by correlation rules that can be continuously upgraded and customized, a large number of alarm events without response value (false alarms, low-priority, low-risk and disruptive events) are removed, and the security events with response value are refined; the whole process is fine-grained and controllable, and network security is high.
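As an added illustration of steps 2 to 6 above (this is example code written for this page, not code from the patent or its applicant), the following Python sketch runs the pipeline over a constructed asset table, log dictionary, correlation rule tree and three log entries. The asset addresses, log types, reliability and priority values, the 60-second timeout and the alarm thresholds are all assumed sample data; the handling of an attack that has no associated vulnerability in step 3 (left unchanged) is likewise an assumption the patent does not specify.

```python
from dataclasses import dataclass

# Step 1, data entry. Everything below is constructed sample data for this example.
ASSETS = {  # asset address -> host information entered with the asset (1.1, 1.3)
    "10.0.1.5": {"os": "linux", "services": {"http"}, "ports": {80}, "vulns": {"sqli"}, "domain": "dmz"},
    "10.0.2.9": {"os": "windows", "services": {"smb"}, "ports": {445}, "vulns": set(), "domain": "office"},
}
LOG_DICT = {  # security device log dictionary (1.2, 1.4): log type -> attack it represents
    "ids_scan": {"priority": 1, "reliability": 1, "os": None, "service": None, "port": None, "vuln": None},
    "waf_sqli": {"priority": 3, "reliability": 1, "os": "linux", "service": "http", "port": 80, "vuln": "sqli"},
    "fw_block": {"priority": 2, "reliability": 1, "os": None, "service": None, "port": None, "vuln": None},
}
KNOWLEDGE_BASE = {"waf_sqli": 5}  # (1.6) attack type -> priority by threat to current assets
THRESHOLD = {"priority": 3, "reliability": 5}  # alarm thresholds set by the management center


@dataclass
class Log:
    ts: float  # seconds; the message queue of step 2 is consumed in this order
    log_type: str
    src: str
    dst: str
    reliability: int = 0
    priority: int = 0
    alarm: bool = False


def directory_association(log):
    """Step 2: each of OS type, service and port that matches the target asset
    raises the reliability of the represented attack by one level."""
    attack, asset = LOG_DICT[log.log_type], ASSETS[log.dst]
    matches = (attack["os"] == asset["os"], attack["service"] in asset["services"],
               attack["port"] in asset["ports"])
    log.reliability = attack["reliability"] + sum(matches)
    log.priority = attack["priority"]


def cross_correlation(log):
    """Step 3: reliability ten if the target asset carries the vulnerability the
    attack applies to, zero if it does not. An attack with no vulnerability
    association is left unchanged (assumption; the patent does not cover it)."""
    vuln = LOG_DICT[log.log_type]["vuln"]
    if vuln is not None:
        log.reliability = 10 if vuln in ASSETS[log.dst]["vulns"] else 0


class RuleTree:
    """Step 4: a correlation rule tree (1.5) advanced one level per matching log."""

    def __init__(self, root):
        self.root, self.cursor, self.last_ts = root, None, None

    def advance(self, log):
        """Returns True when a complete branch (root to leaf) has been matched."""
        if self.cursor is not None and log.ts - self.last_ts > self.cursor["timeout"]:
            self.cursor = None  # (4.2.3) next level not matched within the timeout: restart
        candidates = [self.root] if self.cursor is None else self.cursor["children"]
        for node in candidates:
            if node["log"] == log.log_type:  # (4.2.1)/(4.2.2) advance one level
                self.cursor, self.last_ts = node, log.ts
                log.reliability, log.priority = node["reliability"], node["priority"]
                if not node["children"]:  # (4.2.4) leaf reached: attack confirmed
                    log.reliability, self.cursor = 10, None
                    return True
                return False
        return False


def risk_assessment(log, state):
    """Step 5: correct priority from the knowledge base; when priority and
    reliability exceed the thresholds, alarm and raise the hazard level of the
    destination domain and the attack level of the source asset by one."""
    if log.log_type in KNOWLEDGE_BASE:
        log.priority = KNOWLEDGE_BASE[log.log_type]
    if log.priority > THRESHOLD["priority"] and log.reliability > THRESHOLD["reliability"]:
        log.alarm = True
        domain = ASSETS[log.dst]["domain"]
        state["domain_hazard"][domain] = state["domain_hazard"].get(domain, 0) + 1
        state["attack_level"][log.src] = state["attack_level"].get(log.src, 0) + 1


def build_rule_tree():
    """Constructed tree: a scan followed within 60 s by either a WAF SQLi log or
    a firewall block; the two leaves carry different priorities."""
    leaf_sqli = {"log": "waf_sqli", "reliability": 8, "priority": 4, "timeout": 0, "children": []}
    leaf_fw = {"log": "fw_block", "reliability": 5, "priority": 2, "timeout": 0, "children": []}
    return RuleTree({"log": "ids_scan", "reliability": 2, "priority": 1, "timeout": 60,
                     "children": [leaf_sqli, leaf_fw]})


def sample_logs():
    """Constructed stream: scan, SQLi against the vulnerable host, then the same
    signature against a host that does not carry the vulnerability."""
    return [Log(0, "ids_scan", "203.0.113.7", "10.0.1.5"),
            Log(30, "waf_sqli", "203.0.113.7", "10.0.1.5"),
            Log(40, "waf_sqli", "203.0.113.7", "10.0.2.9")]


def run_pipeline(logs, tree):
    """Steps 2-6; returns the processed logs, the entries handed to manual
    analysis (reliability >= 3) and the level adjustments made in step 5."""
    state = {"domain_hazard": {}, "attack_level": {}}
    events = []
    for log in sorted(logs, key=lambda entry: entry.ts):  # (2.1) queue order
        directory_association(log)
        cross_correlation(log)
        tree.advance(log)
        risk_assessment(log, state)
        if log.reliability >= 3:  # step 6: alarm information for manual analysis
            events.append(log)
    return {"logs": logs, "events": events, **state}


if __name__ == "__main__":
    result = run_pipeline(sample_logs(), build_rule_tree())
    for log in result["logs"]:
        print(log.ts, log.log_type, log.dst, "reliability", log.reliability,
              "priority", log.priority, "alarm", log.alarm)
    print(result["domain_hazard"], result["attack_level"])
```

Running it shows the filtering the patent describes: the scan alone stays below the level-three line, the SQLi attempt against the host that actually carries the vulnerability completes a rule-tree branch and becomes an alarm, and the identical signature fired at a non-vulnerable host is dropped to reliability zero by cross correlation and never reaches an analyst.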
Claims (7)
1. A log correlation analysis method for a security management center, characterized in that it is specifically implemented according to the following steps:
Step 1, data entry;
Step 2, directory association;
Step 3, cross correlation;
Step 4, logic association;
Step 5, risk assessment;
Step 6, security information event generation.
2. The log correlation analysis method for a security management center according to claim 1, characterized in that said step 1 is specifically:
Step (1.1), first, while assets are entered into the security management center, the host information related to the assets, including OS type, services, ports and vulnerability information, is entered into the security management center system at the same time;
Step (1.2), secondly, the security device log dictionary is entered, and at the same time, for each log entry, the priority and reliability of the attack it represents and the OS type, service and port to which the attack applies are entered;
Step (1.3), then, vulnerability scanning is carried out periodically on the entered assets, and the vulnerability information is updated into the security management center;
Step (1.4), then, the log types by which the security devices describe attacks are associated with the vulnerability information the attacks target, and this is stored in the security management center;
Step (1.5), during security operation and maintenance, whenever an attack is encountered, the response order of the security devices, the response time intervals between security devices and the log information produced by the security devices are recorded, and a complete correlation rule chain is generated; each node in the correlation rule chain comprises the corresponding security device type and log information type, the reliability that the attack has occurred, the time interval to the log information of the following node, and the priority; since some different attacks behave identically in the early stage and differently in the later stage, their responses on the security devices are identical early and different later, so the common parts of the complete correlation rule chains generated by these several similar attacks are merged and the differing parts are kept separate, forming a tree, namely the correlation rule tree;
Step (1.6), finally, during security operation and maintenance, the attacks encountered are recorded in the knowledge base, and the priority of each attack is recorded according to the degree of threat it poses to the assets in the current network.
3. The log correlation analysis method for a security management center according to claim 1, characterized in that said step 2 is specifically:
Step (2.1), after the security management center receives the log information sent from step 1, it puts it into a message queue and queries the message queue in real time;
Step (2.2), log information is taken out of the message queue sequentially in order and directory association is carried out, associating the attack represented by the log information with the asset: when OS type, service and port match, the reliability that this type of attack has occurred is raised by one level for each matching characteristic;
Step (2.3), after the log information has been processed by directory association, it is returned to the security management center.
4. The log correlation analysis method for a security management center according to claim 1, characterized in that said step 3 is specifically:
Step (3.1), the security management center takes the log information returned after directory association processing and continues processing it with cross correlation;
Step (3.2), the vulnerability type to which the attack represented by this log information applies is first queried from the database, and at the same time it is queried whether the target asset has a vulnerability of this type; if it does, the reliability of the log information is set to level ten; likewise, if the vulnerability information does not apply, the reliability of the log information is set to level zero;
Step (3.3), after the log information has been processed by cross correlation, it is returned to the security management center.
5. The log correlation analysis method for a security management center according to claim 1, characterized in that said step 4 is specifically:
Step (4.1), the security management center takes the log information returned after cross correlation processing and continues processing it with logic association;
Step (4.2), the security management center divides each correlation rule tree into multiple levels; the specific processing method is as follows:
Step (4.2.1), when the first log entry is processed, the security management center first attempts to match the root node of each correlation rule tree; if a node matches the log type, that correlation rule tree automatically advances one level, and the reliability and priority of the log information are set to the reliability value and priority value stored in the current node;
Step (4.2.2), when the next log entry is processed, if a node of the current level can be matched, that correlation rule tree advances one level along that branch, and the reliability and priority of the log information are set to the reliability value and priority value stored in the current node;
Step (4.2.3), said step (4.2.2) is repeated until a leaf node of the correlation rule tree is matched, or the timeout for matching the next level from the current level is exceeded without a match, at which point the loop of step (4.2.2) ends;
Step (4.2.4), if a complete branch of the correlation rule tree has been matched, the reliability of this attack is level ten and its priority is the priority described by the leaf node, indicating that this type of attack has occurred;
Step (4.3), after the log information has been processed by logic association, it is returned to the security management center.
6. The log correlation analysis method for a security management center according to claim 1, characterized in that said step 5 is specifically:
Step (5.1), the security management center hands the log information returned after logic association processing over to risk assessment for further processing;
Step (5.2), risk assessment corrects the priority of the log information: it is first queried whether the attack type described by the log information is recorded in the knowledge base described in said step 1; if the two match, the priority of the log information is set to the priority of that attack in the knowledge base;
Step (5.3), the hazard level and attacked level of the assets are then corrected according to the log information: when the priority and reliability of the log information exceed the thresholds set by the security management center, it is confirmed as an attack and an alarm is produced, the hazard level of the attacked destination network domain is raised by one level, indicating that the attack may threaten other assets in the same network domain, and the attack level of the asset where the attack source is located is raised by one level, indicating that it poses a threat to other assets in the network domain.
7. The log correlation analysis method for a security management center according to claim 1, characterized in that said step 6 is specifically:
After said step 5 is complete, log information whose reliability reaches level three is finally treated as alarm information, manually analysed, and a security event is finally generated and handled.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510617100.3A CN105119945A (en) | 2015-09-24 | 2015-09-24 | Log association analysis method for safety management center |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105119945A true CN105119945A (en) | 2015-12-02 |
Family
ID=54667833
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107015895A (en) * | 2015-12-30 | 2017-08-04 | 国际商业机器公司 | Data-centered monitoring to the conjunction rule of Distributed Application |
CN108270785A (en) * | 2018-01-15 | 2018-07-10 | 中国人民解放军国防科技大学 | Knowledge graph-based distributed security event correlation analysis method |
CN108462598A (en) * | 2017-02-21 | 2018-08-28 | 阿里巴巴集团控股有限公司 | A kind of daily record generation method, log analysis method and device |
CN108616381A (en) * | 2018-02-28 | 2018-10-02 | 北京奇艺世纪科技有限公司 | A kind of event correlation alarm method and device |
CN109951359A (en) * | 2019-03-21 | 2019-06-28 | 北京国舜科技股份有限公司 | The asynchronous scan method of distributed network assets and equipment |
CN110881051A (en) * | 2019-12-24 | 2020-03-13 | 深信服科技股份有限公司 | Security risk event processing method, device, equipment and storage medium |
CN111431753A (en) * | 2020-04-02 | 2020-07-17 | 深信服科技股份有限公司 | Asset information updating method, device, equipment and storage medium |
CN113259364A (en) * | 2021-05-27 | 2021-08-13 | 长扬科技(北京)有限公司 | Network event correlation analysis method and device and computer equipment |
CN114006748A (en) * | 2021-10-28 | 2022-02-01 | 国网山东省电力公司信息通信公司 | Network security comprehensive monitoring method, system, equipment and storage medium |
CN114143020A (en) * | 2021-09-06 | 2022-03-04 | 北京许继电气有限公司 | Rule-based network security event correlation analysis method and system |
CN114978885A (en) * | 2022-08-02 | 2022-08-30 | 深圳市华曦达科技股份有限公司 | Log management method and device, computer equipment and system |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070143842A1 (en) * | 2005-12-15 | 2007-06-21 | Turner Alan K | Method and system for acquisition and centralized storage of event logs from disparate systems |
CN101257399A (en) * | 2007-12-29 | 2008-09-03 | 中国移动通信集团四川有限公司 | Service system united safe platform |
CN101399658A (en) * | 2007-09-24 | 2009-04-01 | 北京启明星辰信息技术有限公司 | Safe log analyzing method and system |
CN101610174A (en) * | 2009-07-24 | 2009-12-23 | 深圳市永达电子股份有限公司 | A kind of log correlation analysis system and method |
CN201491020U (en) * | 2009-08-20 | 2010-05-26 | 福建富士通信息软件有限公司 | Event classification and rule tree-based association analysis device |
KR101060612B1 (en) * | 2009-07-23 | 2011-08-31 | 한신대학교 산학협력단 | Audit data based web attack event extraction system and method |
CN103580900A (en) * | 2012-08-01 | 2014-02-12 | 上海宝信软件股份有限公司 | Association analysis system based on event chains |
CN104539626A (en) * | 2015-01-14 | 2015-04-22 | 中国人民解放军信息工程大学 | Network attack scene generating method based on multi-source alarm logs |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105119945A (en) | Log association analysis method for safety management center | |
EP3343867B1 (en) | Methods and apparatus for processing threat metrics to determine a risk of loss due to the compromise of an organization asset | |
CN110222525B (en) | Database operation auditing method and device, electronic equipment and storage medium | |
CN104509034B (en) | Pattern merges to identify malicious act | |
CN112114995B (en) | Terminal abnormality analysis method, device, equipment and storage medium based on process | |
CN108694328A (en) | Digital ID management method, Digital ID managing device and recording medium | |
US9721099B2 (en) | Systems and methods for identifying associations between malware samples | |
CN107404494A (en) | Abnormal events information processing method and processing device | |
CN104252443A (en) | Report generation method and device | |
CN112966500B (en) | Network data chain safety monitoring platform based on artificial intelligence configuration | |
CN105635046A (en) | Database command line filtering and audit blocking method and device | |
CN107463839A (en) | A kind of system and method for managing application program | |
CN109389518A (en) | Association analysis method and device | |
CN114338064B (en) | Method, device, system, equipment and storage medium for identifying network traffic type | |
CN104135483B (en) | A kind of network security automatically configures management system | |
CN104158844A (en) | Remote real-time monitoring system | |
CN108833442A (en) | A kind of distributed network security monitoring device and its method | |
US20240031407A1 (en) | Honeypot Network Management Based on Probabilistic Detection of Malicious Port Activity | |
Szabó | Cybersecurity issues in industrial control systems | |
CN110138778B (en) | Game theory-based network attack risk control method and system | |
CN115567241A (en) | Multi-site network perception detection system | |
Sun et al. | Automated 3D reconstruction of tree-like structures from two orthogonal views | |
Reddy | Machine Learning Models for Anomaly Detection in Cloud Infrastructure Security | |
EP4158509A1 (en) | Threat mitigation system and method | |
Fung et al. | Electronic information security documentation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20151202 |