CN105376193A - Intelligent association analysis method and intelligent association analysis device for security events - Google Patents


Info

Publication number: CN105376193A
Authority: CN (China)
Prior art keywords: value, security incident, confidence, attributive character, standardization
Legal status: Granted (active)
Application number: CN201410401184.2A
Other languages: Chinese (zh)
Other versions: CN105376193B (en)
Inventors: 樊宁, 何明, 沈军, 金华敏
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN201410401184.2A; published as CN105376193A; granted as CN105376193B


Abstract

The invention relates to an intelligent association analysis method and an intelligent association analysis device for security events. The intelligent association analysis method comprises the steps of decomposing the attribute characteristic of a security event which is acquired in real time and standardizing the attribute characteristic values; and traversing an offline generated unified inference structure by means of the standardized attribute characteristic value, thereby determining an attack type. The intelligent association analysis method and the intelligent association analysis device improve association analysis efficiency.

Description

Intelligent association analysis method and device for security events
Technical field
The disclosure relates to the field of network security, and in particular to an intelligent association analysis method and device for security events.
Background technology
As the network security situation grows more severe, network security management has become an important part of network operation. A SOC (Security Operations Centre) is the technical platform that comprehensively analyses the network together with its security devices and systems and centrally manages and monitors security events. The SOC collects the security logs produced by the devices and systems in the network, analyses and processes them, and discovers current threats and potential security risks in the network, so that early warnings can be issued in time and heavy losses avoided. Of the large volume of security event information the SOC collects from the network, much carries no real threat, some may be the early signs of a threat being carried out, and some may be the related alarms produced by a genuine threat. Security event association analysis extracts useful information from pre-processed security events and, by associating their correlations, links isolated security events into security event chains; its goal is to find the real threat alarms among the many false and low-level alarms and to help security operations staff fix potential hazards in the network in time.
Current intelligent SOC association analysis engines mainly use the "inference engine" approach. An inference-engine association analysis engine works from an inference model trained in advance from prior knowledge: after a security event is collected, its attribute information is extracted and matched against each rule feature of the inference model, each match is recorded, and once the matching degree over all rules of the inference model reaches a threshold, an alarm is triggered. An inference-engine association analysis engine does not miss any security event or any information an event carries, so its analysis precision is high. However, because the SOC's analysis of network-wide security events involves many devices, protocols and attack types, a traditional inference-engine association analysis engine needs a large number of attack models, the analysis is elaborate and it consumes a great deal of computing memory and time, so analysis efficiency is very low. Security events in a telecommunications network environment arrive in massive volumes, which an inefficient inference-engine association analysis engine cannot support.
Summary of the invention
The disclosure proposes a new technical scheme in view of at least one of the above problems.
In one aspect, the disclosure provides an intelligent association analysis method for security events, which improves the efficiency of association analysis.
In another aspect, the disclosure provides an intelligent association analysis device for security events, which improves the efficiency of association analysis.
According to the disclosure, an intelligent association analysis method for security events is provided, comprising:
decomposing the attribute features of a security event collected in real time and standardizing the attribute feature values; and
traversing an offline-generated unified reasoning structure with the standardized attribute feature values, to determine the attack category.
In some embodiments of the disclosure, the unified reasoning structure is generated as follows:
collecting an attack model library and security event training samples;
decomposing the security event training samples into a feature library;
calculating the association probability between each feature in the feature library and an attack;
classifying each feature according to its association probability on the basis of a tree structure, to form the nodes at each level of the unified reasoning structure; and
training to calculate the confidence values of the nodes at each level that meet the decision precision requirement, and determining the classification threshold and classification accuracy rate.
In some embodiments of the disclosure, traversing the offline-generated unified reasoning structure with the standardized attribute feature values to determine the attack category comprises:
starting from the root node of the unified reasoning structure, comparing the standardized attribute feature values with the feature rules of the nodes at each level of the unified reasoning structure;
if a standardized attribute feature value matches a feature rule, superimposing the confidence values from the root node down to the current node to form an attack confidence value; and
after the unified reasoning structure has been traversed, determining the attack category according to the confidence space in which the attack confidence value falls.
In some embodiments of the disclosure, the method further comprises:
for a standardized attribute feature value, starting a timer when the traversal starts from the root node of the unified reasoning structure; and
if the timer expires, resetting the attack confidence value of that standardized attribute feature value.
In some embodiments of the disclosure, the attribute features of a security event comprise the source IP address and port, the destination IP address and port, the event category, the event name, the event level, the device the event involves and the time the event occurred.
According to the disclosure, an intelligent association analysis device for security events is also provided, comprising:
an event acquisition unit, for decomposing the attribute features of a security event collected in real time and standardizing the attribute feature values; and
a category decision unit, for traversing an offline-generated unified reasoning structure with the standardized attribute feature values, to determine the attack category.
In some embodiments of the disclosure, the intelligent association analysis device for security events further comprises a unified reasoning structure generation unit, which comprises:
a collection subunit, for collecting an attack model library and security event training samples;
a sample decomposition subunit, for decomposing the security event training samples into a feature library;
an association probability calculation subunit, for calculating the association probability between each feature in the feature library and an attack;
a structure formation subunit, for classifying each feature according to its association probability on the basis of a tree structure, to form the nodes at each level of the unified reasoning structure; and
a confidence value determination subunit, for training to calculate the confidence values of the nodes at each level that meet the decision precision requirement, and determining the classification threshold and classification accuracy rate.
In some embodiments of the disclosure, the category decision unit comprises:
a comparison subunit, for comparing, starting from the root node of the unified reasoning structure, the standardized attribute feature values with the feature rules of the nodes at each level of the unified reasoning structure;
an attack confidence value calculation subunit, for superimposing the confidence values from the root node down to the current node to form an attack confidence value if a standardized attribute feature value matches a feature rule; and
a category determination subunit, for determining, after the unified reasoning structure has been traversed, the attack category according to the confidence space in which the attack confidence value falls.
In some embodiments of the disclosure, the intelligent association analysis device for security events further comprises:
a timer which, for a standardized attribute feature value, is started when the traversal starts from the root node of the unified reasoning structure and which, if it expires, resets the attack confidence value of that standardized attribute feature value.
In some embodiments of the disclosure, the attribute features of a security event comprise the source IP address and port, the destination IP address and port, the event category, the event name, the event level, the device the event involves and the time the event occurred.
In the technical scheme of the disclosure, the offline-generated unified reasoning structure improves the efficiency of association analysis of security events collected in real time, saves computing memory and time, and achieves a balance between precision and efficiency.
Brief description of the drawings
The accompanying drawings described here are provided for further understanding of the disclosure and form part of this application. In the drawings:
Fig. 1 is a schematic flow chart of the intelligent association analysis method for security events of an embodiment of the disclosure.
Fig. 2 is a schematic diagram of the tree-like unified reasoning structure of an embodiment of the disclosure.
Fig. 3 is a schematic structural diagram of the intelligent association analysis device for security events of an embodiment of the disclosure.
Detailed description
The disclosure is described below with reference to the accompanying drawings. It should be noted that the following description is merely explanatory and exemplary in nature and in no way limits the disclosure or its application or use. Unless stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in the embodiments do not limit the scope of the disclosure. In addition, techniques, methods and devices well known to those skilled in the art may not be discussed in detail, but are intended, where appropriate, to form part of the specification.
Fig. 1 is a schematic flow chart of the intelligent association analysis method for security events of an embodiment of the disclosure.
As shown in Fig. 1, this embodiment may comprise the following steps:
S102: decompose the attribute features of a security event collected in real time and standardize the attribute feature values.
The attribute features of a security event may include, but are not limited to, the source IP address and port, the destination IP address and port, the event category, the event name, the event level, the device the event involves and the time the event occurred.
S104: traverse an offline-generated unified reasoning structure with the standardized attribute feature values to determine the attack category; the unified reasoning structure may be a tree structure.
In this embodiment, the offline-generated unified reasoning structure improves the efficiency of association analysis of security events collected in real time, saves computing memory and time, and achieves a balance between precision and efficiency.
In one example, the unified reasoning structure may be generated as follows:
collect an attack model library and security event training samples; decompose the security event training samples into a feature library; calculate the association probability between each feature in the feature library and an attack; classify each feature according to its association probability on the basis of a tree structure, to form the nodes at each level of the unified reasoning structure; and train to calculate the confidence values of the nodes at each level that meet the decision precision requirement, and determine the classification threshold and classification accuracy rate.
It should be noted that the above unified reasoning structure is trained in advance, offline, from the security event training samples; once real-time security event data is obtained, the unified reasoning structure is used directly to analyse which attack type the security data belongs to, which significantly improves analysis efficiency.
In another embodiment, traversing the offline-generated unified reasoning structure with the standardized attribute feature values to determine the attack category may comprise: starting from the root node of the unified reasoning structure, comparing the standardized attribute feature values with the feature rules of the nodes at each level of the unified reasoning structure; if a standardized attribute feature value matches a feature rule, superimposing the confidence values from the root node down to the current node to form an attack confidence value; and, after the unified reasoning structure has been traversed, determining the attack category according to the confidence space in which the attack confidence value falls.
In another embodiment, for a standardized attribute feature value, a timer is started when the traversal starts from the root node of the unified reasoning structure; if the timer expires, the attack confidence value of that standardized attribute feature value is reset. This prevents the analysis of a particular standardized attribute feature value from occupying confidence value resources for a long time and disrupting the normal analysis process.
Next, a specific implementation is described in detail to show how the unified reasoning structure is produced by offline training. Specifically, it may comprise the following steps:
Step 1: collect an attack model library and raw security event samples.
A security event sample is a security event in the standard format that the association analysis engine analyses, composed of attribute features such as the source IP address, source port, destination IP address, destination port, event category, event name, event level, the device the event involves and the time the event occurred.
The attack model library is the set of all attack models the association analysis engine can decide on, determined from prior knowledge. An attack model is the attack scenario and security event chain associated with a particular security attack. A security event chain is a chain made up of a series of single security events that stand in logical relations such as cause and effect or temporal succession.
Attack models may include, but are not limited to, mathematical models of all kinds of attacks, such as suspicious scanning activity, abnormal access, malicious code activity, abnormal network traffic, network service attacks and abnormal device operation.
Step 2: decompose the security event samples into a feature library, that is, break up all attribute elements of the security event samples to form the feature library.
The feature library is the set formed by the attribute features of the security event samples and their values.
Step 3: classify the feature library according to the attack models in the attack model library, using prior knowledge, and remove features unrelated to attacks.
Specifically, because a security event comprises attribute features such as the source IP address, source port, destination IP address, destination port, event category, event name, event level, the device the event involves and the time the event occurred, it can be divided into multiple feature library elements. For example, if an attack model requires that a "website attack" event occurs within 3 minutes after an event of category "suspicious scanning", with the destination IP address of the two events the same, then the relevant feature elements all point to that attack result, while the remaining attribute features are unrelated to the attack and can be removed.
Step 4: calculate the association probability between each feature and an attack, and sort the features in the feature library by association probability from largest to smallest.
For example, a feature rule may correspond to several attacks. Suppose there are 100 attack models in total and 20 of them have the feature rule "target IP address = XXX"; the association probability of that feature is then 20%.
Step 5: rank the features by association probability to serve as the nodes at each level of the unified reasoning structure.
The unified reasoning structure is a reasoning structure based on a single tree of data, made up of multiple levels of nodes; upper-level and lower-level nodes are connected, and every node at every level has a feature rule and a confidence value.
A feature rule is a condition that a particular attribute feature of a security event must satisfy; for example, "source IP address == 1.1.1.1" is a required condition, i.e. a feature rule.
A confidence value is a datum identified by a multi-dimensional numerical value; it represents the degree to which the node conforms to the various attack models.
Specifically, multiple intervals are defined, for example 50-60%, 40-50%, ..., 0-10%, and all feature rules whose association probability falls within one interval are placed at one level. Each feature rule at each level is represented by one node, and all the nodes form a tree structure, as shown in Fig. 2.
Step 6: calculate the classification association degree between a lower-level node and its upper-level node; if the association degree is less than the threshold 0.707, add a new dimension.
Specifically, the coincidence rate with which the lower-level node and the upper-level node belong to the same attack model, i.e. the association degree, is calculated. Suppose the upper-level node's feature may point to attacks A, B and C with association probabilities a, b and c respectively, and the lower-level node points to attacks A and B with association probabilities d and e respectively; then the classification association degree between the lower-level node and the upper-level node is (d+e)/(a+b+c). The threshold 0.707 represents the median of the association degree.
If the association degree is less than the threshold 0.707, the two nodes are weakly associated, and the vector value of one further dimension may be added.
Step 7: calculate the vector value of the classification association degree between the lower-level node and the upper-level node in each dimension.
Specifically, the vector value in each dimension equals the sine of the angle (i.e. the vector angle) relating the lower-level node's association probability to the association degree.
Step 8: according to the formula "confidence value = A-dimension vector value × x + B-dimension vector value × y + ..." (where the A-dimension vector value, B-dimension vector value and so on are those calculated in step 7), increase the unknowns x, y, ... from 0 in steps of 1 and calculate the confidence value of each node.
Specifically, every possible value is tried for each unknown variable from smallest to largest, and the classification accuracy rate is calculated repeatedly over the various combinations of values, to determine the optimal variable values.
For example, the initial value of the root node's (x, y, z) is (0, 0, 0), the initial value of the root node's child nodes is (1, 0, 0), and so on; if the classification accuracy rate calculated at the leaf nodes does not meet the decision precision requirement, the root node's (x, y, z) is incremented by 1.
Step 9: run the security event chain of each attack model through the unified reasoning structure, superimpose the confidence values obtained, and calculate the final confidence value result.
Step 10: according to the cluster space of each attack model's confidence value result, determine the classification threshold and classification accuracy rate with the median algorithm.
Specifically, when the classification tree is designed, it ultimately converges to leaf nodes at which the attack categories are clearly separated; when a leaf node is reached, the confidence value converges to a range, i.e. a cluster space.
For example, if the cluster spaces of two attacks overlap, classification errors will occur. The threshold is calculated with the median algorithm, i.e. by taking the median of the values in the intersection of the two attacks' cluster spaces. If the calculated threshold is a, values greater than a are attack 1 and values less than a are attack 2. The range of values in attack 1's cluster space that is less than a will be misjudged. Within attack 1's cluster space, the range of values less than a divided by the cluster space is the misclassification rate, and the remainder is the classification accuracy rate.
Step 11: when the classification accuracy rate is less than the decision precision requirement, go to step 8 and repeat the subsequent steps; when the classification accuracy rate is greater than the decision precision requirement, the process ends, the final confidence value of each node is the confidence value of that node in the unified reasoning structure, and the unified reasoning structure has been generated.
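The offline statistics that steps 4, 6 and 10 above rely on, as an added Python example that is not part of the patent or of any China Telecom code: the attack-model library, the cluster spaces, the node probabilities and all function names are constructed for illustration, and the weight search of steps 7-9 and 11 is not shown.

```python
from fractions import Fraction
from typing import Dict, List, Optional, Set, Tuple

# Constructed attack-model library (assumption): each attack model is the set
# of feature rules its scenario requires, written as "attribute=value".
ATTACK_MODELS: Dict[str, Set[str]] = {
    "suspicious_scan": {"event_category=suspicious scanning", "dst_ip=10.0.0.5"},
    "website_attack":  {"event_category=website attack", "dst_ip=10.0.0.5", "dst_port=80"},
    "malicious_code":  {"event_category=malicious code", "device=host_av"},
    "abnormal_access": {"event_category=abnormal access", "dst_ip=10.0.0.5", "event_level=high"},
    "flow_anomaly":    {"event_category=traffic anomaly", "device=netflow"},
}

ASSOCIATION_THRESHOLD = 0.707   # the description's median of the association degree


def association_probabilities(models: Dict[str, Set[str]]) -> Dict[str, Fraction]:
    """Step 4: a feature's association probability is the share of attack
    models whose rules contain it (20 of 100 models -> 20%). Fractions keep
    the interval bucketing below exact."""
    counts: Dict[str, int] = {}
    for rules in models.values():
        for rule in rules:
            counts[rule] = counts.get(rule, 0) + 1
    return {rule: Fraction(n, len(models)) for rule, n in counts.items()}


def rank_features(probs: Dict[str, Fraction]) -> List[str]:
    """Step 4: order features by association probability, largest first."""
    return sorted(probs, key=lambda rule: (-probs[rule], rule))


def tree_levels(probs: Dict[str, Fraction], width: Fraction = Fraction(1, 10)) -> Dict[int, List[str]]:
    """Step 5: bucket features into probability intervals (0-10%, 10-20%, ...);
    all rules in one interval form one level of the tree. Level k covers
    [k*width, (k+1)*width)."""
    levels: Dict[int, List[str]] = {}
    for rule in rank_features(probs):
        levels.setdefault(int(probs[rule] / width), []).append(rule)
    return levels


def classification_association_degree(parent: Dict[str, float], child: Dict[str, float]) -> float:
    """Step 6: the upper-level node points at attacks A, B, C with probabilities
    a, b, c and the lower-level node at a subset with probabilities d, e; the
    degree is (d + e) / (a + b + c)."""
    return sum(child.values()) / sum(parent.values())


def needs_new_dimension(parent: Dict[str, float], child: Dict[str, float]) -> bool:
    """Step 6: below 0.707 the nodes are weakly associated, so a further
    confidence dimension is added."""
    return classification_association_degree(parent, child) < ASSOCIATION_THRESHOLD


def median_threshold(space1: Tuple[float, float], space2: Tuple[float, float]) -> Optional[float]:
    """Step 10: the classification threshold a between two overlapping cluster
    spaces is the median of their intersection; None when they do not overlap
    (then no value can be misclassified)."""
    lo, hi = max(space1[0], space2[0]), min(space1[1], space2[1])
    return None if lo > hi else (lo + hi) / 2


def classification_accuracy(space: Tuple[float, float], threshold: float, above: bool) -> float:
    """Step 10: the share of an attack's cluster space lying on its own side of
    the threshold. above=True is attack 1 (decided for values > a), so the
    part of its space below a is the misclassification rate."""
    lo, hi = space
    if above:
        wrong = min(max(threshold, lo), hi) - lo
    else:
        wrong = hi - max(min(threshold, hi), lo)
    return 1 - wrong / (hi - lo)


if __name__ == "__main__":
    probs = association_probabilities(ATTACK_MODELS)
    for level, rules in sorted(tree_levels(probs).items(), reverse=True):
        print(f"level {level * 10}-{level * 10 + 10}%: {rules}")
    parent = {"A": 0.5, "B": 0.3, "C": 0.2}     # constructed node probabilities
    child = {"A": 0.4, "B": 0.25}
    print("degree", classification_association_degree(parent, child),
          "new dimension:", needs_new_dimension(parent, child))
    a = median_threshold((0.6, 1.0), (0.3, 0.7))  # constructed cluster spaces
    print("threshold", a, "accuracy of attack 1", classification_accuracy((0.6, 1.0), a, True))
```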
After the unified reasoning structure has been trained, an example is described in detail of how the attack category of a security event is determined. Specifically, it may comprise the following steps:
Step 1: decompose the attribute features of a security event collected in real time and standardize the attribute feature values.
Decomposition divides the security event's attributes and attribute values into pairwise features such as "attack target = scan target of the previous event". Standardization unifies the attribute descriptions of security events from different sources into a single standard description.
Step 2: compare the standardized attribute feature value with the feature rule of the node at the current level of the unified reasoning structure.
Note that the comparison starts from the root node of the unified reasoning structure. If the comparison fails, compare with the child nodes of the current-level node.
That is, the comparison checks whether the standardized attribute feature value satisfies the feature rule. Suppose the feature rule is "packet loss > 50%"; if the packet loss attribute feature value of the currently collected security event is 66%, the comparison matches.
Step 3: if the comparison matches, superimpose the confidence value of the current node on the attack confidence value; if it does not match, do nothing, skip to the node at the next level and return to step 2. Note that the initial attack confidence value is 0.
Step 4: after the unified reasoning structure has been traversed, the classification threshold tells which attack's confidence space the attack confidence value falls into; the decision that the corresponding attack has occurred is then made and an alarm is sent.
Step 5: if the attack confidence value does not fall into any confidence space, analyse the next attribute feature value and return to step 2.
Step 6: when all attribute feature values of the current security event have been analysed, analyse the next collected security event and return to step 1.
Step 7: a timer is started when the reasoning of step 2 starts from the root node; if the timer expires, the attack confidence value is reset and the timer is reset too. The timer accumulates time and resets the confidence value after a period, to prevent an isolated security event from occupying confidence value resources for a long time and disrupting the normal analysis process.
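The online decision of steps 1-7 above, as an added Python example that is not code from the patent or from China Telecom: the tree and its confidence values, the confidence spaces, the attribute-name map, the 180-second timeout and the reset of the confidence value after an alarm are all constructed assumptions.

```python
import operator
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple

# A feature rule is an "attribute <op> value" condition, as in the
# description's "source IP address == 1.1.1.1" and "packet loss > 50%".
OPERATORS = {"==": operator.eq, ">": operator.gt, "<": operator.lt, ">=": operator.ge}


@dataclass
class Node:
    """One node of the unified reasoning structure: a feature rule plus the
    confidence value trained for it offline."""
    attribute: str
    op: str
    value: Any
    confidence: float
    children: List["Node"] = field(default_factory=list)

    def matches(self, attribute: str, value: Any) -> bool:
        if attribute != self.attribute:
            return False
        try:
            return bool(OPERATORS[self.op](value, self.value))
        except TypeError:            # e.g. a string compared with ">"
            return False


# Constructed tree (assumption): levels follow the association-probability
# intervals of the offline procedure; the confidence values are made up.
TREE = Node("event_category", "==", "suspicious scanning", 0.30, children=[
    Node("dst_port", "==", 80, 0.15, children=[
        Node("packet_loss", ">", 50, 0.30),
    ]),
    Node("event_level", "==", "high", 0.30),
])

# Constructed confidence spaces (assumption): the cluster space each attack
# converged to in training, as [lo, hi).
CONFIDENCE_SPACES: Dict[str, Tuple[float, float]] = {
    "website_attack": (0.70, 1.01),
    "suspicious_scan": (0.55, 0.65),
}

# Standardization: device-specific attribute names (constructed) mapped onto
# the engine's standard attribute names.
STANDARD_NAMES = {"sip": "src_ip", "dip": "dst_ip", "dport": "dst_port",
                  "category": "event_category", "severity": "event_level",
                  "loss_pct": "packet_loss"}


def standardize(raw_event: Dict[str, Any]) -> List[Tuple[str, Any]]:
    """Step 1: decompose the event into (attribute, value) pairs under the
    standard attribute names."""
    return [(STANDARD_NAMES.get(k, k), v) for k, v in raw_event.items()]


def traverse(root: Node, attribute: str, value: Any) -> float:
    """Steps 2-3: walk the tree from the root, compare one standardized value
    with every node's feature rule, and sum the confidence of each match;
    a non-matching node is skipped and its children are still visited."""
    gained, frontier = 0.0, [root]
    while frontier:
        node = frontier.pop()
        if node.matches(attribute, value):
            gained += node.confidence
        frontier.extend(node.children)
    return gained


class DecisionEngine:
    """Steps 3-7: accumulate the attack confidence value across attribute
    values and events, decide the attack once the value lands in a confidence
    space, and reset it when the timer expires."""

    def __init__(self, tree: Node, spaces: Dict[str, Tuple[float, float]], timeout: float):
        self.tree, self.spaces, self.timeout = tree, spaces, timeout
        self.confidence = 0.0                  # initial attack confidence value is 0
        self.started_at: Optional[float] = None

    def _classify(self) -> Optional[str]:
        for attack, (lo, hi) in self.spaces.items():
            if lo <= self.confidence < hi:
                return attack
        return None

    def process(self, raw_event: Dict[str, Any], now: float) -> Optional[str]:
        """Return the attack decided on after this event, or None (step 5/6:
        move on to the next attribute value or event)."""
        if self.started_at is not None and now - self.started_at > self.timeout:
            self.confidence, self.started_at = 0.0, None      # step 7: timer expired
        for attribute, value in standardize(raw_event):
            if self.started_at is None:
                self.started_at = now                         # timer starts at the root
            self.confidence += traverse(self.tree, attribute, value)
            attack = self._classify()
            if attack is not None:                            # step 4: alarm
                self.confidence, self.started_at = 0.0, None  # reset (assumption)
                return attack
        return None


if __name__ == "__main__":
    engine = DecisionEngine(TREE, CONFIDENCE_SPACES, timeout=180.0)
    scan = {"category": "suspicious scanning", "dip": "10.0.0.5", "dport": 22, "severity": "low"}
    web = {"category": "website attack", "dip": "10.0.0.5", "dport": 80, "loss_pct": 66}
    print(engine.process(scan, now=0.0), engine.process(web, now=60.0))
```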
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a storage medium readable by a computing device and, when executed, performs the steps of the above method embodiments; the storage medium may be any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Fig. 3 is a schematic structural diagram of the intelligent association analysis device for security events of an embodiment of the disclosure.
As shown in Fig. 3, the device 30 in this embodiment may comprise an event acquisition unit 302 and a category decision unit 304, where:
the event acquisition unit 302 decomposes the attribute features of a security event collected in real time and standardizes the attribute feature values; and
the category decision unit 304 traverses an offline-generated unified reasoning structure with the standardized attribute feature values to determine the attack category.
In this embodiment, the offline-generated unified reasoning structure improves the efficiency of association analysis of security events collected in real time, saves computing memory and time, and achieves a balance between precision and efficiency.
In one embodiment, the intelligent association analysis device for security events may further comprise a unified reasoning structure generation unit, which comprises a collection subunit, a sample decomposition subunit, an association probability calculation subunit, a structure formation subunit and a confidence value determination subunit, where:
the collection subunit collects an attack model library and security event training samples; the sample decomposition subunit decomposes the security event training samples into a feature library; the association probability calculation subunit calculates the association probability between each feature in the feature library and an attack; the structure formation subunit classifies each feature according to its association probability on the basis of a tree structure, to form the nodes at each level of the unified reasoning structure; and the confidence value determination subunit trains to calculate the confidence values of the nodes at each level that meet the decision precision requirement, and determines the classification threshold and classification accuracy rate.
In another embodiment, the category decision unit comprises a comparison subunit, an attack confidence value calculation subunit and a category determination subunit, where: the comparison subunit compares, starting from the root node of the unified reasoning structure, the standardized attribute feature values with the feature rules of the nodes at each level of the unified reasoning structure; the attack confidence value calculation subunit superimposes the confidence values from the root node down to the current node to form an attack confidence value if a standardized attribute feature value matches a feature rule; and the category determination subunit determines, after the unified reasoning structure has been traversed, the attack category according to the confidence space in which the attack confidence value falls.
In another embodiment, the intelligent association analysis device for security events further comprises a timer which, for a standardized attribute feature value, is started when the traversal starts from the root node of the unified reasoning structure and which, if it expires, resets the attack confidence value of that standardized attribute feature value.
The attribute features of a security event may include, but are not limited to, the source IP address and port, the destination IP address and port, the event category, the event name, the event level, the device the event involves and the time the event occurred.
In another embodiment, an association analysis engine based on a unified reasoning structure that merges multiple attack models comprises a unified reasoning structure generation module, a security event pre-processing module, a unified reasoning analysis decision module and an alarm module, where:
the unified reasoning structure generation module is an offline information processing module that generates the unified reasoning structure through multiple rounds of training, based on a security event sample library and the attack models of prior knowledge; it comprises the security event samples, the attack model library, the feature library and the unified reasoning structure;
the security event pre-processing module, the unified reasoning analysis decision module and the alarm module are the online processing modules of the association analysis engine;
the security event pre-processing module is an information processing module that decomposes and classifies the attribute features of security events entering the association analysis engine;
the unified reasoning analysis decision module is an information processing module that performs association analysis on security events based on the unified reasoning structure and decides whether an attack has occurred; it comprises the unified reasoning structure, the confidence value space and the timer;
the confidence value space is the storage space for the current confidence value and the historical confidence values during unified reasoning analysis decisions, and the timer is a register that times the unified reasoning analysis decisions; and
the alarm module is the system module that sends attack alarms.
This embodiment is for the inefficient problem of magnanimity security event associative analysis under telecommunication network environment, propose the association analysis method based on fuzzy decision-tree merging many challenge model: the attack judgment condition of different challenge model is with multidimensional the value of the confidence mark, and training generates unified multipath fuzzy decision-tree.By unified inference method improve association analysis efficiency, save computer memory, time cost, achieve the multi-source information association analysis of precision and balance of efficiency.
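The offline generation module and the multi-round training described above (the steps are spelled out in claim 2 below), as an added Python example that is not the patent's own code. It assumes: a training sample is a dict of standardized attribute values plus an `attack` label (`None` for benign); the association probability of a feature (attribute, value) with attack is P(attack | feature) estimated by counting; the levels of the structure are the attributes ordered by their strongest association, so the nodes at level k are the values of the k-th attribute and an event's path is its value at each level; a node's confidence is its association probability divided by the number of levels, so that every root-to-leaf sum lies in [0, 1]; and the classification threshold is chosen, over rounds that try every path sum seen in training, as the one with the highest training accuracy. The training samples are constructed, and the fuzzy membership functions of the patent's decision tree are not modelled; the nodes here match crisply.

```python
from collections import Counter, defaultdict


def decompose(samples: list) -> set:
    """Feature library: every (attribute, value) pair seen in the training samples."""
    features = set()
    for s in samples:
        features.update((k, v) for k, v in s.items() if k != "attack")
    return features


def association_probability(samples: list, features: set) -> dict:
    """P(attack | feature) for each feature in the library, estimated by counting."""
    seen, attacked = Counter(), Counter()
    for s in samples:
        for attr, val in features:
            if s.get(attr) == val:
                seen[(attr, val)] += 1
                if s["attack"]:
                    attacked[(attr, val)] += 1
    return {f: attacked[f] / seen[f] for f in features if seen[f]}


def level_order(assoc: dict) -> list:
    """Order attributes into tree levels, strongest attack association first
    (ties broken by name so the generated structure is deterministic)."""
    strongest = defaultdict(float)
    for (attr, _), p in assoc.items():
        strongest[attr] = max(strongest[attr], p)
    return sorted(strongest, key=lambda a: (-strongest[a], a))


def path_confidence(levels: list, confidence: dict, event: dict) -> float:
    """Walk the levels in order and superimpose the confidence of each matched node;
    an attribute value never seen in training contributes nothing."""
    return sum(confidence.get((attr, event.get(attr)), 0.0) for attr in levels)


def train_threshold(samples: list, levels: list, confidence: dict) -> tuple:
    """Multi-round training: try every path sum observed on the training set as the
    classification threshold and keep the one with the highest training accuracy."""
    scored = [(path_confidence(levels, confidence, s), bool(s["attack"])) for s in samples]
    best_t, best_acc = 0.0, 0.0
    for t, _ in sorted(scored):
        acc = sum((c >= t) == is_attack for c, is_attack in scored) / len(scored)
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t, best_acc


def generate(samples: list) -> dict:
    """Offline generation: feature library -> association probabilities -> levels ->
    node confidences -> threshold and accuracy. The result is what an online
    decision module would load."""
    features = decompose(samples)
    assoc = association_probability(samples, features)
    levels = level_order(assoc)
    confidence = {f: p / len(levels) for f, p in assoc.items()}   # path sums stay in [0, 1]
    threshold, accuracy = train_threshold(samples, levels, confidence)
    return {"levels": levels, "association": assoc, "confidence": confidence,
            "threshold": threshold, "accuracy": accuracy}


def predict(structure: dict, event: dict) -> bool:
    """Online use of the generated structure: True if the event is judged an attack."""
    c = path_confidence(structure["levels"], structure["confidence"], event)
    return c >= structure["threshold"]


# Constructed training samples (not real data): standardized attribute values plus label.
TRAINING_SAMPLES = [
    {"event_category": "scan", "dst_port": 22,   "event_level": 3, "attack": "port_scan"},
    {"event_category": "scan", "dst_port": 22,   "event_level": 3, "attack": "port_scan"},
    {"event_category": "scan", "dst_port": 3389, "event_level": 3, "attack": "port_scan"},
    {"event_category": "scan", "dst_port": 80,   "event_level": 1, "attack": None},
    {"event_category": "auth", "dst_port": 22,   "event_level": 3, "attack": "brute_force"},
    {"event_category": "auth", "dst_port": 22,   "event_level": 1, "attack": None},
    {"event_category": "web",  "dst_port": 80,   "event_level": 1, "attack": None},
    {"event_category": "web",  "dst_port": 443,  "event_level": 2, "attack": None},
]

if __name__ == "__main__":
    structure = generate(TRAINING_SAMPLES)
    print("levels:", structure["levels"])
    print("threshold: %.4f  training accuracy: %.2f"
          % (structure["threshold"], structure["accuracy"]))
    print("scan on 22, level 3 ->", predict(structure,
          {"event_category": "scan", "dst_port": 22, "event_level": 3}))
```

Training accuracy on eight hand-built samples says nothing about the "judgement precision" the patent requires in production; a held-out sample set, and a threshold chosen on it rather than on the training set, are the minimum before the structure is loaded into the online module, and an attribute value that was never seen in training silently contributes zero confidence, which is the case to watch when new event sources are added.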
The embodiments in this specification are described progressively; each embodiment emphasises its differences from the others, and the parts that are identical or similar between embodiments may be cross-referenced. The device embodiments are described more briefly because they are essentially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
Although the disclosure has been described with reference to exemplary embodiments, it should be understood that the disclosure is not limited to the exemplary embodiments described above. It will be obvious to those skilled in the art that the exemplary embodiments can be modified without departing from the scope and spirit of the disclosure. The scope of the appended claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.

Claims (10)

1. An intelligent association analysis method for security events, characterized in that it comprises:
decomposing the attribute features of a security event collected in real time and standardizing the attribute feature values; and
traversing an offline-generated unified reasoning structure using the standardized attribute feature values, so as to determine the attack class.
2. The intelligent association analysis method for security events according to claim 1, characterized in that the unified reasoning structure is generated in the following way:
collecting an attack model library and security event training samples;
decomposing the security event training samples into a feature library;
calculating the association probability between each feature in the feature library and an attack;
classifying each feature according to its association probability on the basis of a tree structure, so as to form the nodes at each level of the unified reasoning structure; and
training to calculate the confidence values of the nodes at each level that meet the required judgement precision, and determining the classification threshold and the classification accuracy.
3. The intelligent association analysis method for security events according to claim 1, characterized in that traversing the offline-generated unified reasoning structure using the standardized attribute feature values to determine the attack class comprises:
comparing the standardized attribute feature values with the characterization rules of the nodes at each level of the unified reasoning structure, starting from its root node;
if a standardized attribute feature value matches a characterization rule, superimposing the confidence values of the nodes from the root node to the current node to form an attack confidence value; and
after the unified reasoning structure has been traversed, determining the attack class according to the confidence space in which the attack confidence value lies.
4. The intelligent association analysis method for security events according to claim 3, characterized in that the method further comprises:
for each standardized attribute feature value, starting a timer when the traversal begins at the root node of the unified reasoning structure; and
if the timer expires, resetting the attack confidence value of that standardized attribute feature value.
5. The intelligent association analysis method for security events according to claim 1, characterized in that the attribute features of a security event comprise the source IP address and port, the destination IP address and port, the event category, the event name, the event level, the device the event relates to, and the time at which the event occurred.
6. An intelligent association analysis device for security events, characterized in that it comprises:
an event acquisition unit, for decomposing the attribute features of a security event collected in real time and standardizing the attribute feature values; and
a classification judging unit, for traversing an offline-generated unified reasoning structure using the standardized attribute feature values, so as to determine the attack class.
7. The intelligent association analysis device for security events according to claim 6, characterized in that the device further comprises a unified reasoning structure generation unit, which comprises:
a collection subunit, for collecting an attack model library and security event training samples;
a sample decomposition subunit, for decomposing the security event training samples into a feature library;
an association probability computation subunit, for calculating the association probability between each feature in the feature library and an attack;
a structure formation subunit, for classifying each feature according to its association probability on the basis of a tree structure, so as to form the nodes at each level of the unified reasoning structure; and
a confidence value determination subunit, for training to calculate the confidence values of the nodes at each level that meet the required judgement precision, and determining the classification threshold and the classification accuracy.
8. The intelligent association analysis device for security events according to claim 6, characterized in that the classification judging unit comprises:
a comparison subunit, for comparing the standardized attribute feature values with the characterization rules of the nodes at each level of the unified reasoning structure, starting from its root node;
an attack confidence computation subunit, for superimposing, when a standardized attribute feature value matches a characterization rule, the confidence values of the nodes from the root node to the current node to form an attack confidence value; and
a classification determination subunit, for determining, after the unified reasoning structure has been traversed, the attack class according to the confidence space in which the attack confidence value lies.
9. The intelligent association analysis device for security events according to claim 8, characterized in that the device further comprises:
a timer, for being started, for each standardized attribute feature value, when the traversal begins at the root node of the unified reasoning structure, and, if the timer expires, for resetting the attack confidence value of that standardized attribute feature value.
10. The intelligent association analysis device for security events according to claim 6, characterized in that the attribute features of a security event comprise the source IP address and port, the destination IP address and port, the event category, the event name, the event level, the device the event relates to, and the time at which the event occurred.
CN201410401184.2A 2014-08-15 2014-08-15 Intelligent association analysis method and device for security events Active CN105376193B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410401184.2A CN105376193B (en) 2014-08-15 2014-08-15 Intelligent association analysis method and device for security events

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410401184.2A CN105376193B (en) 2014-08-15 2014-08-15 Intelligent association analysis method and device for security events

Publications (2)

Publication Number Publication Date
CN105376193A true CN105376193A (en) 2016-03-02
CN105376193B CN105376193B (en) 2019-06-04

Family

ID=55378007

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410401184.2A Active CN105376193B (en) 2014-08-15 2014-08-15 Intelligent association analysis method and device for security events

Country Status (1)

Country Link
CN (1) CN105376193B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209893A (en) * 2016-07-27 2016-12-07 中国人民解放军信息工程大学 Insider threat detection system and detection method based on business process model mining
CN106570131A (en) * 2016-10-27 2017-04-19 北京途美科技有限公司 Sensitive data abnormal access detection method based on clustering analysis
CN107517216A (en) * 2017-09-08 2017-12-26 瑞达信息安全产业股份有限公司 Network security event correlation method
CN109218435A (en) * 2018-09-30 2019-01-15 湖北华联博远科技有限公司 Data uploading method and system
CN109361728A (en) * 2018-08-30 2019-02-19 中国科学院上海微系统与信息技术研究所 Hierarchical event reporting system and method based on multi-source sensing data relevance
CN109446291A (en) * 2018-10-23 2019-03-08 山东中创软件商用中间件股份有限公司 Road network state statistical method and device and computer readable storage medium
CN110545276A (en) * 2019-09-03 2019-12-06 新华三信息安全技术有限公司 Threat event warning method and device, warning equipment and machine-readable storage medium
CN111343161A (en) * 2020-02-14 2020-06-26 平安科技(深圳)有限公司 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
CN113095625A (en) * 2021-03-17 2021-07-09 中国民用航空总局第二研究所 Method and system for grading unsafe events of civil aviation airport
CN113672913A (en) * 2021-08-20 2021-11-19 绿盟科技集团股份有限公司 Security event processing method and device and electronic equipment
CN113672913B (en) * 2021-08-20 2024-06-28 绿盟科技集团股份有限公司 Security event processing method and device and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001084270A2 (en) * 2000-04-28 2001-11-08 Internet Security Systems, Inc. Method and system for intrusion detection in a computer network
CN1529248A (en) * 2003-10-20 2004-09-15 北京启明星辰信息技术有限公司 Network intrusion related event detection method and system
CN1878093A (en) * 2006-07-19 2006-12-13 华为技术有限公司 Security event association analysis method and system
CN101697545A (en) * 2009-10-29 2010-04-21 成都市华为赛门铁克科技有限公司 Security incident correlation method and device as well as network server
CN102571469A (en) * 2010-12-23 2012-07-11 北京启明星辰信息技术股份有限公司 Attack detection method and device
CN103281341A (en) * 2013-06-27 2013-09-04 福建伊时代信息科技股份有限公司 Network event processing method and device

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209893B (en) * 2016-07-27 2019-03-19 中国人民解放军信息工程大学 Insider threat detection system and detection method based on business process model mining
CN106209893A (en) * 2016-07-27 2016-12-07 中国人民解放军信息工程大学 Insider threat detection system and detection method based on business process model mining
CN106570131A (en) * 2016-10-27 2017-04-19 北京途美科技有限公司 Sensitive data abnormal access detection method based on clustering analysis
CN107517216A (en) * 2017-09-08 2017-12-26 瑞达信息安全产业股份有限公司 Network security event correlation method
CN107517216B (en) * 2017-09-08 2020-02-21 瑞达信息安全产业股份有限公司 Network security event correlation method
CN109361728A (en) * 2018-08-30 2019-02-19 中国科学院上海微系统与信息技术研究所 Hierarchical event reporting system and method based on multi-source sensing data relevance
CN109361728B (en) * 2018-08-30 2021-01-29 中国科学院上海微系统与信息技术研究所 Hierarchical event reporting system and method based on multi-source sensing data relevance
CN109218435A (en) * 2018-09-30 2019-01-15 湖北华联博远科技有限公司 Data uploading method and system
CN109446291A (en) * 2018-10-23 2019-03-08 山东中创软件商用中间件股份有限公司 Road network state statistical method and device and computer readable storage medium
CN109446291B (en) * 2018-10-23 2022-05-13 山东中创软件商用中间件股份有限公司 Road network state statistical method and device and computer readable storage medium
CN110545276A (en) * 2019-09-03 2019-12-06 新华三信息安全技术有限公司 Threat event warning method and device, warning equipment and machine-readable storage medium
CN110545276B (en) * 2019-09-03 2022-06-21 新华三信息安全技术有限公司 Threat event warning method and device, warning equipment and machine-readable storage medium
CN111343161A (en) * 2020-02-14 2020-06-26 平安科技(深圳)有限公司 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
CN111343161B (en) * 2020-02-14 2021-12-10 平安科技(深圳)有限公司 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
CN113095625A (en) * 2021-03-17 2021-07-09 中国民用航空总局第二研究所 Method and system for grading unsafe events of civil aviation airport
CN113672913A (en) * 2021-08-20 2021-11-19 绿盟科技集团股份有限公司 Security event processing method and device and electronic equipment
CN113672913B (en) * 2021-08-20 2024-06-28 绿盟科技集团股份有限公司 Security event processing method and device and electronic equipment

Also Published As

Publication number Publication date
CN105376193B (en) 2019-06-04

Similar Documents

Publication Publication Date Title
CN105376193A (en) Intelligent association analysis method and intelligent association analysis device for security events
CN111475804A (en) Alarm prediction method and system
CN107391598B (en) Automatic threat information generation method and system
CN114039758B (en) Network security threat identification method based on event detection mode
CN103441982A (en) Intrusion alarm analyzing method based on relative entropy
CN110768971B (en) Confrontation sample rapid early warning method and system suitable for artificial intelligence system
CN107104951B (en) Method and device for detecting network attack source
CN114915478B (en) Network attack scene identification method, system and storage medium of intelligent park industrial control system based on multi-agent distributed correlation analysis
CN111027615A (en) Middleware fault early warning method and system based on machine learning
CN104836805A (en) Network intrusion detection method based on fuzzy immune theory
CN112685459A (en) Attack source feature identification method based on K-means clustering algorithm
Alinezhad et al. Early classification of industrial alarm floods based on semisupervised learning
CN111598179A (en) Power monitoring system user abnormal behavior analysis method, storage medium and equipment
CN110851422A (en) Data anomaly monitoring model construction method based on machine learning
CN117081858A (en) Intrusion behavior detection method, system, equipment and medium based on multi-decision tree
CN115718874A (en) Anomaly detection
CN113705714A (en) Power distribution Internet of things equipment abnormal behavior detection method and device based on behavior sequence
CN113516565A (en) Intelligent alarm processing method and device for power monitoring system based on knowledge base
CN117473571B (en) Data information security processing method and system
Bilakanti et al. Anomaly detection in IoT environment using machine learning
CN112288317A (en) Industrial big data analysis platform and method based on multi-source heterogeneous data governance
Dentamaro et al. Ensemble Consensus: An Unsupervised Algorithm for Anomaly Detection in Network Security data.
CN115514581B (en) Data analysis method and equipment for industrial internet data security platform
CN116545679A (en) Industrial situation security basic framework and network attack behavior feature analysis method
CN113542037B (en) Alarm multidimensional association method and device based on root cause analysis in Internet of things environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant