CN105376193B - The intelligent association analysis method and device of security incident - Google Patents

Publication number: CN105376193B
Authority: CN (China)
Application number: CN201410401184.2A
Other versions: CN105376193A
Other languages: Chinese (zh)
Inventors: 樊宁, 何明, 沈军, 金华敏
Assignee: China Telecom Corp Ltd
Legal status: Active
Prior art keywords: value, confidence, security incident, classification, attributive character
Landscapes: Data Exchanges In Wide-Area Networks
Abstract

This disclosure relates to an intelligent association analysis method and device for security events. The method comprises: decomposing collected security events into attribute features in real time and standardizing the attribute feature values; and traversing a unified reasoning structure generated offline using the standardized attribute feature values to determine the attack category. The disclosure improves the efficiency of association analysis.

Description

The intelligent association analysis method and device of security incident
Technical field
This disclosure relates to the field of network security, and in particular to an intelligent association analysis method and device for security events.
Background technique
Today, with the network security situation becoming more severe, network security management has become an important part of network operations. A SOC (Security Operations Centre) is a technical platform that performs comprehensive analysis of the network, security equipment and systems and realizes centralized management and monitoring of security events. By collecting the security logs produced by equipment and systems in the network and processing them through analysis, the SOC discovers the current security threats and potential security risks in the network, so that alerts can be issued in time and the network is spared heavy losses. Among the large number of security events collected from the network, many carry no real threat to the SOC; some may be the signs of the early stage of an attack, and some may only be related alerts generated by a substantive threat. Security event correlation analysis extracts useful information from pre-processed security events and, through association processing, links related but isolated security events into a security event chain; its goal is to find the real threat alerts among a large number of false alarms and low-level alerts, helping security operations staff locate potential security risks in the network in time.
The association analysis engines of current intelligent SOCs mainly use the "inference engine" approach. The working principle of an "inference engine" association analysis engine is that an inference model is trained in advance from prior knowledge; after a security event is collected, the attribute information extracted from it is matched against each rule feature of the inference model, and each satisfied rule is recorded, until the matching degree across all rule features of the inference model reaches a threshold and an alert is triggered. The "inference engine" association analysis engine does not omit any security event or any information carried by a security event, so its analysis precision is high. However, because the SOC's analysis of network-wide security events involves many devices, many protocols and many attack types, the traditional "inference engine" association analysis engine requires a large number of attack models to be built, the analysis is elaborate, and it occupies a great deal of computing space and time, so analysis efficiency is very low. In a telecommunications network environment the volume of security events is massive, and an inefficient "inference engine" association analysis engine cannot keep up.
Summary of the invention
The disclosure proposes a new technical solution in view of at least one of the problems above.
In one aspect, the disclosure provides an intelligent association analysis method for security events, which improves the efficiency of association analysis.
In another aspect, the disclosure provides an intelligent association analysis device for security events, which improves the efficiency of association analysis.
According to the disclosure, an intelligent association analysis method for security events is provided, comprising:
decomposing collected security events into attribute features in real time and standardizing the attribute feature values;
traversing a unified reasoning structure generated offline using the standardized attribute feature values to determine the attack category.
In some embodiments of the present disclosure, the unified reasoning structure is generated in the following manner:
collecting an attack model library and security event training samples;
decomposing the security event training samples into a feature library;
calculating the association probability between each feature in the feature library and attacks;
classifying each feature according to its association probability based on a tree structure, forming the nodes at each level of the unified reasoning structure;
training to calculate the confidence values of the nodes at each level that meet the required judgement precision, and determining the classification thresholds and classification accuracy rate.
In some embodiments of the present disclosure, traversing the unified reasoning structure generated offline using the standardized attribute feature values to determine the attack category comprises:
comparing the standardized attribute feature value, starting from the root node of the unified reasoning structure, with the feature rules of the nodes at each level of the unified reasoning structure;
if the standardized attribute feature value matches a feature rule, accumulating the confidence values from the root node to the current node to form an attack confidence value;
after the unified reasoning structure has been traversed, determining the attack category according to the confidence space in which the attack confidence value lies.
In some embodiments of the present disclosure, the method further comprises:
for a standardized attribute feature value, starting a timer when traversal begins from the root node of the unified reasoning structure;
if the timer expires, resetting the attack confidence value of that standardized attribute feature value to zero.
In some embodiments of the present disclosure, the attribute features of a security event include source IP address and port, destination IP address and port, event category, event title, event class, the device involved in the event, and the time the event occurred.
According to the disclosure, an intelligent association analysis device for security events is also provided, comprising:
an event acquisition unit, for decomposing collected security events into attribute features in real time and standardizing the attribute feature values;
a category judging unit, for traversing the unified reasoning structure generated offline using the standardized attribute feature values to determine the attack category.
In some embodiments of the present disclosure, the intelligent association analysis device for security events further includes a unified reasoning structure generation unit, which comprises:
a collection subunit, for collecting an attack model library and security event training samples;
a sample decomposition subunit, for decomposing the security event training samples into a feature library;
an association probability computation subunit, for calculating the association probability between each feature in the feature library and attacks;
a structure formation subunit, for classifying each feature according to its association probability based on a tree structure, forming the nodes at each level of the unified reasoning structure;
a confidence value determination subunit, for training to calculate the confidence values of the nodes at each level that meet the required judgement precision, and determining the classification thresholds and classification accuracy rate.
In some embodiments of the present disclosure, the category judging unit comprises:
a comparison subunit, for comparing the standardized attribute feature value, starting from the root node of the unified reasoning structure, with the feature rules of the nodes at each level of the unified reasoning structure;
an attack confidence value computation subunit, for accumulating the confidence values from the root node to the current node to form an attack confidence value if the standardized attribute feature value matches a feature rule;
a category determination subunit, for determining the attack category according to the confidence space in which the attack confidence value lies after the unified reasoning structure has been traversed.
In some embodiments of the present disclosure, the intelligent association analysis device for security events further comprises:
a timer, for starting timing for a standardized attribute feature value when traversal begins from the root node of the unified reasoning structure, and resetting the attack confidence value of that standardized attribute feature value to zero if the timer expires.
In some embodiments of the present disclosure, the attribute features of a security event include source IP address and port, destination IP address and port, event category, event title, event class, the device involved in the event, and the time the event occurred.
In the technical solution of the disclosure, the unified reasoning structure generated offline improves the efficiency of association analysis of security events acquired in real time, saves computing space and time, and achieves a balance between precision and efficiency.
Description of the drawings
The accompanying drawings described herein are provided for a further understanding of the disclosure and form part of this application. In the drawings:
Fig. 1 is a flow diagram of the intelligent association analysis method for security events of an embodiment of the present disclosure.
Fig. 2 is a schematic diagram of the tree-like unified reasoning structure of an embodiment of the present disclosure.
Fig. 3 is a structural diagram of the intelligent association analysis device for security events of an embodiment of the present disclosure.
Detailed description of the embodiments
The disclosure is described below with reference to the accompanying drawings. It should be noted that the following description is merely explanatory and exemplary, and is in no way a restriction on the disclosure or its application or use. Unless stated otherwise, the relative arrangement of components and steps, the numerical expressions and the numerical values described in the embodiments do not limit the scope of the present disclosure. In addition, techniques, methods and apparatus well known to those skilled in the art may not be discussed in detail, but where appropriate they are considered part of the specification.
Fig. 1 is a flow diagram of the intelligent association analysis method for security events of an embodiment of the present disclosure.
As shown in Fig. 1, the embodiment may comprise the following steps:
S102: decompose collected security events into attribute features in real time and standardize the attribute feature values;
The attribute features of a security event may include, but are not limited to, source IP address and port, destination IP address and port, event category, event title, event class, the device involved in the event, and the time the event occurred.
S104: traverse the unified reasoning structure generated offline using the standardized attribute feature values to determine the attack category, where the unified reasoning structure may be a tree structure.
In this embodiment, the unified reasoning structure generated offline improves the efficiency of association analysis of security events acquired in real time, saves computing space and time, and achieves a balance between precision and efficiency.
In one example, the unified reasoning structure may be generated in the following manner:
collect an attack model library and security event training samples; decompose the security event training samples into a feature library; calculate the association probability between each feature in the feature library and attacks; classify each feature according to its association probability based on a tree structure, forming the nodes at each level of the unified reasoning structure; train to calculate the confidence values of the nodes at each level that meet the required judgement precision, and determine the classification thresholds and classification accuracy rate.
It should be pointed out that the above unified reasoning structure is trained in advance, offline, from the security event training samples; once real-time security event data has been obtained, this unified reasoning structure is used directly to analyze which attack type the security data belongs to, so the efficiency of analysis can be significantly improved.
In another embodiment, traversing the unified reasoning structure generated offline using the standardized attribute feature values to determine the attack category may comprise: comparing the standardized attribute feature value, starting from the root node of the unified reasoning structure, with the feature rules of the nodes at each level of the unified reasoning structure; if the standardized attribute feature value matches a feature rule, accumulating the confidence values from the root node to the current node to form an attack confidence value; after the unified reasoning structure has been traversed, determining the attack category according to the confidence space in which the attack confidence value lies.
In another embodiment, for a standardized attribute feature value, a timer is started when traversal begins from the root node of the unified reasoning structure; if the timer expires, the attack confidence value of that standardized attribute feature value is reset to zero. This prevents the analysis of a single standardized attribute feature value from occupying confidence value resources for a long time and disrupting the normal analysis process.
Next, how the unified reasoning structure is obtained by offline training is described in detail through a specific implementation. Specifically, it may comprise the following steps:
Step 1: collect an attack model library and raw security event samples;
Here a security event sample refers to a security event in the standard format used for analysis by the association analysis engine, composed of characteristic attributes such as source IP address, source port, destination IP address, destination port, event category, event title, event class, the device involved in the event, and the time the event occurred.
The attack model library refers to the set of all attack models that the association analysis engine can judge, determined from prior knowledge. An attack model refers to the attack scenario and security event chain associated with a certain security attack. A security event chain is composed of a series of single security events that have logical relations such as cause and effect or temporal succession.
Attack models may include, but are not limited to, the mathematical models of attacks such as suspicious scanning activity, abnormal access, malicious code activity, abnormal network traffic, network service attack and abnormal device operation.
Step 2: decompose the security event samples into a feature library, that is, break all the attribute elements in the security event samples apart to form the feature library;
Here the feature library refers to the set composed of the characteristic attributes of the security event samples and their attribute values.
Step 3: classify the feature library a priori according to the various attack models in the attack model library, and remove features unrelated to attacks;
Specifically, since a security event includes characteristic attributes such as source IP address, source port, destination IP address, destination port, event category, event title, event class, the device involved in the event and the time the event occurred, it can be split into that many feature library elements. For example, if the mathematical model of a certain attack requires that a "website attack" event occurs within 3 minutes after an event whose category is "suspicious scanning", and the destination IP addresses of the two events are the same, then the relevant feature elements both point to the result of that attack, so the remaining characteristic attributes are features unrelated to the attack and can be removed.
Step 4: calculate the association probability between features and attacks, and sort the features in the feature library by association probability from largest to smallest;
For example, a certain feature rule may correspond to various attacks. Suppose there are 100 attack models in total, of which 20 have the feature rule target IP address = XXX; then the association probability of this feature is 20%.
Step 5: sort the features by association probability into the nodes at each level of the unified reasoning structure;
Here the unified reasoning structure refers to a reasoning structure based on a single tree data structure, composed of multiple levels of nodes, with higher-level nodes connected to lower-level nodes, and every node at every level having a feature rule and a confidence value.
A feature rule refers to the condition that a certain attribute feature of a security event satisfies; for example, source IP address == 1.1.1.1 is the condition that must be satisfied, i.e. the feature rule.
The confidence value refers to data identified by a multi-dimensional numerical value, representing the degree to which the node conforms to the various attack models.
Specifically, several intervals are delimited, for example 50-60%, 40-50%, ..., 0-10%, and all feature rules whose association probability falls within a given interval are assigned to one level. Each feature rule at each level is represented by one node, and all the nodes form a tree structure, as shown in Fig. 2.
Step 6: calculate the classification association degree between a lower-level node and its higher-level node; if the association degree is less than the threshold 0.707, add a new dimension;
Specifically, calculate the coincidence rate with which the lower-level node and the higher-level node belong to the same attack model, i.e. the association degree. Suppose the feature of the higher-level node may point to attacks A, B and C with association probabilities a, b and c respectively, and the lower-level node points to attacks A and B with association probabilities c and d respectively; then the classification association degree between the lower-level node and the higher-level node is (c+d)/(a+b+c). The threshold 0.707 represents the median of the association degree.
If the association degree is less than the threshold 0.707, the association between the two is small, and one dimension can be added to the vector value.
Step 7: calculate the vector value of the classification association degree between the lower-level node and the higher-level node in each dimension;
Specifically, the vector value of the lower-level node in each dimension is equal to the sine of the angle relating its association probability and association degree (that is, the vector angle).
Step 8: according to the formula "confidence value = A-dimension vector value * x + B-dimension vector value * y + ..." (where the A-dimension vector value, B-dimension vector value, etc. are obtained from the calculation in step 7), start the unknowns x, y, ... from 0, increase them in steps of 1, and calculate the confidence value of each node;
Specifically, every possible value of each unknown variable is tried from small to large, and the classification accuracy rate is calculated repeatedly with the various combinations of values to determine the optimal variable values.
For example, the initial value of (x, y, z) for the root node is (0, 0, 0), the initial value for the child node of the root node is (1, 0, 0), and so on; if the classification accuracy rate calculated down to the leaf nodes does not meet the required judgement precision, the (x, y, z) value of the root node is incremented by 1.
Step 9: accumulate the confidence values that the security event chains of the various attack models deduce through the unified reasoning structure, and calculate the final confidence value results.
Step 10: according to the cluster spaces of the confidence value results of the various attack models, determine the classification thresholds and the classification accuracy rate with a median algorithm;
Specifically, when the classification tree is designed, it finally converges to leaf nodes at which the attack categories are clearly distinguished; when a leaf node is reached, the confidence values converge to a range, i.e. the cluster space.
For example, if the cluster spaces of two attacks overlap, classification errors occur. The threshold is calculated with a median algorithm, taking the median of the values in the intersection of the two attacks' cluster spaces. If the calculated threshold is a, values greater than a are attack 1 and values less than a are attack 2. The part of attack 1's cluster space with values less than a will be misjudged. In attack 1's cluster space, (range of values less than a) / (cluster space) is the misclassification rate; the remainder is the classification accuracy rate.
Step 11: when the classification accuracy rate is less than the required judgement precision, go to step 8 and repeat the subsequent steps; when the classification accuracy rate > the required judgement precision, the process ends, the final confidence value of each node at that point is the confidence value of each node of the unified reasoning structure, and the unified reasoning structure has been generated.
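The following Python is an added illustration of offline steps 4, 5, 6 and 10 above (and of the generation procedure listed in the summary); it is not code from the patent or from China Telecom. The attack model library, the per-attack weighting of a rule's association probability and the cluster ranges are constructed assumptions.

```python
from collections import defaultdict

# Constructed attack model library (example data, not from the patent). Each
# attack model lists the feature rules its security event chain requires.
ATTACK_MODELS = {
    "suspicious_scan": {"event_category==suspicious scanning", "dst_ip==10.0.0.5", "packet_loss>50%"},
    "website_attack":  {"event_category==website attack", "dst_ip==10.0.0.5", "event_class==high"},
    "malicious_code":  {"event_category==malicious code", "dst_ip==10.0.0.5", "event_class==high"},
    "abnormal_access": {"event_category==abnormal access", "src_port==4444"},
    "network_anomaly": {"packet_loss>50%", "event_class==high"},
}

ASSOCIATION_THRESHOLD = 0.707  # median of the association degree (patent step 6)


def association_probability(models):
    """Step 4: fraction of attack models whose rules contain each feature rule
    (20 of 100 models sharing a rule gives 20%, as in the patent's example)."""
    counts = defaultdict(int)
    for rules in models.values():
        for rule in rules:
            counts[rule] += 1
    return {rule: n / len(models) for rule, n in counts.items()}


def level_index(prob, width_pct=10):
    """Step 5: map an association probability to a 10%-wide interval.
    90-100% is level 0 (root level); 0-10% is the deepest level.
    Integer percentages avoid float boundary surprises."""
    pct = round(prob * 100)
    return min((100 - pct) // width_pct, 100 // width_pct - 1)


def build_levels(models):
    """Group feature rules into tree levels by descending association probability."""
    probs = association_probability(models)
    levels = defaultdict(list)
    for rule, p in sorted(probs.items(), key=lambda kv: (-kv[1], kv[0])):
        levels[level_index(p)].append(rule)
    return dict(levels)


def attack_weights(models, rule):
    """Per-attack share of a rule's association probability. Assumption: every
    model containing the rule contributes an equal 1/len(models)."""
    return {name: 1 / len(models) for name, rules in models.items() if rule in rules}


def degree_of_association(parent, child):
    """Step 6, the patent's (c + d) / (a + b + c): the child's probability mass on
    attacks it shares with the parent, over the parent's total probability mass."""
    shared = sum(p for atk, p in child.items() if atk in parent)
    return shared / sum(parent.values())


def needs_new_dimension(parent, child):
    """A child weakly associated with its parent gets an extra vector dimension."""
    return degree_of_association(parent, child) < ASSOCIATION_THRESHOLD


def median_threshold(space1, space2):
    """Step 10: classification threshold a = median of the overlap of two cluster
    spaces, each given as (low, high) of accumulated confidence values."""
    lo, hi = max(space1[0], space2[0]), min(space1[1], space2[1])
    if lo >= hi:
        return None  # no overlap, so no misclassification between the two
    return (lo + hi) / 2


def classification_accuracy(space1, space2):
    """Attack 1 owns the values above a; the slice of its cluster space below a
    is misjudged, and 1 - (that slice / whole space) is the accuracy rate."""
    a = median_threshold(space1, space2)
    if a is None:
        return 1.0
    misclassified = (a - space1[0]) / (space1[1] - space1[0])
    return 1.0 - misclassified
```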
After the unified reasoning structure has been trained, how the attack category of a security event is determined is described in detail through an example. Specifically, it may comprise the following steps:
Step 1: decompose collected security events into attribute features in real time and standardize the attribute feature values;
Here decomposition means dividing a security event into attribute and attribute value pairs, for example attack target = the scan target of the previous event, and so on. Standardization means unifying the attribute descriptions of security events from different sources into one standard description.
Step 2: compare the standardized attribute feature value with the feature rule of the node at the current level of the unified reasoning structure;
It should be pointed out that the first comparison starts from the root node of the unified reasoning structure. If the comparison fails, the comparison continues with the child nodes of the node at the current level.
The comparison checks whether the standardized attribute feature value satisfies the feature rule. Suppose the feature rule is: packet loss rate > 50%; if the packet loss attribute feature value of the currently collected security event is 66%, the comparison matches.
Step 3: if the comparison matches, add the confidence value of the current node to the attack confidence value; if it does not match, do nothing, skip to the node at the next level, and return to step 2. It should be pointed out that the attack confidence value initially takes the value 0.
Step 4: after the unified reasoning structure has been traversed, it can be known from the classification thresholds which attack's confidence space the confidence value lies in; the judgement of that attack is made accordingly and an alert is issued.
Step 5: if the confidence value does not lie in any confidence space, analyze the next attribute feature value and return to step 2;
Step 6: when all the attribute feature values of the current security event have been analyzed, analyze the next collected security event and return to step 1.
Step 7: a timer is started in step 2 when reasoning begins from the root node; if the timer expires, the confidence value is reset to zero and the timer is also reset. Timing with the timer clears the accumulated confidence value after a period of time, preventing an isolated security event from occupying confidence value resources for a long time and disrupting the normal analysis process.
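The following Python is an added illustration of online steps 1 to 7 above (and of the traversal and timer described in the summary); it is not code from the patent or from China Telecom. The node layout, confidence values, confidence spaces, field-alias table and events are constructed, and an injectable clock stands in for the timer register.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """One node of the unified reasoning structure: a feature rule plus a confidence value."""
    attribute: str              # standardized attribute name the rule applies to
    op: str                     # "==", ">" or "<"
    value: object
    confidence: float
    children: List["Node"] = field(default_factory=list)

    def matches(self, attr: str, val) -> bool:
        if attr != self.attribute:
            return False
        if self.op == "==":
            return val == self.value
        if self.op == ">":
            return val > self.value
        return val < self.value


# Constructed tree in the style of Fig. 2 (assumed values, not the patent's).
ROOT = Node("dst_ip", "==", "10.0.0.5", 1.0, children=[
    Node("event_category", "==", "suspicious scanning", 2.0, children=[
        Node("packet_loss", ">", 50, 1.5)]),
    Node("event_category", "==", "website attack", 4.0),
])

# Constructed confidence spaces: attack -> [low, high) of accumulated confidence.
CONFIDENCE_SPACES: Dict[str, Tuple[float, float]] = {
    "suspicious_scan": (4.0, 5.0),
    "website_attack": (5.0, 9.0),
}

# Constructed standardization table: source-specific field names -> canonical names.
FIELD_ALIASES = {"dstip": "dst_ip", "dest_addr": "dst_ip", "PacketLoss": "packet_loss",
                 "evt_cat": "event_category", "category": "event_category"}


def standardize(raw: Dict[str, object]) -> Dict[str, object]:
    """Step 1: decompose a raw event into (attribute, value) pairs with unified names and units."""
    out = {}
    for k, v in raw.items():
        key = FIELD_ALIASES.get(k, k)
        if isinstance(v, str) and v.endswith("%"):
            v = float(v.rstrip("%"))          # "66%" -> 66.0, comparable with "> 50"
        if key == "event_category" and isinstance(v, str):
            v = v.strip().lower()
        out[key] = v
    return out


def traverse(root: Node, attr: str, val) -> float:
    """Steps 2-3: start at the root; on a match add the node's confidence and descend
    to its children, otherwise skip to the next level. Returns the summed confidence."""
    total, level = 0.0, [root]
    while level:
        matched = next((n for n in level if n.matches(attr, val)), None)
        if matched is None:
            level = [c for n in level for c in n.children]   # no match: next level
            continue
        total += matched.confidence
        level = matched.children
    return total


def classify(confidence: float, spaces: Dict[str, Tuple[float, float]]) -> Optional[str]:
    """Step 4: which attack's confidence space holds the accumulated value, if any."""
    for attack, (lo, hi) in spaces.items():
        if lo <= confidence < hi:
            return attack
    return None


def analyze_event(root, spaces, raw_event, timeout_s=30.0, clock=time.monotonic):
    """Steps 1-7 for one collected event. The attack confidence starts at 0; the timer
    started with the first traversal clears it on expiry (step 7) so that a stale,
    isolated event cannot hold confidence resources. Returns (attack or None, confidence)."""
    event = standardize(raw_event)
    started, confidence = clock(), 0.0
    for attr, val in event.items():                # steps 5-6: next attribute value
        if clock() - started > timeout_s:          # step 7: timer expiry resets both
            confidence, started = 0.0, clock()
        confidence += traverse(root, attr, val)
        verdict = classify(confidence, spaces)
        if verdict is not None:
            return verdict, confidence             # step 4: judgement made, alert here
    return None, confidence
```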
Those skilled in the art will appreciate that all or part of the steps of the above method embodiments may be implemented by hardware instructed by a program; the program may be stored in a computing-device-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium may include various media that can store program code, such as ROM, RAM, magnetic disks and optical disks.
Fig. 3 is a structural diagram of the intelligent association analysis device for security events of an embodiment of the present disclosure.
As shown in Fig. 3, the device 30 in this embodiment may include an event acquisition unit 302 and a category judging unit 304, where:
the event acquisition unit 302 is for decomposing collected security events into attribute features in real time and standardizing the attribute feature values;
the category judging unit 304 is for traversing the unified reasoning structure generated offline using the standardized attribute feature values to determine the attack category.
In this embodiment, the unified reasoning structure generated offline improves the efficiency of association analysis of security events acquired in real time, saves computing space and time, and achieves a balance between precision and efficiency.
In one embodiment, the intelligent association analysis device for security events may further include a unified reasoning structure generation unit, which includes a collection subunit, a sample decomposition subunit, an association probability computation subunit, a structure formation subunit and a confidence value determination subunit, where:
the collection subunit is for collecting an attack model library and security event training samples; the sample decomposition subunit is for decomposing the security event training samples into a feature library; the association probability computation subunit is for calculating the association probability between each feature in the feature library and attacks; the structure formation subunit is for classifying each feature according to its association probability based on a tree structure, forming the nodes at each level of the unified reasoning structure; the confidence value determination subunit is for training to calculate the confidence values of the nodes at each level that meet the required judgement precision, and determining the classification thresholds and classification accuracy rate.
In another embodiment, the category judging unit includes a comparison subunit, an attack confidence value computation subunit and a category determination subunit, where the comparison subunit is for comparing the standardized attribute feature value, starting from the root node of the unified reasoning structure, with the feature rules of the nodes at each level of the unified reasoning structure; the attack confidence value computation subunit is for accumulating the confidence values from the root node to the current node to form an attack confidence value if the standardized attribute feature value matches a feature rule; and the category determination subunit is for determining the attack category according to the confidence space in which the attack confidence value lies after the unified reasoning structure has been traversed.
In another embodiment, the intelligent association analysis device for security events further includes a timer, for starting timing for a standardized attribute feature value when traversal begins from the root node of the unified reasoning structure, and resetting the attack confidence value of that standardized attribute feature value to zero if the timer expires.
The attribute features of a security event may include, but are not limited to, source IP address and port, destination IP address and port, event category, event title, event class, the device involved in the event, and the time the event occurred.
In another embodiment, an association analysis engine based on a unified reasoning structure that fuses multiple attack models includes a unified reasoning structure generation module, a security event preprocessing module, a unified reasoning analysis decision module and an alarm module, where:
the unified reasoning structure generation module refers to the offline information processing module that generates the unified reasoning structure through multiple rounds of training, based on the security event sample library and the a priori attack models; it includes the security event samples, the attack model library, the feature library and the unified reasoning structure;
the security event preprocessing module, the unified reasoning analysis decision module and the alarm module are the online processing modules of the association analysis engine;
the security event preprocessing module refers to the information processing module that decomposes and classifies the characteristic attributes of security events entering the association analysis engine;
the unified reasoning analysis decision module refers to the information processing module that performs association analysis on security events based on the unified reasoning structure and decides whether an attack has occurred; it includes the unified reasoning structure, the confidence value space and the timer;
here the confidence value space refers to the storage space for the current confidence value and the historical confidence values during unified reasoning analysis decisions, and the timer refers to a register that times the unified reasoning analysis decision;
the alarm module refers to the system module that issues attack alerts.
Aimed at the low efficiency of correlating massive numbers of security events in a telecommunication network environment, this embodiment proposes a fuzzy-decision-tree association analysis method that fuses multiple attack models: the attack judgment conditions of the different attack models are marked with multidimensional confidence values, and training generates a unified multipath fuzzy decision tree. The unified inference method improves the efficiency of association analysis, saves computing space and time, and achieves multi-source information association analysis that balances precision and efficiency.
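The online stage described above (attribute standardization, level-by-level comparison with node feature rules, superposition of the matched nodes' confidence values into an attack confidence value, category lookup in the confidence space, and the timer that resets a stale value), as an added Python example that is not code from the patent or its assignee. The node rules, the confidence values, the confidence space intervals, the 60-second timeout, the choice of source IP as the correlation key and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Added example, not code from the patent or its assignee. Node rules, confidence
# values, confidence space bounds, timeout and the event stream are constructed.

Attrs = Dict[str, str]


@dataclass
class Node:
    name: str
    rule: Callable[[Attrs], bool]           # feature rule compared against the attributes
    confidence: float                       # confidence value assigned offline
    children: List["Node"] = field(default_factory=list)


def normalize(event: Dict[str, str]) -> Attrs:
    """Attribute decomposition and standardization: canonical keys, trimmed lower-case values."""
    aliases = {"src": "src_ip", "source_ip": "src_ip", "dst": "dst_ip", "dest_ip": "dst_ip"}
    attrs: Attrs = {}
    for key, value in event.items():
        k = key.strip().lower()
        attrs[aliases.get(k, k)] = str(value).strip().lower()
    return attrs


def traverse(node: Node, attrs: Attrs) -> float:
    """Compare the attributes with the feature rules from the root downwards; each matching
    node adds its confidence value, and a non-matching node cuts off its whole subtree."""
    if not node.rule(attrs):
        return 0.0
    return node.confidence + sum(traverse(child, attrs) for child in node.children)


# Confidence space: lower bound of each category, checked from the highest bound downwards.
CONFIDENCE_SPACE: List[Tuple[float, str]] = [(6.0, "brute_force"), (3.0, "probe"), (0.0, "benign")]


def classify(attack_confidence: float) -> str:
    for bound, category in CONFIDENCE_SPACE:
        if attack_confidence >= bound:
            return category
    return "benign"


class Correlator:
    """Accumulates the attack confidence value per key attribute value (source IP here).
    A timer starts with the first traversal for that value; once it has expired, the
    accumulated attack confidence value is reset before the next event is counted."""

    def __init__(self, root: Node, timeout_s: float):
        self.root, self.timeout_s = root, timeout_s
        self.state: Dict[str, Tuple[float, float]] = {}   # src_ip -> (timer start, confidence)

    def feed(self, event: Dict[str, str], now: float) -> Tuple[str, float]:
        attrs = normalize(event)
        key = attrs.get("src_ip", "unknown")
        started, acc = self.state.get(key, (now, 0.0))
        if now - started > self.timeout_s:          # timer expiry: reset the attack confidence value
            started, acc = now, 0.0
        acc += traverse(self.root, attrs)
        self.state[key] = (started, acc)
        return classify(acc), acc


def build_demo_tree() -> Node:
    """A tiny hand-made inference structure standing in for the one trained offline."""
    root = Node("root", lambda a: True, 0.0)
    ssh = Node("ssh_service", lambda a: a.get("dst_port") == "22", 1.0)
    ssh.children.append(Node("auth_failure", lambda a: a.get("event_category") == "auth_fail", 2.0))
    external = Node("external_source", lambda a: not a.get("src_ip", "").startswith("10."), 1.0)
    root.children.extend([ssh, external])
    return root


def demo() -> List[Tuple[str, float]]:
    """Constructed stream: two failed SSH logins from one external address, one internal
    web request, then a third failed login after the 60 s timer has expired."""
    corr = Correlator(build_demo_tree(), timeout_s=60.0)
    stream = [
        (0.0,   {"src": "203.0.113.7", "dst_port": "22", "event_category": "auth_fail"}),
        (10.0,  {"src": "203.0.113.7", "dst_port": "22", "event_category": "auth_fail"}),
        (20.0,  {"src": "10.0.0.5",    "dst_port": "80", "event_category": "http_get"}),
        (100.0, {"src": "203.0.113.7", "dst_port": "22", "event_category": "auth_fail"}),
    ]
    return [corr.feed(event, ts) for ts, event in stream]


if __name__ == "__main__":
    for category, score in demo():          # the alarm module would act on non-benign results
        print(f"{category:12s} attack_confidence={score:.1f}")
```

One point a practitioner would check: the timer here is only consulted when the next event for the same key arrives, so a stale entry stays in memory until then; a production correlator would additionally expire entries on a schedule to bound the state table.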
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and identical or similar parts may be cross-referenced between embodiments. Because the device embodiments are essentially similar to the method embodiments, they are described relatively briefly; refer to the description of the method embodiments for the relevant details.
Although the disclosure has been described with reference to exemplary embodiments, it should be understood that the disclosure is not limited to the exemplary embodiments described above. Those skilled in the art will recognize that the exemplary embodiments may be modified without departing from the scope and spirit of the disclosure. The scope of the appended claims should be given the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.

Claims (6)

1. An intelligent association analysis method for security events, characterized by comprising:
decomposing collected security events into attribute features and standardizing the attribute feature values in real time;
comparing the standardized attribute feature values, starting from the root node of a unified inference structure, with the feature rules of the nodes at each level of the unified inference structure;
if a standardized attribute feature value matches a feature rule, superposing the confidence values from the root node to the current node to form an attack confidence value;
after the unified inference structure has been traversed, determining the attack category according to the confidence space in which the attack confidence value falls;
wherein the unified inference structure is generated in the following manner:
collecting an attack model library and security event training samples;
decomposing the security event training samples into a feature database;
calculating the association probability between each feature in the feature database and an attack;
classifying each feature according to its association probability on the basis of a tree structure, forming the nodes at each level of the unified inference structure;
calculating the classification association degree between a lower-level node and its upper-level node, and adding a new dimension when the classification association degree is below a threshold;
calculating the vector value of the classification association degree in each dimension, the vector value being the sine of the angle between the vectors of the association probability and the classification association degree;
calculating the confidence value of each node, the confidence value being the weighted sum of the vector values in the dimensions, where the weights of the vector values in the dimensions start from 0 and increase in steps of 1;
superposing the confidence values deduced through the unified inference structure by the security event chain of each attack model, and calculating the corresponding final confidence value result;
determining classification thresholds and classification accuracy with a median algorithm according to the cluster space of the final confidence value results of the various attack models.
2. The intelligent association analysis method for security events according to claim 1, characterized in that the method further comprises:
for a given standardized attribute feature value, starting a timer when traversal begins from the root node of the unified inference structure;
if the timer expires, resetting the attack confidence value of that standardized attribute feature value.
3. The intelligent association analysis method for security events according to claim 1, characterized in that the attribute features of a security event include the source IP address and port, the destination IP address and port, the event category, the event name, the event level, the device involved in the event and the time at which the event occurred.
4. An intelligent association analysis device for security events, characterized by comprising:
an event acquisition unit for decomposing collected security events into attribute features and standardizing the attribute feature values in real time;
a classification judging unit for traversing an offline-generated unified inference structure with the standardized attribute feature values to determine the attack category;
the classification judging unit comprising:
a comparison subunit for comparing the standardized attribute feature values, starting from the root node of the unified inference structure, with the feature rules of the nodes at each level of the unified inference structure;
an attack confidence value computation subunit for superposing, if a standardized attribute feature value matches a feature rule, the confidence values from the root node to the current node to form an attack confidence value;
a classification determination subunit for determining, after the unified inference structure has been traversed, the attack category according to the confidence space in which the attack confidence value falls;
the intelligent association analysis device for security events further comprising a unified inference structure generation unit, the unified inference structure generation unit comprising:
a collection subunit for collecting an attack model library and security event training samples;
a sample decomposition subunit for decomposing the security event training samples into a feature database;
an association probability computation subunit for calculating the association probability between each feature in the feature database and an attack;
a structure formation subunit for classifying each feature according to its association probability on the basis of a tree structure, forming the nodes at each level of the unified inference structure;
a confidence value determination subunit for performing the following steps:
calculating the classification association degree between a lower-level node and its upper-level node, and adding a new dimension when the classification association degree is below a threshold;
calculating the vector value of the classification association degree in each dimension, the vector value being the sine of the angle between the vectors of the association probability and the classification association degree;
calculating the confidence value of each node, the confidence value being the weighted sum of the vector values in the dimensions, where the weights of the vector values in the dimensions start from 0 and increase in steps of 1;
superposing the confidence values deduced through the unified inference structure by the security event chain of each attack model, and calculating the corresponding final confidence value result;
determining classification thresholds and classification accuracy with a median algorithm according to the cluster space of the final confidence value results of the various attack models.
5. The intelligent association analysis device for security events according to claim 4, characterized in that the intelligent association analysis device for security events further comprises:
a timer for starting timing, for a given standardized attribute feature value, when traversal begins from the root node of the unified inference structure, and for resetting the attack confidence value of that standardized attribute feature value if the timer expires.
6. The intelligent association analysis device for security events according to claim 4, characterized in that the attribute features of a security event include the source IP address and port, the destination IP address and port, the event category, the event name, the event level, the device involved in the event and the time at which the event occurred.
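The offline generation steps enumerated in claim 1 (and repeated in the unified inference structure generation unit of claim 4), carried through on a constructed training set as an added Python example that is not code from the patent or its assignee. The attack model library, the training samples, the rule that places low-association features near the root and high-association features deeper, the definition of the classification association degree as a conditional co-occurrence rate, the 2-D embedding (x, 1-x) used to take the sine between the two quantities, the threshold 0.9 and the reading of the "median algorithm" as the midpoint between adjacent cluster medians are all assumptions of this example; the claims leave those details open.

```python
import math
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example, not code from the patent or its assignee. Attack models, training
# samples, tree layout rule, degree definition, embedding, threshold and the
# median rule are constructed assumptions that follow the claim steps in order.

Sample = Tuple[str, FrozenSet[str]]          # (label, features decomposed from the event chain)

ATTACK_MODELS = ["port_scan", "brute_force"]                # step 1: attack model library
TRAINING: List[Sample] = [                                  # step 1: constructed training samples
    ("port_scan",   frozenset({"many_dst_ports", "syn_only", "ext_src"})),
    ("port_scan",   frozenset({"many_dst_ports", "ext_src"})),
    ("brute_force", frozenset({"auth_fail", "dst_port_22", "ext_src"})),
    ("brute_force", frozenset({"auth_fail", "dst_port_22"})),
    ("benign",      frozenset({"dst_port_22", "auth_ok"})),
    ("benign",      frozenset({"ext_src", "http_get"})),
]
THRESHOLD = 0.9   # classification association degree below which a new dimension is added (assumed)


class Node:
    def __init__(self, feature: Optional[str], parent: Optional["Node"]):
        self.feature, self.parent, self.children = feature, parent, []
        # each dimension stores (association probability, classification association degree)
        self.dims: List[Tuple[float, float]] = [(1.0, 1.0)] if parent is None else []
        self.confidence = 0.0


def feature_db(samples: List[Sample]) -> List[str]:                           # step 2
    return sorted({f for _, fs in samples for f in fs})


def association_probability(samples: List[Sample], feature: str) -> float:   # step 3: P(attack | feature)
    labels = [lbl for lbl, fs in samples if feature in fs]
    return sum(lbl in ATTACK_MODELS for lbl in labels) / len(labels)


def cooccur(samples: List[Sample], a: str, b: str) -> int:
    return sum(a in fs and b in fs for _, fs in samples)


def assoc_degree(samples: List[Sample], child: str, parent: Node) -> float:   # step 5: P(child | parent)
    if parent.feature is None:                        # the root stands for "every sample"
        return sum(child in fs for _, fs in samples) / len(samples)
    return cooccur(samples, child, parent.feature) / sum(parent.feature in fs for _, fs in samples)


def vector_value(p: float, g: float) -> float:  # step 6: sine of the angle between (p,1-p) and (g,1-g)
    cross = abs(p * (1 - g) - (1 - p) * g)
    return cross / (math.hypot(p, 1 - p) * math.hypot(g, 1 - g))


def build_tree(samples: List[Sample]) -> Node:
    root = Node(None, None)
    prob = {f: association_probability(samples, f) for f in feature_db(samples)}
    feats = [f for f in prob if prob[f] > 0]          # features never seen in an attack get no node
    # step 4: low association probability near the root (generic), high deeper (specific);
    # each feature hangs under the previous-level node it co-occurs with most often
    levels = [[f for f in feats if prob[f] < 0.9], [f for f in feats if prob[f] >= 0.9]]
    prev = [root]
    for level in levels:
        current = []
        for f in level:
            parent = max(prev, key=lambda n: (cooccur(samples, f, n.feature or ""), n.feature or ""))
            node = Node(f, parent)
            parent.children.append(node)
            g = assoc_degree(samples, f, parent)
            node.dims = list(parent.dims)
            if g < THRESHOLD:
                node.dims.append((prob[f], g))        # step 5: weak link opens a new dimension
            else:
                node.dims[-1] = (prob[f], g)          # strong link stays in the parent's last dimension
            # step 7: weighted sum of the vector values, weights 0, 1, 2, ... over the dimensions
            node.confidence = sum(d * vector_value(pd, gd) for d, (pd, gd) in enumerate(node.dims))
            current.append(node)
        prev = current
    return root


def final_confidence(node: Node, features: FrozenSet[str]) -> float:          # step 8
    """Superpose the confidence values along every path the event chain matches."""
    if node.feature is not None and node.feature not in features:
        return 0.0
    return node.confidence + sum(final_confidence(c, features) for c in node.children)


def median(xs: List[float]) -> float:
    s, n = sorted(xs), len(xs)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def train(samples: List[Sample]) -> Tuple[Node, Dict[str, float], float]:    # step 9
    """Returns the tree, the classification thresholds (keyed by the class above each
    threshold) and the classification accuracy on the training samples."""
    root = build_tree(samples)
    clusters: Dict[str, List[float]] = {}
    for lbl, fs in samples:
        clusters.setdefault(lbl, []).append(final_confidence(root, fs))
    order = sorted(clusters, key=lambda lbl: median(clusters[lbl]))          # classes by rising median
    bounds = [(median(clusters[a]) + median(clusters[b])) / 2 for a, b in zip(order, order[1:])]

    def classify(score: float) -> str:
        return order[sum(score >= b for b in bounds)]

    hits = sum(classify(s) == lbl for lbl, scores in clusters.items() for s in scores)
    return root, dict(zip(order[1:], bounds)), hits / len(samples)


if __name__ == "__main__":
    _, thresholds, accuracy = train(TRAINING)
    print(thresholds, f"accuracy={accuracy:.3f}")
```

On this constructed set one of the two port-scan samples scores below the port-scan threshold, so the reported accuracy is 5/6 rather than 1; that is the number the last claim step produces, and it is the figure a practitioner would watch when deciding whether the trained thresholds are usable.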

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410401184.2A CN105376193B (en) 2014-08-15 2014-08-15 The intelligent association analysis method and device of security incident

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410401184.2A CN105376193B (en) 2014-08-15 2014-08-15 The intelligent association analysis method and device of security incident

Publications (2)

Publication Number Publication Date
CN105376193A CN105376193A (en) 2016-03-02
CN105376193B true CN105376193B (en) 2019-06-04

Family

ID=55378007

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410401184.2A Active CN105376193B (en) 2014-08-15 2014-08-15 The intelligent association analysis method and device of security incident

Country Status (1)

Country Link
CN (1) CN105376193B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209893B (en) * 2016-07-27 2019-03-19 中国人民解放军信息工程大学 The inside threat detection system and its detection method excavated based on business process model
CN106570131A (en) * 2016-10-27 2017-04-19 北京途美科技有限公司 Sensitive data exception access detection method based on clustering analysis
CN107517216B (en) * 2017-09-08 2020-02-21 瑞达信息安全产业股份有限公司 Network security event correlation method
CN109361728B (en) * 2018-08-30 2021-01-29 中国科学院上海微系统与信息技术研究所 Hierarchical event reporting system and method based on multi-source sensing data relevance
CN109218435B (en) * 2018-09-30 2021-07-23 湖北华联博远科技有限公司 Data uploading method and system
CN109446291B (en) * 2018-10-23 2022-05-13 山东中创软件商用中间件股份有限公司 Road network state statistical method and device and computer readable storage medium
CN110545276B (en) * 2019-09-03 2022-06-21 新华三信息安全技术有限公司 Threat event warning method and device, warning equipment and machine-readable storage medium
CN111343161B (en) * 2020-02-14 2021-12-10 平安科技(深圳)有限公司 Abnormal information processing node analysis method, abnormal information processing node analysis device, abnormal information processing node analysis medium and electronic equipment
CN113095625B (en) * 2021-03-17 2023-04-07 中国民用航空总局第二研究所 Method and system for grading unsafe events of civil aviation airport
CN113672913A (en) * 2021-08-20 2021-11-19 绿盟科技集团股份有限公司 Security event processing method and device and electronic equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001084270A2 (en) * 2000-04-28 2001-11-08 Internet Security Systems, Inc. Method and system for intrusion detection in a computer network
CN1529248A (en) * 2003-10-20 2004-09-15 北京启明星辰信息技术有限公司 Network invasion related event detecting method and system
CN1878093A (en) * 2006-07-19 2006-12-13 华为技术有限公司 Security event associative analysis method and system
CN101697545A (en) * 2009-10-29 2010-04-21 成都市华为赛门铁克科技有限公司 Security incident correlation method and device as well as network server
CN102571469A (en) * 2010-12-23 2012-07-11 北京启明星辰信息技术股份有限公司 Attack detecting method and device
CN103281341A (en) * 2013-06-27 2013-09-04 福建伊时代信息科技股份有限公司 Network event processing method and device

Also Published As

Publication number Publication date
CN105376193A (en) 2016-03-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant