CN107332717A - Implementation architecture of a new type of security intelligence platform - Google Patents

Implementation architecture of a new type of security intelligence platform

Info

Publication number
CN107332717A
Authority
CN
China
Prior art keywords
alarm
association
module
new type
safe
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710700493.3A
Other languages
Chinese (zh)
Inventor
凌飞
李木金
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Liancheng Science And Technology Development Ltd By Share Ltd
Original Assignee
Nanjing Liancheng Science And Technology Development Ltd By Share Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2017-08-16
Filing date
2017-08-16
Publication date
2017-11-07
2017-08-16 Application filed by Nanjing Liancheng Science And Technology Development Ltd By Share Ltd
2017-08-16 Priority to CN201710700493.3A
2017-11-07 Publication of CN107332717A
Status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Alarm Systems (AREA)

Abstract

Alarm correlation analysis is a widely used technique for understanding alarm logs and discovering network attacks. However, because of the scale and complexity of today's networks and attacks, the volume of alarm logs produced by these networks is very large, which makes them difficult to analyze. The implementation architecture of a new type of security intelligence platform of the present invention can automatically generate alarm correlation rules, which greatly simplifies the analysis of alarm logs and improves the core competitiveness of the platform.

Description

Implementation architecture of a new type of security intelligence platform
Technical field
The present invention relates to the fields of information security and artificial intelligence, and in particular to an architecture for building an intelligent, fast and efficient new type of security intelligence platform.
Background technology
The English abbreviations used in the present invention are as follows:
LOF: Local Outlier Factor
SOC: Security Operation Center
ID: Identifier, a unique identification number
IDS: Intrusion Detection System
SNMP: Simple Network Management Protocol
Safe production has always been the precondition for carrying out all work in an orderly manner, and it is also a veto criterion in the evaluation of leading cadres at every level. Enterprise IT networks and information-security operation and maintenance systems are important components of the safe operation of factories and enterprises of every kind. Ensuring that enterprise IT systems, industrial networks and information systems run efficiently and stably is the basis for all production, management and normal operation of factories and enterprises.
Currently, the IT networks and industrial control systems of factories and enterprises have all, to varying degrees, deployed a variety of intelligent management and control systems and security devices. These have effectively raised labour productivity and reduced operating costs, and have become an important support for the efficient operation of factories and enterprises and an indispensable link in the production chain. On the one hand, once a security incident or failure occurs in an industrial network or one of its control systems, if it cannot be discovered, handled and recovered from in time, it will inevitably disrupt the normal management order of the factory or enterprise, may even cause plant downtime, and can threaten the survival of the factory or enterprise; the security of enterprise IT systems and industrial networks therefore becomes ever more important. On the other hand, because network attack techniques are becoming ever more advanced and widespread, the industrial network systems of factories and enterprises face the danger of being attacked at any time, and frequently suffer intrusions and damage of varying degrees, which seriously interfere with the normal operation of enterprise office systems and factory industrial networks and with normal business and production order. Increasingly serious security threats force enterprises to strengthen the protection of their IT systems and industrial networks, to keep pursuing a multi-level, three-dimensional security defence system, and to build a new type of security intelligence platform that tracks system events in real time, detects and predicts various security attacks in real time, takes corresponding control actions in time to eliminate or reduce the losses or harm caused by attacks, and does everything possible to protect the normal operation of enterprise IT systems and industrial networks.
The information-security operation and maintenance equipment that has been deployed, for example security management, SOC, network management, OMC, etc., collects the logs of devices such as IDS, firewalls, IPS, bastion hosts, 4A, etc., performs correlation analysis and then raises alarms. However, the degree of intelligence of this security O&M equipment is not high: among the large numbers of alarms produced by devices such as IDS in particular, a large proportion are false positives, and existing security intelligence platforms cannot reduce the false positive rate. On the other hand, in existing security intelligence platforms the correlation rules cannot be generated automatically.
Therefore, how to use information technology to improve the operating efficiency of factories and enterprises and to optimize their IT and industrial control systems, so that professional and cost-effective information-security operation and maintenance services can be provided to factories and enterprises of every kind, has become an important topic that must be solved, in particular in the design of information-security operation and maintenance management.
Content of the invention
The invention provides an implementation architecture for a new type of security intelligence platform that can automatically generate alarm correlation rules, perform fully intelligent security log analysis, and achieve unattended security operation and maintenance.
The implementation architecture of a new type of security intelligence platform of the present invention is applied to an intelligent security O&M monitoring service platform that provides various security services and O&M monitoring services to multiple factories and enterprises.
The security services include configuration management/baseline management, security risk assessment, threat detection, vulnerability scanning, anti-virus, etc.
The O&M monitoring services include configuration management, fault management, performance management, problem management, change management, etc.
The architecture includes an alarm correlation rule generation module, an alarm online correlation module, an alarm association graph priority division module, an alarm reporting and distribution module, and a work order dispatch module.
The alarm correlation rule generation module builds a correlation model from historical alarm information and automatically generates alarm correlation rules, which are used by the alarm online correlation module and updated periodically (or in real time). The alarm correlation model consists of two knowledge bases: (i) alarm association strength and (ii) alarm correlation rules. Alarm association strength expresses the degree of association between two alarm types; more specifically, it expresses how probable it is that an alarm of the second type occurs after an alarm of the first type.
The alarm online correlation module performs correlation analysis on each alarm received in real time against S, the set of alarms that occurred within a given number of seconds before that alarm. To determine whether the new alarm is related to the alarms in S, the two knowledge bases of the alarm correlation rule generation module are queried to obtain the alarm association strength and the alarm correlation rules for the pair of alarm types. Two alarms are regarded as correlated if they satisfy both of the following conditions:
(1) the association strength of the two alarm types exceeds the threshold;
(2) among the correlation rules of the two alarm types, the two alarms simultaneously satisfy at least one rule.
Each analyzed alarm is stored in an in-memory database. If the new alarm is correlated with an alarm in S, it is added to the alarm association graph of that alarm; that is, an edge is added to the alarm association graph to describe the correlation.
The alarm association graph priority division module assigns a priority to each alarm association graph, based on the differences between alarm association graphs. Priorities are divided into 4 levels in total. Level 4 is the highest alarm level (the most serious alarms), and level 1 is the lowest alarm level (the least important alarms).
Alarm association graph priority is calculated on the basis of LOF. The mapping between the priority value and the LOF of the member alarms is as follows:
P(g)=
In the above formula, g is an alarm association graph and the remaining parameter is the weight of the LOF value. The neighbours, reachability distance and local density of alarm association graphs are employed.
The alarm reporting and distribution module promptly forwards high-priority alarms to the work order dispatch system, or sends them to a visualization interface for display, or forwards them to security operations management personnel for confirmation before they are sent on to the work order dispatch system, or forwards them to other interfaces, etc.
The work order dispatch module dispatches the alarms confirmed by the system to the relevant security operation and maintenance personnel.
Alarm correlation analysis is a widely used technique for understanding alarm logs and discovering network attacks. However, because of the scale and complexity of today's networks and attacks, the volume of alarm logs produced by these networks is very large, which makes them difficult to analyze. The implementation architecture of a new type of security intelligence platform of the present invention can automatically generate alarm correlation rules, which greatly simplifies the analysis of alarm logs and improves the core competitiveness of the platform.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the implementation architecture of a new type of security intelligence platform of the present invention;
Embodiment
The invention is further described below with reference to the accompanying drawings and examples:
Fig. 1 is a schematic structural diagram of the implementation architecture of a new type of security intelligence platform of the present invention.
The architecture includes an alarm correlation rule generation module, an alarm online correlation module, an alarm association graph priority division module, an alarm reporting and distribution module, and a work order dispatch module.
The alarm correlation rule generation module builds a correlation model from historical alarm information and automatically generates alarm correlation rules and association strength parameters, which are used by the alarm online correlation module and updated periodically (or in real time). The alarm correlation model consists of two knowledge bases: (i) alarm association strength and (ii) alarm correlation rules. Alarm association strength expresses the degree of association between two alarm types; more specifically, it expresses how probable it is that an alarm of the second type occurs after an alarm of the first type.
When there are n (n > 1) correlation rule relations between two alarm types, the association strength between the two alarm types is the minimum association strength over the n correlation rules:
L(,)=min{P((1)
where
P()=(2)
In equation (2), for the given historical alarms, P( ) refers to the number of times that, within the same window W, an alarm of the second type occurred after an alarm of the first type each time the first type occurred, and P( ) refers to the number of times the first alarm type occurred. These data are stored in the two knowledge bases for querying during online correlation. Finally, P( ) is the probability that the two given alarm types occur within the same time window.
Algorithm 1 describes the process by which the alarm correlation rule generation module calculates the association strength and the two knowledge bases of correlation rules.
Lines 1 to 5 are initialization. A denotes the alarm attributes, including: alarm occurrence time (timestamp), source IP (source IP), source port (source port), destination IP (destination IP), destination port (destination port) and alarm type (intrusion type). H denotes the historical alarms used to train the correlation model; T denotes the alarm types of all historical alarms. The remaining symbol denotes the set of all alarm type pairs in T (one pair contains 2 alarm types), and its i-th element is the i-th pair of alarm types.
For each pair of alarm types, GETCONSTRAINTS generates a number of correlation rules by calculating all possible combinations of k attributes, using an artificial-intelligence method such as Apriori data mining. First, for k=1, it generates correlation rules of length 1, in which each correlation rule C contains only one alarm attribute a ∈ A. For each correlation rule C, we calculate the probability, under condition C, that one alarm type of the pair is sent after the other. If this probability does not exceed the threshold, the pair is considered uncorrelated.
Example 1 is a correlation rule generated by the alarm correlation rule generation module:
The alarm online correlation module performs correlation analysis on each alarm received in real time against S, the set of alarms that occurred within a given number of seconds before that alarm. To determine whether the new alarm is related to the alarms in S, the two knowledge bases in the alarm correlation rule generation module can be queried in real time to obtain the alarm association strength and the alarm correlation rules for the pair of alarm types. Two alarms are regarded as correlated if they satisfy both of the following conditions:
(1) the association strength of the two alarm types exceeds the threshold;
(2) among the correlation rules of the two alarm types, the two alarms simultaneously satisfy at least one rule.
Each analyzed alarm is stored in an in-memory database. If the new alarm is correlated with an alarm in S, it is added to the alarm association graph of that alarm; that is, an edge is added to the alarm association graph to describe the correlation.
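The rule generation and online correlation steps described above, worked through as an added example; this is not code from the patent or its assignee. It assumes that a correlation rule C is a tuple of alarm attributes that must be equal between the earlier and the later alarm (the "k composite attributes" above, grown Apriori-style from length 1), that the association strength of a type pair is the minimum probability over its kept rules as in equation (1), and that the condition check is "probability above threshold". The alarm history, the live stream, the 60-second window and the 0.5 threshold are constructed for illustration, and the class and function names are the example's own.

```python
"""Added example: mining alarm correlation rules from history and applying
them online. Assumptions (not from the patent): a rule is a tuple of alarm
attributes that must be equal between the earlier and the later alarm; the
sample alarms, window and threshold are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

ATTRS = ("src_ip", "src_port", "dst_ip", "dst_port")   # candidate rule attributes


@dataclass(frozen=True)
class Alarm:
    ts: int          # occurrence time in seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    atype: str       # intrusion type


def mine_rules(history, window, threshold, max_k=2):
    """Return (rules, strength).

    rules[(a, b)] maps each kept constraint (tuple of attribute names) to
    P(b follows a within `window` and the attributes match | a occurred).
    Length-(k+1) candidates are built Apriori-style only from surviving
    length-k rules. strength[(a, b)] is the minimum probability over the
    kept rules, as in equation (1) of the description.
    """
    history = sorted(history, key=lambda x: x.ts)
    count_a = defaultdict(int)                       # occurrences of type a
    joint = defaultdict(lambda: defaultdict(int))    # (a, b) -> constraint -> count
    candidates = [c for k in range(1, max_k + 1) for c in combinations(ATTRS, k)]
    for i, a in enumerate(history):
        count_a[a.atype] += 1
        for b in history[i + 1:]:
            if b.ts - a.ts > window:                 # alarms are time-sorted
                break
            for c in candidates:
                if all(getattr(a, f) == getattr(b, f) for f in c):
                    joint[(a.atype, b.atype)][c] += 1

    rules, strength = {}, {}
    types = sorted(count_a)
    for a in types:
        for b in types:
            kept, frontier, k = {}, [(f,) for f in ATTRS], 1
            while frontier and k <= max_k:
                survivors = []
                for c in frontier:
                    p = joint[(a, b)][c] / count_a[a]
                    if p > threshold:                # "not above threshold" -> uncorrelated
                        kept[c] = p
                        survivors.append(c)
                nxt = set()                          # Apriori join of surviving rules
                for c1, c2 in combinations(survivors, 2):
                    cand = tuple(sorted(set(c1) | set(c2), key=ATTRS.index))
                    if len(cand) == k + 1 and all(s in kept for s in combinations(cand, k)):
                        nxt.add(cand)
                frontier, k = sorted(nxt), k + 1
            if kept:
                rules[(a, b)] = kept
                strength[(a, b)] = min(kept.values())
    return rules, strength


class OnlineCorrelator:
    """Alarm online correlation module: keeps S (alarms within the window) in
    memory and grows the alarm association graph one edge at a time."""

    def __init__(self, rules, strength, window, threshold):
        self.rules, self.strength = rules, strength
        self.window, self.threshold = window, threshold
        self.recent = []      # S: alarms received within the last `window` seconds
        self.edges = []       # association graph edges (earlier_alarm, later_alarm)

    def process(self, alarm):
        """Correlate one newly received alarm; return the alarms in S it joins."""
        self.recent = [x for x in self.recent if alarm.ts - x.ts <= self.window]
        matched = []
        for prev in self.recent:
            key = (prev.atype, alarm.atype)
            if self.strength.get(key, 0.0) <= self.threshold:      # condition (1)
                continue
            if any(all(getattr(prev, f) == getattr(alarm, f) for f in c)
                   for c in self.rules[key]):                       # condition (2)
                matched.append(prev)
                self.edges.append((prev, alarm))
        self.recent.append(alarm)
        return matched


def build_history():
    """Constructed training data: ten scan-then-brute-force pairs from the
    same source 20 s apart, each followed by an unrelated ICMP flood."""
    hist = []
    for i in range(10):
        base, src = i * 1000, f"10.0.0.{i + 1}"
        hist.append(Alarm(base, src, 40000 + i, "192.168.1.10", 22, "port_scan"))
        hist.append(Alarm(base + 20, src, 41000 + i, "192.168.1.10", 22, "brute_force"))
        hist.append(Alarm(base + 500, f"172.16.0.{i + 1}", 0, "192.168.1.20", 0, "icmp_flood"))
    return hist


def demo(window=60, threshold=0.5):
    """Train on the constructed history, then replay a constructed live stream.
    Returns the number of correlated predecessors found for each live alarm."""
    rules, strength = mine_rules(build_history(), window, threshold)
    corr = OnlineCorrelator(rules, strength, window, threshold)
    stream = [
        Alarm(0, "10.0.0.99", 5555, "192.168.1.10", 22, "port_scan"),
        Alarm(15, "10.0.0.99", 5556, "192.168.1.10", 22, "brute_force"),  # follows the scan
        Alarm(30, "10.0.0.77", 0, "192.168.1.20", 0, "icmp_flood"),       # no rule for this pair
        Alarm(100, "10.0.0.99", 5557, "192.168.1.10", 22, "brute_force"), # window has expired
    ]
    return [len(corr.process(a)) for a in stream]


if __name__ == "__main__":
    print(demo())   # [0, 1, 0, 0]
```

On the constructed history the only type pair that survives is (port_scan, brute_force): the source-port constraint is dropped at length 1 because the ports never match, so no length-2 candidate containing it is ever generated, while the six rules built from source IP, destination IP and destination port all reach probability 1.0. In the live replay the second brute-force alarm is not correlated even though the same rules would match, because the scan has already left the window S.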
The alarm association graph priority division module assigns a priority to each alarm association graph, based on the differences between alarm association graphs. Priorities are divided into 4 levels in total. Level 4 is the highest alarm level (the most serious alarms), and level 1 is the lowest alarm level (the least important alarms).
Alarm association graph priority is calculated on the basis of LOF. The mapping between the priority value and the LOF of the member alarms is as follows:
P(g)=
In the above formula, g is an alarm association graph and the remaining parameter is the weight of the LOF value. The neighbours, reachability distance and local density of alarm association graphs are employed.
(1) k-neighbours and k-distance: the k-neighbours of an alarm association graph are the other alarm association graphs whose difference from it is less than or equal to its k-distance. The k-distance of an alarm association graph is its distance to the k-th nearest alarm association graph. k is a configurable parameter provided by the algorithm.
(2) Reachability distance: the maximum of 2 values: one value is the distance between the two alarm association graphs, the other value is the k-distance of the other graph. It is expressed as follows:
r(g,)=max
(3) Local reachability density: the local reachability density of an alarm association graph is the inverse of the average reachability distance between it and its k-neighbours:
Ir=(
(4) Local outlier factor: for each alarm association graph g, its LOF is calculated by the following formula:
=
(5) LOF priority division: considering that LOF values lie in a range from 0 upward, this patent uses a weighting technique to map the LOF value into a range from 0 up to a fixed bound:
nLOF(g)=
This module uses the priority level of each alarm association graph as a filter: all alarm association graphs whose level exceeds the threshold are forwarded to the alarm reporting and distribution module for further processing; for example, alarm association graphs above level 2 are forwarded to the alarm reporting and distribution module. The final purpose is that unimportant alarms are not forwarded to the alarm reporting and distribution module.
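The LOF-based priority division in steps (1) to (5) and the level filter above, worked through as an added example that is not the patent's own code. It assumes that the difference between two alarm association graphs is the Euclidean distance between three summary features of each graph (alarm count, distinct source IPs, distinct alarm types), and that the weighting that maps LOF onto the four levels is nLOF(g) = 4·LOF(g)/(LOF(g) + w) with w = 4 followed by 1 + floor(nLOF); the page does not fix either choice. The sample graphs are constructed and the function names are the example's own.

```python
"""Added example: LOF-based priority division of alarm association graphs.
Assumptions (not from the patent): each graph is summarised by the feature
vector (alarm count, distinct source IPs, distinct alarm types), graph
difference is Euclidean distance on that vector, and the weighting that maps
LOF onto four levels is nLOF = 4*LOF/(LOF + w). Sample graphs are constructed."""
import math


def graph_features(alarms):
    """Summarise one alarm association graph; alarms are (ts, src_ip, atype)."""
    return (len(alarms), len({a[1] for a in alarms}), len({a[2] for a in alarms}))


def distance(x, y):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(x, y)))


def k_distance_and_neighbours(i, feats, k):
    """(1) k-distance of graph i and its k-neighbours: every other graph whose
    distance is <= the k-distance (ties can therefore give more than k)."""
    ranked = sorted((distance(feats[i], f), j) for j, f in enumerate(feats) if j != i)
    kdist = ranked[k - 1][0]
    return kdist, [j for d, j in ranked if d <= kdist]


def lof_scores(feats, k):
    """Steps (2)-(4): reachability distance, local reachability density, LOF."""
    n = len(feats)
    kd = [k_distance_and_neighbours(i, feats, k) for i in range(n)]

    def reach(i, j):   # (2) reach-dist(i, j) = max(k-distance(j), d(i, j))
        return max(kd[j][0], distance(feats[i], feats[j]))

    # (3) lrd(i) = 1 / mean reachability distance to the k-neighbours
    lrd = [len(kd[i][1]) / sum(reach(i, j) for j in kd[i][1]) for i in range(n)]
    # (4) LOF(i) = mean lrd of the k-neighbours / lrd(i)
    return [sum(lrd[j] for j in kd[i][1]) / len(kd[i][1]) / lrd[i] for i in range(n)]


def priority(lof, w=4.0):
    """(5) Map LOF in [0, inf) onto levels 1..4 via nLOF = 4*LOF/(LOF + w) in [0, 4)."""
    nlof = 4.0 * lof / (lof + w)
    return 1 + int(math.floor(nlof))


def rank_graphs(graphs, k=3, forward_above=2):
    """Return (LOF per graph, level per graph, indices forwarded to reporting)."""
    feats = [graph_features(g) for g in graphs]
    lofs = lof_scores(feats, k)
    levels = [priority(x) for x in lofs]
    return lofs, levels, [i for i, lvl in enumerate(levels) if lvl > forward_above]


def build_graphs():
    """Constructed sample: eight routine graphs with 3-4 alarms, 1-2 sources and
    2-3 alarm types (a unit cube in feature space), plus one fan-out graph of
    40 alarms from 25 sources across 6 types that should be the outlier."""
    graphs = []
    for n_alarms in (3, 4):
        for n_src in (1, 2):
            for n_types in (2, 3):
                graphs.append([(10 * i, f"10.0.0.{i % n_src + 1}", f"type{i % n_types}")
                               for i in range(n_alarms)])
    graphs.append([(i, f"172.16.0.{i % 25 + 1}", f"type{i % 6}") for i in range(40)])
    return graphs


if __name__ == "__main__":
    lofs, levels, forwarded = rank_graphs(build_graphs())
    for i, (lof, lvl) in enumerate(zip(lofs, levels)):
        print(f"graph {i}: LOF={lof:.2f} level={lvl}")
    print("forwarded:", forwarded)   # [8]
```

The eight routine graphs sit at the corners of a unit cube in feature space, so with k = 3 each has exactly three neighbours at distance 1, every reachability distance is 1 and every LOF is exactly 1.0, which maps to level 1. The fan-out graph is more than 40 units from its nearest neighbours, its LOF is about 43, and it is the only graph above level 2 and hence the only one forwarded to the alarm reporting and distribution module. Note the tie handling in step (1): because neighbours are "all graphs within the k-distance", a tie at the k-th position enlarges the neighbourhood rather than choosing arbitrarily.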
The alarm reporting and distribution module promptly forwards high-priority alarms to the work order dispatch system, or sends them to a visualization interface for display, or forwards them to security operations management personnel for confirmation before they are sent on to the work order dispatch system, or forwards them to other interfaces, etc.
The work order dispatch module dispatches the alarms confirmed by the system to the relevant security operation and maintenance personnel.
The foregoing are only preferred embodiments of the present invention and do not limit the scope of the present invention; all equivalent changes and modifications made according to the present invention are considered to fall within the scope of the claims of the present invention.

Claims (10)

1. The invention provides an implementation architecture for a new type of security intelligence platform, including an alarm correlation rule generation module, an alarm online correlation module, an alarm association graph priority division module, an alarm reporting and distribution module, and a work order dispatch module.
2. The implementation architecture of a new type of security intelligence platform as claimed in claim 1, wherein the alarm correlation rule generation module builds a correlation model from historical alarm information and automatically generates alarm correlation rules and association strength parameters, which are used by the alarm online correlation module and updated periodically or in real time.
3. The alarm correlation model consists of two knowledge bases: (i) alarm association strength; (ii) alarm correlation rules.
4. The implementation architecture of a new type of security intelligence platform as claimed in claim 1, wherein the alarm online correlation module performs correlation analysis on each alarm received in real time against S, the set of alarms that occurred within a given number of seconds before that alarm.
5. To determine whether the alarm is related to the alarms in S, the two knowledge bases in the alarm correlation rule generation module can be queried in real time to obtain the alarm association strength and the alarm correlation rules of the alarm types.
6. The implementation architecture of a new type of security intelligence platform as claimed in claim 1, wherein the alarm association graph priority division module assigns a priority to each alarm association graph, based on the differences between alarm association graphs.
7. Priorities are divided into 4 levels in total.
8. Level 4 is the highest alarm level (the most serious alarms), and level 1 is the lowest alarm level (the least important alarms).
9. The implementation architecture of a new type of security intelligence platform as claimed in claim 1, wherein the alarm reporting and distribution module promptly forwards high-priority alarms to the work order dispatch system, or sends them to a visualization interface for display, or forwards them to security operations management personnel for confirmation before sending them on to the work order dispatch system, or forwards them to other interfaces, etc.
10. The implementation architecture of a new type of security intelligence platform as claimed in claim 1, wherein the work order dispatch module dispatches the alarms confirmed by the system to the relevant security operation and maintenance personnel.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710700493.3A CN107332717A (en) 2017-08-16 2017-08-16 Implementation architecture of a new type of security intelligence platform

Publications (1)

Publication Number Publication Date
CN107332717A true CN107332717A (en) 2017-11-07

Family

ID=60201126

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710700493.3A Pending CN107332717A (en) 2017-08-16 2017-08-16 Implementation architecture of a new type of security intelligence platform

Country Status (1)

Country Link
CN (1) CN107332717A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112702215A (en) * 2021-03-04 2021-04-23 新华三人工智能科技有限公司 Alarm association rule matching priority ordering method, device and storage medium
CN112702215B (en) * 2021-03-04 2021-07-02 新华三人工智能科技有限公司 Alarm association rule matching priority ordering method, device and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7376969B1 (en) * 2002-12-02 2008-05-20 Arcsight, Inc. Real time monitoring and analysis of events from multiple network security devices
CN105847029A (en) * 2015-09-08 2016-08-10 南京联成科技发展有限公司 Information security event automatic association and rapid response method and system based on big data analysis

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information
Address after: 211800 14F, Building A, Eagle Building, 99 Unity Road, Nanjing Software Park, Nanjing Hi-tech Zone, Jiangsu
Applicant after: NANJING LIANCHENG TECHNOLOGY DEVELOPMENT CO.,LTD.
Address before: 211800 14F, Block A, Incubator Eagle Building, 99 Unity Road, Nanjing Software Park, Nanjing Hi-tech Zone, Nanjing, Jiangsu Province
Applicant before: NANJING LIANCHENG TECHNOLOGY DEVELOPMENT CO.,LTD.
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20171107