CN107332717A - A kind of new type of safe wisdom platform realizes framework - Google Patents
A kind of new type of safe wisdom platform realizes framework
- Publication number: CN107332717A
- Application number: CN201710700493.3A
- Authority: CN (China)
- Prior art keywords: alarm, association, module, new type, safe
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  - H04L41/28—Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
  - H04L41/06—Management of faults, events, alarms or notifications
    - H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    - H04L41/069—Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
  - H04L41/14—Network analysis or design
    - H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H—ELECTRICITY / H04—ELECTRIC COMMUNICATION TECHNIQUE / H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION / H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Alarm Systems (AREA)
Abstract
Alarm correlation analysis is a widely used technique for understanding alarm logs and discovering network attacks. However, because of the scale and complexity of today's networks and attacks, the volume of alarm logs produced by these networks is very large, which makes them difficult to analyse. The new type of safe wisdom platform realization framework of the present invention automatically generates alarm association rules, which greatly simplifies the analysis of alarm logs and improves the core competitiveness of the platform.
Description
Technical field
The present invention relates to information security and artificial intelligence, and in particular to an implementation framework for an intelligent, fast and efficient new type of safe wisdom platform.
Background technology
The English abbreviations used in the present invention are as follows:
LOF: Local Outlier Factor
SOC: Security Operation Center
ID: Identifier (unique identification number)
IDS: Intrusion Detection System
SNMP: Simple Network Management Protocol
Safe production is the premise for all work proceeding in an orderly manner, and it is also a veto indicator in the assessment of leading cadres at every level.
Enterprise IT networks and information security operation and maintenance systems are important components of the safe-operation work of every kind of factory and enterprise. Ensuring that enterprise IT systems, industrial networks and information systems run efficiently and stably is the basis for all business management activities and the normal operation of factories and enterprises.
At present, the IT networks and industrial control systems of factories and enterprises have all, to some extent, deployed a variety of intelligent management and control systems and security devices. These have effectively raised labour productivity and reduced operating costs, and have become an important support for the efficient operation of factories and enterprises and an indispensable link in production. On the one hand, once a security incident or failure occurs in an industrial network or one of its control systems, if it cannot be discovered, handled and recovered from in time, it will inevitably affect the normal management order of the factory or enterprise, may even cause plant downtime, and can threaten the survival of the factory or enterprise; the security of enterprise IT systems and industrial networks therefore becomes increasingly important. On the other hand, as cyber-attack techniques become ever more advanced and widespread, the industrial network systems of factories and enterprises face the danger of being attacked at any time, and frequently suffer intrusions and damage of varying degrees that severely disrupt the normal operation of enterprise office systems and factory industrial networks, and with them enterprise operation and the normal production order. Increasingly serious security threats force enterprises to strengthen the security protection of their IT systems and industrial networks, to pursue a multi-level, three-dimensional security defence system, and to build a new type of safe wisdom platform that tracks system events in real time, detects and predicts all kinds of security attacks in real time, takes corresponding control actions in time, eliminates or reduces the losses or harm caused by attacks, and does everything possible to protect the normal operation of enterprise IT systems and industrial networks.
The information security operation and maintenance equipment already deployed (for example security management systems, SOC, network management systems, OMC and so on) collects the logs of devices such as IDS, firewalls, IPS, bastion hosts and 4A systems, performs correlation analysis on them and then raises alarms. However, the degree of intelligence of this security operation and maintenance equipment is not high: among the large number of alarms produced by devices, especially IDS, there are many false positives, and the existing security intelligence platforms cannot reduce the false positive rate. In addition, in existing security intelligence platforms the association rules cannot be generated automatically.
Therefore, how to use information technology to improve the operating efficiency of factories and enterprises and to optimise their IT and industrial control systems, so that professional and cost-effective information security operation and maintenance services can be provided to every kind of factory and enterprise, has become an important topic that must be solved, in particular in the design of information security operation and maintenance management.
Summary of the invention
The invention provides an implementation framework for a new type of safe wisdom platform that can automatically generate alarm association rules, perform fully intelligent security log analysis, and achieve unattended security operation and maintenance.
The new type of safe wisdom platform realization framework of the present invention is applied in an intelligent security operation and maintenance monitoring service platform that provides a variety of security services and operation and maintenance monitoring services to multiple factories and enterprises.
The security services include configuration management/baseline management, security risk assessment, threat detection, vulnerability scanning, anti-virus and so on.
The operation and maintenance monitoring services include configuration management, fault management, performance management, issue management, change management and so on.
The framework includes an alarm association rule generation module, an alarm online association module, an alarm association graph priority division module, an alarm report and distribution module, and a work order dispatch module.
The alarm association rule generation module builds a correlation model from historical alarm information and automatically generates alarm association rules, which are used by the alarm online association module and updated periodically (or in real time). The alarm correlation model consists of two knowledge bases: (i) alarm association strength and (ii) alarm association rules. The alarm association strength represents the degree of relevance between two alarm types; more specifically, it represents the probability that an alarm of the second type occurs after an alarm of the first type.
The alarm online association module performs correlation analysis on each alarm received in real time against S, the set of alarms that occurred within a configured number of seconds before it. To determine whether the new alarm is correlated with the alarms in S, the two knowledge bases maintained by the alarm association rule generation module are queried to obtain the alarm association strength and the alarm association rules of the pair of alarm types. Two alarms are considered correlated when they satisfy both of the following conditions:
(1) the association strength of the two alarm types;
(2) among the rules of the two alarm types, the two alarms satisfy at least one rule.
Each analysed alarm is stored in an in-memory database. If the new alarm is correlated with an alarm in S, it is added to that alarm's association graph; that is, an edge is added to the alarm association graph to describe the correlation.
The alarm association graph priority division module assigns a priority to each alarm association graph based on the differences between alarm association graphs. Priority is divided into 4 levels: level 4 is the highest alarm level (the most serious alarm) and level 1 is the lowest alarm level (the least important alarm).
The priority of an alarm association graph is calculated based on LOF. The mapping between the priority value and the LOF of the member alarms is as follows:
P(g)=
In the formula above, g is an alarm association graph and the remaining parameter is the weight applied to the LOF value. The neighbours, reachability distance and local density of the alarm association graphs are used.
The alarm report and distribution module forwards high-priority alarms in time to the work order dispatch system, or sends them to a visualisation interface for display, or forwards them to security operation management personnel for confirmation before sending them on to the work order dispatch system, or forwards them to other interfaces.
The work order dispatch module dispatches alarms confirmed by the system to the relevant security operation and maintenance personnel.
Alarm correlation analysis is a widely used technique for understanding alarm logs and discovering network attacks. However, because of the scale and complexity of today's networks and attacks, the volume of alarm logs produced by these networks is very large, which makes them difficult to analyse. The new type of safe wisdom platform realization framework of the present invention automatically generates alarm association rules, which greatly simplifies the analysis of alarm logs and improves the core competitiveness of the platform.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure of the new type of safe wisdom platform realization framework of the present invention.
Embodiment
The invention is further described below with reference to the drawings and an example.
Fig. 1 is a schematic diagram of the structure of the new type of safe wisdom platform realization framework of the present invention.
The framework includes an alarm association rule generation module, an alarm online association module, an alarm association graph priority division module, an alarm report and distribution module, and a work order dispatch module.
The alarm association rule generation module builds a correlation model from historical alarm information and automatically generates alarm association rules and association strength parameters, which are used by the alarm online association module and updated periodically (or in real time). The alarm correlation model consists of two knowledge bases: (i) alarm association strength and (ii) alarm association rules. The alarm association strength represents the degree of relevance between two alarm types; more specifically, it represents the probability that an alarm of the second type occurs after an alarm of the first type.
When there are n (n > 1) association rules between two alarm types, the association strength between the two alarm types is the minimum association strength over the n association rules:
L(,)=min{P()(1)
where
P()=(2)
In equation (2), for the given history alarms, one count is the number of times that, within the window W, an alarm of the second type occurred after an occurrence of the first type, and the other count is the number of times an alarm of the first type occurred. These data are stored in the two knowledge bases and are queried during online association. The resulting conditional probability is therefore the probability that, for two given alarm types, an alarm of the second type occurs after an alarm of the first type within the same time window.
Algorithm 1 describes how the alarm association rule generation module computes the association strength and the two knowledge bases of association rules.
Lines 1 to 5 are initialisation. A denotes the alarm attributes, including the alarm occurrence time (timestamp), source IP, source port, destination IP, destination port and alarm type (intrusion type). H denotes the history alarms used to train the correlation model; T denotes the alarm types of all history alarms; the pair set denotes all pairs of alarm types in T (one pair contains two alarm types), and its i-th element denotes the i-th pair of alarm types.
For each pair of alarm types, GETCONSTRAINTS generates association rules by computing all possible combinations of k attributes, using an artificial-intelligence data-mining method such as the Apriori approach. First, with k = 1, it generates association rules of length 1, where each association rule C contains only one alarm attribute a ∈ A. For each association rule C, we compute the probability that, under condition C, an alarm of the second type is sent after an alarm of the first type. If this probability does not exceed the threshold, the two alarm types are considered uncorrelated.
Example 1 is an association rule generated by the alarm association rule generation module:
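The following is an added example written for this page; it is not the patent's Example 1 or its Algorithm 1. It implements the rule generation and association strength described above on a small constructed alarm history: rules are sets of attributes (here only `source_ip` and `dest_ip`, an assumed subset of A) that two alarms must share, candidates grow Apriori-style from length 1, the conditional probability is the share of first-type alarms followed within the window W by a matching second-type alarm (counting each first-type occurrence at most once is an assumption), and the association strength L is the minimum over the surviving rules as in equation (1). The window (60 s) and threshold (0.5) are assumed values.

```python
from itertools import combinations, permutations

# Constructed history alarms (not from the patent):
# (timestamp in seconds, source_ip, dest_ip, alarm_type)
HISTORY = [
    (0,   "10.0.0.5", "10.0.1.9", "PORT_SCAN"),
    (20,  "10.0.0.5", "10.0.1.9", "BRUTE_FORCE"),
    (100, "10.0.0.7", "10.0.1.9", "PORT_SCAN"),
    (130, "10.0.0.7", "10.0.1.9", "BRUTE_FORCE"),
    (300, "10.0.0.8", "10.0.1.2", "PORT_SCAN"),
    (400, "10.0.0.9", "10.0.1.3", "MALWARE"),
    (405, "10.0.0.5", "10.0.1.9", "BRUTE_FORCE"),
]
ATTRS = ("source_ip", "dest_ip")  # attributes a rule may constrain (assumed subset of A)
WINDOW_W = 60.0                   # window W in seconds (assumed value)
MIN_PROB = 0.5                    # probability threshold for a rule (assumed value)
_FIELD = {"source_ip": 1, "dest_ip": 2}  # tuple index of each attribute


def conditional_prob(history, a, b, rule, window=WINDOW_W):
    """P(b | a, rule): share of type-a alarms followed within `window` seconds by a
    type-b alarm that agrees with the type-a alarm on every attribute in `rule`.
    Each type-a occurrence counts at most once (assumption)."""
    a_alarms = [x for x in history if x[3] == a]
    if not a_alarms:
        return 0.0
    followed = 0
    for x in a_alarms:
        for y in history:
            if (y[3] == b and x[0] < y[0] <= x[0] + window
                    and all(x[_FIELD[r]] == y[_FIELD[r]] for r in rule)):
                followed += 1
                break
    return followed / len(a_alarms)


def generate_rules(history, a, b, attrs=ATTRS, min_prob=MIN_PROB):
    """Apriori-style GETCONSTRAINTS: evaluate all length-1 rules first; a length-k
    candidate is only tried when every one of its (k-1)-subsets passed the threshold.
    Returns {rule (frozenset of attributes): probability} for surviving rules."""
    rules = {}
    frontier = [frozenset([r]) for r in attrs]
    k = 1
    while frontier:
        for rule in frontier:
            p = conditional_prob(history, a, b, rule)
            if p > min_prob:
                rules[rule] = p
        k += 1
        frontier = [frozenset(c) for c in combinations(attrs, k)
                    if all(frozenset(s) in rules for s in combinations(c, k - 1))]
    return rules


def association_strength(rules):
    """Equation (1): L(a, b) = min over the surviving rules of P(b | a, rule)."""
    return min(rules.values()) if rules else 0.0


def build_knowledge_bases(history, attrs=ATTRS):
    """Build the two knowledge bases for every ordered pair of alarm types:
    strength_kb[(a, b)] = L(a, b) and rule_kb[(a, b)] = the surviving rules."""
    types = sorted({x[3] for x in history})
    strength_kb, rule_kb = {}, {}
    for a, b in permutations(types, 2):
        rules = generate_rules(history, a, b, attrs)
        if rules:
            rule_kb[(a, b)] = rules
            strength_kb[(a, b)] = association_strength(rules)
    return strength_kb, rule_kb


if __name__ == "__main__":
    strengths, rules = build_knowledge_bases(HISTORY)
    for pair, strength in strengths.items():
        print(pair, round(strength, 3), sorted(sorted(r) for r in rules[pair]))
```

On the constructed history, two of the three PORT_SCAN alarms are followed within 60 s by a BRUTE_FORCE alarm from the same source to the same destination, so the pair (PORT_SCAN, BRUTE_FORCE) survives with strength 2/3 under every rule, while the reverse ordering and the MALWARE pairs never exceed the threshold and are treated as uncorrelated.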
The alarm online association module performs correlation analysis on each alarm received in real time against S, the set of alarms that occurred within a configured number of seconds before it. To determine whether the new alarm is correlated with the alarms in S, the two knowledge bases in the alarm association rule generation module can be queried in real time to obtain the alarm association strength and the alarm association rules of the pair of alarm types. Two alarms are considered correlated when they satisfy both of the following conditions:
(1) the association strength of the two alarm types;
(2) among the rules of the two alarm types, the two alarms satisfy at least one rule.
Each analysed alarm is stored in an in-memory database. If the new alarm is correlated with an alarm in S, it is added to that alarm's association graph; that is, an edge is added to the alarm association graph to describe the correlation.
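As an added example (not the patent's own code), the online association step described above: every incoming alarm is checked against S, the alarms of the last few seconds kept in memory, using constructed knowledge bases shaped like the output of the rule generation module. Condition (1) is taken to mean that the looked-up strength must reach a threshold (0.5 is an assumed value, since the page does not give one), condition (2) that the two alarms agree on every attribute of at least one rule, and correlated alarms are merged into association graphs with a union-find structure; the 120 s look-back and the alarm fields are also assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    id: int
    ts: float        # occurrence time in seconds
    source_ip: str
    dest_ip: str
    type: str


# Constructed knowledge bases (assumption): the association strength and the
# association rules for one ordered pair of alarm types.
STRENGTH_KB = {("PORT_SCAN", "BRUTE_FORCE"): 0.67}
RULE_KB = {("PORT_SCAN", "BRUTE_FORCE"): [frozenset({"source_ip"}), frozenset({"dest_ip"})]}


class OnlineAssociator:
    def __init__(self, strength_kb, rule_kb, lookback_s=120.0, min_strength=0.5):
        self.strength_kb = strength_kb
        self.rule_kb = rule_kb
        self.lookback_s = lookback_s      # length of the window that defines S (assumed)
        self.min_strength = min_strength  # threshold for condition (1) (assumed)
        self.recent = []   # stands in for the in-memory database of analysed alarms
        self.parent = {}   # union-find over alarm ids: one root per association graph
        self.edges = []    # edges added to the association graphs

    def _find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.parent[rb] = ra

    def correlated(self, earlier, later):
        """Condition (1): strength of the ordered type pair reaches the threshold.
        Condition (2): the alarms agree on every attribute of at least one rule."""
        key = (earlier.type, later.type)
        if self.strength_kb.get(key, 0.0) < self.min_strength:
            return False
        return any(all(getattr(earlier, attr) == getattr(later, attr) for attr in rule)
                   for rule in self.rule_kb.get(key, []))

    def process(self, alarm):
        """Analyse one incoming alarm against S and return the ids it was linked to."""
        cutoff = alarm.ts - self.lookback_s
        self.recent = [a for a in self.recent if a.ts >= cutoff]   # S = alarms still in window
        self.parent.setdefault(alarm.id, alarm.id)
        linked = []
        for earlier in self.recent:
            if self.correlated(earlier, alarm):
                self.edges.append((earlier.id, alarm.id))
                self._union(earlier.id, alarm.id)
                linked.append(earlier.id)
        self.recent.append(alarm)
        return linked

    def graphs(self):
        """Current alarm association graphs as sets of alarm ids, ordered by smallest id."""
        groups = {}
        for node in self.parent:
            groups.setdefault(self._find(node), set()).add(node)
        return sorted(groups.values(), key=min)


# Constructed real-time stream (assumption): alarm 3 matches no rule, alarm 4
# arrives after the window has emptied, alarm 5 shares a destination with alarm 4.
STREAM = [
    Alarm(1, 0.0,   "10.0.0.5", "10.0.1.9", "PORT_SCAN"),
    Alarm(2, 30.0,  "10.0.0.5", "10.0.1.9", "BRUTE_FORCE"),
    Alarm(3, 50.0,  "10.0.0.6", "10.0.1.2", "BRUTE_FORCE"),
    Alarm(4, 200.0, "10.0.0.7", "10.0.1.9", "PORT_SCAN"),
    Alarm(5, 250.0, "10.0.0.8", "10.0.1.9", "BRUTE_FORCE"),
]


def run_demo(stream=STREAM):
    """Feed the stream through the associator; returns (graphs, edges)."""
    assoc = OnlineAssociator(STRENGTH_KB, RULE_KB)
    for alarm in stream:
        assoc.process(alarm)
    return assoc.graphs(), assoc.edges


if __name__ == "__main__":
    print(run_demo())
```

Alarm 2 is linked to alarm 1 (same source), alarm 3 matches neither rule and stays isolated, alarm 4 finds an empty S because nothing from the first 120 s remains, and alarm 5 is linked to alarm 4 through the destination rule, giving three association graphs.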
The alarm association graph priority division module assigns a priority to each alarm association graph based on the differences between alarm association graphs. Priority is divided into 4 levels: level 4 is the highest alarm level (the most serious alarm) and level 1 is the lowest alarm level (the least important alarm).
The priority of an alarm association graph is calculated based on LOF. The mapping between the priority value and the LOF of the member alarms is as follows:
P(g)=
In the formula above, g is an alarm association graph and the remaining parameter is the weight applied to the LOF value. The neighbours, reachability distance and local density of the alarm association graphs are used, as follows.
(1) k-neighbours and k-distance: the k-neighbours of an alarm association graph are the other alarm association graphs whose difference from it is less than or equal to its k-distance. The k-distance of a graph is its distance to the k-th nearest alarm association graph. k is a configurable parameter of the algorithm.
(2) Reachability distance: the maximum of two values, the distance between the two alarm association graphs and the k-distance of the second graph. It is expressed as follows:
r(g,)=max
(3) Local reachability density: the local reachability density of an alarm association graph is the inverse of the average reachability distance between it and its k-neighbours:
Ir=(
(4) Local outlier factor: for each alarm association graph g, its LOF is calculated by the following equation:
=
(5) LOF priority division: since LOF values lie in a range starting at 0, this patent uses a weighting technique to map the LOF value onto a bounded range starting at 0:
nLOF(g)=
For the priority division of each alarm association graph, this module uses the priority as a filter: all alarm association graphs whose priority exceeds the threshold are forwarded to the alarm report and distribution module for further processing (for example, alarm association graphs above level 2 are forwarded to the alarm report and distribution module). The final purpose is to ensure that unimportant alarms are not forwarded to the alarm report and distribution module.
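As an added example (not the patent's own code), steps (1) to (5) above and the level-2 filter carried through on five constructed alarm association graphs. Because the page does not say how the difference between two graphs is measured or what the weight in nLOF is, the example assumes each graph is summarised by a numeric feature vector (in practice derived from its alarms, e.g. alarm count and distinct hosts), uses Euclidean distance between vectors, scales LOF onto [0, 1] by min-max normalisation, and maps that onto the four levels with level 1 as the lowest; k = 2 is an assumed configuration value.

```python
import math

# Constructed feature vectors, one per alarm association graph (assumption).
# g1..g4 form a tight cluster; g5 is deliberately far from them.
GRAPH_FEATURES = {
    "g1": (1.0, 1.0), "g2": (1.0, 2.0), "g3": (2.0, 1.0), "g4": (2.0, 2.0),
    "g5": (10.0, 10.0),
}


def distance(u, v):
    """Difference between two graphs: Euclidean distance of their vectors (assumption)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def k_distance_and_neighbours(g, feats, k):
    """(1) k-distance: distance from g to its k-th nearest other graph;
    k-neighbours: every other graph whose distance is <= the k-distance."""
    others = sorted((distance(feats[g], feats[o]), o) for o in feats if o != g)
    k_dist = others[min(k, len(others)) - 1][0]
    return k_dist, [o for d, o in others if d <= k_dist]


def reach_distance(g, o, feats, k):
    """(2) r(g, o) = max(k-distance(o), d(g, o))."""
    k_dist_o, _ = k_distance_and_neighbours(o, feats, k)
    return max(k_dist_o, distance(feats[g], feats[o]))


def local_reachability_density(g, feats, k):
    """(3) lrd(g) = 1 / mean reachability distance from g to its k-neighbours."""
    _, nbrs = k_distance_and_neighbours(g, feats, k)
    mean_reach = sum(reach_distance(g, o, feats, k) for o in nbrs) / len(nbrs)
    return 1.0 / max(mean_reach, 1e-12)   # guard against identical vectors


def lof(g, feats, k):
    """(4) LOF(g) = mean over the k-neighbours o of lrd(o) / lrd(g)."""
    _, nbrs = k_distance_and_neighbours(g, feats, k)
    lrd_g = local_reachability_density(g, feats, k)
    return sum(local_reachability_density(o, feats, k) / lrd_g for o in nbrs) / len(nbrs)


def normalised_lof(feats, k):
    """(5) nLOF: map raw LOF values onto [0, 1] by min-max scaling (assumption:
    the patent's weight is not given on the page, so linear scaling is used)."""
    raw = {g: lof(g, feats, k) for g in feats}
    lo, hi = min(raw.values()), max(raw.values())
    span = hi - lo
    return {g: (v - lo) / span if span else 0.0 for g, v in raw.items()}


def priorities(feats, k=2):
    """Map nLOF in [0, 1] onto the four levels: 1 = least important, 4 = most serious."""
    return {g: min(4, 1 + int(n * 4)) for g, n in normalised_lof(feats, k).items()}


def select_for_report(prio, min_level=3):
    """Filter step: only graphs above level 2 go on to the report and distribution module."""
    return {g for g, level in prio.items() if level >= min_level}


if __name__ == "__main__":
    levels = priorities(GRAPH_FEATURES)
    print(levels, select_for_report(levels))
```

With k = 2 every cluster member has k-distance 1 and local reachability density 1, so its LOF is exactly 1 and it lands on level 1; g5's neighbours are all far away, its density is small, its LOF is about 11.8, and after normalisation it is the only graph on level 4 and the only one that passes the filter.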
The alarm report and distribution module forwards high-priority alarms in time to the work order dispatch system, or sends them to a visualisation interface for display, or forwards them to security operation management personnel for confirmation before sending them on to the work order dispatch system, or forwards them to other interfaces.
The work order dispatch module dispatches alarms confirmed by the system to the relevant security operation and maintenance personnel.
The foregoing is only a preferred embodiment of the present invention and does not limit its scope of practice; all equivalent changes and modifications made according to the present invention are considered to fall within the scope of its claims.
Claims (10)
1. An implementation framework for a new type of safe wisdom platform, comprising an alarm association rule generation module, an alarm online association module, an alarm association graph priority division module, an alarm report and distribution module and a work order dispatch module.
2. The implementation framework of a new type of safe wisdom platform as claimed in claim 1, wherein the alarm association rule generation module builds a correlation model from historical alarm information and automatically generates alarm association rules and association strength parameters, which are used by the alarm online association module and updated periodically or in real time.
3. The alarm correlation model consists of two knowledge bases: (i) alarm association strength and (ii) alarm association rules.
4. The implementation framework of a new type of safe wisdom platform as claimed in claim 1, wherein the alarm online association module performs correlation analysis on each alarm received in real time against S, the set of alarms that occurred within the configured number of seconds before the alarm.
5. To determine whether the alarm is correlated with the alarms in S, the two knowledge bases in the alarm association rule generation module can be queried in real time to obtain the alarm association strength and the alarm association rules of the alarm types.
6. The implementation framework of a new type of safe wisdom platform as claimed in claim 1, wherein the alarm association graph priority division module assigns a priority to each alarm association graph based on the differences between alarm association graphs.
7. Priority is divided into 4 levels.
8. Level 4 is the highest alarm level (the most serious alarm) and level 1 is the lowest alarm level (the least important alarm).
9. The implementation framework of a new type of safe wisdom platform as claimed in claim 1, wherein the alarm report and distribution module forwards high-priority alarms in time to the work order dispatch system, or sends them to a visualisation interface for display, or forwards them to security operation management personnel for confirmation before sending them on to the work order dispatch system, or forwards them to other interfaces.
10. The implementation framework of a new type of safe wisdom platform as claimed in claim 1, wherein the work order dispatch module dispatches alarms confirmed by the system to the relevant security operation and maintenance personnel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710700493.3A CN107332717A (en) | 2017-08-16 | 2017-08-16 | A kind of new type of safe wisdom platform realizes framework |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710700493.3A CN107332717A (en) | 2017-08-16 | 2017-08-16 | A kind of new type of safe wisdom platform realizes framework |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107332717A true CN107332717A (en) | 2017-11-07 |
Family
ID=60201126
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710700493.3A Pending CN107332717A (en) | 2017-08-16 | 2017-08-16 | A kind of new type of safe wisdom platform realizes framework |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107332717A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7376969B1 (en) * | 2002-12-02 | 2008-05-20 | Arcsight, Inc. | Real time monitoring and analysis of events from multiple network security devices |
CN105847029A (en) * | 2015-09-08 | 2016-08-10 | 南京联成科技发展有限公司 | Information security event automatic association and rapid response method and system based on big data analysis |
Events
- 2017-08-16: CN CN201710700493.3A patent/CN107332717A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112702215A (en) * | 2021-03-04 | 2021-04-23 | 新华三人工智能科技有限公司 | Alarm association rule matching priority ordering method, device and storage medium |
CN112702215B (en) * | 2021-03-04 | 2021-07-02 | 新华三人工智能科技有限公司 | Alarm association rule matching priority ordering method, device and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105847029B (en) | A kind of information security events auto-associating and quick response system based on big data | |
CN108900541B (en) | System and method for sensing security situation of SDN (software defined network) of cloud data center | |
CN101562537B (en) | Distributed self-optimized intrusion detection alarm associated system | |
CN107479518A (en) | A kind of method and system for automatically generating alarm association rule | |
CN108833397A (en) | A kind of big data safety analysis plateform system based on network security | |
CN104506507A (en) | Honey net safeguard system and honey net safeguard method for SDN (self-defending network) | |
CN104468631A (en) | Network intrusion identification method based on anomaly flow and black-white list library of IP terminal | |
CN110336827A (en) | A kind of Modbus Transmission Control Protocol fuzz testing method based on exception field positioning | |
CN107547228B (en) | Implementation architecture of safe operation and maintenance management platform based on big data | |
CN110324323B (en) | New energy plant station network-related end real-time interaction process anomaly detection method and system | |
CN111600863B (en) | Network intrusion detection method, device, system and storage medium | |
EP2936772B1 (en) | Network security management | |
CN105867347B (en) | Cross-space cascading fault detection method based on machine learning technology | |
CN113115315B (en) | IOT equipment behavior credible supervision method based on block chain | |
Amudhavel et al. | A survey on intrusion detection system: State of the art review | |
CN107547229A (en) | A kind of implementation method of the safe operation management platform intelligent control based on big data | |
Landress | A hybrid approach to reducing the false positive rate in unsupervised machine learning intrusion detection | |
CN111935189B (en) | Industrial control terminal strategy control system and industrial control terminal strategy control method | |
CN111224973A (en) | Network attack rapid detection system based on industrial cloud | |
CN112383525A (en) | Industrial internet security situation evaluation method with high evaluation level and accuracy | |
CN115941317A (en) | Network security comprehensive analysis and situation awareness platform | |
CN108418697A (en) | A kind of realization framework of intelligentized safe O&M service cloud platform | |
CN107332717A (en) | A kind of new type of safe wisdom platform realizes framework | |
TWI744545B (en) | Decentralized network flow analysis approach and system for malicious behavior detection | |
CN110460558B (en) | Method and system for discovering attack model based on visualization |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| CB02 | Change of applicant information | Address after: 211800 14F, building A, Eagle building, 99 solidarity Road, Nanjing Software Park, Nanjing hi tech Zone, Jiangsu. Applicant after: NANJING LIANCHENG TECHNOLOGY DEVELOPMENT CO.,LTD. Address before: 211800, Jiangsu province Nanjing high tech Zone Nanjing Software Park unity Road 99 hatch Eagle Building A block 14 layers. Applicant before: NANJING LIANCHENG TECHNOLOGY DEVELOPMENT CO.,LTD. |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20171107 |