CN107592309A - Security event detection and processing method, system, device and storage medium - Google Patents

Security event detection and processing method, system, device and storage medium

Info

Publication number: CN107592309A (application CN201710827834.3A)
Authority: CN (China)
Prior art keywords: security event; key field; group; value; record
Legal status: Granted; currently active (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN107592309B (en)
Inventors: 周鸣杰, 陈莹, 江榕, 任晓艳, 章锦成, 凌云
Current assignee: Ctrip Travel Information Technology Shanghai Co Ltd
Original assignee: Ctrip Travel Information Technology Shanghai Co Ltd
Application filed by Ctrip Travel Information Technology Shanghai Co Ltd; priority to CN201710827834.3A; published as CN107592309A; granted and published as CN107592309B

Abstract

The invention provides a security event detection and processing method, system, device and storage medium. The method comprises: pre-storing, in a web service, the trigger conditions of multiple security events; presetting, in the web service, the merge conditions of multiple security event groups; obtaining system logs from a monitored system, screening the records to be processed in the system logs, and storing the records to be processed in a message queue; extracting the records to be processed from the message queue, counting the number of times the same key-field value occurs, determining whether to generate a security event according to the trigger conditions of the multiple security events, and determining the grouping of the security event according to the merge conditions of the security event groups. The invention improves the event handling efficiency and accuracy of operations and security response personnel: on the basis of centralised event collection it introduces an event group mechanism that aggregates events sharing a certain association into an event group, which reduces the limitations of single-event analysis and produces more accurate event group alarms.

Description

Security event detection and processing method, system, device and storage medium
Technical field
The present invention relates to the technical field of computer operations and maintenance (O&M), and more particularly to a security event detection and processing method, system, device and storage medium that detects security events in a unified way and processes them in groups.
Background technology
Security event handling is the response process for security events found in networks and systems; in the prior art its basic procedure comprises response, processing and reporting. With the continuous development of the internet industry, detection tools of every kind keep appearing, among them many in-house security detection tools or systems used to monitor the intranet; the common characteristic of these security detection tools, however, is that each security event is handled individually.
The rapid development of the internet industry brings with it a large number of security events, which creates a heavy workload for security O&M response personnel, and the existing approach of handling each event individually also has great limitations.
Summary of the invention
In view of the problems in the prior art, the object of the invention is to provide a security event detection and processing method, system, device and storage medium that improve the event handling efficiency and accuracy of O&M security response personnel: on the basis of centralised event collection, an event group mechanism is introduced, events that share a certain association are aggregated into an event group, the limitations of single-event analysis are reduced, and more accurate event group alarms are produced.
An embodiment of the present invention provides a security event detection and processing method comprising the following steps:
pre-storing the trigger conditions of multiple security events in a web service, where the trigger condition of each security event comprises a first time range, at least one key field and a trigger count for that key field;
presetting the merge conditions of multiple security event groups in the web service, where the merge condition of each security event group comprises a second time range, at least one key field and the value of that key field;
obtaining system logs from a monitored system, screening the records to be processed in the system logs, and storing the records to be processed in a message queue;
extracting the records to be processed from the message queue and counting, within the first time range, the number of times the value of the same key field occurs; if the counted number reaches the trigger count for that key field in a trigger condition, generating a new security event;
judging whether the new security event falls within the second time range of a security event group and whether the value of the key field that reached the trigger count in the security event is identical to the value of the corresponding key field in that security event group;
if so, storing the new security event in the corresponding security event group; otherwise, creating a new security event group and storing the new security event in the newly created group.
Optionally, the key fields comprise a source IP address and a target IP address;
counting, within the first time range, the number of times the value of the same key field occurs comprises the following steps:
counting, within the first time range, the number of times the same source IP address value occurs;
counting, within the first time range, the number of times the same target IP address value occurs.
Optionally, the types of security event comprise a port scan security event and a login brute-force security event;
the trigger condition of the port scan security event comprises the source IP address and a trigger count for the source IP address;
if the counted number of times the same source IP address value occurs within the first time range reaches the trigger count for the source IP address in the trigger condition of a port scan security event, a new port scan security event is generated;
the trigger condition of the login brute-force security event comprises the target IP address and a trigger count for the target IP address;
if the counted number of times the same target IP address value occurs within the first time range reaches the trigger count for the target IP address in the trigger condition of a login brute-force security event, a new login brute-force security event is generated.
Optionally, the merge condition of each security event group further comprises a security event type;
if the new security event falls within the second time range of a security event group, the value of the key field that reached the trigger count in the security event is identical to the value of the corresponding key field in the group, and the type of the security event is identical to the security event type of the group, the security event is stored in that security event group.
Optionally, the key fields further comprise a user name, and the trigger condition of the login brute-force security event further comprises a trigger number of user names;
the method further comprises the following steps:
counting, within the first time range, the number of login user names corresponding to the same target IP address value;
if the counted number of login user names corresponding to the same target IP address value within the first time range reaches the trigger number of user names in the trigger condition of a login brute-force security event, a new login brute-force security event is generated.
Optionally, the key fields further comprise the host name of the monitored system, and the trigger condition of the login brute-force security event further comprises the host name of the monitored system and a trigger count for the host name;
the method further comprises the following steps:
counting, within the first time range, the number of times the same host name value occurs;
if the counted number of times the same host name value occurs within the first time range reaches the trigger count for the host name in the trigger condition of a login brute-force security event, a new login brute-force security event is generated.
Optionally, creating a new security event group comprises the following steps:
creating a new security event group and setting the second time range of the new group to a preset default time range;
taking the key field that reached the trigger count in the security event, and the value of that key field, as the key field and key-field value in the merge condition of the security event group.
Optionally, the merge condition of each security event group further comprises a security event type;
creating a new security event group further comprises the following step:
taking the type of the security event as the security event type of the security event group.
Optionally, the records comprise access request records and login failure records;
screening the records to be processed in the system logs and storing them in the message queue comprises the following steps:
identifying the access request records and/or login failure records in the system logs;
extracting the time, the key fields and the key-field values of the access request records and/or login failure records and storing them in the message queue.
Optionally, the system logs are cut into records to be processed by the logstash tool, and the time, key fields and key-field values of the records to be processed are stored in the message queue in JSON format.
Optionally, counting, within the first time range, the number of times the value of the same key field occurs comprises the following steps:
counting, within the first time range, the number of times the same key-field value occurs in access request records; and
counting, within the first time range, the number of times the same key-field value occurs in login failure records;
the trigger condition of the security event comprises the first time range, at least one key field, and either a trigger count for occurrences of that key field in access request records or a trigger count for occurrences of that key field in login failure records;
if the counted number of occurrences of the same key-field value in access request records reaches the trigger count for occurrences of that key field in access request records in the trigger condition of the security event, a new security event is generated;
if the counted number of occurrences of the same key-field value in login failure records reaches the trigger count for occurrences of that key field in login failure records in the trigger condition of the security event, a new security event is generated.
Optionally, the trigger condition of the security event further comprises:
the number of times the same key-field value occurred within the first time range as counted at the previous statistics moment;
the method further comprises the following steps:
calculating the difference between the number of times the same key-field value occurs within the first time range as counted at the current statistics moment and the number of times it occurred within the first time range as counted at the previous statistics moment;
if the calculated difference reaches the trigger count for the key field in a trigger condition, a new security event is generated.
Optionally, the method further comprises the following steps:
presetting multiple event group grades for each security event group and an event count threshold corresponding to each event group grade;
judging whether the number of events in each security event group reaches the event count threshold corresponding to the next event group grade, and if so, changing the event group grade of that security event group to the next event group grade.
Optionally, the system logs comprise at least one of server logs, network intrusion detection system logs, honeypot logs and virtual private network logs.
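The two optional refinements just listed, differential counting between statistics moments and event group grade escalation by event count, as an added Python example that is not part of the patent. The record timestamps (integer seconds), the 300-second first time range, the trigger count of 100 for the source IP key field and the grade thresholds are all constructed for illustration; the example also shows, next to the differential rule, the plain absolute-count rule it is meant to complement.

```python
"""Added example, not the patent's code: differential counting between two
statistics moments, and event group grade escalation by event count.
All times are constructed integer seconds; thresholds are illustrative."""
from collections import Counter
from typing import Dict, List, Tuple

# constructed pending records: (time in seconds, source IP address value)
# one burst of 150 hits from 1.1.1.2 at t=100..249, then 120 hits from 1.1.1.9 at t=301..360
SAMPLE_RECORDS: List[Tuple[int, str]] = (
    [(100 + i, "1.1.1.2") for i in range(150)]
    + [(301 + i % 60, "1.1.1.9") for i in range(120)]
)

WINDOW = 300         # the first time range, in seconds (constructed)
TRIGGER_COUNT = 100  # trigger count for the source IP key field (constructed)


def count_values(records, window_start, window_end) -> Counter:
    """Occurrences of each key-field value within (window_start, window_end]."""
    return Counter(value for t, value in records if window_start < t <= window_end)


def absolute_fired(records, moment, window=WINDOW, trigger=TRIGGER_COUNT) -> List[str]:
    """Plain rule: a value fires whenever its count in the window ending at `moment`
    reaches the trigger count. A burst that stays inside overlapping windows fires
    again at every statistics moment."""
    counts = count_values(records, moment - window, moment)
    return sorted(v for v, n in counts.items() if n >= trigger)


def differential_fired(records, prev_moment, cur_moment,
                       window=WINDOW, trigger=TRIGGER_COUNT) -> List[str]:
    """Differential rule from the claims: a value fires only when its count grew by
    at least the trigger count between the previous and the current statistics moment."""
    prev = count_values(records, prev_moment - window, prev_moment)
    cur = count_values(records, cur_moment - window, cur_moment)
    return sorted(v for v, n in cur.items() if n - prev.get(v, 0) >= trigger)


# event group grades: (grade, number of events a group needs to reach that grade); constructed
GRADE_THRESHOLDS = [(2, 5), (3, 20)]


def escalate_grade(event_count: int, current_grade: int = 1,
                   thresholds=GRADE_THRESHOLDS) -> int:
    """Move the group to the next grade whenever its event count reaches the next
    grade's threshold; iterating the thresholds in order applies the check as often
    as the periodic judgement would."""
    grade = current_grade
    for next_grade, needed in thresholds:
        if next_grade == grade + 1 and event_count >= needed:
            grade = next_grade
    return grade


def demo() -> Dict[str, object]:
    """At moment 360 the absolute rule re-fires the old 1.1.1.2 burst, while the
    differential rule only reports the genuinely new 1.1.1.9 burst."""
    return {
        "absolute_at_360": absolute_fired(SAMPLE_RECORDS, 360),
        "differential_300_to_360": differential_fired(SAMPLE_RECORDS, 300, 360),
        "grade_for_7_events": escalate_grade(7),
    }


if __name__ == "__main__":
    print(demo())
```

The differential rule only helps when statistics moments are closer together than the first time range, so that consecutive windows overlap; with non-overlapping windows the difference and the absolute count coincide.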
An embodiment of the present invention also provides a security event detection and processing system for implementing the security event detection and processing method described above; the system comprises:
a database in which the trigger conditions of multiple security events are pre-stored, the trigger condition of each security event comprising a first time range, at least one key field and a trigger count for that key field, and in which the merge conditions of multiple security event groups are pre-stored, each merge condition comprising a second time range, at least one key field and the value of that key field;
a system log push module for obtaining system logs from the monitored system, screening the records to be processed in the system logs, and storing the records to be processed in a message queue;
a security event determination module for extracting the records to be processed from the message queue and counting, within the first time range, the number of times the value of the same key field occurs, and, if the counted number reaches the trigger count for that key field in the trigger condition of a security event, generating a new security event;
a security event merging module for storing the new security event in the corresponding security event group when the new security event falls within the second time range of that group and the value of the key field that reached the trigger count in the security event is identical to the value of the corresponding key field in the group;
a security event group creation module for creating a new security event group and storing the security event in it when the new security event does not satisfy the merge condition of any security event group.
An embodiment of the present invention also provides a security event detection and processing device comprising:
a processor;
a memory in which instructions executable by the processor are stored;
wherein the processor is configured to perform the steps of the security event detection and processing method described above by executing the executable instructions.
An embodiment of the present invention also provides a computer-readable storage medium for storing a program which, when executed, implements the steps of the security event detection and processing method described above.
It should be understood that the general description above and the detailed description below are merely exemplary and explanatory and do not limit the disclosure.
The security event detection and processing method, system, device and storage medium provided by the present invention have the following advantages:
While retaining single events and alarms, the invention aggregates security events into event groups for handling according to a time window and an association field, which strengthens the association between events and avoids the limitations of single-event analysis. Because events are aggregated into event groups, the thresholds on the policy engine can be lowered appropriately, avoiding the missed detections that high thresholds set to suppress false positives would otherwise cause. Combined with machine learning, event group data can serve as training samples for a model, improving the event handling efficiency of O&M personnel.
Brief description of the drawings
Other features, objects and advantages of the invention will become more apparent from the detailed description of non-limiting embodiments read with reference to the following drawings.
Fig. 1 is a flow chart of the security event detection and processing method of an embodiment of the invention;
Fig. 2 is a flow chart of the processing of system logs in an embodiment of the invention;
Fig. 3 is a flow chart of creating a new security event group in an embodiment of the invention;
Fig. 4 is a flow chart of judging the security event group grade in an embodiment of the invention;
Fig. 5 is a schematic structural diagram of the security event detection and processing system of an embodiment of the invention;
Fig. 6 is a schematic structural diagram of the security event detection and processing device of an embodiment of the invention;
Fig. 7 is a schematic structural diagram of the computer-readable storage medium of an embodiment of the invention.
Detailed description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be implemented in many forms and should not be construed as limited to the examples set forth here; rather, these embodiments are provided so that the disclosure will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures or characteristics may be combined in one or more embodiments in any suitable manner.
Furthermore, the drawings are merely schematic illustrations of the disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, so their repeated description is omitted. Some of the blocks shown in the drawings are functional entities that do not necessarily correspond to physically or logically independent entities; these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.
As shown in Fig. 1, an embodiment of the present invention provides a security event detection and processing method comprising the following steps:
S100: pre-storing the trigger conditions of multiple security events in a web application, the trigger condition of each security event comprising a first time range, at least one key field and a trigger count for that key field;
S200: presetting the merge conditions of multiple security event groups in the web application, the merge condition of each security event group comprising a second time range, at least one key field and the value of that key field;
S300: obtaining system logs from the monitored system, screening the records to be processed in the system logs, and storing the records to be processed in a message queue;
Optionally, the system logs may comprise at least one of server logs, network intrusion detection system logs, honeypot logs and VPN logs. Each type of log can be further divided into subclasses, for example successful logins, failed logins, and application operation logs unrelated to security. The records of successful and failed logins may also include information such as the connection protocol and port.
S400: extracting the records to be processed from the message queue and counting, within the first time range, the number of times the value of the same key field occurs; if the counted number reaches the trigger count for that key field in a trigger condition, generating a new security event. The security events generated are generally of two types, port scan and login brute force; there are also security events generated according to known vulnerability characteristics.
For example, the trigger condition of one security event is that the same source IP address value occurs 100 times within five minutes; if the counted number meets this condition, a new security event is generated;
the trigger condition of another security event is that the same target IP address value occurs 50 times within ten minutes; if the counted number meets this condition, a new security event is generated.
These are only examples; in practice the first time range and the trigger count can be configured as needed. For instance, to detect short-lived malicious scanning or login brute-force security events the first time range can be set shorter; to raise detection precision the trigger count can be set higher, and to lower detection precision the trigger count can be set lower. In addition, the first time ranges in the trigger conditions of different security events can be set differently, in which case the counts are made separately for each first time range.
S500: judging whether the new security event can be added to a security event group, specifically: judging whether the new security event falls within the second time range of a security event group and whether the value of the key field that reached the trigger count in the security event is identical to the value of the corresponding key field in the group;
S600: if so, storing the new security event in the corresponding security event group;
For example, the merge condition of a security event group is that, within one hour, the source IP address value is 1.1.1.2. If the time of a newly generated security event falls within that hour and the value of the key field that reached the trigger count is source IP 1.1.1.2, the newly generated security event is merged into the corresponding security event group. The second time ranges of different security event groups can differ: one security event group may cover the security events of 2 hours while another covers those of 1 hour.
S700: otherwise, creating a new security event group and storing the new security event in the newly created group.
When security events are alarmed, each security event group can be notified to users by mail, and users can view all security event groups, together with the details of each group and the security events it contains, on a web page, thereby achieving aggregated analysis of security events.
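The procedure S400 to S700 (and the same steps as summarised in the method claims above, including the split of counts between access request and login failure records) run end to end over a constructed batch of pending records, as an added Python example that is not the patent's or Ctrip's code. The trigger conditions reuse the figures from the text (100 occurrences of one source IP within five minutes, 50 of one target IP within ten minutes), the merge condition reuses the one-hour second time range, and the record layout, the rule and group structures, the default group window and the helper names are this example's own assumptions.

```python
"""Added example, not the patent's code: windowed key-field counting, security
event generation and merging into security event groups. Records, rules and the
default second time range are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class TriggerCondition:
    event_type: str      # "port_scan" or "login_bruteforce"
    record_type: str     # "access_request" or "login_failure" (records are counted separately)
    window: timedelta    # the first time range
    key_field: str       # "src_ip" or "dst_ip"
    trigger_count: int   # occurrences of one value needed to generate an event


@dataclass
class SecurityEvent:
    event_type: str
    key_field: str
    key_value: str
    time: datetime       # the statistics moment at which it was generated
    count: int


@dataclass
class SecurityEventGroup:
    event_type: str
    key_field: str
    key_value: str
    start: datetime
    window: timedelta    # the second time range
    events: List[SecurityEvent] = field(default_factory=list)

    def accepts(self, ev: SecurityEvent) -> bool:
        """Merge condition: inside the group's time range, same key-field value and
        same event type (the optional type check the description adds)."""
        in_window = self.start <= ev.time < self.start + self.window
        return (in_window and ev.event_type == self.event_type
                and ev.key_field == self.key_field and ev.key_value == self.key_value)


DEFAULT_GROUP_WINDOW = timedelta(hours=1)   # assumed default second time range for new groups


def count_in_window(records, record_type, key_field, window, now) -> Dict[str, int]:
    """Count, within the first time range ending at `now`, how often each value of
    key_field appears in records of the given type."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r["type"] == record_type and now - window < r["time"] <= now:
            counts[r[key_field]] += 1
    return counts


def generate_events(records, rules, now) -> List[SecurityEvent]:
    """S400: one new security event per (rule, value) whose count reaches the trigger count."""
    events = []
    for rule in rules:
        counts = count_in_window(records, rule.record_type, rule.key_field, rule.window, now)
        for value, n in counts.items():
            if n >= rule.trigger_count:
                events.append(SecurityEvent(rule.event_type, rule.key_field, value, now, n))
    return events


def merge_into_groups(events, groups) -> List[SecurityEventGroup]:
    """S500-S700: join the first group whose merge condition accepts the event,
    otherwise create a new group keyed on the event's field, value and type."""
    for ev in events:
        group = next((g for g in groups if g.accepts(ev)), None)
        if group is None:
            group = SecurityEventGroup(ev.event_type, ev.key_field, ev.key_value,
                                       ev.time, DEFAULT_GROUP_WINDOW)
            groups.append(group)
        group.events.append(ev)
    return groups


RULES = [
    TriggerCondition("port_scan", "access_request", timedelta(minutes=5), "src_ip", 100),
    TriggerCondition("login_bruteforce", "login_failure", timedelta(minutes=10), "dst_ip", 50),
]


def build_sample_records(t0: datetime) -> List[dict]:
    """Constructed pending records, not real log data."""
    recs = []
    for i in range(100):   # 100 access requests from one source within 5 minutes before t0
        recs.append({"type": "access_request", "time": t0 - timedelta(seconds=3 * i),
                     "src_ip": "1.1.1.2", "dst_ip": "10.0.0.7"})
    for i in range(60):    # 60 login failures against one target within 10 minutes before t0
        recs.append({"type": "login_failure", "time": t0 - timedelta(seconds=9 * i),
                     "src_ip": f"192.0.2.{i % 5}", "dst_ip": "10.0.0.5", "username": f"user{i}"})
    for i in range(100):   # a second burst from the same source 30 minutes later
        recs.append({"type": "access_request",
                     "time": t0 + timedelta(minutes=30) - timedelta(seconds=3 * i),
                     "src_ip": "1.1.1.2", "dst_ip": "10.0.0.8"})
    return recs


def run_demo() -> List[SecurityEventGroup]:
    """Two statistics moments, 30 minutes apart; the second port-scan event from
    1.1.1.2 lands inside the first group's one-hour window and is merged."""
    t0 = datetime(2017, 9, 13, 10, 0, 0)
    records = build_sample_records(t0)
    groups: List[SecurityEventGroup] = []
    for moment in (t0, t0 + timedelta(minutes=30)):
        merge_into_groups(generate_events(records, RULES, moment), groups)
    return groups
```

Running `run_demo()` yields two groups: a port scan group for source 1.1.1.2 holding two events (one per statistics moment), and a login brute-force group for target 10.0.0.5 holding one. The type check in `accepts` is what keeps a login brute-force event for an address from landing in a port scan group keyed on the same value.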
By actively or passively obtaining system logs from the monitored system, screening the records to be processed in the system logs and storing them in a message queue, the invention achieves centralised event collection. Each monitored system may actively send its system logs to the O&M security platform system, or the O&M security platform system may actively fetch the system logs from the monitored systems. With all events concentrated in the O&M security platform system, the corresponding policies, such as the trigger conditions of security events and the merge conditions of security event groups, can be configured and the events can be handled there, which improves the handling efficiency of O&M security personnel.
In addition, the invention uses the trigger conditions of security events to decide whether to generate a single security event, and the merge conditions of security event groups to decide whether the event joins an existing security event group; aggregating security events into event groups for centralised alarming reduces the limitations of single-event analysis, and aggregating them by time window and association field for handling reduces false positives and missed detections and improves the event handling efficiency of O&M personnel.
Further, the records may comprise access request records and login failure records; if many access request records or login failure records appear within a period of time, a security event such as a malicious port scan or login brute force is likely to have occurred.
As shown in Fig. 2, screening the records to be processed in the system logs and storing them in the message queue comprises the following steps:
S301: cutting the system logs with the logstash tool; the key fields and key-field values must be cut out, where the key fields may be, for example, the source IP address, target IP address, user name and host name. Logstash is a powerful data processing tool that performs data transfer, format processing and formatted output, has a powerful plugin system, and is commonly used for log processing.
S302: identifying the access request records and/or login failure records in the system logs;
S303: extracting the time, key fields and key-field values of the access request records and/or login failure records;
S304: storing the extracted time, key fields and key-field values in the message queue in JSON format.
For example, they may be stored in the following form:
Optionally, counting, within the first time range, the number of times the value of the same key field occurs comprises the following steps:
counting, within the first time range, the number of times the same key-field value occurs in access request records; and counting, within the first time range, the number of times the same key-field value occurs in login failure records;
the trigger condition of the security event comprises the first time range, at least one key field, and either a trigger count for occurrences of that key field in access request records or a trigger count for occurrences of that key field in login failure records;
if the counted number of occurrences of the same key-field value in access request records reaches the trigger count for occurrences of that key field in access request records in the trigger condition of the security event, a new security event is generated;
if the counted number of occurrences of the same key-field value in login failure records reaches the trigger count for occurrences of that key field in login failure records in the trigger condition of the security event, a new security event is generated.
That is, in this embodiment access request records and login failure records are counted and analysed separately as two different cases.
Further, the key fields comprise a source IP address and a target IP address;
counting, within the first time range, the number of times the value of the same key field occurs may comprise the following steps:
counting, within the first time range, the number of times the same source IP address value occurs;
counting, within the first time range, the number of times the same target IP address value occurs.
As described above, the types of security event may comprise port scan security events and login brute-force security events; a port scan security event is usually judged from the source IP address value, and a login brute-force security event is usually judged from the target IP address value. Specifically:
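Steps S301 to S304 as a small screening stage, added here as a Python example rather than the patent's actual logstash configuration: raw log lines are cut into records to be processed (time, key fields and a record type distinguishing access requests from login failures), unrelated lines are dropped, and the records are serialised as JSON for the message queue; the consumer-side function at the end performs the per-target-IP count of login user names that the login brute-force refinement later in the description calls for. The syslog-style line formats, the host-name-to-target-IP table, the assumed year for year-less timestamps and the in-memory list standing in for the queue are all constructed assumptions.

```python
"""Added example, not the patent's logstash pipeline: screening raw log lines
into JSON pending records and counting login user names per target IP.
Log formats, host table, year and queue are constructed for illustration."""
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# constructed sample lines: a syslog-prefixed nginx access line, two sshd failures, one unrelated line
SAMPLE_LOG_LINES = [
    'Sep 13 10:00:01 web-01 nginx: 203.0.113.9 - - [13/Sep/2017:10:00:01 +0000] "GET /admin HTTP/1.1" 404 0',
    'Sep 13 10:00:02 vpn-01 sshd[2031]: Failed password for invalid user admin from 203.0.113.9 port 5522 ssh2',
    'Sep 13 10:00:03 web-01 app[88]: cache warmed in 120ms',
    'Sep 13 10:00:04 vpn-01 sshd[2032]: Failed password for root from 203.0.113.9 port 5523 ssh2',
]

# constructed host name -> target IP table (a log line rarely carries the target IP itself)
HOST_IPS = {"web-01": "10.0.0.7", "vpn-01": "10.0.0.5"}

SYSLOG = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                    r'(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$')
ACCESS = re.compile(r'^(?P<src>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
SSH_FAIL = re.compile(r'^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)')


def screen_line(line: str, year: int = 2017) -> Optional[Dict]:
    """S301-S303: return a pending record for an access request or a login failure,
    or None for a line the detector does not need."""
    m = SYSLOG.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the year is an assumption of this example
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    record = {"time": when.isoformat(), "hostname": m["host"], "dst_ip": HOST_IPS.get(m["host"])}
    a = ACCESS.match(m["msg"])
    if a:
        record.update(type="access_request", src_ip=a["src"], path=a["path"])
        return record
    s = SSH_FAIL.match(m["msg"])
    if s:
        record.update(type="login_failure", src_ip=s["src"], username=s["user"])
        return record
    return None


def screen_logs(lines: List[str]) -> List[str]:
    """S304, producer side: screened records go to the queue as JSON strings."""
    return [json.dumps(rec, sort_keys=True) for rec in map(screen_line, lines) if rec is not None]


def login_usernames_per_target(queue: List[str]) -> Dict[str, int]:
    """Consumer side: number of distinct login user names seen per target IP in
    login failure records, the count the user-name trigger condition compares."""
    seen: Dict[str, set] = defaultdict(set)
    for item in queue:
        rec = json.loads(item)
        if rec["type"] == "login_failure":
            seen[rec["dst_ip"]].add(rec["username"])
    return {ip: len(users) for ip, users in seen.items()}


if __name__ == "__main__":
    queue = screen_logs(SAMPLE_LOG_LINES)
    for item in queue:
        print(item)
    print(login_usernames_per_target(queue))
```

Of the four constructed lines, three become records (one access request and two login failures against vpn-01) and the application line is discarded; the consumer then reports two distinct failing user names for target 10.0.0.5. In a deployment the regexes correspond to logstash grok patterns and the list to the real queue, but the record shape (time, key fields, record type) is what the counting stage depends on.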
the trigger condition of the port scan security event comprises the source IP address and a trigger count for the source IP address;
if the counted number of times the same source IP address value occurs within the first time range reaches the trigger count for the source IP address in the trigger condition of a port scan security event, a new port scan security event is generated;
for example, the same source IP address value attempted to access a honeypot port 50 times within 5 minutes;
the same source IP address value failed to log in to the VPN system 100 times within 10 minutes, and so on.
The trigger condition of the login brute-force security event comprises the target IP address and a trigger count for the target IP address;
if the counted number of times the same target IP address value occurs within the first time range reaches the trigger count for the target IP address in the trigger condition of a login brute-force security event, a new login brute-force security event is generated.
For example, the port or system corresponding to the same target IP value had 100 login failures within 5 minutes, and so on.
Further, the merge condition of each security event group may also comprise a security event type; when merging a security event into a security event group it is then also necessary to check whether the type of the security event matches the type of the group.
If the new security event falls within the second time range of a security event group, the value of the key field that reached the trigger count in the security event is identical to the value of the corresponding key field in the group, and the type of the security event is identical to the security event type of the group, the security event is stored in that security event group.
For example, the merge condition of a security event group is that, within one hour, the source IP address value is 1.1.1.3 and the event type is port scan; if the time of a security event falls within that hour and the source IP address value that reached the trigger count is 1.1.1.3, the security event belongs to that security event group.
Further, the critical field can also include user name, the trigger condition for logging in shotfiring safety event Also include the triggering number of user name;
Methods described also comprises the following steps:
Count in the range of the very first time, the number of login username corresponding to the value of same target ip address;
If count in the range of the obtained very first time, the number of login username corresponding to the value of same target ip address Reach the triggering number of user name in a trigger condition for logging in shotfiring safety event, then generate a new login explosion peace Total event.
Then it is probably hair for example, occurring the account of 100 login failures in virtual private network system in 10 minutes Login shotfiring safety event is given birth to.
Further, the key field may also include the host name of the monitored system, and the trigger condition of the login brute-force security incident may also include the host name of the monitored system and a trigger count for host names;
the method then further comprises the following steps:
counting, within the first time range, the number of occurrences of the same host name value;
if the number of occurrences of the same host name value within the first time range reaches the host-name trigger count in the trigger condition of a login brute-force security incident, generating a new login brute-force security incident.
For example, if the number of login failures on the same system reaches 100 within 5 minutes, a login brute-force security incident may be triggered.
The above ways of judging security incidents can also be combined with each other and are not limited to the examples given. Port scan security incidents and login brute-force security incidents can also be analysed and processed jointly, and in some cases the same condition may trigger different security incidents. For example, many different failed accounts appearing in the virtual private network system within a period of time may be a port scan security incident or a login brute-force security incident; a given IP address failing to log in to the virtual private network many times within a period of time may likewise be either a port scan security incident or a login brute-force security incident. Deeper analysis methods can be introduced to distinguish such cases.
As shown in Figure 3, creating a new security incident group may further comprise the following steps:
S701: create a new security incident group and set its second time range to a preset default time range;
S702: take the key field that reached the trigger count in the security incident, and the value of that key field, as the key field and key-field value in the merge condition of the security incident group.
Optionally, the merge condition of each security incident group also includes a security incident type;
creating the new security incident group then further comprises the following step:
S703: take the type of the security incident as the security incident type of the security incident group.
For example, suppose a security incident is: within 5 minutes, source IP address 1.1.1.4 occurred 100 times, event type port scan security incident, and no matching security incident group exists. A new security incident group is then created: its second time range is the preset default time range (for example 1 hour or 2 hours), its key field is the source IP address with value 1.1.1.4, and its type is port scan security incident.
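The counting, trigger and merge steps above (a trigger condition with a first time range and trigger count; a merge condition with a second time range, key-field value and type; steps S701 to S703 for a new group) are worked through in the following added Python example. This is illustrative code written for this page, not code from the patent or from the applicant's system: the record layout, the field names src_ip and dst_ip, the 5-minute and 1-hour windows, the threshold of 100 and the sample records are all constructed here.

```python
"""Added example: window counting, trigger matching and event-group merging
(constructed illustration, not the patent holder's code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List

@dataclass
class Trigger:
    """Trigger condition: first time range, key field, trigger count, record kind."""
    incident_type: str
    window: int        # first time range, seconds
    key_field: str     # e.g. "src_ip" or "dst_ip"
    threshold: int     # trigger count for that key field
    record_kind: str   # "access" or "login_failure" (see claims 9 and 11)

@dataclass
class Incident:
    incident_type: str
    key_field: str
    key_value: str
    count: int
    ts: int            # statistics moment at which it was generated

@dataclass
class Group:
    """Merge condition: second time range, key field + value, incident type."""
    incident_type: str
    key_field: str
    key_value: str
    start_ts: int
    window: int        # second time range, seconds
    incidents: List[Incident] = field(default_factory=list)

def count_key_values(records, now, window, key_field, record_kind) -> Counter:
    """Occurrences of each key-field value in records with now-window < ts <= now."""
    counts: Counter = Counter()
    for rec in records:
        if rec["kind"] == record_kind and now - window < rec["ts"] <= now:
            counts[rec[key_field]] += 1
    return counts

def detect_incidents(records, now, triggers) -> List[Incident]:
    """Generate one incident per key value whose count reaches the trigger count."""
    found = []
    for trig in triggers:
        counts = count_key_values(records, now, trig.window, trig.key_field, trig.record_kind)
        for value, n in counts.items():
            if n >= trig.threshold:
                found.append(Incident(trig.incident_type, trig.key_field, value, n, now))
    return found

def merge_incident(inc: Incident, groups: List[Group], default_window: int) -> Group:
    """Store the incident in a matching group, else create one (steps S701-S703)."""
    for grp in groups:
        in_window = grp.start_ts <= inc.ts < grp.start_ts + grp.window
        if (in_window and grp.key_field == inc.key_field
                and grp.key_value == inc.key_value
                and grp.incident_type == inc.incident_type):
            grp.incidents.append(inc)
            return grp
    # S701-S703: the new group inherits key field, value and type from the incident
    grp = Group(inc.incident_type, inc.key_field, inc.key_value, inc.ts, default_window, [inc])
    groups.append(grp)
    return grp

TRIGGERS = [
    Trigger("port_scan", 300, "src_ip", 100, "access"),
    Trigger("login_bruteforce", 300, "dst_ip", 100, "login_failure"),
]

def build_sample_records():
    """Constructed records: one scanner, one brute-forced VPN, a little background noise."""
    recs = [{"ts": 3 * i + 1, "kind": "access", "src_ip": "1.1.1.4", "dst_ip": "10.0.0.5"}
            for i in range(100)]                          # 100 hits in 5 minutes
    recs += [{"ts": 3 * i + 1, "kind": "login_failure", "src_ip": f"1.1.2.{i % 7}",
              "dst_ip": "10.0.0.9"} for i in range(100)]  # 100 failed VPN logins
    recs += [{"ts": 10 + i, "kind": "access", "src_ip": "1.1.1.9", "dst_ip": "10.0.0.5"}
             for i in range(3)]                           # stays below threshold
    return recs

def run_demo() -> List[Group]:
    """Two statistics runs: t=300 creates the groups, t=1800 merges the repeat scanner."""
    records = build_sample_records()
    groups: List[Group] = []
    for inc in detect_incidents(records, 300, TRIGGERS):
        merge_incident(inc, groups, default_window=3600)
    # the scanner returns 25 minutes later, inside the group's 1-hour window
    later = [dict(r, ts=r["ts"] + 1500) for r in records if r["src_ip"] == "1.1.1.4"]
    for inc in detect_incidents(records + later, 1800, TRIGGERS):
        merge_incident(inc, groups, default_window=3600)
    return groups

if __name__ == "__main__":
    for g in run_demo():
        print(g.incident_type, g.key_field, g.key_value, len(g.incidents))
```

The second statistics run shows the point of the group window: the repeat scan at t=1800 lands in the existing port_scan group for 1.1.1.4 instead of raising a second isolated alarm, while the VPN brute-force group, keyed on a different field and type, is untouched.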
Further, the trigger condition of a security incident may also include the number of occurrences of the same key-field value within the first time range as counted at the previous statistics moment.
The method may then further comprise the following steps:
calculating the difference between the number of occurrences of the same key-field value within the first time range counted at the current statistics moment and the number counted at the previous statistics moment;
if the calculated difference reaches the trigger count of the corresponding key field in a trigger condition, generating a new security incident.
For example, if the number of login failures from IP address 1.1.1.5 in the last 5 minutes exceeds the number in the 5-minute window 10 minutes earlier by more than 100, a security incident may be generated. Comparing the counts of different periods judges security incidents more accurately and intuitively, improves judgement accuracy and reduces misjudgements. The previous statistics moment can be set as needed, for example the statistics moment 10 minutes earlier or 20 minutes earlier; all such choices fall within the scope of protection of the present invention.
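The delta comparison just described, as an added Python example that is not part of the patent: it counts one key field in the current 5-minute window and in the 5-minute window that ended 10 minutes earlier, and fires only when the difference reaches the trigger count. The records, the src_ip field name, the thresholds and the two sources in the sample are constructed for illustration.

```python
"""Added example: delta trigger, comparing the current window with an earlier one
(constructed illustration, not the patent holder's code)."""
from collections import Counter
from typing import Dict, List

def window_counts(records: List[Dict], start: int, end: int, key_field: str) -> Counter:
    """Occurrences of each key-field value in records with start < ts <= end."""
    counts: Counter = Counter()
    for rec in records:
        if start < rec["ts"] <= end:
            counts[rec[key_field]] += 1
    return counts

def delta_incidents(records, now, window, key_field, threshold, previous_offset):
    """Fire when (current count - count at the previous statistics moment) >= threshold.

    The previous statistics moment is `previous_offset` seconds before `now`;
    both windows are `window` seconds long (the first time range).
    """
    current = window_counts(records, now - window, now, key_field)
    previous = window_counts(records, now - previous_offset - window,
                             now - previous_offset, key_field)
    incidents = []
    for value in sorted(set(current) | set(previous)):
        diff = current[value] - previous[value]
        if diff >= threshold:
            incidents.append({"key_field": key_field, "value": value,
                              "current": current[value],
                              "previous": previous[value], "delta": diff})
    return incidents

def build_sample() -> List[Dict]:
    """Constructed login-failure records (ts in seconds)."""
    recs = []
    # 1.1.1.5: 20 failures in the window 10 minutes ago, 130 in the latest 5 minutes
    recs += [{"ts": 1 + i, "src_ip": "1.1.1.5"} for i in range(20)]
    recs += [{"ts": 601 + i, "src_ip": "1.1.1.5"} for i in range(130)]
    # 1.1.1.6: a noisy but steady source, 120 then 125
    recs += [{"ts": 1 + i, "src_ip": "1.1.1.6"} for i in range(120)]
    recs += [{"ts": 601 + i, "src_ip": "1.1.1.6"} for i in range(125)]
    # records in the gap between the two windows take no part in the comparison
    recs += [{"ts": 301 + i, "src_ip": "1.1.1.5"} for i in range(50)]
    return recs

def run_demo():
    """Statistics moment t=900s, 5-minute windows, previous moment 10 minutes earlier."""
    return delta_incidents(build_sample(), now=900, window=300, key_field="src_ip",
                           threshold=100, previous_offset=600)
```

Both sources exceed 100 failures in the current window, so an absolute threshold of 100 would flag both; the delta flags only 1.1.1.5, whose count jumped from 20 to 130, which is the false-positive reduction the paragraph above is after.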
As shown in Figure 4, the security incident detection and processing method may further comprise the following steps:
S801: presetting a plurality of event group grades for each security incident group, and the event-count threshold corresponding to each event group grade;
S802: judging whether the number of events in each security incident group reaches the event-count threshold corresponding to the next event group grade;
S803: if so, changing the event group grade of the security incident group to the next event group grade; when a security incident group contains many events, its grade is raised so as to draw the attention of operations security responders;
S804: if not, keeping the current event group grade of the security incident group.
For example, set the high-risk grade at an event count of 50: while the number of events in a security incident group is below 50 its grade is low-risk, and as events accumulate and the count reaches 50 the grade is raised from low-risk to high-risk. The event-count threshold may be stored in the field identifier of each security incident group, and different security incident groups may set different event-count thresholds.
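Steps S801 to S804 as an added Python example (not code from the patent): each group carries its own ascending ladder of (grade, threshold) pairs, the grade only ever moves up, and the check is repeated so that a group receiving a batch of incidents can climb more than one grade in one pass. The grade names, the thresholds 20, 50 and 5, and the two sample groups are constructed here.

```python
"""Added example: event-group grade escalation by event-count thresholds
(constructed illustration, not the patent holder's code)."""
from typing import Dict, List, Tuple

def update_grade(group: Dict) -> Tuple[str, bool]:
    """Apply steps S802-S804 to one group; returns (grade, changed).

    group["grades"] lists (grade, threshold) in ascending order, the first
    entry being the lowest grade; group["events"] is the number of incidents in
    the group. If the next threshold is not reached the current grade is kept
    (S804); the grade never moves down.
    """
    ladder: List[Tuple[str, int]] = group["grades"]
    idx = [name for name, _ in ladder].index(group["grade"])
    changed = False
    while idx + 1 < len(ladder) and group["events"] >= ladder[idx + 1][1]:
        idx += 1           # S803: move to the next grade
        changed = True
    group["grade"] = ladder[idx][0]
    return group["grade"], changed

def add_events(group: Dict, n: int) -> Tuple[str, bool]:
    """Record n new incidents in the group and re-evaluate its grade."""
    group["events"] += n
    return update_grade(group)

def run_demo() -> List[Tuple[str, bool]]:
    """Thresholds are per group, as the text keeps them in the group's field identifier."""
    vpn = {"grade": "low", "events": 0,
           "grades": [("low", 0), ("medium", 20), ("high", 50)]}
    honeypot = {"grade": "low", "events": 0,
                "grades": [("low", 0), ("high", 5)]}   # any honeypot traffic is serious
    trace = []
    trace.append(add_events(vpn, 19))        # ('low', False)
    trace.append(add_events(vpn, 1))         # ('medium', True): count reaches 20
    trace.append(add_events(vpn, 40))        # ('high', True): 60 passes 50 in one batch
    trace.append(add_events(honeypot, 4))    # ('low', False)
    trace.append(add_events(honeypot, 1))    # ('high', True)
    return trace
```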
With the security incident detection and processing method of the present invention, when a new security incident triggers an alarm, operations security responders can see directly from the security incident group whether related events exist, and so obtain more information for their response. Handling the security incident group also handles all the events it contains at once, achieving batch processing. This improves the event handling efficiency of operations security responders and improves accuracy.
As shown in Figure 5, an embodiment of the present invention also provides a security incident detection and processing system for implementing the security incident detection and processing method described above. The system includes:
a database 100, in which the trigger conditions of a plurality of security incidents are pre-stored, the trigger condition of each security incident including a first time range, at least one key field and a trigger count corresponding to that key field; and in which the merge conditions of a plurality of security incident groups are pre-stored, each merge condition including a second time range, at least one key field and the value of that key field;
a system log pushing module 200, for obtaining system logs from the monitored systems, screening the pending records in the system logs and storing the pending records to a message queue. Each monitored system may actively send its system logs to the system log pushing module 200, or the system log pushing module 200 may actively fetch the system logs from the monitored systems. In this way, centralised log collection is achieved.
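The screening step of the system log pushing module, as an added Python example that is not part of the patent: raw lines are cut into pending records (access request records and login failure records, as in claims 9 to 11), everything else is dropped, and the pending records are queued as JSON. The patent names logstash for this step; the regular expressions below are a stand-in for that pipeline. The input formats (an nginx/Apache "combined" access line and an OpenSSH "Failed password" syslog line), the sample lines, the host names and the target IPs are all constructed here, and collections.deque stands in for the message queue.

```python
"""Added example: screening raw log lines into pending records and queueing them
as JSON (constructed stand-in for the logstash step; not the patent holder's code)."""
import json
import re
from collections import deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional

# nginx/Apache "combined" access log line -> access request record
ACCESS_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# OpenSSH auth log line for a failed password -> login failure record
FAILED_LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)')

def screen_line(line: str, host: str, target_ip: str, year: int) -> Optional[Dict]:
    """Return a pending record for access / login-failure lines, else None.

    host and target_ip identify the monitored system the line came from: the
    collector knows this, while a syslog line carries only the host name and
    no year (assumed UTC here).
    """
    m = ACCESS_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"ts": int(ts.timestamp()), "kind": "access", "host": host,
                "src_ip": m["src_ip"], "dst_ip": target_ip, "user": None,
                "path": m["path"], "status": int(m["status"])}
    m = FAILED_LOGIN_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        return {"ts": int(ts.timestamp()), "kind": "login_failure",
                "host": m["host"], "src_ip": m["src_ip"], "dst_ip": target_ip,
                "user": m["user"], "path": None, "status": None}
    return None   # any other line is not a pending record

def push_pending(lines: List[str], queue: Deque[str], host: str,
                 target_ip: str, year: int = 2017) -> int:
    """Screen lines and append the pending ones to the queue as JSON strings."""
    pushed = 0
    for line in lines:
        rec = screen_line(line, host, target_ip, year)
        if rec is not None:
            queue.append(json.dumps(rec, sort_keys=True))
            pushed += 1
    return pushed

def drain(queue: Deque[str]) -> List[Dict]:
    """Consumer side: decode the JSON records for the counting step."""
    out = []
    while queue:
        out.append(json.loads(queue.popleft()))
    return out

# constructed sample lines: two scan-like requests on the web host, two failed
# VPN logins, and one successful login that must be screened out
WEB_LINES = [
    '1.1.1.4 - - [14/Sep/2017:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/7.52"',
    '1.1.1.4 - - [14/Sep/2017:10:00:02 +0000] "GET /phpmyadmin HTTP/1.1" 404 153 "-" "curl/7.52"',
]
VPN_LINES = [
    'Sep 14 10:00:03 vpn1 sshd[2201]: Failed password for invalid user admin from 1.1.2.3 port 51234 ssh2',
    'Sep 14 10:00:04 vpn1 sshd[2202]: Failed password for root from 1.1.2.3 port 51235 ssh2',
    'Sep 14 10:00:05 vpn1 sshd[2203]: Accepted publickey for deploy from 10.0.0.7 port 40012 ssh2',
]

def run_demo() -> List[Dict]:
    queue: Deque[str] = deque()
    push_pending(WEB_LINES, queue, host="web1", target_ip="10.0.0.5")
    push_pending(VPN_LINES, queue, host="vpn1", target_ip="10.0.0.9")
    return drain(queue)
```

Only the time, the key fields and the record kind cross the queue; the counting module never has to re-parse log text, which is what lets different log sources (server, IDS, honeypot, VPN, per claim 14) feed the same trigger conditions.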
a security incident determination module 300, for extracting pending records from the message queue, counting the number of occurrences of the same key-field value within the first time range and, if the count reaches the trigger count of the corresponding key field in the trigger condition of a security incident, generating a new security incident;
a security incident merging module 400, for storing a new security incident into the corresponding security incident group when the incident falls within the second time range of that group and the value of the key field that reached the trigger count in the incident equals the value of the corresponding key field in the group. All security incidents are stored in the database according to rules; a security incident group carries a field identifier, which may include the group's merge condition and event-count threshold, and the group contains its corresponding security incidents;
a security incident group creation module 500, for creating a new security incident group when the new security incident satisfies the merge condition of no existing security incident group, and storing the security incident into the newly created group.
When a security incident raises an alarm, each security incident group can be notified to users by e-mail; users can view all security incident groups, the details of each group and the security incidents it contains through a web page, thereby achieving aggregated analysis of security incidents.
The security incident detection and processing system of the present invention reduces the limitations of single-event analysis: events are aggregated into event groups according to a time window and an associated field for handling, reducing false positives and false negatives and improving the event handling efficiency of operations personnel.
An embodiment of the present invention also provides a security incident detection and processing device, including a processor and a memory storing instructions executable by the processor, wherein the processor is configured to perform the steps of the security incident detection and processing method described above by executing the executable instructions.
A person of ordinary skill in the art will understand that aspects of the present invention may be implemented as a system, a method or a program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode and the like), or an embodiment combining hardware and software, which may collectively be referred to herein as a "circuit", "module" or "device".
An electronic device 600 according to this embodiment of the present invention is described below with reference to Figure 6. The electronic device 600 shown in Figure 6 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present invention.
As shown in Figure 6, the electronic device 600 takes the form of a general-purpose computing device. Its components may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 connecting the different device components (including the storage unit 620 and the processing unit 610), a display unit 640, and so on.
The storage unit stores program code which can be executed by the processing unit 610, so that the processing unit 610 performs the steps of the various exemplary embodiments of the present invention described in the security incident detection and processing method section of this specification. For example, the processing unit 610 may perform the steps shown in Figure 1.
Thus the security incident detection and processing device of this embodiment reduces the limitations of single-event analysis: events are aggregated into event groups according to a time window and an associated field for handling, reducing false positives and false negatives and improving the event handling efficiency of operations personnel.
The storage unit 620 may include a readable medium in the form of a volatile storage unit, such as a random access memory unit (RAM) 6201 and/or a cache storage unit 6202, and may further include a read-only memory unit (ROM) 6203.
The storage unit 620 may also include a program/utility 6204 having a set of (at least one) program modules 6205, such program modules 6205 including but not limited to: an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 630 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, and a processing unit or local bus using any of a variety of bus structures.
The electronic device 600 may also communicate with one or more external devices 700 (such as a keyboard, a pointing device, a Bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any device (such as a router or modem) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 650. The electronic device 600 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 660. The network adapter 660 may communicate with the other modules of the electronic device 600 via the bus 630. It should be understood that, although not shown in the drawings, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
An embodiment of the present invention also provides a computer-readable storage medium for storing a program which, when executed, implements the steps of the security incident detection and processing method described above. In some possible embodiments, aspects of the present invention may also be implemented in the form of a program product comprising program code which, when the program product runs on a terminal device, causes the terminal device to perform the steps of the various exemplary embodiments of the present invention described in the security incident detection and processing method section of this specification.
In practice this may be a web application deployed on a server, a laptop or a desktop computer, with network communication. Because it provides an HTTP service, operations security staff can access and operate it through a browser; and the application itself fetches log data and stores it into the database, all of which requires network communication.
Thus, by running the security incident detection and processing method, the computer-readable storage medium of this embodiment reduces the limitations of single-event analysis: events are aggregated into event groups according to a time window and an associated field for handling, reducing false positives and false negatives and improving the event handling efficiency of operations personnel.
Referring to Figure 7, a program product 800 for implementing the above method according to an embodiment of the present invention is described; it may employ a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a personal computer. However, the program product of the present invention is not limited to this: in this document, a readable storage medium may be any tangible medium that contains or stores a program which can be used by, or in connection with, an instruction execution system, apparatus or device.
The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. Program code contained on a readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fibre cable, RF, etc., or any suitable combination of the above.
Program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++ and conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or connected to an external computing device (for example through the Internet using an Internet service provider).
The security incident detection and processing method, system, device and storage medium provided by the present invention have the following advantages:
While retaining single events and their alarms, the present invention aggregates security incidents into event groups according to a time window and an associated field, strengthening relevance and avoiding the limitations of single-event analysis. Because each event is aggregated into an event group, thresholds on the policy engine can be lowered appropriately, avoiding the false negatives caused by setting thresholds high to avoid false positives. Combined with machine learning, event group data can serve as training samples for a model, improving the event handling efficiency of operations personnel.
The above is a further detailed description of the present invention in conjunction with specific preferred embodiments, and the specific implementation of the present invention should not be considered limited to these descriptions. A person of ordinary skill in the technical field of the present invention may also make a number of simple deductions or substitutions without departing from the concept of the present invention, and all of these should be regarded as falling within the scope of protection of the present invention.

Claims (17)

1. A security incident detection and processing method, characterised in that it comprises the following steps:
pre-storing, in a web service, the trigger conditions of a plurality of security incidents, the trigger condition of each security incident including a first time range, at least one key field and a trigger count corresponding to that key field;
presetting, in the web service, the merge conditions of a plurality of security incident groups, the merge condition of each security incident group including a second time range, at least one key field and the value of that key field;
obtaining system logs from a monitored system, screening the pending records in the system logs and storing the pending records to a message queue;
extracting the pending records from the message queue and counting, within the first time range, the number of occurrences of the same key-field value, and, if the count reaches the trigger count of the corresponding key field in a trigger condition, generating a new security incident;
judging whether the new security incident falls within the second time range of a security incident group and whether the value of the key field that reached the trigger count in the security incident equals the value of the corresponding key field in that security incident group;
if so, storing the new security incident into the corresponding security incident group; otherwise, creating a new security incident group and storing the new security incident into the newly created security incident group.
2. The security incident detection and processing method according to claim 1, characterised in that the key field includes a source IP address and a target IP address;
counting, within the first time range, the number of occurrences of the same key-field value comprises the following steps:
counting, within the first time range, the number of occurrences of the same source IP address value;
counting, within the first time range, the number of occurrences of the same target IP address value.
3. The security incident detection and processing method according to claim 2, characterised in that the types of security incident include a port scan security incident and a login brute-force security incident;
the trigger condition of the port scan security incident includes a source IP address and a trigger count for the source IP address;
if the number of occurrences of the same source IP address value within the first time range reaches the source IP address trigger count in the trigger condition of a port scan security incident, a new port scan security incident is generated;
the trigger condition of the login brute-force security incident includes a target IP address and a trigger count for the target IP address;
if the number of occurrences of the same target IP address value within the first time range reaches the target IP address trigger count in the trigger condition of a login brute-force security incident, a new login brute-force security incident is generated.
4. The security incident detection and processing method according to claim 3, characterised in that the merge condition of each security incident group also includes a security incident type;
if the new security incident falls within the second time range of a security incident group, the value of the key field that reached the trigger count in the security incident equals the value of the corresponding key field in that group, and the type of the security incident equals the security incident type of that group, the security incident is stored into the corresponding security incident group.
5. The security incident detection and processing method according to claim 3, characterised in that the key field also includes a user name, and the trigger condition of the login brute-force security incident also includes a trigger count for user names;
the method further comprises the following steps:
counting, within the first time range, the number of login user names corresponding to the same target IP address value;
if the number of login user names corresponding to the same target IP address value within the first time range reaches the user-name trigger count in the trigger condition of a login brute-force security incident, generating a new login brute-force security incident.
6. The security incident detection and processing method according to claim 3, characterised in that the key field also includes the host name of the monitored system, and the trigger condition of the login brute-force security incident also includes the host name of the monitored system and a trigger count for host names;
the method further comprises the following steps:
counting, within the first time range, the number of occurrences of the same host name value;
if the number of occurrences of the same host name value within the first time range reaches the host-name trigger count in the trigger condition of a login brute-force security incident, generating a new login brute-force security incident.
7. The security incident detection and processing method according to claim 1, characterised in that creating a new security incident group comprises the following steps:
creating a new security incident group and setting the second time range of the new security incident group to a preset default time range;
taking the key field that reached the trigger count in the security incident, and the value of that key field, as the key field and key-field value in the merge condition of the security incident group.
8. The security incident detection and processing method according to claim 7, characterised in that the merge condition of each security incident group also includes a security incident type;
creating the new security incident group further comprises the following step:
taking the type of the security incident as the security incident type of the security incident group.
9. The security incident detection and processing method according to claim 1, characterised in that the records include access request records and login failure records;
screening the pending records in the system logs and storing the pending records to the message queue comprises the following steps:
identifying the access request records and/or login failure records in the system logs;
extracting the time, key field and key-field value of the access request records and/or login failure records and storing them to the message queue.
10. The security incident detection and processing method according to claim 9, characterised in that the system logs are cut into pending records by the logstash tool, and the time, key field and key-field value of each pending record are stored to the message queue in JSON format.
11. The security incident detection and processing method according to claim 10, characterised in that counting, within the first time range, the number of occurrences of the same key-field value comprises the following steps:
counting, within the first time range, the number of times the same key-field value appears in access request records; and
counting, within the first time range, the number of times the same key-field value appears in login failure records;
the trigger condition of a security incident includes a first time range, at least one key field, and a trigger count for that key field appearing in access request records or a trigger count for that key field appearing in login failure records;
if the number of times the same key-field value appears in access request records reaches, in the trigger condition of a security incident, the trigger count for the corresponding key field appearing in access request records, a new security incident is generated;
if the number of times the same key-field value appears in login failure records reaches, in the trigger condition of a security incident, the trigger count for the corresponding key field appearing in login failure records, a new security incident is generated.
12. The security incident detection and processing method according to claim 1, characterised in that the trigger condition of a security incident also includes:
the number of occurrences of the same key-field value within the first time range as counted at the previous statistics moment;
the method further comprises the following steps:
calculating the difference between the number of occurrences of the same key-field value within the first time range counted at the current statistics moment and the number of occurrences of the same key-field value within the first time range counted at the previous statistics moment;
if the calculated difference reaches the trigger count of the corresponding key field in a trigger condition, generating a new security incident.
13. The security incident detection and processing method according to claim 1, characterised in that it further comprises the following steps:
presetting a plurality of event group grades for each security incident group, and the event-count threshold corresponding to each event group grade;
judging whether the number of events in each security incident group reaches the event-count threshold corresponding to the next event group grade, and, if so, changing the event group grade of the security incident group to the next event group grade.
14. The security incident detection and processing method according to claim 1, characterised in that the system logs include at least one of server logs, network intrusion detection system logs, honeypot logs and VPN logs.
15. a kind of security incident detection and processing system, for realizing the security incident any one of claim 1 to 14 Detection and processing method, it is characterised in that the system includes:
Database, the trigger condition of multiple security incidents, the triggering bar of each security incident are prestored in the database Part include very first time scope, an at least critical field and to should critical field triggering times;It is and pre- in the database Deposit the merging condition of multiple security incident groups, each merging condition include the second time range, an at least critical field and The value of the critical field;
System journal pushing module, for obtaining system journal from monitored system, screen pending in the system journal Record, by pending record storage to message queue;
Security incident determination module, for extracting pending record from the message queue, and count very first time scope It is interior, the number of the value appearance of same critical field, if the number that statistics obtains reaches the trigger condition of a security incident The triggering times of middle corresponding critical field, then generate a new security incident;
Security incident merging module, for being in when new security incident in the second time range of a security incident group, And the value for reaching the critical field of triggering times in the security incident is identical with the value that critical field is corresponded in the security incident group When, the security incident is stored to corresponding security incident group;
The newly-built module of security incident group, for being unsatisfactory for the merging condition of any security incident group when new security incident When, newly-built security incident group, the security incident is stored to newly-built security incident group.
16. A security incident detection and processing device, characterized in that it comprises:
a processor;
a memory in which instructions executable by the processor are stored;
wherein the processor is configured to perform, by executing the executable instructions, the steps of the security incident detection and processing method of any one of claims 1 to 14.
17. A computer-readable storage medium for storing a program, characterized in that, when the program is executed, the steps of the security incident detection and processing method of any one of claims 1 to 14 are implemented.
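The trigger-count and merge logic of claim 15 (first time range with a per-key-field triggering count, then grouping by key field value inside a second time range), as an added Python example that is not part of the patent or its implementation. It assumes a sliding time window for the first time range, folds the log pushing module's record screening into an `event` filter on each trigger, and uses constructed records, field names and thresholds throughout.

```python
from collections import defaultdict, deque, namedtuple

# Trigger condition of one security incident (claim 15): first time range `window` in seconds,
# the key field, and the triggering count; `name` is also (assumption) the record "event"
# value the trigger screens for, standing in for the log pushing module's record screening.
Trigger = namedtuple("Trigger", "name window key_field times")

class Detector:
    def __init__(self, triggers, group_window):
        self.triggers, self.group_window = triggers, group_window  # second time range, seconds
        self.seen = defaultdict(deque)   # (trigger name, value) -> timestamps inside the window
        self.groups = []                 # security incident groups, as dicts (see assign_group)

    def process(self, rec):
        """Consume one pending record; return the (name, key_field, value, ts) incidents it generates."""
        out = []
        for trg in self.triggers:
            value = rec.get(trg.key_field)
            if rec.get("event") != trg.name or value is None:
                continue
            q = self.seen[(trg.name, value)]
            q.append(rec["ts"])
            while q[0] < rec["ts"] - trg.window:   # drop records outside the first time range
                q.popleft()
            if len(q) >= trg.times:                # triggering count reached: new security incident
                q.clear()                          # one burst yields one incident, not one per record
                self.assign_group(trg.name, trg.key_field, value, rec["ts"])
                out.append((trg.name, trg.key_field, value, rec["ts"]))
        return out

    def assign_group(self, name, key_field, value, ts):
        # Merge condition: same key field value and inside an existing group's second time range.
        for g in self.groups:
            if (g["key_field"], g["value"]) == (key_field, value) and ts - g["start"] <= self.group_window:
                g["incidents"].append((name, ts))
                return g
        g = {"key_field": key_field, "value": value, "start": ts, "incidents": [(name, ts)]}
        self.groups.append(g)            # no group matched: create a new one
        return g

def run_demo():
    # Constructed records: three failed logins, then a 404 burst, from one client IP.
    det = Detector([Trigger("login_fail", 60, "src_ip", 3), Trigger("http_404", 60, "src_ip", 2)], 300)
    recs = [{"ts": t, "event": "login_fail", "src_ip": "10.0.0.5"} for t in (0, 10, 20)]
    recs += [{"ts": t, "event": "http_404", "src_ip": "10.0.0.5"} for t in (100, 105)]
    recs.append({"ts": 130, "event": "http_404", "src_ip": "10.0.0.9"})   # below threshold
    for r in recs:
        det.process(r)
    return det.groups
```

The demo ends with a single group for 10.0.0.5 holding both the login-failure incident and the later 404 incident, which is the cross-incident correlation the event group mechanism is meant to surface.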
Application CN201710827834.3A | Priority date 2017-09-14 | Filing date 2017-09-14 | Security incident detection and processing method, system, equipment and storage medium | Active | Granted as CN107592309B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201710827834.3A, CN107592309B (en) | 2017-09-14 | 2017-09-14 | Security incident detection and processing method, system, equipment and storage medium

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201710827834.3A, CN107592309B (en) | 2017-09-14 | 2017-09-14 | Security incident detection and processing method, system, equipment and storage medium

Publications (2)

Publication Number | Publication Date
CN107592309A (en) | 2018-01-16
CN107592309B (en) | 2019-09-17

Family

ID=61052078

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201710827834.3A (Active, CN107592309B (en)) | Security incident detection and processing method, system, equipment and storage medium | 2017-09-14 | 2017-09-14

Country Status (1)

Country | Link
CN (1) | CN107592309B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN109460653A (en) * | 2018-10-22 | 2019-03-12 | 武汉极意网络科技有限公司 | Rule-engine-based verification method, verification device, storage medium and apparatus
CN109710585A (en) * | 2018-08-20 | 2019-05-03 | 平安普惠企业管理有限公司 | Multi-system correlation early-warning method, device, equipment and computer-readable storage medium
CN110012011A (en) * | 2019-04-03 | 2019-07-12 | 北京奇安信科技有限公司 | Method, apparatus, computer equipment and storage medium for preventing malicious login
CN110224970A (en) * | 2018-03-01 | 2019-09-10 | 西门子公司 | Security monitoring method and apparatus for an industrial control system
CN111581328A (en) * | 2020-04-21 | 2020-08-25 | 浙江华途信息安全技术股份有限公司 | Data comparison detection method and system
CN112087414A (en) * | 2019-06-14 | 2020-12-15 | 北京奇虎科技有限公司 | Detection method and device for mining trojans
CN113095625A (en) * | 2021-03-17 | 2021-07-09 | 中国民用航空总局第二研究所 | Method and system for grading unsafe events at civil aviation airports
CN113709153A (en) * | 2021-08-27 | 2021-11-26 | 绿盟科技集团股份有限公司 | Log merging method and device and electronic equipment
CN115632884A (en) * | 2022-12-21 | 2023-01-20 | 徐工汉云技术股份有限公司 | Network security situation awareness method and system based on event analysis
CN115934782A (en) * | 2023-02-13 | 2023-04-07 | 山东星维九州安全技术有限公司 | Method for analyzing and processing security logs and computer storage medium
CN116599690A (en) * | 2023-03-28 | 2023-08-15 | 中国船舶集团有限公司综合技术经济研究院 | Ship information security event processing method and device and computer equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US7243374B2 (en) * | 2001-08-08 | 2007-07-10 | Microsoft Corporation | Rapid application security threat analysis
CN102571469A (en) * | 2010-12-23 | 2012-07-11 | 北京启明星辰信息技术股份有限公司 | Attack detection method and device
CN103546312A (en) * | 2013-08-27 | 2014-01-29 | 中国航天科工集团第二研究院七〇六所 | Correlation analysis method for massive multi-source heterogeneous logs
CN104753861A (en) * | 2013-12-27 | 2015-07-01 | 中国电信股份有限公司 | Security event handling method and device
CN106375331A (en) * | 2016-09-23 | 2017-02-01 | 北京网康科技有限公司 | Method and device for mining attacking organizations
CN106603524A (en) * | 2016-12-09 | 2017-04-26 | 浙江宇视科技有限公司 | Method for merging security rules, and intelligent device

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN110224970A (en) * | 2018-03-01 | 2019-09-10 | 西门子公司 | Security monitoring method and apparatus for an industrial control system
CN109710585A (en) * | 2018-08-20 | 2019-05-03 | 平安普惠企业管理有限公司 | Multi-system correlation early-warning method, device, equipment and computer-readable storage medium
CN109460653A (en) * | 2018-10-22 | 2019-03-12 | 武汉极意网络科技有限公司 | Rule-engine-based verification method, verification device, storage medium and apparatus
CN109460653B (en) * | 2018-10-22 | 2021-06-25 | 武汉极意网络科技有限公司 | Rule engine based verification method, verification device, storage medium and apparatus
CN110012011B (en) * | 2019-04-03 | 2021-02-26 | 奇安信科技集团股份有限公司 | Method and device for preventing malicious login, computer equipment and storage medium
CN110012011A (en) * | 2019-04-03 | 2019-07-12 | 北京奇安信科技有限公司 | Method, apparatus, computer equipment and storage medium for preventing malicious login
CN112087414A (en) * | 2019-06-14 | 2020-12-15 | 北京奇虎科技有限公司 | Detection method and device for mining trojans
CN111581328A (en) * | 2020-04-21 | 2020-08-25 | 浙江华途信息安全技术股份有限公司 | Data comparison detection method and system
CN113095625A (en) * | 2021-03-17 | 2021-07-09 | 中国民用航空总局第二研究所 | Method and system for grading unsafe events at civil aviation airports
CN113709153A (en) * | 2021-08-27 | 2021-11-26 | 绿盟科技集团股份有限公司 | Log merging method and device and electronic equipment
CN115632884A (en) * | 2022-12-21 | 2023-01-20 | 徐工汉云技术股份有限公司 | Network security situation awareness method and system based on event analysis
CN115934782A (en) * | 2023-02-13 | 2023-04-07 | 山东星维九州安全技术有限公司 | Method for analyzing and processing security logs and computer storage medium
CN115934782B (en) * | 2023-02-13 | 2023-05-12 | 山东星维九州安全技术有限公司 | Method for analyzing and processing security log and computer storage medium
CN116599690A (en) * | 2023-03-28 | 2023-08-15 | 中国船舶集团有限公司综合技术经济研究院 | Ship information security event processing method and device and computer equipment

Also Published As

Publication number | Publication date
CN107592309B (en) | 2019-09-17

Similar Documents

Publication Publication Date Title
CN107592309B (en) Security incident detection and processing method, system, equipment and storage medium
US11336669B2 (en) Artificial intelligence cyber security analyst
US11212299B2 (en) System and method for monitoring security attack chains
EP3343868B1 (en) Resource-centric network cyber attack detection and alerting
US11025674B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US10986121B2 (en) Multivariate network structure anomaly detector
US10432660B2 (en) Advanced cybersecurity threat mitigation for inter-bank financial transactions
US10412111B2 (en) System and method for determining network security threats
WO2021171093A1 (en) Cyber security for a software-as-a-service factoring risk
US11218510B2 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
US20210273973A1 (en) SOFTWARE AS A SERVICE (SaaS) USER INTERFACE (UI) FOR DISPLAYING USER ACTIVITIES IN AN ARTIFICIAL INTELLIGENCE (AI)-BASED CYBER THREAT DEFENSE SYSTEM
CN108040493A (en) Detecting security incidents using low-confidence security incidents
US20220263860A1 (en) Advanced cybersecurity threat hunting using behavioral and deep analytics
CN103748853A (en) Method and system for classifying a protocol message in a data communication network
Sathya et al. Discriminant analysis based feature selection in kdd intrusion dataset
US10826920B1 (en) Signal distribution score for bot detection
US20150172302A1 (en) Interface for analysis of malicious activity on a network
János et al. Security concerns towards security operations centers
Southall et al. Early warning signals of infectious disease transitions: a review
WO2021216163A2 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US20230135660A1 (en) Educational Tool for Business and Enterprise Risk Management
WO2018088383A1 (en) Security rule evaluation device and security rule evaluation system
KR102361766B1 (en) Method of optimizing alert rules of siem by collecting asset server information and apparatus thereof
Murad et al. Software testing techniques in iot
Xuan et al. A multi-layer approach for advanced persistent threat detection using machine learning based on network traffic

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant