CN107592309A - Security incident detection and processing method, system, equipment and storage medium - Google Patents
- Publication number: CN107592309A
- Application number: CN201710827834.3A
- Authority: CN (China)
- Prior art keywords: security incident, critical field, group, value, record
- Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Abstract
The invention provides a security incident detection and processing method, system, device and storage medium. The method comprises: pre-storing trigger conditions for a plurality of security incidents in a web service; presetting merging conditions for a plurality of security incident groups in the web service; obtaining system logs from the monitored systems, filtering out the records to be processed from the system logs and storing them in a message queue; extracting the records to be processed from the message queue, counting the number of occurrences of each value of the same key field, deciding whether to generate a security incident according to the trigger conditions of the security incidents, and deciding which group the security incident belongs to according to the merging conditions of the security incident groups. The invention improves the incident handling efficiency and accuracy of operations and maintenance (O&M) security responders: on top of centralised incident collection it introduces an incident group mechanism that aggregates incidents with a certain correlation into an incident group, reduces the limitations of analysing single incidents, and outputs more accurate incident group alarms.
Description
Technical field
The present invention relates to the technical field of computer operations and maintenance (O&M), and in particular to a security incident detection and processing method, system, device and storage medium that perform unified detection and group processing of security incidents.
Background technology
Security incident handling is the process of responding to security incidents discovered in networks and systems. In the prior art, the basic procedure of security incident handling consists of response, processing and reporting. With the continuous development of the internet industry, detection tools of every kind have emerged, including many in-house security detection tools or systems for monitoring the intranet. The common characteristic of these security detection tools, however, is that each security incident is handled individually.
The rapid development of the internet industry has brought with it a very large number of security incidents, which imposes a heavy workload on security O&M responders, and handling each incident individually with the existing tools is also very limiting.
The content of the invention
In view of the problems in the prior art, the object of the present invention is to provide a security incident detection and processing method, system, device and storage medium that improve the incident handling efficiency and accuracy of O&M security responders: on top of centralised incident collection, an incident group mechanism is introduced that aggregates incidents with a certain correlation into an incident group, reduces the limitations of single-incident analysis and outputs more accurate incident group alarms.
An embodiment of the present invention provides a security incident detection and processing method comprising the following steps:
pre-storing trigger conditions for a plurality of security incidents in a web service, the trigger condition of each security incident comprising a first time range, at least one key field, and a trigger count corresponding to that key field;
presetting merging conditions for a plurality of security incident groups in the web service, the merging condition of each security incident group comprising a second time range, at least one key field, and a value of that key field;
obtaining system logs from the monitored systems, filtering out the records to be processed from the system logs, and storing the records to be processed in a message queue;
extracting the records to be processed from the message queue and counting, within the first time range, the number of occurrences of each value of the same key field; if the count reaches the trigger count corresponding to that key field in a trigger condition, generating a new security incident;
judging whether the new security incident falls within the second time range of a security incident group, and whether the value of the key field that reached the trigger count in the security incident is identical to the value of the corresponding key field in that security incident group;
if so, storing the new security incident in the corresponding security incident group; otherwise, creating a new security incident group and storing the new security incident in the newly created group.
Optionally, the key fields include a source IP address and a target IP address, and counting the number of occurrences of each value of the same key field within the first time range comprises the following steps:
counting, within the first time range, the number of occurrences of each source IP address value; and
counting, within the first time range, the number of occurrences of each target IP address value.
Optionally, the types of security incident include a port scan security incident and a login brute-force security incident.
The trigger condition of the port scan security incident includes the source IP address and a trigger count for the source IP address; if the number of occurrences of one source IP address value counted within the first time range reaches the trigger count for the source IP address in the trigger condition of a port scan security incident, a new port scan security incident is generated.
The trigger condition of the login brute-force security incident includes the target IP address and a trigger count for the target IP address; if the number of occurrences of one target IP address value counted within the first time range reaches the trigger count for the target IP address in the trigger condition of a login brute-force security incident, a new login brute-force security incident is generated.
Optionally, the merging condition of each security incident group also includes a security incident type. If the new security incident falls within the second time range of a security incident group, the value of the key field that reached the trigger count in the security incident is identical to the value of the corresponding key field in the security incident group, and the type of the security incident is identical to the security incident type of the security incident group, the security incident is stored in that security incident group.
Optionally, the key fields also include a user name, and the trigger condition of the login brute-force security incident also includes a trigger number for user names. The method then further comprises the following steps:
counting, within the first time range, the number of login user names associated with one target IP address value;
if the number of login user names associated with one target IP address value counted within the first time range reaches the trigger number for user names in the trigger condition of a login brute-force security incident, generating a new login brute-force security incident.
Optionally, the key fields also include the host name of the monitored system, and the trigger condition of the login brute-force security incident also includes the host name of the monitored system and a trigger count for the host name. The method then further comprises the following steps:
counting, within the first time range, the number of occurrences of each host name value;
if the number of occurrences of one host name value counted within the first time range reaches the trigger count for the host name in the trigger condition of a login brute-force security incident, generating a new login brute-force security incident.
Optionally, creating a new security incident group comprises the following steps:
creating the new security incident group and setting its second time range to a preset default time range;
using the key field that reached the trigger count in the security incident, and the value of that key field, as the key field and key field value in the merging condition of the security incident group.
Optionally, the merging condition of each security incident group also includes a security incident type, and creating a new security incident group further comprises:
using the type of the security incident as the security incident type of the security incident group.
Optionally, the records include access request records and login failure records, and filtering out the records to be processed from the system logs and storing them in a message queue comprises the following steps:
identifying the access request records and/or login failure records in the system logs;
extracting the time, key fields and key field values of the access request records and/or login failure records and storing them in the message queue.
Optionally, the system logs are cut into the records to be processed by the logstash tool, and the time, key fields and key field values of the records to be processed are stored in the message queue in JSON form.
Optionally, counting the number of occurrences of each value of the same key field within the first time range comprises the following steps:
counting, within the first time range, the number of times one value of the key field appears in access request records; and
counting, within the first time range, the number of times that value of the key field appears in login failure records.
The trigger condition of the security incident then includes the first time range, at least one key field, and either a trigger count for the key field appearing in access request records or a trigger count for the key field appearing in login failure records:
if the number of times one value of the key field appears in access request records reaches the trigger count for that key field in access request records in the trigger condition of the security incident, a new security incident is generated;
if the number of times one value of the key field appears in login failure records reaches the trigger count for that key field in login failure records in the trigger condition of the security incident, a new security incident is generated.
Optionally, the trigger condition of the security incident also includes the number of occurrences of the value of the same key field counted within the first time range at the previous statistics instant, and the method further comprises the following steps:
calculating the difference between the number of occurrences of the value of the same key field counted within the first time range at the current statistics instant and the number counted within the first time range at the previous statistics instant;
if the calculated difference reaches the trigger count corresponding to the key field in a trigger condition, generating a new security incident.
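The differential trigger described here (and returned to at the end of the detailed description) is worth seeing against a plain absolute count, because the two behave differently on a busy-but-constant client and on a sudden burst. The Python below is an added example, not code from the patent or its applicant: it computes the first-time-range count of one key field value at the current and the previous statistics instant and fires on the difference. The record layout, Unix-second timestamps, the one-minute statistics interval and the two traffic patterns are assumptions constructed for the demonstration; the 5-minute window and the trigger count of 50 follow the patent's worked figures.

```python
"""Added example, not the patent's own code: the optional differential
trigger, which compares the change in a key-field count between two
consecutive statistics instants with the trigger count instead of the
absolute count. Record layout and times (Unix seconds) are assumed; the
two traffic patterns below are constructed."""


def window_count(records, field, value, window, now):
    """Occurrences of field == value among records with time in
    (now - window, now]: the first-time-range statistic at instant `now`."""
    return sum(1 for r in records
               if now - window < r["time"] <= now
               and r["fields"].get(field) == value)


def differential_trigger(records, field, value, window, trigger_count,
                         prev_now, now):
    """Return (fires, delta): delta is the count at `now` minus the count at
    the previous statistics instant `prev_now`; it fires when delta reaches
    trigger_count."""
    delta = (window_count(records, field, value, window, now)
             - window_count(records, field, value, window, prev_now))
    return delta >= trigger_count, delta


def build_steady(now):
    """Constructed: a busy but constant client, one request every 4 s."""
    return [{"time": now - 4 * k, "fields": {"src_ip": "1.1.1.2"}}
            for k in range(301)]


def build_burst(now):
    """Constructed: a quiet client (one request per 30 s) that sends 60
    requests in the last minute."""
    recs = [{"time": now - 30 * k, "fields": {"src_ip": "1.1.1.2"}}
            for k in range(30)]
    recs += [{"time": now - j, "fields": {"src_ip": "1.1.1.2"}}
             for j in range(60)]
    return recs


def demo(now=1_700_000_000, window=300, trigger_count=50):
    """Absolute 5-minute count versus differential trigger for both
    patterns, with statistics taken once a minute (assumed interval)."""
    prev_now = now - 60
    out = {}
    for name, recs in (("steady", build_steady(now)),
                       ("burst", build_burst(now))):
        absolute = window_count(recs, "src_ip", "1.1.1.2", window, now)
        fires, delta = differential_trigger(recs, "src_ip", "1.1.1.2",
                                            window, trigger_count, prev_now, now)
        out[name] = {"absolute": absolute, "delta": delta, "fires": fires}
    return out
```

Running `demo()` shows the point of the feature: the steady client has 75 hits in every 5-minute window, so an absolute trigger of 50 would alarm on it every minute, while its difference between two instants is 0; the burst raises the count by 60 in one minute and fires. The caveat is the converse: a slow ramp-up never produces a large difference, so the differential trigger complements the absolute one rather than replacing it.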
Optionally, the method further comprises the following steps:
presetting a plurality of incident group grades for each security incident group and an incident count threshold corresponding to each incident group grade;
judging whether the number of incidents in each security incident group reaches the incident count threshold corresponding to the next incident group grade, and if so, changing the incident group grade of that security incident group to the next grade.
Optionally, the system logs include at least one of server logs, network intrusion detection system logs, honeypot logs and virtual private network (VPN) logs.
An embodiment of the present invention also provides a security incident detection and processing system for implementing the security incident detection and processing method described above. The system comprises:
a database, in which the trigger conditions of a plurality of security incidents are pre-stored, the trigger condition of each security incident comprising a first time range, at least one key field and a trigger count corresponding to that key field, and in which the merging conditions of a plurality of security incident groups are pre-stored, each merging condition comprising a second time range, at least one key field and a value of that key field;
a system log pushing module, for obtaining system logs from the monitored systems, filtering out the records to be processed from the system logs, and storing the records to be processed in a message queue;
a security incident determination module, for extracting the records to be processed from the message queue, counting within the first time range the number of occurrences of each value of the same key field, and generating a new security incident if the count reaches the trigger count corresponding to that key field in the trigger condition of a security incident;
a security incident merging module, for storing a new security incident in the corresponding security incident group when the new security incident falls within the second time range of that group and the value of the key field that reached the trigger count in the security incident is identical to the value of the corresponding key field in the group;
a security incident group creation module, for creating a new security incident group and storing the new security incident in it when the new security incident satisfies the merging condition of no existing security incident group.
An embodiment of the present invention also provides a security incident detection and processing device comprising:
a processor; and
a memory in which instructions executable by the processor are stored;
wherein the processor is configured to perform the steps of the security incident detection and processing method described above by executing the executable instructions.
An embodiment of the present invention also provides a computer-readable storage medium for storing a program which, when executed, implements the steps of the security incident detection and processing method described above.
It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the disclosure.
The security incident detection and processing method, system, device and storage medium provided by the present invention have the following advantages:
while retaining single incidents and their alarms, the invention aggregates security incidents into incident groups for processing according to a time window and an associated field, which strengthens the correlation between incidents and avoids the limitations of single-incident analysis; because each incident is aggregated into an incident group, the thresholds on the policy engine can be lowered appropriately, avoiding the missed detections that result when thresholds are set high to suppress false positives; and, in combination with machine learning, the incident group data can serve as training samples for a model, improving the incident handling efficiency of O&M staff.
Brief description of the drawings
Further features, objects and advantages of the invention will become more apparent from the detailed description of non-limiting embodiments read with reference to the following drawings.
Fig. 1 is a flow chart of the security incident detection and processing method of one embodiment of the invention;
Fig. 2 is a flow chart of processing system logs in one embodiment of the invention;
Fig. 3 is a flow chart of creating a new security incident group in one embodiment of the invention;
Fig. 4 is a flow chart of judging the security incident group grade in one embodiment of the invention;
Fig. 5 is a schematic structural diagram of the security incident detection and processing system of one embodiment of the invention;
Fig. 6 is a schematic structural diagram of the security incident detection and processing device of one embodiment of the invention;
Fig. 7 is a schematic structural diagram of the computer-readable storage medium of one embodiment of the invention.
Embodiments
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that the disclosure will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures or characteristics may be combined in any suitable manner in one or more embodiments.
In addition, the drawings are merely schematic illustrations of the disclosure and are not necessarily drawn to scale. Identical reference numerals in the drawings denote identical or similar parts, and their repeated description is therefore omitted. Some of the block diagrams shown in the drawings are functional entities which do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
As shown in Fig. 1, an embodiment of the present invention provides a security incident detection and processing method comprising the following steps:
S100: pre-storing trigger conditions for a plurality of security incidents in a web application, the trigger condition of each security incident comprising a first time range, at least one key field and a trigger count corresponding to that key field;
S200: presetting merging conditions for a plurality of security incident groups in the web application, the merging condition of each security incident group comprising a second time range, at least one key field and a value of that key field;
S300: obtaining system logs from the monitored systems, filtering out the records to be processed from the system logs, and storing the records to be processed in a message queue.
Optionally, the system logs may include at least one of server logs, network intrusion detection system logs, honeypot logs and VPN logs. Each type of log can be further divided into sub-types, for example successful logins, failed logins, and application run-time logs unrelated to security. The records of successful and failed logins may also contain information such as the connection protocol and port.
S400: extracting the records to be processed from the message queue and counting, within the first time range, the number of occurrences of each value of the same key field; if the count reaches the trigger count corresponding to that key field in a trigger condition, a new security incident is generated. The security incidents generated are generally of two types, port scan and login brute force; there are also security incidents generated according to the signatures of known vulnerabilities.
For example, the trigger condition of one security incident is that the same source IP address value appears 100 times within five minutes; if the count satisfies this condition, a new security incident is generated.
The trigger condition of another security incident is that the same target IP address value appears 50 times within ten minutes; if the count satisfies this condition, a new security incident is generated.
These are only examples. In practice the first time range and the trigger count can be configured as needed: to detect malicious scanning or login brute force within a short time, the first time range can be set shorter; to make detection stricter (fewer false positives), the trigger count can be set higher; to make it more sensitive, the trigger count can be set lower; and so on. The first time ranges in the trigger conditions of different security incidents may also differ, in which case the counts are kept separately for each first time range.
S500: judging whether the new security incident can be added to a security incident group, specifically: judging whether the new security incident falls within the second time range of a security incident group, and whether the value of the key field that reached the trigger count in the security incident is identical to the value of the corresponding key field in that security incident group;
S600: if so, storing the new security incident in the corresponding security incident group.
For example, the merging condition of one security incident group is a 1-hour window and a source IP address value of 1.1.1.2. If a newly generated security incident falls within that hour and the value of the key field that reached the trigger count is the source IP address 1.1.1.2, the newly generated security incident is merged into the corresponding security incident group. The second time ranges of different security incident groups may differ: one group may cover the security incidents within 2 hours and another the security incidents within 1 hour, and so on.
S700: otherwise, creating a new security incident group and storing the new security incident in the newly created group.
When a security incident alarm is raised, each security incident group can be sent to the user by e-mail, and the user can view all security incident groups, the details of each group and the security incidents it contains through a web page, thereby achieving aggregated analysis of security incidents.
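Steps S100 to S700 (the same procedure the method claim sets out earlier on this page) are compact enough to run end to end. The Python below is an added example, not code from the patent or its applicant: a sliding-window count per key field value, one trigger condition per incident type, the merging check on the second time range, key field value and (the optional merging condition) incident type, and creation of a new group with the default time range when nothing matches. It also applies two of the optional features claimed above, counting access request and login failure records separately by restricting each trigger to one record kind, and raising the group grade when the incident count reaches a threshold. The dict layouts, Unix-second timestamps, the `kind` restriction on a trigger and the grade thresholds are assumptions; the 5-minute/100 and 10-minute/50 figures and the 1-hour default group window are the patent's own worked values, and the records are constructed.

```python
"""Added example, not the patent's own code: the trigger and merging logic
of steps S100 to S700 over constructed records, including the optional
per-record-kind counting, type matching and grade escalation. Assumed (not
from the patent): dict layouts, Unix-second times, the grade thresholds."""
from collections import defaultdict

# S100: trigger conditions. Windows and counts are the patent's worked
# figures (100 source-IP hits in 5 min, 50 target-IP hits in 10 min); the
# "kind" restriction implements counting access requests and login failures
# separately.
TRIGGERS = [
    {"type": "port_scan", "kind": "access_request", "field": "src_ip",
     "window": 300, "count": 100},
    {"type": "login_bruteforce", "kind": "login_failure", "field": "dst_ip",
     "window": 600, "count": 50},
]
DEFAULT_GROUP_WINDOW = 3600            # S701: default second time range, 1 h
GRADE_THRESHOLDS = [(1, "low"), (2, "medium"), (5, "high")]  # assumed


def count_field_values(records, field, window, now, kind=None):
    """S400 statistic: occurrences of each value of `field` among records
    of `kind` (any kind if None) whose time lies in (now - window, now]."""
    counts = defaultdict(int)
    for rec in records:
        if kind is not None and rec["kind"] != kind:
            continue
        if now - window < rec["time"] <= now and field in rec["fields"]:
            counts[rec["fields"][field]] += 1
    return counts


def detect_incidents(records, triggers, now):
    """S400: a new incident for every (trigger, value) whose count reaches
    the trigger count inside that trigger's own first time range."""
    incidents = []
    for trig in triggers:
        counts = count_field_values(records, trig["field"], trig["window"],
                                    now, trig.get("kind"))
        for value, n in counts.items():
            if n >= trig["count"]:
                incidents.append({"type": trig["type"], "field": trig["field"],
                                  "value": value, "count": n, "time": now})
    return incidents


def matches_group(incident, group):
    """S500 merging condition: time inside the group's second time range,
    same key field and value and (optional condition) same incident type."""
    in_window = group["start"] <= incident["time"] < group["start"] + group["window"]
    return (in_window and group["field"] == incident["field"]
            and group["value"] == incident["value"]
            and group["type"] == incident["type"])


def update_grade(group):
    """Optional grade escalation: the highest grade whose incident-count
    threshold the group has reached."""
    n = len(group["incidents"])
    for threshold, grade in GRADE_THRESHOLDS:
        if n >= threshold:
            group["grade"] = grade
    return group["grade"]


def assign_to_group(incident, groups, default_window=DEFAULT_GROUP_WINDOW):
    """S600: store in the first matching group; S700 (S701-S703): otherwise
    open a group whose merging condition is copied from the incident."""
    for group in groups:
        if matches_group(incident, group):
            group["incidents"].append(incident)
            update_grade(group)
            return group
    group = {"field": incident["field"], "value": incident["value"],
             "type": incident["type"], "start": incident["time"],
             "window": default_window, "incidents": [incident]}
    update_grade(group)
    groups.append(group)
    return group


def build_sample_records(now):
    """Constructed: 120 access requests from 1.1.1.2 in the last 2 minutes
    (over the port-scan threshold) and 30 login failures against 10.0.0.5
    in the last minute (under the brute-force threshold)."""
    recs = [{"time": now - i, "kind": "access_request",
             "fields": {"src_ip": "1.1.1.2", "dst_ip": "10.0.0.9"}}
            for i in range(120)]
    recs += [{"time": now - 2 * i, "kind": "login_failure",
              "fields": {"src_ip": "9.9.9.9", "dst_ip": "10.0.0.5"}}
             for i in range(30)]
    return recs


def run_demo(now=1_700_000_000):
    """Three detection rounds at now, +30 min and +2 h: the first two merge
    into one group, the third falls outside its window and opens another."""
    groups = []
    for offset in (0, 1800, 7200):
        t = now + offset
        for inc in detect_incidents(build_sample_records(t), TRIGGERS, t):
            assign_to_group(inc, groups)
    return groups
```

Two details matter in practice. The `kind` restriction is what keeps the 120 access requests (which also carry a target IP) from being counted against the login brute-force trigger; without it, one scan would produce two incidents of different types for the same traffic. And a group's second time range starts at the first incident, so a source that keeps scanning for longer than the default window opens a second group rather than growing the first one indefinitely.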
By actively or passively obtaining system logs from the monitored systems, filtering out the records to be processed and storing them in a message queue, the present invention achieves centralised incident collection. Each monitored system may actively send its system logs to the O&M security platform system, or the O&M security platform system may actively pull the system logs from the monitored systems. Because all incidents are concentrated in the O&M security platform system, the corresponding policies, such as the trigger conditions of security incidents and the merging conditions of security incident groups, can be configured there and the incidents can be processed there, which improves the processing efficiency of O&M security staff.
In addition, the present invention decides whether to generate a single security incident by means of the trigger conditions of security incidents, and decides whether to add it to an existing security incident group by means of the merging conditions of security incident groups; security incidents are aggregated into incident groups for centralised alarming, which reduces the limitations of single-incident analysis. Aggregating incidents into groups for processing according to a time window and an associated field reduces both false positives and missed detections, and improves the incident handling efficiency of O&M staff.
Further, the records may include access request records and login failure records: if access request records or login failure records appear many times within a period of time, a security incident such as a malicious port scan or a login brute-force attack may have occurred.
As shown in Fig. 2, filtering out the records to be processed from the system logs and storing them in a message queue comprises the following steps:
S301: cutting the system logs with the logstash tool, which must cut out the key fields and their values; key fields may be, for example, the source IP address, target IP address, user name and host name. Logstash is a powerful data processing tool that can transfer, parse, format and output data, has a powerful plug-in system, and is commonly used for log processing.
S302: identifying the access request records and/or login failure records in the system logs;
S303: extracting the time, key fields and key field values of the access request records and/or login failure records;
S304: storing the extracted time, key fields and key field values in the message queue in JSON form.
For example, a record may be stored in the following form:
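The patent's own illustration of the stored form is not reproduced on this page. The Python below is an added example, not code from the patent or its applicant, that carries out steps S301 to S304 on constructed log lines: it cuts a syslog-style sshd authentication failure and an nginx access line into a record holding the time, the key fields and their values, classifies each as a login failure or access request record, and serialises it to the JSON message that would be pushed onto the queue. The patent names logstash for the cutting; the regular expressions here stand in for it so the example runs offline. The sample lines, the host names and the host-to-IP table used to supply a target IP are constructed.

```python
"""Added example, not the patent's own code: cutting raw log lines into the
pending records of steps S301 to S304 (time, key fields, key field values)
and serialising them to JSON for the message queue. The patent names
logstash for this step; the regular expressions here stand in for it so the
example runs offline. The log lines and the host-to-IP table are constructed."""
import json
import re
from datetime import datetime, timezone

# Assumption: sshd and nginx access logs do not carry the destination
# address, so the target IP is looked up from the monitored host's name.
HOST_IPS = {"vpn-gw": "10.0.0.5", "web-1": "10.0.0.9"}

# syslog-style sshd authentication failure (a login failure record).
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")
# nginx combined access log, prefixed with the host name (an access request record).
NGINX_RE = re.compile(
    r'^(?P<host>\S+) (?P<src>[\d.]+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def cut_line(line, year=2017):
    """S301-S303: return {time, kind, fields} for an access request or login
    failure line, or None for lines that are not pending records."""
    m = SSHD_RE.match(line)
    if m:
        # syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        return {"time": int(ts.timestamp()), "kind": "login_failure",
                "fields": {"src_ip": m["src"], "dst_ip": HOST_IPS.get(m["host"]),
                           "user": m["user"], "host": m["host"]}}
    m = NGINX_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"time": int(ts.timestamp()), "kind": "access_request",
                "fields": {"src_ip": m["src"], "dst_ip": HOST_IPS.get(m["host"]),
                           "host": m["host"], "request": m["req"]}}
    return None


def to_queue_message(record):
    """S304: the JSON body pushed onto the message queue."""
    return json.dumps(record, sort_keys=True)


# Constructed sample: three sshd failures against vpn-gw from one source, two
# web requests to web-1 and one successful login that is not a pending record.
SAMPLE_LOG = """\
Sep 12 10:01:02 vpn-gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 12 10:01:05 vpn-gw sshd[2211]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep 12 10:01:09 vpn-gw sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
web-1 203.0.113.7 - - [12/Sep/2017:10:01:11 +0000] "GET /admin HTTP/1.1" 404 153 "-" "curl/7.55.1"
web-1 198.51.100.2 - - [12/Sep/2017:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
Sep 12 10:01:13 vpn-gw sshd[2214]: Accepted publickey for ops from 198.51.100.9 port 40000 ssh2
"""


def process_log(text=SAMPLE_LOG):
    """Cut every line, drop the ones that are not pending records, and return
    the records together with their queue messages."""
    records = [r for r in (cut_line(l) for l in text.splitlines()) if r]
    return records, [to_queue_message(r) for r in records]
```

Two points for anyone wiring this up for real. Normalise the time to epoch seconds in one time zone at the cutting stage, as done here, because the downstream first-time-range count compares records from different sources (syslog lines carry no year or zone, web logs carry both). And emit the record kind explicitly rather than inferring it later, since the patent's separate access-request and login-failure trigger counts depend on it.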
Optionally, counting the number of occurrences of each value of the same key field within the first time range comprises the following steps:
counting, within the first time range, the number of times one value of the key field appears in access request records; and counting, within the first time range, the number of times that value of the key field appears in login failure records.
The trigger condition of the security incident then includes the first time range, at least one key field, and either a trigger count for the key field appearing in access request records or a trigger count for the key field appearing in login failure records:
if the number of times one value of the key field appears in access request records reaches the trigger count for that key field in access request records in the trigger condition of the security incident, a new security incident is generated;
if the number of times one value of the key field appears in login failure records reaches the trigger count for that key field in login failure records in the trigger condition of the security incident, a new security incident is generated.
That is, in this embodiment access request records and login failure records are counted and analysed separately as two different cases.
Further, the key fields include a source IP address and a target IP address, and counting the number of occurrences of each value of the same key field within the first time range may comprise the following steps:
counting, within the first time range, the number of occurrences of each source IP address value;
counting, within the first time range, the number of occurrences of each target IP address value.
As described above, the types of security incident may include a port scan security incident and a login brute-force security incident. A port scan security incident is usually judged by the value of the source IP address, and a login brute-force security incident is usually judged by the value of the target IP address. Specifically:
The trigger condition of the port scan security incident includes the source IP address and a trigger count for the source IP address; if the number of occurrences of one source IP address value counted within the first time range reaches the trigger count for the source IP address in the trigger condition of a port scan security incident, a new port scan security incident is generated.
For example, one source IP address value attempted to access honeypot ports 50 times within 5 minutes, or one source IP address value failed 100 login attempts to the VPN system within 10 minutes.
The trigger condition of the login brute-force security incident includes the target IP address and a trigger count for the target IP address; if the number of occurrences of one target IP address value counted within the first time range reaches the trigger count for the target IP address in the trigger condition of a login brute-force security incident, a new login brute-force security incident is generated.
For example, the port or system corresponding to one target IP address value saw 100 failed logins within 5 minutes.
Further, the merging condition of each security incident group may also include a security incident type; when a security incident is merged into a security incident group, it is then also checked whether the type of the security incident matches the type of the security incident group.
If the new security incident falls within the second time range of a security incident group, the value of the key field that reached the trigger count in the security incident is identical to the value of the corresponding key field in the security incident group, and the type of the security incident is identical to the security incident type of the security incident group, the security incident is stored in that security incident group.
For example, the merging condition of one security incident group is a 1-hour window, a source IP address value of 1.1.1.3 and the incident type port scan. If the time of a security incident lies within that hour and the source IP address value that reached the trigger count is 1.1.1.3, the security incident belongs to that security incident group.
Further, the key fields may also include a user name, and the trigger condition of the login brute-force security incident also includes a trigger number for user names. The method then further comprises the following steps:
counting, within the first time range, the number of login user names associated with one target IP address value;
if the number of login user names associated with one target IP address value counted within the first time range reaches the trigger number for user names in the trigger condition of a login brute-force security incident, generating a new login brute-force security incident.
For example, if 100 accounts fail to log in to the virtual private network system within 10 minutes, a login brute-force security incident has probably occurred.
Further, the key fields also include the host name of the monitored system, and the trigger condition of the login brute-force security incident also includes the host name of the monitored system and a trigger count for the host name. The method then further comprises the following steps:
counting, within the first time range, the number of occurrences of each host name value;
if the number of occurrences of one host name value counted within the first time range reaches the trigger count for the host name in the trigger condition of a login brute-force security incident, generating a new login brute-force security incident.
For example, if the number of login failures on the same system reaches 100 within 5 minutes, a login brute-force security incident may be triggered.
The above ways of judging security incidents can also be combined with one another and are not limited to the examples given. In addition, port scan security incidents and login brute-force security incidents can be analysed and processed in combination, and in some cases the same condition may trigger different security incidents: for example, many different failed accounts appearing in the virtual private network system within a period of time may indicate a port scan security incident or a login brute-force security incident, and one IP address failing many login attempts to the VPN within a period of time may likewise be a port scan security incident or a login brute-force security incident; more in-depth analysis methods can be introduced further.
As shown in FIG. 3, further, creating a new security event group may include the following steps:
S701: creating a new security event group, and setting the second time window of the new security event group to a preset default time window;
S702: using the key field that reached its trigger count in the security event, and the value of that key field, as the key field and key-field value in the merge condition of the security event group.
Optionally, the merge condition of each security event group further includes a security event type;
creating a new security event group then further includes the following step:
S703: using the type of the security event as the security event type of the security event group.
For example, a security event states that the source IP address 1.1.1.4 occurred 100 times within 5 minutes and the event type is port-scan security event, and no matching security event group exists for this security event; a new security event group is therefore created. The second time window of the new event group is the preset default time window, for instance 1 hour or 2 hours; the key field of the new event group is the source IP address, whose value is 1.1.1.4; and the type of the event group is port-scan security event.
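The group creation steps S701 to S703 together with the merge condition (an event joins a group when it falls inside the group's second time window and carries the same key field, value and, optionally, type) as an added Python example written for this page, not code from the patent or its applicant; it also covers the merging and group-creation modules described later and claims 1, 4, 7 and 8. The event dictionary layout, the 1-hour default window and the sample events are assumptions constructed here.

```python
from datetime import datetime, timedelta

# Default second time window given to a newly created group (the page gives 1 h or 2 h
# as examples; 1 h is assumed here).
DEFAULT_GROUP_WINDOW = timedelta(hours=1)


def _ts(t):
    """Accept datetimes or ISO-8601 strings."""
    return datetime.fromisoformat(t) if isinstance(t, str) else t


def matches_group(group, event):
    """Merge condition: the event lies in the group's second time window, the key field
    that reached its trigger count and its value equal the group's, and (the optional
    condition of S703 / claim 4) the event type equals the group's type."""
    return (group["window_start"] <= event["time"] <= group["window_end"]
            and group["field"] == event["field"]
            and group["value"] == event["value"]
            and group["type"] == event["type"])


def new_group(event):
    """S701-S703: open a group whose second time window is the default window starting
    at the event, and copy the event's key field, value and type into its merge condition."""
    return {"type": event["type"], "field": event["field"], "value": event["value"],
            "window_start": event["time"],
            "window_end": event["time"] + DEFAULT_GROUP_WINDOW,
            "events": [event]}


def group_events(events, groups=None):
    """Store each new security event into the first group whose merge condition it meets;
    otherwise create a new group for it. Returns the (possibly extended) group list."""
    groups = [] if groups is None else groups
    for ev in events:
        ev = dict(ev, time=_ts(ev["time"]))
        for g in groups:
            if matches_group(g, ev):
                g["events"].append(ev)
                break
        else:
            groups.append(new_group(ev))
    return groups


def summarize(groups):
    """(type, key field, value, number of events) per group, for display or assertions."""
    return [(g["type"], g["field"], g["value"], len(g["events"])) for g in groups]


# Constructed security events (not from real logs), in the order they were generated.
SAMPLE_EVENTS = [
    {"type": "port_scan", "field": "src_ip", "value": "1.1.1.4", "count": 100, "time": "2017-09-14T10:05:00"},
    {"type": "login_bruteforce", "field": "dst_ip", "value": "10.0.0.7", "count": 100, "time": "2017-09-14T10:05:00"},
    # same value as the first event but a different key field and type: a separate group
    {"type": "login_bruteforce", "field": "dst_ip", "value": "1.1.1.4", "count": 100, "time": "2017-09-14T10:10:00"},
    # same source IP 25 minutes later: still inside the first group's 1-hour window
    {"type": "port_scan", "field": "src_ip", "value": "1.1.1.4", "count": 120, "time": "2017-09-14T10:30:00"},
    # same source IP but after the first group's window has closed: a new group
    {"type": "port_scan", "field": "src_ip", "value": "1.1.1.4", "count": 100, "time": "2017-09-14T11:30:00"},
]

if __name__ == "__main__":
    for line in summarize(group_events(SAMPLE_EVENTS)):
        print(line)
```

The group window is anchored at the first event and is not extended by later members, which is how the page describes it; a scanner that keeps going for hours therefore produces a chain of groups rather than one growing group, and the responder should expect to see several groups for the same source IP.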
Further, the security event trigger condition may also include: the number of occurrences of the same key field value counted within the first time window at the previous statistics moment.
The method may further include the following steps:
calculating the difference between the number of occurrences of the same key field value counted within the first time window at the current statistics moment and the number of occurrences of the same key field value counted within the first time window at the previous statistics moment;
if the calculated difference reaches the trigger count for the corresponding key field in a trigger condition, generating a new security event.
For example, if the number of login failures from some IP address 1.1.1.5 in the last 5 minutes exceeds its number of login failures in the 5-minute window that ended 10 minutes earlier by more than 100, a security event may be generated. Comparing the occurrence counts of different periods allows security events to be judged more accurately and intuitively, raising the decision accuracy and reducing misjudgements. The previous statistics moment can be set as needed, for example the statistics moment 10 minutes earlier or 20 minutes earlier; all such choices fall within the protection scope of the invention.
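The window-to-window comparison just described, and its restatement in claim 12, as an added Python example written for this page, not code from the patent or its applicant. The record layout, the 5-minute window, the 10-minute offset of the previous statistics moment, the small trigger count and the sample records are assumptions constructed here.

```python
from collections import Counter
from datetime import datetime, timedelta

FIRST_WINDOW = timedelta(minutes=5)      # first time window
PREVIOUS_OFFSET = timedelta(minutes=10)  # previous statistics moment: 10 minutes earlier
DELTA_TRIGGER = 3                        # trigger count applied to the difference (page: 100)


def _ts(t):
    return datetime.fromisoformat(t) if isinstance(t, str) else t


def count_window(records, end, window, field, kind):
    """Occurrences of each value of `field` in records of `kind` within (end - window, end]."""
    start = end - window
    return Counter(r[field] for r in records
                   if r["kind"] == kind and start < r["time"] <= end)


def delta_detect(records, now, field, kind, event_type,
                 window=FIRST_WINDOW, previous_offset=PREVIOUS_OFFSET, threshold=DELTA_TRIGGER):
    """Compare the count in the current window with the count in the window that ended
    at the previous statistics moment (now - previous_offset) and generate an event for
    each key value whose count rose by at least `threshold`. A value that is merely busy
    in both windows yields no event, which is the false-positive reduction the page claims."""
    now = _ts(now)
    current = count_window(records, now, window, field, kind)
    previous = count_window(records, now - previous_offset, window, field, kind)
    events = []
    for value, n in current.items():
        diff = n - previous.get(value, 0)
        if diff >= threshold:
            events.append({"type": event_type, "field": field, "value": value,
                           "current": n, "previous": previous.get(value, 0),
                           "delta": diff, "time": now})
    return events


def _failures(src_ip, start, n, step=timedelta(seconds=30)):
    """Constructed login-failure records: n failures from src_ip starting at `start`."""
    start = _ts(start)
    return [{"time": start + i * step, "kind": "login_failure", "src_ip": src_ip}
            for i in range(n)]


# Constructed sample (not real logs). With now = 10:00 the current window is
# (09:55, 10:00] and the previous window is (09:45, 09:50]: 1.1.1.5 ramps up from 2
# failures to 6, while 1.1.1.6 fails at a steady 5 per window.
SAMPLE_RECORDS = (
    _failures("1.1.1.5", "2017-09-14T09:46:00", 2)
    + _failures("1.1.1.5", "2017-09-14T09:56:00", 6)
    + _failures("1.1.1.6", "2017-09-14T09:46:00", 5)
    + _failures("1.1.1.6", "2017-09-14T09:56:00", 5)
)


def sample_events():
    return delta_detect(SAMPLE_RECORDS, "2017-09-14T10:00:00",
                        "src_ip", "login_failure", "login_bruteforce")


if __name__ == "__main__":
    for ev in sample_events():
        print(ev)
```

Only 1.1.1.5 produces an event here; 1.1.1.6 generates the same absolute number of failures in the current window but no rise, so the delta rule suppresses it. The converse caveat also follows from the arithmetic: a source whose failures were already high in the previous window and stay high is never reported by this rule, so it complements the plain per-window count rather than replacing it.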
As shown in FIG. 4, the security event detection and processing method may further include the following steps:
S801: presetting, for each security event group, a plurality of event group levels and the event-count threshold corresponding to each event group level;
S802: judging whether the number of events in each security event group reaches the event-count threshold corresponding to the next event group level;
S803: if so, changing the event group level of the security event group to the next event group level; when a security event group contains many events its level is raised, so as to draw the attention of the operations security responders;
S804: if not, keeping the current event group level of the security event group.
For example, an event count that reaches 50 may be defined as the high-risk level: while the number of events in a security event group is below 50 the group is at the low-risk level, and when the event count grows further and reaches 50, the low-risk level is adjusted to the high-risk level. The event-count thresholds can be stored in the field identifiers of each security event group, and different security event groups can be given different event-count thresholds.
By using the security event detection and processing method of the invention, when a new security event triggers an alarm the operations security responders can see directly from the security event group whether related events exist, and obtain more information for the response. Handling the security event group also handles all the events it contains at the same time, achieving batch processing. This improves the event-handling efficiency and accuracy of the operations security responders.
As shown in FIG. 5, an embodiment of the invention further provides a security event detection and processing system for implementing the security event detection and processing method described above, the system including:
a database 100, in which the trigger conditions of a plurality of security events are stored in advance, the trigger condition of each security event including a first time window, at least one key field and the trigger count corresponding to that key field; and in which the merge conditions of a plurality of security event groups are stored in advance, each merge condition including a second time window, at least one key field and the value of that key field;
a system log pushing module 200, for obtaining system logs from the monitored systems, screening the pending records in the system logs, and storing the pending records into a message queue; each monitored system may actively send its system logs to the system log pushing module 200, or the system log pushing module 200 may actively fetch the system logs from the monitored systems. In this way centralised log collection is achieved;
a security event determination module 300, for extracting the pending records from the message queue and counting, within the first time window, the number of occurrences of the same key field value, and, if the counted number reaches the trigger count for the corresponding key field in the trigger condition of a security event, generating a new security event;
a security event merging module 400, for storing a new security event into the corresponding security event group when the new security event lies within the second time window of that security event group and the value of the key field that reached its trigger count in the security event equals the value of the corresponding key field in the security event group; all security events are stored in the database in a structured form, each security event group has field identifiers, which may include the merge condition of the security event group and its event-count threshold, and a security event group contains its corresponding security events;
a security event group creation module 500, for creating a new security event group when a new security event satisfies the merge condition of no existing security event group, and storing the security event into the newly created security event group.
When a security event raises an alarm, each security event group may be notified to the user by e-mail, and the user can view all security event groups, the details of each security event group and the security events it contains through a web page, thereby achieving aggregated analysis of security events.
By using the security event detection and processing system of the invention, the limitation of single-event analysis is reduced: events are aggregated into event groups according to a time window and associated fields for processing, false positives and false negatives are reduced, and the event-handling efficiency of the operations personnel is improved.
An embodiment of the invention further provides a security event detection and processing device, including a processor and a memory in which instructions executable by the processor are stored, the processor being configured to perform the steps of the security event detection and processing method described above by executing the executable instructions.
Those skilled in the art will understand that the various aspects of the invention may be implemented as a system, a method or a program product. Therefore the various aspects of the invention may take the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode and the like), or an embodiment combining hardware and software, which may collectively be referred to herein as a "circuit", a "module" or a "device".
An electronic device 600 according to this embodiment of the invention is described below with reference to FIG. 6. The electronic device 600 shown in FIG. 6 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the invention.
As shown in FIG. 6, the electronic device 600 takes the form of a general-purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 connecting the different device components (including the storage unit 620 and the processing unit 610), a display unit 640, and so on.
The storage unit stores program code, and the program code can be executed by the processing unit 610 so that the processing unit 610 performs the steps according to the various exemplary embodiments of the invention described in the security event detection and processing method section of this specification. For example, the processing unit 610 may perform the steps shown in FIG. 1.
Therefore, the security event detection and processing device of this embodiment reduces the limitation of single-event analysis: events are aggregated into event groups according to a time window and associated fields for processing, false positives and false negatives are reduced, and the event-handling efficiency of the operations personnel is improved.
The storage unit 620 may include readable media in the form of volatile storage units, such as a random access memory (RAM) unit 6201 and/or a cache memory unit 6202, and may further include a read-only memory (ROM) unit 6203.
The storage unit 620 may also include a program/utility 6204 having a set of (at least one) program modules 6205; such program modules 6205 include, but are not limited to, an operating system, one or more application programs, other program modules and program data, and each of these examples, or some combination of them, may include an implementation of a network environment.
The bus 630 may represent one or more of several kinds of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, and a processing unit or local bus using any of a variety of bus structures.
The electronic device 600 may also communicate with one or more external devices 700 (such as a keyboard, a pointing device, a Bluetooth device and the like), with one or more devices that enable a user to interact with the electronic device 600, and/or with any device (such as a router or a modem) that enables the electronic device 600 to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface 650. The electronic device 600 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through a network adapter 660. The network adapter 660 may communicate with the other modules of the electronic device 600 through the bus 630. It should be understood that, although not shown in the drawings, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.
An embodiment of the invention further provides a computer-readable storage medium for storing a program which, when executed, implements the steps of the security event detection and processing method described above. In some possible embodiments, the various aspects of the invention may also be implemented in the form of a program product including program code which, when the program product runs on a terminal device, causes the terminal device to perform the steps according to the various exemplary embodiments of the invention described in the security event detection and processing method section of this specification.
In practice this may be a web application, which can be deployed on a server, a notebook or a desktop computer and has network connectivity. It provides an HTTP service, so that the operations security staff can access and operate it through a browser; the application itself fetches the log data and stores it into the database, and all of this requires network connectivity.
Therefore, by running the security event detection and processing method, the computer-readable storage medium of this embodiment reduces the limitation of single-event analysis: events are aggregated into event groups according to a time window and associated fields for processing, false positives and false negatives are reduced, and the event-handling efficiency of the operations personnel is improved.
Referring to FIG. 7, a program product 800 for implementing the above method according to an embodiment of the invention is described; it may use a portable compact disc read-only memory (CD-ROM), include program code, and run on a terminal device such as a personal computer. However, the program product of the invention is not limited to this; in this document a readable storage medium may be any tangible medium that contains or stores a program, and the program may be used by, or in connection with, an instruction execution system, apparatus or device.
The program product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electric, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium, and such a readable medium can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. Program code contained on a readable medium may be transmitted by any suitable medium, including but not limited to wireless, wired, optical cable, RF and the like, or any suitable combination of the above.
Program code for performing the operations of the invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++ and conventional procedural programming languages such as the "C" language or similar languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it may be connected to an external computing device (for example through the Internet using an Internet service provider).
The security event detection and processing method, system, device and storage medium provided by the invention have the following advantages:
while retaining single events and their alarms, the invention aggregates security events into event groups according to a time window and associated fields for processing, which strengthens correlation and avoids the limitation of single-event analysis; because events are aggregated into event groups, the thresholds on the policy engine can be lowered appropriately, avoiding the false negatives caused by setting thresholds high in order to suppress false positives; and, combined with machine learning, the event group data can serve as training samples for a model, improving the event-handling efficiency of the operations personnel.
The above is a further detailed description of the invention in conjunction with specific preferred embodiments, and the specific implementation of the invention cannot be considered to be limited to these descriptions. For a person of ordinary skill in the technical field of the invention, simple deductions or substitutions made without departing from the concept of the invention should all be considered to fall within the protection scope of the invention.
Claims (17)
1. A security event detection and processing method, characterised by comprising the following steps:
storing in advance, in a web service, the trigger conditions of a plurality of security events, the trigger condition of each security event including a first time window, at least one key field and the trigger count corresponding to that key field;
presetting, in the web service, the merge conditions of a plurality of security event groups, the merge condition of each security event group including a second time window, at least one key field and the value of that key field;
obtaining system logs from a monitored system, screening the pending records in the system logs, and storing the pending records into a message queue;
extracting the pending records from the message queue and counting, within the first time window, the number of occurrences of the same key field value, and, if the counted number reaches the trigger count for the corresponding key field in a trigger condition, generating a new security event;
judging whether the new security event lies within the second time window of a security event group and whether the value of the key field that reached its trigger count in the security event equals the value of the corresponding key field in that security event group;
if so, storing the new security event into the corresponding security event group; otherwise, creating a new security event group and storing the new security event into the newly created security event group.
2. The security event detection and processing method according to claim 1, characterised in that the key fields include a source IP address and a target IP address;
counting, within the first time window, the number of occurrences of the same key field value comprises the following steps:
counting, within the first time window, the number of occurrences of the same source IP address value;
counting, within the first time window, the number of occurrences of the same target IP address value.
3. The security event detection and processing method according to claim 2, characterised in that the types of security event include a port-scan security event and a login brute-force security event;
the trigger condition of the port-scan security event includes the source IP address and a trigger count for the source IP address;
if the number of occurrences of the same source IP address value, counted within the first time window, reaches the source-IP-address trigger count in the trigger condition of a port-scan security event, a new port-scan security event is generated;
the trigger condition of the login brute-force security event includes the target IP address and a trigger count for the target IP address;
if the number of occurrences of the same target IP address value, counted within the first time window, reaches the target-IP-address trigger count in the trigger condition of a login brute-force security event, a new login brute-force security event is generated.
4. The security event detection and processing method according to claim 3, characterised in that the merge condition of each security event group further includes a security event type;
if the new security event lies within the second time window of a security event group, the value of the key field that reached its trigger count in the security event equals the value of the corresponding key field in the security event group, and the type of the security event is the same as the security event type of that security event group, the security event is stored into the corresponding security event group.
5. The security event detection and processing method according to claim 3, characterised in that the key fields further include a user name, and the trigger condition of the login brute-force security event further includes a trigger count for user names;
the method further comprises the following steps:
counting, within the first time window, the number of login user names corresponding to the same target IP address value;
if the number of login user names corresponding to the same target IP address value, counted within the first time window, reaches the user-name trigger count in the trigger condition of a login brute-force security event, generating a new login brute-force security event.
6. The security event detection and processing method according to claim 3, characterised in that the key fields further include the host name of the monitored system, and the trigger condition of the login brute-force security event further includes the host name of the monitored system and a trigger count for host names;
the method further comprises the following steps:
counting, within the first time window, the number of occurrences of the same host name value;
if the number of occurrences of the same host name value, counted within the first time window, reaches the host-name trigger count in the trigger condition of a login brute-force security event, generating a new login brute-force security event.
7. The security event detection and processing method according to claim 1, characterised in that creating a new security event group comprises the following steps:
creating a new security event group, and setting the second time window of the new security event group to a preset default time window;
using the key field that reached its trigger count in the security event, and the value of that key field, as the key field and key-field value in the merge condition of the security event group.
8. The security event detection and processing method according to claim 7, characterised in that the merge condition of each security event group further includes a security event type;
creating a new security event group further comprises the following step:
using the type of the security event as the security event type of the security event group.
9. The security event detection and processing method according to claim 1, characterised in that the records include access request records and login failure records;
screening the pending records in the system logs and storing the pending records into the message queue comprises the following steps:
identifying the access request records and/or login failure records in the system logs;
extracting the time, the key fields and the key field values of the access request records and/or login failure records and storing them into the message queue.
10. The security event detection and processing method according to claim 9, characterised in that the system logs are cut into pending records by the logstash tool, and the time, key fields and key field values of the pending records are stored into the message queue in JSON format.
11. The security event detection and processing method according to claim 10, characterised in that counting, within the first time window, the number of occurrences of the same key field value comprises the following steps:
counting, within the first time window, the number of access request records in which the same key field value occurs; and
counting, within the first time window, the number of login failure records in which the same key field value occurs;
the trigger condition of a security event includes a first time window, at least one key field, and a trigger count for occurrences of that key field in access request records or a trigger count for occurrences of that key field in login failure records;
if the counted number of access request records in which the same key field value occurs reaches the trigger count for occurrences of the corresponding key field in access request records in the trigger condition of a security event, generating a new security event;
if the counted number of login failure records in which the same key field value occurs reaches the trigger count for occurrences of the corresponding key field in login failure records in the trigger condition of a security event, generating a new security event.
12. The security event detection and processing method according to claim 1, characterised in that the security event trigger condition further includes:
the number of occurrences of the same key field value counted within the first time window at the previous statistics moment;
the method further comprises the following steps:
calculating the difference between the number of occurrences of the same key field value counted within the first time window at the current statistics moment and the number of occurrences of the same key field value counted within the first time window at the previous statistics moment;
if the calculated difference reaches the trigger count for the corresponding key field in a trigger condition, generating a new security event.
13. The security event detection and processing method according to claim 1, characterised by further comprising the following steps:
presetting, for each security event group, a plurality of event group levels and the event-count threshold corresponding to each event group level;
judging whether the number of events in each security event group reaches the event-count threshold corresponding to the next event group level, and, if so, changing the event group level of the security event group to the next event group level.
14. The security event detection and processing method according to claim 1, characterised in that the system logs include at least one of server logs, network intrusion detection system logs, honeypot logs and VPN logs.
15. A security event detection and processing system for implementing the security event detection and processing method according to any one of claims 1 to 14, characterised in that the system comprises:
a database, in which the trigger conditions of a plurality of security events are stored in advance, the trigger condition of each security event including a first time window, at least one key field and the trigger count corresponding to that key field; and in which the merge conditions of a plurality of security event groups are stored in advance, each merge condition including a second time window, at least one key field and the value of that key field;
a system log pushing module, for obtaining system logs from the monitored system, screening the pending records in the system logs, and storing the pending records into a message queue;
a security event determination module, for extracting the pending records from the message queue and counting, within the first time window, the number of occurrences of the same key field value, and, if the counted number reaches the trigger count for the corresponding key field in the trigger condition of a security event, generating a new security event;
a security event merging module, for storing a new security event into the corresponding security event group when the new security event lies within the second time window of that security event group and the value of the key field that reached its trigger count in the security event equals the value of the corresponding key field in the security event group;
a security event group creation module, for creating a new security event group when a new security event satisfies the merge condition of no existing security event group, and storing the security event into the newly created security event group.
16. A security event detection and processing device, characterised by comprising:
a processor;
a memory, in which instructions executable by the processor are stored;
wherein the processor is configured to perform the steps of the security event detection and processing method according to any one of claims 1 to 14 by executing the executable instructions.
17. A computer-readable storage medium for storing a program, characterised in that, when the program is executed, the steps of the security event detection and processing method according to any one of claims 1 to 14 are implemented.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710827834.3A CN107592309B (en) | 2017-09-14 | 2017-09-14 | Security incident detection and processing method, system, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107592309A true CN107592309A (en) | 2018-01-16 |
CN107592309B CN107592309B (en) | 2019-09-17 |
Family ID: 61052078
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710827834.3A (CN107592309B, Active) | Security incident detection and processing method, system, equipment and storage medium | 2017-09-14 | 2017-09-14 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107592309B (en) |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110224970A (en) * | 2018-03-01 | 2019-09-10 | 西门子公司 | Security monitoring method and apparatus for an industrial control system |
CN109710585A (en) * | 2018-08-20 | 2019-05-03 | 平安普惠企业管理有限公司 | Multi-system correlated early-warning method, apparatus, device and computer-readable storage medium |
CN109460653A (en) * | 2018-10-22 | 2019-03-12 | 武汉极意网络科技有限公司 | Rule engine based verification method, verification device, storage medium and apparatus |
CN109460653B (en) * | 2018-10-22 | 2021-06-25 | 武汉极意网络科技有限公司 | Rule engine based verification method, verification device, storage medium and apparatus |
CN110012011B (en) * | 2019-04-03 | 2021-02-26 | 奇安信科技集团股份有限公司 | Method and device for preventing malicious login, computer equipment and storage medium |
CN110012011A (en) * | 2019-04-03 | 2019-07-12 | 北京奇安信科技有限公司 | Method and device for preventing malicious login, computer equipment and storage medium |
CN112087414A (en) * | 2019-06-14 | 2020-12-15 | 北京奇虎科技有限公司 | Detection method and device for mining trojans |
CN111581328A (en) * | 2020-04-21 | 2020-08-25 | 浙江华途信息安全技术股份有限公司 | Data comparison detection method and system |
CN113095625A (en) * | 2021-03-17 | 2021-07-09 | 中国民用航空总局第二研究所 | Method and system for grading unsafe events at civil aviation airports |
CN113709153A (en) * | 2021-08-27 | 2021-11-26 | 绿盟科技集团股份有限公司 | Log merging method and device and electronic equipment |
CN115632884A (en) * | 2022-12-21 | 2023-01-20 | 徐工汉云技术股份有限公司 | Network security situation awareness method and system based on event analysis |
CN115934782A (en) * | 2023-02-13 | 2023-04-07 | 山东星维九州安全技术有限公司 | Method for analyzing and processing security logs and computer storage medium |
CN115934782B (en) * | 2023-02-13 | 2023-05-12 | 山东星维九州安全技术有限公司 | Method for analyzing and processing security logs and computer storage medium |
CN116599690A (en) * | 2023-03-28 | 2023-08-15 | 中国船舶集团有限公司综合技术经济研究院 | Ship information security event processing method and device and computer equipment |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7243374B2 (en) * | 2001-08-08 | 2007-07-10 | Microsoft Corporation | Rapid application security threat analysis |
CN102571469A (en) * | 2010-12-23 | 2012-07-11 | 北京启明星辰信息技术股份有限公司 | Attack detection method and device |
CN103546312A (en) * | 2013-08-27 | 2014-01-29 | 中国航天科工集团第二研究院七〇六所 | Correlation analysis method for massive multi-source heterogeneous logs |
CN104753861A (en) * | 2013-12-27 | 2015-07-01 | 中国电信股份有限公司 | Security event handling method and device |
CN106375331A (en) * | 2016-09-23 | 2017-02-01 | 北京网康科技有限公司 | Method and device for mining attack organizations |
CN106603524A (en) * | 2016-12-09 | 2017-04-26 | 浙江宇视科技有限公司 | Method for merging security rules and intelligent device |
Also Published As
Publication number | Publication date |
---|---|
CN107592309B (en) | 2019-09-17 |
Similar Documents
Publication | Title |
---|---|
CN107592309B (en) | Security incident detection and processing method, system, equipment and storage medium |
US11336669B2 (en) | Artificial intelligence cyber security analyst |
US11212299B2 (en) | System and method for monitoring security attack chains |
EP3343868B1 (en) | Resource-centric network cyber attack detection and alerting |
US11025674B2 (en) | Cybersecurity profiling and rating using active and passive external reconnaissance |
US10986121B2 (en) | Multivariate network structure anomaly detector |
US10432660B2 (en) | Advanced cybersecurity threat mitigation for inter-bank financial transactions |
US10412111B2 (en) | System and method for determining network security threats |
WO2021171093A1 (en) | Cyber security for a software-as-a-service factoring risk |
US11218510B2 (en) | Advanced cybersecurity threat mitigation using software supply chain analysis |
US20210273973A1 (en) | Software as a service (SaaS) user interface (UI) for displaying user activities in an artificial intelligence (AI)-based cyber threat defense system |
CN108040493A (en) | Detecting security incidents using low-confidence security events |
US20220263860A1 (en) | Advanced cybersecurity threat hunting using behavioral and deep analytics |
CN103748853A (en) | Method and system for classifying a protocol message in a data communication network |
Sathya et al. | Discriminant analysis based feature selection in KDD intrusion dataset |
US10826920B1 (en) | Signal distribution score for bot detection |
US20150172302A1 (en) | Interface for analysis of malicious activity on a network |
János et al. | Security concerns towards security operations centers |
Southall et al. | Early warning signals of infectious disease transitions: a review |
WO2021216163A2 (en) | AI-driven defensive cybersecurity strategy analysis and recommendation system |
US20230135660A1 (en) | Educational tool for business and enterprise risk management |
WO2018088383A1 (en) | Security rule evaluation device and security rule evaluation system |
KR102361766B1 (en) | Method of optimizing alert rules of SIEM by collecting asset server information and apparatus thereof |
Murad et al. | Software testing techniques in IoT |
Xuan et al. | A multi-layer approach for advanced persistent threat detection using machine learning based on network traffic |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||