CN109688105A - A kind of threat warning message generation method and system - Google Patents


Info

Publication number: CN109688105A
Authority: CN (China)
Prior art keywords: threat, information, network, abnormal behaviour, warning message
Legal status: Granted (active)
Application number: CN201811377198.XA
Other languages: Chinese (zh)
Other versions: CN109688105B (en)
Inventors: 李凤华, 张玲翠, 李莉, 周曙光
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201811377198.XA
Publication of CN109688105A
Application granted; publication of CN109688105B

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection


Abstract

Embodiments of the present invention provide a threat warning message generation method and system. The method includes: determining, according to a threat feature library, whether acquired target information can characterize that the network is under threat, where the target information is original acquisition information or abnormal behaviour information; and, if it is determined that the target information can characterize that the network is under threat, generating a threat warning message according to any one or more of the threat feature library, network context information and the target information, where the threat warning message is described in a normalized manner based on a unified description format. By performing convergence analysis on original acquisition information and/or abnormal behaviour information from multiple systems, users, times and locations, the method and system identify threat events and convert them into a unified threat alarm format, so that network security can be monitored effectively and effective support is provided for data acquisition, network security monitoring and threat disposal.

Description

A kind of threat warning message generation method and system
Technical field
Embodiments of the present invention relate to the technical field of network security, and in particular to a threat warning message generation method and system.
Background technique
With the sustained and rapid development of communication, network and information technology and their widespread application, large-scale heterogeneous interconnected networks have formed, comprising integrated networks, the Internet of Things, dedicated networks and the networks in which various service systems (such as electronic bill service systems, e-commerce systems and e-government systems) reside. Such large-scale heterogeneous networks carry a large volume of services, and the systems in them are related to one another. Each system generates massive original log information and abnormal behaviour information, which need to be converged, correlated and statistically analysed so that multi-dimensional threat events can be identified and converted into a unified threat alarm description format, providing support for data acquisition, network security monitoring and threat disposal. The prior art is mostly directed at a single system and performs correlation analysis in a single dimension; it lacks global analysis across multiple systems, users, times and locations, and lacks a unified description of threat warning messages.
Summary of the invention
In view of the technical problems in the prior art, embodiments of the present invention provide a threat warning message generation method and system.
In a first aspect, an embodiment of the present invention provides a threat warning message generation method, comprising:
determining, according to a threat feature library, whether the acquired target information can characterize that the network is under threat, where the target information is original acquisition information or abnormal behaviour information;
if it is determined that the target information can characterize that the network is under threat, generating a threat warning message according to any one or more of the threat feature library, network context information and the target information, where the threat warning message is described in a normalized manner based on a unified description format.
In a second aspect, an embodiment of the present invention provides a threat warning message generation system, comprising:
a determination module, configured to determine, according to a threat feature library, whether the acquired target information can characterize that the network is under threat, where the target information is original acquisition information or abnormal behaviour information;
a threat warning message generation module, configured to generate, if it is determined that the target information can characterize that the network is under threat, a threat warning message according to any one or more of the threat feature library, network context information and the target information, where the threat warning message is described in a normalized manner based on a unified description format.
In a third aspect, an embodiment of the present invention provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of the method provided in the first aspect.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing a computer program, where the computer program, when executed by a processor, implements the steps of the method provided in the first aspect.
The threat warning message generation method and system provided by embodiments of the present invention perform convergence analysis on original acquisition information and/or abnormal behaviour information from multiple systems, users, times and locations, identify threat events, and convert them into a unified threat alarm format, so that network security can be monitored effectively and effective support is provided for data acquisition, network security monitoring and threat disposal.
Detailed description of the invention
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a threat warning message generation method provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of multi-dimensional correlation of abnormal behaviour information provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the unified description format provided by an embodiment of the present invention;
Fig. 4 is a structural schematic diagram of a threat warning message generation system provided by an embodiment of the present invention;
Fig. 5 is a structural schematic diagram of a threat warning message generation system provided by another embodiment of the present invention;
Fig. 6 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
For a better understanding of the embodiments of the present invention, the embodiments are applied to a target network, and the target network and the systems and devices in it are described here.
The target network includes any one or more of: the network in which a service system resides, an integrated network, the Internet of Things and a dedicated network;
The service system includes but is not limited to: an electronic bill service system, an identity authentication service system, a cryptographic service system, a social network service system, an e-commerce service system and an e-government service system.
The systems and devices in the target network include but are not limited to the following systems: electronic credential authorization service management system, electronic credential state management and control system, unified authentication service management system, electronic credential verification service system, multi-service electronic credential collaborative issuing system, mass electronic credential data storage system, identity identification system, electronic bill service portal system, cross-platform electronic credential issuing unified management system, electronic credential printing system, mobile intelligent terminal electronic credential personal application software, PC-side electronic credential personal application software, electronic credential integrated service application system, electronic credential online/offline audit support system, electronic credential online/offline verification support system, road passenger transport electronic credential verification system, enterprise electronic credential management system, electronic credential secure bearer transmission device management system, abnormal behaviour information storage system, abnormal behaviour information convergence system, abnormal behaviour convergence analysis system, security situation analysis system, security incident tracking and tracing system, emergency collaborative disposal system, identity authentication management system, access authentication system, mass electronic credential query and download service system, electronic credential public verification component, issuing service policy middleware, approval service policy middleware, electronic credential application fusion middleware, internetworking security control system, cryptographic resource management system, network-wide security device unified management system, data storage system, office system, document exchange system, supervisory system, Internet of Things topology mapping system, security service demand and resource management system, data storage scheduling management system, Internet of Things security management and control central management system, and device discovery and identification system; and the following devices: electronic bill service job scheduler, high-performance supervisory traffic scheduling device, high-performance cryptographic job scheduling controller, electronic credential high-speed authorization service device, unified authentication service device, identity authentication terminal, electronic signature terminal, electronic signature server, electronic credential secure bearer transmission device, and electronic credential medium card reader.
Fig. 1 is a flow chart of a threat warning message generation method provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step 101: according to a threat feature library, determine whether the acquired target information can characterize that the network is under threat, where the target information is original acquisition information or abnormal behaviour information.
Specifically, the executing subject of the method provided by the embodiment is called the acquisition management centre. The acquisition management centre may be located outside or inside the target network; wherever it is located, it has the following functions: determining, according to the threat feature library, whether the acquired target information can characterize that the network is under threat; and, if it is determined that the target information can characterize that the network is under threat, generating a threat warning message according to any one or more of the threat feature library, network context information and the target information, so as to provide support for network security monitoring.
Further, the target information is original acquisition information or abnormal behaviour information. Original acquisition information refers to unprocessed log information and/or network traffic information. Log information includes but is not limited to: who, when, where, which system, what operation. Network traffic information refers to network communication data and/or its statistics; network communication data includes but is not limited to the headers of each network protocol and application-layer messages. Abnormal behaviour information refers to behaviour information that deviates from the normal operation of one or more entities and may indicate a network threat; its types include but are not limited to: repeated reimbursement, reimbursement of cancelled/reversed credentials, reimbursement of false invoices, a large number of credentials issued by the same enterprise within a short time, a large number of high-value credentials issued by the same enterprise within a short time, a large number of credentials issued at an abnormal time, high-value credentials issued at an abnormal time, a large number of high-value credentials issued by the same user across enterprises within a short time, repeated verification of a false invoice by the same user/enterprise, multiple failed authentication attempts in the same system, multiple failed approval attempts for the same electronic credential by the same user, multiple failed approval attempts for different electronic credentials by the same user, frequent state changes of the same credential, frequent changes of electronic credential state by the same user, multiple certificate verification failures, connection from a false system, multiple password attempts, abnormal terminal access network, abnormal use of cryptographic resources, unauthorized file operations, unauthorized circulation, unauthorized publication, unauthorized storage, unauthorized medium access, and abnormal communication.
Target information can be obtained in one or any combination of the following ways: active acquisition and passive reception. Active acquisition includes any one or more of: calling an interface, reading a log file, reading a configuration file, reading a state file. Passive reception includes any one or more of the following communication methods: socket communication, shared memory, message queue, pipe.
The threat feature library stores threat behaviour features and/or threat behaviour correlation rules, according to which it can be determined whether the acquired target information can characterize that the network is under threat.
Step 102: if it is determined that the target information can characterize that the network is under threat, generate a threat warning message according to any one or more of the threat feature library, network context information and the target information, where the threat warning message is described in a normalized manner based on a unified description format.
Specifically, network context information includes any one or more of: the physical address of the communicating entity, the logical address of the communicating entity, user identifier, source IP address, destination IP address, source port number, destination port number, transport-layer protocol, and packet length.
If the acquisition management centre determines that the target information can characterize that the network is under threat, the network is determined to be under threat. The acquisition management centre therefore generates a threat warning message according to any one or more of the threat feature library, network context information and the target information, so that it or other acquisition management centres can derive corresponding acquisition strategies from the message, the corresponding acquisition agents acquire the corresponding acquisition items in the network according to those strategies, and the threat can be better handled or disposed of by analysing and processing the acquired items.
It should be noted that the threat warning message is described in a normalized manner based on the unified description format, which includes any one or more of: threat type, threat object, threat object feature, threat object performance feature, threat scope, threat level, threat start and end time, attack entity, attack entity feature, attack pattern, attack path, information sharing entity, and information receiving entity.
The method provided by the embodiment performs convergence analysis on original acquisition information and/or abnormal behaviour information from multiple systems, users, times and locations, identifies threat events, and converts them into a unified threat alarm format, so that network security can be monitored effectively and effective support is provided for data acquisition, network security monitoring and threat disposal.
On the basis of the above embodiment, the process of building the threat feature library is described. That is, before determining, according to the threat feature library, whether the acquired target information can characterize that the network is under threat, the method further includes:
obtaining threat behaviour features and/or threat behaviour correlation rules to build the threat feature library; where
the threat behaviour features include any one or more of: threat type, threat level, threat behaviour occurrence time or time-interval threshold, threat behaviour scenario, threat behaviour occurrence entity, and threat behaviour content;
the threat behaviour correlation rules include any one or more of: abnormal behaviour attribute information, abnormal behaviour attribute value, abnormal behaviour attribute threshold, and operator.
Specifically, threat behaviour features and/or threat behaviour correlation rules are obtained according to functional and/or non-functional requirements to build the threat feature library. A threat behaviour feature includes any combination of one or more of: threat type, threat level, threat behaviour occurrence time or time-interval threshold, threat behaviour scenario, threat behaviour occurrence entity, threat behaviour content. A threat behaviour correlation rule includes any combination of one or more of: abnormal behaviour attribute information, abnormal behaviour attribute value, abnormal behaviour attribute threshold and operator.
A specific example of how the threat behaviour features in the threat feature library are built according to functional and/or non-functional requirements follows.
Threat behaviour features include but are not limited to: threat type, threat level, threat behaviour occurrence time or time-interval threshold, threat behaviour scenario, threat behaviour occurrence entity, threat behaviour content. The threat behaviour scenario can be identified by a physical address (country, province/city, district, street) or by a logical address (a network address such as an IP address or a MAC address).
An example of threat behaviour features is shown in Table 1, a sample table of threat behaviour features.
Table 1: sample table of threat behaviour features
Optionally, the following threat behaviours can be defined:
(1) the same user issues/verifies/reimburses a large number of electronic credentials within a specified time threshold;
(2) different users verify/reimburse the same electronic credential within a specified time threshold;
(3) the same user issues/verifies/reimburses the same/different electronic credentials at different locations within a specified time threshold.
Optionally, a threat behaviour is represented as an XML document, as follows:
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="credentials:invoice:threatdefine:SimplePolicy1" Version="1.0" RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
The same user issues/verifies/reimburses a large number of electronic credentials within the time range of a specified threshold
Threat behaviour correlation rules are defined according to the functional and/or non-functional requirements of the system.
A threat behaviour correlation rule includes any combination of one or more of: system abnormal behaviour attribute information, abnormal behaviour attribute value, abnormal behaviour attribute threshold and operator;
System abnormal behaviour attribute information is the atomic attribute information on which rule matching can be performed, including but not limited to any one or more of: operation time, operation place, number of users, operating user name, operating user ID, operation behaviour, operation result, and system identifier;
An abnormal behaviour attribute value is a value that the corresponding abnormal behaviour attribute identifier can take. For example, if the abnormal behaviour attribute is the system identifier, its attribute value includes but is not limited to any one or more of: multi-service electronic credential collaborative issuing system, electronic credential printing system.
An abnormal behaviour attribute threshold corresponds to an item of abnormal behaviour attribute information. During rule matching, the instantiated abnormal behaviour attribute information is counted; if the corresponding abnormal behaviour attribute threshold is reached, the abnormal behaviour attribute is said to be satisfied;
The operators include but are not limited to comparison operators and/or logical operators.
A comparison operator expresses how abnormal behaviour attribute information is compared with an abnormal behaviour attribute value or an abnormal behaviour attribute threshold; the comparison result is a logical value, true or false. Comparison operators include but are not limited to any one or more of: equal to, greater than, less than, greater than or equal to, less than or equal to, not equal to;
A logical operator expresses the relationship between multiple items of abnormal behaviour attribute information, including but not limited to any one or more of: AND, OR, NOT.
For example, a threat behaviour correlation rule is expressed as follows:
"number of users" > 1000000
"system identifier" = "multi-service electronic credential collaborative issuing system"
"operating time" < 5min
Here "number of users", "system identifier" and "operating time" are abnormal behaviour attribute information; ">", "=" and "<" are comparison operators; "1000000" and "5min" are abnormal behaviour attribute thresholds; and "multi-service electronic credential collaborative issuing system" is an abnormal behaviour attribute value.
The threat behaviour correlation rules provided by the embodiment can at least achieve the multi-dimensional correlation of abnormal behaviour information shown in Fig. 2: single or multiple items of correlated original acquisition information and/or abnormal behaviour information are defined across multiple dimensions such as system, user, abnormal behaviour type and time. Fig. 2 is a schematic diagram of multi-dimensional correlation of abnormal behaviour information provided by an embodiment of the present invention.
On the basis of the above embodiments, how to determine whether the target information can characterize that the network is under threat is described in detail. Since target information falls into two classes, original acquisition information and abnormal behaviour information, and the determination methods for the two classes differ, the determination process for each class is described separately. First, the determination process for original acquisition information:
Determining, according to the threat feature library, whether the acquired target information can characterize that the network is under threat further includes:
parsing the original acquisition information to generate an original acquisition information parsing result.
Specifically, the original acquisition information parsing result includes any combination of one or more of: operation time, operation place, operating user, operation behaviour, number of operations, operation result, the entity reporting the original acquisition information, the entity generating the original acquisition information, the accessing entity, and the network traversed;
the operation place includes a physical address and/or a logical address;
the entity includes any combination of one or more of: component, device, system and individual.
The original acquisition information parsing result is matched against the threat behaviour correlation rules, and whether the original acquisition information can characterize that the network is under threat is determined according to the matching result.
Matching the original acquisition information parsing result against the threat behaviour correlation rules and determining, according to the matching result, whether the original acquisition information can characterize that the network is under threat further includes:
instantiating the threat behaviour correlation rules to form instantiated correlation rules;
matching the abnormal behaviour attribute information in the instantiated correlation rules against the original acquisition information parsing result;
if the match succeeds, judging whether the instantiated correlation rule satisfies a first preset condition, and updating the abnormal behaviour attribute values corresponding to the abnormal behaviour attribute information in the instantiated correlation rule; if the match fails, creating a correlation rule instance;
if the instantiated correlation rule satisfies the first preset condition, triggering a state transfer;
if the state after the transfer is the threatened state, defining the primitive event that generated the original acquisition information as a threat event, and determining that the original acquisition information can characterize that the network is under threat.
It illustrates how to determine whether acquired original information can characterize net using correlation rule below by a specific example Network is on the hazard.
While the log information is being matched, the threat behaviour correlation rules in the threat feature library are instantiated one after another.
The abnormal behaviour attribute information of each instantiated correlation rule is matched against the parsing result of the raw collected information.
First, an instantiated correlation rule, for example instantiated correlation rule 1, is expressed as follows, where "user ID", "system identifier", "operation start time" and "operation type" are the abnormal behaviour attribute items:
"user ID" = {user1, user2, user3, ..., user99}
"system identifier" = "multi-service electronic credential collaborative issuing system"
"operation start time" = "2018-10-01 8:00:00"
"operation type" = "issuing"
One decomposable form of the parsing result generated from the log information is the atomic attribution information of a single user performing a single operation at a single time and a single place. For example: user A, at 2:00 a.m., on the company internal network, in the mass electronic credential query and download service system, queried and downloaded one electronic bill with ID IDx.
Then the parsing result of the raw collected information is matched item by item against the instantiated correlation rules; specifically, each parsing result field is matched against the abnormal behaviour attribute identifiers of the instantiated rule. For example, the parsing result fields "user A", "2:00 a.m.", "company internal network", "mass electronic credential query and download service system", "query and download" and "IDx" are matched against "user ID", "system identifier", "operation start time" and "operation type" of instantiated correlation rule 1. Because the attribute value of "system identifier" in instantiated correlation rule 1 is not equal to "mass electronic credential query and download service system" in the parsing result, the match fails, and matching continues with the other instantiated correlation rules.
If a match is found, the abnormal behaviour attribute value corresponding to the matched abnormal behaviour attribute item in the instantiated correlation rule is updated;
If no match is found, the parsing result is matched against the (not yet instantiated) correlation rules in the threat feature library; the correlation rule that matches is instantiated, and the abnormal behaviour attribute value corresponding to the matched abnormal behaviour attribute identifier is set to 1;
Optionally, if the log information does not contain a field that the correlation rules in the threat feature library need for threat detection, for example the physical location or IP address of the user, the missing value is searched for and extracted from network context information, for example the network topology or the collected network traffic information, and the value found is filled into the parsing result field for further threat judgment.
Finally, if the abnormal behaviour attribute information of an instantiated correlation rule is matched successfully against the parsing result of the raw collected information, it is judged whether the instantiated correlation rule satisfies the first preset condition;
If the first preset condition is satisfied, a state transition is triggered;
If the state after the transition is the threatened state, the primitive event of the raw collected information is determined to be a threat event.
The first preset condition includes but is not limited to: all abnormal behaviour attribute fields of the instantiated correlation rule are satisfied; at least one abnormal behaviour attribute field of the instantiated correlation rule is satisfied; a preset threshold number of abnormal behaviour attribute fields of the instantiated correlation rule are satisfied.
The state transition is a transition in an abnormal behaviour state machine, whose states include but are not limited to: the normal state, the potential abnormal state and the threatened state.
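The matching procedure above (field-by-field matching of a log parsing result against instantiated correlation rules, filling a missing field from network context, the first preset condition, and the normal / potential abnormal / threatened state machine) as an added worked example. This is illustration code written for this page, not code from the patent. The log line format, the rule contents, the topology table and the one-step-per-satisfied-match state progression are assumptions; the patent does not fix any of them.

```python
"""Match raw log records against instantiated threat behaviour correlation
rules and drive the abnormal behaviour state machine.

Added example; rules, log lines and the topology table are constructed."""
from dataclasses import dataclass, field
from datetime import datetime

# States named in the text; advancing one state per satisfied match is an
# assumption of this example (the patent only names the states).
NORMAL, POTENTIAL, THREATENED = "normal", "potential_abnormal", "threatened"
NEXT_STATE = {NORMAL: POTENTIAL, POTENTIAL: THREATENED, THREATENED: THREATENED}

# Constructed network context: host address -> physical location. Stands in
# for the topology / traffic lookup the text describes.
TOPOLOGY = {"10.0.5.17": "Building B, floor 3", "10.0.9.2": "data centre"}


@dataclass
class InstantiatedRule:
    """An instantiated correlation rule: attribute item -> expected value.
    A set means membership, a datetime means 'at or after', anything else
    means equality."""
    rule_id: int
    attributes: dict
    condition: str = "all"   # first preset condition: "all", "any" or "threshold"
    threshold: int = 2
    values: dict = field(default_factory=dict)  # attribute values updated on a hit
    state: str = NORMAL

    def required(self):
        return set(self.attributes)

    def match(self, parsed):
        """Match the parsing-result fields against every attribute item and
        report whether the first preset condition holds."""
        hits = {}
        for item, expected in self.attributes.items():
            actual = parsed.get(item)
            if actual is None:
                continue
            if isinstance(expected, (set, frozenset)):
                ok = actual in expected
            elif isinstance(expected, datetime):
                ok = actual >= expected
            else:
                ok = actual == expected
            if ok:
                hits[item] = actual
        self.values.update(hits)
        n = len(hits)
        if self.condition == "all":
            return n == len(self.attributes)
        if self.condition == "any":
            return n >= 1
        return n >= self.threshold

    def step(self):
        """Trigger a state transition; True when the threatened state is reached."""
        self.state = NEXT_STATE[self.state]
        return self.state == THREATENED


def parse_log(line):
    """Decompose one constructed 'timestamp key=value ...' log line into the
    atomic (user, time, place, operation) parsing result."""
    ts, *pairs = line.split()
    parsed = {"start": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        parsed[key] = value
    return parsed


def supplement(parsed, required):
    """Fill an attribute item a rule needs but the log lacks from network context."""
    if "location" in required and "location" not in parsed:
        location = TOPOLOGY.get(parsed.get("host"))
        if location is not None:
            parsed["location"] = location
    return parsed


def judge(rules, lines):
    """Run every log line through every instantiated rule; return the
    (rule_id, line_index) pairs whose match drove the rule to threatened."""
    events = []
    for idx, line in enumerate(lines):
        parsed = parse_log(line)
        for rule in rules:
            supplement(parsed, rule.required())
            if rule.match(parsed) and rule.step():
                events.append((rule.rule_id, idx))
    return events


RULES = [  # constructed; rule 1 mirrors the shape of "instantiated correlation rule 1"
    InstantiatedRule(1, {"user": {f"user{i}" for i in range(1, 100)},
                         "system": "credential-issuing",
                         "start": datetime(2018, 10, 1, 8, 0, 0),
                         "op": "issuing"}),
    InstantiatedRule(2, {"op": "issuing", "location": "Building B, floor 3"},
                     condition="threshold", threshold=2),
]

LOGS = [  # constructed sample log lines; the first one lacks a location field
    "2018-10-01T02:00:00 user=userA system=query-download op=query host=10.0.9.2",
    "2018-10-01T08:05:12 user=user7 system=credential-issuing op=issuing host=10.0.5.17",
    "2018-10-01T08:06:40 user=user7 system=credential-issuing op=issuing host=10.0.5.17",
]

if __name__ == "__main__":
    print(judge(RULES, LOGS))   # [(1, 2), (2, 2)]
```

The first line fails rule 1 on every field (different user, system, time and operation), so no transition happens; the second line satisfies all four items and moves rule 1 from normal to potential abnormal, and the third line repeats the match and reaches the threatened state, so the third line becomes the threat event. Rule 2 has no location in the log itself and is satisfied only because the location is supplemented from the topology table before matching.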
On the basis of the embodiments above, this embodiment of the invention describes in detail how to determine whether the target information can characterize the network as being threatened. The target information falls into two classes, raw collected information and abnormal behaviour information, and the judgment procedure differs between the two classes, so the judgment process for each class is explained separately. The judgment process for raw collected information was described in the embodiments above; this embodiment describes the judgment process for abnormal behaviour information:
Determining, according to the threat feature library, whether the obtained target information can characterize the network as being threatened further comprises:
Parsing the abnormal behaviour information to generate an abnormal behaviour information parsing result.
The abnormal behaviour information parsing result includes any combination of one or more of: operation time, operation place, operation user, operation behaviour, number of operations, operation result, the entity reporting the abnormal behaviour information, the entity exhibiting the abnormal behaviour, the accessed entity and the network traversed.
The operation time includes but is not limited to: a time point, a time period, a set of time points and a set of time periods;
The operation place includes but is not limited to: an operation place and/or a set of operation places;
The operation user includes but is not limited to: an operation user and/or a set of operation users;
The operation behaviour includes but is not limited to: an operation behaviour and/or a set of operation behaviours;
The operation result includes but is not limited to: an operation result and/or a set of operation results;
The entity reporting the abnormal behaviour information includes but is not limited to: an entity reporting abnormal behaviour information and/or a set of entities reporting abnormal behaviour information;
The entity exhibiting the abnormal behaviour includes but is not limited to: an entity exhibiting abnormal behaviour and/or a set of entities exhibiting abnormal behaviour;
The accessed entity includes but is not limited to: an accessed entity and/or a set of accessed entities;
The network traversed includes but is not limited to: a traversed network and/or a set of traversed networks.
Matching the abnormal behaviour information parsing result against the threat behaviour features, and determining from the matching result whether the abnormal behaviour information can characterize the network as being threatened.
Matching the abnormal behaviour information parsing result against the threat behaviour features and determining from the matching result whether the abnormal behaviour information can characterize the network as being threatened further comprises:
Matching the abnormal behaviour information parsing result against the threat behaviour features; if the first matching condition is satisfied, the abnormal behaviour that produced the abnormal behaviour information is determined to be a threat event, and the abnormal behaviour information is determined to characterize the network as being threatened.
The matching method includes but is not limited to any one or more of: sequential matching, random matching and priority matching;
The first matching condition includes but is not limited to: an exact match, at least one match, or a number of matches greater than a predetermined threshold.
The following specific example illustrates how to determine whether abnormal behaviour information can characterize the network as being threatened.
Abnormal behaviour information 1: user1, using IP address 194.12.1.100, between 10:10 and 10:11 requested 100 queries of invoice IDx.
The parsing result fields and their contents are as follows:
Time period: 10:10-10:11;
Place: IP address (194.12.1.100);
Operation behaviour: query;
Operation content: the same invoice number IDx;
Count: 100 times.
The fields above are matched one by one against the threat feature list (table 1) in the threat feature library. For the record with threat behaviour feature number 1: 10:10-10:11 satisfies "time < 5 min", IP address (194.12.1.100) satisfies "any place", the operation field is "query", the same invoice number IDx satisfies "any content", and 100 satisfies ">= 100". All fields are therefore hit, which shows that this abnormal behaviour is a threat event.
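The feature-list matching in this example (field-by-field match of a parsed abnormal behaviour report against threat feature records with wildcard fields, under an exact / at-least-one / above-threshold matching condition and with sequential or priority matching) as an added worked example. This is illustration code written for this page, not the patent's own. The report format, the second feature record ("off-hours access"), the priorities and the threshold value are assumptions; record 1 follows the conditions the text gives for threat feature number 1. Random matching, which the text also lists, is simply sequential matching over a shuffled record order and is not implemented separately here.

```python
"""Match a parsed abnormal behaviour report against a threat feature list.

Added example; the report format and feature records are constructed."""
import re
from datetime import datetime, timedelta

ANY = object()   # wildcard for "any place" / "any content" feature fields

# Parsing-result fields that feature records may constrain (from the text).
FIELDS = ("start", "duration", "place", "behaviour", "content", "count")


def parse_report(report):
    """Parse a constructed 'key=value ...' abnormal behaviour report into the
    parsing-result fields: time period, place, behaviour, content, count."""
    fields = dict(re.findall(r"(\w+)=(\S+)", report))
    start, end = fields["period"].split("-")
    t0 = datetime.strptime(start, "%H:%M")
    t1 = datetime.strptime(end, "%H:%M")
    return {
        "user": fields["user"],
        "start": t0,
        "duration": t1 - t0,
        "place": fields["ip"],
        "behaviour": fields["behaviour"],
        "content": fields["content"],
        "count": int(fields["count"]),
    }


FEATURES = [
    # Record 1 mirrors the conditions the text gives for threat feature number 1.
    {"id": 1, "type": "invoice enumeration", "level": 6, "priority": 1,
     "duration": lambda d: d < timedelta(minutes=5),
     "place": ANY,
     "behaviour": lambda b: b == "query",
     "content": ANY,
     "count": lambda n: n >= 100},
    # Record 2 is an assumed second feature, added so the matching modes differ.
    {"id": 2, "type": "off-hours access", "level": 3, "priority": 3,
     "start": lambda t: t.hour < 6 or t.hour >= 22,
     "behaviour": lambda b: b in ("query", "download"),
     "count": lambda n: n >= 1},
]


def hits(parsed, feature):
    """Number of constrained fields the report satisfies; wildcards always hit."""
    return sum(1 for f in FIELDS if f in feature
               and (feature[f] is ANY or feature[f](parsed[f])))


def is_hit(parsed, feature, condition="exact", threshold=3):
    """Apply the first matching condition: exact, at least one, or more than
    a predetermined threshold number of matching fields."""
    total = sum(1 for f in FIELDS if f in feature)
    n = hits(parsed, feature)
    if condition == "exact":
        return n == total
    if condition == "any":
        return n >= 1
    return n > threshold


def judge_abnormal(report, features=FEATURES, condition="exact",
                   mode="sequence", threshold=3):
    """Return (id, type) of the threat features the report matches.
    'sequence' keeps every hit in list order; 'priority' keeps only the
    highest-priority hit."""
    parsed = parse_report(report)
    matched = [f for f in features if is_hit(parsed, f, condition, threshold)]
    if mode == "priority" and matched:
        matched = [max(matched, key=lambda f: f["priority"])]
    return [(f["id"], f["type"]) for f in matched]


# Constructed report corresponding to "abnormal behaviour information 1".
REPORT = ("user=user1 ip=194.12.1.100 period=10:10-10:11 "
          "behaviour=query content=IDx count=100")

if __name__ == "__main__":
    print(judge_abnormal(REPORT))   # [(1, 'invoice enumeration')]
```

Under the exact-match condition only record 1 fires, exactly as the text walks through; under the at-least-one condition record 2 also fires (it shares the behaviour and count fields), and priority matching then keeps only the higher-priority record. A report of a single download at 02:00 hits record 2 alone, because the query-only behaviour and the count threshold of record 1 are not satisfied.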
On the basis of the embodiments above, generating the threat warning message according to any one or more of the threat feature library, the network context information and the target information further comprises:
Determining, according to the threat feature library, whether the threat event needs information supplement, and, when the determination result is that the threat event needs information supplement, supplementing the threat event with information from the network context information.
Specifically, first the set of information items needed to generate the threat warning message is determined according to the threat feature library; then the difference set between the set of information items needed to generate the threat warning message and the set of information items the threat event already has is computed; whether the threat event needs information supplement is decided by whether this difference set is empty. When the difference set is not empty, it is determined that the threat event needs information supplement, and the information items to be supplemented are those in the difference set; these items are then marked and extracted from the network context information, and the threat event information is supplemented with them.
Further, the threat type corresponding to the threat event is looked up in the threat feature library, and the set of information items needed to generate the threat warning message is determined according to the threat type. The information items needed to generate the threat warning message include but are not limited to: the physical region of the threat object, the logical region of the threat object, the IP address of the threat object, the system the threat object belongs to, the physical address of the attacking entity, the logical address of the attacking entity, the physical attack path from the attacking entity to the threat object, the logical attack path from the attacking entity to the threat object, the threat occurrence time, the entity reporting the threat event and the entity generating the threat event.
For example, the physical region and/or logical region of the threat object is looked up in the network context information according to the IP address of the threat object.
The threat event after information supplement is normalized into a description based on the unified description format, which generates the threat warning message.
Fig. 3 is a schematic diagram of the unified description format provided by an embodiment of the invention. As shown in Fig. 3, the unified description format includes any one or a combination of the following:
threat type, threat object, threat object feature, threat object performance feature, threat range, threat level, threat start and end time, attacking entity, attacking entity feature, attack mode, attack path, information sharing entity, information receiving entity.
The fields of the unified description format are explained as follows:
Threat type refers to the type of threat event predefined in the threat feature library, including but not limited to: denial of service attack, unauthorized access, traffic anomaly, FTP trojan, Sasser worm, vulnerability exploitation, backdoor attack, domain hijacking, scanning and probing, trojan/virus, man-in-the-middle attack.
Threat object refers to the set of objects in the network affected by the attack, including but not limited to: the device or device type under potential threat, and the operating system type. Device or device type includes but is not limited to: satellite, mobile terminal, system server, router, gateway, firewall, IDS, IPS. Operating system type includes but is not limited to: Windows, Linux, Android, iOS.
Threat range refers to the physical range and/or logical range in which the threat object is located.
Threat level refers to the severity of the threat; it can, for example, be expressed as a discrete value, an integer from 0 to 10, where a larger number indicates a more serious threat.
Threat start and end time refers to the time of the earliest event associated with the threat and the estimated time at which the threat is eliminated.
Attacking entity refers to the party launching the attack, including but not limited to: an individual, a group or an organization.
Attacking entity feature refers to the characteristics that attacking entities of the same attack type exhibit after common feature extraction, including but not limited to any one or more of: the logical region and the physical region in which they are located.
Attack mode refers to any one or more of: the malware used by the attacking entity, the attack tool used, and the type of network traversed.
The network type includes but is not limited to any one or more of: wired network, wireless network.
Attack path includes but is not limited to: a physical path and a logical path. The physical path refers to the devices traversed by the attacking entity to reach the attacked object and the order among those devices; the logical path refers to the vulnerabilities exploited by the attacking entity to achieve the attack goal and the order in which they are exploited, or the operations performed and the order among those operations.
Threat object feature refers to the characteristics by which the threat object can be profiled.
These characteristics include but are not limited to any one or more of: the position of the threat object in a geographic region and/or logical region, the service types deployed on the threat object, and the asset value of the threat object.
Threat object performance feature refers to the depiction of the state of the threat object after it is attacked and/or of the change of that state; the state includes but is not limited to any one or more of: CPU utilization, memory utilization, number of packets received on the network interface, available link bandwidth and TCP connection status.
Information sharing entity refers to the party sending the abnormal behaviour information and/or the raw collected information, including but not limited to: a system, a device, a person or an organization.
Information receiving entity refers to the party receiving the warning message. The description of the information receiving entity includes but is not limited to: the information receiving entity type, the need-to-know range and the security level. The information receiving entity type includes but is not limited to: collection agent, collection system, analysis system, command system, management system; the description of the need-to-know range includes but is not limited to: administrative level, geographic region.
Normalizing the threat event after information supplement into a description based on the unified description format includes extracting information from the threat event in the following respects to generate the threat warning message:
Threat type: the threat type that the threat event matched in the threat feature library.
Threat object: the system in the threat event in which the abnormal behaviour occurred is extracted.
Threat range: the physical range and/or logical range in which the threat object is located is extracted.
Threat level: obtained by analysing any one or more of the raw collected information and/or abnormal behaviour information, the threat behaviour feature and the threat object asset value information. For example, the threat level is computed comprehensively from the threat type in the threat behaviour feature, the place where the threat occurred and the threat object asset value: the wider the range of the threat and the more entities involved, the higher the threat level; the higher the asset value of the threat object, the higher the threat level.
Threat start and end time: the earliest operation time point or period in the threat event is extracted as the threat start time and expressed in a unified time format.
Attacking entity: the set of operating users of the threat event is extracted.
Attacking entity feature: the common features of the attacking entities are extracted.
Attack mode: any one or more of the malware used, the attack tool used and the type of network traversed by the attacking entity in the threat event are extracted.
Attack path: all physical paths between the operating users and the systems in the threat event and their order are extracted, and/or the vulnerabilities exploited in the threat event and the order of their exploitation, and/or the operations performed by the attacking entity in the threat event and the order among those operations.
Threat object feature: the common features of the threat objects are extracted, including but not limited to any one or more of: the service type of the threat object, its geographic region and its logical region.
Threat object performance feature: the common performance features of the threat object after the threat event occurred are extracted, including but not limited to system state changes.
Information sharing entity: the system, device, person or organization that sent the threat event is extracted.
Information receiving entity: the receiving entity type, need-to-know range and security level are computed from any one or more of the threat type, severity and threat object type of the threat event, and the receiving entity of the warning message is determined accordingly.
Finally, the fields extracted from the threat event are assembled into the threat warning message.
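The information supplement step (required item set looked up by threat type, difference set against the items the event already carries, lookup of the missing items in the network context) and the normalization into the unified description format, as one added worked example covering both passages. This is illustration code written for this page, not the patent's own. The feature library entries, the network context table, the threat level scoring and the receiving-entity routing are assumptions: the text says the level is computed from threat type, place and asset value and that the receiver is derived from type, severity and object type, but gives no formula for either, so the ones below are stand-ins.

```python
"""Supplement a threat event from network context and normalize it into the
unified description format.

Added example; library, context and scoring are constructed assumptions."""
import json
from datetime import datetime

# Constructed threat feature library: per threat type, the information items
# an alert must carry (the "required information item set") and a base level.
FEATURE_LIBRARY = {
    "unauthorized access": {"base_level": 5,
        "required": {"threat_object_ip", "physical_region", "logical_region",
                     "system", "attack_entity", "threat_start"}},
    "denial of service": {"base_level": 7,
        "required": {"threat_object_ip", "physical_region", "system",
                     "attack_entity", "threat_start"}},
}

# Constructed network configuration / topology information, keyed by IP.
NETWORK_CONTEXT = {
    "10.0.9.2": {"physical_region": "data centre, rack 4",
                 "logical_region": "VLAN 20, credential-issuing segment",
                 "system": "credential-issuing", "asset_value": 8},
}

# Field order of the unified description format listed in the text.
UNIFIED_FIELDS = [
    "threat_type", "threat_object", "threat_object_feature",
    "threat_object_performance", "threat_range", "threat_level",
    "threat_start", "threat_end", "attack_entity", "attack_entity_feature",
    "attack_mode", "attack_path", "information_sharing_entity",
    "information_receiving_entity",
]


def missing_items(event, threat_type):
    """Required item set minus the items the event already carries: the
    difference set of the text. Empty means no supplement is needed."""
    present = {k for k, v in event.items() if v not in (None, "", [], {})}
    return FEATURE_LIBRARY[threat_type]["required"] - present


def supplement(event, threat_type):
    """Fill the difference set: the start time is derived from the event's own
    operation times, every other missing item is looked up in network context."""
    missing = missing_items(event, threat_type)
    if "threat_start" in missing and event.get("operation_times"):
        event["threat_start"] = min(event["operation_times"])
    ctx = NETWORK_CONTEXT.get(event.get("threat_object_ip"), {})
    for item in missing - {"threat_start"}:
        if item in ctx:
            event[item] = ctx[item]
    return event


def threat_level(event, threat_type):
    """Assumed scoring on the 0..10 scale of the text: the type's base level,
    +1 for a high-value asset, +1 per attacking entity beyond the first."""
    ctx = NETWORK_CONTEXT.get(event.get("threat_object_ip"), {})
    extra = int(ctx.get("asset_value", 0) >= 7)
    extra += max(0, len(event.get("attack_entity", [])) - 1)
    return min(10, FEATURE_LIBRARY[threat_type]["base_level"] + extra)


def receiving_entities(level):
    """Assumed routing by severity: the analysis system always receives the
    alert; the command system is added from level 7 upwards."""
    entities = [{"type": "analysis system", "security_level": "internal"}]
    if level >= 7:
        entities.append({"type": "command system", "security_level": "confidential"})
    return entities


def fmt_time(dt):
    """Unified time format: ISO 8601; the event times are assumed to be UTC."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_alert(event, threat_type):
    """Supplement a threat event and normalize it into the unified format."""
    event = supplement(dict(event), threat_type)
    level = threat_level(event, threat_type)
    alert = dict.fromkeys(UNIFIED_FIELDS)
    alert.update({
        "threat_type": threat_type,
        "threat_object": {"ip": event.get("threat_object_ip"), "system": event.get("system")},
        "threat_object_feature": {"physical_region": event.get("physical_region"),
                                  "logical_region": event.get("logical_region")},
        "threat_range": event.get("logical_region") or event.get("physical_region"),
        "threat_level": level,
        "threat_start": fmt_time(event["threat_start"]) if event.get("threat_start") else None,
        "threat_end": None,   # estimated elimination time is not known at generation
        "attack_entity": sorted(event.get("attack_entity", [])),
        "attack_path": event.get("operations", []),   # operations in performed order
        "information_sharing_entity": event.get("reporter"),
        "information_receiving_entity": receiving_entities(level),
        # Items that could not be supplemented, so the receiver knows what is missing.
        "unresolved_items": sorted(missing_items(event, threat_type)),
    })
    return alert


# Constructed threat event as the judgment stage would hand it over.
EVENT = {
    "threat_object_ip": "10.0.9.2",
    "attack_entity": ["user7"],
    "operation_times": [datetime(2018, 10, 1, 8, 6, 40), datetime(2018, 10, 1, 8, 5, 12)],
    "operations": ["login", "issuing", "issuing"],
    "reporter": "credential-issuing audit log",
    "threat_start": None,
}

if __name__ == "__main__":
    print(json.dumps(build_alert(EVENT, "unauthorized access"), indent=2, default=str))
```

For the constructed event the difference set is {physical_region, logical_region, system, threat_start}; the first three are filled from the context entry for 10.0.9.2 and the start time from the earliest operation time, so nothing remains unresolved. For an event whose threat object is not in the context table the alert still carries every unified field, but lists the items that could not be filled instead of silently omitting them.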
Fig. 4 is a structural schematic diagram of a threat warning message generation system provided by an embodiment of the invention. As shown in Fig. 4, the system includes:
a determination module 401, for determining, according to the threat feature library, whether the obtained target information can characterize the network as being threatened, wherein the target information is raw collected information or abnormal behaviour information; and a threat warning message generation module 402, for generating, if it is determined that the target information can characterize the network as being threatened, a threat warning message according to any one or more of the threat feature library, the network context information and the target information, wherein the threat warning message is normalized into a description based on the unified description format.
The system provided by the embodiment of the invention executes the flow of each method embodiment above; for details refer to the content of the method embodiments, which is not repeated here. By converging and analysing raw collected information and/or abnormal behaviour information from multiple systems, users, times and locations, the system identifies threat events and converts them into a unified threat alarm format, so that network security can be monitored effectively and data collection, network security monitoring and threat handling are supported effectively.
Fig. 5 is a structural schematic diagram of a threat warning message generation system provided by another embodiment of the invention. It includes but is not limited to the following parts: an information acquisition module, a threat judgment module, a threat warning message encapsulation module, a threat feature library, a network configuration information library and a network topology information library, where the network configuration information library and the network topology information library are external information libraries.
The information acquisition module obtains raw collected information and/or abnormal behaviour information and sends it to the threat judgment module. The threat judgment module receives the raw collected information and/or abnormal behaviour information, queries the threat behaviour features and/or threat behaviour correlation rules in the threat feature library, parses and judges the raw collected information and/or abnormal behaviour information, and, if a threat is found, sends the corresponding threat event to the threat warning message encapsulation module. The threat warning message encapsulation module receives the threat event sent by the threat judgment module; if the threat event needs information supplement, it searches the network context information in the network configuration information library and/or the network topology information library to supplement the threat event, and finally describes the threat warning message uniformly using the unified description format. The threat feature library stores the threat behaviour features and/or threat behaviour correlation rules and answers the queries of the threat judgment module.
Fig. 6 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the invention. As shown in Fig. 6, the electronic device may include: a processor 601, a communication interface 602, a memory 603 and a communication bus 604, where the processor 601, the communication interface 602 and the memory 603 communicate with each other over the communication bus 604. The processor 601 can call a computer program stored in the memory 603 and runnable on the processor 601 to execute the method provided by the embodiments above, for example: determining, according to a threat feature library, whether the obtained target information can characterize the network as being threatened, wherein the target information is raw collected information or abnormal behaviour information; and, if it is determined that the target information can characterize the network as being threatened, generating a threat warning message according to any one or more of the threat feature library, network context information and the target information, wherein the threat warning message is normalized into a description based on a unified description format.
In addition, the logic instructions in the memory 603 can be implemented in the form of software functional units and, when sold or used as an independent product, can be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the invention, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium, which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method of each embodiment of the invention. The storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk or any other medium that can store program code.
An embodiment of the invention also provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the method provided by the embodiments above, for example: determining, according to a threat feature library, whether the obtained target information can characterize the network as being threatened, wherein the target information is raw collected information or abnormal behaviour information; and, if it is determined that the target information can characterize the network as being threatened, generating a threat warning message according to any one or more of the threat feature library, network context information and the target information, wherein the threat warning message is normalized into a description based on a unified description format.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the embodiments of the invention, and persons of ordinary skill in the art can understand and implement them without creative effort.
Through the description of the embodiments above, persons skilled in the art can clearly understand that each embodiment can be implemented by software plus the necessary general hardware platform, and of course also by hardware. On this understanding, the technical solution above, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the embodiments above are merely intended to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (11)

1. A threat warning message generation method, characterized by comprising:
determining, according to a threat feature library, whether obtained target information can characterize a network as being threatened, wherein the target information is raw collected information or abnormal behaviour information;
if it is determined that the target information can characterize the network as being threatened, generating a threat warning message according to any one or more of the threat feature library, network context information and the target information, wherein the threat warning message is normalized into a description based on a unified description format.
2. The method according to claim 1, characterized in that, before determining according to the threat feature library whether the obtained target information can characterize the network as being threatened, the method further comprises:
obtaining threat behaviour features and/or threat behaviour correlation rules to construct the threat feature library; wherein
the threat behaviour feature includes any one or more of: threat type, threat level, threat behaviour occurrence time or time interval threshold, threat behaviour scenario, entity at which the threat behaviour occurs and threat behaviour content;
the threat behaviour correlation rule includes any one or more of: abnormal behaviour attribute information, abnormal behaviour attribute value, abnormal behaviour attribute threshold and operator.
3. The method according to claim 2, characterized in that determining according to the threat feature library whether the obtained target information can characterize the network as being threatened further comprises:
parsing the raw collected information to generate a raw collected information parsing result;
matching the raw collected information parsing result against the threat behaviour correlation rules, and determining from the matching result whether the raw collected information can characterize the network as being threatened.
4. The method according to claim 3, characterized in that matching the raw collected information parsing result against the threat behaviour correlation rules and determining from the matching result whether the raw collected information can characterize the network as being threatened further comprises:
instantiating the threat behaviour correlation rules to form instantiated correlation rules;
matching the abnormal behaviour attribute information in the instantiated correlation rules against the raw collected information parsing result;
if the match succeeds, judging whether the instantiated correlation rule satisfies a first preset condition;
if the instantiated correlation rule satisfies the first preset condition, triggering a state transition;
if the state after the state transition is the threatened state, determining the primitive event that produced the raw collected information to be a threat event, and determining that the raw collected information can characterize the network as being threatened.
5. The method according to claim 2, characterized in that determining according to the threat feature library whether the obtained target information can characterize the network as being threatened further comprises:
parsing the abnormal behaviour information to generate an abnormal behaviour information parsing result;
matching the abnormal behaviour information parsing result against the threat behaviour features, and determining from the matching result whether the abnormal behaviour information can characterize the network as being threatened.
6. The method according to claim 5, characterized in that matching the abnormal behaviour information parsing result against the threat behaviour features and determining from the matching result whether the abnormal behaviour information can characterize the network as being threatened further comprises:
matching the abnormal behaviour information parsing result against the threat behaviour features; if a first matching condition is satisfied, determining the abnormal behaviour that produced the abnormal behaviour information to be a threat event, and determining that the abnormal behaviour information can characterize the network as being threatened.
7. The method according to claim 4 or 6, characterized in that generating the threat warning message according to any one or more of the threat feature library, the network context information and the target information further comprises:
determining, according to the threat feature library, whether the threat event needs information supplement, and, when the determination result is that the threat event needs information supplement, supplementing the threat event with information from the network context information;
normalizing the threat event after information supplement into a description based on the unified description format, generating the threat warning message.
8. The method according to claim 1, characterized in that the unified description format includes any one or more of: threat type, threat object, threat object feature, threat object performance feature, threat range, threat level, threat start and end time, attacker, attacker feature, attack mode, attack path, information sharer and information receiver.
9. A threat warning message generation system, characterized by comprising:
a determination module, for determining, according to a threat feature library, whether obtained target information can characterize a network as being threatened, wherein the target information is raw collected information or abnormal behaviour information;
a threat warning message generation module, for generating, if it is determined that the target information can characterize the network as being threatened, a threat warning message according to any one or more of the threat feature library, network context information and the target information, wherein the threat warning message is normalized into a description based on a unified description format.
10. An electronic device, comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 8.
11. A non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 8.
Application CN201811377198.XA, priority date 2018-11-19, filing date 2018-11-19: Threat alarm information generation method and system. Status: Active. Granted as CN109688105B (en).


Publications (2)
CN109688105A, published 2019-04-26
CN109688105B, published 2020-07-07

Family

ID=66185361

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811377198.XA Active CN109688105B (en) 2018-11-19 2018-11-19 Threat alarm information generation method and system

Country Status (1)

Country Link
CN (1) CN109688105B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110765391A (en) * 2019-09-16 2020-02-07 华青融天(北京)软件股份有限公司 Security detection method and device, electronic equipment and storage medium
CN110866692A (en) * 2019-11-14 2020-03-06 北京明略软件系统有限公司 Generation method and generation device of early warning information and readable storage medium
CN111224953A (en) * 2019-12-25 2020-06-02 哈尔滨安天科技集团股份有限公司 Method, device and storage medium for discovering threat organization attack based on abnormal point
CN111931935A (en) * 2020-09-27 2020-11-13 中国人民解放军国防科技大学 Network security knowledge extraction method and device based on One-shot learning
CN112152968A (en) * 2019-06-27 2020-12-29 北京数安鑫云信息技术有限公司 Network threat detection method and device
CN112261033A (en) * 2020-10-19 2021-01-22 北京京航计算通讯研究所 Network security protection method based on enterprise intranet
CN113259364A (en) * 2021-05-27 2021-08-13 长扬科技(北京)有限公司 Network event correlation analysis method and device and computer equipment
CN113328976A (en) * 2020-02-28 2021-08-31 华为技术有限公司 Security threat event identification method, device and equipment
CN113382015A (en) * 2021-06-24 2021-09-10 北京恒安嘉新安全技术有限公司 Handling method, device, equipment and storage medium of network threat
CN115225366A (en) * 2022-07-14 2022-10-21 国网智能电网研究院有限公司 Access behavior processing method and device
CN115314304A (en) * 2022-08-10 2022-11-08 重庆电子工程职业学院 Network security event analysis device and method
CN115484151A (en) * 2022-09-23 2022-12-16 北京安天网络安全技术有限公司 Threat detection method and device based on composite event processing

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101562537A (en) * 2009-05-19 2009-10-21 华中科技大学 Distributed self-optimized intrusion detection alarm associated system
CN104954335A (en) * 2014-03-27 2015-09-30 中国移动通信集团安徽有限公司 Method and system for preventing high-risk network intrusion
CN105843803A (en) * 2015-01-12 2016-08-10 上海悦程信息技术有限公司 Big data security visualization interaction analysis system and method
CN106209829A (en) * 2016-07-05 2016-12-07 杨林 A kind of network security management system based on warning strategies
CN107623691A (en) * 2017-09-29 2018-01-23 长沙市智为信息技术有限公司 A kind of ddos attack detecting system and method based on reverse transmittance nerve network algorithm

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
汤沁泉 (Tang Qinquan): "Design and Implementation of a Network Security Early-Warning System Based on Network Behaviour Analysis", China Master's Theses Full-text Database *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112152968B (en) * 2019-06-27 2022-07-22 北京数安鑫云信息技术有限公司 Network threat detection method and device
CN112152968A (en) * 2019-06-27 2020-12-29 北京数安鑫云信息技术有限公司 Network threat detection method and device
CN110765391A (en) * 2019-09-16 2020-02-07 华青融天(北京)软件股份有限公司 Security detection method and device, electronic equipment and storage medium
CN110765391B (en) * 2019-09-16 2022-02-22 华青融天(北京)软件股份有限公司 Security detection method and device, electronic equipment and storage medium
CN110866692A (en) * 2019-11-14 2020-03-06 北京明略软件系统有限公司 Generation method and generation device of early warning information and readable storage medium
CN111224953A (en) * 2019-12-25 2020-06-02 哈尔滨安天科技集团股份有限公司 Method, device and storage medium for discovering threat organization attack based on abnormal point
CN113328976A (en) * 2020-02-28 2021-08-31 华为技术有限公司 Security threat event identification method, device and equipment
CN113328976B (en) * 2020-02-28 2022-11-22 华为技术有限公司 Security threat event identification method, device and equipment
CN111931935B (en) * 2020-09-27 2021-01-15 中国人民解放军国防科技大学 Network security knowledge extraction method and device based on One-shot learning
CN111931935A (en) * 2020-09-27 2020-11-13 中国人民解放军国防科技大学 Network security knowledge extraction method and device based on One-shot learning
CN112261033A (en) * 2020-10-19 2021-01-22 北京京航计算通讯研究所 Network security protection method based on enterprise intranet
CN113259364A (en) * 2021-05-27 2021-08-13 长扬科技(北京)有限公司 Network event correlation analysis method and device and computer equipment
CN113259364B (en) * 2021-05-27 2021-10-22 长扬科技(北京)有限公司 Network event correlation analysis method and device and computer equipment
CN113382015A (en) * 2021-06-24 2021-09-10 北京恒安嘉新安全技术有限公司 Handling method, device, equipment and storage medium of network threat
CN115225366A (en) * 2022-07-14 2022-10-21 国网智能电网研究院有限公司 Access behavior processing method and device
CN115314304A (en) * 2022-08-10 2022-11-08 重庆电子工程职业学院 Network security event analysis device and method
CN115484151B (en) * 2022-09-23 2023-11-21 北京安天网络安全技术有限公司 Threat detection method, device, equipment and medium based on composite event processing
CN115484151A (en) * 2022-09-23 2022-12-16 北京安天网络安全技术有限公司 Threat detection method and device based on composite event processing

Also Published As

Publication number Publication date
CN109688105B (en) 2020-07-07

Similar Documents

Publication Publication Date Title
CN109688105A (en) Threat warning information generation method and system
US10795992B2 (en) Self-adaptive application programming interface level security monitoring
CN107465648B (en) Abnormal equipment identification method and device
CN104054321B (en) For the safety management of cloud service
CN102428677B (en) Sanitization of packets
CN109871690A (en) Device permission management method and apparatus, storage medium, electronic device
CN100399750C (en) System and method of facilitating the identification of a computer on a network
US20120311562A1 (en) Extendable event processing
US11681804B2 (en) System and method for automatic generation of malware detection traps
CN106063219A (en) System and method for biometric protocol standards
US20230171285A1 (en) Edge network-based account protection service
CN105812480B (en) Remote management device for intelligent bulk-grain transport vehicles and management method thereof
CN104052734A (en) Attack Detection And Prevention Using Global Device Fingerprinting
CN101854340A (en) Behavior based communication analysis method carried out based on access control information
CN105009132A (en) Event correlation based on confidence factor
CN101438255A (en) Network and application attack protection based on application layer message inspection
CN109462599A (en) Honeypot management system
CN107347047A (en) Attack guarding method and device
CN114679292B (en) Honeypot identification method, device, equipment and medium based on network space mapping
CN107992771A (en) Data desensitization method and device
CN115242434A (en) Application program interface API identification method and device
US11190589B1 (en) System and method for efficient fingerprinting in cloud multitenant data loss prevention
KR101201629B1 (en) Cloud computing system and Method for Security Management for each Tenant in Multi-tenancy Environment
CN116956252A (en) Self-adaptive management method and system for platform multi-user renting
CN114124453B (en) Processing method and device of network security information, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant