CN110545276A - threat event warning method and device, warning equipment and machine-readable storage medium - Google Patents

threat event warning method and device, warning equipment and machine-readable storage medium

Info

Publication number: CN110545276A
Authority: CN (China)
Prior art keywords: sub-event, association, events, information
Legal status: Granted
Application number: CN201910828683.2A
Other languages: Chinese (zh)
Other versions: CN110545276B (en)
Inventor: 顾成杰
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN201910828683.2A
Publication of CN110545276A
Application granted
Publication of CN110545276B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Alarm Systems (AREA)

Abstract

Embodiments of the invention provide a threat event warning method, a threat event warning device, an alarm device and a machine-readable storage medium. An association model defines the association rules among different specified sub-events and the matching conditions for the security information of each specified sub-event, and so reflects the process by which several specified sub-events together make up one threat event. Association analysis is performed on all received sub-events using this model. Because the model matches both the security-information matching conditions and the association rules, it can uncover potential threat events that are hard to detect by analysing a single sub-event in isolation, and it associates several related sub-events into one threat event for alerting. This markedly reduces the number of alarm messages and therefore the burden on the network administrator who processes them.

Description

Threat event warning method and device, warning equipment and machine-readable storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular to a threat event warning method and apparatus, an alarm device and a machine-readable storage medium.
Background
As network environments grow more complex, network attacks are increasingly common. To protect the terminals in a network system, the network of a large organisation usually deploys many security devices, such as firewalls, IPS (Intrusion Prevention System) devices and switches, to monitor the terminals, and different devices monitor different security events. Each security device sends the alarm information for a security event it detects on a terminal to a back-end alarm device; once the alarm device sees that some security device has detected the event on the terminal, it generates event alarm information to tell the network administrator that the security event has occurred against that terminal.
However, because each security device monitors the terminal independently and reports its own alarm information, and because the number of devices is large, the volume of alarm information is very large, and processing it places a heavy burden on the network administrator.
Disclosure of Invention
An object of the embodiments of the invention is to provide a threat event warning method, a threat event warning device, an alarm device and a machine-readable storage medium, so as to reduce the number of alarm messages. The technical scheme is as follows:
In a first aspect, an embodiment of the invention provides a method for alerting on a threat event, the method comprising:
receiving security information of sub-events reported by each device in a specified network;
performing association analysis on the received security information of all sub-events using a pre-established association model to obtain an association analysis result, wherein the association model is a preset model comprising matching conditions for the security information of a plurality of specified sub-events and association rules among those specified sub-events; and
generating threat event alarm information based on the association analysis result.
In a second aspect, an embodiment of the invention provides a threat event warning apparatus, comprising:
a receiving module, configured to receive security information of sub-events reported by each device in a specified network;
an analysis module, configured to perform association analysis on the received security information of all sub-events using a pre-established association model to obtain an association analysis result, wherein the association model is a preset model comprising matching conditions for the security information of a plurality of specified sub-events and association rules among those specified sub-events; and
a generating module, configured to generate threat event alarm information based on the association analysis result.
In a third aspect, an embodiment of the invention provides an alarm device comprising a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions that the processor can execute, and the machine-executable instructions cause the processor to perform the method provided by the first aspect.
In a fourth aspect, an embodiment of the invention provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to perform the method provided by the first aspect.
The alarm device receives the security information of sub-events reported by each device in a specified network, performs association analysis on all of it using a pre-established association model, and generates threat event alarm information from the result. Because the association model defines both the matching conditions for each specified sub-event's security information and the association rules among the specified sub-events, it reflects the process by which several sub-events make up one threat event. Matching the received sub-events against those conditions and rules can uncover potential threat events that analysing any single sub-event would miss, and it associates the related sub-events into one threat event for alerting, which markedly reduces the number of alarm messages and the administrator's burden in processing them.
Drawings
To illustrate the embodiments of the invention or the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of a threat event alerting method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a correlation model according to an embodiment of the present invention;
FIG. 3 is a flow chart illustrating matching of sequentially associated sub-events according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating the matching procedure for AND-logically associated sub-events according to an embodiment of the present invention;
FIG. 5 is a flow chart illustrating matching of OR-logically associated sub-events according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating the six rule types according to an embodiment of the present invention;
FIG. 7 is a schematic illustration of a list of threat events according to an embodiment of the invention;
FIG. 8 is a diagram illustrating a sub-event list according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an association model in a worm virus attack event alarm scenario according to an embodiment of the present invention;
FIG. 10 is a schematic flow chart illustrating the generation of warning information in a worm virus attack event warning scenario according to an embodiment of the present invention;
FIG. 11 is a diagram illustrating a list of threat events in a worm virus attack event alert scenario according to an embodiment of the present invention;
FIG. 12 is a diagram illustrating a sub-event list corresponding to a sub-event B in a worm virus attack event alert scenario according to an embodiment of the present invention;
FIG. 13 is a diagram illustrating a sub-event list corresponding to a sub-event C in a worm virus attack event alert scenario according to an embodiment of the present invention;
FIG. 14 is a schematic structural diagram of a threat event alert device according to an embodiment of the present invention;
Fig. 15 is a schematic structural diagram of an alarm device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the invention.
In order to reduce the number of alarm messages and the burden on the network administrator in processing them, embodiments of the invention provide a threat event alarm method, apparatus, alarm device and machine-readable storage medium. The threat event warning method is described first.
The threat event warning method may be executed by an alarm device, that is, a device with a security event alerting function; it may be a back-end server of the network system.
As shown in fig. 1, the method includes at least the following steps.
S101: receive security information of sub-events reported by each device in the specified network.
The alarm device raises security event alarms for the specified network. The security devices (firewalls, IPS devices, switches and the like), network devices, terminal devices and business systems in that network can record network accesses, attack events and so on, and send the resulting logs, alarms and other security information to the alarm device. The security information may include the sub-event type, the sub-event name, the time the sub-event occurred, the device information of the terminal, and so on.
The sub-events detected by the devices in the specified network reflect the individual steps of an attack as it unfolds, such as a scan of the terminal, a buffer overflow, or a trojan implant.
Optionally, after S101 the method may further normalise the received security information of each sub-event, so that the security information of all sub-events has a uniform data format.
Because devices of different brands and models report the security information they collect in different data formats, the alarm device can first normalise the security information of the sub-events reported by each device in the network, so that all of it is in the same data format and can be analysed uniformly in the later steps.
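The normalisation step described above, as an added example that is not part of the patent: two constructed device formats (a key=value syslog-style firewall line and an IPS JSON record) are mapped onto one schema with a UTC epoch timestamp. The field names, the `SubEvent` schema and the sample lines are assumptions made for the example; the one design point worth copying is that records which fail to parse are returned to the caller instead of being dropped, since a silently discarded sub-event is a missed step in a later association.

```python
"""Normalise sub-event security information reported in different formats.

Added example, not the patent's code: two constructed device formats (a
key=value syslog-style firewall line and an IPS JSON record) are mapped onto
one schema with a UTC epoch timestamp, and anything unparsable is handed back
rather than silently dropped.
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SubEvent:
    """Uniform schema consumed by the association analysis."""
    event_type: str              # sub-event type, e.g. "scan", "overflow"
    name: str                    # device-specific sub-event name, kept for display
    time: int                    # occurrence time, seconds since the epoch, UTC
    terminal: str                # device information of the affected terminal (IP here)
    source_device: str           # reporting device
    attrs: Dict[str, str] = field(default_factory=dict)   # anything else, e.g. cpu


# Constructed firewall line: "<134>2024-05-01T10:00:05Z fw1 evt=scan name=PortSweep dst=10.0.0.7 src=203.0.113.9"
_FW_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<body>.*)$")


def parse_firewall_kv(line: str) -> Optional[SubEvent]:
    m = _FW_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("body").split() if "=" in tok)
    try:
        ts = int(datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")).timestamp())
        extra = {k: v for k, v in kv.items() if k not in ("evt", "name", "dst")}
        return SubEvent(kv["evt"], kv["name"], ts, kv["dst"], m.group("host"), extra)
    except (KeyError, ValueError):
        return None                      # malformed: reject, do not guess fields


def parse_ips_json(line: str) -> Optional[SubEvent]:
    """Constructed IPS record: {"sensor","category","sig","epoch_ms","victim","extra"}."""
    try:
        rec = json.loads(line)
        extra = {k: str(v) for k, v in rec.get("extra", {}).items()}
        return SubEvent(rec["category"], rec["sig"], int(rec["epoch_ms"]) // 1000,
                        rec["victim"], rec["sensor"], extra)
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


PARSERS: Dict[str, Callable[[str], Optional[SubEvent]]] = {
    "firewall": parse_firewall_kv,
    "ips": parse_ips_json,
}


def normalise(device_kind: str, line: str) -> Optional[SubEvent]:
    """Dispatch on the reporting device family; unknown families are not parsed."""
    parser = PARSERS.get(device_kind)
    return parser(line) if parser else None


def normalise_batch(records: List[Tuple[str, str]]) -> Tuple[List[SubEvent], List[Tuple[str, str]]]:
    """Returns (normalised sub-events, rejected raw records) so nothing is lost silently."""
    ok, rejected = [], []
    for kind, line in records:
        ev = normalise(kind, line)
        if ev is None:
            rejected.append((kind, line))
        else:
            ok.append(ev)
    return ok, rejected


# Constructed sample feed: two parsable records and one malformed firewall line.
SAMPLE_FEED = [
    ("firewall", "<134>2024-05-01T10:00:05Z fw1 evt=scan name=PortSweep dst=10.0.0.7 src=203.0.113.9"),
    ("ips", '{"sensor":"ips2","category":"overflow","sig":"SMB_BUFFER_OVERFLOW",'
            '"epoch_ms":1714557615000,"victim":"10.0.0.7","extra":{"proto":"smb"}}'),
    ("firewall", "<134>2024-05-01T10:00:30Z fw1 garbage without fields"),
]

if __name__ == "__main__":
    events, bad = normalise_batch(SAMPLE_FEED)
    for e in events:
        print(e)
    print("rejected:", bad)
```

The rejected list is what should go to a dead-letter queue or a parser-error metric; in a real deployment the per-device parsers are where most of the maintenance effort lands, so keeping them small and table-driven, as `PARSERS` does, is what makes adding a new device model cheap.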
S102: perform association analysis on the received security information of all sub-events using a pre-established association model to obtain an association analysis result, where the association model is a preset model comprising matching conditions for the security information of a plurality of specified sub-events and association rules among those specified sub-events.
An external intrusion into the specified network, or a policy violation by a device inside it, is rarely a single action; the individual behaviours are related in sequence or in logic. A typical remote buffer overflow attack, for example, goes through several steps, such as scanning, a buffer overflow attempt, shellcode execution, obtaining remote access, and further damage. Each step may trigger different sub-events, some of which reflect the attacker's dynamic behaviour and some of which reflect a change in the state of the attacked terminal.
To handle this, an association model is established in advance on the alarm device. The association model is a preset model that includes matching conditions for the security information of a plurality of specified sub-events and association rules among those sub-events; it reflects the dynamic process and state of a threat event and models an attack scenario. As shown in fig. 2, in one implementation the association model is a tree-shaped association model built from tree-shaped association rules: the rules define the matching conditions for the security information of the specified sub-events and the association rules among them, describe the attack behaviours or attack states of a series of steps, and so abstract the attack process. The tree-shaped model is only an example; any model that includes matching conditions for the security information of a plurality of specified sub-events and association rules among them can serve as the association model and falls within the scope of the embodiments. The association rules include at least logical association and/or sequential association.
In practice a uniform way to describe and store the association model in detail is needed, both for adding and maintaining models and for the alarm device to load and evaluate them when associating sub-events. The association model can be built and stored in a language or tool such as XML (Extensible Markup Language) or a spreadsheet (EXCEL). XML has strong data-description capability and a hierarchical structure, which makes it convenient to express the model; it is well structured and easy to extend, which helps with maintaining and porting the model.
S103: generate threat event alarm information based on the association analysis result.
Association analysis of the received security information of all sub-events against the association model yields, for each sub-event, whether its security information matches the matching condition of some specified sub-event in the model and whether the sub-event satisfies the association rule corresponding to that specified sub-event. From this result the alarm device determines whether a threat event exists against the specified network or a device in it, and generates the corresponding threat event alarm information.
A threat event that is hard to find when sub-events are analysed separately can be found through the association analysis of the association model, and the alarm is raised for the associated threat event rather than for each sub-event, which markedly reduces the amount of alarm information.
Optionally, S102 may specifically be: for each received sub-event in turn, determine whether its security information matches the matching condition of any specified sub-event in the association model and whether the sub-event satisfies the association rule corresponding to that specified sub-event, giving the association analysis result.
S103 may specifically be: for each sub-event, if its security information matches the matching condition corresponding to a specified sub-event in the association model and the sub-event satisfies the association rule corresponding to that specified sub-event, generate the threat event alarm information related to the sub-event.
For example, five sub-events (sub-event 1 to sub-event 5) are defined in the association model, with the association rules: given that sub-event 1 or sub-event 2 has occurred, if sub-event 3 occurs then threat event A has occurred; and if sub-event 5 occurs after sub-event 4, threat event B has occurred. After receiving the security information of the sub-events reported in the network, if some sub-event matches the matching condition of sub-event 1, then sub-event 1 has occurred and the "sub-event 1 or sub-event 2" rule is satisfied, so the alarm device checks whether a sub-event matching sub-event 3 exists; if one does, threat event A has occurred and alarm information for threat event A is generated. If some sub-event matches the matching condition of sub-event 4, sub-event 4 has occurred, but if no sub-event matches the matching condition of sub-event 5, threat event B has not occurred and no alarm information for threat event B is generated.
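The XML-stored association model and the S102/S103 matching described above, as an added example that is not the patent's code. The XML element and attribute names (`threat_event`, `sequence`, `any`, `all`, `sub_event`, `window`, `join`) are my assumptions; the patent does not fix a schema. Sub-events arrive already labelled with the specified sub-event whose matching condition they satisfied, and the model joins them on the terminal field with an equality connection condition, so a sub-event 2 on one terminal never completes a chain that started on another. The example goes slightly beyond the text's five-sub-event case in that the same engine also evaluates an AND step and a time window.

```python
"""Tree-shaped association model kept in XML, and the association pass over it.

Added example, not the patent's code. Sub-events arrive already labelled with
the specified sub-event whose matching condition they satisfied ("sub"), and
the model joins them on the terminal field with an equality connection
condition. Element and attribute names are my own assumptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List

# Constructed model for the example in the text: threat event A fires when
# sub-event 3 follows sub-event 1 or 2 on the same terminal within the window;
# threat event B fires when sub-event 5 follows sub-event 4.
MODEL_XML = """
<association_model>
  <threat_event name="A" level="high" window="600">
    <sequence join="terminal">
      <any><sub_event ref="sub1"/><sub_event ref="sub2"/></any>
      <sub_event ref="sub3"/>
    </sequence>
  </threat_event>
  <threat_event name="B" level="medium" window="600">
    <sequence join="terminal">
      <sub_event ref="sub4"/>
      <sub_event ref="sub5"/>
    </sequence>
  </threat_event>
</association_model>
"""


def load_model(xml_text: str) -> List[dict]:
    """Parse the XML into threat events whose steps are ('one'|'any'|'all', [refs]).

    The outer <sequence> is the sequential association; <any> and <all> inside
    it are the OR-logical and AND-logical associations. Use defusedxml instead
    of the stdlib parser if model files come from an untrusted source.
    """
    model = []
    for te in ET.fromstring(xml_text).findall("threat_event"):
        seq = te.find("sequence")
        steps = []
        for node in seq:
            if node.tag == "sub_event":
                steps.append(("one", [node.get("ref")]))
            elif node.tag in ("any", "all"):
                steps.append((node.tag, [c.get("ref") for c in node.findall("sub_event")]))
            else:
                raise ValueError(f"unknown node <{node.tag}> in threat_event {te.get('name')}")
        model.append({"name": te.get("name"), "level": te.get("level"),
                      "window": int(te.get("window")), "join": seq.get("join"), "steps": steps})
    return model


def _fresh() -> dict:
    return {"i": 0, "seen": set(), "t0": None, "members": []}


def correlate(model: List[dict], events: List[dict]) -> List[dict]:
    """events: dicts with 'sub', 'time' (seconds) and the join field. Returns alerts."""
    alerts = []
    for te in model:
        state: Dict[str, dict] = defaultdict(_fresh)   # one matcher per join-key value
        for ev in sorted(events, key=lambda e: e["time"]):
            key = ev[te["join"]]
            st = state[key]
            if st["t0"] is not None and ev["time"] - st["t0"] > te["window"]:
                st = state[key] = _fresh()               # window expired: start over
            kind, refs = te["steps"][st["i"]]
            if ev["sub"] not in refs:
                continue                                 # not what the current step waits for
            if st["t0"] is None:
                st["t0"] = ev["time"]
            st["members"].append(ev["sub"])
            st["seen"].add(ev["sub"])
            if kind == "all" and st["seen"] != set(refs):
                continue                                 # AND step still incomplete
            st["i"] += 1
            st["seen"] = set()
            if st["i"] == len(te["steps"]):
                alerts.append({"threat": te["name"], "level": te["level"], te["join"]: key,
                               "sub_events": list(st["members"])})
                state[key] = _fresh()                    # one alarm per completed chain
    return alerts


# Constructed sub-events already tagged with the specified sub-event they matched.
SAMPLE_EVENTS = [
    {"sub": "sub1", "time": 100, "terminal": "10.0.0.7"},
    {"sub": "sub3", "time": 160, "terminal": "10.0.0.7"},   # completes A on 10.0.0.7
    {"sub": "sub4", "time": 200, "terminal": "10.0.0.8"},   # B waits for sub5, which never comes
    {"sub": "sub3", "time": 210, "terminal": "10.0.0.9"},   # sub3 with no predecessor: nothing
    {"sub": "sub2", "time": 300, "terminal": "10.0.0.8"},
    {"sub": "sub3", "time": 310, "terminal": "10.0.0.7"},   # different terminal from sub2: no join
]

if __name__ == "__main__":
    for alert in correlate(load_model(MODEL_XML), SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the six constructed sub-events produce exactly one alarm (threat event A on 10.0.0.7, built from sub1 and sub3) and none for B, which is the outcome the worked example in the text describes. Note that the engine only ever looks at the step it is currently waiting for, so an out-of-order or duplicated sub-event is ignored rather than corrupting the chain, and the window check runs before the step check so a stale partial match cannot be completed by a much later sub-event.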
Optionally, the association rules may include at least one of AND-logical association, OR-logical association, and sequential association.
The association rules among sub-events reflect the step relationships between sub-events at different levels and generally include logical association and sequential association.
Sequential association means that only after the security information of one sub-event has matched the matching condition of a specified sub-event in the model is the next sub-event matched against the matching condition of the next specified sub-event. As shown in fig. 3, after sub-event R1 matches its specified sub-event's matching condition, R2 is matched against the next specified sub-event's matching condition, and after R2 matches, R3 is matched in turn.
AND-logical association means that only after the security information of several sub-events has matched the matching conditions of all the corresponding specified sub-events in the model is the next sub-event matched. As shown in fig. 4, only when sub-events R1, R2 and R3 have all matched their matching conditions is R4 matched against the matching condition of the next specified sub-event.
OR-logical association means that once the security information of any one of several sub-events matches the matching condition of its specified sub-event, the next sub-event may be matched. As shown in fig. 5, when any one of R1, R2 and R3 matches its matching condition, R4 can be matched against the matching condition of the next specified sub-event.
Optionally, the matching conditions may include at least one of a statistical matching condition, an intelligence matching condition, a vulnerability matching condition and a state matching condition.
The statistical matching condition is that the number of occurrences of a sub-event within a preset time period is not less than a preset count; the intelligence matching condition is a condition on the device information of the attacked terminal; the vulnerability matching condition is a condition on software information with a vulnerability; the state matching condition is that the CPU (Central Processing Unit) utilisation of the terminal exceeds a preset threshold.
The matching conditions mainly comprise statistical, intelligence, vulnerability and state matching conditions. The statistical matching condition is met when a sub-event occurs no fewer than a preset number of times within a preset time period; for example, a sub-event that occurs at least 5 times within 300 seconds matches the statistical condition. The intelligence matching condition is met when the terminal device information in the received security information of a sub-event is the device information of an attacked terminal; the condition can be set from device information that an external intelligence collection device gathers about the terminals an attacker is targeting and sends to the alarm device. The vulnerability matching condition is met when the terminal software information in the received security information of a sub-event is software information with a vulnerability; the condition can be set from the software information that a vulnerability scanning device finds to be vulnerable on each terminal and sends to the alarm device.
The state matching condition is met when the CPU utilisation of the terminal in the received security information of a sub-event exceeds a preset threshold; for example, a sub-event whose security information reports CPU utilisation above 90% matches the state condition.
In summary, an implementation may include the following six rule types: a logical association rule, a sequential association rule, a statistical matching rule, an intelligence matching rule, a vulnerability matching rule and a state matching rule. Examples of the six rule types are shown in FIG. 6.
(1) Statistical matching: the sub-event occurs no fewer than 5 times in 300 seconds.
(2) Logical association: sub-event C can only occur if sub-event A and sub-event B have both occurred.
(3) State matching: the CPU utilisation of the terminal exceeds 90%, which may indicate a DDoS attack.
(4) Sequential association: sub-event A occurs first, then sub-event B, and finally sub-event C.
(5) Intelligence matching: threat intelligence shows that a ransomware worm is spreading among Windows hosts, and the current terminal is a Windows host.
(6) Vulnerability matching: a certain vulnerability is currently being attacked, and the terminal has that vulnerability.
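The four matching-condition types, applied to a stream of sub-events, as an added example that is not the patent's code. The thresholds are the ones the text gives (at least 5 occurrences in 300 seconds; CPU above 90%); the intelligence feed, the vulnerability-scanner output, the field names and the sub-events themselves are constructed. The output of this step is what the association rules consume: each sub-event is annotated with the conditions it satisfied, and only annotated sub-events go on to be associated.

```python
"""The four matching-condition types applied to a stream of sub-events.

Added example, not the patent's code. The thresholds are the ones the text
gives (at least 5 occurrences in 300 s; CPU above 90 %); the intelligence and
vulnerability feeds, field names and sub-events are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set


class StatisticalMatcher:
    """Sub-event occurred at least `count` times within the last `window` seconds.

    Counted per (sub-event, terminal) key so one noisy terminal cannot trip the
    count for another. Events must be fed in time order.
    """

    def __init__(self, count: int = 5, window: int = 300):
        self.count, self.window = count, window
        self.hits: Dict[str, Deque[int]] = defaultdict(deque)

    def feed(self, key: str, t: int) -> bool:
        q = self.hits[key]
        q.append(t)
        while q and t - q[0] > self.window:     # evict hits outside the sliding window
            q.popleft()
        return len(q) >= self.count


def intelligence_match(ev: dict, targeted_device_info: Set[str]) -> bool:
    """Device information of the terminal is in the intel feed of targeted terminals."""
    return ev.get("terminal_os") in targeted_device_info


def vulnerability_match(ev: dict, vulnerable_software: Dict[str, Set[str]]) -> bool:
    """Terminal runs software the vulnerability scanner reported as vulnerable."""
    return ev.get("software") in vulnerable_software.get(ev["terminal"], set())


def state_match(ev: dict, cpu_threshold: float = 90.0) -> bool:
    """CPU utilisation reported in the security information exceeds the threshold."""
    cpu = ev.get("cpu")
    return cpu is not None and float(cpu) > cpu_threshold


def evaluate(events: List[dict], targeted_device_info: Set[str],
             vulnerable_software: Dict[str, Set[str]]) -> List[dict]:
    """For each sub-event (in time order) list the matching conditions it satisfied."""
    stats = StatisticalMatcher()
    result = []
    for ev in sorted(events, key=lambda e: e["time"]):
        matched = {
            "statistical": stats.feed(f'{ev["sub"]}@{ev["terminal"]}', ev["time"]),
            "intelligence": intelligence_match(ev, targeted_device_info),
            "vulnerability": vulnerability_match(ev, vulnerable_software),
            "state": state_match(ev),
        }
        result.append({"sub": ev["sub"], "time": ev["time"], "terminal": ev["terminal"],
                       "matched": sorted(k for k, hit in matched.items() if hit)})
    return result


# Constructed feeds: intel says Windows hosts are being targeted; the scanner
# found one vulnerable package on 10.0.0.7.
TARGETED_DEVICE_INFO = {"windows"}
VULNERABLE_SOFTWARE = {"10.0.0.7": {"smb-server 1.0"}}

# Constructed sub-events: five login failures in 240 s, a sixth much later with
# the CPU pegged, and one unrelated event on a Linux host.
SAMPLE_EVENTS = [
    {"sub": "login_fail", "time": t, "terminal": "10.0.0.7", "terminal_os": "windows",
     "software": "smb-server 1.0", "cpu": 40}
    for t in (0, 60, 120, 180, 240)
] + [
    {"sub": "login_fail", "time": 1000, "terminal": "10.0.0.7", "terminal_os": "windows",
     "software": "smb-server 1.0", "cpu": 95},
    {"sub": "login_fail", "time": 1010, "terminal": "10.0.0.8", "terminal_os": "linux",
     "software": "nginx", "cpu": 20},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS, TARGETED_DEVICE_INFO, VULNERABLE_SOFTWARE):
        print(row)
```

The fifth login failure is the first to satisfy the statistical condition, and the sixth, 760 seconds later, no longer does because the earlier hits have left the window, which is the behaviour a count-in-period rule should have. The per-key deques grow with the number of distinct (sub-event, terminal) pairs, so a production matcher needs an idle-key eviction policy, otherwise an attacker who spoofs many terminal addresses can grow the state table without bound.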
Optionally, after executing S103, the method may further:
record the alarm information of the threat event and the association rules among all the sub-events in a threat event list, and present the threat event list on an event page;
and/or
record the security information and the matching conditions of all the sub-events in a sub-event list, and present the sub-event list on an event page.
During threat event alerting, the threat event is a new potential security event obtained by association analysis of several related sub-events, so its alarm information and the association rules among all the sub-events can be stored, specifically in a threat event list, which is then presented on an event page. The threat event list presented on the event page is shown in fig. 7; its parameters mainly include:
(1) Event name: the unique identifier of the threat event.
(2) Event description: information about the event.
(3) Association condition: a logical expression of how the association analysis is performed on sub-events, stating which matching conditions are used and the specific connection conditions and sequence relationships among them.
Matching condition: a combined condition used to match an event of a certain type.
Connection condition: the field on which sub-events satisfying different matching conditions are joined, and the operator used to join them, which may be =, !=, >, <, <= or >=.
Sequence relationship between matching conditions: one of "sequential match", "full match" and "any match". "Sequential match" means sub-events satisfying the matching conditions occur in order, "full match" means sub-events satisfying all the matching conditions occur, and "any match" means a sub-event satisfying any one of the matching conditions occurs.
(4) Time window: the time period over which the threat event is evaluated; the alarm is raised only when the specified number of occurrences is reached within the time window. The window may be expressed in minutes, hours or days, must be a positive integer, and has an upper limit of 60 days.
(5) Threat level: the defined threat level of the threat event, which can be very low, medium, high or very high.
(6) Event alarm description: a detailed description of the threat event that was successfully matched.
Similarly, the security information and the matching conditions of all the sub-events may also be stored, specifically in a sub-event list, which is then presented on the event page. The sub-event list presented on the event page is shown in fig. 8; its parameters mainly include:
(1) Sub-event name: the unique identifier of the sub-event.
(2) Sub-event description: descriptive information about the sub-event.
(3) Matching condition: the matching condition the sub-event requires; a successful match means the sub-event is one that participates in an association rule with other sub-events.
(4) Time window: the period over which occurrences of the sub-event are counted; the sub-event is reported only when the number of occurrences within the window reaches the specified count. The window is a positive integer number of minutes, hours or days, with an upper limit of 1 day.
(5) Threat level: the threat level assigned to the sub-event, which may be very low, medium, high or very high.
By applying the embodiment of the present invention, the alerting device receives the security information of the sub-events reported by each device in the specified network, performs association analysis on the received security information of all sub-events using a pre-established association model to obtain an association analysis result, and generates threat event alert information based on that result. The association model is a preset model that contains the matching conditions of the security information of a plurality of specified sub-events and the association rules among those sub-events; it therefore describes how a threat event is built up from several sub-events. Matching all received sub-events against the model's matching conditions and association rules surfaces potential threat events that are hard to see from any single sub-event, and folds the related sub-events into one threat event alert. This markedly reduces the number of alerts and the load on the network administrator who has to handle them.
For ease of understanding, a worm virus attack event is taken as an example below. The association model shown in fig. 9 is used to raise the event alert; the alert generation process, shown in fig. 10, mainly comprises the following steps:
Generating the alert information of event A involves association analysis of two sub-events:
Sub-event B: the firewall detects a virus. The security information of sub-event B mainly includes the protocol type, application protocol name, source IP (Internet Protocol) address, source port, destination IP address, destination port, source VPN (Virtual Private Network) name, source security zone name, destination security zone name, policy name, virus identifier, severity, action name, count, and so on. Sub-event B is matched by state matching: the firewall finds the virus payload signature and the terminal is a Windows host, so sub-event B is determined to have occurred.
Sub-event C: a brute-force event. The security information of sub-event C mainly includes the protocol name, source IP address, destination IP address, action type, attack start time, count, and so on. Sub-event C is matched by statistical matching: the firewall finds that a port has been scanned a predetermined number of times, and sub-event C is determined to have occurred.
For event A, "worm virus attack detected", the security information of sub-events B and C is analysed against the logical association defined by the association model: because sub-event B ("virus detected") and sub-event C ("port scan detected") both occur within a period of time, the threat event "worm virus attack detected" is identified.
Accordingly, the threat event list shown in fig. 11 records the threat event "worm virus attack detected" and presents it on the event page. In the list, #1 denotes sub-event C and #2 denotes sub-event B. "#1.exist=1" and "#2.exist=1" state that the matching conditions of sub-event C and sub-event B must both be satisfied (a value of 1 means the corresponding sub-event exists). "#1.dstip=#2.dstip" is the connection condition: the destination IP of sub-event C is the host attacked by the worm of sub-event B (as the event alert description says). "seq{#1,#2}" states that the two sub-events are matched sequentially, i.e. sub-event C is matched first and sub-event B afterwards. "300=atleast{1}" states that an alert is raised if at least one worm virus attack is detected within 300 seconds. "max{#1.threatlevel,#2.threatlevel}" states that the threat level of threat event A is the greater of the threat levels of sub-events C and B.
Likewise, the sub-event list shown in fig. 12 records the sub-event "port scan event", the sub-event list shown in fig. 13 records the sub-event "firewall detected virus event", and both lists are presented on the event page. There, "#1.result" indicates that the detection result of sub-event C is a successful scan; "100=atleast{20}" means an alert is raised if at least 20 scan events are detected within 100 seconds; and the threat level of sub-event C is level 2. "threat>=MEDIUM" indicates that the virus attack detected by sub-event B is of at least medium severity; "#2.result" indicates that the detection result of sub-event B is a successful virus attack; "100=atleast{1}" means an alert is raised if at least one virus attack event is detected within 100 seconds; and the threat level of sub-event B is level 1. In summary, the threat level of threat event A is the greater of the threat levels of sub-events C and B, namely level 2.
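As an added example (not code from the patent or from H3C), the following Python evaluator carries the threat event list of the worm example above, and the connection-condition, sequence-relation and time-window parameters described for the threat event list, through in working code: the rule "WORM_RULE" renders "#1.exist=1", "#2.exist=1", "#1.dstip=#2.dstip", "seq{#1,#2}", "300=atleast{1}" and "max{#1.threatlevel,#2.threatlevel}" in a small dict form, and the evaluator also supports the "full match" and "any match" relations. The sub-event reports are constructed input that is assumed to have already passed the sub-events' own matching (so no per-sub-event counting is repeated here); the field names, the rule format and the reading of "atleast" as a count of completed matches inside the window are this example's own assumptions.

```python
"""Threat-event correlation over already-reported sub-events.

Added example, not the patent's or H3C's code. A sub-event report is assumed
to be a dict with ts (seconds), kind, dstip and level (an integer, as in the
page's "level 1"/"level 2"). The rule dict below is this example's own
rendering of the page's #1/#2, connection-condition, seq/all/any and atleast
notation.
"""

# comparison operators the page lists for connection conditions
OPS = {"=": lambda x, y: x == y, "!=": lambda x, y: x != y,
       ">": lambda x, y: x > y, "<": lambda x, y: x < y,
       ">=": lambda x, y: x >= y, "<=": lambda x, y: x <= y}

# the page's worm example: #1 = sub-event C (port scan), #2 = sub-event B (virus found)
WORM_RULE = {
    "name": "worm_virus_attack",
    "members": {"#1": "port_scan", "#2": "firewall_virus"},  # #1.exist=1, #2.exist=1
    "connect": [("#1", "dstip", "=", "#2", "dstip")],        # #1.dstip = #2.dstip
    "relation": "seq", "order": ["#1", "#2"],                # seq{#1, #2}; also "all" / "any"
    "window_s": 300, "at_least": 1,                          # 300 = atleast{1}
}

# constructed sub-event reports (not real telemetry), each already past its own matching
SUB_EVENT_REPORTS = [
    {"ts": 100, "kind": "port_scan",      "dstip": "10.0.1.20", "level": 2},
    {"ts": 160, "kind": "firewall_virus", "dstip": "10.0.1.20", "level": 1},  # same host, 60 s later
    {"ts": 200, "kind": "firewall_virus", "dstip": "10.0.1.21", "level": 1},  # no preceding scan
    {"ts": 300, "kind": "firewall_virus", "dstip": "10.0.1.22", "level": 1},  # virus before scan
    {"ts": 350, "kind": "port_scan",      "dstip": "10.0.1.22", "level": 2},
    {"ts": 400, "kind": "port_scan",      "dstip": "10.0.1.23", "level": 2},
    {"ts": 800, "kind": "firewall_virus", "dstip": "10.0.1.23", "level": 1},  # 400 s later: outside window
]


def _connections_hold(chain, conds):
    """Check every connection condition whose two sides are both bound."""
    return all(OPS[op](chain[ta][fa], chain[tb][fb])
               for ta, fa, op, tb, fb in conds if ta in chain and tb in chain)


def correlate(sub_events, rule):
    """Return one alert per completed match of `rule`.

    A chain binds one report per member tag. "seq" binds members in the listed
    order, "all" in any order, "any" fires on a single member. A chain must fit
    inside window_s and satisfy the connection conditions; at_least completed
    chains inside window_s raise the alert (this example's reading of the
    page's "alert only when the count within the window reaches the number")."""
    tags = {kind: tag for tag, kind in rule["members"].items()}
    order, relation, window = rule["order"], rule["relation"], rule["window_s"]
    complete, partial = [], []
    for e in sorted(sub_events, key=lambda ev: ev["ts"]):
        tag = tags.get(e["kind"])
        if tag is None:
            continue
        if relation == "any":
            complete.append({tag: e})
            continue
        # drop partial chains whose window has expired
        partial = [c for c in partial if e["ts"] - min(v["ts"] for v in c.values()) <= window]
        placed = False
        for i, chain in enumerate(partial):
            if tag in chain or (relation == "seq" and order[len(chain)] != tag):
                continue
            cand = {**chain, tag: e}
            if not _connections_hold(cand, rule["connect"]):
                continue
            if len(cand) == len(order):
                complete.append(cand)
                del partial[i]
            else:
                partial[i] = cand
            placed = True
            break
        if not placed and (relation == "all" or tag == order[0]):
            partial.append({tag: e})
    alerts = []
    for chain in complete:
        done = max(v["ts"] for v in chain.values())
        recent = [c for c in complete if 0 <= done - max(v["ts"] for v in c.values()) <= window]
        if len(recent) >= rule["at_least"]:
            alerts.append({"event": rule["name"], "ts": done,
                           "level": max(v["level"] for v in chain.values()),  # max{#1.threatlevel, #2.threatlevel}
                           "members": chain})
    return alerts
```

With the sequential relation only the first pair (scan at 100 s, virus at 160 s on 10.0.1.20) produces an alert, at level 2; the virus-then-scan pair on 10.0.1.22 is rejected by the order check but accepted once the relation is changed to "all", and the pair on 10.0.1.23 is rejected by the 300 s window either way.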
Corresponding to the above method embodiment, an embodiment of the present invention provides a threat event alerting apparatus, shown in fig. 14, which may include:
a receiving module 1410, configured to receive the security information of the sub-events reported by each device in a specified network;
an analysis module 1420, configured to perform association analysis on the received security information of all sub-events using a pre-established association model to obtain an association analysis result, where the association model is a preset model containing the matching conditions of the security information of a plurality of specified sub-events and the association rules among those specified sub-events; and
a generating module 1430, configured to generate threat event alert information based on the association analysis result.
Optionally, the apparatus may further include:
a normalization module, configured to normalize the received security information of each sub-event so that the security information of all sub-events has a uniform data format.
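As an added example (not code from the patent or from H3C), the following Python module shows what such a normalization module does: it parses two constructed device formats (a firewall key=value line and an endpoint-agent JSON record, both invented for this illustration) into one uniform sub-event schema, harmonizes event kind names, timestamps and threat levels, and counts records it cannot normalize instead of dropping them silently. The uniform field names, the kind aliases and the level scale are assumptions.

```python
"""Normalizing heterogeneous device reports into one sub-event schema.

Added example, not the patent's or H3C's code. Both input formats, the uniform
field names, the kind aliases and the level scale are assumptions made for
illustration.
"""
import json
import re
from datetime import datetime, timezone

# assumed uniform schema: every normalized sub-event has exactly these keys
UNIFORM_FIELDS = ("ts", "device", "kind", "src_ip", "dst_ip", "level")
# assumed ordinal threat-level scale (names follow the page's wording)
LEVELS = {"very_low": 0, "low": 1, "medium": 2, "high": 3, "very_high": 4}
# assumed names different products use for the same sub-event kind
KIND_ALIASES = {"virus": "firewall_virus", "av_detect": "firewall_virus",
                "portscan": "port_scan", "port_scan": "port_scan"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_firewall_kv(line):
    """'<iso-time> <host> key=value ...' (constructed format) -> raw dict."""
    ts, host, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    return {"ts": ts, "host": host, **fields}


def parse_edr_json(text):
    """Endpoint-agent record (constructed format) -> raw dict."""
    return json.loads(text)


# per-source mapping: uniform field -> key in that source's raw record
FIELD_MAPS = {
    "firewall": {"ts": "ts", "device": "host", "kind": "event",
                 "src_ip": "srcip", "dst_ip": "dstip", "level": "severity"},
    "edr": {"ts": "time", "device": "agent", "kind": "type",
            "src_ip": "source", "dst_ip": "target", "level": "sev"},
}
PARSERS = {"firewall": parse_firewall_kv, "edr": parse_edr_json}


def _to_epoch(value):
    """Accept epoch seconds or an ISO-8601 UTC string; return int seconds."""
    if isinstance(value, (int, float)):
        return int(value)
    return int(datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def normalize(source, raw):
    """Parse one raw report from `source` into the uniform schema.
    Returns None when a required field is missing or a value is unknown,
    so a malformed report can never reach the correlation stage half-filled."""
    try:
        rec = PARSERS[source](raw)
        fmap = FIELD_MAPS[source]
        out = {f: rec[fmap[f]] for f in UNIFORM_FIELDS}
        out["ts"] = _to_epoch(out["ts"])
        out["kind"] = KIND_ALIASES[str(out["kind"]).lower()]
        out["level"] = LEVELS[str(out["level"]).lower()]
        return out
    except (KeyError, ValueError, json.JSONDecodeError):
        return None


def normalize_all(reports):
    """Normalize (source, raw) pairs, sorted by time; count the rejects."""
    good, rejected = [], 0
    for source, raw in reports:
        rec = normalize(source, raw)
        if rec is None:
            rejected += 1
        else:
            good.append(rec)
    good.sort(key=lambda r: r["ts"])
    return good, rejected


RAW_REPORTS = [  # constructed sample input, not real device logs
    ("firewall", '2019-09-03T10:15:02Z fw1 event=virus srcip=10.0.0.9 dstip=10.0.1.20 '
                 'virusid="Worm.Generic" severity=MEDIUM'),
    ("edr", '{"time": 1567505650, "agent": "edr-7", "type": "portscan", '
            '"source": "10.0.0.9", "target": "10.0.1.20", "sev": "low"}'),
    ("edr", '{"time": "not-a-time", "agent": "edr-7", "type": "portscan"}'),  # rejected
]
```

The two valid reports come out with the same keys, integer timestamps and an ordinal level, which is what lets a correlation rule join them on dst_ip and compare levels without knowing which product produced each record.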
Optionally, the analysis module 1420 may be specifically configured to:
for each received sub-event in turn, judge whether the security information of the sub-event matches the matching condition of the security information of any specified sub-event in the association model and whether the sub-event matches the association rule corresponding to that specified sub-event, so as to obtain the association analysis result;
and the generating module 1430 may be specifically configured to:
for each sub-event, if the security information of the sub-event matches the matching condition corresponding to any specified sub-event in the association model and the sub-event matches the association rule corresponding to that specified sub-event, generate threat event alert information relating to the sub-event.
Optionally, the matching condition may include at least one of a statistical matching condition, an intelligence matching condition, a vulnerability matching condition and a state matching condition:
the statistical matching condition is that the number of occurrences of a sub-event within a preset period is not less than a preset count; the intelligence matching condition is a condition on the device information of the attacked terminal; the vulnerability matching condition is a condition on the software information of software that has a vulnerability; and the state matching condition is that the CPU utilization of the terminal exceeds a preset threshold.
The association rules include at least one of OR logical association, AND logical association and sequential association, which correspond to the "any match", "full match" and "sequential match" relations of the threat event list.
Optionally, the apparatus may further include a display module configured to:
record the alert information of the threat event and the association rules among all the sub-events in a threat event list, and present the threat event list on an event page;
and/or
record the security information and the matching conditions of all the sub-events in a sub-event list, and present the sub-event list on the event page.
By applying this embodiment, the alerting device receives the security information of the sub-events reported by each device in the specified network, performs association analysis on it using the pre-established association model (a preset model containing the matching conditions of the security information of a plurality of specified sub-events and the association rules among them), and generates threat event alert information from the result. As with the method embodiment, matching all received sub-events against the model's matching conditions and association rules surfaces potential threat events that are hard to see from any single sub-event and folds the related sub-events into one threat event alert, which markedly reduces the number of alerts and the load on the network administrator.
An embodiment of the present invention further provides an alerting device, shown in fig. 15, comprising a processor 1501 and a machine-readable storage medium 1502. The storage medium 1502 stores machine-executable instructions that can be executed by the processor 1501, and those instructions cause the processor 1501 to perform all the steps of the threat event alerting method provided by the embodiment of the present invention.
The machine-readable storage medium may include RAM (Random Access Memory) and NVM (Non-Volatile Memory), for example at least one disk memory. Alternatively, the machine-readable storage medium may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor) and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In this embodiment, by reading the machine-executable instructions stored in the machine-readable storage medium 1502, the processor 1501 is caused to: receive the security information of the sub-events reported by each device in the specified network; perform association analysis on the received security information of all sub-events using the pre-established association model (a preset model containing the matching conditions of the security information of a plurality of specified sub-events and the association rules among them) to obtain an association analysis result; and generate threat event alert information based on that result. The effect is the same as for the method embodiment: potential threat events that are hard to see from any single sub-event are surfaced, related sub-events are folded into one threat event alert, the number of alerts drops markedly, and the network administrator's load is reduced.
In addition, an embodiment of the present invention further provides a machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to perform all the steps of the threat event alerting method provided by the embodiment of the present invention.
In this embodiment, the machine-executable instructions on the machine-readable storage medium, when run, implement the threat event alerting method of the embodiment: the alerting device receives the security information of the sub-events reported by each device in the specified network, performs association analysis on it using the pre-established association model (a preset model containing the matching conditions of the security information of a plurality of specified sub-events and the association rules among them), and generates threat event alert information from the result. The effect is the same as for the method embodiment: potential threat events that are hard to see from any single sub-event are surfaced, related sub-events are folded into one threat event alert, the number of alerts drops markedly, and the network administrator's load is reduced.
For the alerting device and machine-readable storage medium embodiments, since their content is substantially similar to that of the method embodiment, the description is kept brief; for the relevant points, reference may be made to the description of the method embodiment.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
all the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, the alert device, and the machine-readable storage medium embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to the description, reference may be made to some of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (12)

1. A threat event alerting method, the method comprising:
receiving security information of sub-events reported by each device in a specified network;
performing association analysis on the received security information of all sub-events using a pre-established association model to obtain an association analysis result, wherein the association model is a preset model comprising matching conditions of the security information of a plurality of specified sub-events and association rules among the specified sub-events; and
generating threat event alert information based on the association analysis result.
2. The method according to claim 1, wherein after receiving the security information of the sub-events reported by each device in the specified network, the method further comprises:
normalizing the received security information of each sub-event to obtain security information of each sub-event in a uniform data format.
3. The method according to claim 1, wherein performing association analysis on the received security information of all sub-events using the pre-established association model to obtain the association analysis result comprises:
for each received sub-event in turn, judging whether the security information of the sub-event matches the matching condition of the security information of any specified sub-event in the association model and whether the sub-event matches the association rule corresponding to that specified sub-event, so as to obtain the association analysis result;
and generating threat event alert information based on the association analysis result comprises:
for each sub-event, if the security information of the sub-event matches the matching condition corresponding to any specified sub-event in the association model and the sub-event matches the association rule corresponding to that specified sub-event, generating threat event alert information relating to the sub-event.
4. The method according to any one of claims 1 to 3, wherein the matching condition comprises at least one of a statistical matching condition, an intelligence matching condition, a vulnerability matching condition and a state matching condition;
the statistical matching condition is that the number of occurrences of a sub-event within a preset period is not less than a preset count; the intelligence matching condition is a condition on the device information of an attacked terminal; the vulnerability matching condition is a condition on the software information of software that has a vulnerability; the state matching condition is that the utilization of the central processing unit (CPU) of a terminal exceeds a preset threshold; and
the association rules comprise at least one of OR logical association, AND logical association and sequential association.
5. The method according to claim 1, wherein after generating threat event alert information based on the association analysis result, the method further comprises:
recording the alert information of the threat event and the association rules among all the sub-events in a threat event list, and presenting the threat event list on an event page;
and/or
recording the security information and the matching conditions of all the sub-events in a sub-event list, and presenting the sub-event list on the event page.
6. A threat event alerting apparatus, the apparatus comprising:
a receiving module, configured to receive security information of sub-events reported by each device in a specified network;
an analysis module, configured to perform association analysis on the received security information of all sub-events using a pre-established association model to obtain an association analysis result, wherein the association model is a preset model comprising matching conditions of the security information of a plurality of specified sub-events and association rules among the specified sub-events; and
a generating module, configured to generate threat event alert information based on the association analysis result.
7. The apparatus according to claim 6, further comprising:
a normalization module, configured to normalize the received security information of each sub-event to obtain security information of each sub-event in a uniform data format.
8. The apparatus according to claim 6, wherein the analysis module is specifically configured to:
for each received sub-event in turn, judge whether the security information of the sub-event matches the matching condition of the security information of any specified sub-event in the association model and whether the sub-event matches the association rule corresponding to that specified sub-event, so as to obtain the association analysis result;
and the generating module is specifically configured to:
for each sub-event, if the security information of the sub-event matches the matching condition corresponding to any specified sub-event in the association model and the sub-event matches the association rule corresponding to that specified sub-event, generate threat event alert information relating to the sub-event.
9. The apparatus according to any one of claims 6 to 8, wherein the matching condition comprises at least one of a statistical matching condition, an intelligence matching condition, a vulnerability matching condition and a state matching condition;
the statistical matching condition is that the number of occurrences of a sub-event within a preset period is not less than a preset count; the intelligence matching condition is a condition on the device information of an attacked terminal; the vulnerability matching condition is a condition on the software information of software that has a vulnerability; the state matching condition is that the utilization of the central processing unit (CPU) of a terminal exceeds a preset threshold; and
the association rules comprise at least one of OR logical association, AND logical association and sequential association.
10. The apparatus according to claim 6, further comprising a display module configured to:
record the alert information of the threat event and the association rules among all the sub-events in a threat event list, and present the threat event list on an event page;
and/or
record the security information and the matching conditions of all the sub-events in a sub-event list, and present the sub-event list on the event page.
11. An alerting device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to perform the method of any one of claims 1 to 5.
12. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to perform the method of any one of claims 1 to 5.
CN201910828683.2A 2019-09-03 2019-09-03 Threat event warning method and device, warning equipment and machine-readable storage medium Active CN110545276B (en)


Publications (2)

Publication Number Publication Date
CN110545276A true CN110545276A (en) 2019-12-06
CN110545276B CN110545276B (en) 2022-06-21


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112073437A (en) * 2020-10-09 2020-12-11 腾讯科技(深圳)有限公司 Multidimensional security threat event analysis method, device, equipment and storage medium
CN112688956A (en) * 2020-12-29 2021-04-20 成都科来网络技术有限公司 Real-time safety detection method and system based on association rule
CN112966002A (en) * 2021-02-28 2021-06-15 新华三信息安全技术有限公司 Security management method, device, equipment and machine readable storage medium
CN113037774A (en) * 2021-03-31 2021-06-25 新华三信息安全技术有限公司 Security management method, device, equipment and machine readable storage medium
CN113079126A (en) * 2020-01-03 2021-07-06 国网湖北省电力有限公司 Intelligent analysis method and equipment for network security threat event
CN113382015A (en) * 2021-06-24 2021-09-10 北京恒安嘉新安全技术有限公司 Handling method, device, equipment and storage medium of network threat
CN113449116A (en) * 2021-06-22 2021-09-28 青岛海信网络科技股份有限公司 Map construction and early warning method, device and medium
CN114186227A (en) * 2021-12-08 2022-03-15 上海观安信息技术股份有限公司 Method, device and storage medium for converting safety alarm into safety event
CN115022152A (en) * 2022-06-02 2022-09-06 北京天融信网络安全技术有限公司 Method and device for judging threat degree of event and electronic equipment
CN117201165A (en) * 2023-09-29 2023-12-08 中国电子科技集团公司第十五研究所 Threat alarm association analysis method based on network threat information

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101610174A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 A kind of log correlation analysis system and method
CN101697545A (en) * 2009-10-29 2010-04-21 成都市华为赛门铁克科技有限公司 Security incident correlation method and device as well as network server
CN102148827A (en) * 2011-02-11 2011-08-10 成都市华为赛门铁克科技有限公司 Security event management method, device and security management platform
EP2439877A1 (en) * 2009-06-05 2012-04-11 ZTE Corporation Method and device for analyzing alarm correlation, system and method for checking alarm correlation analyzing device
CN103746831A (en) * 2013-12-24 2014-04-23 华为技术有限公司 Alarm analysis method, device and system
CN104636989A (en) * 2015-02-11 2015-05-20 广东电网有限责任公司中山供电局 Electric power system monitoring warning information processing method and system
CN105376193A (en) * 2014-08-15 2016-03-02 中国电信股份有限公司 Intelligent association analysis method and intelligent association analysis device for security events
US20170317872A1 (en) * 2014-10-24 2017-11-02 Zte Corporation Alarm Processing Method and Apparatus
CN110011849A (en) * 2019-04-08 2019-07-12 郑州轨道交通信息技术研究院 A kind of association analysis alarm method based on normalization event format

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2439877A1 (en) * 2009-06-05 2012-04-11 ZTE Corporation Method and device for analyzing alarm correlation, system and method for checking alarm correlation analyzing device
CN101610174A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 A kind of log correlation analysis system and method
CN101697545A (en) * 2009-10-29 2010-04-21 成都市华为赛门铁克科技有限公司 Security incident correlation method and device as well as network server
CN102148827A (en) * 2011-02-11 2011-08-10 成都市华为赛门铁克科技有限公司 Security event management method, device and security management platform
CN103746831A (en) * 2013-12-24 2014-04-23 华为技术有限公司 Alarm analysis method, device and system
CN105376193A (en) * 2014-08-15 2016-03-02 中国电信股份有限公司 Intelligent association analysis method and intelligent association analysis device for security events
US20170317872A1 (en) * 2014-10-24 2017-11-02 Zte Corporation Alarm Processing Method and Apparatus
CN104636989A (en) * 2015-02-11 2015-05-20 广东电网有限责任公司中山供电局 Electric power system monitoring warning information processing method and system
CN110011849A (en) * 2019-04-08 2019-07-12 郑州轨道交通信息技术研究院 Association analysis alarm method based on a normalized event format

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
樊宁 (Fan Ning) et al.: "Research on correlation analysis engine technology for massive security events in telecommunication networks", 《电信科学》 (Telecommunications Science) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113079126A (en) * 2020-01-03 2021-07-06 国网湖北省电力有限公司 Intelligent analysis method and equipment for network security threat event
CN112073437B (en) * 2020-10-09 2023-12-19 腾讯科技(深圳)有限公司 Multi-dimensional security threat event analysis method, device, equipment and storage medium
CN112073437A (en) * 2020-10-09 2020-12-11 腾讯科技(深圳)有限公司 Multidimensional security threat event analysis method, device, equipment and storage medium
CN112688956B (en) * 2020-12-29 2023-04-28 科来网络技术股份有限公司 Real-time security detection method and system based on association rule
CN112688956A (en) * 2020-12-29 2021-04-20 成都科来网络技术有限公司 Real-time security detection method and system based on association rules
CN112966002A (en) * 2021-02-28 2021-06-15 新华三信息安全技术有限公司 Security management method, device, equipment and machine readable storage medium
CN113037774A (en) * 2021-03-31 2021-06-25 新华三信息安全技术有限公司 Security management method, device, equipment and machine readable storage medium
CN113449116A (en) * 2021-06-22 2021-09-28 青岛海信网络科技股份有限公司 Map construction and early warning method, device and medium
CN113449116B (en) * 2021-06-22 2022-12-20 青岛海信网络科技股份有限公司 Map construction and early warning method, device and medium
CN113382015A (en) * 2021-06-24 2021-09-10 北京恒安嘉新安全技术有限公司 Handling method, device, equipment and storage medium of network threat
CN114186227A (en) * 2021-12-08 2022-03-15 上海观安信息技术股份有限公司 Method, device and storage medium for converting safety alarm into safety event
CN115022152A (en) * 2022-06-02 2022-09-06 北京天融信网络安全技术有限公司 Method and device for judging threat degree of event and electronic equipment
CN115022152B (en) * 2022-06-02 2024-04-23 北京天融信网络安全技术有限公司 Method and device for judging threat degree of event and electronic equipment
CN117201165A (en) * 2023-09-29 2023-12-08 中国电子科技集团公司第十五研究所 Threat alarm association analysis method based on network threat information

Also Published As

Publication number Publication date
CN110545276B (en) 2022-06-21

Similar Documents

Publication Publication Date Title
CN110545276B (en) Threat event warning method and device, warning equipment and machine-readable storage medium
US11204996B2 (en) Retention and accessibility of data characterizing events on an endpoint computer
CN113515433B (en) Alarm log processing method, device, equipment and storage medium
EP1995929B1 (en) Distributed system for the detection of eThreats
US7231637B1 (en) Security and software testing of pre-release anti-virus updates on client and transmitting the results to the server
US20180255080A1 (en) System and Method for Cyber Security Threat Detection
EP1708114B1 (en) Aggregating the knowledge base of computer systems to proactively protect a computer from malware
EP2946332B1 (en) Automated forensics of computer systems using behavioral intelligence
Xu et al. Alert correlation through triggering events and common resources
US7583187B1 (en) System, method and computer program product for automatically summarizing security events
CN106537872B (en) Method for detecting attacks in a computer network
EP3158706A1 (en) Ineffective network equipment identification
CN112134877A (en) Network threat detection method, device, equipment and storage medium
CN105580022A (en) Systems and methods for using a reputation indicator to facilitate malware scanning
US11258825B1 (en) Computer network monitoring with event prediction
US7844999B1 (en) Message parsing in a network security system
WO2017040957A1 (en) Process launch, monitoring and execution control
Avritzer et al. Monitoring for security intrusion using performance signatures
US11372971B2 (en) Threat control
CN111542811B (en) Enhanced network security monitoring
Xu et al. Correlation analysis of intrusion alerts
Giacinto et al. Alarm clustering for intrusion detection systems in computer networks
CN115632884B (en) Network security situation perception method and system based on event analysis
CN113055362A (en) Method, device, equipment and storage medium for preventing abnormal behaviors
Zhuang et al. Applying data fusion in collaborative alerts correlation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant