CN110704837A - Network security event statistical analysis method - Google Patents

Network security event statistical analysis method

Info

Publication number: CN110704837A
Authority: CN (China)
Prior art keywords: event, analysis, network security, statistical analysis, ending
Legal status: Pending
Application number: CN201910913563.2A
Other languages: Chinese (zh)
Inventors: 韩冰, 梁露露
Current assignee: Nanjing Yuanbao Science And Technology Research Institute Co Ltd
Original assignee: Nanjing Yuanbao Science And Technology Research Institute Co Ltd
Priority date: 2019-09-25
Filing date: 2019-09-25
Publication date: 2020-01-17

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Abstract

The invention relates to a statistical analysis method for network security events, comprising the following steps: S1, collecting events at a set period and unifying them into a standard format; S2, judging whether the event is false: if it is false, end; if it is real, proceed to the next step; S3, carrying out event analysis on the real event; S4, judging whether the event is a safe (benign) event: if it is safe, end the process; if it is not safe, proceed to the next step; S5, carrying out deep analysis on the event to obtain its detailed information; S6, outputting the analysis result and ending the process. The invention can separate a disguised virus from a normal link, so that the source of the link and the intruded object become known, giving a good protective effect for network security.

Description

Network security event statistical analysis method
Technical Field
The invention relates to the technical field of computer network security, in particular to a network security event statistical analysis method.
Background
In recent years, with the continuous advance of informatization and the wide application of information technology in China, serious security problems have arrived alongside economic development, social progress and technological innovation. Network attacks and sabotage are increasingly frequent, and the network security situation is increasingly severe. Network attack events such as Trojan horses, malicious code, worms and DDoS attacks are becoming more and more widespread; the well-known Code Red worm, for example, infected more than 25 million computer systems within the first 9 hours of its spread over the Internet, causing losses that grew at 2 billion dollars per day and ultimately reached 26 billion dollars. Worms of this kind, together with security events such as DDoS attacks, malicious code and network intrusions, are continually evolving.
Faced with the increasingly serious network information security situation in China, the country has continually issued dedicated laws and regulations on network information security protection, and in 2016 the Cyberspace Administration of China issued the "National Cyberspace Security Strategy", emphasizing the importance of network security to national informatization. Viruses such as Trojan horses and worms are generally dressed up with superficial text that entices the user to open them, thereby invading the network and releasing the virus. In the prior art, network intrusion is generally prevented by layer upon layer of protective equipment; because such equipment generally cannot protect against a disguised virus, the disguised virus can still invade the network, the protective effect is mediocre, and after a network security incident occurs it cannot be diagnosed and remedied relatively quickly.
Based on the above, the present invention designs a statistical analysis method for network security events to solve the problems mentioned above.
Disclosure of Invention
The present invention is directed to a method for statistical analysis of network security events, so as to solve the problems mentioned in the background art.
To achieve this purpose, the invention provides the following technical scheme, a network security event statistical analysis method comprising the following steps:
S1, collecting events at a set period and unifying them into a standard format;
S2, judging whether the event is false: if it is false, end; if it is real, proceed to the next step;
S3, carrying out event analysis on the real event;
S4, judging whether the event is a safe (benign) event: if it is safe, end the process; if it is not safe, proceed to the next step;
S5, carrying out deep analysis on the event to obtain its detailed information;
S6, outputting the analysis result and ending the process.
Preferably, the event analysis includes lexical analysis, sentiment analysis and contextual analysis.
Preferably, the lexical analysis mainly analyzes the emotionally coloured words in the event, such as adjectives, negation words, commendatory words and derogatory words.
Preferably, the sentiment analysis analyzes, processes, generalizes and infers the subjective, emotionally coloured text in the event.
Preferably, the contextual analysis analyzes the context in which the phonemes, morphemes, words, phrases and sentences of the event text occur.
Preferably, the deep analysis includes analyzing the attack object, the access record, the attack event and the IP address of the attacker.
Compared with the prior art, the invention has the following beneficial effects: by judging whether an event is real or false, analyzing the real events, and then deeply analyzing the links found to be problematic, the invention can separate disguised viruses from normal links, so that the source of the link and the intruded object become known, giving a good protective effect for network security.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a schematic diagram of event analysis according to the present invention;
FIG. 3 is a schematic diagram of depth analysis according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1, the present invention provides a network security event statistical analysis method comprising the following steps:
S1, collecting events at a set period and unifying them into a standard format, treating the attacked object as the object associated with the network security event, and entering the standardized security event together with its associated object into a security event library;
S2, judging whether the event is false: if it is a false event, end; if it is a real event, proceed to the next step. Judging whether the event is false screens the events at a preliminary stage, so that not every event needs to be analyzed; this prevents server congestion and makes it easier to process events quickly;
S3, analyzing the real event by comparing it with the events in the security event library, so that information about the event becomes known and the event is easier to judge;
S4, judging whether the event is a safe (benign) event: if it is safe, end the process; if it is not safe, proceed to the next step;
S5, deeply analyzing the event to obtain its detailed information, that is, important information such as the attack object, the access record, the attack event and the IP address of the attacker;
S6, outputting the analysis result so that staff can conveniently and visually understand the event, and ending the process.
Referring to FIG. 2, the event analysis includes lexical analysis, sentiment analysis and contextual analysis. The lexical analysis mainly analyzes the emotionally coloured words in the event, such as adjectives, negation words, commendatory words and derogatory words; the sentiment analysis analyzes, processes, generalizes and infers the subjective, emotionally coloured text in the event; and the contextual analysis analyzes the context in which the phonemes, morphemes, words, phrases and sentences of the event text occur.
Referring to FIG. 3, the deep analysis includes analyzing the attack object, the access record, the attack event and the IP address of the attacker. Knowing the attack object identifies the intruded network and computer. Knowing the access record reveals potential security hazards in networks that have not yet been attacked, so that the security of the network can be checked conveniently. Knowing the attack event determines the cause of the network fault, which facilitates network maintenance. Knowing the attacker's IP address makes it convenient to locate the source of the virus, so that rapid network maintenance can be achieved.
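The S1 to S6 flow above, together with the lexical and contextual analysis of FIG. 2 and the four deep-analysis fields of FIG. 3, as an added example in Python. This is not the patent's or the applicant's code: the event schema, the criteria for a "false" event, the lure lexicon, the security event library and the sample events are all constructed assumptions chosen to make the triage decisions visible.

```python
"""S1-S6 triage pipeline sketched after the patent's flow (FIG. 1).

Added example, not the patent's or the applicant's code. The schema, the
'false event' criteria, the lure lexicon, the security event library and the
sample events are constructed assumptions for illustration.
"""
import ipaddress
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed lexicon for the lexical/sentiment stage: words that dress up a
# link or message with an emotional "whitewash" (urgency, reward, threat).
LURE_LEXICON = {
    "urgent": 2, "immediately": 2, "free": 2, "prize": 3, "winner": 3,
    "suspended": 2, "verify": 1, "expired": 2, "congratulations": 3,
    "warning": 1, "click": 1,
}
NEGATIONS = {"not", "no", "never"}

# Constructed "security event library": (action, source IP) pairs the
# organisation has already classified as safe.
SAFE_LIBRARY = {
    ("login", "10.0.0.5"),   # scheduled monitoring account on an internal host
    ("backup", "10.0.0.9"),
}


@dataclass
class Event:
    timestamp: str
    source_ip: str
    target: str          # the attacked object
    action: str
    text: str = ""       # any message or link text that came with the event
    lure_score: int = 0
    details: Dict[str, object] = field(default_factory=dict)


def normalize(raw: Dict[str, object]) -> Event:
    """S1: map heterogeneous raw records (two assumed field spellings) onto one schema."""
    return Event(
        timestamp=str(raw.get("ts") or raw.get("time") or ""),
        source_ip=str(raw.get("src") or raw.get("source_ip") or ""),
        target=str(raw.get("dst") or raw.get("target") or ""),
        action=str(raw.get("act") or raw.get("action") or "").lower(),
        text=str(raw.get("msg") or raw.get("text") or ""),
    )


def is_false_event(ev: Event) -> bool:
    """S2: discard events that cannot be real (assumed criteria: a required
    field is missing or the source address does not parse)."""
    if not ev.timestamp or not ev.target or not ev.action:
        return True
    try:
        ipaddress.ip_address(ev.source_ip)
    except ValueError:
        return True
    return False


def lexical_score(text: str) -> int:
    """S3 (lexical + contextual): weight emotionally coloured words; a negation
    directly before a lure word cancels it, a minimal form of context analysis."""
    words = re.findall(r"[a-z']+", text.lower())
    score = 0
    for i, w in enumerate(words):
        if w in LURE_LEXICON and not (i > 0 and words[i - 1] in NEGATIONS):
            score += LURE_LEXICON[w]
    return score


def is_safe(ev: Event) -> bool:
    """S3/S4: compare with the library of known-safe events and the lure score."""
    ev.lure_score = lexical_score(ev.text)
    return (ev.action, ev.source_ip) in SAFE_LIBRARY and ev.lure_score < 3


def deep_analyze(ev: Event) -> Dict[str, object]:
    """S5: extract the four details the patent names, plus the lure score."""
    ev.details = {
        "attack_object": ev.target,
        "access_record": f"{ev.timestamp} {ev.source_ip} -> {ev.target} ({ev.action})",
        "attack_event": ev.action,
        "attacker_ip": ev.source_ip,
        "lure_score": ev.lure_score,
    }
    return ev.details


def run_pipeline(raw_events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """S1-S6 end to end; returns the analysis results for events needing attention."""
    results = []
    for raw in raw_events:
        ev = normalize(raw)                 # S1
        if is_false_event(ev):
            continue                        # S2: false event, end
        if is_safe(ev):
            continue                        # S4: safe event, end
        results.append(deep_analyze(ev))    # S5
    return results                          # S6: output


# Constructed sample events in two different raw spellings.
SAMPLE = [
    {"ts": "2019-09-25T08:00:00", "src": "10.0.0.5", "dst": "srv1", "act": "login"},
    {"ts": "", "src": "10.0.0.7", "dst": "srv2", "act": "scan"},            # false: no timestamp
    {"time": "2019-09-25T08:05:00", "source_ip": "198.51.100.23", "target": "pc-17",
     "action": "download", "msg": "Congratulations! You are our prize winner, click immediately"},
    {"ts": "2019-09-25T08:06:00", "src": "not-an-ip", "dst": "srv3", "act": "login"},  # false
]

if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE), indent=2))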
In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.

Claims (6)

1. A network security event statistical analysis method, characterized by comprising the following steps:
S1, collecting events at a set period and unifying them into a standard format;
S2, judging whether the event is false: if it is false, end; if it is real, proceed to the next step;
S3, carrying out event analysis on the real event;
S4, judging whether the event is a safe (benign) event: if it is safe, end the process; if it is not safe, proceed to the next step;
S5, carrying out deep analysis on the event to obtain its detailed information;
S6, outputting the analysis result and ending the process.
2. The network security event statistical analysis method of claim 1, wherein the event analysis includes lexical analysis, sentiment analysis and contextual analysis.
3. The network security event statistical analysis method of claim 2, wherein the lexical analysis mainly analyzes the emotionally coloured words in the event, such as adjectives, negation words, commendatory words and derogatory words.
4. The network security event statistical analysis method of claim 2, wherein the sentiment analysis analyzes, processes, generalizes and infers the subjective, emotionally coloured text in the event.
5. The network security event statistical analysis method of claim 2, wherein the contextual analysis analyzes the context in which the phonemes, morphemes, words, phrases and sentences of the event text occur.
6. The network security event statistical analysis method of claim 1, wherein the deep analysis comprises analyzing the attack object, the access record, the attack event and the attacker's IP address.

Priority Applications (1)

Application number: CN201910913563.2A
Priority date: 2019-09-25
Filing date: 2019-09-25
Title: Network security event statistical analysis method
Status: Pending

Publications (1)

Publication number: CN110704837A (en)
Publication date: 2020-01-17

Family ID: 69198007

Country Status (1)

CN: CN110704837A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102035855A (en) * 2010-12-30 2011-04-27 江苏省电力公司 Network security incident association analysis system
CN104836815A (en) * 2015-06-01 2015-08-12 广东电网有限责任公司信息中心 Security event backtracking method and system based on log analysis function
US20170093902A1 (en) * 2015-09-30 2017-03-30 Symantec Corporation Detection of security incidents with low confidence security events
CN107241352A (en) * 2017-07-17 2017-10-10 浙江鹏信信息科技股份有限公司 A network security incident classification and prediction method and system
CN107733693A (en) * 2017-09-22 2018-02-23 中国人民解放军国防科技大学 Network security operation and maintenance capability evaluation method and system based on security event statistics
CN108259462A (en) * 2017-11-29 2018-07-06 国网吉林省电力有限公司信息通信公司 Big data security analysis system based on mass network monitoring data
CN108259202A (en) * 2016-12-29 2018-07-06 航天信息股份有限公司 A CA monitoring and early-warning method and CA monitoring and early-warning system
CN108270785A (en) * 2018-01-15 2018-07-10 中国人民解放军国防科技大学 Knowledge graph-based distributed security event correlation analysis method
CN110011849A (en) * 2019-04-08 2019-07-12 郑州轨道交通信息技术研究院 A correlation analysis alarm method based on a normalized event format

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张小军 et al.: "Research on an information security management platform based on an active defense model", 《遥测遥控》 *
王敬东 et al.: "Design of an intranet security event linkage analysis engine for digital libraries", 《图书馆学研究》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2020-01-17