CN110704837A - Network security event statistical analysis method - Google Patents
- Publication number: CN110704837A
- Application number: CN201910913563.2A
- Authority: CN (China)
- Prior art keywords: event, analysis, network security, statistical analysis, ending
- Legal status: Pending
Classifications
- G06F21/55: Detecting local intrusion or implementing counter-measures (under G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity, and G06F21/50, Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
- G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/00, Network architectures or network communication protocols for network security; H04L63/14, for detecting or protecting against malicious traffic; and H04L63/1408, by monitoring network traffic)
- H04L63/1433: Vulnerability analysis
Abstract
The invention relates to a statistical analysis method for network security events, comprising the following steps: S1, collecting events at a fixed period and unifying them into a standard format; S2, judging whether the event is false: if false, the process ends, and if real, it proceeds to the next step; S3, performing event analysis on the real event; S4, judging whether the event is a safe event: if safe, the process ends, and if unsafe, it proceeds to the next step; S5, performing deep analysis on the event to obtain its detailed information; S6, outputting the analysis result and ending the process. The invention can separate disguised viruses from normal links, so that the source of the link and the intruded object become known, giving a good protective effect on network security.
Description
Technical Field
The invention relates to the technical field of computer network security, in particular to a network security event statistical analysis method.
Background
In recent years, with the continued advance of informatization and the wide application of information technology in China, prominent security problems have accompanied economic development, social progress and technological innovation. Network attacks and destructive behaviour are increasingly frequent, and the network security situation is increasingly severe. Network attack events such as trojan horses, malicious code, worms and DDoS attacks are becoming more and more widespread; the well-known Code Red worm, for example, infected more than 25 million computer systems within the first 9 hours of spreading over the Internet, causing losses that grew by 2 billion dollars per day and ultimately reached 26 billion dollars. Worms of this kind, and security events such as DDoS attacks, malicious code and network intrusions, are continually evolving.
Faced with the increasingly serious network information security situation in China, the country has continuously issued specialised laws and regulations on network information security protection, and in 2016 the Cyberspace Administration of China issued the "National Cyberspace Security Strategy", emphasising the importance of network security to national informatization. Viruses such as trojan horses and worms are generally disguised with superficial wording that entices the user to open them, thereby intruding into the network and releasing the virus. In the prior art, network intrusion is generally prevented by layer upon layer of protective equipment, but because such equipment generally cannot defend against a disguised virus, the disguised virus can still intrude into the network; the protective effect is therefore mediocre, and after a network security incident occurs, the required maintenance cannot be determined quickly.
Based on the above, the present invention designs a statistical analysis method for network security events to solve the above-mentioned problems.
Disclosure of Invention
The present invention aims to provide a method for the statistical analysis of network security events that solves the problems mentioned in the background art.
To achieve this purpose, the invention provides the following technical scheme: a network security event statistical analysis method comprising the following steps:
S1, collecting events at a fixed period and unifying them into a standard format;
S2, judging whether the event is false: if false, the process ends; if real, it proceeds to the next step;
S3, performing event analysis on the real event;
S4, judging whether the event is a safe event: if safe, the process ends; if unsafe, it proceeds to the next step;
S5, performing deep analysis on the event to obtain its detailed information;
S6, outputting the analysis result and ending the process.
Preferably, the event analysis includes lexical analysis, sentiment analysis and contextual analysis.
Preferably, the lexical analysis mainly analyses the emotionally coloured words in the event, such as adjectives, negation words, commendatory words and derogatory words.
Preferably, the sentiment analysis analyses, processes, summarises and draws inferences from the emotionally coloured subjective text in the event.
Preferably, the contextual analysis analyses the environment in which the phonemes, morphemes, words, phrases and sentences of the event's sentences occur.
Preferably, the deep analysis includes analysing the attacked object, the access record, the attack event and the attacker's IP address.
Compared with the prior art, the invention has the following beneficial effects: by judging whether an event is true or false, analysing the true events and then deeply analysing the problematic links, the invention can separate disguised viruses from normal links, so that the source of the link and the intruded object become known, giving a good protective effect on network security.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; a person skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a schematic diagram of event analysis according to the present invention;
FIG. 3 is a schematic diagram of depth analysis according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1, the invention provides a network security event statistical analysis method comprising the following steps:
S1, collecting events at a fixed period and unifying them into a standard format, taking the attacked object as the object related to the network security event, and entering the standardised security event together with its related object into a security event library;
S2, judging whether the event is false: if it is a false event, the process ends; if it is a real event, it proceeds to the next step. Judging truth or falsity screens the events at a preliminary stage, so that not every event has to be analysed, server congestion is avoided and events can be processed quickly;
S3, analysing the real event by comparing it with the events in the security event library, so that information about the event is obtained and the event can be judged more easily;
S4, judging whether the event is a safe event: if safe, the process ends; if unsafe, it proceeds to the next step;
S5, deeply analysing the event to obtain its detailed information, such as the important information of the attacked object, the access record, the attack event and the attacker's IP address;
S6, outputting the analysis result so that staff can understand the event conveniently and visually, and ending the process.
Referring to FIG. 2, the event analysis includes lexical analysis, sentiment analysis and contextual analysis. The lexical analysis mainly analyses the emotionally coloured words in the event, such as adjectives, negation words, commendatory words and derogatory words; the sentiment analysis analyses, processes, summarises and draws inferences from the emotionally coloured subjective text in the event; and the contextual analysis analyses the environment in which the phonemes, morphemes, words, phrases and sentences of the event's sentences occur.
Referring to FIG. 3, the deep analysis includes analysing the attacked object, the access record, the attack event and the attacker's IP address. Through the deep analysis the attacked object becomes known, so that the intruded network and computer can be determined; from the access record, potential security risks in networks that have not yet been attacked become known, so that network security can be checked conveniently; from the attack event, the cause of the network fault can be determined, so that network maintenance can be carried out conveniently; and from the attacker's IP address, the source of the virus can be found conveniently, so that rapid network maintenance is achieved.
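As an added illustration, not code from the patent, the following Python sketch runs the S1 to S6 flow described above over one collection period. The standard event format, the word lists standing in for "emotionally coloured words", the security event library and the sample events are all constructed for this example; the safe/unsafe rule in S4 is one simple assumption of how the patent's analysis could be applied.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the patent's "words with emotional colour" and for links.
COMMENDATORY = {"congratulations", "free", "prize", "win", "bonus", "reward"}
DEROGATORY = {"suspended", "hacked", "breach", "violation", "blocked"}
LINK_RE = re.compile(r"https?://\S+|\.(?:exe|zip|docm)\b", re.I)
# Constructed security event library (S1/S3): (kind, source IP) pairs recorded as benign.
SAFE_LIBRARY = {("login", "10.0.0.5"), ("backup", "10.0.0.9")}

@dataclass
class Event:
    kind: str           # attack event (S5)
    src: str            # source / attacker IP address (S5)
    dst: str            # attacked object (S5)
    text: str = ""      # wording that may "whitewash" the payload
    access_log: list = field(default_factory=list)  # access record (S5)

def normalise(raw):
    """S1: unify a raw record into the standard format; None if malformed."""
    try:
        ipaddress.ip_address(raw["src"])
        return Event(raw["kind"].lower(), raw["src"], raw["dst"],
                     raw.get("text", ""), list(raw.get("access_log", [])))
    except (KeyError, ValueError):
        return None

def is_false_event(ev):
    """S2: malformed records and events with neither text nor access record are false."""
    return ev is None or (not ev.text.strip() and not ev.access_log)

def event_analysis(ev):
    """S3: lexical, sentiment and contextual analysis of the event text."""
    words = re.findall(r"[a-z]+", ev.text.lower())
    coloured = [w for w in words if w in COMMENDATORY or w in DEROGATORY]
    return {"coloured_words": coloured, "sentiment": len(coloured),
            "has_link": bool(LINK_RE.search(ev.text)),   # enticement beside a link
            "in_library": (ev.kind, ev.src) in SAFE_LIBRARY}

def is_safe(analysis):
    """S4 (assumed rule): safe if already in the library, or neutral and link-free."""
    return analysis["in_library"] or (analysis["sentiment"] == 0 and not analysis["has_link"])

def deep_analysis(ev):
    """S5: the four items of detailed information the patent names."""
    return {"attack_object": ev.dst, "access_record": sorted(set(ev.access_log)),
            "attack_event": ev.kind, "attacker_ip": ev.src}

def triage(raw_events):
    """Run S1 to S6 over one collection period and return the results (S6)."""
    results = []
    for raw in raw_events:
        ev = normalise(raw)
        if is_false_event(ev):
            results.append({"status": "false"}); continue
        analysis = event_analysis(ev)
        if is_safe(analysis):
            results.append({"status": "safe"}); continue
        results.append({"status": "report", **analysis, **deep_analysis(ev)})
    return results

# Constructed sample period; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"kind": "login", "src": "10.0.0.5", "dst": "srv-1", "text": "scheduled sync"},
    {"kind": "email", "src": "203.0.113.7", "dst": "ws-12", "access_log": ["ws-12", "fs-1", "ws-12"],
     "text": "Congratulations! You win a free prize, open http://example.invalid/claim"},
    {"kind": "scan", "src": "198.51.100.2", "dst": "gw", "text": ""},
    {"kind": "email", "src": "not-an-ip", "dst": "x", "text": "hi"},
]
```

Only the second sample event reaches S5, and its report carries exactly the four fields named in FIG. 3.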
In the description herein, references to the description of "one embodiment," "an example," "a specific example" or the like are intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention. The invention is limited only by the claims and their full scope and equivalents.
Claims (6)
1. A network security event statistical analysis method, characterised by comprising the following steps:
S1, collecting events at a fixed period and unifying them into a standard format;
S2, judging whether the event is false: if false, the process ends; if real, it proceeds to the next step;
S3, performing event analysis on the real event;
S4, judging whether the event is a safe event: if safe, the process ends; if unsafe, it proceeds to the next step;
S5, performing deep analysis on the event to obtain its detailed information;
S6, outputting the analysis result and ending the process.
2. The network security event statistical analysis method of claim 1, characterised in that the event analysis includes lexical analysis, sentiment analysis and contextual analysis.
3. The network security event statistical analysis method of claim 2, characterised in that the lexical analysis mainly analyses the emotionally coloured words in the event, such as adjectives, negation words, commendatory words and derogatory words.
4. The network security event statistical analysis method of claim 2, characterised in that the sentiment analysis analyses, processes, summarises and draws inferences from the emotionally coloured subjective text in the event.
5. The network security event statistical analysis method of claim 2, characterised in that the contextual analysis analyses the environment in which the phonemes, morphemes, words, phrases and sentences of the event's sentences occur.
6. The network security event statistical analysis method of claim 1, characterised in that the deep analysis includes analysing the attacked object, the access record, the attack event and the attacker's IP address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910913563.2A CN110704837A (en) | 2019-09-25 | 2019-09-25 | Network security event statistical analysis method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110704837A true CN110704837A (en) | 2020-01-17 |
Family ID: 69198007
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110704837A (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102035855A (en) * | 2010-12-30 | 2011-04-27 | 江苏省电力公司 | Network security incident association analysis system |
CN104836815A (en) * | 2015-06-01 | 2015-08-12 | 广东电网有限责任公司信息中心 | Security event backtracking method and system based on log analysis function |
US20170093902A1 (en) * | 2015-09-30 | 2017-03-30 | Symantec Corporation | Detection of security incidents with low confidence security events |
CN107241352A (en) * | 2017-07-17 | 2017-10-10 | 浙江鹏信信息科技股份有限公司 | A kind of net security accident classificaiton and Forecasting Methodology and system |
CN107733693A (en) * | 2017-09-22 | 2018-02-23 | 中国人民解放军国防科技大学 | Network security operation and maintenance capability evaluation method and system based on security event statistics |
CN108259462A (en) * | 2017-11-29 | 2018-07-06 | 国网吉林省电力有限公司信息通信公司 | Big data Safety Analysis System based on mass network monitoring data |
CN108259202A (en) * | 2016-12-29 | 2018-07-06 | 航天信息股份有限公司 | A kind of CA monitoring and pre-alarming methods and CA monitoring and warning systems |
CN108270785A (en) * | 2018-01-15 | 2018-07-10 | 中国人民解放军国防科技大学 | Knowledge graph-based distributed security event correlation analysis method |
CN110011849A (en) * | 2019-04-08 | 2019-07-12 | 郑州轨道交通信息技术研究院 | A kind of association analysis alarm method based on normalization event format |
Non-Patent Citations (2)
- 张小军 et al., "Research on an information security management platform based on an active defence model", 《遥测遥控》
- 王敬东 et al., "Design of a linkage analysis engine for intranet security events in digital libraries", 《图书馆学研究》
Legal Events
Code | Title | Description
---|---|---
PB01 | Publication | Application publication date: 2020-01-17
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |