CN110933101A - Security event log processing method, device and storage medium - Google Patents


Info

Publication number
CN110933101A
Authority
CN
China
Prior art keywords
entity
node
event
address
nodes
Prior art date
Legal status
Granted
Application number
CN201911257641.4A
Other languages
Chinese (zh)
Other versions
CN110933101B (en)
Inventor
毛婷伟
梁玉
洪春华
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • H04L 63/1425 Traffic logging, e.g. anomaly detection (network architectures or protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 61/35 Network arrangements, protocols or services for addressing or naming involving non-standard use of addresses for implementing network functionalities, e.g. coding subscription information within the address or functional addressing
    • H04L 63/1416 Event detection, e.g. attack signature detection (detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/1433 Vulnerability analysis (detecting or protecting against malicious traffic)
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (network arrangements or protocols for supporting network services or applications)

Abstract

The application discloses a security event log processing method, a security event log processing device and a storage medium, and belongs to the technical field of network security. The method comprises the following steps: extracting a plurality of entity identifiers and entity description information related to a security event from a security event log, wherein the plurality of entity identifiers comprise Internet Protocol (IP) addresses; determining the association relation among the entity identifiers according to the entity description information; and taking each of the entity identifiers as a node in a network relationship graph, and constructing edges in the network relationship graph according to the association relation among the entity identifiers to obtain the network relationship graph. The obtained network relationship graph visually displays the association relationship among the nodes corresponding to the entity identifiers, that is, the analysis is carried out comprehensively on the basis of global information, so that technicians can quickly find entities needing high attention and the efficiency of security operations is improved.

Description

Security event log processing method, device and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for processing a security event log, and a storage medium.
Background
With the development of network security technology, enterprises can deploy security devices to protect their assets and data. The security devices detect security threats, security issues and the like and send them to an SOC (Security Operations Center) in the form of security event logs. As a result, a large number of security event logs are stored in the SOC, and this information is messy and huge, so the security event logs need to be processed so that technicians can find the security events of greatest concern and secure operation is ensured.
In the related art, when security event logs are processed, information such as domain names and IP (Internet Protocol) addresses appearing in all the stored security event logs may be counted separately, and the domain names and IP addresses that appear a large number of times are then taken as target information. Thereafter, the security attributes of the target information, which may be malicious, normal, or suspicious, are queried. Finally, the target information and its security attributes are displayed.
However, the above method analyzes only the information that appears frequently in the security event logs, and the analysis consists only of querying the security attributes of that information. Thus only a small amount of information is analyzed, and in a simple way, so the analysis is not comprehensive and some information that needs high attention may be ignored.
Disclosure of Invention
The application provides a security event log processing method, a security event log processing device and a storage medium, which can solve the problem in the related art that the analysis is incomplete, so that some information that needs high attention may be ignored. The technical scheme is as follows:
in one aspect, a method for processing a security event log is provided, where the method includes:
extracting a plurality of entity identifiers and entity description information related to a security event from a security event log, wherein the plurality of entity identifiers comprise IP addresses;
determining the association relation among the entity identifiers according to the entity description information;
and taking each of the entity identifiers as a node in a network relationship graph, and constructing edges in the network relationship graph according to the association relation among the entity identifiers to obtain the network relationship graph.
In another aspect, a security event log processing apparatus is provided, the apparatus including:
an extraction module, configured to extract, from a security event log, a plurality of entity identifiers and entity description information related to a security event, where the plurality of entity identifiers include IP addresses;
a determining module, configured to determine the association relation among the entity identifiers according to the entity description information;
and a building module, configured to take each of the entity identifiers as a node in a network relationship graph, and to build edges in the network relationship graph according to the association relation among the entity identifiers to obtain the network relationship graph.
In another aspect, an apparatus is provided, which includes a processor and a memory, where at least one instruction, at least one program, a set of codes, or a set of instructions is stored in the memory, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the security event log processing method described above.
In another aspect, a computer-readable storage medium is provided, in which at least one instruction, at least one program, a set of codes, or a set of instructions is stored, and loaded and executed by a processor to implement the above-mentioned security event log processing method.
In another aspect, a computer program product is provided comprising instructions which, when run on a computer, cause the computer to perform the security event log handling method described above.
The technical scheme provided by the application can at least bring the following beneficial effects:
a plurality of entity identifiers and entity description information related to the security event are extracted from the security event log, and the plurality of entity identifiers may include IP addresses. The association relation among the entity identifiers is then determined according to the entity description information, each of the entity identifiers is taken as a node in the network relationship graph, and edges in the network relationship graph are constructed according to the determined association relation among the entity identifiers to obtain the network relationship graph. The obtained network relationship graph visually displays the association relationship among the nodes corresponding to the entity identifiers, that is, the analysis is carried out comprehensively on the basis of global information, so that technicians can quickly find entities needing high attention and the efficiency of security operations is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of an implementation environment shown in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram illustrating a method of security event log processing in accordance with an exemplary embodiment;
FIG. 3 is a schematic diagram illustrating a network relationship diagram in accordance with an illustrative embodiment;
FIG. 4 is a schematic diagram illustrating a relationship diffusion graph for a node, according to an example embodiment;
FIG. 5 is a schematic diagram illustrating a relationship diffusion graph for a node, according to another illustrative embodiment;
FIG. 6 is a flow diagram illustrating a method of security event log processing in accordance with another illustrative embodiment;
FIG. 7 is a block diagram illustrating a security event log processing apparatus in accordance with an exemplary embodiment;
FIG. 8 is a schematic diagram illustrating the structure of an apparatus according to an exemplary embodiment.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
Before explaining the security event log processing method provided by the embodiment of the present application in detail, an application scenario and an implementation environment provided by the embodiment of the present application are introduced.
First, an application scenario provided in the embodiment of the present application is introduced.
In order to protect assets and data from leakage, enterprises generally deploy various levels of security devices, for example traffic firewalls, intrusion detection devices, virus protection devices, and the like. The security devices detect security threats, security issues and the like and send them to the SOC in the form of security event logs. However, as the security situation becomes more severe, more and more security devices are deployed in enterprises and more and more security event logs are generated every day, while the SOC only stores the security event logs of the various security devices and cannot assist technicians in analysis and decision making. Therefore, the security event logs need to be processed so that a technician can quickly find the information that needs attention among a large number of security event logs. In the prior art, the information in the security event logs is counted and only the information with a large number of occurrences is simply analyzed; the analysis is not comprehensive, so some information needing high attention may be ignored. Therefore, the embodiments of the present application provide a method for processing a security event log that can solve the above problems; specific implementations can be seen in the following embodiments.
Next, an implementation environment provided by the embodiment of the present application is described.
Referring to FIG. 1, FIG. 1 is a schematic diagram illustrating an implementation environment in accordance with an example embodiment. The implementation environment includes an SOC platform 101 and a plurality of security devices 102. The SOC platform 101 may be respectively in communication connection with the plurality of security devices 102, where the communication connection may be a wired connection or a wireless connection, which is not limited in this embodiment of the present application.
The SOC platform 101 is configured to receive a security event log sent by each of the plurality of security devices 102, and construct a network relationship graph according to the security event log, so that a technician can determine information that needs to pay high attention according to the network relationship graph.
Each of the plurality of security devices 102 is configured to detect security of a network environment, including traffic detection, network attack identification, virus trojan identification, bad content identification, abnormal operation, and malware early warning, and for a detected security event, take measures such as prohibition, discarding, and warning according to a prevention and control policy, and send the detected security event to the SOC platform 101 in the form of a security event log. Each of the plurality of security devices 102 may be a server or a terminal, which is not limited in this embodiment of the application.
Those skilled in the art will appreciate that the above-described SOC platform 101 and plurality of security devices 102 are merely exemplary, and that other existing or future SOC platforms or security devices may be suitable for use in the present application and are intended to be included within the scope of the present application and are hereby incorporated by reference.
After introducing the application scenario and the implementation environment provided by the embodiment of the present application, a detailed explanation is next provided for the security event log processing method provided by the embodiment of the present application.
Fig. 2 is a flowchart illustrating a security event log processing method according to an exemplary embodiment, which is applied to the SOC platform 101 in the implementation environment shown in fig. 1. Referring to fig. 2, the method may include the following steps.
Step 201: a plurality of entity identifications and entity description information related to the security event are extracted from the security event log, and the plurality of entity identifications may include IP addresses.
As an example, the SOC platform may receive security event logs sent by multiple security devices and store them in JSON format, where all the security event logs sent by the same security device are stored in the same file. Each security device may send multiple security event logs, each corresponding to one security event.
Illustratively, one security event log may include the event occurrence time, source IP address, source port, destination IP address, destination port, event identifier, event type, identifier of the security device performing event detection, domain name, file identifier, file name, file path, HTTP method, HTTP User-Agent, vulnerability identifier, event severity, confidence level, event description, vulnerability description, correspondence between IP address and domain name, correspondence between IP address and port number, and the like.
The source IP address is the IP address of the device initiating the security event, and the source port is the port of the device initiating the security event. The destination IP address is the IP address of the device at which the security event is aimed, and the destination port is the port of that device. The event identifier may be used to uniquely identify a security event; for example, the event identifier may be the event name of the security event. The event types may include scans, attacks, intrusions, and the like. The identifier of the security device performing the event detection may be used to uniquely identify a security device. The file identifier may be used to uniquely identify a file generated during the occurrence of a security event; for example, the file identifier may be the MD5 (Message-Digest Algorithm 5) value of the file. The file path may be the storage location of the file. The HTTP method refers to the request method used in the communication between the two devices corresponding to the source IP address and the destination IP address, and may be GET or POST, for example. The HTTP User-Agent may be used to indicate the type of the device corresponding to the source IP address from which the HTTP request is sent; for example, it may indicate an HTTP request sent by a browser or an HTTP request sent by another tool. The vulnerability identifier can be used to indicate an existing vulnerability in the system or software installed on the device corresponding to the source IP address or the destination IP address. The event severity may be used to indicate the degree of threat the security event poses to network security; since the severity is predicted, a confidence level is required to indicate how trustworthy the event severity is.
The event description can be used to describe a security event, and may include the relationship between the source IP address, the event identifier, and the destination IP address. For example, the event description may state that the device corresponding to IP address A attacks the device corresponding to IP address B in manner a, where a is the event identifier of the security event.
As an example, the SOC platform may pre-process the information in the received security event logs before step 201, mainly by filling in missing values. When the value of the event severity or confidence field is missing from a received security event log, the SOC platform may determine the mode of the event severity over the other security event logs that correspond to the same security event as the received log, and fill that mode into the event severity field of the received log; likewise, it may determine the mode of the confidence over the other security event logs corresponding to the same security event, and fill that mode into the confidence field of the received log.
For example, assuming that a security event log includes the identifier of the security device performing event detection, the event type, the event identifier, the event occurrence time, the source IP address, the source port, the destination IP address, and the destination port, a corresponding set of data may be: Imperva WAF, Web_Attack_or_Scan, HTTP Signature Violation, 2019-07-24 13:07:01, 10.10.21.231, 38121, 202.38.131.7, 80.
In some embodiments, the entity identifiers and entity description information related to security events that different security devices can obtain differ, and some of them are not helpful for determining the information that needs attention. Therefore, when a security event log is processed, only entity identifiers and entity description information that all security devices can acquire and that are relatively representative may be extracted.
As an example, the plurality of entity identities may include at least one of an event identity, a domain name, a port number (including a source port and a destination port), a file identity, and a vulnerability identity, in addition to an IP address (including a source IP address and a destination IP address).
As an example, the entity description information extracted from the security event log may include: at least one of event description, vulnerability description, corresponding information of the IP address and the domain name, and corresponding information of the IP address and the port number.
Step 202: the association relation among the entity identifiers is determined according to the entity description information.
In some embodiments, the association relationship may include: a first relationship, a second relationship, a third relationship, or a fourth relationship. Alternatively, the association relationship may include a fifth relationship, a third relationship, or a fourth relationship.
The first relationship indicates that the entity identified by one entity identifier is the initiator of an event; the second relationship indicates that the entity identified by one entity identifier is the destination of the event; the third relationship indicates that the entity identified by one entity identifier belongs to the entity identified by another entity identifier; and the fourth relationship indicates that the two entity identifiers are extracted from the same security event log. The fifth relationship indicates that the entity identified by one entity identifier is the initiator of an event and the entity identified by the other entity identifier is the destination of that event.
As an example, the source IP address, destination IP address, and event identification of the security event may be determined from the event description. In this manner, the association between the source IP address, the event identification, and the destination IP address can be determined.
Illustratively, when the plurality of entity identifiers include an IP address and an event identifier, a first relationship may be between a source IP address of the security event and the event identifier, which indicates that a device corresponding to the source IP address is an initiator of the security event corresponding to the event identifier; the destination IP address of the security event and the event identifier may have a second relationship, which indicates that the device corresponding to the destination IP address is the destination of the security event corresponding to the event identifier.
Illustratively, when the IP address is included in the plurality of entity identifiers, a fifth relationship may be between the source IP address and the destination IP address of the security event, which indicates that the device corresponding to the source IP address is the initiator of the security event, and the device corresponding to the destination IP address is the destination of the security event.
As an example, an association between the vulnerability identity and the IP address may be determined from the vulnerability description. According to the corresponding information of the IP address and the domain name, the incidence relation between the domain name and the IP address can be determined. And according to the corresponding information of the IP address and the port number, the incidence relation between the IP address and the port number can be determined.
For example, a third relationship may exist between a vulnerability identifier and the IP address corresponding to it, indicating that the vulnerability corresponding to the vulnerability identifier belongs to the device corresponding to the IP address. A third relationship may exist between an IP address and the domain name corresponding to it, indicating that the domain name belongs to that IP address. Likewise, a third relationship may exist between an IP address and the port number corresponding to it, indicating that the port number belongs to the device corresponding to the IP address.
As an example, for any two entity identifiers extracted from the same security event log, the association relationship between the two entity identifiers may be a fourth relationship.
For example, a fourth relationship may be between the event identifier and the file identifier, which indicates that the event identifier and the file identifier are extracted from the same security event log, that is, a file corresponding to the file identifier is generated in a process of occurrence of a security event corresponding to the event identifier. The event identifier and the domain name may also have a fourth relationship, which indicates that the event identifier and the domain name are extracted from the same security event log, that is, the domain name is accessed in the process of the security event corresponding to the event identifier.
Step 203: each of the plurality of entity identifiers is taken as a node in the network relationship graph, and edges in the network relationship graph are constructed according to the association relation among the plurality of entity identifiers to obtain the network relationship graph.
In some embodiments, when the plurality of entity identifiers include at least one of an IP address, an event identifier, a domain name, a port number, a file identifier, a vulnerability identifier, and the like, an edge between the plurality of entity identifiers may be constructed according to the determined association relationship between the plurality of entity identifiers, and the direction of the edge constructed according to different association relationships may be different. And, after an edge is constructed according to a certain association relationship, the attribute of the edge may include the association relationship.
For example, an edge constructed according to the first relationship points from the entity identifier corresponding to the initiator to the event identifier, and the attribute of the edge includes the first relationship; an edge constructed according to the second relationship points from the event identifier to the entity identifier corresponding to the destination, and the attribute of the edge includes the second relationship; an edge constructed according to the third relationship points from one entity identifier to the other entity identifier to which it belongs, and the attribute of the edge includes the third relationship; an edge constructed according to the fourth relationship points from one entity identifier to another entity identifier, and the attribute of the edge includes the fourth relationship.
For another example, the direction of the edge constructed according to the fifth relationship is that the entity identifier corresponding to the initiator points to the entity identifier corresponding to the destination, and the attribute of the edge includes the fifth relationship. Optionally, the attribute of the edge constructed according to the fifth relationship may further include an event identifier of an event corresponding to both the initiator and the destination.
As an example, when the plurality of entity identifiers includes an IP address and an event identifier, the edge between the source IP address and the event identifier points from the source IP address to the event identifier, and the attribute of the edge includes a first relationship indicating that the device corresponding to the source IP address is the initiator of the security event corresponding to the event identifier. The edge between the event identifier and the destination IP address points from the event identifier to the destination IP address, and the attribute of the edge includes a second relationship indicating that the device corresponding to the destination IP address is the destination of the security event corresponding to the event identifier.
When the plurality of entity identifiers includes IP addresses, the edge between the source IP address and the destination IP address points from the source IP address to the destination IP address, and the attribute of the edge includes a fifth relationship indicating that the device corresponding to the source IP address is the initiator of the security event and the device corresponding to the destination IP address is its destination. Further, the attribute of the edge may also include the event identifier of the security event.
As an example, the edge between a vulnerability identifier and an IP address points from the vulnerability identifier to the IP address, and the attribute of the edge includes a third relationship indicating that the vulnerability corresponding to the vulnerability identifier belongs to the device corresponding to the IP address. The edge between a domain name and an IP address points from the domain name to the IP address, and the attribute of the edge includes a third relationship indicating that the domain name belongs to the IP address. The edge between an event identifier and a file identifier may point from the event identifier to the file identifier, and the attribute of the edge includes a fourth relationship indicating that the file corresponding to the file identifier was generated during the occurrence of the security event corresponding to the event identifier. The edge between an event identifier and a domain name may point from the event identifier to the domain name, and the attribute of the edge includes a fourth relationship indicating that the domain name was accessed during the occurrence of the security event corresponding to the event identifier.
Illustratively, referring to fig. 3, fig. 3 is a schematic diagram of a network relationship diagram shown in accordance with an exemplary embodiment. The IP address a in fig. 3 is a source IP address in the security event corresponding to the event identifier a and the security event corresponding to the event identifier b, and is a destination IP address in the security event corresponding to the event identifier c. Therefore, the edge between the IP address a and the event identifier a points to the event identifier a from the IP address a, the edge between the IP address a and the event identifier b points to the event identifier b from the IP address a, and the edge between the IP address a and the event identifier c points to the IP address from the event identifier c. The IP address B is the destination IP address in the security event corresponding to the event identifier a. Therefore, the edge between the IP address B and the event identifier a points to the IP address B by the event identifier a. Domain name 1 belongs to IP address a, and thus the edge between IP address a and domain name 1 points to IP address a from domain name 1. The vulnerability identification 1 belongs to the device corresponding to the IP address A, and therefore the direction of the edge between the IP address A and the vulnerability identification 1 is from the vulnerability identification 1 to the IP address A. 
The security event log corresponding to the event identifier a includes an event identifier a, a domain name 1, a file identifier 2, and the like, which indicates that the domain name 1 is accessed in the process of occurrence of the security event corresponding to the event identifier a, and a file corresponding to the file identifier 1 and a file corresponding to the file identifier 2 are generated, so that the direction of the edge between the event identifier a and the domain name 1 is that the event identifier a points to the domain name 1, the direction of the edge between the event identifier a and the file identifier 1 is that the event identifier a points to the file identifier 1, and the direction of the edge between the event identifier a and the file identifier 2 is that the event identifier a points to the file identifier 2.
It is worth noting that the embodiment of the present application provides a graph-based entity mining and analysis method in which the association relationships between the nodes corresponding to the plurality of entity identifiers are visually displayed in the obtained network relationship graph, so that a technician can quickly find the entities that need close attention and the efficiency of security operations can be improved.
It should be noted that the technical solution of the present application can be realized through the above steps. The subsequent steps are further implementations of processing the security event log.
Step 204: setting the attributes of the nodes and edges in the network relationship graph.
After the network relationship graph is constructed, attributes can be set for its nodes and edges to enrich the graph, so that it conveys more information and the presentation of security events is more intuitive. In this way, a technician can not only quickly learn the association relationships between the nodes from the network relationship graph, but also learn the attributes of the nodes, which further helps the technician determine the entities that need close attention and improves the efficiency of security operations.
It should be noted that, since the nodes in the network relationship graph may include multiple types, and the attributes of different types of nodes are different, the attributes may be set for the nodes according to the types of the nodes.
In some embodiments, the attributes of an IP address node in the network relationship graph may include at least one of intranet/extranet information or a device type. The intranet/extranet information indicates whether the IP address lies in a designated network segment. The device type is the type of the device corresponding to the IP address; for example, the device type may be a Web (World Wide Web) server, a server, an office machine, or others.
As an example, the intranet/extranet information of an IP address node can be determined according to a reference network segment range divided by the user. If the IP address belongs to the reference network segment range, it is determined to be an intranet IP address; if it does not, it is determined to be an extranet IP address. Further, when the IP address is an extranet IP address, the country and province to which the IP address belongs may also be determined and added to the attributes of the IP address node.
As an example, when determining the device type of the IP address node, it may be determined whether a device type field corresponding to the IP address is included in the security event log, and if so, a value in the device type field is used as the type of the device corresponding to the IP address.
As another example, if the security event log does not include a device type field for the IP address, all security event logs that include the IP address may be collected; the identifier of the security device that performed event detection and occurs most often across those logs is then mapped to a device type through the correspondence between security device identifiers and device types, and that type is used as the type of the device corresponding to the IP address. Alternatively, the type of the device corresponding to the IP address may be determined from the event descriptions in all of those security event logs.
Illustratively, assume that there are 100 security event logs including the IP address, each security event log including an identification of a security device performing event detection. Among the identifiers of the security devices performing event detection, 86 are first security device identifiers, 10 are second security device identifiers, and 4 are third security device identifiers. The device type corresponding to the first security device identifier may be obtained from the correspondence between the security device identifiers and the device types, and if the obtained device type is a web server, it may be determined that the device type corresponding to the IP address is the web server.
Illustratively, assume that there are 100 security event logs including the IP address, each including an event description. If 86 of the 100 event descriptions state that the IP address was subjected to a web-type attack, it may be determined that the type of the device corresponding to the IP address is a web server.
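As an added example (not the patent's code), the following Python sets the intranet/extranet and device-type attributes of an IP address node from constructed security event logs following the rules above: a reference network segment check, an explicit device-type field when present, otherwise the type mapped from the most frequent security device identifier (the 86/10/4 split of the text), otherwise a majority of web-attack event descriptions. The reference segments, device identifiers, identifier-to-type mapping and log contents are all constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed reference network segment ranges (the "designated network
# segment" of the text): an address inside them is an intranet address.
REFERENCE_SEGMENTS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]
# Constructed correspondence between security device identifiers and the
# type of device they protect.
DEVICE_ID_TO_TYPE = {"waf-01": "web server", "edr-07": "office machine",
                     "dbfw-02": "server"}


def constructed_logs():
    """Constructed security event logs.  10.1.2.3 has 86/10/4 logs from three
    security devices (the text's example); 10.9.9.9 is only reported by a
    device with no known type, so its type must come from the descriptions;
    203.0.113.9 carries an explicit device type field."""
    logs = []
    for dev, count in (("waf-01", 86), ("edr-07", 10), ("dbfw-02", 4)):
        logs += [{"ip": "10.1.2.3", "security_device": dev,
                  "description": "SQL injection attempt against web app"}] * count
    logs += [{"ip": "10.9.9.9", "security_device": "ids-99",
              "description": "web shell upload attempt"}] * 3
    logs += [{"ip": "10.9.9.9", "security_device": "ids-99",
              "description": "port scan"}] * 2
    logs.append({"ip": "203.0.113.9", "security_device": "edr-07",
                 "device_type": "office machine", "description": "beacon"})
    return logs


def network_side(ip, segments):
    """Intranet if the address falls in a reference segment, else extranet."""
    addr = ipaddress.ip_address(ip)
    return "intranet" if any(addr in seg for seg in segments) else "extranet"


def device_type(ip, logs, id_to_type):
    """Device type of an IP address: an explicit device_type field wins;
    otherwise the type mapped from the most frequent security device
    identifier; otherwise a majority of web-attack descriptions means
    'web server'; otherwise 'others'."""
    mine = [log for log in logs if log["ip"] == ip]
    for log in mine:
        if "device_type" in log:
            return log["device_type"]
    counted = Counter(log["security_device"] for log in mine)
    for dev, _ in counted.most_common(1):
        if dev in id_to_type:
            return id_to_type[dev]
    web_hits = sum("web" in log["description"].lower() for log in mine)
    if mine and 2 * web_hits > len(mine):
        return "web server"
    return "others"


def ip_node_attributes(ip, logs, segments=REFERENCE_SEGMENTS,
                       id_to_type=DEVICE_ID_TO_TYPE):
    """Attribute dictionary attached to the IP address node."""
    return {"network": network_side(ip, segments),
            "device_type": device_type(ip, logs, id_to_type)}


if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.9.9.9", "203.0.113.9"):
        print(ip, ip_node_attributes(ip, constructed_logs()))
```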
In some embodiments, the attributes of an event identifier node in the network relationship graph may include at least one of an event type, an event severity, a confidence level, and an identification of the security device performing the event detection.
In some embodiments, the attribute of the vulnerability identification node in the network relationship diagram may include a version of software or system corresponding to the vulnerability identification, a repair scheme corresponding to the vulnerability identification, and the like. The attributes of the file identification node in the network relationship graph may include a file name, a file size, a file path, and the like. The attributes of the domain name node in the network relationship graph may include the registration time of the domain name, the category of the domain name, and the like.
In some embodiments, the attributes of an edge in the network relationship graph may include the risk degree of the corresponding event, determined according to at least one of the occurrence frequency, the severity, and the confidence of the event. The event corresponding to the edge is either the event corresponding to the event identifier node connected by the edge, or the event identified by the event identifier included in the attribute of the edge.
As one example, the frequency of occurrence of an event may be determined as the risk of the event.
As another example, the severity of an event may be determined as the risk of the event; alternatively, the risk of the event may be determined based on the severity and confidence of the event; alternatively, the risk of an event may be determined based on the frequency of occurrence of the event, the severity of the event, and the confidence level. In this case, the attribute of the edge may further include the occurrence frequency of the corresponding event.
In one possible implementation, the risk of the event may be calculated according to the following equation (1).
ES = (log p) * s * c (1)
Where p is the occurrence frequency of the event, s is the average severity of the event, and c is the average confidence of the event. As an example, the occurrence frequency p of the event corresponding to the event identifier connected to the edge may be determined by counting that event identifier in the received security event logs. The average severity is determined by averaging the severity recorded in each occurrence of the same event, and the average confidence by averaging the confidence recorded in each occurrence of the same event.
Optionally, when the event corresponding to the edge is the event identified by the event identifier included in the attribute of the edge, the attribute of the edge may also include at least one of the event type, the event severity, the confidence level, and the identification of the security device that performed event detection for that event.
Further, the attributes of the nodes in the network relationship graph further include attention, and the attention is determined according to at least one of the number of the neighbor nodes, the types of the neighbor nodes, and the directions of the edges between the neighbor nodes.
The attention degree can be used to indicate the risk degree and the threat degree of the node, that is, the degree of security risk of the node and the degree of threat to other nodes by the node. The neighbor node is a node connected with the node through at least one edge.
In some embodiments, the attention of the node may be determined according to the type of the node. For the IP address node, different methods can be used for determining the attention degree of the IP address node according to the internal and external network information of the IP address node. For other types of nodes, the degree of the node, which refers to the number of edges directly connected to the node, may be determined as the attention of the node.
As an example, for an IP address node, when the intranet and extranet information of the IP address node indicates that the IP address is an extranet IP address, the attention of the IP address node may be determined according to the number of IP address nodes in the second-order neighbor node of the IP address node and the number of event identification nodes in the first-order neighbor node of the IP address node.
A second-order neighbor node is a node connected to the IP address node through two edges, and a first-order neighbor node is a node directly connected to the IP address node through one edge. Referring to fig. 3, the IP address B node is a second-order neighbor node of the IP address A node, and the event identifier a node is a first-order neighbor node of the IP address A node.
Illustratively, the degree of attention of the IP address node can be determined by the following formula (2).
s = log10 m * n (2)
Where m is the number of IP address nodes among the second-order neighbor nodes of the IP address node, and n is the number of event identifier nodes among the first-order neighbor nodes of the IP address node.
Illustratively, referring to fig. 3, assume that IP address A is an extranet IP address. From fig. 3, it can be determined that the second-order neighbor nodes of the IP address A node are the file identifier 1 node, the file identifier 2 node and the IP address B node, of which only the IP address B node is an IP address node, so m is 1. The first-order neighbor nodes of the IP address A node are the event identifier a node, the event identifier b node, the event identifier c node, the domain name 1 node and the vulnerability identifier 1 node, of which three are event identifier nodes, so n is 3.
As another example, for an IP address node, when the intranet/extranet information of the IP address node indicates that the IP address is an intranet IP address, the attention of the IP address node may be determined according to the number of IP address nodes among the second-order in-degree neighbor nodes of the IP address node and the number of event identifier nodes among the second-order in-degree neighbor nodes of the IP address node.
A second-order in-degree neighbor node is a node connected to the IP address node through two edges, both of which are directed toward the IP address node. Referring to fig. 3, the IP address A node is a second-order in-degree neighbor node of the IP address B node.
Illustratively, the degree of attention of the IP address node can be determined by the following formula (3).
[Formula (3) appears only as an image in the original publication and is not reproduced here.]
Where x is the number of IP address nodes among the second-order in-degree neighbor nodes of the IP address node, y is the number of event identifier nodes among the second-order in-degree neighbor nodes of the IP address node, and δ is a mapping function: δ is 0 when the out-degree of the IP address node is 0, and δ is 1 when the out-degree of the IP address node is not 0. The out-degree of the IP address node is the number of edges directed from the IP address node to other nodes.
Illustratively, referring to fig. 3, assume that IP address B is an intranet IP address. From fig. 3, it can be determined that the second-order in-degree neighbor nodes of the IP address B node include the IP address A node, which is the only IP address node among them, so x is 1. There is no event identifier node among the second-order in-degree neighbor nodes of the IP address B node, so y is 0. The out-degree of the IP address B node is 2, so δ is 1.
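As an added example (not the patent's code), the following Python builds the fig. 3 network relationship graph from constructed security event logs using the edge rules of step 203, then computes the inputs of formulas (2) and (3) for IP address nodes and the risk degree of formula (1). The logs, the prefixed node identifiers, the repeated event b log and event d are constructed for this example; the text's fig. 3 gives IP address B an out-degree of 2 through edges it does not list, and the constructed event d (B as source) stands in for them.

```python
import math
from collections import defaultdict

# Constructed security event logs; node identifiers carry a type prefix
# (ip:, event:, domain:, file:, vuln:).  Events a, b, c reproduce the fig. 3
# edges described in the text; event d (B -> C) is a constructed extra so
# that IP address B has a non-zero out-degree; event b is logged twice.
LOGS = [
    {"event": "event:a", "src_ip": "ip:A", "dst_ip": "ip:B",
     "domains": ["domain:1"], "files": ["file:1", "file:2"],
     "severity": 3, "confidence": 0.9},
    {"event": "event:b", "src_ip": "ip:A", "severity": 2, "confidence": 0.7},
    {"event": "event:b", "src_ip": "ip:A", "severity": 2, "confidence": 0.5},
    {"event": "event:c", "dst_ip": "ip:A", "severity": 4, "confidence": 0.8},
    {"event": "event:d", "src_ip": "ip:B", "dst_ip": "ip:C",
     "severity": 1, "confidence": 0.6},
]
# Constructed entity description information: (entity, IP it belongs to).
BELONGS_TO = [("domain:1", "ip:A"), ("vuln:1", "ip:A")]


def node_type(node):
    return node.split(":", 1)[0]


def build_graph(logs, belongs_to):
    """Directed edges (src, dst, relation) by the rules of step 203:
    source IP -> event (first), event -> destination IP (second), entity ->
    the IP it belongs to (third), event -> domain or file from the same
    log (fourth).  Repeated logs yield a single edge."""
    edges = {}
    for log in logs:
        ev = log["event"]
        if "src_ip" in log:
            edges[(log["src_ip"], ev)] = "first"
        if "dst_ip" in log:
            edges[(ev, log["dst_ip"])] = "second"
        for other in log.get("domains", []) + log.get("files", []):
            edges[(ev, other)] = "fourth"
    for entity, ip in belongs_to:
        edges[(entity, ip)] = "third"
    return [(src, dst, rel) for (src, dst), rel in edges.items()]


def adjacency(edges):
    """Undirected neighbours and directed predecessors of every node."""
    nbrs, preds = defaultdict(set), defaultdict(set)
    for src, dst, _ in edges:
        nbrs[src].add(dst)
        nbrs[dst].add(src)
        preds[dst].add(src)
    return nbrs, preds


def second_order(edges, node):
    """Nodes two edges away (direction ignored), excluding first-order ones."""
    nbrs, _ = adjacency(edges)
    first = set(nbrs[node])
    return {n for f in first for n in nbrs[f]} - first - {node}


def second_order_in(edges, node):
    """Second-order in-degree neighbours: u with a path u -> v -> node."""
    _, preds = adjacency(edges)
    first_in = set(preds[node])
    return {u for v in first_in for u in preds[v]} - first_in - {node}


def attention_counts(edges, node, is_extranet=False):
    """Inputs of formulas (2) and (3).  Extranet IP node: (m, n) = IP nodes
    among second-order neighbours, event nodes among first-order ones.
    Intranet IP node: (x, y, delta) counted over second-order in-degree
    neighbours, delta = 1 iff out-degree > 0.  Other node types: (degree,)."""
    first = adjacency(edges)[0][node]
    if node_type(node) != "ip":
        return (len(first),)
    if is_extranet:
        m = sum(node_type(nb) == "ip" for nb in second_order(edges, node))
        n = sum(node_type(nb) == "event" for nb in first)
        return (m, n)
    second_in = second_order_in(edges, node)
    x = sum(node_type(nb) == "ip" for nb in second_in)
    y = sum(node_type(nb) == "event" for nb in second_in)
    out_degree = sum(1 for src, _, _ in edges if src == node)
    return (x, y, 1 if out_degree else 0)


def risk_degree(logs, event):
    """Formula (1), ES = (log p) * s * c: p = number of logs carrying the
    event identifier, s and c = their mean severity and mean confidence."""
    hits = [log for log in logs if log["event"] == event]
    p = len(hits)
    s = sum(h["severity"] for h in hits) / p
    c = sum(h["confidence"] for h in hits) / p
    return math.log(p) * s * c
```

With these logs, `attention_counts(build_graph(LOGS, BELONGS_TO), "ip:A", is_extranet=True)` gives the text's (m, n) = (1, 3) and the intranet call for `"ip:B"` gives (x, y, δ) = (1, 0, 1).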
Step 205: dividing the network relationship graph into a plurality of subgraphs according to the attributes of its edges, each of the plurality of subgraphs comprising a plurality of nodes.
In some embodiments, in order to show the relationships between nodes more clearly, the network relationship graph may be divided by a community discovery algorithm so that closely connected nodes are placed in the same subgraph. Within one subgraph, a problem at any node has a large influence on the other nodes of that subgraph. For example, when a node may attack other nodes, the nodes in the same subgraph face a higher risk of being attacked; when a node may be attacked by other nodes, that node faces a higher risk of attack from the nodes in the same subgraph.
As one example, a network relationship graph may be partitioned into multiple subgraphs using a modularity-based community discovery algorithm. The modularity is defined in equation (4).
Q = (1 / (2m)) * Σ_{i,j} [A_ij − k_i * k_j / (2m)] * δ(c_i, c_j) (4)
Formula (4) appears only as an image in the original publication; the line above is the standard Newman modularity written with the symbols defined here. A_ij is the attribute value of the edge between node i and node j, c_i denotes the subgraph to which node i belongs, c_j denotes the subgraph to which node j belongs, k_i is the sum of the attribute values of all edges connected to node i, k_j is the sum of the attribute values of all edges connected to node j, and m is the sum of the attribute values of all edges in the network relationship graph. δ(c_i, c_j) is an indicator function whose value is 1 when c_i and c_j are equal and 0 otherwise. The modularity-based community discovery algorithm aims to maximize the Q function in order to divide the nodes into different subgraphs.
That is, two nodes in the network relationship graph are tentatively placed in the same subgraph and the value of Q is calculated; if Q is greater than 0, the two nodes can be placed in the same subgraph, and if Q is less than or equal to 0, they cannot. By analogy, the modularity is calculated for every pair of nodes in the network relationship graph to divide it into a plurality of subgraphs.
It should be noted that other community discovery algorithms may also be used to divide the network relationship graph into multiple sub-graphs. For example, GN (Girvan-Newman) algorithm, Louvain algorithm, etc., which are not limited in the embodiments of the present application.
It is worth noting that by dividing the network relationship graph, a graph containing many nodes can be split into a plurality of subgraphs according to how closely their nodes are connected; when a technician determines that a node needs attention, the other nodes in the same subgraph can also be given close attention, which helps the technician quickly determine the nodes highly associated with the node needing attention and improves the efficiency of security operations.
In some embodiments, after the plurality of subgraphs are obtained by division, the attention of each subgraph can be determined from the attention of the nodes it includes. The subgraphs are then sorted in descending order of attention, and the sorted subgraphs are displayed.
That is, the attention of a subgraph can be determined from the attention of its nodes, the subgraphs sorted by attention, and the sorted subgraphs displayed.
Therefore, an attention degree is generated for each subgraph, so that a technician can associate and aggregate a plurality of nodes that need close attention; the sorted subgraphs give the technician clear guidance, allowing the subgraph and the nodes that need the most attention to be determined intuitively, which helps the technician quickly determine the information needing close attention and improves operational efficiency.
As an example, for any one of the plurality of subgraphs, the attention degrees of the nodes in the subgraph may be sorted, the top N attention degrees added to obtain a node attention sum, and that sum determined as the attention of the subgraph. N may be preset and may be a positive integer; for example, N may be 5.
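As an added example (not the patent's code), the following Python evaluates the modularity Q of formula (4) for a partition, grows subgraphs by a greedy agglomerative merge that joins the pair of subgraphs raising Q the most and stops when no merge raises Q (the pairwise "Q improves" test described above, applied greedily), and then ranks the resulting subgraphs by the sum of their top-N node attention degrees as in step 205. The weighted graph and the node attention values are constructed for this example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed weighted, undirected network relationship graph: (i, j, A_ij).
# Two tightly connected groups (A, a, b, c) and (B, d, C, e) joined by the
# single light edge a-B.
EDGES = [
    ("A", "a", 3.0), ("A", "b", 3.0), ("a", "b", 2.0), ("A", "c", 2.0),
    ("B", "d", 3.0), ("B", "C", 3.0), ("d", "C", 2.0), ("C", "e", 2.0),
    ("a", "B", 0.5),
]
# Constructed node attention degrees (step 204) used to rank the subgraphs.
ATTENTION = {"A": 3.0, "a": 2.0, "b": 1.0, "c": 0.5,
             "B": 1.0, "d": 2.0, "C": 4.0, "e": 0.5}


def modularity(edges, community):
    """Formula (4): Q = 1/(2m) * sum_ij [A_ij - k_i k_j / (2m)] delta(c_i, c_j)
    for a partition given as node -> subgraph label."""
    m = sum(w for _, _, w in edges)
    k = defaultdict(float)
    weight = {}
    for i, j, w in edges:
        k[i] += w
        k[j] += w
        weight[frozenset((i, j))] = w
    q = 0.0
    for i in k:
        for j in k:
            if community[i] == community[j]:
                q += weight.get(frozenset((i, j)), 0.0) - k[i] * k[j] / (2 * m)
    return q / (2 * m)


def greedy_partition(edges):
    """Every node starts in its own subgraph; the pair of subgraphs whose
    union raises Q the most is merged, until no merge raises Q."""
    community = {n: n for i, j, _ in edges for n in (i, j)}
    while True:
        base = modularity(edges, community)
        best, best_gain = None, 0.0
        for c1, c2 in combinations(sorted(set(community.values())), 2):
            trial = {n: (c1 if c == c2 else c) for n, c in community.items()}
            gain = modularity(edges, trial) - base
            if gain > best_gain:
                best, best_gain = trial, gain
        if best is None:
            return community
        community = best


def communities(edges):
    """Member sets of the subgraphs found by greedy_partition, sorted."""
    groups = defaultdict(set)
    for node, label in greedy_partition(edges).items():
        groups[label].add(node)
    return sorted(groups.values(), key=lambda s: sorted(s))


def rank_subgraphs(community, attention, top_n=5):
    """Subgraph attention = sum of its top-N node attention degrees;
    returns (attention, sorted members) from highest to lowest."""
    members = defaultdict(list)
    for node, label in community.items():
        members[label].append(node)
    ranked = []
    for nodes in members.values():
        top = sorted((attention.get(n, 0.0) for n in nodes), reverse=True)[:top_n]
        ranked.append((sum(top), sorted(nodes)))
    return sorted(ranked, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    part = greedy_partition(EDGES)
    print(communities(EDGES))                         # the two groups above
    print(round(modularity(EDGES, part), 4))          # 0.4756
    print(rank_subgraphs(part, ATTENTION, top_n=2))   # (B, C, d, e) ranks first
```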
It should be noted that step 205 is to perform sub-graph partitioning and sorting on the network relationship graph, and step 206 is to construct a relationship diffusion graph of nodes according to the network relationship graph, which are two implementation manners for further operating the network relationship graph, so that step 205 and step 206 do not have a sequential execution order.
Step 206: determining a first node from the network relationship graph, and constructing and displaying the relationship diffusion graph of the first node.
In some embodiments, in order to more clearly show information related to a certain node, a relationship diffusion graph of the node in the network relationship graph can also be determined.
In one possible implementation, this step may include: determining a first node from the network relationship graph, and determining one or more second nodes from all neighbor nodes of the first node in the network relationship graph; then constructing the relationship diffusion graph of the first node from the first node, the one or more second nodes, and the edge between the first node and each of the one or more second nodes, and displaying the relationship diffusion graph of the first node.
As an example, the first node may be a node with the highest attention degree in the network relationship diagram, or the first node may be a node with the attention degree greater than the attention degree threshold in the network relationship diagram, or the first node may be any node selected by a technician in the network relationship diagram. The attention threshold may be set by a user according to actual needs, or may be set by default by the SOC platform, which is not limited in the embodiments of the present application.
As an example, a neighbor node that does not point to the first node in all neighbor nodes of the first node may be determined as the second node.
As another example, when the first node is an IP address node or an event identification node, all neighbor nodes of the first node may be determined as the second node.
As yet another example, when the first node is a node other than the IP address node and the event identification node, neighbor nodes directly connected to the first node through one edge and connected through two edges may be determined as the second node.
As an example, after the first node and the one or more second nodes are determined, the relationship diffusion graph of the first node may be constructed by taking the first node and the one or more second nodes as nodes in the relationship diffusion graph and taking an edge between the first node and each second node as an edge in the relationship diffusion graph, and the relationship diffusion graph is displayed. Therefore, technicians can observe the diffusion paths of the events more conveniently, the relationship among the nodes is presented more thoroughly and clearly, and the potential affected nodes can be found conveniently.
Illustratively, referring to fig. 4, fig. 4 is the relationship diffusion graph of the IP address A node determined from the network relationship graph of fig. 3. The IP address A node is the first node, and the event identifier a node, the event identifier b node, the domain name 1 node, the file identifier 2 node and the IP address B node are second nodes.
Illustratively, referring to FIG. 5, FIG. 5 is a second order subgraph of file identification 1 nodes determined from the network relationship graph of FIG. 3. The file identifier 1 node is a first node, and the event identifier a node, the IP address B node, the file identifier 2 node and the domain name 1 node are second nodes.
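As an added example (not the patent's code), the following Python selects the first node by attention and the second nodes by the three rules given above, and returns the relationship diffusion graph. The edge list reproduces the fig. 3 edges described in the text with constructed prefixed identifiers, and the attention values are constructed; as an assumption of this example, the edges kept are all edges among the selected nodes, so the two-edge paths of the third rule remain visible.

```python
from collections import defaultdict

# Constructed edge list reproducing the fig. 3 edges described in the text,
# as (source, destination); identifiers carry a type prefix.
FIG3_EDGES = [
    ("ip:A", "event:a"), ("ip:A", "event:b"), ("event:c", "ip:A"),
    ("event:a", "ip:B"), ("domain:1", "ip:A"), ("vuln:1", "ip:A"),
    ("event:a", "domain:1"), ("event:a", "file:1"), ("event:a", "file:2"),
]
# Constructed node attention degrees used to pick the first node.
ATTENTION = {"ip:A": 2.5, "ip:B": 1.0, "event:a": 5.0, "event:b": 2.0,
             "event:c": 2.0, "domain:1": 2.0, "vuln:1": 1.0,
             "file:1": 1.0, "file:2": 1.0}


def node_type(node):
    return node.split(":", 1)[0]


def first_nodes(attention, threshold=None):
    """First-node candidates: the node of highest attention, or every node
    whose attention exceeds the threshold when one is given."""
    if threshold is None:
        return [max(attention, key=attention.get)]
    return sorted(n for n, a in attention.items() if a > threshold)


def diffusion_graph(edges, first, rule="by_type"):
    """Second nodes and kept edges of the relationship diffusion graph of
    `first`.  rule="not_pointing": neighbours that have no edge into the
    first node.  rule="by_type": IP and event nodes keep all neighbours;
    other node types keep nodes within one or two edges.  The kept edges
    are those among the selected nodes (assumption of this example)."""
    succ, pred = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        succ[src].add(dst)
        pred[dst].add(src)
    neighbours = succ[first] | pred[first]
    if rule == "not_pointing":
        second = neighbours - pred[first]
    elif node_type(first) in ("ip", "event"):
        second = set(neighbours)
    else:
        two_hop = {n for nb in neighbours for n in succ[nb] | pred[nb]}
        second = (neighbours | two_hop) - {first}
    keep = second | {first}
    kept_edges = [(s, d) for s, d in edges if s in keep and d in keep]
    return second, kept_edges


if __name__ == "__main__":
    print(first_nodes(ATTENTION), first_nodes(ATTENTION, threshold=1.5))
    print(diffusion_graph(FIG3_EDGES, "ip:A", rule="not_pointing"))
    print(diffusion_graph(FIG3_EDGES, "file:1"))
```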
It should be noted that after the relationship diffusion graph of a certain node is displayed, a technician may perform analysis and investigation according to the relationship diffusion graph, determine the threatened asset and find the initial attack source by manually searching for relevant clues, and may also remove viruses/trojans and the like for the determined attacked asset.
For convenience of understanding, the security event log processing method provided by the embodiment of the present application is illustrated below with reference to fig. 6.
Referring to fig. 6: in the first step, the information in the security event log is preprocessed, including but not limited to supplementing missing values; in the second step, the network relationship graph is constructed; in the third step, attributes are set for the nodes and edges of the network relationship graph, enriching its content; in the fourth step, the attention of the nodes is calculated; in the fifth step, the network relationship graph is divided into a plurality of subgraphs; in the sixth step, the subgraphs are sorted according to the attention of their nodes; and in the seventh step, the relationship diffusion graph of a node is constructed and displayed.
In the embodiment of the present application, a plurality of entity identifiers and entity description information related to a security event are extracted from a security event log, and the plurality of entity identifiers may include IP addresses. The association relationships between the entity identifiers are then determined according to the entity description information, each of the plurality of entity identifiers is taken as a node in the network relationship graph, and the edges of the network relationship graph are constructed according to the determined association relationships, so as to obtain the network relationship graph. The obtained network relationship graph visually displays the association relationships between the nodes corresponding to the entity identifiers, that is, the method performs a comprehensive analysis based on global information, so that a technician can quickly find the entities that need close attention and the efficiency of security operations can be improved.
Fig. 7 is a schematic structural diagram illustrating a security event log processing apparatus, which may be implemented as part or all of a device by software, hardware, or a combination of the two, according to an exemplary embodiment. Referring to fig. 7, the apparatus includes: an extraction module 701, a determination module 702 and a construction module 703.
An extracting module 701, configured to extract, from a security event log, a plurality of entity identifiers and entity description information related to a security event, where the plurality of entity identifiers include IP addresses;
a determining module 702, configured to determine an association relationship between multiple entity identifiers according to the entity description information;
the constructing module 703 is configured to use each entity identifier in the multiple entity identifiers as a node in the network relationship graph, and construct an edge in the network relationship graph according to an association relationship between the multiple entity identifiers, so as to obtain the network relationship graph.
In one possible implementation manner of the present application, the plurality of entity identifiers include: at least one of an event identifier, a domain name, a port number, a file identifier and a vulnerability identifier;
the entity description information includes: at least one of event description, vulnerability description, corresponding information of the IP address and the domain name, and corresponding information of the IP address and the port number.
In one possible implementation manner of the present application, the association relationship includes: a first relationship, a second relationship, a third relationship, or a fourth relationship;
the first relation indicates that the entity identified by one entity identifier is the initiator of an event, the second relation indicates that the entity identified by one entity identifier is the destination of an event, the third relation indicates that the entity identified by one entity identifier belongs to the entity identified by another entity identifier, and the fourth relation indicates that the two entity identifiers are extracted from the same security event log.
In a possible implementation manner of the present application, the building module 703 is further configured to:
setting the attributes of nodes and edges in the network relationship graph;
the attributes of the IP address nodes in the network relationship graph comprise at least one of internal and external network information or device types, and the attributes of the event identification nodes in the network relationship graph comprise at least one of event types, event severity, confidence degrees and identifications of security devices for detecting events;
the attributes of the edges in the network relationship graph comprise the risk degree of the corresponding events, and the risk degree is determined according to at least one of the occurrence frequency, the severity of the events and the confidence degree of the events.
In a possible implementation manner of the present application, the attribute of the node in the network relationship graph further includes a degree of attention, and the degree of attention is determined according to at least one of the number of the neighbor nodes, the type of the neighbor nodes, and the direction of the edge between the neighbor nodes.
In a possible implementation manner of the present application, the building module 703 is further configured to:
according to the attributes of the edges in the network relationship graph, the network relationship graph is divided into a plurality of subgraphs, and each subgraph in the plurality of subgraphs comprises a plurality of nodes.
In a possible implementation manner of the present application, the building module 703 is further configured to:
determining the attention degree of each subgraph according to the attention degree of the nodes included in each subgraph in the multiple subgraphs;
sorting the multiple subgraphs in descending order of the attention degree of each subgraph;
and displaying the sorted multiple subgraphs.
In a possible implementation manner of the present application, the building module 703 is further configured to:
determining a first node from the network relationship graph;
determining one or more second nodes from all neighbor nodes of the first node in the network relationship graph;
constructing a relation diffusion graph of the first node according to the first node, the one or more second nodes and the edge between the first node and each of the one or more second nodes;
and displaying the relation diffusion graph of the first node.
It should be noted that: in the security event log processing apparatus provided in the foregoing embodiment, when processing the security event log, only the division of the functional modules is illustrated, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the apparatus is divided into different functional modules, so as to complete all or part of the above described functions. In addition, the security event log processing apparatus provided in the foregoing embodiment and the security event log processing method embodiment belong to the same concept, and specific implementation processes thereof are described in the method embodiment and are not described herein again.
FIG. 8 is a schematic diagram illustrating the structure of an apparatus according to an exemplary embodiment. The device may be an SOC platform. The device 800 includes a central processing unit (CPU) 801, a system memory 804 including a random access memory (RAM) 802 and a read-only memory (ROM) 803, and a system bus 805 connecting the system memory 804 and the central processing unit 801. The device 800 also includes a basic input/output system (I/O system) 806 for facilitating information transfer between components within the computer, and a mass storage device 807 for storing an operating system 813, application programs 814, and other program modules 815.
The basic input/output system 806 includes a display 808 for displaying information and an input device 809, such as a mouse or keyboard, for user input of information. The display 808 and the input device 809 are connected to the central processing unit 801 through an input/output controller 810 connected to the system bus 805. The basic input/output system 806 may also include the input/output controller 810 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, the input/output controller 810 also provides output to a display screen, a printer, or another type of output device.
The mass storage device 807 is connected to the central processing unit 801 through a mass storage controller (not shown) connected to the system bus 805. The mass storage device 807 and its associated computer-readable media provide non-volatile storage for the device 800. That is, the mass storage device 807 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM (Compact Disc Read-Only Memory) drive.
Without loss of generality, computer-readable media may comprise computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other solid-state memory technology, CD-ROM, DVD (Digital Video Disc) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that computer storage media are not limited to the foregoing. The system memory 804 and the mass storage device 807 described above may be collectively referred to as memory.
According to various embodiments of the present application, the device 800 may also operate as a remote computer connected through a network, such as the Internet. That is, the device 800 may be connected to a network 812 through a network interface unit 811 coupled to the system bus 805, or may be connected to other types of networks or remote computer systems (not shown) using the network interface unit 811.
The memory further includes one or more programs, and the one or more programs are stored in the memory and configured to be executed by the CPU.
In some embodiments, there is also provided a computer readable storage medium having at least one instruction, at least one program, set of codes, or set of instructions stored therein, the at least one instruction, the at least one program, set of codes, or set of instructions being loaded and executed by a processor to implement the security event log processing method in the above embodiments. For example, the computer readable storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It is noted that the computer-readable storage medium referred to herein may be a non-volatile storage medium, in other words, a non-transitory storage medium.
It should be understood that all or part of the steps for implementing the above embodiments may be implemented by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The computer instructions may be stored in the computer-readable storage medium described above.
That is, in some embodiments, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the security event log processing method described above.
The above-mentioned embodiments are provided not to limit the present application, and any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. A method of security event log processing, the method comprising:
extracting a plurality of entity identifiers and entity description information related to a security event from a security event log, wherein the plurality of entity identifiers comprise Internet Protocol (IP) addresses;
determining the association relationships among the entity identifiers according to the entity description information;
and taking each entity identifier in the entity identifiers as a node in a network relationship graph, and constructing an edge in the network relationship graph according to the association relationships among the entity identifiers to obtain the network relationship graph.
2. The method of claim 1, wherein the plurality of entity identifiers further comprise: at least one of an event identifier, a domain name, a port number, a file identifier and a vulnerability identifier;
the entity description information includes: at least one of an event description, a vulnerability description, correspondence information between the IP address and the domain name, and correspondence information between the IP address and the port number.
3. The method of any of claims 1-2, wherein the association relationship comprises: a first relationship, a second relationship, a third relationship, or a fourth relationship;
the first relationship indicates that the entity identified by one entity identifier is the initiator of an event, the second relationship indicates that the entity identified by one entity identifier is the destination of an event, the third relationship indicates that the entity identified by one entity identifier belongs to the entity identified by another entity identifier, and the fourth relationship indicates that two entity identifiers are extracted from the same security event log.
4. The method of claim 1, wherein after obtaining the network relationship graph, further comprising:
setting the attributes of nodes and edges in the network relationship graph;
the attributes of the IP address nodes in the network relationship graph comprise at least one of internal and external network information or device types, and the attributes of the event identification nodes in the network relationship graph comprise at least one of event types, event severity, confidence degrees and identifications of security devices for detecting events;
the attributes of the edges in the network relationship graph comprise risk degrees of corresponding events, and the risk degrees are determined according to at least one of the occurrence frequency, the severity of the events and the confidence degree of the events.
5. The method of claim 4, wherein the attributes of the nodes in the network relationship graph further include a degree of interest, the degree of interest determined from at least one of a number of neighboring nodes, a type of neighboring node, and a direction of an edge between neighboring nodes.
6. The method of claim 4 or 5, wherein after setting the attributes of the nodes and edges in the network relationship graph, further comprising:
dividing the network relationship graph into a plurality of subgraphs according to the attributes of the edges in the network relationship graph, wherein each subgraph in the plurality of subgraphs comprises a plurality of nodes.
7. The method of claim 6, wherein after the dividing of the network relationship graph into a plurality of subgraphs, the method further comprises:
determining the degree of interest of each subgraph according to the degree of interest of the nodes included in each subgraph of the plurality of subgraphs;
sorting the plurality of subgraphs in descending order of the degree of interest of each subgraph;
displaying the sorted plurality of subgraphs.
8. The method of any of claims 1, 4-7, wherein after obtaining the network relationship graph, further comprising:
determining a first node from the network relationship graph;
determining one or more second nodes from all neighboring nodes of the first node in the network relationship graph;
constructing a relationship diffusion graph of the first node according to the first node, the one or more second nodes and edges between the first node and each of the one or more second nodes;
and displaying the relation diffusion graph of the first node.
9. A security event log processing apparatus, the apparatus comprising:
an extraction module, configured to extract, from a security event log, a plurality of entity identifiers and entity description information related to a security event, where the plurality of entity identifiers include Internet Protocol (IP) addresses;
a determining module, configured to determine the association relationships among the entity identifiers according to the entity description information;
and a building module, configured to take each entity identifier in the entity identifiers as a node in a network relationship graph, and to build an edge in the network relationship graph according to the association relationships among the entity identifiers to obtain the network relationship graph.
10. A computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement the security event log processing method of any of claims 1 to 8.
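The procedure the claims describe, as an added example that is not part of the patent or of any Tencent code: it builds the relationship graph of claims 1 to 3 from constructed log records, sets the risk and interest attributes of claims 4 and 5, splits and ranks subgraphs per claims 6 and 7, and derives the relationship diffusion graph of claim 8. The log field names, the product formula for risk, the neighbour-kind weights and the internal address range are all assumptions, since the claims fix none of them.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records; the field names are an assumption, not the patent's format.
SAMPLE_LOGS = [
    {"event": "EVT-1", "src": "10.0.0.5", "dst": "203.0.113.9", "port": 443,
     "domain": "c2.example.test", "type": "beacon", "severity": 8, "confidence": 0.9},
    {"event": "EVT-2", "src": "10.0.0.5", "dst": "203.0.113.9", "port": 443,
     "domain": "c2.example.test", "type": "beacon", "severity": 8, "confidence": 0.9},
    {"event": "EVT-3", "src": "10.0.0.7", "dst": "10.0.0.20", "port": 445,
     "type": "smb_scan", "severity": 3, "confidence": 0.4},
]
INITIATOR, DESTINATION, BELONGS_TO, SAME_LOG = "initiator", "destination", "belongs_to", "same_log"
KIND_WEIGHT = {"event": 2.0, "ip": 1.0, "domain": 1.0, "port": 0.5}  # assumed, used by interest()
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range (claim 4 attribute)

def add_edge(edges, a, b, relation, severity, confidence):
    """Claim 4: edge risk degree from occurrence frequency, severity and confidence."""
    e = edges.setdefault((a, b, relation), {"count": 0})
    e["count"] += 1  # how often this association was seen across the logs
    e["risk"] = round(e["count"] * severity * confidence, 4)  # product form is assumed

def build_graph(logs):
    """Claims 1-3: every entity identifier is a node; the four relationships are edges."""
    nodes, edges = {}, {}  # id -> attributes, (from, to, relation) -> attributes
    for r in logs:
        ev, src, dst, sev, conf = r["event"], r["src"], r["dst"], r["severity"], r["confidence"]
        nodes[ev] = {"kind": "event", "type": r["type"], "severity": sev, "confidence": conf}
        for ip in (src, dst):  # internal/external attribute of IP nodes (claim 4)
            nodes[ip] = {"kind": "ip", "internal": any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)}
        add_edge(edges, src, ev, INITIATOR, sev, conf)    # first: src initiates the event
        add_edge(edges, ev, dst, DESTINATION, sev, conf)  # second: dst is the event's target
        port = f"{dst}:{r['port']}"
        nodes[port] = {"kind": "port"}
        add_edge(edges, port, dst, BELONGS_TO, sev, conf)  # third: port belongs to the IP
        if "domain" in r:
            nodes[r["domain"]] = {"kind": "domain"}
            add_edge(edges, r["domain"], dst, BELONGS_TO, sev, conf)  # third: domain -> IP
        add_edge(edges, src, dst, SAME_LOG, sev, conf)  # fourth: seen in the same log record
    return {"nodes": nodes, "edges": edges}

def interest(g, nid):
    """Claim 5: neighbour count, neighbour kind and edge direction (weights are assumed)."""
    score = 0.0
    for a, b, rel in g["edges"]:
        if nid in (a, b):
            score += KIND_WEIGHT[g["nodes"][b if a == nid else a]["kind"]]
            score += 1.0 if rel == INITIATOR and a == nid else 0.0  # outgoing initiator edge
    return score

def split_subgraphs(g, min_risk):
    """Claim 6: keep edges whose risk reaches min_risk, then take connected components."""
    adj = defaultdict(set)
    for (a, b, _), attrs in g["edges"].items():
        if attrs["risk"] >= min_risk:
            adj[a].add(b)
            adj[b].add(a)
    comps = []
    for start in adj:
        if not any(start in c for c in comps):
            comp, stack = set(), [start]
            while stack:
                n = stack.pop()
                comp.add(n)
                stack.extend(adj[n] - comp)
            comps.append(comp)
    return comps

def rank_subgraphs(g, comps):
    """Claim 7: order subgraphs by their summed node interest, largest first."""
    return sorted(comps, key=lambda c: sum(interest(g, n) for n in c), reverse=True)

def diffusion_graph(g, first):
    """Claim 8: the first node, its neighbouring second nodes and the edges between them."""
    edges = {k: v for k, v in g["edges"].items() if first in k[:2]}
    return {"first": first, "second": {b if a == first else a for a, b, _ in edges}, "edges": edges}
```

On the sample records the repeated beacon to the same external host raises the risk of its edges above the single internal scan, so a risk threshold of 5 leaves one subgraph containing only the beacon entities.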
CN201911257641.4A 2019-12-10 2019-12-10 Security event log processing method, device and storage medium Active CN110933101B (en)
Publications (2)

Publication Number Publication Date
CN110933101A true CN110933101A (en) 2020-03-27
CN110933101B CN110933101B (en) 2022-11-04
Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40022973
Country of ref document: HK
SE01 Entry into force of request for substantive examination
GR01 Patent grant