Disclosure of Invention
In view of the foregoing background, the present invention is directed to a method for processing security events which collects log information, obtains the security events present on a host through big-data analysis, analyses and discovers risk hosts, measures the risk level of each risk host, and further performs targeted handling actions. The specific technical solution is as follows.
A network security event processing method comprises the following steps: different analysis engines are called to respectively process log data of different protocols or from different sources, and the processing results are subjected to correlation analysis with threat intelligence to generate security events; host risk values are determined for the hosts in the security events, and a preset handling action of the corresponding level is executed on each risk host whose risk value reaches a specific threshold.
Determining the host risk value includes determining, according to the IP, whether the host type is a server or a terminal. If the host is a server, its risk value is determined according to its compromise level, its threat level to the intranet and its vulnerability level; if the host is a terminal, its risk value is determined according to its compromise level, its threat level to the intranet and the threat level of files/mail.
Further, a risk rating of the security domain to which the host belongs is determined according to the host risk values. Specifically, a correspondence between the rating of the security domain and its score is specified, together with the points to be deducted for hosts of each risk value; whenever a host with a given risk value appears, the corresponding points are deducted from the total score of the security domain until the deduction for that item reaches its upper limit, and the rating is determined from the remaining score of the security domain.
Preferably, the compromise level includes lost, high suspicious and low suspicious; the threat level includes high threat, medium threat and low threat; and the vulnerability level, used to evaluate the host's vulnerability, includes severe, high risk, medium risk, low risk and secure;
the host risk value is positively correlated with the compromise level; when the compromise levels are the same, the risk value is positively correlated with the threat level;
and when a server's compromise level is low suspicious, its risk value is ranked, from largest to smallest, in the order high threat, medium threat, low threat, severe or high-risk vulnerability, and medium-risk or low-risk vulnerability.
Preferably, behavior characteristics of the host are extracted from the log data and the attack stage the host has reached is determined; the later the attack stage, the higher the compromise level. External attack behavior characteristics are extracted from the log data and, with reference to threat intelligence, the greater the attack threat, the higher the host's threat level to the intranet. The more serious the vulnerability of the host as determined by vulnerability scanning, the higher the host's vulnerability level.
In addition, the security event processing method further comprises outputting a handling suggestion according to a risk analysis of the host; the risk analysis content comprises the host threat range, an attack timeline, attack chain tracing and the host access relation, wherein
the host threat range comprises attacks and abnormal accesses by the host against other hosts in the intranet, and the IPs and/or URLs the host has connected to from the intranet;
the attack timeline comprises the time points at which specific events are judged to have occurred: the point of compromise and the point of attack;
attack chain tracing comprises tracing the attack behavior against the risk host and distinguishing indirect and direct attack sources in the internal and external networks;
the host access relation comprises determining the host's lateral network access from the flow logs so as to determine the potential threat posed by the risk host;
the handling suggestion comprises a preset handling strategy executed manually or automatically, wherein the handling strategy comprises sending a notification, triggering device linkage and creating a handling work order.
Preferably, in the present invention, the process of generating a security event includes: acquiring detection, audit and flow logs and collecting third-party logs; submitting the logs to different analysis engines for behavior analysis according to the protocol and source of the log data, the behavior analysis comprising security log analysis, DNS analysis, HTTP analysis, NetFlow analysis, mail analysis, AD domain analysis, SmbFlow analysis and file threat analysis; judging whether the related IP, URL, domain name and file MD5 values are in the threat intelligence white list and, if so, finishing, otherwise performing correlation analysis with threat intelligence and generating a security event;
before performing behavior analysis on a security detection log, judging whether the log is in the global white list and, if so, discarding it, otherwise marking it with service attributes.
Preferably, in the present invention, the correlation analysis between the log data processing result and threat intelligence specifically includes querying a threat intelligence library with the IP, URL, domain name or MD5 value from the log data and, if a match is found in the library, returning the corresponding intelligence type, attack stage and threat level.
Preferably, in the invention, the pre-screened security events are aggregated to obtain an aggregation list. The aggregation list includes public fields (compromise level, threat level, number of risk hosts and handling state) and aggregated event fields (risk host IP, host type, most recent occurrence time and handling state); if at least one event in an aggregate has not been handled, the handling state of the aggregate is unhandled. Statistical results and trends for events and for hosts are output separately from the information in the aggregation list.
The technical scheme of the invention is as follows: different types of log data are analysed by analysis engines with different responsibilities to generate corresponding security events; risk values of risk hosts are calculated according to the types of the hosts involved in the security events to determine their risk levels; the risk of each host is further analysed, and suggestions and information displays are output; and for each risk host the corresponding handling action is performed. The scheme has at least the following beneficial effects: systematic and comprehensive correlation analysis of log data from multiple sources to generate security events; and further risk analysis of the hosts in network security events, outputting more specific risk information and giving finer-grained handling suggestions and handling actions.
Detailed Description
The technical solution of the present invention will be described in detail below with reference to the accompanying drawings and examples.
To facilitate understanding of the embodiments of the present invention, related art terminology and the background are briefly described.
Traditional security defense, which relies mainly on single-point defenses such as IDS, firewalls and VDS, in effect divides network security into isolated islands that lack mutual correlation and cooperation. A network security situation awareness product analyses network security conditions and predicts network security trends by acquiring, extracting and fusing the network environment elements that can change the network security state and trend in a large-scale network environment (such as assets, network traffic, operating states, device alarms, vulnerabilities, security events and threat intelligence) and applying analysis techniques such as data mining, so as to assist emergency handling and security decision-making.
A network security event is a situation in which, owing to human factors or to defects or faults in software and hardware, a potential hazard to the information system arises or even the normal provision of service by the information system is affected.
Threat intelligence is evidence-based knowledge comprising context, attack mechanisms, indicators, implications and actionable advice; it describes an existing or imminent threat or danger to an asset and may be used to notify the subject to take some response to that threat or danger. It is intended to provide the entity facing the threat (typically the enterprise or organization that owns the asset) with comprehensive, accurate knowledge and information on which it can act and decide.
Vulnerability: a weakness of an asset or assets that may be compromised, including software vulnerabilities, insecure configurations and the like.
Network traffic: the collection of data packets generated on the network by the devices connected to it (including various network devices, security devices, servers, etc.).
Correlation analysis is a set of rules by which the user defines, according to the actual environment, the relationships between various security events (log records, alarm information and the like) in terms of their order of occurrence, after-the-fact impact and so on, and then makes a preventive response to a known situation. Some example correlation rules: part of the content of a single log is taken as alarm information, for instance logins, startups and shutdowns appearing in the log; the frequency of particular events per unit time is used, for instance three user password errors within one minute in the log indicate that the user password may be under brute-force attack; and correlation across the logs of multiple devices is used, for instance a number of logs that share the same IP address but come from different IP addresses may be treated as a DDoS attack.
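As an added illustration of the three kinds of correlation rule just listed (this is example code, not part of the patent), the following Python runs each rule over a handful of constructed log lines. The line format, the field names, the one-minute/three-failure threshold and the "three distinct sources" threshold for the multi-device rule are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the patent). Assumed format:
# "<ISO timestamp> <device> <event> key=value ..."
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 srv01 login_failed user=alice src=10.0.0.5",
    "2024-01-01T10:00:20 srv01 login_failed user=alice src=10.0.0.5",
    "2024-01-01T10:00:45 srv01 login_failed user=alice src=10.0.0.5",
    "2024-01-01T10:05:00 srv01 login_ok user=bob src=10.0.0.9",
    "2024-01-01T10:07:00 fw01 conn src=203.0.113.7 dst=10.0.0.1",
    "2024-01-01T10:07:01 fw01 conn src=203.0.113.8 dst=10.0.0.1",
    "2024-01-01T10:07:02 ids01 conn src=203.0.113.9 dst=10.0.0.1",
    "2024-01-01T11:00:00 srv01 shutdown user=root src=10.0.0.2",
]


def parse(line):
    """Split one log line into a dict of fields."""
    ts, device, event, *pairs = line.split()
    record = {"ts": datetime.fromisoformat(ts), "device": device, "event": event}
    record.update(p.split("=", 1) for p in pairs)
    return record


LOGS = [parse(line) for line in SAMPLE_LOGS]

# Rule 1: single-log rule -- certain events in a log are alarms in themselves.
SINGLE_LOG_EVENTS = {"login_ok", "login_failed", "startup", "shutdown"}


def single_log_alerts(logs):
    return [(r["device"], r["event"], r.get("user")) for r in logs
            if r["event"] in SINGLE_LOG_EVENTS]


# Rule 2: frequency rule -- `threshold` password failures for one user
# (from one source) inside `window` suggest brute forcing.
def brute_force_alerts(logs, threshold=3, window=timedelta(minutes=1)):
    failures = defaultdict(list)
    for r in logs:
        if r["event"] == "login_failed":
            failures[(r["user"], r["src"])].append(r["ts"])
    alerts = []
    for key, times in failures.items():
        times.sort()
        # sliding window anchored at each failure in turn
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                alerts.append(key)
                break
    return alerts


# Rule 3: multi-device rule -- logs from several devices that share one
# destination IP but carry different source IPs are treated as a possible DDoS.
def ddos_alerts(logs, min_sources=3):
    sources = defaultdict(set)
    for r in logs:
        if r["event"] == "conn":
            sources[r["dst"]].add(r["src"])
    return [dst for dst, srcs in sources.items() if len(srcs) >= min_sources]
```

Each rule returns its alerts as plain tuples so that a downstream stage (the security event generation described later in this document) can attach threat level and handling state to them.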
Advanced persistent threat attacks typically consist of multiple stages. One way of dividing the attack stages (the kill chain) is: reconnaissance and tracking, payload delivery, vulnerability exploitation, installation and implantation, command and control, and penetration and destruction.
Reconnaissance and tracking: the attacker learns about the target organization's personnel, IT architecture, defensive measures and so on through social networks, social engineering and other means; this is the "footprinting" stage before the attack. Common behavioral characteristics include port scans, network scans, system scans, vulnerability scans, SSH scans and so forth. The attacker collects information such as the target's network topology, IP distribution, network connection devices and server distribution through Google hacking, WHOIS, DNS queries and network topology scanners (such as SolarWinds).
Payload delivery: based on the reconnaissance results, malicious code targeting existing vulnerabilities of the target is purchased or written and tested for evasion to ensure the attack can bypass the target organization's existing protection system; a spear attack is then launched by means of phishing mail, phishing web pages, USB storage and the like to induce the target to click and download the prepared malicious code;
common signatures at this stage are: DOS Possible Memcached DDoS Amplification Query (set), VOIP REGISTER Message Flood UDP, VOIP INVITE Message Flood UDP, GPL VOIP SIP INVITE Message Flood, DOS Possible Sentinal LM Amplification attack (request) Inbound, DOS DNS Amplification Attack Inbound, DOS Possible NTP DDoS Inbound Frequent Unverified MON_LIST Requests IMPL 0x03, and so on.
Vulnerability exploitation: the malicious code is successfully implanted in the target's devices and systems, and higher execution privileges are obtained by exploiting vulnerabilities present in them. Common ways include brute-force cracking, spear-phishing attacks, watering-hole attacks, USB ferrying, and access to malicious links and malicious mail.
Installation and implantation: using the execution privileges obtained, the target device is made to download malware with richer functions, which is then installed and started.
Command and control: after the malware is launched, it actively establishes a connection to the command and control (C&C) server deployed remotely by the attacker and receives the control signaling sent by the C&C server. Common detections at this stage include DNS covert channel detection (baseline of legitimate DNS requests, frequency and regularity, information entropy and semantic recognition), abnormal privilege escalation, service monitoring and the like.
Penetration and destruction: the attacker uses the C&C server to control the target device to initiate further malicious behavior, such as scanning other intranet devices for vulnerabilities, compromising new targets, mining valuable data or exfiltrating stolen data. Common signatures at this stage include: TROJAN Windows executable base64 code, INFO suspected Mozilla user agent - possible fake (Mozilla/4.0), MALWARE suspected user agent, ET POLICY Win32/Sogou user agent (Sogou_UPDATER), MALWARE CNC Win.
The threat a device poses to the network differs by attack stage. As an example, when the attack behavior matches the last two stages (command and control or penetration and destruction), the device may be defined as lost, where its threat is greatest; a device matching the first two stages (reconnaissance and tracking or payload delivery) is relatively less threatening and is low suspicious; and a device matching the two intermediate stages (vulnerability exploitation and installation and implantation) mostly lies between low suspicious and lost and is defined as high suspicious. It should be noted that the attacking or attacked device here includes any network-accessible device, such as a server, router, switch or PC.
This embodiment of the security event processing method is one of the important components of a situation awareness product: analysis engines with different responsibilities analyse different types of data to generate security events of the corresponding level; risk hosts are then calculated by combining asset vulnerability data with the analysis center data; and analysis, display and the corresponding handling actions are then performed from the two perspectives of security events and risk hosts.
As shown in fig. 1, the network security event processing method mainly includes: calling different analysis engines to respectively process log data of different protocols or from different sources, and performing correlation analysis of the processing results with threat intelligence to generate security events; and determining the risk values of the hosts in the security events and executing a preset handling action of the corresponding level on each risk host whose risk value reaches a specific threshold.
The process of generating the security event according to S100 and S200 is as shown in fig. 2:
Security detection logs, security audit logs and network flow logs are acquired, third-party logs (from other network devices, security devices, operating systems and the like) are collected, and all are stored in Kafka message middleware. Whether the log data are in the global white list is judged; if so, processing ends, otherwise the next step is taken.
The Flink engine processes the data stream, which includes marking the data with a service label comprising the time, protocol, source (including the device IP), internal/external network and the like; whether the data are in the host detection white list is judged according to the service label; if so, processing ends, otherwise the next step is taken.
The log data are submitted to different analysis engines for behavior analysis according to their protocol and source; the behavior analysis specifically comprises security log analysis, DNS analysis, HTTP analysis, NetFlow analysis, mail analysis, AD domain analysis, SmbFlow analysis, file threat analysis and the like. It is then judged whether the IP, URL, domain name and MD5 value related to the analysis result are in the threat intelligence white list; if so, processing ends, otherwise correlation analysis is performed on the IP, URL, domain name and MD5 value and a security event is generated.
As a preferred embodiment, the correlation analysis between the log data processing result and threat intelligence specifically includes querying a threat intelligence library with the IP, URL, domain name or MD5 value from the log data and, if a match is found in the library, returning the corresponding intelligence type, attack stage and threat level.
In another preferred embodiment, the data processed by the Flink engine is stored as original log information.
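The event-generation pipeline of fig. 2 (global white list, service tagging, per-protocol analysis engine, threat intelligence white list, threat intelligence correlation) can be exercised end to end in a few dozen lines. The Python below is an added example and not the patent's implementation: Kafka and Flink are replaced by an in-memory list and a tagging function, each analysis engine is reduced to extracting the indicator it would correlate, and the address ranges, white lists, threat intelligence entries, record fields and the placeholder MD5 value are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space used for the internal/external service tag.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Global white list (e.g. an authorised scanner) and threat-intelligence
# white list; both constructed for this example.
GLOBAL_WHITELIST = {"10.0.0.250"}
INTEL_WHITELIST = {"update.example.net"}
# Constructed threat intelligence library:
# indicator -> (intelligence type, attack stage, threat level)
THREAT_INTEL = {
    "198.51.100.23": ("C&C server", "command and control", "high"),
    "evil.example.org": ("phishing domain", "payload delivery", "medium"),
    # placeholder MD5, not a real sample hash
    "ffffffffffffffffffffffffffffffff": ("malware sample", "installation and implantation", "high"),
}


@dataclass
class SecurityEvent:
    host: str          # internal host involved
    engine: str        # analysis engine that produced the hit
    indicator: str
    intel_type: str
    attack_stage: str
    threat_level: str


def is_internal(addr):
    try:
        return any(ip_address(addr) in net for net in INTERNAL_NETS)
    except ValueError:
        return False


def tag_service(raw):
    """Stand-in for the Flink service-tagging step: adds the internal/external label."""
    return {**raw, "internal": is_internal(raw["src"])}


# One minimal analysis engine per protocol; each returns the indicators to correlate.
ENGINES = {
    "dns": lambda r: [r["qname"]],
    "http": lambda r: [r["host"]],
    "netflow": lambda r: [r["dst"]],
    "file": lambda r: [r["md5"]],
}


def lookup_intel(indicator):
    """Correlation with the threat intelligence library; None when there is no match."""
    return THREAT_INTEL.get(indicator)


def generate_events(records):
    events = []
    for raw in records:
        if raw["src"] in GLOBAL_WHITELIST:          # global white list: discard
            continue
        rec = tag_service(raw)
        engine = ENGINES.get(rec["protocol"])       # dispatch by protocol/source
        if engine is None:
            continue
        for indicator in engine(rec):
            if indicator in INTEL_WHITELIST:        # intel white list: finish
                continue
            hit = lookup_intel(indicator)
            if hit is not None:
                events.append(SecurityEvent(rec["src"], rec["protocol"], indicator, *hit))
    return events


# Constructed input records standing in for messages read from Kafka.
SAMPLE_RECORDS = [
    {"protocol": "dns", "src": "10.0.0.5", "qname": "evil.example.org"},
    {"protocol": "dns", "src": "10.0.0.5", "qname": "update.example.net"},   # whitelisted indicator
    {"protocol": "netflow", "src": "10.0.0.7", "dst": "198.51.100.23"},
    {"protocol": "netflow", "src": "10.0.0.250", "dst": "198.51.100.23"},   # globally whitelisted source
    {"protocol": "file", "src": "10.0.0.9", "md5": "ffffffffffffffffffffffffffffffff"},
    {"protocol": "http", "src": "10.0.0.9", "host": "www.example.com"},     # no intelligence hit
]
```

The two white-list checks sit at the same points as in the description: the global list is consulted before any analysis, the intelligence list only after an engine has produced an indicator, so that a benign update domain is dropped without ever reaching the threat intelligence library.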
Calculating the risk value of a risk host specifically includes the following.
Host behavior characteristics are extracted from the log data and the attack stage the host has reached is determined; the later the attack stage, the higher the compromise level. External attack behavior characteristics are extracted from the log data and, with reference to threat intelligence, the greater the attack threat, the higher the host's threat level to the intranet. The more serious the vulnerability of the host as determined by vulnerability scanning, the higher the host's vulnerability level.
To determine the host risk value, it is first judged from the IP whether the host type is a server or a terminal, and:
if the host is a server, its risk value is determined according to its compromise level, its threat level to the intranet and its vulnerability level;
if the host is a terminal, its risk value is determined according to its compromise level, its threat level to the intranet and the threat level of files/mail.
As a preferred embodiment, the compromise level includes lost, high suspicious and low suspicious; the threat level includes high threat, medium threat and low threat; and the vulnerability level, used to evaluate the host's vulnerability, includes severe, high risk, medium risk, low risk and secure;
the host risk value is positively correlated with the compromise level; when the compromise levels are the same, the risk value is positively correlated with the threat level;
and when a server's compromise level is low suspicious, its risk value is ranked, from largest to smallest, in the order high threat, medium threat, low threat, severe or high-risk vulnerability, and medium-risk or low-risk vulnerability.
For example, tables 1 and 2 below show one way to calculate the risk value for the risk host.
TABLE 1 Calculation of risk values for servers

| Risk grade | Risk value | Condition |
| Lost | 10 | A lost (compromised) event with threat level high threat has occurred |
| Lost | 9 | A lost event with threat level medium threat has occurred |
| Lost | 8 | A lost event with threat level low threat has occurred |
| High risk | 7 | A high suspicious event with threat level high threat has occurred |
| High risk | 6 | A high suspicious event with threat level medium threat has occurred |
| High risk | 5 | A high suspicious event with threat level low threat has occurred |
| Medium risk | 4 | The host has suffered an external high-risk event |
| Low risk | 3 | A low suspicious event has occurred |
| Low risk | 2 | Vulnerability risks such as high-risk vulnerabilities, configuration risks, web plaintext transmission or weak passwords exist |
| Information | 1 | Only medium- and low-risk vulnerabilities exist |
TABLE 2 Calculation of risk values for terminals

| Risk grade | Risk value | Condition |
| Lost | 10 | A lost (compromised) event with threat level high threat has occurred |
| Lost | 9 | A lost event with threat level medium threat has occurred |
| Lost | 8 | A lost event with threat level low threat has occurred |
| High risk | 7 | A high suspicious event with threat level high threat has occurred |
| High risk | 6 | A high suspicious event with threat level medium threat has occurred |
| High risk | 5 | A high suspicious event with threat level low threat has occurred |
| Medium risk | 4 | The host is threatened by an external virus file or malicious mail |
| Low risk | 3 | A low suspicious event with threat level high threat has occurred |
| Low risk | 2 | A low suspicious event with threat level medium threat has occurred |
| Information | 1 | A low suspicious event with threat level low threat has occurred |
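Tables 1 and 2, together with the mapping of attack stage to compromise level given earlier in the description, can be encoded directly. The Python below is an added example, not the patent's implementation: the server/terminal split by IP range, the host field names and the sample hosts are assumptions, and where the two tables' wording is ambiguous the code follows the stated rule that risk rises with threat level when the compromise level is equal.

```python
from ipaddress import ip_address, ip_network

# Assumed server address range; every other address is treated as a terminal.
SERVER_NETS = [ip_network("10.1.0.0/16")]

# Attack stage -> compromise level, as given in the description of the kill chain.
STAGE_TO_COMPROMISE = {
    "reconnaissance and tracking": "low suspicious",
    "payload delivery": "low suspicious",
    "vulnerability exploitation": "high suspicious",
    "installation and implantation": "high suspicious",
    "command and control": "lost",
    "penetration and destruction": "lost",
}
COMPROMISE_ORDER = ["low suspicious", "high suspicious", "lost"]


def host_type(ip):
    return "server" if any(ip_address(ip) in n for n in SERVER_NETS) else "terminal"


def compromise_level(stages):
    """Highest compromise level over the attack stages observed for a host."""
    levels = [STAGE_TO_COMPROMISE[s] for s in stages]
    return max(levels, key=COMPROMISE_ORDER.index) if levels else None


def server_risk(host):
    """Table 1: rows are checked from the highest risk value downwards."""
    c, t = host["compromise"], host.get("threat")
    if c == "lost":
        return {"high": 10, "medium": 9, "low": 8}[t]
    if c == "high suspicious":
        return {"high": 7, "medium": 6, "low": 5}[t]
    if host.get("external_high_risk_event"):
        return 4
    if c == "low suspicious":
        return 3
    # vulnerability-only rows: high-risk vulnerabilities, configuration risks,
    # web plaintext transmission or weak passwords -> 2; only medium/low -> 1
    if host.get("vulnerability") in ("severe", "high risk") or host.get("config_risk"):
        return 2
    if host.get("vulnerability") in ("medium risk", "low risk"):
        return 1
    return 0


def terminal_risk(host):
    """Table 2: same top rows, then file/mail threat, then low suspicious by threat."""
    c, t = host["compromise"], host.get("threat")
    if c == "lost":
        return {"high": 10, "medium": 9, "low": 8}[t]
    if c == "high suspicious":
        return {"high": 7, "medium": 6, "low": 5}[t]
    if host.get("file_mail_threat"):
        return 4
    if c == "low suspicious":
        return {"high": 3, "medium": 2, "low": 1}[t]
    return 0


def risk_value(host):
    host = {**host, "compromise": compromise_level(host.get("stages", []))}
    return (server_risk if host_type(host["ip"]) == "server" else terminal_risk)(host)


def risk_grade(value):
    """Risk grade column shared by Tables 1 and 2."""
    if value >= 8:
        return "lost"
    if value >= 5:
        return "high risk"
    if value == 4:
        return "medium risk"
    if value >= 2:
        return "low risk"
    return "information" if value == 1 else "none"


# Constructed sample hosts (field names are assumptions).
SAMPLE_HOSTS = [
    {"ip": "10.1.0.10", "stages": ["payload delivery", "command and control"], "threat": "medium"},
    {"ip": "10.2.0.33", "stages": ["reconnaissance and tracking"], "threat": "high"},
    {"ip": "10.1.0.11", "stages": [], "vulnerability": "severe"},
    {"ip": "10.2.0.40", "stages": [], "file_mail_threat": True},
]
```

Taking the highest compromise level over all observed stages is what makes a host that was seen both at payload delivery and at command and control score as lost rather than low suspicious.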
As another embodiment, a risk rating of the security domain to which the host belongs may be determined according to the host risk values. Specifically, when a host with a given risk value appears, the corresponding points are deducted from the total score of the security domain until the deduction for that item reaches its upper limit, and the rating is determined from the remaining score of the security domain.
For example, the risk hosts of the whole network are rated by region, with a total score of 100 points divided into four ratings: excellent (91-100 points), good (81-90 points), medium (61-80 points) and poor (60 points and below). Table 3 shows one possible scoring criterion (the scoring rules may of course take other forms).
TABLE 3 Security domain scoring criteria

| Deduction item | Points deducted per host | Upper limit of deduction |
| Lost host | 10 | 100 |
| High-risk host | 3 | 39 |
| Medium-risk host | 2 | 19 |
| Low-risk host | 1 | 9 |
| Information host | 0.1 | 2 |
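The deduction scheme of Table 3 and the four-level rating above can be checked with the following Python, which is an added example rather than the patent's own code. The per-item caps and the rating bands are taken from the text; the two sample regions and their host populations are constructed, and the treatment of fractional scores that fall between two bands (assigned to the lower band) is an assumption.

```python
from collections import Counter

# Table 3: deduction item -> (points deducted per host, upper limit of deduction).
DEDUCTIONS = {
    "lost": (10, 100),
    "high risk": (3, 39),
    "medium risk": (2, 19),
    "low risk": (1, 9),
    "information": (0.1, 2),
}
TOTAL_SCORE = 100


def domain_score(host_grades):
    """Score of one security domain given the risk grade of each of its hosts.

    Each item is deducted once per host until that item's upper limit is
    reached; the score never drops below zero.
    """
    deducted = 0.0
    for grade, count in Counter(host_grades).items():
        points, cap = DEDUCTIONS[grade]
        deducted += min(points * count, cap)
    return round(max(TOTAL_SCORE - deducted, 0), 1)


def domain_rating(score):
    """Four-level rating by remaining score (91-100, 81-90, 61-80, <=60)."""
    if score > 90:
        return "excellent"
    if score > 80:
        return "good"
    if score > 60:
        return "medium"
    return "poor"


# Constructed example: two regions with differing host populations.
REGIONS = {
    "datacenter": ["lost"] + ["high risk"] * 15 + ["medium risk"] * 3
                  + ["low risk"] * 12 + ["information"] * 30,
    "office": ["high risk", "low risk", "information"],
}


def rate_regions(regions):
    """Region name -> (score, rating), the per-region ranking described above."""
    return {name: (domain_score(g), domain_rating(domain_score(g)))
            for name, g in regions.items()}
```

In the datacenter example the 15 high-risk hosts would cost 45 points but are capped at 39, and the 12 low-risk hosts at 9, so a single item cannot dominate the score except for lost hosts, whose cap of 100 can bring the domain to zero on its own.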
In addition, the security event processing method further comprises outputting a handling suggestion according to a risk analysis of the host; the risk analysis content comprises the host threat range, an attack timeline, attack chain tracing and the host access relation, wherein
the host threat range comprises attacks and abnormal accesses by the host against other hosts in the intranet, and the IPs and/or URLs the host has connected to from the intranet;
the attack timeline comprises the time points at which specific events are judged to have occurred: the point of compromise and the point of attack;
attack chain tracing comprises tracing the attack behavior against the risk host and distinguishing indirect and direct attack sources in the internal and external networks;
the host access relation comprises determining the host's lateral network access from the flow logs so as to determine the potential threat posed by the risk host;
the handling suggestion comprises a preset handling strategy executed manually or automatically, which comprises sending a notification, triggering device linkage and creating a handling work order.
Preferably, in the invention, the pre-screened security events are aggregated to obtain an aggregation list. The aggregation list includes public fields (compromise level, threat level, number of risk hosts and handling state) and aggregated event fields (risk host IP, host type, most recent occurrence time and handling state); if at least one event in an aggregate has not been handled, the handling state of the aggregate is unhandled. Statistical results and trends for events and for hosts are output separately from the information in the aggregation list.
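The aggregation list and the trend output just described can be built as follows. This is an added example, not the patent's code: the event field names, the use of ISO-8601 timestamps (which sort as strings) and the four constructed events are assumptions. The aggregate's handling state is derived exactly as stated above: a single unhandled event makes the whole aggregate unhandled.

```python
from collections import defaultdict

# Constructed pre-screened security events; field names are assumptions.
EVENTS = [
    {"compromise": "lost", "threat": "high", "host": "10.0.0.5", "host_type": "server",
     "time": "2024-01-01T10:07:00", "handled": True},
    {"compromise": "lost", "threat": "high", "host": "10.0.0.5", "host_type": "server",
     "time": "2024-01-02T09:00:00", "handled": False},
    {"compromise": "lost", "threat": "high", "host": "10.0.0.7", "host_type": "server",
     "time": "2024-01-02T11:00:00", "handled": True},
    {"compromise": "high suspicious", "threat": "medium", "host": "10.0.0.9",
     "host_type": "terminal", "time": "2024-01-01T12:00:00", "handled": True},
]


def aggregate(events):
    """Group events by (compromise level, threat level) into the aggregation list.

    Public fields: compromise, threat, host_count, handled.
    Aggregated event fields, one entry per risk host: ip, host_type,
    last_seen (most recent occurrence), handled.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["compromise"], e["threat"])].append(e)
    rows = []
    for (compromise, threat), group in groups.items():
        hosts = {}
        for e in group:
            h = hosts.setdefault(e["host"], {"ip": e["host"], "host_type": e["host_type"],
                                             "last_seen": e["time"], "handled": True})
            h["last_seen"] = max(h["last_seen"], e["time"])   # ISO timestamps sort lexically
            h["handled"] = h["handled"] and e["handled"]      # one unhandled event -> unhandled
        rows.append({
            "compromise": compromise,
            "threat": threat,
            "host_count": len(hosts),
            "handled": all(h["handled"] for h in hosts.values()),
            "hosts": list(hosts.values()),
        })
    return rows


def daily_trend(events):
    """Per-day (event count, distinct risk host count) for the trend output."""
    days = defaultdict(lambda: [0, set()])
    for e in events:
        day = e["time"][:10]
        days[day][0] += 1
        days[day][1].add(e["host"])
    return {day: (n, len(hosts)) for day, (n, hosts) in sorted(days.items())}
```

Keeping per-host state inside each aggregate is what lets the list show both that the lost/high-threat aggregate has two risk hosts and that only one of them still has unhandled events.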
The technical scheme is as follows: different types of log data are analysed by analysis engines with different responsibilities to generate corresponding security events; risk values of risk hosts are calculated according to the types of the hosts involved in the security events to determine their risk levels; the risk of each host is further analysed, and suggestions and information displays are output; and for each risk host the corresponding handling action is performed. The scheme has at least the following beneficial effects: systematic and comprehensive correlation analysis of log data from multiple sources to generate security events; and further risk analysis of the hosts in network security events, outputting more specific risk information and giving handling suggestions.
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by a program instructing associated hardware, and the program may be stored in a computer-readable storage medium, such as: ROM/RAM, magnetic disk, optical disk, etc.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.