CN112383503A - Network security event processing method - Google Patents


Info

Publication number: CN112383503A
Authority: CN (China)
Prior art keywords: host, risk, threat, analysis, security
Legal status: Pending
Application number: CN202010991945.XA
Other languages: Chinese (zh)
Inventors: 李福宜, 王平, 陈宏伟
Current Assignee: Xi'an Jiaotong University Jump Network Technology Co ltd
Original Assignee: Xi'an Jiaotong University Jump Network Technology Co ltd
Application filed by Xi'an Jiaotong University Jump Network Technology Co ltd
Priority to CN202010991945.XA
Publication of CN112383503A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities


Abstract

The invention discloses a method for processing network security events. Analysis engines with different responsibilities analyze different types of log data to generate corresponding security events; for each host involved in a security event, a risk value is calculated according to the host type to determine the host's risk level; the host's risk is analyzed further, and handling suggestions and information displays are output; and for each risk host, the corresponding handling action is performed. The technical scheme has at least the following beneficial effects: log data from multiple sources is subjected to systematic and comprehensive association analysis to generate security events; and the hosts involved in a network security event undergo further risk analysis, so that more specific risk information is output and finer-grained handling suggestions and handling actions are given.

Description

Network security event processing method
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method for processing a network security event.
Background
With technical progress the internet has penetrated every aspect of life, attack events increase year by year, and network security has gradually become a focus of society. A network security event is a situation in which, because of human factors or defects or faults in software and hardware, a potential hazard is created for an information system, or even the normal provision of its services is affected. Network security events generally have a negative impact on society, and once confirmed, certain measures must be taken.
In the prior art, on one hand, the basic information of security events lacks systematic and comprehensive analysis, and little attention is paid to the internal relevance between events; on the other hand, the handling of network security events mostly stops at the event itself: further analysis of event-related information is lacking, sufficient display information cannot be output, and handling measures of finer granularity cannot be made.
Disclosure of Invention
In view of the foregoing background, the present invention is directed to a method for processing security events that collects log information, obtains the security events present on hosts through big-data analysis, analyzes and discovers risky hosts, measures the risk level of each risky host, and further performs targeted handling actions. The specific technical solution is as follows.
A network security event processing method comprises the following steps: different analysis engines are called to process log data of different protocols or from different sources, and the processing results are correlated with threat intelligence to generate security events; the risk values of the hosts in the security events are determined, and preset handling actions of the corresponding level are executed on risk hosts that reach a specific risk value.
Determining the host risk value includes determining from its IP whether the host is a server or a terminal. If the host is a server, its risk value is determined from the compromise level of the host, the threat level of the host towards the intranet, and the vulnerability level of the host; if the host is a terminal, its risk value is determined from the compromise level of the host, the threat level of the host towards the intranet, and the threat level of files/mail.
Further, the risk rating of the security domain to which the host belongs is determined from the host risk values. Specifically, the correspondence between the security domain's rating and its score is specified, along with the points assigned to hosts of each risk value; whenever a host with a given risk value appears, its assigned points are deducted from the security domain's total, until the deduction reaches the upper limit for that item, and the rating is determined from the security domain's remaining score.
Preferably, the compromise level includes compromised, highly suspicious and low suspicious; the threat level includes high threat, medium threat and low threat; and the vulnerability level, used to evaluate how vulnerable the host is, includes severe, high risk, medium risk, low risk and safe;
the host risk value is positively correlated with the compromise level, and when the compromise levels are the same, the risk value is positively correlated with the threat level;
and when a server's compromise level is low suspicious, its risk value is determined, in order from largest to smallest, by: high threat, medium threat, low threat, severe or high-risk vulnerability, and medium-risk or low-risk vulnerability.
Preferably, host behavior characteristics are extracted from the log data to determine the attack stage the host is in: the later the attack stage, the higher the compromise level. External attack behavior characteristics are extracted from the log data and judged against threat intelligence: the larger the attack threat, the higher the host's threat level towards the intranet. The vulnerability level is determined from vulnerability scanning: the more serious the host's vulnerabilities, the higher its vulnerability risk.
In addition, the security event processing method further comprises outputting a handling suggestion according to the risk analysis of the host. The risk analysis content comprises the host threat range, the attack timeline, attack chain tracing and the host access relation, wherein:
the host threat range comprises attacks and abnormal accesses by the host against other hosts in the intranet, and the IPs and/or URLs the host has connected to from the intranet;
the attack timeline comprises the time points at which specific events are judged: the point of compromise and the point of attack;
attack chain tracing comprises tracing the attack behavior against the risk host, distinguishing indirect and direct attack sources from the internal network and the external network;
the host access relation comprises determining the host's lateral network access from flow logs, so as to determine the potential threat posed by the risk host;
the handling suggestion comprises a preset handling strategy executed manually or automatically, wherein the handling strategy comprises sending a notice, performing device linkage and creating a handling work order.
Preferably, in the present invention, the process of generating a security event includes: acquiring detection, audit and flow logs and collecting third-party logs; submitting the logs to different analysis engines for behavior analysis according to the protocol and source of the log data, wherein the behavior analysis comprises security log analysis, DNS analysis, HTTP analysis, NetFlow analysis, mail analysis, AD domain analysis, SmbFlow analysis and file threat analysis; judging whether the related IP, URL, domain name and file MD5 values are in the threat intelligence white list, and if so, finishing; otherwise, performing association analysis against threat intelligence and generating a security event.
Before behavior analysis is performed on a security detection log, it is judged whether the log belongs to the global white list; if so, it is discarded, otherwise it is marked with service attributes.
Preferably, in the present invention, the correlation analysis between the log data processing result and the threat intelligence information specifically includes: querying a threat intelligence library by the IP, URL, domain name or MD5 value in the log data, and, if a match is found, returning the corresponding intelligence type, attack stage and threat level.
Preferably, in the invention, the pre-screened security events are aggregated to obtain an aggregation list. The aggregation list includes: the compromise level, threat level, number of risk hosts and handling state in the public fields, and the risk host IP, host type, most recent occurrence time and handling state in the aggregated event fields; if any one of the events is unhandled, the aggregated handling state is unhandled. Statistical results and variation trends of events and hosts are output respectively from the information in the aggregation list.
The technical scheme of the invention is as follows: analysis engines with different responsibilities analyze different types of log data to generate corresponding security events, and a risk value is calculated according to host type for each host involved in a security event to determine its risk level; the host's risk is analyzed further, and handling suggestions and information displays are output; and for each risk host, the corresponding handling action is performed. The technical scheme has at least the following beneficial effects: log data from multiple sources is subjected to systematic and comprehensive association analysis to generate security events; and the hosts involved in a network security event undergo further risk analysis, so that more specific risk information is output and finer-grained handling suggestions and handling actions are given.
Drawings
FIG. 1 is a schematic diagram of the overall working flow of an embodiment of the network security event processing method according to the present invention;
FIG. 2 is a schematic diagram of the security event generation process in FIG. 1.
Detailed Description
The technical solution of the present invention will be described in detail below with reference to the accompanying drawings and examples.
To facilitate understanding of the embodiments of the present invention, related art terminology and the background are briefly described.
Traditional security defense, based mainly on IDS, firewalls, VDS and other single-point defenses, in effect divides network security into isolated security islands that lack mutual correlation and cooperation. A network security situation awareness product analyzes the network security situation and predicts network security trends by acquiring, extracting and fusing the network environment elements that can cause the security state and trend of a large-scale network to change (such as assets, network traffic, operating states, device alarms, vulnerabilities, security events, threat intelligence and other data) and applying analysis techniques such as data mining, so as to assist emergency response and security decision-making.
A network security event is a situation in which, because of human factors or defects or faults in software and hardware, a potential hazard is created for an information system, or even the normal provision of its services is affected.
Threat intelligence is evidence-based knowledge comprising context, attack mechanisms, indicators, implications and actionable advice. It describes existing or imminent threats or dangers to an asset and can be used to notify a subject to take some response to the threat or danger; it is intended to give the entity facing the threat (typically the enterprise or organization that owns the asset) comprehensive and accurate knowledge and information on which it can act and decide.
Vulnerabilities: weaknesses of an asset or group of assets that may be exploited, including software vulnerabilities, insecure configurations and the like.
Network traffic: the collection of data packets generated on the network by the devices connected to it (including network devices, security devices, servers and so on).
Association analysis is a rule by which the user defines, according to the actual environment, the relationships between various security events (log information, alarm information and the like) in terms of occurrence order, after-the-fact impact and so on, and then makes a preventive response according to a known situation. Some example association analysis rules: taking part of the content of a single log as alarm information, e.g. logins, startups and shutdowns appearing in the log; the frequency of special events per unit time, e.g. three user password errors within one minute in the log may indicate that the password is being brute-forced; and correlation across the logs of multiple devices, e.g. many log entries sharing one IP address but arriving from different IP addresses can be taken as a DDoS attack.
Advanced persistent threat attacks are typically composed of multiple stages. For example, one division of the attack stages (the attack chain) is: reconnaissance and tracking, payload delivery, exploitation, installation and implantation, command and control, and penetration and damage.
Reconnaissance and tracking: the attacker learns the personnel, IT architecture, defensive measures and so on of the target organization through social networks, social engineering and similar means; this is the "casing" stage before the attack. Common behavioral characteristics include port scans, network scans, system scans, vulnerability scans, SSH scans and so forth. The attacker collects information such as the target's network topology, IP distribution, network connection equipment and server distribution through Google Hacking, WHOIS, DNS queries and network topology scanners (such as SolarWinds).
Payload delivery: based on the reconnaissance results, the attacker buys or writes malicious code aimed at existing vulnerabilities of the target and tests its evasion to make sure it can bypass the target organization's existing protection; the attacker then launches a spear attack by phishing mails, phishing web pages, USB storage and the like, inducing the target to click and download the prepared malicious code.
Common detection signatures for this stage include: DOS possible Memcached DDoS amplification query (set), VOIP REGISTER message flood UDP, VOIP INVITE message flood UDP, GPL VOIP SIP INVITE message flood, DOS possible Sentinal LM amplification attack (request) inbound, DOS DNS amplification attack inbound, DOS possible NTP DDoS inbound frequent unverified MON_LIST requests IMPL 0x03, and so on.
Exploitation: the malicious code is successfully implanted into the target's devices and systems, and higher execution privileges are obtained by exploiting vulnerabilities in the target devices and systems. Common ways include brute-force cracking, spear phishing, watering-hole attacks, USB ferrying, and access to malicious links and malicious mails.
Installation and implantation: using the execution privileges obtained, the attacker has the target device download malware with richer functions, then installs and starts it.
Command and control: after the malware starts, it actively establishes a connection to the command and control (C&C) server deployed remotely by the attacker and receives the control signaling the C&C server sends. Common detections include DNS covert channel detection (baseline of legitimate DNS requests, frequency and rules, information entropy and semantic identification), abnormal privilege escalation, service monitoring and so on.
Penetration and damage: through the C&C server the attacker controls the target device to launch further malicious behavior, such as scanning other intranet devices for vulnerabilities, intruding into new targets, mining valuable data or exfiltrating stolen data. Common detection signatures for this stage include: TROJAN Windows executable base64 code, INFO suspected Mozilla user agent - possible fake (Mozilla/4.0), malline suspected user agent, etpoliwin 32/Sogou user agent (Sogou_UPDATER), malline-CNC win.
In different attack stages the threat a device poses to the network differs. As an example, when the attack behavior matches the last two stages (i.e. "command and control" or "penetration and damage"), the device may be defined as compromised, where it poses the greater threat; devices matching the first two stages (i.e. "reconnaissance and tracking" or "payload delivery") are relatively less threatening and are low suspicious; and devices matching the two intermediate stages (i.e. "exploitation" and "installation and implantation") lie mostly between low suspicious and compromised and are defined as highly suspicious. Note that the attacking or attacked devices mentioned above include all kinds of network-accessible devices such as servers, routers, switches and PCs.
The embodiment of the security event processing method is one of the important components of a situation awareness product: analysis engines with different responsibilities analyze different types of data to generate security events of corresponding levels; risk hosts are then calculated by combining asset vulnerabilities and analysis center data; and analysis displays and corresponding handling behaviors are performed from the two perspectives of security events and risk hosts.
As shown in FIG. 1, the network security event processing method mainly includes: different analysis engines are called to process log data of different protocols or from different sources, and the processing results are correlated with threat intelligence to generate security events; the risk values of the hosts in the security events are determined, and preset handling actions of the corresponding level are executed on risk hosts that reach a specific risk value.
The process of generating the security event according to S100 and S200 is as shown in fig. 2:
A security detection log, a security audit log and a network flow log are acquired, third-party logs (for example from other network devices, security devices, operating system logs and the like) are collected, and all of them are stored in Kafka message middleware; it is judged whether the log data are in the global white list, and if so, processing ends; otherwise, proceed to the next step.
The Flink engine processes the data stream, including marking each record with service labels comprising time, protocol, source (including device IP), internal/external network and the like; according to the service labels it is judged whether the record is in the host detection white list, and if so, processing ends; otherwise, proceed to the next step.
According to the protocol and source of the log data, the data are submitted to different analysis engines for behavior analysis, which specifically comprises security log analysis, DNS analysis, HTTP analysis, NetFlow analysis, mail analysis, AD domain analysis, SmbFlow analysis, file threat analysis and the like. It is then judged whether the IP, URL, domain name and MD5 value involved in the analysis result are in the threat intelligence white list; if so, processing ends; otherwise, correlation analysis is performed on the IP, URL, domain name and MD5 value and a security event is generated.
As a preferred embodiment, the correlation analysis between the log data processing result and the threat intelligence information specifically includes: querying a threat intelligence library by the IP, URL, domain name or MD5 value in the log data, and, if a match is found, returning the corresponding intelligence type, attack stage and threat level.
In another preferred embodiment, the data processed by the Flink engine is stored as original log information.
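The FIG. 2 flow above (global white list, service labelling, host detection white list, per-protocol engine, intelligence white list, intelligence library lookup) as an added Python sketch; this is not the patent's or the product's code. The white lists, engines, the intelligence table and the sample log records are constructed stand-ins (a deployment would back them with Kafka/Flink and a real intelligence library), and the MD5 value is a placeholder.

```python
"""Simplified security-event generation flow following FIG. 2 (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed white lists: step 1 (global), step 2 (host detection), step 4 (intel).
GLOBAL_WHITELIST = {"10.0.0.250"}            # e.g. the organisation's own scanner
HOST_DETECT_WHITELIST = {"10.0.0.5"}         # hosts excluded from host detection
INTEL_WHITELIST = {"update.vendor.invalid"}  # indicators known to be benign

# Constructed threat-intelligence library keyed by IP / URL / domain / MD5.
# Value: (intelligence type, attack stage, threat level), as the patent returns.
THREAT_INTEL: Dict[str, tuple] = {
    "203.0.113.7": ("C&C server", "command and control", "high"),
    "bad.example.invalid": ("phishing domain", "payload delivery", "medium"),
    "00112233445566778899aabbccddeeff": ("malicious file", "installation", "high"),  # placeholder hash
}


@dataclass
class LogRecord:
    protocol: str               # dns / http / netflow / file / mail / ...
    host_ip: str                # intranet host the record is about
    source: str                 # producing device: ids, firewall, sandbox, ...
    indicators: Dict[str, str]  # ip / url / domain / md5 pulled from the raw log
    labels: Dict[str, str] = field(default_factory=dict)


@dataclass
class SecurityEvent:
    host: str
    engine: str
    indicator: str
    intel_type: str
    attack_stage: str
    threat_level: str


# Per-protocol analysis engines (step 3). Each returns the indicators to check
# against threat intelligence; real engines would also run behaviour analysis.
def dns_engine(rec: LogRecord) -> List[str]:
    return [rec.indicators.get("domain", "")]

def http_engine(rec: LogRecord) -> List[str]:
    return [rec.indicators.get("url", ""), rec.indicators.get("domain", "")]

def netflow_engine(rec: LogRecord) -> List[str]:
    return [rec.indicators.get("dst_ip", "")]

def file_engine(rec: LogRecord) -> List[str]:
    return [rec.indicators.get("md5", "").lower()]   # normalise hash case

ENGINES: Dict[str, Callable[[LogRecord], List[str]]] = {
    "dns": dns_engine, "http": http_engine, "netflow": netflow_engine, "file": file_engine,
}


def tag_service_labels(rec: LogRecord) -> LogRecord:
    """Step 2: the stream stage marks protocol, source, IP and intranet/extranet."""
    zone = "intranet" if ipaddress.ip_address(rec.host_ip).is_private else "extranet"
    rec.labels = {"protocol": rec.protocol, "source": rec.source,
                  "ip": rec.host_ip, "zone": zone}
    return rec


def process_log(rec: LogRecord) -> List[SecurityEvent]:
    """Run one record through the FIG. 2 flow; returns zero or more events."""
    if rec.host_ip in GLOBAL_WHITELIST:            # step 1: global white list -> end
        return []
    tag_service_labels(rec)
    if rec.labels["ip"] in HOST_DETECT_WHITELIST:  # step 2: host detection white list
        return []
    engine = ENGINES.get(rec.protocol)             # step 3: dispatch by protocol/source
    if engine is None:
        return []
    events: List[SecurityEvent] = []
    for indicator in engine(rec):
        if not indicator or indicator in INTEL_WHITELIST:
            continue                               # step 4a: intel white list -> end
        hit = THREAT_INTEL.get(indicator)          # step 4b: correlate with intel library
        if hit is not None:
            events.append(SecurityEvent(rec.host_ip, rec.protocol, indicator, *hit))
    return events


def run_sample() -> List[SecurityEvent]:
    """Constructed sample records exercising every exit of the flow."""
    sample = [
        LogRecord("dns", "10.0.0.12", "ids", {"domain": "bad.example.invalid"}),
        LogRecord("http", "10.0.0.5", "proxy", {"domain": "bad.example.invalid"}),     # host white list
        LogRecord("netflow", "10.0.0.250", "firewall", {"dst_ip": "203.0.113.7"}),    # global white list
        LogRecord("dns", "10.0.0.12", "ids", {"domain": "update.vendor.invalid"}),    # intel white list
        LogRecord("file", "10.0.0.33", "sandbox", {"md5": "00112233445566778899AABBCCDDEEFF"}),
        LogRecord("netflow", "10.0.0.40", "firewall", {"dst_ip": "203.0.113.7"}),
    ]
    return [ev for rec in sample for ev in process_log(rec)]
```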
Calculating the risk value of a risk host specifically includes the following:
host behavior characteristics are extracted from the log data to determine the attack stage the host is in, and the later the attack stage, the higher the compromise level; external attack behavior characteristics are extracted from the log data and judged against threat intelligence, and the larger the attack threat, the higher the host's threat level towards the intranet; the vulnerability level is determined from vulnerability scanning, and the more serious the host's vulnerabilities, the higher its vulnerability risk.
To determine the host risk value, it is first judged from the IP whether the host type is server or terminal, and,
if the host is a server: the risk value of the host is determined from the compromise level of the host, the threat level of the host towards the intranet and the vulnerability level of the host;
if the host is a terminal: the risk value of the host is determined from the compromise level of the host, the threat level of the host towards the intranet and the threat level of files/mail.
As a preferred embodiment, the compromise level includes compromised, highly suspicious and low suspicious; the threat level includes high threat, medium threat and low threat; and the vulnerability level, used to evaluate how vulnerable the host is, includes severe, high risk, medium risk, low risk and safe;
the host risk value is positively correlated with the compromise level, and when the compromise levels are the same, the risk value is positively correlated with the threat level;
and when a server's compromise level is low suspicious, its risk value is determined, in order from largest to smallest, by: high threat, medium threat, low threat, severe or high-risk vulnerability, and medium-risk or low-risk vulnerability.
For example, Tables 1 and 2 below show one way to calculate the risk value of a risk host.
TABLE 1 Calculation of risk values for servers
Risk level | Value | Condition
Compromised | 10 | A compromised event with threat level high threat occurred
Compromised | 9 | A compromised event with threat level medium threat occurred
Compromised | 8 | A compromised event with threat level low threat occurred
High risk | 7 | A highly suspicious event with threat level high threat occurred
High risk | 6 | A highly suspicious event with threat level medium threat occurred
High risk | 5 | A highly suspicious event with threat level low threat occurred
Medium risk | 4 | Subjected to an external high-risk event
Low risk | 3 | A low suspicious event occurred
Low risk | 2 | Vulnerability risks such as high-risk vulnerabilities, configuration risks, web plaintext transmission or weak passwords exist
Informational | 1 | Only medium/low-risk vulnerabilities exist
TABLE 2 Calculation of risk values for terminals
Risk level | Value | Condition
Compromised | 10 | A compromised event with threat level high threat occurred
Compromised | 9 | A compromised event with threat level medium threat occurred
Compromised | 8 | A compromised event with threat level low threat occurred
High risk | 7 | A highly suspicious event with threat level high threat occurred
High risk | 6 | A highly suspicious event with threat level medium threat occurred
High risk | 5 | A highly suspicious event with threat level low threat occurred
Medium risk | 4 | Threatened by external virus files or malicious mails
Low risk | 3 | A low suspicious event with threat level high threat occurred
Low risk | 2 | A low suspicious event with threat level medium threat occurred
Informational | 1 | A low suspicious event with threat level low threat occurred
As another embodiment, the risk rating of the security domain to which a host belongs may be determined from the host risk values. Specifically: when a host with a specific risk value appears, the corresponding points are deducted from the security domain's total points, until the deduction reaches its upper limit, and the grade is determined from the security domain's remaining points.
For example, the risk hosts of the whole network are rated by region and divided into 4 grades: excellent (91-100 points), good (81-90 points), medium (61-80 points) and poor (60 points and below), with a total of 100 points. Table 3 shows one scoring criterion (the scoring rules could of course take other forms).
TABLE 3 Security domain scoring criteria
Deduction item | Points deducted per host | Deduction cap
Compromised host | 10 | 100
High-risk host | 3 | 39
Medium-risk host | 2 | 19
Low-risk host | 1 | 9
Informational host | 0.1 | 2
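Tables 1 to 3 as an added Python example (not the patent's own code): the server and terminal risk values, the mapping of a risk value back to its risk level, and the security-domain score with the per-item deduction caps and the four rating bands. The enum and function names, and the treatment of "no event" as a missing compromise level, are my assumptions.

```python
"""Host risk value and security-domain scoring per Tables 1-3 (added example)."""
from enum import IntEnum
from typing import Iterable, Optional


class Compromise(IntEnum):
    """Compromise level of a host, ordered as on the page."""
    LOW_SUSPICIOUS = 1
    HIGH_SUSPICIOUS = 2
    COMPROMISED = 3


class Threat(IntEnum):
    """Threat level towards the intranet (or of a file/mail)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Vuln(IntEnum):
    """Vulnerability level from vulnerability scanning."""
    SAFE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SEVERE = 4


def server_risk(compromise: Optional[Compromise], threat: Optional[Threat],
                vuln: Vuln = Vuln.SAFE, external_high_risk_event: bool = False) -> int:
    """Table 1. compromise/threat are None when no event involves the host (assumption).
    Risk rises with compromise level and, within one level, with threat level."""
    threat = threat or Threat.LOW
    if compromise == Compromise.COMPROMISED:
        return 7 + threat                 # 8, 9, 10
    if compromise == Compromise.HIGH_SUSPICIOUS:
        return 4 + threat                 # 5, 6, 7
    if external_high_risk_event:
        return 4                          # medium risk: hit by an external high-risk event
    if compromise == Compromise.LOW_SUSPICIOUS:
        return 3
    if vuln >= Vuln.HIGH:
        return 2                          # high-risk vulnerability / config risk / weak password
    if vuln > Vuln.SAFE:
        return 1                          # only medium/low-risk vulnerabilities
    return 0


def terminal_risk(compromise: Optional[Compromise], threat: Optional[Threat],
                  malicious_file_or_mail: bool = False) -> int:
    """Table 2: like Table 1, but the medium band is driven by files/mail and
    the low band is graded by threat level."""
    threat = threat or Threat.LOW
    if compromise == Compromise.COMPROMISED:
        return 7 + threat
    if compromise == Compromise.HIGH_SUSPICIOUS:
        return 4 + threat
    if malicious_file_or_mail:
        return 4
    if compromise == Compromise.LOW_SUSPICIOUS:
        return int(threat)                # 3, 2, 1
    return 0


def risk_grade(value: int) -> str:
    """Map a risk value (0-10) back to the level names of Tables 1-3."""
    if value >= 8:
        return "compromised"
    if value >= 5:
        return "high"
    if value == 4:
        return "medium"
    if value >= 2:
        return "low"
    return "info" if value == 1 else "none"


# Table 3: (points deducted per host, deduction cap for that item)
DEDUCTIONS = {"compromised": (10, 100), "high": (3, 39), "medium": (2, 19),
              "low": (1, 9), "info": (0.1, 2)}


def domain_score(risk_values: Iterable[int]) -> float:
    """Start from 100 points and deduct per host, capping each item separately."""
    counts: dict = {}
    for v in risk_values:
        g = risk_grade(v)
        if g in DEDUCTIONS:
            counts[g] = counts.get(g, 0) + 1
    total = 0.0
    for g, n in counts.items():
        per_host, cap = DEDUCTIONS[g]
        total += min(per_host * n, cap)
    return round(max(0.0, 100 - total), 1)


def domain_rating(score: float) -> str:
    """Four bands from the page: 91-100, 81-90, 61-80, 60 and below."""
    if score >= 91:
        return "excellent"
    if score >= 81:
        return "good"
    if score >= 61:
        return "medium"
    return "poor"
```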
In addition, the security event processing method further comprises outputting a handling suggestion according to the risk analysis of the host. The risk analysis content comprises the host threat range, the attack timeline, attack chain tracing and the host access relation, wherein:
the host threat range comprises attacks and abnormal accesses by the host against other hosts in the intranet, and the IPs and/or URLs the host has connected to from the intranet;
the attack timeline comprises the time points at which specific events are judged: the point of compromise and the point of attack;
attack chain tracing comprises tracing the attack behavior against the risk host, distinguishing indirect and direct attack sources from the internal network and the external network;
the host access relation comprises determining the host's lateral network access from flow logs, so as to determine the potential threat posed by the risk host;
the handling suggestion comprises a preset handling strategy executed manually or automatically, comprising sending a notice, performing device linkage and creating a handling work order.
Preferably, in the invention, the pre-screened security events are aggregated to obtain an aggregation list. The aggregation list includes: the compromise level, threat level, number of risk hosts and handling state in the public fields, and the risk host IP, host type, most recent occurrence time and handling state in the aggregated event fields; if any one of the events is unhandled, the aggregated handling state is unhandled. Statistical results and variation trends of events and hosts are output respectively from the information in the aggregation list.
The technical scheme is as follows: analysis engines with different responsibilities analyze different types of log data to generate corresponding security events, and a risk value is calculated according to host type for each host involved in a security event to determine its risk level; the host's risk is analyzed further, and handling suggestions and information displays are output; and for each risk host, the corresponding handling action is performed. The technical scheme has at least the following beneficial effects: log data from multiple sources is subjected to systematic and comprehensive association analysis to generate security events; and the hosts involved in a network security event undergo further risk analysis, so that more specific risk information is output and handling suggestions are given.
It will be understood by those skilled in the art that all or part of the steps in the method for implementing the above embodiments may be implemented by a program instructing associated hardware, and the program may be stored in a computer-readable storage medium, such as: ROM/RAM, magnetic disk, optical disk, etc.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network security event processing method is characterized by comprising the following steps:
calling different analysis engines to process, respectively, log data of different protocols or from different sources, and performing correlation analysis of the processing results against threat intelligence to generate security events; determining the risk value of each host involved in a security event, and executing a preset disposal action of the corresponding level on risk hosts whose risk value reaches a specified threshold.
2. The security event processing method of claim 1, wherein determining the host risk value comprises determining from the IP address whether the host is a server or a terminal, and,
if the host is a server: determining the risk value of the host from the compromise level of the host, the threat level the host poses to the intranet, and the vulnerability level of the host;
if the host is a terminal: determining the risk value of the host from the compromise level of the host, the threat level the host poses to the intranet, and the file/mail threat level.
3. The security event processing method according to claim 2, wherein the risk rating of the security domain to which the host belongs is determined from the host risk values; specifically, a correspondence between security-domain rating and score is defined, together with the points deducted for hosts of each risk value; whenever a host with a given risk value appears, the corresponding points are deducted from the security domain's total score, until the cumulative deduction reaches an upper limit; the rating is then determined from the security domain's remaining score.
4. The security event processing method of claim 2, wherein the compromise level takes the values compromised, high suspicion and low suspicion; the threat level takes the values high threat, medium threat and low threat; and the vulnerability level, used to evaluate the host's vulnerability exposure, takes the values critical, high risk, medium risk, low risk and safe;
the host risk value is positively correlated with the compromise level, and for equal compromise levels the risk value is positively correlated with the threat level;
and when a server's compromise level is low suspicion, its risk value is ordered from highest to lowest as: high threat, medium threat, low threat, critical or high-risk vulnerability, medium- or low-risk vulnerability.
5. The security event processing method according to any one of claims 1 to 4,
host behaviour characteristics are extracted from the log data to determine the attack stage the host has reached, where the later the attack stage, the higher the compromise level;
external attack behaviour characteristics are extracted from the log data and judged against threat intelligence, where the greater the attack threat, the higher the threat level the host poses to the intranet;
and the more severe the vulnerabilities found by vulnerability scanning, the higher the host's vulnerability level.
6. The security event processing method of claim 1, further comprising outputting a disposal suggestion according to a risk analysis of the host; the risk analysis comprises a host threat range, an attack timeline, attack chain tracing and a host access relation, wherein
the host threat range comprises the host's attacks on and abnormal access to other hosts in the intranet, and the IPs and/or URLs the host has connected to outside the intranet;
the attack timeline comprises the points in time at which specific events were determined;
attack chain tracing comprises tracing the attack behaviour directed at the risk host and distinguishing direct from indirect attack sources, whether on the intranet or on the external network;
the host access relation comprises determining the lateral network access of the host from the traffic logs, so as to establish the potential threat the risk host poses;
and the disposal suggestion comprises a preset disposal strategy, executed manually or automatically, which includes sending a notification, performing device linkage and creating a disposal work order.
7. The security event processing method of claim 1, wherein generating a security event comprises: acquiring detection, audit and traffic logs and collecting third-party logs; submitting the logs, according to their protocol and source, to different analysis engines for behaviour analysis, the behaviour analysis comprising security log analysis, DNS analysis, HTTP analysis, NetFlow analysis, mail analysis, AD domain analysis, SmbFlow analysis and file threat analysis; judging whether the IP, URL, domain name or file MD5 value involved is on the threat intelligence whitelist, and if so, stopping; otherwise performing correlation analysis against threat intelligence and generating a security event;
and, before behaviour analysis of a security monitoring log, judging whether the log matches the global whitelist; if so, discarding it, otherwise tagging it with its service attribute.
8. The security event processing method of claim 7, wherein the correlation analysis against threat intelligence specifically comprises: querying the threat intelligence library with the IP, URL, domain name or MD5 value from the log data and, if a match is found, returning the corresponding intelligence type, attack stage and threat level.
9. The security event processing method according to claim 7 or 8, wherein the pre-screened security events are aggregated into an aggregation list;
the aggregation list comprises public fields: compromise level, threat level, number of risk hosts, handling state; and aggregated event fields: risk host IP, host type, latest occurrence time, handling state; and if at least one event in an aggregate is unhandled, the handling state of the aggregate is "unhandled".
10. The security event processing method of claim 9, wherein the statistical results and the variation trends of the event and the host are output according to the information of the aggregation list.
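The event-generation pipeline of claims 7 and 8 (dispatch of each log to the engine for its protocol or source, the global whitelist, the threat-intelligence whitelist, and the intelligence lookup that returns intelligence type, attack stage and threat level), as an added illustration by the editor. It is not code from the patent or its applicant. The `PROTO key=value` log format, the whitelist contents, the intelligence table and the sample log lines are all constructed for the example; only four of the engines named in claim 7 are sketched.

```python
"""Security-event generation following claims 7 and 8 (editor's example, not the patent's code).

Assumptions: a constructed 'PROTO k=v k=v' log format, constructed whitelists and a
constructed threat-intelligence table. Real deployments would replace all three.
"""
from dataclasses import dataclass

# Global whitelist (claim 7): logs whose source host matches are discarded before analysis.
GLOBAL_WHITELIST = {"10.0.0.53"}                  # assumption: the internal DNS resolver

# Threat-intelligence whitelist (claim 7): benign indicators never raise an event.
INTEL_WHITELIST = {"update.example.com"}          # assumption

# Threat-intelligence library (claim 8): indicator -> (intelligence type, attack stage, threat level)
THREAT_INTEL = {
    "evil.example": ("c2_domain", "command_and_control", "high"),
    "203.0.113.7": ("scanner", "reconnaissance", "low"),
    # MD5 of the EICAR test file, used here as a stand-in for a malware hash
    "44d88612fea8a8f36de82e1278abb02f": ("malware", "installation", "high"),
}


@dataclass
class SecurityEvent:
    host_ip: str
    source: str          # which engine produced it (log protocol/source)
    indicator: str       # IP, URL/domain or MD5 that matched intelligence
    intel_type: str
    attack_stage: str
    threat_level: str


def _fields(line: str) -> dict:
    """Parse the constructed 'PROTO k=v k=v ...' format into a dict (header token dropped)."""
    return dict(token.split("=", 1) for token in line.split()[1:])


# One engine per protocol/source (claim 7). Each returns (host_ip, indicator) pairs.
def dns_engine(line):      # e.g. "DNS src=10.0.1.5 qname=evil.example"
    f = _fields(line)
    return [(f["src"], f["qname"])]


def http_engine(line):     # e.g. "HTTP src=10.0.1.5 host=update.example.com"
    f = _fields(line)
    return [(f["src"], f["host"])]


def netflow_engine(line):  # e.g. "NETFLOW src=10.0.1.5 dst=203.0.113.7"
    f = _fields(line)
    return [(f["src"], f["dst"])]


def file_engine(line):     # e.g. "FILE host=10.0.1.5 md5=<hex>"
    f = _fields(line)
    return [(f["host"], f["md5"].lower())]


ENGINES = {"DNS": dns_engine, "HTTP": http_engine, "NETFLOW": netflow_engine, "FILE": file_engine}


def process_log(line: str) -> list:
    """Dispatch one log line by its protocol, apply both whitelists, correlate with intelligence."""
    proto = line.split()[0]
    engine = ENGINES.get(proto)
    if engine is None:                    # no engine for this protocol/source: nothing to analyse
        return []
    events = []
    for host_ip, indicator in engine(line):
        if host_ip in GLOBAL_WHITELIST:   # global whitelist: discard before behaviour analysis
            continue
        if indicator in INTEL_WHITELIST:  # intelligence whitelist: benign indicator, stop here
            continue
        hit = THREAT_INTEL.get(indicator)  # claim 8: query the intelligence library
        if hit is None:
            continue
        intel_type, stage, level = hit
        events.append(SecurityEvent(host_ip, proto, indicator, intel_type, stage, level))
    return events


SAMPLE_LOGS = [  # constructed sample input
    "DNS src=10.0.1.5 qname=evil.example",
    "DNS src=10.0.0.53 qname=evil.example",            # resolver itself: global whitelist
    "HTTP src=192.168.1.20 host=update.example.com",   # intelligence whitelist
    "NETFLOW src=192.168.1.20 dst=203.0.113.7",
    "FILE host=192.168.1.21 md5=44D88612FEA8A8F36DE82E1278ABB02F",
    "SYSLOG no engine registered for this source",
]


def run(lines=SAMPLE_LOGS) -> list:
    return [event for line in lines for event in process_log(line)]


if __name__ == "__main__":
    for ev in run():
        print(ev)
```

Of the six constructed lines, three yield events; the resolver's own DNS log and the whitelisted update host are dropped before any intelligence lookup, and the unregistered source is ignored.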
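Host risk value and security-domain rating following claims 2 to 5, as an added illustration by the editor; it is not code from the patent or its applicant. The claims only fix orderings (risk rises with compromise level, then with threat level, and the specific sequence for a low-suspicion server), so the numeric scale, the server subnet used to classify hosts by IP, the per-host deduction table and the rating thresholds are assumptions chosen here. "Compromise level" is the term used for what the machine translation elsewhere on this page renders as collapse, failure or defect level.

```python
"""Host risk value (claims 2, 4, 5) and security-domain rating (claim 3).

Editor's example, not the patent's code. The scale, subnet, deduction table and
rating thresholds are assumptions; only the orderings come from the claims.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Levels named in claim 4 (translated), lowest to highest.
COMPROMISE = {"none": 0, "low_suspicion": 1, "high_suspicion": 2, "compromised": 3}
THREAT = {"none": 0, "low": 1, "medium": 2, "high": 3}
VULN = {"safe": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

SERVER_NETS = [ip_network("10.0.0.0/16")]   # assumption: the server segment


def host_type(ip: str) -> str:
    """Claim 2: classify a host as server or terminal from its IP address."""
    addr = ip_address(ip)
    return "server" if any(addr in net for net in SERVER_NETS) else "terminal"


@dataclass
class HostFacts:
    ip: str
    compromise: str                  # from the attack stage reached (claim 5)
    threat: str = "none"             # threat the host poses to the intranet (claim 5)
    vuln: str = "safe"               # from vulnerability scanning; used for servers
    file_mail_threat: str = "none"   # file/mail threat level; used for terminals


def risk_value(h: HostFacts) -> int:
    """Compose the three factors of claim 2 so that the orderings of claim 4 hold.

    Compromise level dominates, then threat level, then the third factor. For a
    server at low suspicion this yields exactly the claim 4 sequence
    high > medium > low threat > critical/high vulnerability > medium/low vulnerability,
    because the third factor only breaks ties at threat "none" and critical/high
    vulnerabilities are bucketed together above medium/low ones.
    """
    if host_type(h.ip) == "server":
        v = VULN[h.vuln]
        third = 2 if v >= VULN["high"] else 1 if v >= VULN["low"] else 0
    else:
        third = THREAT[h.file_mail_threat]
    return 100 * COMPROMISE[h.compromise] + 10 * THREAT[h.threat] + third


# Claim 3: each risk host deducts points from the domain's full score until the
# cumulative deduction reaches a cap; the rating follows the remaining score.
DOMAIN_FULL_SCORE = 100
DEDUCTION_CAP = 100
DEDUCTIONS = [(300, 30), (200, 15), (100, 5)]          # (minimum risk value, points), assumption
RATINGS = [(90, "safe"), (70, "low"), (40, "medium")]  # (minimum remaining score, rating), assumption


def domain_rating(hosts) -> tuple:
    """Return (remaining score, rating) for a security domain containing `hosts`."""
    deducted = 0
    for h in hosts:
        rv = risk_value(h)
        points = next((p for floor, p in DEDUCTIONS if rv >= floor), 0)
        deducted = min(DEDUCTION_CAP, deducted + points)
    remaining = DOMAIN_FULL_SCORE - deducted
    rating = next((name for floor, name in RATINGS if remaining >= floor), "high")
    return remaining, rating


SAMPLE_HOSTS = [  # constructed sample input
    HostFacts("10.0.1.5", "compromised", "high", vuln="critical"),
    HostFacts("192.168.1.20", "high_suspicion", "medium", file_mail_threat="high"),
    HostFacts("10.0.1.9", "low_suspicion", vuln="medium"),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.ip, host_type(h.ip), risk_value(h))
    print(domain_rating(SAMPLE_HOSTS))
```

With the sample hosts the compromised server scores 332, the terminal 223 and the low-suspicion server 101; together they deduct 50 points, leaving the domain at 50 and rated "medium" under the assumed thresholds.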
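The aggregation list of claim 9 (also described in the preferred embodiment above) and the statistics and trends of claim 10, as an added illustration by the editor; it is not code from the patent or its applicant. The patent does not say what key the aggregation uses, so grouping by event name is an assumption, as are the `Event` fields and the constructed sample events. The handling-state rule is the one the claim states: an aggregate is unhandled if at least one of its events is unhandled.

```python
"""Aggregation list (claim 9) and statistics/trends (claim 10). Editor's example, not the patent's code.

Assumptions: events are grouped by event name; the Event fields and sample events are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

COMPROMISE_ORDER = {"low_suspicion": 1, "high_suspicion": 2, "compromised": 3}
THREAT_ORDER = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Event:
    name: str            # event type; assumed to be the aggregation key
    host_ip: str
    host_type: str       # "server" or "terminal"
    compromise: str
    threat: str
    occurred: datetime
    handled: bool


def handling_state(events) -> str:
    """Claim 9: an aggregate is handled only when every event in it is handled."""
    return "handled" if all(e.handled for e in events) else "unhandled"


def aggregate(events) -> dict:
    """Build the aggregation list: public fields per event name, host fields per risk host."""
    groups = defaultdict(list)
    for e in events:
        groups[e.name].append(e)
    result = {}
    for name, evs in groups.items():
        by_host = defaultdict(list)
        for e in evs:
            by_host[e.host_ip].append(e)
        hosts = [{"risk_host_ip": ip,
                  "host_type": hv[0].host_type,
                  "latest_occurrence": max(e.occurred for e in hv),
                  "handling_state": handling_state(hv)} for ip, hv in by_host.items()]
        result[name] = {
            # public fields: the worst compromise and threat level seen in the aggregate
            "compromise_level": max(evs, key=lambda e: COMPROMISE_ORDER[e.compromise]).compromise,
            "threat_level": max(evs, key=lambda e: THREAT_ORDER[e.threat]).threat,
            "risk_host_count": len(hosts),
            "handling_state": handling_state(evs),
            "hosts": sorted(hosts, key=lambda h: h["latest_occurrence"], reverse=True),
        }
    return result


def statistics(events) -> dict:
    """Claim 10: event and host counts by threat level, plus a per-day trend of each."""
    day = lambda e: e.occurred.date().isoformat()
    hosts_by_threat = defaultdict(set)
    hosts_by_day = defaultdict(set)
    for e in events:
        hosts_by_threat[e.threat].add(e.host_ip)
        hosts_by_day[day(e)].add(e.host_ip)
    return {
        "events_by_threat": dict(Counter(e.threat for e in events)),
        "hosts_by_threat": {k: len(v) for k, v in hosts_by_threat.items()},
        "event_trend": dict(sorted(Counter(day(e) for e in events).items())),
        "host_trend": {d: len(v) for d, v in sorted(hosts_by_day.items())},
    }


T = datetime
SAMPLE_EVENTS = [  # constructed sample input
    Event("c2_beacon", "10.0.1.5", "server", "compromised", "high", T(2020, 9, 20, 9, 0), True),
    Event("c2_beacon", "10.0.1.5", "server", "compromised", "high", T(2020, 9, 21, 8, 30), False),
    Event("c2_beacon", "192.168.1.20", "terminal", "high_suspicion", "medium", T(2020, 9, 20, 11, 0), True),
    Event("port_scan", "192.168.1.21", "terminal", "low_suspicion", "low", T(2020, 9, 21, 10, 0), True),
]

if __name__ == "__main__":
    for name, agg in aggregate(SAMPLE_EVENTS).items():
        print(name, agg)
    print(statistics(SAMPLE_EVENTS))
```

In the sample, the `c2_beacon` aggregate covers two risk hosts and is reported as unhandled because one of the three events is still open, even though the terminal's own row is handled; `port_scan` is fully handled.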
CN202010991945.XA 2020-09-21 2020-09-21 Network security event processing method Pending CN112383503A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010991945.XA CN112383503A (en) 2020-09-21 2020-09-21 Network security event processing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010991945.XA CN112383503A (en) 2020-09-21 2020-09-21 Network security event processing method

Publications (1)

Publication Number Publication Date
CN112383503A true CN112383503A (en) 2021-02-19

Family

ID=74586452

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010991945.XA Pending CN112383503A (en) 2020-09-21 2020-09-21 Network security event processing method

Country Status (1)

Country Link
CN (1) CN112383503A (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966002A (en) * 2021-02-28 2021-06-15 新华三信息安全技术有限公司 Security management method, device, equipment and machine readable storage medium
CN113810362A (en) * 2021-07-28 2021-12-17 中国人寿保险股份有限公司上海数据中心 Safety risk detection and disposal system and method thereof
CN113810362B (en) * 2021-07-28 2024-02-13 中国人寿保险股份有限公司上海数据中心 Safety risk detection and treatment method
CN114006802A (en) * 2021-09-14 2022-02-01 上海纽盾科技股份有限公司 Situation awareness prediction method, device and system for equipment with failure
CN114006802B (en) * 2021-09-14 2023-11-21 上海纽盾科技股份有限公司 Situation awareness prediction method, device and system for collapse equipment
CN113542311B (en) * 2021-09-17 2021-11-26 成都数默科技有限公司 Method for detecting and backtracking defect host in real time
CN113542311A (en) * 2021-09-17 2021-10-22 成都数默科技有限公司 Method for detecting and backtracking defect host in real time
CN113821425B (en) * 2021-09-30 2024-03-08 奇安信科技集团股份有限公司 Tracking method and device for trust risk event, electronic equipment and storage medium
CN113821425A (en) * 2021-09-30 2021-12-21 奇安信科技集团股份有限公司 Trust risk event tracking method and device, electronic equipment and storage medium
CN114244809A (en) * 2021-12-24 2022-03-25 北京天融信网络安全技术有限公司 Method and device for detecting host computer failure level in target network
CN114244809B (en) * 2021-12-24 2024-05-17 北京天融信网络安全技术有限公司 Method and device for detecting host computer collapse level in target network
CN114338237B (en) * 2022-03-01 2024-02-02 中国工商银行股份有限公司 Terminal behavior monitoring method, device, equipment, medium and computer program product
CN114338237A (en) * 2022-03-01 2022-04-12 中国工商银行股份有限公司 Terminal behavior monitoring method, device, equipment, medium and computer program product
CN114584365A (en) * 2022-03-01 2022-06-03 北京优炫软件股份有限公司 Security event analysis response method and system
CN114760150A (en) * 2022-06-13 2022-07-15 交通运输通信信息集团有限公司 Network security protection method and system based on big data
CN116032534A (en) * 2022-11-30 2023-04-28 广西电网有限责任公司 Network security processing system based on cooperative intrusion detection
CN116506208B (en) * 2023-05-17 2023-12-12 河南省电子信息产品质量检验技术研究院 Computer software information security maintenance system based on local area network
CN116506208A (en) * 2023-05-17 2023-07-28 河南省电子信息产品质量检验技术研究院 Computer software information security maintenance system based on local area network
CN118381657A (en) * 2024-06-17 2024-07-23 湘江实验室 Computing network fusion system security assessment method based on interaction and update of multiple assessment items
CN118611997A (en) * 2024-08-09 2024-09-06 国网浙江省电力有限公司杭州供电公司 Perception safety protection method, system and equipment based on network port protection device
CN118611997B (en) * 2024-08-09 2024-11-08 国网浙江省电力有限公司杭州供电公司 Perception safety protection method, system and equipment based on network port protection device

Similar Documents

Publication Publication Date Title
CN112383503A (en) Network security event processing method
CN111490970A (en) Tracing analysis method for network attack
CN108259449B Method and system for defending against APT (advanced persistent threat) attacks
JP6104149B2 (en) Log analysis apparatus, log analysis method, and log analysis program
US10095866B2 (en) System and method for threat risk scoring of security threats
CN111245787A (en) Method and device for equipment defect identification and equipment defect degree evaluation
Hoque et al. Network attacks: Taxonomy, tools and systems
US7594270B2 (en) Threat scoring system and method for intrusion detection security networks
Gautam et al. An ensemble approach for intrusion detection system using machine learning algorithms
US8312537B1 (en) Reputation based identification of false positive malware detections
US20170061126A1 (en) Process Launch, Monitoring and Execution Control
CN108369541B (en) System and method for threat risk scoring of security threats
Zou et al. An approach for detection of advanced persistent threat attacks
CN117294517A (en) Network security protection method and system for solving abnormal traffic
Chakir et al. An efficient method for evaluating alerts of Intrusion Detection Systems
Auliar et al. Security in iot-based smart homes: A taxonomy study of detection methods of mirai malware and countermeasures
Shabtai et al. Monitoring, analysis, and filtering system for purifying network traffic of known and unknown malicious content
Hashem et al. A proposed technique for simultaneously detecting DDoS and SQL injection attacks
Boggs et al. Measuring drive-by download defense in depth
Georgina et al. Deception based techniques against ransomwares: a systematic review
Siraj et al. A cognitive model for alert correlation in a distributed environment
Anwar et al. Understanding internet of things malware by analyzing endpoints in their static artifacts
Kono et al. An unknown malware detection using execution registry access
Syaifuddin et al. Automation snort rule for XSS detection with honeypot
Kim et al. Adaptive pattern mining model for early detection of botnet‐propagation scale

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination