CN112583848A - Remote security log analysis system - Google Patents

Remote security log analysis system Download PDF

Info

Publication number
CN112583848A
Authority
CN
China
Prior art keywords
sub
stage
phase
data
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011560990.6A
Other languages
Chinese (zh)
Inventor
Inventor not disclosed
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Liancheng Technology Development Co ltd
Original Assignee
Nanjing Liancheng Technology Development Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Liancheng Technology Development Co ltd
Priority to CN202011560990.6A
Publication of CN112583848A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a remote security log analysis system in which data is collected across different remote sensors and the analysis of the collected data is divided into four stages and seven sub-stages. Each sub-stage is evaluated as a table in a relational database, and the metadata of each sub-stage serves as the primary key or foreign key that connects the data of adjacent sub-stages. Because event correlation can then be expressed as SQL queries, logical data aggregation and event correlation analysis are performed on the seven sub-stages using an aggregation field as the primary or foreign key; relationships between security alarms or events can be identified, the root cause of a security alarm or event can be determined, event playback can be realized, and security operation and maintenance personnel are helped to perform security investigations systematically. The four stages are the network stage, the endpoint stage, the domain stage and the departure stage; the seven sub-stages are reconnaissance, delivery, installation, privilege elevation, traversing, attack on target, and withdrawal. With this system, security operation and maintenance personnel are freed from incomplete and massive, disordered security log information.

Description

Remote security log analysis system
Technical Field
The invention relates to the technical field of computers, network security, artificial intelligence, network management and automatic control, in particular to a remote security log analysis system.
Background
Information security is one of the issues of greatest concern to enterprises, and its visibility to key decision makers increases year by year. Media reports of security breaches have heightened concern about the inadequacy of current strategies for detecting and preventing intrusions. Some studies suggest that this deficiency stems from reliance on statistical models, or from the fact that attackers have long since learned to evade attack signatures. It is also believed that existing solutions may detect certain aspects of an attack but fail to provide all the data needed to verify malicious activity, because they cannot observe all the events on the network that affect multiple computing systems. Because of these limitations, it is becoming increasingly important to analyze data from multiple auditing systems, bastion hosts, IDS, IPS or load-balancing devices deployed at different locations in the network topology in order to detect complex attacks. Unfortunately, aggregating data from multiple different sources, determining the root cause of a security alarm or event and implementing "event replay" present several challenges: for example, managing mass data from different sensors and making sense of out-of-order, incompatible or seemingly chaotic data. Security operation and maintenance personnel, for their part, frequently face one of two situations: either the information is incomplete, or a large amount of information is disorganized. Both situations greatly affect the ability of event responders and security operation and maintenance personnel to correctly locate and respond when a security event occurs, and they greatly impact the ability of information security and event response teams to locate security failures or implement corrective measures to detect, prevent or mitigate the damage caused during an attack.
Disclosure of Invention
In order to solve the above technical problems, the present invention provides a remote security log analysis system, which is different from the conventional analysis system, and is capable of performing logical data aggregation in a relational database, collecting data across different remote sensors, and issuing more detailed alarms to security operation and maintenance service personnel.
A remote security log analysis system, characterized in that data is collected across different remote sensors and the analysis of the collected data is divided into four phases and seven sub-phases; each sub-phase is evaluated as a table in a relational database, and the metadata of each sub-phase is used as a primary key or foreign key connecting the data of adjacent sub-phases. Because event correlation can then be performed with SQL queries, logical data aggregation and event correlation analysis are performed on the seven sub-phases based on an aggregation field used as the primary or foreign key; relationships between security alarms or events can be identified, the root cause of a security alarm or event can be determined, event playback can be realized, and security operation and maintenance personnel are helped to perform security investigations systematically. The four phases are the network phase, the endpoint phase, the domain phase and the departure phase; the seven sub-phases are reconnaissance, delivery, installation, privilege elevation, traversing, attack on target and withdrawal.
The network stage (pre-compromise) comprises the reconnaissance sub-stage and the delivery sub-stage;
the endpoint stage (compromise) comprises the installation sub-stage and the privilege elevation sub-stage;
the domain stage (intrusion) comprises the traversing sub-stage and the attack on target sub-stage;
the departure stage (theft) comprises the withdrawal sub-stage;
the reconnaissance sub-stage is investigated by source IP address; its data generally reflects a one-to-many relationship between one source IP address and many target IP addresses, and it comprises two tasks: probing and enumeration;
the delivery sub-stage, whose data typically shows a single source IP address and a single destination IP address while enumerating a large number of potentially exploitable vulnerabilities, comprises two tasks: host access and network access;
the installation sub-stage is typically investigated by the computer name of the compromised machine, because IP address data is typically omitted by systems that detect malware or software modifications; it comprises two tasks: host delivery and software modification;
the privilege elevation sub-stage, whose data is investigated by user credentials, often shows a newly created administrator attempting to perform a number of command-line operations, and comprises two tasks: elevating privileges and using privileges;
the traversing sub-stage, investigated by the user credentials used, appears as a single user attempting to access many different machines in the intranet, and comprises two tasks: intranet reconnaissance and traversing;
the attack on target sub-stage is investigated by the computer name of the suspicious system to determine the nature of the system change, and comprises two tasks: data manipulation and obfuscation;
the withdrawal sub-stage, investigated by the unusual external-network destination IP address, comprises one task: data transfer to the external network.
Further, the logical data aggregation is performed on the seven sub-phases in the relational database based on the aggregation fields, which comprise a reconnaissance sub-phase aggregation field, a delivery sub-phase aggregation field, an installation sub-phase aggregation field, a privilege elevation sub-phase aggregation field, a traversing sub-phase aggregation field, an attack on target sub-phase aggregation field and a withdrawal sub-phase aggregation field.
Further, the reconnaissance sub-phase aggregation field is the source IP address.
Further, the delivery sub-phase aggregation field is the target IP address.
Further, the installation sub-phase aggregation field is the computer name.
Further, the privilege elevation sub-phase aggregation field is the account name.
Further, the traversing sub-phase aggregation field is the login name.
Further, the attack on target sub-phase aggregation field is the computer name.
Further, the withdrawal sub-phase aggregation field is the target IP address.
The invention has the following technical effects:
the present invention provides a remote security log analysis system in which data is collected across different remote sensors and the analysis of the collected data is divided into four phases and seven sub-phases. Each sub-phase is evaluated as a table in a relational database, and the metadata of each sub-phase is used as a primary key or foreign key connecting the data of adjacent sub-phases. Since event correlation can then be performed with SQL queries, logical data aggregation and event correlation analysis are performed on the seven sub-phases based on an aggregation field used as the primary or foreign key; relationships between security alarms or events can be identified, the root cause of a security alarm or event can be determined, and event playback can be achieved, which helps security operation and maintenance personnel perform security investigations systematically. The four phases are the network phase, the endpoint phase, the domain phase and the departure phase; the seven sub-phases are reconnaissance, delivery, installation, privilege elevation, traversing, attack on target and withdrawal. With this system, security operation and maintenance personnel are freed from incomplete and massive, disordered security log information.
Drawings
FIG. 1 is a schematic diagram of the remote security log analysis system;
FIG. 2 is a schematic diagram of the primary key and foreign key relationships of the remote security log analysis system;
FIG. 3 is a schematic diagram of the decomposition of the network phase of the remote security log analysis system;
FIG. 4 is a schematic diagram of the decomposition of the endpoint phase of the remote security log analysis system;
FIG. 5 is a schematic diagram of the decomposition of the domain phase of the remote security log analysis system;
FIG. 6 is a schematic diagram of the decomposition of the departure phase of the remote security log analysis system.
Detailed Description
The invention is described in further detail below with reference to the figures and examples:
the application provides a mechanism for collecting and correlating data from different sensor systems. Its aim is to support metadata aggregation, to overcome challenges such as incomplete or fragmented sensor data, and to fuse the various sensor data into the alarms or events generated by security devices, so that attack behavior spanning multiple sensors is described accurately; ultimately the detection rate is improved and the security operation and maintenance workflow is simplified. In one embodiment, analysis of historical security breach data and study of successful security operation and maintenance personnel yielded insight into locating threats effectively through behavioral modeling. The behavioral modeling describes the sequence of events an attacker must perform in order to succeed in an attack.
The alarms generated by the correlation framework greatly reduce alarm noise and volume, and provide aggregation fields that help security operation and maintenance personnel investigate the workflow more effectively and locate threats quickly.
The system provided by the present application, as shown in fig. 1, consists of four stages: the network phase, the endpoint phase, the domain phase and the departure phase. These represent the goals an attacker must accomplish in order to successfully invade the target network and perform malicious acts such as data theft, denial of service or destruction of the system.
The present application identifies different features in the data extracted from four different macro-stages (network, endpoint, domain and departure). The data extracted from each stage may be further broken down into sub-stages according to the attacker's behavior or the abnormal behavior observed in the data. This is similar to the Capability Maturity Model (CMM) used in software development, which is divided into 5 levels, each further decomposed into several key process areas (corresponding to the sub-stages of the present application). FIG. 1 shows a schematic diagram of the remote security log analysis system.
FIG. 2 is a schematic diagram of the relationship between primary keys and foreign keys in the remote security log analysis system. The application is also designed to be consistent with the natural identifier that security operation and maintenance personnel use when investigating within each phase. As shown in fig. 2, reconnaissance activity is typically investigated by originating IP address, and its data typically reflects a one-to-many relationship between one source IP address and many destination IP addresses. Data in the delivery sub-phase typically shows a single source IP address targeting a single destination IP address and enumerating a number of potential exploits. Installation activity is typically investigated by the computer name of the compromised machine, because IP address data is typically omitted by systems that detect malware or software modifications. Data in the privilege elevation phase is investigated by user credentials and often shows a newly created administrator attempting to perform multiple command-line operations. Traversing is also investigated by the user credentials used, and typically appears as a single user attempting to access many different machines in the intranet. Attacks on a target are typically investigated by the computer name of the suspect system to determine the nature of the system change. Finally, the departure phase is investigated by analyzing anomalous external-network destination IP addresses. The ability to apply a natural identifier to each phase during the investigation process is evaluated as an advantage over existing security log analysis systems.
Deconstructing the data flow model and analyzing the metadata in each sub-phase reveals potential data pairings for correlation. Each sub-phase is evaluated as a table in a relational database, with the metadata of each sub-phase used as a primary or foreign key that connects adjacent sub-phase data, so that the correlation functions can be performed with SQL queries. FIG. 2 shows the relationship of primary keys, identified by boxes, and foreign keys, identified by dashed lines, to adjacent phases.
It is worth noting that some models fail to provide enough data for comparison with neighboring phases unless the data is first aggregated with another sensor source within the same phase. Correlating network delivery events with installation events is a primary example of this phenomenon: network intrusion detection systems typically omit host names, while host-based malware solutions typically record host names and omit local IP addresses. This problem is solved by fusing the two data sets through DHCP, DNS or domain authentication data available on domain controllers or on the servers hosting these common services (as shown in fig. 2).
Sensor logs, events of the security log analysis system, or security alarms are aggregated within each sub-phase, and SQL queries link the metadata via the classification fields and the sub-phase-specific aggregation fields shown in fig. 2. For example, all events classified as belonging to the set of reconnaissance objectives (reconnaissance, probing or enumeration) and having the same source IP address are aggregated into a single event. To provide the greatest investigative value to security operation and maintenance personnel, the aggregated event preserves all unique metadata fields observed in the aggregated records.
In most cases the generated aggregated events show greatly improved investigative value for security operation and maintenance personnel, especially for attack activity that typically produces large volumes of logs on sensor devices. A primary example is the reconnaissance activity associated with network scanning tools: during evaluation, a single aggregated alarm was generated from the 100 individual events observed during a vulnerability scan. The resulting alarm fuses information from multiple logging systems and accurately identifies all target computers affected by the attacker, as well as all unique attacks or signatures observed by the logging devices.
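The aggregation and cross-sensor fusion just described, as an added example that is not part of the patent: each sub-phase is a table whose aggregation field is the join key; reconnaissance rows are collapsed per source IP into one alarm that keeps every unique target, signature and sensor, and delivery events (keyed by target IP) are joined to installation events (keyed by computer name) through an IP-to-host-name lease table standing in for the DHCP data the text mentions. The table layouts, sample events, sensor names and the 100-event scan are all constructed for this illustration; the database is an in-memory SQLite instance.

```python
"""Sub-phase tables linked by their aggregation fields (added example).

Constructed data: a scanner touching 20 hosts with 5 signatures each (100
events) plus a second, quieter source; a delivery alarm against one of the
scanned hosts; host-sensor installation events that carry only computer
names; and a lease table mapping IP addresses to computer names.
"""
import sqlite3

SCHEMA = """
CREATE TABLE reconnaissance (source_ip TEXT, dest_ip TEXT, signature TEXT, sensor TEXT);
CREATE TABLE delivery       (source_ip TEXT, dest_ip TEXT, signature TEXT, sensor TEXT);
CREATE TABLE installation   (computer_name TEXT, artifact TEXT, sensor TEXT);
CREATE TABLE dhcp_lease     (ip TEXT PRIMARY KEY, computer_name TEXT);
"""

SCAN_SIGNATURES = ["TCP SYN scan", "SMB enumeration", "HTTP OPTIONS probe",
                   "SSH banner grab", "RDP probe"]


def build_db():
    """Create an in-memory database and load the constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    recon = []
    for host in range(10, 30):                      # 20 target hosts
        sensor = "nids-1" if host % 2 == 0 else "fw-edge"   # two sensors see the scan
        for sig in SCAN_SIGNATURES:                 # 5 signatures each -> 100 rows
            recon.append(("203.0.113.7", f"192.168.1.{host}", sig, sensor))
    recon += [("198.51.100.9", "192.168.1.40", "TCP SYN scan", "nids-1"),
              ("198.51.100.9", "192.168.1.41", "TCP SYN scan", "nids-1")]
    conn.executemany("INSERT INTO reconnaissance VALUES (?,?,?,?)", recon)
    # Network sensors report the delivery step by IP address only.
    conn.executemany("INSERT INTO delivery VALUES (?,?,?,?)", [
        ("203.0.113.7", "192.168.1.20", "exploit attempt against web service", "nids-1"),
        ("203.0.113.7", "192.168.1.20", "malicious document download", "proxy-1"),
    ])
    # Host sensors report by computer name and omit the IP address.
    conn.executemany("INSERT INTO installation VALUES (?,?,?)", [
        ("WS-FIN-07", "new service installed: updater.exe", "edr-1"),
        ("WS-HR-02", "unsigned driver loaded", "edr-1"),
    ])
    conn.executemany("INSERT INTO dhcp_lease VALUES (?,?)", [
        ("192.168.1.20", "WS-FIN-07"), ("192.168.1.33", "WS-HR-02"),
    ])
    return conn


def aggregate_reconnaissance(conn):
    """Collapse all reconnaissance events per source IP (the sub-phase's
    aggregation field) into one alarm that keeps every unique target,
    signature and sensor observed."""
    rows = conn.execute("""
        SELECT source_ip,
               COUNT(*)                         AS events,
               COUNT(DISTINCT dest_ip)          AS targets,
               GROUP_CONCAT(DISTINCT signature) AS signatures,
               GROUP_CONCAT(DISTINCT sensor)    AS sensors
        FROM reconnaissance
        GROUP BY source_ip
        ORDER BY events DESC""").fetchall()
    return [{"source_ip": r[0], "events": r[1], "targets": r[2],
             "signatures": set(r[3].split(",")), "sensors": set(r[4].split(","))}
            for r in rows]


def correlate_delivery_to_installation(conn):
    """Join delivery (keyed by target IP) to installation (keyed by computer
    name) through the lease table, so a network-side alarm and a host-side
    alarm about the same machine become one record."""
    return conn.execute("""
        SELECT DISTINCT d.source_ip, d.dest_ip, l.computer_name, i.artifact
        FROM delivery d
        JOIN dhcp_lease l   ON l.ip = d.dest_ip
        JOIN installation i ON i.computer_name = l.computer_name
        ORDER BY d.dest_ip""").fetchall()


if __name__ == "__main__":
    db = build_db()
    for alarm in aggregate_reconnaissance(db):
        print(alarm)
    for row in correlate_delivery_to_installation(db):
        print(row)
```

The first query is the "100 events become one alarm" step: the GROUP BY on the aggregation field does the collapsing, and GROUP_CONCAT(DISTINCT ...) is what preserves the unique metadata the text insists on keeping. The second query is the fusion the text describes for the delivery/installation boundary; the host that has an installation event but no delivery event is correctly left out of the result.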
The application provides a novel remote security log analysis system that adopts a staged process for analyzing the data flow and organizes the data of each stage and sub-stage into a structured database that supports data query and correlation routines. It consists of 4 stages and 7 sub-stages. The delivery sub-phase occurs immediately after the reconnaissance sub-phase, and the installation sub-phase follows the delivery sub-phase.
The data flow of the remote security log analysis process is divided into four stages and seven sub-stages, and the data flow model resolves the sensor information into these four stages and seven sub-stages. The data flow model is applied at two distinct points: by the message processing engine during initial parsing and normalization, and by the advanced intelligence engine during correlation and later reclassification. The data flow has the unique property of introducing into event records new metadata that does not exist in the original log information. This provides a mechanism for combining previously disparate data from different sensors into a single coherent data set. The classification fields that make up the 4 phases and 7 sub-phases were determined to be ideal candidates for implementing the new model within security log analysis, as they help to quickly identify the events of a related security attack and enable later event correlation during alarming.
As shown in figs. 3, 4, 5 and 6, the four phases described in the present application can be further decomposed into seven sub-phases: reconnaissance, delivery, installation, privilege elevation, traversing, attack on target and withdrawal. The delivery sub-phase is performed immediately after the reconnaissance sub-phase, and the installation sub-phase is ordered after the delivery sub-phase. To distinguish reconnaissance activity from the external network from reconnaissance activity within the internal network, the present application introduces the traversing sub-phase. The final sub-phase, withdrawal, is included to emphasize particularly the anomalous data transfer from the internal network to the external network. In addition, as can also be seen from figs. 3, 4, 5 and 6, the present application presents empirical data for each stage and/or sub-stage and attributes such data to the typical characteristics of an attempt to achieve the attacker's goal as defined by the respective stage and/or sub-stage.
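The parsing and normalization step of the data flow model, as an added example (not the patent's own code): raw records from different kinds of sensor are parsed into one event shape and then given the metadata the original log lacks, namely the phase, the sub-phase and the value of that sub-phase's aggregation field, using the sub-phase-to-aggregation-field mapping given in the description (source IP, target IP, computer name, account name, login name, computer name, destination IP). The `key=value` line format, the sensor names, the event type names and the rules that map a sensor event type to a sub-phase are assumptions made for this illustration; the description itself characterizes sub-phases by data patterns such as one-to-many versus one-to-one address relationships, which a production classifier would also need to take into account.

```python
"""Normalization step that adds phase / sub-phase / aggregation-key metadata
(added example; line formats and classification rules are assumptions)."""
import re

# Sub-phase -> (phase, field whose value becomes the aggregation key).
# The field choice per sub-phase follows the description; the field *names*
# (src, dst, host, account, user) belong to this example's record format.
AGGREGATION_FIELD = {
    "reconnaissance":      ("network",   "src"),      # source IP address
    "delivery":            ("network",   "dst"),      # target IP address
    "installation":        ("endpoint",  "host"),     # computer name
    "privilege_elevation": ("endpoint",  "account"),  # account name
    "traversing":          ("domain",    "user"),     # login name
    "attack_on_target":    ("domain",    "host"),     # computer name
    "withdrawal":          ("departure", "dst"),      # destination IP address
}

# Assumed rules: (sensor type, event type) -> sub-phase.
SUBPHASE_RULES = {
    ("nids",  "scan"):              "reconnaissance",
    ("nids",  "exploit"):           "delivery",
    ("edr",   "service_installed"): "installation",
    ("edr",   "admin_created"):     "privilege_elevation",
    ("dc",    "remote_logon"):      "traversing",
    ("edr",   "log_cleared"):       "attack_on_target",
    ("proxy", "large_upload"):      "withdrawal",
}

# Constructed sample lines: "<timestamp> <sensor> key=value key="quoted value" ..."
SAMPLE_LINES = [
    '2020-12-25T10:01:02Z nids-1 type=scan sig="TCP SYN scan" src=203.0.113.7 dst=192.168.1.20 dport=445',
    '2020-12-25T10:05:31Z nids-1 type=exploit sig="web service exploit attempt" src=203.0.113.7 dst=192.168.1.20 dport=443',
    '2020-12-25T10:07:44Z edr-1 type=service_installed host=WS-FIN-07 image=updater.exe',
    '2020-12-25T10:09:13Z dc-1 type=remote_logon user=svc_backup src_host=WS-FIN-07 host=FS-01 result=success',
    '2020-12-25T10:20:00Z proxy-1 type=large_upload src=192.168.1.20 dst=198.51.100.77 bytes=734003200',
    '2020-12-25T10:21:00Z printer-3 type=toner_low device=PRN-2',   # not security-relevant
]

TOKEN = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="value with spaces"


def parse_line(line):
    """Parse one raw line into a flat dict of its fields."""
    ts, sensor, rest = line.split(" ", 2)
    event = {"ts": ts, "sensor": sensor}
    for key, raw, quoted in TOKEN.findall(rest):
        event[key] = quoted if raw.startswith('"') else raw
    return event


def normalize(line):
    """Parse a line and add the metadata the data flow model introduces:
    phase, sub_phase and agg_key. Unclassified events keep None in all
    three so they are retained but never aggregated."""
    event = parse_line(line)
    sensor_type = event["sensor"].split("-")[0]          # "nids-1" -> "nids"
    sub_phase = SUBPHASE_RULES.get((sensor_type, event.get("type")))
    event["sub_phase"] = sub_phase
    if sub_phase is None:
        event["phase"] = event["agg_key"] = None
        return event
    phase, field = AGGREGATION_FIELD[sub_phase]
    event["phase"] = phase
    event["agg_key"] = event.get(field)                  # value later used as PK/FK
    return event


if __name__ == "__main__":
    for e in (normalize(l) for l in SAMPLE_LINES):
        print(e["ts"], e["sensor"], e["phase"], e["sub_phase"], e["agg_key"])
```

Once every record carries `sub_phase` and `agg_key`, loading it into the per-sub-phase tables and running the GROUP BY and JOIN queries of the correlation stage is mechanical, which is the point the description makes about the classification fields being the natural hook for later correlation.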
The application provides a remote security log analysis system, characterized in that data is collected across different remote sensors and the analysis of the collected data is divided into four stages and seven sub-stages; each sub-stage is evaluated as a table in a relational database, and the metadata of each sub-stage is used as a primary key or foreign key connecting the data of adjacent sub-stages. Because event correlation can then be executed with SQL queries, the seven sub-stages are subjected to logical data aggregation and event correlation analysis based on an aggregation field used as the primary or foreign key, so that relationships between security alarms or events can be identified, the root cause of a security alarm or event can be determined, event playback can be realized, and security operation and maintenance personnel are helped to perform security investigations systematically. The four stages are the network stage, the endpoint stage, the domain stage and the departure stage; the seven sub-stages are reconnaissance, delivery, installation, privilege elevation, traversing, attack on target and withdrawal.
The network stage (pre-compromise) comprises the reconnaissance sub-stage and the delivery sub-stage;
the endpoint stage (compromise) comprises the installation sub-stage and the privilege elevation sub-stage;
the domain stage (intrusion) comprises the traversing sub-stage and the attack on target sub-stage;
the departure stage (theft) comprises the withdrawal sub-stage;
the reconnaissance sub-stage is investigated by source IP address; its data generally reflects a one-to-many relationship between one source IP address and many target IP addresses, and it comprises two tasks: probing and enumeration;
the delivery sub-stage, whose data typically shows a single source IP address and a single destination IP address while enumerating a large number of potentially exploitable vulnerabilities, comprises two tasks: host access and network access;
the installation sub-stage is typically investigated by the computer name of the compromised machine, because IP address data is typically omitted by systems that detect malware or software modifications; it comprises two tasks: host delivery and software modification;
the privilege elevation sub-stage, whose data is investigated by user credentials, often shows a newly created administrator attempting to perform a number of command-line operations, and comprises two tasks: elevating privileges and using privileges;
the traversing sub-stage, investigated by the user credentials used, appears as a single user attempting to access many different machines in the intranet, and comprises two tasks: intranet reconnaissance and traversing;
the attack on target sub-stage is investigated by the computer name of the suspicious system to determine the nature of the system change, and comprises two tasks: data manipulation and obfuscation;
the withdrawal sub-stage, investigated by the unusual external-network destination IP address, comprises one task: data transfer to the external network.
Further, as shown in fig. 2, the aggregation fields used as primary or foreign keys comprise a reconnaissance sub-phase aggregation field, a delivery sub-phase aggregation field, an installation sub-phase aggregation field, a privilege elevation sub-phase aggregation field, a traversing sub-phase aggregation field, an attack on target sub-phase aggregation field and a withdrawal sub-phase aggregation field.
Further, as shown in fig. 2, the reconnaissance sub-phase aggregation field is the source IP address.
Further, as shown in fig. 2, the delivery sub-phase aggregation field is the target IP address.
Further, as shown in fig. 2, the installation sub-phase aggregation field is the computer name.
Further, as shown in fig. 2, the privilege elevation sub-phase aggregation field is the account name.
Further, as shown in fig. 2, the traversing sub-phase aggregation field is the login name.
Further, as shown in fig. 2, the attack on target sub-phase aggregation field is the computer name.
Further, as shown in fig. 2, the withdrawal sub-phase aggregation field is the destination IP address.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention; all equivalent changes and modifications made according to the present invention are considered to be covered by the scope of the present invention.

Claims (1)

1. A remote security log analysis system, characterized in that data is collected across different remote sensors and the analysis of the collected data is divided into four phases and seven sub-phases; each sub-phase is evaluated as a table in a relational database, and the metadata of each sub-phase is used as a primary key or foreign key connecting the data of adjacent sub-phases. Because event correlation can then be performed with SQL queries, logical data aggregation and event correlation analysis are performed on the seven sub-phases based on an aggregation field used as the primary or foreign key; relationships between security alarms or events can be identified, the root cause of a security alarm or event can be determined, event playback can be realized, and security operation and maintenance personnel are helped to perform security investigations systematically. The four phases are the network phase, the endpoint phase, the domain phase and the departure phase; the seven sub-phases are reconnaissance, delivery, installation, privilege elevation, traversing, attack on target and withdrawal;
the network stage (pre-compromise) comprises the reconnaissance sub-stage and the delivery sub-stage;
the endpoint stage (compromise) comprises the installation sub-stage and the privilege elevation sub-stage;
the domain stage (intrusion) comprises the traversing sub-stage and the attack on target sub-stage;
the departure stage (theft) comprises the withdrawal sub-stage;
the reconnaissance sub-stage is investigated by source IP address; its data generally reflects a one-to-many relationship between one source IP address and many target IP addresses, and it comprises two tasks: probing and enumeration;
the delivery sub-stage, whose data typically shows a single source IP address and a single destination IP address while enumerating a large number of potentially exploitable vulnerabilities, comprises two tasks: host access and network access;
the installation sub-stage is typically investigated by the computer name of the compromised machine, because IP address data is typically omitted by systems that detect malware or software modifications; it comprises two tasks: host delivery and software modification;
the privilege elevation sub-stage, whose data is investigated by user credentials, often shows a newly created administrator attempting to perform a number of command-line operations, and comprises two tasks: elevating privileges and using privileges;
the traversing sub-stage, investigated by the user credentials used, appears as a single user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011560990.6A CN112583848A (en) 2020-12-25 2020-12-25 Remote security log analysis system

Publications (1)

Publication Number Publication Date
CN112583848A true CN112583848A (en) 2021-03-30

Family

ID=75140496

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011560990.6A Pending CN112583848A (en) 2020-12-25 2020-12-25 Remote security log analysis system

Country Status (1)

Country Link
CN (1) CN112583848A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107819862A (en) * 2017-11-15 2018-03-20 杭州安恒信息技术有限公司 Rapid electronic forensics method, device and electronic equipment based on Raspberry Pi
CN107888607A (en) * 2017-11-28 2018-04-06 新华三技术有限公司 Cyber threat detection method, device and network management device
CN108696473A (en) * 2017-04-05 2018-10-23 中国移动通信集团广东有限公司 Attack path restoring method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Complete table of contents of Volume 12", 《科学技术与工程》 (Science Technology and Engineering) *
THREATHUNTER: "The life cycle of a cyber attack", 《简书社区》 (Jianshu community) *
Chen Chi et al.: "Design and implementation of a data asset security management and control platform based on classification and grading", 《计算机应用》 (Journal of Computer Applications) *

Similar Documents

Publication Publication Date Title
US10949534B2 (en) Method for predicting and characterizing cyber attacks
JP6894003B2 (en) Defense against APT attacks
CN104283889B (en) APT attack detectings and early warning system inside electric system based on the network architecture
McHugh Intrusion and intrusion detection
CN106411578B (en) A kind of web publishing system and method being adapted to power industry
Mukherjee et al. Network intrusion detection
Xu et al. Alert correlation through triggering events and common resources
US20170244748A1 (en) Secure computing environment
US20030084328A1 (en) Method and computer-readable medium for integrating a decode engine with an intrusion detection system
CN113660224B (en) Situation awareness defense method, device and system based on network vulnerability scanning
CN106209826A (en) A kind of safety case investigation method of Network Security Device monitoring
Zhang et al. Intrusion detection in SCADA systems by traffic periodicity and telemetry analysis
KR102222377B1 (en) Method for Automatically Responding to Threat
Beigh et al. Intrusion Detection and Prevention System: Classification and Quick
CN113438249B (en) Attack tracing method based on strategy
US7836503B2 (en) Node, method and computer readable medium for optimizing performance of signature rule matching in a network
RU2610395C1 (en) Method of computer security distributed events investigation
CN110086812B (en) Safe and controllable internal network safety patrol system and method
JP7172104B2 (en) NETWORK MONITORING DEVICE, NETWORK MONITORING PROGRAM AND NETWORK MONITORING METHOD
CN116894259A (en) Safety access control system of database
CN112583848A (en) Remote security log analysis system
Raut Log based intrusion detection system
TW202239178A (en) Hacking detection method and computer program product
Skopik et al. Intrusion detection in distributed systems using fingerprinting and massive event correlation
Osako et al. Proactive Defense model based on Cyber threat analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 20210330)