CN112671767A - Security event early warning method and device based on alarm data analysis - Google Patents
Security event early warning method and device based on alarm data analysis Download PDFInfo
- Publication number
- CN112671767A CN112671767A CN202011542476.XA CN202011542476A CN112671767A CN 112671767 A CN112671767 A CN 112671767A CN 202011542476 A CN202011542476 A CN 202011542476A CN 112671767 A CN112671767 A CN 112671767A
- Authority
- CN
- China
- Prior art keywords
- alarm data
- alarm
- data set
- time
- correlation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a safety event early warning method and a device based on alarm data analysis, which comprises the following steps: collecting alarm data of each safety device; wherein, the alarm data comprises alarm severity and destination IP; aggregating all alarm data according to the alarm severity and the target IP to generate a plurality of alarm data groups; the alarm severity of the alarm data in the same group is the same as that of the father node corresponding to the target IP; calculating the correlation degree of each alarm data set and each safety event stored in a preset database, and determining the safety event corresponding to each alarm data set according to the correlation degree; and carrying out safety event early warning according to the safety event corresponding to each alarm data set. By implementing the embodiment of the invention, the corresponding security event can be automatically associated according to various collected alarm data and then the user can be informed by early warning without manually judging the security event.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a security event early warning method and device based on alarm data analysis.
Background
With the continuous growth of computer network scale and the continuous rich expansion of various network-based applications, the security problem of the network becomes more and more prominent, and becomes one of the main factors restricting the development thereof. The security devices deployed in the network space generally serve as sensors, and when an attack activity occurs in the network space, the security devices are triggered to generate attack-related data, and record and alarm the attack behavior.
In the prior art, most of original alarm data generated by various safety devices are trivial, redundant and dispersed, a system cannot automatically and visually present associated safety event information according to the original alarm data, only network safety technicians can screen the associated alarm data in massive original alarm data, and then judge the safety event information according to the screened associated alarm data, so that the operation process is complicated.
Disclosure of Invention
The embodiment of the invention provides a safety event early warning method and device based on alarm data analysis, which can analyze original alarm data, automatically associate corresponding safety event information and perform early warning.
An embodiment of the present invention provides a security event early warning method based on alarm data analysis, including: collecting alarm data of each safety device; wherein the alarm data comprises alarm severity and destination IP;
aggregating the alarm data according to the alarm severity and the target IP to generate a plurality of alarm data groups; the alarm severity of the alarm data in the same group is the same as that of the father node corresponding to the target IP;
calculating the correlation degree of each alarm data set and each safety event stored in a preset database, and determining the safety event corresponding to each alarm data set according to the correlation degree;
and carrying out safety event early warning according to the safety event corresponding to each alarm data set.
Further, the alarm data further comprises a safety device identifier, an alarm identifier, alarm generation time, an alarm type, a source IP, a source port, a destination port and a vulnerability number.
Further, after the alarm data of each safety device is collected, the method further includes:
judging whether the collected alarm data contains repeated alarm data or not, if so, rejecting the repeated alarm data to obtain a duplicate-removed alarm data set;
judging whether the security equipment indicated by the target IP of each alarm data in the duplicate-removed alarm data set has the same vulnerability number as the alarm data; if not, eliminating the alarm data.
Further, the calculating the correlation between each alarm data set and each security event stored in a preset database, and determining the security event corresponding to each alarm data set according to the correlation specifically includes:
arranging all alarm data in the alarm data group according to the sequence of alarm generation time to generate a time-serialized alarm data group;
calculating the time correlation between the time-sequenced alarm data set and each safety event according to the alarm generation time of the first alarm data in the time-sequenced alarm data set and the starting time of each safety event;
calculating the node correlation of the time-serialized alarm data set and each safety event according to the target IP of each alarm data in the time-serialized alarm data set and the target IP of each safety event;
calculating a severity correlation between the time-sequenced alarm data set and each of the security events according to the alarm severity of the time-sequenced alarm data set and the severity of the security event of each of the security events;
and calculating the correlation degree of the time-serialized alarm data set and each safety event according to the time correlation, the node correlation and the severity correlation, and taking the safety event of which the correlation degree exceeds a preset threshold value as the safety event corresponding to the alarm data set.
On the basis of the above method item embodiments, the present invention correspondingly provides apparatus item embodiments;
another embodiment of the invention provides a security event early warning device based on alarm data analysis, which comprises a data acquisition module, a data aggregation module, a security event correlation module and an early warning module;
the data acquisition module is used for acquiring alarm data of each safety device; wherein the alarm data comprises alarm severity and destination IP;
the data aggregation module is used for aggregating the alarm data according to the alarm severity and the target IP to generate a plurality of alarm data groups; the alarm severity of the alarm data in the same group is the same as that of the father node corresponding to the target IP;
the safety event correlation module is used for calculating the correlation degree of each alarm data set and each safety event stored in a preset database, and determining the safety event corresponding to each alarm data set according to the correlation degree;
and the early warning module is used for carrying out early warning on the safety event according to the safety event corresponding to each alarm data set.
Further, the system also comprises a data screening module;
the data screening module is used for judging whether the collected alarm data contains repeated alarm data or not, if so, the repeated alarm data is removed, and a duplicate-removed alarm data set is obtained;
judging whether the security equipment indicated by the target IP of each alarm data in the duplicate-removed alarm data set has the same vulnerability number as the alarm data; if not, eliminating the alarm data.
Further, the security event correlation module calculates a degree of correlation between each alarm data set and each security event stored in a preset database, and determines a security event corresponding to each alarm data set according to the degree of correlation, and specifically includes:
arranging all alarm data in the alarm data group according to the sequence of alarm generation time to generate a time-serialized alarm data group;
calculating the time correlation between the time-sequenced alarm data set and each safety event according to the alarm generation time of the first alarm data in the time-sequenced alarm data set and the starting time of each safety event;
calculating the node correlation of the time-serialized alarm data set and each safety event according to the target IP of each alarm data in the time-serialized alarm data set and the target IP of each safety event;
calculating a severity correlation between the time-sequenced alarm data set and each of the security events according to the alarm severity of the time-sequenced alarm data set and the severity of the security event of each of the security events;
and calculating the correlation degree of the time-serialized alarm data set and each safety event according to the time correlation, the node correlation and the severity correlation, and taking the safety event of which the correlation degree exceeds a preset threshold value as the safety event corresponding to the alarm data set.
The embodiment of the invention has the following beneficial effects:
the embodiment of the invention provides a safety event early warning method and a device based on alarm data analysis, the method firstly collects alarm data generated by each safety device, then aggregates the alarm severity and a target IP according to the alarm data to generate a plurality of alarm data groups, the alarm severity of the alarm data in each alarm data group is the same as a father node corresponding to the target IP, the alarm data which are mutually dispersed are classified through the step, the alarm data with corresponding association relation are associated, then the correlation degree of each alarm data group and each pre-stored safety event is calculated, the alarm data groups and the corresponding safety events are associated through the correlation degree, and finally the early warning is carried out aiming at the safety events corresponding to each alarm data. By implementing the embodiment of the invention, the corresponding security events can be automatically associated according to various collected alarm data and then the user can be informed by early warning, so that the user can more intuitively know the corresponding security events when the alarm data is generated, and the user does not need to distinguish the security events according to massive alarm data.
Drawings
Fig. 1 is a schematic flowchart of a security event early warning method based on alarm data analysis according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a security event early warning apparatus based on alarm data analysis according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a security event early warning method based on alarm data analysis, including:
s101, collecting alarm data of each safety device; wherein, the alarm data comprises the alarm severity and the destination IP.
Step S102, aggregating all alarm data according to the alarm severity and the target IP to generate a plurality of alarm data groups; the alarm severity of the alarm data in the same group is the same as the parent node corresponding to the destination IP.
And S103, calculating the correlation degree of each alarm data set and each safety event stored in a preset database, and determining the safety event corresponding to each alarm data set according to the correlation degree.
And S104, performing safety event early warning according to the safety event corresponding to each alarm data set.
First, a brief description of the alarm data and security events to which the present invention relates is given:
a security event in the art refers to any event that attempts to change the security state of an information system (e.g., change access control measures, change security levels, change user passwords, etc.). The existing computer network is often attacked by external malicious users during operation, and when the system is attacked, the security device generates a series of corresponding alarm data according to the attack type. Therefore, the corresponding security event type can be obtained through analyzing the alarm data.
For step S101, in a preferred embodiment, the security device includes, but is not limited to, any one or combination of: firewall equipment, an intrusion detection system, equipment with a leak library, equipment with antivirus software and host monitoring.
In a preferred embodiment, the alarm data includes, but is not limited to, the following attribute information: the security device identifier, the alarm generation time, the alarm type, the alarm severity, the source IP, the source port, the destination IP, the destination port, and the referenced vulnerability number, i.e., the vulnerability number.
In a preferred embodiment, after step S101 and before step S102, step S1011 is further included, in which whether repeated alarm data exists in the collected alarm data is determined, and if yes, the repeated alarm data is removed to obtain a duplicate-removed alarm data set;
judging whether the security equipment indicated by the target IP of each alarm data has the same vulnerability number as the alarm data in the duplicate-removed alarm data set; if not, eliminating the alarm data.
The step is mainly to eliminate repeated redundant alarm data and wrong false alarm data;
in particular, the alarm data collected from each safety device is assumed to be collected for a time period of t1-t 2.
And then judging whether repeated alarm data with the same safety equipment identifier, alarm generation time, alarm type, alarm severity, source IP, source port, destination IP, destination port and quoted vulnerability number exists in the time period of t1-t2, and if so, rejecting the repeated alarm data. If not, the removal processing is not performed.
And after the duplicate removal of the alarm data is finished, judging whether the residual alarm data has false alarm data or not. The specific operation mode is as follows: and extracting the vulnerability number of the alarm data, searching the security equipment corresponding to the alarm data according to the destination IP of the alarm data, immediately searching whether the corresponding vulnerability number exists in a vulnerability library prestored in the security equipment, if not, indicating that the alarm is wrong, and at the moment, rejecting the alarm data, and if so, indicating that the alarm data is correct without rejecting.
For step S102, in a preferred embodiment, a clustering algorithm such as a K-means algorithm or a density-based method may be used to aggregate the alarm data of the target IP and the alarm severity, so as to generate the alarm data group.
In the present invention, the destination IP of each alarm data is defined as an IP address formed by four segments of data, two IP addresses having the same three segments of data have the same parent node, for example (the destination IP address of the alarm data a is a.b.c.d, and the destination IP address of the alarm data B is a.b.c.e., then the alarm data a and the alarm data B are alarm data having the same parent node), and then the alarm data having the same parent node and the same alarm severity are grouped into the same group when aggregation is performed.
For step S103, in a preferred embodiment, the calculating a correlation degree between each alarm data set and each security event stored in the preset database, and determining the security event corresponding to each alarm data set according to the correlation degree specifically includes:
arranging all alarm data in the alarm data group according to the sequence of alarm generation time to generate a time-serialized alarm data group;
calculating the time correlation between the time-sequenced alarm data set and each safety event according to the alarm generation time of the first alarm data in the time-sequenced alarm data set and the starting time of each safety event;
calculating the node correlation of the time-serialized alarm data set and each safety event according to the target IP of each alarm data in the time-serialized alarm data set and the target IP of each safety event;
calculating the severity correlation between the time-serialized alarm data set and each safety event according to the alarm severity of the time-serialized alarm data set and the severity of each safety event;
and calculating the correlation degree of the time-serialized alarm data set and each safety event according to the time correlation, the node correlation and the severity correlation, and taking the safety event of which the correlation degree exceeds a preset threshold value as the safety event corresponding to the alarm data set.
Specifically, firstly, the alarm data in each alarm data group is subjected to time-series processing to generate time-series alarm data groups, and the specific method is that the alarm generation times of the alarm data groups are arranged from morning to evening.
And then carrying out correlation calculation on the time-series alarm data set and the safety events stored in the database. Each security event has the following attributes: a security event identification, a security event start time, a security event end time (i.e., the end time of the last alarm), a security event severity, a security event destination IP, and a security event source IP.
The specific correlation calculation adopts the following formula: q ═ α × a + β × B + γ × C;
where α, β, and γ are preset weighting coefficients, a is the severity correlation, B is the node correlation, and C is the time correlation, in this embodiment, α is 0.4, β is 0.3, and γ is 0.3.
For severity correlations: if the alarm information group has the same severity as the security event, a is 1, otherwise a is 0.
For node dependencies: firstly, determining a father node corresponding to the alarm data group according to the target IP of each alarm data in the alarm data group, and then determining the father node to which the security event belongs according to the target IP of the security event. If the alarm information group and the security event have the same father node, B is 1, otherwise B is 0;
for the time correlation, calculating a time difference T1 between the alarm data generation time of the first alarm data and the safety event starting time in the alarm information group, and if T1 is less than tau 1, then C is 1; if T1 is more than or equal to tau 1 and less than or equal to tau 2, then
If T1 > τ 2, C ═ 0, where EstarAlarm data generation time, H, for the first alarm data of an alarm information groupstarIs the security event start time. τ 1 and τ 2 are preset thresholds, and in a preferred embodiment, τ 1 is 10min and τ 2 is 60 min.
After the correlation degree is calculated according to the above formula, it is determined whether the correlation degree Q exceeds a preset threshold H, if so, the security event is taken as a corresponding security event of the alarm data set, and the alarm data set is associated therewith, it should be noted that the preset threshold H may be set according to an actual situation.
For step S104, in a preferred embodiment, after determining the security event corresponding to the alarm data set, an early warning is performed, and the corresponding security event may be directly displayed in a form of text representation on the display device during the early warning.
By implementing the method, the corresponding security events can be automatically associated according to various collected alarm data and then the user is informed through early warning, so that the user can more intuitively know the corresponding security events when the alarm data is generated, and the user does not need to distinguish the security events according to massive alarm data.
On the basis of the above method item embodiments, the present invention correspondingly provides apparatus item embodiments;
as shown in fig. 2, an embodiment of the present invention provides a security event early warning apparatus based on alarm data analysis, including: the system comprises a data acquisition module, a data aggregation module, a security event correlation module and an early warning module;
the data acquisition module is used for acquiring alarm data of each safety device; wherein, the alarm data comprises alarm severity and destination IP;
the data aggregation module is used for aggregating all alarm data according to the alarm severity and the target IP to generate a plurality of alarm data groups; the alarm severity of the alarm data in the same group is the same as that of the father node corresponding to the target IP;
the safety event correlation module is used for calculating the correlation degree of each alarm data set and each safety event stored in a preset database and determining the safety event corresponding to each alarm data set according to the correlation degree;
and the early warning module is used for carrying out early warning on the safety events according to the safety events corresponding to each alarm data set.
In a preferred embodiment, the system further comprises a data screening module;
the data screening module is used for judging whether the collected alarm data contains repeated alarm data or not, if so, the repeated alarm data is removed, and a duplicate-removed alarm data set is obtained;
judging whether the security equipment indicated by the target IP of each alarm data has the same vulnerability number as the alarm data in the duplicate-removed alarm data set; if not, eliminating the alarm data.
In a preferred embodiment, the security event correlation module calculates a degree of correlation between each alarm data set and each security event stored in the preset database, and determines the security event corresponding to each alarm data set according to the degree of correlation, and specifically includes:
arranging all alarm data in the alarm data group according to the sequence of alarm generation time to generate a time-serialized alarm data group;
calculating the time correlation between the time-sequenced alarm data set and each safety event according to the alarm generation time of the first alarm data in the time-sequenced alarm data set and the starting time of each safety event;
calculating the node correlation of the time-serialized alarm data set and each safety event according to the target IP of each alarm data in the time-serialized alarm data set and the target IP of each safety event;
calculating the severity correlation between the time-serialized alarm data set and each safety event according to the alarm severity of the time-serialized alarm data set and the severity of each safety event;
and calculating the correlation degree of the time-serialized alarm data set and each safety event according to the time correlation, the node correlation and the severity correlation, and taking the safety event of which the correlation degree exceeds a preset threshold value as the safety event corresponding to the alarm data set.
It should be noted that the above-mentioned embodiment of the apparatus of the present invention corresponds to an embodiment of the method of the present invention, which can implement any one of the above-mentioned security event early warning methods based on alarm data analysis of the present invention, and furthermore, the above-mentioned embodiment of the apparatus is merely illustrative, where the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. In addition, in the drawings of the embodiment of the apparatus provided by the present invention, the connection relationship between the modules indicates that there is a communication connection between them, and may be specifically implemented as one or more communication buses or signal lines. One of ordinary skill in the art can understand and implement it without inventive effort.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention.
Claims (8)
1. A safety event early warning method based on alarm data analysis is characterized by comprising the following steps:
collecting alarm data of each safety device; wherein the alarm data comprises alarm severity and destination IP;
aggregating the alarm data according to the alarm severity and the target IP to generate a plurality of alarm data groups; the alarm severity of the alarm data in the same group is the same as that of the father node corresponding to the target IP;
calculating the correlation degree of each alarm data set and each safety event stored in a preset database, and determining the safety event corresponding to each alarm data set according to the correlation degree;
and carrying out safety event early warning according to the safety event corresponding to each alarm data set.
2. The alarm data analysis-based security event early warning method of claim 1, wherein the alarm data further comprises a security device identifier, an alarm generation time, an alarm type, a source IP, a source port, a destination port, and a vulnerability number.
3. The security event warning method based on alarm data analysis of claim 2, further comprising, after collecting alarm data of each security device:
judging whether the collected alarm data contains repeated alarm data or not, if so, rejecting the repeated alarm data to obtain a duplicate-removed alarm data set;
judging whether the security equipment indicated by the target IP of each alarm data in the duplicate-removed alarm data set has the same vulnerability number as the alarm data; if not, eliminating the alarm data.
4. The alarm data analysis-based security event early warning method according to claim 3, wherein the calculating of the correlation degree between each alarm data set and each security event stored in a preset database and the determining of the security event corresponding to each alarm data set according to the correlation degree specifically comprises:
arranging all alarm data in the alarm data group according to the sequence of alarm generation time to generate a time-serialized alarm data group;
calculating the time correlation between the time-sequenced alarm data set and each safety event according to the alarm generation time of the first alarm data in the time-sequenced alarm data set and the starting time of each safety event;
calculating the node correlation of the time-serialized alarm data set and each safety event according to the target IP of each alarm data in the time-serialized alarm data set and the target IP of each safety event;
calculating a severity correlation between the time-sequenced alarm data set and each of the security events according to the alarm severity of the time-sequenced alarm data set and the severity of the security event of each of the security events;
and calculating the correlation degree of the time-serialized alarm data set and each safety event according to the time correlation, the node correlation and the severity correlation, and taking the safety event of which the correlation degree exceeds a preset threshold value as the safety event corresponding to the alarm data set.
5. A safety event early warning device based on alarm data analysis is characterized by comprising: the system comprises a data acquisition module, a data aggregation module, a security event correlation module and an early warning module;
the data acquisition module is used for acquiring alarm data of each safety device; wherein the alarm data comprises alarm severity and destination IP;
the data aggregation module is used for aggregating the alarm data according to the alarm severity and the target IP to generate a plurality of alarm data groups; the alarm severity of the alarm data in the same group is the same as that of the father node corresponding to the target IP;
the safety event correlation module is used for calculating the correlation degree of each alarm data set and each safety event stored in a preset database, and determining the safety event corresponding to each alarm data set according to the correlation degree;
and the early warning module is used for carrying out early warning on the safety event according to the safety event corresponding to each alarm data set.
6. The alarm-data-analysis-based security-event-warning apparatus of claim 5, wherein the alarm data further comprises a security device identifier, an alarm generation time, an alarm type, a source IP, a source port, a destination port, and a vulnerability number.
7. The alarm-data-analysis-based security-event warning device of claim 6, further comprising a data screening module;
the data screening module is used for judging whether the collected alarm data contains repeated alarm data or not, if so, the repeated alarm data is removed, and a duplicate-removed alarm data set is obtained;
judging whether the security equipment indicated by the target IP of each alarm data in the duplicate-removed alarm data set has the same vulnerability number as the alarm data; if not, eliminating the alarm data.
8. The security event early warning device based on alarm data analysis of claim 7, wherein the security event correlation module calculates a degree of correlation between each alarm data set and each security event stored in a preset database, and determines the security event corresponding to each alarm data set according to the degree of correlation, specifically comprising:
arranging all alarm data in the alarm data group according to the sequence of alarm generation time to generate a time-serialized alarm data group;
calculating the time correlation between the time-sequenced alarm data set and each safety event according to the alarm generation time of the first alarm data in the time-sequenced alarm data set and the starting time of each safety event;
calculating the node correlation of the time-serialized alarm data set and each safety event according to the target IP of each alarm data in the time-serialized alarm data set and the target IP of each safety event;
calculating a severity correlation between the time-sequenced alarm data set and each of the security events according to the alarm severity of the time-sequenced alarm data set and the severity of the security event of each of the security events;
and calculating the correlation degree of the time-serialized alarm data set and each safety event according to the time correlation, the node correlation and the severity correlation, and taking the safety event of which the correlation degree exceeds a preset threshold value as the safety event corresponding to the alarm data set.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011542476.XA CN112671767B (en) | 2020-12-23 | 2020-12-23 | Security event early warning method and device based on alarm data analysis |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011542476.XA CN112671767B (en) | 2020-12-23 | 2020-12-23 | Security event early warning method and device based on alarm data analysis |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112671767A true CN112671767A (en) | 2021-04-16 |
| CN112671767B CN112671767B (en) | 2023-06-23 |
Family
ID=75409273
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011542476.XA Active CN112671767B (en) | 2020-12-23 | 2020-12-23 | Security event early warning method and device based on alarm data analysis |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112671767B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114978757A (en) * | 2022-06-23 | 2022-08-30 | 杭州安恒信息技术股份有限公司 | Alarm aggregation method and device, electronic equipment and storage medium |
| CN115174251A (en) * | 2022-07-19 | 2022-10-11 | 深信服科技股份有限公司 | False alarm identification method and device for safety alarm and storage medium |
| CN116232751A (en) * | 2023-03-16 | 2023-06-06 | 中国华能集团有限公司北京招标分公司 | Safety alarm analysis method |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103001811A (en) * | 2012-12-31 | 2013-03-27 | 北京启明星辰信息技术股份有限公司 | Method and device for fault locating |
| CN105471882A (en) * | 2015-12-08 | 2016-04-06 | 中国电子科技集团公司第三十研究所 | Behavior characteristics-based network attack detection method and device |
| CN105681286A (en) * | 2015-12-31 | 2016-06-15 | 中电长城网际系统应用有限公司 | Association analysis method and association analysis system |
| CN106375339A (en) * | 2016-10-08 | 2017-02-01 | 电子科技大学 | Attack mode detection method based on event slide window |
-
2020
- 2020-12-23 CN CN202011542476.XA patent/CN112671767B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103001811A (en) * | 2012-12-31 | 2013-03-27 | 北京启明星辰信息技术股份有限公司 | Method and device for fault locating |
| CN105471882A (en) * | 2015-12-08 | 2016-04-06 | 中国电子科技集团公司第三十研究所 | Behavior characteristics-based network attack detection method and device |
| CN105681286A (en) * | 2015-12-31 | 2016-06-15 | 中电长城网际系统应用有限公司 | Association analysis method and association analysis system |
| CN106375339A (en) * | 2016-10-08 | 2017-02-01 | 电子科技大学 | Attack mode detection method based on event slide window |
Non-Patent Citations (2)
| Title |
|---|
| ALI AHMADIAN RAMAKI等: "RTECA: Real time episode correlation algorithm for multi-step attack scenarios detection", 《COMPUTERS & SECURITY》 * |
| 李程雄: "基于告警流的安全事件挖掘引擎设计", 《电力信息与通信技术》 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114978757A (en) * | 2022-06-23 | 2022-08-30 | 杭州安恒信息技术股份有限公司 | Alarm aggregation method and device, electronic equipment and storage medium |
| CN115174251A (en) * | 2022-07-19 | 2022-10-11 | 深信服科技股份有限公司 | False alarm identification method and device for safety alarm and storage medium |
| CN115174251B (en) * | 2022-07-19 | 2023-09-05 | 深信服科技股份有限公司 | False alarm identification method and device for safety alarm and storage medium |
| CN116232751A (en) * | 2023-03-16 | 2023-06-06 | 中国华能集团有限公司北京招标分公司 | Safety alarm analysis method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112671767B (en) | 2023-06-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111475804B (en) | Alarm prediction method and system | |
| US10476749B2 (en) | Graph-based fusing of heterogeneous alerts | |
| CN107154950B (en) | Method and system for detecting log stream abnormity | |
| CN112671767B (en) | Security event early warning method and device based on alarm data analysis | |
| US8191149B2 (en) | System and method for predicting cyber threat | |
| JP6201614B2 (en) | Log analysis apparatus, method and program | |
| KR20070095718A (en) | System and method for detecting internet worm traffic by clustering traffic characterization classified by type | |
| CN108965340B (en) | Industrial control system intrusion detection method and system | |
| US10476752B2 (en) | Blue print graphs for fusing of heterogeneous alerts | |
| EP3488346B1 (en) | Anomaly detection using sequences of system calls | |
| CN101668012B (en) | Method and device for detecting security event | |
| CN110932901B (en) | Alarm level adjusting method and system | |
| CN111970229B (en) | CAN bus data anomaly detection method aiming at multiple attack modes | |
| CN113051573B (en) | Host safety real-time monitoring alarm system based on big data | |
| CN110598180A (en) | Event detection method, device and system based on statistical analysis | |
| CN111274218A (en) | Multi-source log data processing method for power information system | |
| KR101444250B1 (en) | System for monitoring access to personal information and method therefor | |
| CN110598959A (en) | Asset risk assessment method and device, electronic equipment and storage medium | |
| CN115396324A (en) | Network security situation perception early warning processing system | |
| RU180789U1 (en) | DEVICE OF INFORMATION SECURITY AUDIT IN AUTOMATED SYSTEMS | |
| CN117375985A (en) | Method and device for determining security risk index, storage medium and electronic device | |
| CN116647389A (en) | Network access security early warning system and method for industrial control system | |
| CN114584391B (en) | Method, device, equipment and storage medium for generating abnormal flow processing strategy | |
| CN115801307A (en) | Method and system for carrying out port scanning detection by using server log | |
| CN113032774B (en) | Training method, device and equipment of anomaly detection model and computer storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |