CN113672913A - Security event processing method and device and electronic equipment - Google Patents
- Publication number: CN113672913A (application CN202110958209.9A)
- Authority: CN (China)
- Prior art keywords: event, noise, security event, attribute field, security
- Legal status: Granted
Classifications
- G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action (G06F21/00 > G06F21/50 > G06F21/55)
- G06F21/577: Assessing vulnerabilities and evaluating computer system security (G06F21/00 > G06F21/50 > G06F21/57)
Abstract
The method determines the noise identifier of a security event from a rule scene library, extracts the attribute field information of the corresponding attribute field according to that noise identifier, and finally judges from the attribute field information whether the security event is a noise event; if it is, the noise event is discarded, so that system false alarms are reduced, system resources are saved, and the alarm accuracy of security events is improved.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for processing a security event, and an electronic device.
Background
With the development of digitization and the rapid iteration of information technology, emerging IT technologies such as cloud computing, big data, the Internet of Things and the mobile Internet bring new productivity to various industries, but also great complexity to enterprise network infrastructure. In particular, the rapid development of cloud computing has made enterprise IT assets grow geometrically; the more assets an enterprise has, the larger its attack surface, and the more security events and alarm events are generated.
Generally, many security events and alarm events are system false alarms. Take vulnerability scanning and network intrusion as an example: the vulnerability scan itself is scanning the server for vulnerabilities, but at the same time the scan is detected as abnormal behavior by an Intrusion Prevention System (IPS), and such security events or alarm events also cause system false alarms.
The large number of false alarms not only consumes a large amount of resources, but also reduces the alarm accuracy of security events.
Disclosure of Invention
The application provides a security event processing method and apparatus and an electronic device, which are used for screening noise events out of security events and avoiding alarms on those noise events, thereby reducing the false alarm probability of the system's security events and improving the alarm accuracy of security events.
In a first aspect, the present application provides a security event processing method, including:
when an attack identification of a first security event acquired from a security event set is consistent with a main rule identifier in a preset rule scene library, acquiring first attribute field information corresponding to the first security event;
screening out a first noise identifier from the noise rule identifier set corresponding to the main rule identifier;
screening out, from the security event set, a second security event whose attack identification is identical to the first noise identifier, and acquiring second attribute field information corresponding to the second security event;
determining whether the first attribute field information and the second attribute field information are consistent;
if they are consistent, taking the second security event as a noise event and discarding the noise event;
and if not, judging whether the second security event is to be taken as a noise event according to first parameter information of the first security event and second parameter information of the second security event.
By this method, the noise identifier of a security event is determined from the preset rule scene library, the attribute field information of the corresponding attribute field is extracted according to the noise identifier, whether the security event is a noise event is judged from that attribute field information, and a noise event is discarded, so that system false alarms are reduced, system resources are saved, and the alarm accuracy of security events is improved.
In one possible design, before obtaining the first attribute field information corresponding to the first security event, the method further includes:
determining, for each security event, the attack identification, the attribute field information and the corresponding noise identifier;
and storing the attribute field information corresponding to the attack identification, together with the corresponding noise identifier, in the preset rule scene library.
In one possible design, the obtaining first attribute field information corresponding to the first security event includes:
determining an event attribute field in the preset rule scene library;
and extracting first attribute field information corresponding to the event attribute field from the first security event.
In one possible design, the determining whether the second security event is the noise event according to the first parameter information of the first security event and the second parameter information of the second security event includes:
extracting first execution operation information from the first security event, wherein the first execution operation information represents an operation executed by the first security event;
extracting second execution operation information from the second security event, wherein the second execution operation information represents an operation executed by the second security event;
and judging whether the second security event is to be taken as the noise event according to the first execution operation information and the second execution operation information.
In one possible design, the determining whether the second security event is the noise event according to the first execution operation information and the second execution operation information includes:
calculating, through a hash algorithm, a first hash value corresponding to the first execution operation information and a second hash value corresponding to the second execution operation information;
calculating the Hamming distance between the first hash value and the second hash value;
judging whether the Hamming distance is smaller than a preset threshold value;
if so, taking the second security event as the noise event;
if not, retaining and outputting the second security event.
By this method, the similarity of the behavior actions of the first security event and the second security event is determined by the algorithm, and whether the second event is a noise event is decided from that similarity, so that noise events are identified more accurately, the data volume of noise events is reduced, the resource consumption and waste of the system are reduced, and the alarm accuracy of security events is improved.
In a second aspect, the present application provides a security event processing apparatus, the apparatus comprising:
an acquisition unit, a screening unit and a processing unit, wherein the acquisition unit is used for acquiring first attribute field information corresponding to a first security event when an attack identification of the first security event acquired from a security event set is consistent with a main rule identifier in a preset rule scene library;
the screening unit is used for screening out a first noise identifier from the noise rule identifier set corresponding to the main rule identifier, screening out, from the security event set, a second security event whose attack identification is identical to the first noise identifier, and acquiring second attribute field information corresponding to the second security event;
the processing unit is used for judging whether the first attribute field information is consistent with the second attribute field information; if they are consistent, taking the second security event as a noise event and discarding the noise event; and if not, judging whether the second security event is to be taken as the noise event according to first parameter information of the first security event and second parameter information of the second security event.
In a possible design, the processing unit is further configured to determine, for each security event, the attack identification, the attribute field information and the corresponding noise identifier, and to store the attribute field information corresponding to the attack identification, together with the corresponding noise identifier, in the preset rule scene library.
In one possible design, the processing unit, when determining whether the second security event is the noise event, is specifically configured to: extract first execution operation information from the first security event, wherein the first execution operation information represents an operation executed by the first security event; extract second execution operation information from the second security event, wherein the second execution operation information represents an operation executed by the second security event; and judge whether the second security event is to be taken as the noise event according to the first execution operation information and the second execution operation information.
In a third aspect, the present application provides an electronic device, comprising:
a memory for storing a computer program;
and a processor for implementing the steps of the security event processing method when executing the computer program stored in the memory.
In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the above security event processing method.
For the second to fourth aspects and the possible technical effects of each aspect, refer to the above description of the first aspect and of the possible technical effects of its possible solutions; they are not repeated here.
Drawings
Fig. 1 is a flowchart of a security event processing method provided in the present application;
FIG. 2 is a schematic diagram of a mutual exclusion rule scenario library according to the present application;
fig. 3 is a schematic structural diagram of a security event processing apparatus provided in the present application;
fig. 4 is a schematic structural diagram of an electronic device provided in the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is further described in detail below with reference to the accompanying drawings. The particular operations in the method embodiments may also be applied to the apparatus or system embodiments. It should be noted that "a plurality" is understood as "at least two" in the description of the present application. "And/or" describes an association relationship between the associated objects and covers three cases; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. "A is connected with B" may mean that A and B are directly connected, or that A and B are connected through C. In addition, in the description of the present application, the terms "first", "second" and the like are used for descriptive purposes only and are not intended to indicate or imply relative importance or order.
At present, with network security receiving increasing attention, when data acquisition is completed and security events are output through attack identification rules, it can happen that security event A and security event B are output at the same time because of the attack identification rules, while in fact only security event A or security event B should be output. Vulnerability scanning and network intrusion are an example: the vulnerability scan is scanning a server for vulnerabilities, but the scan is detected as abnormal behavior by an IPS. That is, security event A and security event B are mutually exclusive events. If both are output at the same time, a false alarm of the security event results, which wastes system resources and also reduces the alarm accuracy of security events.
In order to solve the above problems, the present application provides a security event processing method, which is used to screen noise events out of security events and avoid alarming on them, thereby reducing the false alarm probability of the system's security events and improving the alarm accuracy of security events. The method and the apparatus in the embodiments of the application are based on the same technical concept, and because the principles of the problems they solve are similar, the apparatus and method embodiments may be referred to each other, and repeated parts are not described again.
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a security event processing method according to an embodiment of the present application, where the method includes:
S10, when the attack identification of the first security event acquired from the security event set is consistent with the main rule identifier in the preset rule scene library, acquiring first attribute field information corresponding to the first security event;
before step S10 is executed, to avoid the influence of the mutual exclusion event on the security event alarm, in the embodiment of the present application, a preset rule scenario library, that is, the mutual exclusion rule scenario library shown in fig. 2 is created, where the mutual exclusion rule scenario library shown in fig. 2 includes a main rule ID, a security event attribute field, and a noise rule ID.
The main rule ID represents the identification of the security event, so that the mutual exclusion rule scene library comprises the identification corresponding to various security events.
The security event attribute field represents the various attribute fields included in a security event, such as SIP and DIP, where SIP represents the source IP address and DIP represents the destination IP address. Of course, in this embodiment of the present application, the attribute field may also be the security event type event_type or the protocol type protocol; other attribute fields are not listed here.
The noise rule ID represents a noise event identifier, and when a noise event is a mutually exclusive event of a security event, one or more noise events may be associated with the security event, so that one security event may correspond to one or more noise events. In fig. 2, one master rule ID corresponds to a plurality of noise rule IDs.
In the embodiment of the present application, the scene examples in the preset rule scene library are as follows:
{'main_ruleid':11005,'field':'sip,dip,log_type','noise_ruleid':'10001,11006,10002'}
Based on the preset rule scene library, the system first extracts an attack identification from a security event. In the embodiment of the application, an example of a security event is as follows:
{"rule_id": 11005, "event_type": "network intrusion", "sip": "172.16.33.2", "dip": "172.16.33.23", "sport": 5599, "dport": 6666, "protocol": "https", "result": 1, "occurrent": 5, "action": "uninstant"}
After the system acquires the attack identification of the first security event in the security event set, the attack identification is matched against the main rule identifiers in the preset rule scene library to determine whether a main rule identifier consistent with the attack identification exists.
In addition, when a main rule identifier consistent with the attack identification exists in the preset rule scene library, the security event attribute field corresponding to the main rule identifier is determined according to the correspondence between the main rule identifier and the security event attribute field. In fig. 2, the security event attribute field corresponding to the main rule ID "11005" is "SIP, DIP", and the values of these attribute fields are extracted from the first security event. The extracted values are taken as the first attribute field information. For example, if SIP is 2.2.2.2 and DIP is 3.3.3.3, the first attribute field information is (SIP='2.2.2.2', DIP='3.3.3.3').
S11, screening out a first noise identifier in the noise rule identifier set corresponding to the main rule identifier;
If a main rule identifier consistent with the attack identification exists, the noise rule identifier set corresponding to that main rule identifier is determined. In fig. 2, each main rule identifier corresponds to a noise rule identifier set; for example, the main rule ID "11005" corresponds to the noise rule ID set "10001, 10002, 10003". The first noise identifier is then screened out of the noise rule ID set, that is, 10001 is selected from "10001, 10002, 10003".
S12, screening out a second security event with the attack identification identical to the first noise identification in the security event set, and acquiring second attribute field information corresponding to the second security event;
After the first noise identifier corresponding to the attack identification is determined in the preset rule scene library, the security event set is matched against the first noise identifier: the events whose attack identification is consistent with the first noise identifier are screened out, and the second security event corresponding to that attack identification is determined.
After the second security event is determined, the values of the security event attribute field determined in step S10 are extracted from the second security event. For example, if the security event attribute field is SIP and DIP, and SIP is 2.2.2.2 and DIP is 3.3.3.3, the second attribute field information is (SIP='2.2.2.2', DIP='3.3.3.3').
S13, judging whether the first attribute field information is consistent with the second attribute field information;
After the first attribute field information of the first security event and the second attribute field information of the second security event are obtained, the two are matched, where matching means determining whether the first attribute field information and the second attribute field information are completely consistent.
If the first attribute field information is not consistent with the second attribute field information, step S15 is executed, and if the first attribute field information is consistent with the second attribute field information, step S14 is executed.
S14, taking the second security event as a noise event and discarding the noise event;
When the first attribute field information is consistent with the second attribute field information, the second security event is a mutually exclusive event of the first security event, so it does not need to be alarmed as a real security event; the second security event is therefore regarded as a noise event, and the noise event is discarded.
By this method, the noise identifier of a security event is determined from the preset rule scene library, the attribute field information of the corresponding attribute field is extracted according to the noise identifier, whether the security event is a noise event is judged from that attribute field information, and a noise event is discarded, so that system false alarms are reduced, system resources are saved, and the alarm accuracy of security events is improved.
S15, determining whether the second security event is a noise event according to the first parameter information of the first security event and the second parameter information of the second security event.
Specifically, when the first attribute field information does not coincide with the second attribute field information, it is necessary to further confirm whether the second security event is a security event that attacks the system directly or one that attacks it indirectly; therefore, in the embodiment of the present application, whether the second security event is a noise event is determined from the behavior actions of the security events.
Firstly, source and destination information of a first security event is extracted, and source and destination information of a second security event is extracted, wherein the source and destination information refers to the source information and the destination information of the security events, such as SIP and DIP, the SIP is used as the source information, and the DIP is used as the destination information.
First execution operation information can be extracted from a threat precondition behavior set according to the source and destination information of the first security event. It should be explained that the threat precondition behavior set is obtained from behavior information collected in real time about changes in the terminal environment; the threat precondition behavior set includes the time of the IP information, the hash of the terminal device, the behavior action, and environment perception information. A specific example is as follows:
{'ip': '2.2.2.2', 'dev_hash': 'AAAA-AAAA-AAAA-AAAD', 'action': 'C:\windows\system32\laser
In this example, ip represents the source information and "action" represents the specific action.
Therefore, after the source and destination information of the first security event is determined, the corresponding first execution operation information can be extracted from the threat precondition behavior set according to that source and destination information. Similarly, the second execution operation information corresponding to the second security event can be obtained, and whether the second security event is to be taken as a noise event can be judged from the first execution operation information and the second execution operation information.
Further, in the embodiment of the present application, in order to improve the accuracy of determining a noise event, after first execution operation information and second execution operation information are obtained, a first hash value corresponding to the first execution operation information and a second hash value corresponding to the second execution operation information are calculated by using a hash algorithm.
Specifically, in the embodiment of the present application, a Simhash algorithm is used to compute Simhash signatures of the first execution operation information and the second execution operation information, the Hamming distance between the two signatures is obtained, and it is determined whether the Hamming distance is below a preset threshold. If the Hamming distance is smaller than the preset threshold, the second security event is taken as a noise event and the noise event is discarded. If the Hamming distance is greater than the threshold, the second security event is retained and output.
By this method, the similarity of the behavior actions of the first security event and the second security event is determined by the algorithm, and whether the second event is a noise event is decided from that similarity, so that noise events are identified more accurately, the data volume of noise events is reduced, the resource consumption and waste of the system are reduced, and the alarm accuracy of security events is improved.
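The following is an added worked example of steps S10 to S15 (it also covers the method steps listed under the first aspect above); it is illustrative code written for this page, not code from the patent. The rule scene library entry, the security events, the threat precondition behavior set, the use of the source IP as the lookup key into that set, and the Simhash threshold of 3 are all constructed assumptions.

```python
"""Noise-event screening in the style of CN113672913A, steps S10 to S15.

All data below is constructed for illustration: the rule scene library entry,
the security events, the threat precondition behavior set and the threshold.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Preset rule scene library (layout of fig. 2): a main rule ID, the attribute
# fields to compare, and the noise rule IDs that are mutually exclusive with it.
RULE_SCENE_LIBRARY = [
    {"main_ruleid": 11005, "field": "sip,dip", "noise_ruleid": "10001,10002"},
]

# Threat precondition behavior set, keyed by source IP as in the page's
# example record (constructed values; the actions are ordinary admin tools).
THREAT_PRECONDITION_BEHAVIORS = {
    "2.2.2.2": {"dev_hash": "AAAA-AAAA-AAAA-AAAD",
                "action": r"scanner.exe --target 3.3.3.3 --profile full"},
    "4.4.4.4": {"dev_hash": "BBBB-BBBB-BBBB-BBBE",
                "action": r"robocopy D:\data E:\archive /MIR"},
}

HAMMING_THRESHOLD = 3  # assumed preset threshold for 64-bit Simhash signatures


def simhash(text: str, bits: int = 64) -> int:
    """64-bit Simhash over word tokens: every token votes +1/-1 on each bit."""
    votes = [0] * bits
    for token in re.findall(r"\w+", text.lower()):
        digest = hashlib.blake2b(token.encode(), digest_size=bits // 8).digest()
        h = int.from_bytes(digest, "big")
        for i in range(bits):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(bits) if votes[i] > 0)


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two signatures."""
    return bin(a ^ b).count("1")


def attribute_info(event: Dict, fields: List[str]) -> Tuple:
    """S10/S12: pull the library's attribute fields out of an event."""
    return tuple(event.get(f) for f in fields)


def behavior_similar(first: Dict, second: Dict) -> bool:
    """S15: compare the behavior actions behind two events via Simhash."""
    a = THREAT_PRECONDITION_BEHAVIORS.get(first["sip"])
    b = THREAT_PRECONDITION_BEHAVIORS.get(second["sip"])
    if a is None or b is None:
        return False  # no behavior evidence: keep the alert rather than drop it
    d = hamming_distance(simhash(a["action"]), simhash(b["action"]))
    return d < HAMMING_THRESHOLD


def screen_noise_events(events: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Return (retained_events, discarded_noise_events)."""
    noise_event_ids = set()
    for first in events:
        for scene in RULE_SCENE_LIBRARY:
            if first["rule_id"] != scene["main_ruleid"]:
                continue  # S10: attack identification must equal a main rule ID
            fields = scene["field"].split(",")
            first_info = attribute_info(first, fields)
            noise_rule_ids = {int(x) for x in scene["noise_ruleid"].split(",")}
            for second in events:
                if second["rule_id"] not in noise_rule_ids:  # S11/S12
                    continue
                if attribute_info(second, fields) == first_info:  # S13/S14
                    noise_event_ids.add(second["event_id"])
                elif behavior_similar(first, second):  # S15
                    noise_event_ids.add(second["event_id"])
    retained = [e for e in events if e["event_id"] not in noise_event_ids]
    discarded = [e for e in events if e["event_id"] in noise_event_ids]
    return retained, discarded


# Constructed security event set: one intrusion alert and three scan alerts.
SAMPLE_EVENTS = [
    {"event_id": 1, "rule_id": 11005, "event_type": "network intrusion",
     "sip": "2.2.2.2", "dip": "3.3.3.3"},
    {"event_id": 2, "rule_id": 10001, "event_type": "vulnerability scan",
     "sip": "2.2.2.2", "dip": "3.3.3.3"},  # same SIP/DIP: noise at S14
    {"event_id": 3, "rule_id": 10002, "event_type": "vulnerability scan",
     "sip": "2.2.2.2", "dip": "5.5.5.5"},  # DIP differs, same behavior: noise at S15
    {"event_id": 4, "rule_id": 10001, "event_type": "vulnerability scan",
     "sip": "4.4.4.4", "dip": "3.3.3.3"},  # unrelated behavior: retained
]

if __name__ == "__main__":
    kept, noise = screen_noise_events(SAMPLE_EVENTS)
    print("retained:", [e["event_id"] for e in kept])
    print("noise   :", [e["event_id"] for e in noise])
```

Event 4 survives because its source has no behavior in common with the intrusion source, so the Simhash signatures differ in far more than 3 bits; an event whose source IP has no entry in the behavior set is also retained, since there is no evidence on which to drop it.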
Based on the same inventive concept, the application also provides a security event processing apparatus, which is used to screen noise events out of security events and avoid alarming on them, so that the false alarm probability of the system's security events is reduced and the alarm accuracy of security events is improved. Referring to fig. 3, the apparatus includes:
an acquisition unit 301, configured to acquire first attribute field information corresponding to a first security event when an attack identification of the first security event acquired from a security event set is consistent with a main rule identifier in a preset rule scene library;
a screening unit 302, configured to screen out a first noise identifier from the noise rule identifier set corresponding to the main rule identifier, screen out, from the security event set, a second security event whose attack identification is identical to the first noise identifier, and acquire second attribute field information corresponding to the second security event;
a processing unit 303, configured to determine whether the first attribute field information and the second attribute field information are consistent; if they are consistent, take the second security event as a noise event and discard the noise event; and if not, judge whether the second security event is to be taken as the noise event according to first parameter information of the first security event and second parameter information of the second security event.
By this apparatus, the noise identifier of a security event is determined from the preset rule scene library, the attribute field information of the corresponding attribute field is extracted according to the noise identifier, whether the security event is a noise event is judged from that attribute field information, and a noise event is discarded, so that system false alarms are reduced, system resources are saved, and the alarm accuracy of security events is improved.
In a possible design, the processing unit 303 is further configured to determine, for each security event, the attack identification, the attribute field information and the corresponding noise identifier, and to store the attribute field information corresponding to the attack identification, together with the corresponding noise identifier, in the preset rule scene library.
In one possible design, the processing unit 303, when determining whether the second security event is the noise event, is specifically configured to: extract first execution operation information from the first security event, wherein the first execution operation information represents an operation executed by the first security event; extract second execution operation information from the second security event, wherein the second execution operation information represents an operation executed by the second security event; and judge whether the second security event is to be taken as the noise event according to the first execution operation information and the second execution operation information.
Based on the same inventive concept, an embodiment of the present application further provides an electronic device, where the electronic device may implement the function of the foregoing security event processing apparatus, and with reference to fig. 4, the electronic device includes:
at least one processor 401 and a memory 402 connected to the at least one processor 401. The specific connection medium between the processor 401 and the memory 402 is not limited in this embodiment of the application; fig. 4 illustrates an example in which the processor 401 and the memory 402 are connected by a bus 400. The bus 400 is shown in fig. 4 by a thick line, and the connection manner between other components is merely illustrative and not limiting. The bus 400 may be divided into an address bus, a data bus, a control bus and so on; it is shown with only one thick line in fig. 4 for ease of illustration, but this does not mean there is only one bus or one type of bus. Alternatively, the processor 401 may also be referred to as a controller; the name is not limited.
In the embodiment of the present application, the memory 402 stores instructions executable by the at least one processor 401, and the at least one processor 401 may execute the security event processing method discussed above by executing the instructions stored in the memory 402. The processor 401 may implement the functions of the various modules in the apparatus shown in fig. 4.
The processor 401 is a control center of the apparatus, and may connect various parts of the entire control device by using various interfaces and lines, and perform various functions and process data of the apparatus by operating or executing instructions stored in the memory 402 and calling data stored in the memory 402, thereby performing overall monitoring of the apparatus.
In one possible design, processor 401 may include one or more processing units and processor 401 may integrate an application processor that handles primarily operating systems, user interfaces, application programs, and the like, and a modem processor that handles primarily wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 401. In some embodiments, processor 401 and memory 402 may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 401 may be a general-purpose processor, such as a Central Processing Unit (CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like, that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the security event processing method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
By programming the processor 401, the code corresponding to the security event processing method described in the foregoing embodiment may be burned into the chip, so that the chip can execute the steps of the security event processing method of the embodiment shown in fig. 3 when running. How to program the processor 401 is well known to those skilled in the art and will not be described in detail herein.
Based on the same inventive concept, the present application also provides a storage medium storing computer instructions, which when executed on a computer, cause the computer to perform the security event processing method discussed above.
In some possible embodiments, the aspects of the security event processing method provided by the present application may also be implemented in the form of a program product comprising program code for causing the control device to perform the steps of the security event processing method according to various exemplary embodiments of the present application described above in this specification when the program product is run on an apparatus.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
Claims (10)
1. A method for security event processing, the method comprising:
when an attack identification mark of a first security event acquired in a security event set is consistent with a main rule identification in a preset rule scene library, acquiring first attribute field information corresponding to the first security event;
screening out a first noise identifier in a noise rule identifier set corresponding to the main rule identifier;
screening out, in the security event set, a second security event whose attack identification mark is identical to the first noise identifier, and acquiring second attribute field information corresponding to the second security event;
determining whether the first attribute field information and the second attribute field information are consistent;
if the first attribute field information is consistent with the second attribute field information, taking the second security event as a noise event and discarding the noise event;
and if not, judging, according to first parameter information of the first security event and second parameter information of the second security event, whether the second security event is taken as the noise event.
2. The method of claim 1, wherein prior to obtaining the first attribute field information corresponding to the first security event, the method further comprises:
determining, for each security event, the attack identification mark, the corresponding attribute field information and the corresponding noise identifier;
and storing the attribute field information corresponding to the attack identification mark and the corresponding noise identifier into the preset rule scene library.
3. The method of claim 1, wherein the obtaining of the first attribute field information corresponding to the first security event comprises:
determining an event attribute field in the preset rule scene library;
and extracting first attribute field information corresponding to the event attribute field from the first security event.
4. The method of claim 1, wherein said determining whether the second security event is the noise event based on the first parameter information of the first security event and the second parameter information of the second security event comprises:
extracting first execution operation information from the first security event, wherein the first execution operation information represents an operation executed by the first security event;
extracting second execution operation information from the second security event, wherein the second execution operation information represents an operation executed by the second security event;
and judging, according to the first execution operation information and the second execution operation information, whether the second security event is taken as the noise event.
5. The method of claim 4, wherein said determining whether the second security event is the noise event based on the first execution operation information and the second execution operation information comprises:
calculating a first hash value corresponding to the first execution operation information and calculating a second hash value corresponding to the second execution operation information through a hash algorithm;
calculating a hamming distance between the first hash value and the second hash value;
judging whether the hamming distance is smaller than a preset threshold value;
if so, taking the second security event as the noise event;
if not, retaining and outputting the second security event.
6. A security event processing apparatus, the apparatus comprising:
an acquisition unit, configured to acquire first attribute field information corresponding to a first security event when an attack identification mark of the first security event acquired in a security event set is consistent with a main rule identifier in a preset rule scene library;
a screening unit, configured to screen out a first noise identifier in the noise rule identifier set corresponding to the main rule identifier, screen out, in the security event set, a second security event whose attack identification mark is identical to the first noise identifier, and acquire second attribute field information corresponding to the second security event;
a processing unit, configured to judge whether the first attribute field information is consistent with the second attribute field information; if they are consistent, take the second security event as a noise event and discard the noise event; and if not, judge, according to first parameter information of the first security event and second parameter information of the second security event, whether the second security event is taken as the noise event.
7. The apparatus of claim 6, wherein the processing unit is further configured to determine, for each security event, the attack identification mark, the corresponding attribute field information and the corresponding noise identifier, and to store the attribute field information corresponding to the attack identification mark and the corresponding noise identifier into the preset rule scene library.
8. The apparatus of claim 6, wherein, when determining whether the second security event is the noise event, the processing unit is specifically configured to: extract first execution operation information from the first security event, where the first execution operation information represents an operation executed by the first security event; extract second execution operation information from the second security event, where the second execution operation information represents an operation executed by the second security event; and judge, according to the first execution operation information and the second execution operation information, whether the second security event is taken as the noise event.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the method steps of any one of claims 1-5 when executing the computer program stored on the memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1-5.
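The following is an added worked example, not code from the patent or its applicant, that implements the screening procedure of claims 1-5 (and the processing-unit behaviour described above) over a constructed event set. Everything concrete in it is an assumption: the rule and alert names, the attribute fields `src_ip`/`dst_ip`, the threshold of 3 bits, and the choice of simhash as the "hash algorithm" of claim 5. That last choice matters for a practitioner: a Hamming distance between two SHA-256 digests of whole strings says nothing about how similar the inputs are, so the distance test in claim 5 only works with a similarity-preserving hash such as simhash.

```python
"""Noise-event screening in the manner of claims 1-5 (added example, not the patent's code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SecurityEvent:
    event_id: str
    attack_id: str          # the event's "attack identification mark"
    fields: Dict[str, str]  # attribute fields the rule library may compare on
    operation: str          # "execution operation information" (command, request, ...)


# Constructed rule scene library (claims 2 and 7): a main rule identifier maps to the
# event attribute fields to compare (claim 3) and to its noise rule identifier set.
# Rule and alert names are made up for this example.
RULE_SCENE_LIBRARY = {
    "RULE_WEBSHELL_UPLOAD": {
        "attribute_fields": ("src_ip", "dst_ip"),
        "noise_ids": {"ALERT_SUSPICIOUS_FILE_WRITE", "ALERT_HTTP_POST_ANOMALY"},
    },
}


def simhash64(text: str) -> int:
    """Locality-sensitive 64-bit simhash over whitespace-separated tokens.

    Assumption: the claims say only "hash algorithm"; simhash is used because a
    Hamming distance is meaningful only for a similarity-preserving hash.
    """
    weights = [0] * 64
    for token in text.split():
        h = int.from_bytes(hashlib.sha256(token.encode()).digest()[:8], "big")
        for bit in range(64):
            weights[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(64) if weights[bit] > 0)


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two hash values (claim 5)."""
    return bin(a ^ b).count("1")


def attribute_values(event: SecurityEvent, names: Tuple[str, ...]) -> Tuple[str, ...]:
    """Claim 3: extract only the attribute fields named in the rule library."""
    return tuple(event.fields.get(n, "") for n in names)


def screen_noise(events: List[SecurityEvent], library=RULE_SCENE_LIBRARY,
                 threshold: int = 3) -> Tuple[List[SecurityEvent], List[SecurityEvent]]:
    """Return (retained events, events discarded as noise), preserving input order."""
    noise_ids = set()
    for first in events:
        rule = library.get(first.attack_id)            # claim 1: attack id == main rule id
        if rule is None:
            continue
        first_fields = attribute_values(first, rule["attribute_fields"])
        first_hash = simhash64(first.operation)
        for second in events:
            if second is first or second.attack_id not in rule["noise_ids"]:
                continue                                # claim 1: attack id must equal a noise id
            second_fields = attribute_values(second, rule["attribute_fields"])
            if first_fields == second_fields:           # claim 1: attribute fields consistent
                noise_ids.add(second.event_id)
                continue
            # claims 4-5: otherwise compare execution operation information by hash distance
            if hamming_distance(first_hash, simhash64(second.operation)) < threshold:
                noise_ids.add(second.event_id)
    retained = [e for e in events if e.event_id not in noise_ids]
    noise = [e for e in events if e.event_id in noise_ids]
    return retained, noise


# Constructed sample security event set (addresses are documentation ranges).
SAMPLE_EVENTS = [
    SecurityEvent("E1", "RULE_WEBSHELL_UPLOAD",
                  {"src_ip": "203.0.113.7", "dst_ip": "192.0.2.10"},
                  "POST /upload.php filename=shell.php"),
    SecurityEvent("E2", "ALERT_SUSPICIOUS_FILE_WRITE",       # same fields as E1 -> noise
                  {"src_ip": "203.0.113.7", "dst_ip": "192.0.2.10"},
                  "write /var/www/html/shell.php"),
    SecurityEvent("E3", "ALERT_HTTP_POST_ANOMALY",            # fields differ, same operation -> noise
                  {"src_ip": "203.0.113.8", "dst_ip": "192.0.2.10"},
                  "POST /upload.php filename=shell.php"),
    SecurityEvent("E4", "ALERT_HTTP_POST_ANOMALY",            # fields differ, unrelated operation -> kept
                  {"src_ip": "198.51.100.4", "dst_ip": "192.0.2.11"},
                  "GET /login?user=admin"),
    SecurityEvent("E5", "ALERT_PORT_SCAN",                    # not in the noise id set -> kept
                  {"src_ip": "203.0.113.7", "dst_ip": "192.0.2.10"},
                  "SYN 192.0.2.10:1-1024"),
]

if __name__ == "__main__":
    kept, dropped = screen_noise(SAMPLE_EVENTS)
    print("retained:", [e.event_id for e in kept])
    print("noise:", [e.event_id for e in dropped])
```

Two points worth checking before adopting this shape in a real pipeline: the attribute-field branch of claim 1 discards the second event without looking at its operation at all, so the field list in the rule library decides how aggressive the suppression is; and the threshold of claim 5 is a tuning knob on the simhash width, so it should be validated against a labelled sample of alerts rather than set once.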
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110958209.9A CN113672913B (en) | 2021-08-20 | 2021-08-20 | Security event processing method and device and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113672913A (en) | 2021-11-19 |
CN113672913B CN113672913B (en) | 2024-06-28 |
Family
ID=78544155
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110958209.9A Active CN113672913B (en) | 2021-08-20 | 2021-08-20 | Security event processing method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113672913B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105376193A (en) * | 2014-08-15 | 2016-03-02 | 中国电信股份有限公司 | Intelligent association analysis method and intelligent association analysis device for security events |
CN106326388A (en) * | 2016-08-17 | 2017-01-11 | 乐视控股(北京)有限公司 | Method and device for processing information |
KR20180080449A (en) * | 2017-01-04 | 2018-07-12 | 한국전자통신연구원 | Method and apparatus for recognizing cyber threats using correlational analytics |
CN109617885A (en) * | 2018-12-20 | 2019-04-12 | 北京神州绿盟信息安全科技股份有限公司 | Capture host automatic judging method, device, electronic equipment and storage medium |
US20200314117A1 (en) * | 2019-03-28 | 2020-10-01 | Crowdstrike, Inc. | Computer-Security Event Clustering and Violation Detection |
CN112637194A (en) * | 2020-12-18 | 2021-04-09 | 北京天融信网络安全技术有限公司 | Security event detection method and device, electronic equipment and storage medium |
CN112769612A (en) * | 2020-12-30 | 2021-05-07 | 北京天融信网络安全技术有限公司 | Alarm event false alarm removing method and device |
Non-Patent Citations (2)
Title |
---|
李炜键;金倩倩;郭靓;: "基于威胁情报共享的安全态势感知和入侵意图识别技术研究", 《计算机与现代化》, no. 3, 15 March 2017 (2017-03-15) * |
李阳: "网络安全事件关联规则自动生成技术的研究与实现", 《中国优秀硕士学位论文全文库》, 15 March 2012 (2012-03-15) * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114301567A (en) * | 2021-12-28 | 2022-04-08 | 绿盟科技集团股份有限公司 | Communication method and device based on artificial noise |
CN114301567B (en) * | 2021-12-28 | 2023-07-28 | 绿盟科技集团股份有限公司 | Communication method and device based on artificial noise |
CN114826727A (en) * | 2022-04-22 | 2022-07-29 | 南方电网数字电网研究院有限公司 | Flow data acquisition method and device, computer equipment and storage medium |
CN114826727B (en) * | 2022-04-22 | 2024-05-07 | 南方电网数字电网研究院有限公司 | Flow data acquisition method, device, computer equipment and storage medium |
CN115174201A (en) * | 2022-06-30 | 2022-10-11 | 北京安博通科技股份有限公司 | Security rule management method and device based on screening label |
CN115174201B (en) * | 2022-06-30 | 2023-08-01 | 北京安博通科技股份有限公司 | Security rule management method and device based on screening tag |
Also Published As
Publication number | Publication date |
---|---|
CN113672913B (en) | 2024-06-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113672913B (en) | Security event processing method and device and electronic equipment | |
CN108881294B (en) | Attack source IP portrait generation method and device based on network attack behaviors | |
US11451566B2 (en) | Network traffic anomaly detection method and apparatus | |
CN109299135B (en) | Abnormal query recognition method, recognition equipment and medium based on recognition model | |
CN111813845B (en) | Incremental data extraction method, device, equipment and medium based on ETL task | |
CN110647750B (en) | File integrity measurement method and device, terminal and security management center | |
CN112995236B (en) | Internet of things equipment safety management and control method, device and system | |
EP3742322A1 (en) | Operational policies or industrial field devices and distributed databases | |
CN113987492A (en) | Method and device for determining alarm event | |
CN112632564B (en) | Threat assessment method and device | |
CN112134906B (en) | Network flow sensitive data identification and dynamic management and control method | |
Ebrahimi et al. | Automatic attack scenario discovering based on a new alert correlation method | |
CN112866300A (en) | Block chain big data safety protection method and system based on artificial intelligence | |
CN114760113B (en) | Abnormality alarm detection method and device, electronic equipment and storage medium | |
CN114584391B (en) | Method, device, equipment and storage medium for generating abnormal flow processing strategy | |
CN111064730A (en) | Network security detection method, device, equipment and storage medium | |
CN114567482A (en) | Alarm classification method and device, electronic equipment and storage medium | |
CN113709153A (en) | Log merging method and device and electronic equipment | |
CN115001774A (en) | Method, device and equipment for analyzing association of alarm event | |
CN112511568A (en) | Correlation analysis method, device and storage medium for network security event | |
CN113194075B (en) | Access request processing method, device, equipment and storage medium | |
CN111353155B (en) | Detection method, device, equipment and medium for process injection | |
CN118487872B (en) | Nuclear power industry-oriented network abnormal behavior detection and analysis method | |
CN114338145B (en) | Safety protection method and device and electronic equipment | |
CN118250093B (en) | Transverse threat perception method, device, equipment, medium and product |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||