CN113783891A - Event identification method and device - Google Patents

Info

Publication number: CN113783891A
Application number: CN202111129182.9A
Authority: CN (China)
Prior art keywords: event, identified, false alarm, events, historical
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN113783891B (en)
Inventors: 赵志伟, 顾涛
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Priority: CN202111129182.9A
Publication: CN113783891A; application granted and published as CN113783891B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The embodiment of the invention provides an event identification method and device, applied in the technical field of data processing. The method comprises the following steps: acquiring an event to be identified that occurred within a preset time period, where the event to be identified consists of security events that have the same destination address, whose source addresses belong to a preset intranet segment, and that belong to the same event type; determining a first number of distinct source addresses corresponding to the event to be identified and a second number of distinct C-segment network segments to which those source addresses belong; and identifying whether the event to be identified is a false alarm event based on the magnitude relation between the second number and the first number. By applying the scheme provided by the embodiment of the invention, the efficiency of event identification can be improved.

Description

Event identification method and device
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to an event identification method and apparatus.
Background
During the operation of a network, many network-security-related events can occur. An event may be a dangerous event that actually affects network security, such as a botnet attack or a trojan attack, or it may be a false alarm event that does not affect network security. The network administrator can examine each event individually, separate the dangerous events from the false alarm events, and carry out subsequent processing such as virus removal and fault remediation on the dangerous events, thereby ensuring network security.
However, when the number of events occurring in the network is large, the network administrator needs to identify each event in sequence, and it takes a long time to identify a dangerous event, which results in low efficiency of event identification.
Disclosure of Invention
The embodiment of the invention aims to provide an event identification method and device so as to improve the efficiency of event identification. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides an event identification method, where the method includes:
acquiring an event to be identified occurring in a preset time period, wherein the event to be identified consists of security events that have the same destination address, whose source addresses belong to a preset intranet segment, and that belong to the same event type;
determining a first number of different source addresses corresponding to the event to be identified and a second number of different C-segment network segments to which the source addresses corresponding to the event to be identified belong;
and identifying whether the event to be identified is a false alarm event or not based on the magnitude relation between the second quantity and the first quantity.
In an embodiment of the present invention, before the identifying whether the event to be identified is a false alarm event based on the magnitude relationship between the second number and the first number, the method further includes:
determining a third number of the events to be identified;
determining the average number of occurrences of the target historical event per unit time length based on the total number of occurrences of the target historical event, wherein the target historical event is: a security event that occurred before the preset time period, belongs to the same event type as the event to be identified, has the same destination address, and has a source address belonging to the intranet segment;
predicting the probability that the event to be identified occurs the third number of times within the unit time length based on the average number of times;
the identifying whether the event to be identified is a false alarm event based on the magnitude relation between the second quantity and the first quantity includes:
calculating a first ratio between the second quantity and the first quantity;
and identifying whether the event to be identified is a false alarm event or not based on the first ratio and the probability.
In an embodiment of the present invention, the identifying whether the event to be identified is a false alarm event based on a magnitude relationship between the second number and the first number includes:
and if the first number is larger than a preset number, identifying whether the event to be identified is a false alarm event based on the magnitude relation between the second number and the first number.
In an embodiment of the present invention, the identifying whether the event to be identified is a false alarm event based on a magnitude relationship between the second number and the first number includes:
calculating a first ratio between the second quantity and the first quantity;
and if the first ratio is larger than a first preset ratio, determining that the event to be identified is a false alarm event.
In one embodiment of the present invention, the first preset ratio is determined by:
determining a first historical number of different C-segment network segments to which the source addresses corresponding to historical false alarm events belong, and a second historical number of different source addresses corresponding to the historical false alarm events, wherein a historical false alarm event is: a security event that occurred before the preset time period, has been determined to be a false alarm event, and belongs to the same event type as the event to be identified;
and calculating the first preset ratio based on the first historical quantity and the second historical quantity.
In a second aspect, an embodiment of the present invention provides an event identification apparatus, where the apparatus includes:
an event acquiring module, configured to acquire an event to be identified that occurred within a preset time period, wherein the event to be identified consists of security events that have the same destination address, whose source addresses belong to a preset intranet segment, and that belong to the same event type;
a first quantity determining module, configured to determine a first quantity of different source addresses corresponding to the event to be identified, and a second quantity of different C-segment network segments to which the source addresses corresponding to the event to be identified belong;
and the event identification module is used for identifying whether the event to be identified is a false alarm event or not based on the magnitude relation between the second quantity and the first quantity.
In one embodiment of the present invention, the apparatus further comprises:
a second number determination module, configured to determine a third number of the events to be identified;
an average frequency determining module, configured to determine the average number of occurrences of a target historical event per unit time length based on the total number of occurrences of the target historical event, where the target historical event is: a security event that occurred before the preset time period, belongs to the same event type as the event to be identified, has the same destination address, and has a source address belonging to the intranet segment;
a probability prediction module, configured to predict, based on the average number of times, a probability that the event to be identified occurs the third number of times within the unit duration;
the event identification module is specifically configured to:
calculating a first ratio between the second quantity and the first quantity;
and identifying whether the event to be identified is a false alarm event or not based on the first ratio and the probability.
In an embodiment of the present invention, the event identification module is specifically configured to:
and if the first number is larger than a preset number, identifying whether the event to be identified is a false alarm event based on the magnitude relation between the second number and the first number.
In an embodiment of the present invention, the event identification module is specifically configured to:
calculating a first ratio between the second quantity and the first quantity;
and if the first ratio is larger than a first preset ratio, determining that the event to be identified is a false alarm event.
In an embodiment of the present invention, the apparatus further includes a ratio determining module, configured to determine the first preset ratio by:
determining a first historical number of different C-segment network segments to which the source addresses corresponding to historical false alarm events belong, and a second historical number of different source addresses corresponding to the historical false alarm events, wherein a historical false alarm event is: a security event that occurred before the preset time period, has been determined to be a false alarm event, and belongs to the same event type as the event to be identified;
and calculating the first preset ratio based on the first historical quantity and the second historical quantity.
In a third aspect, an embodiment of the present invention provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory communicate with one another through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of the first aspect when executing a program stored in the memory.
In a fourth aspect, the present invention provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements the method steps of any one of the first aspect.
In a fifth aspect, embodiments of the present invention also provide a computer program product comprising instructions, which when run on a computer, cause the computer to perform the method steps of any of the first aspects described above.
The embodiment of the invention has the following beneficial effects:
after the event to be identified is obtained, consisting of security events that occurred in the preset time period, have the same destination address, have source addresses belonging to the intranet segment, and belong to the same event type, the first number of distinct source addresses corresponding to the event to be identified and the second number of distinct C-segment network segments to which those source addresses belong are determined. Whether the event to be identified is a false alarm event is then identified based on the magnitude relation between the second number and the first number.
As can be seen from the above, the smaller the difference between the second number (the number of C-segment network segments to which the source addresses of the event to be identified belong) and the first number (the number of those source addresses), the more C-segment network segments the intranet devices that triggered the security events within the preset time period span, that is, the more dispersed those devices are across different C-segment network segments. In practice the security of devices in the intranet segment is usually high, so devices belonging to different C-segment network segments rarely cause a large-scale security event within a short time; therefore, if the difference between the second number and the first number is small, the probability that the security event is a false alarm event is high. Whether the event to be identified is a false alarm event can thus be identified based on the magnitude relation between the first number and the second number.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art according to the drawings.
Fig. 1 is a schematic flowchart of a first event identification method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a second event identification method according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a third event identification method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a first event recognition device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a second event recognition device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived from the embodiments given herein by one of ordinary skill in the art, are within the scope of the invention.
The embodiment of the invention provides an event identification method and device in order to identify whether an event occurring in a network is a false alarm event.
The embodiment of the invention provides an event identification method, which comprises the following steps:
acquiring an event to be identified which occurs within a preset time period, wherein the event to be identified consists of security events that have the same destination address, whose source addresses belong to a preset intranet segment, and that belong to the same event type;
determining a first number of different source addresses corresponding to the event to be identified and a second number of different C-segment network segments to which the source addresses corresponding to the event to be identified belong;
and identifying whether the event to be identified is a false alarm event or not based on the magnitude relation between the second number and the first number.
Referring to fig. 1, a flowchart of a first event identification method according to an embodiment of the present invention is shown, where the method includes the following steps S101 to S103.
S101: Acquire the event to be identified which occurred in a preset time period.
Here the event to be identified consists of security events whose destination addresses are the same, whose source addresses belong to a preset intranet segment, and which belong to the same event type.
Specifically, a security event may be detected by a firewall, by antivirus software installed on a terminal, by an IPS (Intrusion Prevention System) configured on a terminal, and the like.
The security event may be a dangerous event that genuinely affects network security, caused for example by a network virus or a botnet attack, or it may be a false alarm event that the firewall, antivirus software, IPS, or the like has misidentified.
In an embodiment of the present invention, after the security event is obtained, information such as a source address, information that the source address belongs to an intranet segment or an extranet segment, a source port, a destination address, information that the destination address belongs to the intranet segment or the extranet segment, a destination port, an event name, latest occurrence time, first occurrence time, occurrence frequency, and the like corresponding to the security event may be recorded.
The extranet segment is any network segment other than the preset intranet segment.
The source address corresponding to the security event indicates an address of a device causing the security event, and the source address may be an IP address, for example, if the security event is an attack event, the source address is an address of a device initiating a network attack.
The source port corresponding to the security event represents a port from which the device causing the security event initiates the security event, for example, if the security event is an attack event, the source port is a port used by the device initiating the network attack to initiate the network attack.
The destination address corresponding to the security event indicates an address of a network device affected by the security event, and the destination address may be an IP address, for example, if the security event is a network device sending a network virus to another network device, the destination address of the security event is an address of the network device receiving the network virus.
The destination port corresponding to the security event represents the port of the network device affected by the security event; for example, if the security event is that a network device sends an attack packet to another network device, the destination port of the security event is the port that receives the attack packet.
The event name of the security event may be used to distinguish different security events and represents the event type to which the security event belongs; for example, the event name may include: trojan program communication, malicious domain name communication, C&C (Command and Control server) host communication, cryptomining program communication, botnet communication, worm program communication, and the like.
The number of occurrences of the security event may be the total number of detected occurrences of security events belonging to that event type, or the number of occurrences of security events belonging to that event type within a preset time period, for example the most recent week, the most recent month, and the like.
In an embodiment of the present invention, after the security events generated within the preset time period whose source addresses belong to the intranet segment are acquired, they may be clustered: the acquired security events are grouped into different events to be identified according to destination address and event type, and after clustering only the destination address, event name, and source address information of each event to be identified need be retained, where the event name indicates the event type to which the event to be identified belongs. For each event to be identified, whether it is a false alarm event can then be identified according to the following steps S102 to S103.
Specifically, the security events making up an event to be identified have the same destination address and the same event type, that is, they are security events of the same event type directed at the same device, and their source addresses belong to a preset intranet segment, so the devices initiating the event to be identified are all devices in the intranet segment.
S102: Determine a first number of distinct source addresses corresponding to the event to be identified and a second number of distinct C-segment network segments to which those source addresses belong.
Specifically, the source addresses of the events to be identified may be traversed, and a first number of different source addresses may be counted, where the first number may represent the number of devices that initiate the events to be identified.
In addition, the source address of each event to be identified may be traversed, and a second number of different C-segment network segments to which the source address belongs may be counted, where the second number may represent the number of C-segment network segments to which the device initiating the event to be identified belongs.
Each C-segment network segment lies within the range 192.0.0.0 to 223.255.255.255; specifically, source addresses whose first 24 bits are the same belong to the same C-segment network segment, and source addresses whose first 24 bits differ belong to different C-segment network segments.
S103: Identify whether the event to be identified is a false alarm event based on the magnitude relation between the second number and the first number.
In an embodiment of the present invention, if the C-segment network segments to which the source addresses of the event to be identified belong are all different, the first number equals the second number; in general the second number is always less than or equal to the first number. The fewer the C-segment network segments to which the source addresses of the event to be identified belong, the larger the difference between the first number and the second number. Therefore, the magnitude relation between the second number and the first number reflects the distribution of the source addresses of the event to be identified over C-segment network segments, that is, the distribution over C-segment network segments of the devices initiating the event to be identified.
In practice, the devices in the intranet segment are relatively safe, and several intranet devices belonging to different C-segment network segments rarely initiate a dangerous event of the same event type against other devices within a relatively short time period. So if the difference between the first number and the second number is relatively large, the event to be identified may be a dangerous event; otherwise, the event to be identified may be a false alarm event.
Specifically, the magnitude relation between the second number and the first number may be expressed as the difference between the first number and the second number; the smaller this difference, the closer the two numbers are. If the difference is lower than a preset difference, the event to be identified can be regarded as a false alarm event.
In addition, the above step S103 can be realized by the following steps a to B.
Step A: a first ratio between the second number and the first number is calculated.
Specifically, since the second number is never greater than the first number, the first ratio lies in the interval (0, 1], reaching 1 only when every source address falls in a different C-segment network segment.
And B: and if the first ratio is larger than a first preset ratio, determining that the event to be identified is a false alarm event.
Specifically, the first preset ratio may be set manually, for example, 0.6, 0.7, etc., or the first preset ratio may be determined based on steps C to D, which will not be described in detail herein.
In an embodiment of the present invention, if the first ratio is greater than the first preset ratio, this indicates that the second number is close to the first number, that is, the difference between them is small, and the event to be identified is considered to be a false alarm event.
In one embodiment of the present invention, the first preset ratio may be determined based on the following steps C to D.
Step C: Determine a first historical number of distinct C-segment network segments to which the source addresses corresponding to historical false alarm events belong, and a second historical number of distinct source addresses corresponding to the historical false alarm events.
Here a historical false alarm event is a security event that occurred before the preset time period, has been determined to be a false alarm event, and belongs to the same event type as the event to be identified.
Specifically, the historical false alarm event may be all the security events that occur before the preset time period, are determined as false alarm events, and have the same event type as the event to be identified, or may be the security events that occur before the preset time period, are determined as false alarm events, and have the same event type as the event to be identified, and occur within a certain time period. For example, the time period may be the last week, the last month, the last quarter, the last year, and the like.
In an embodiment of the present invention, the history false alarm event may be traversed, the second history number of different source addresses corresponding to the history false alarm event may be determined, and the first history number of different C-segment network segments to which the source addresses corresponding to the history false alarm event belong may be determined.
Step D: Calculate the first preset ratio based on the first historical number and the second historical number.
Specifically, the first preset ratio may be the ratio between the first historical number and the second historical number. This ratio reflects the overall relation between the number of C-segment network segments and the number of source addresses for false alarm events of that event type, and so it can serve as the first preset ratio, the reference for determining whether the event to be identified is a false alarm event.
As can be seen from the above, the first preset ratio is calculated based on the first history number and the second history number of the false alarm events which have occurred historically and belong to the same event type as the event to be identified, and is used for determining whether the event to be identified is the false alarm event. The first preset ratio is calculated based on the history occurring false alarm event, so that the first preset ratio can reflect the distribution condition of the equipment corresponding to the history occurring false alarm event in the network segment C, and has strong representativeness. And judging whether the event to be identified is a false alarm event or not based on the first preset ratio, wherein the judgment result is more accurate.
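The clustering of S101, the counts of S102, the ratio test of steps A and B and the historical threshold of steps C and D, as an added Python example that is not part of the patent: the intranet segment 10.0.0.0/8, the event records and the historical false alarms are constructed sample data, and the history is pooled across event types rather than kept per type.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed preset intranet segment (constructed for this example).
INTRANET = [IPv4Network("10.0.0.0/8")]


@dataclass(frozen=True)
class SecurityEvent:
    src: str         # source address: the device that triggered the event
    dst: str         # destination address: the device affected by the event
    event_name: str  # event name, i.e. the event type


def in_intranet(addr: str) -> bool:
    ip = IPv4Address(addr)
    return any(ip in net for net in INTRANET)


def c_segment(addr: str) -> str:
    """A C-segment is identified by the first 24 bits of the address (S102)."""
    return str(IPv4Network(f"{addr}/24", strict=False))


def cluster_events(events: Iterable[SecurityEvent]) -> Dict[Tuple[str, str], List[SecurityEvent]]:
    """S101: keep intranet-sourced events and group them by (destination, event type)."""
    clusters: Dict[Tuple[str, str], List[SecurityEvent]] = defaultdict(list)
    for ev in events:
        if in_intranet(ev.src):
            clusters[(ev.dst, ev.event_name)].append(ev)
    return dict(clusters)


def count_sources_and_segments(events: Iterable[SecurityEvent]) -> Tuple[int, int]:
    """S102: first number = distinct source addresses, second number = distinct C-segments."""
    sources = {ev.src for ev in events}
    segments = {c_segment(s) for s in sources}
    return len(sources), len(segments)


def first_ratio(events: Iterable[SecurityEvent]) -> float:
    """Step A: second number divided by first number, which lies in (0, 1]."""
    first, second = count_sources_and_segments(events)
    return second / first


def preset_ratio_from_history(historical_false_alarms: Iterable[SecurityEvent]) -> float:
    """Steps C and D: distinct C-segments over distinct sources of known false alarms."""
    # first historical number = C-segments, second historical number = source addresses
    second_hist, first_hist = count_sources_and_segments(historical_false_alarms)
    return first_hist / second_hist


def is_false_alarm(events: List[SecurityEvent], preset_ratio: float,
                   preset_number: int = 1) -> Optional[bool]:
    """Step B, guarded by 'first number larger than a preset number'.

    Returns None when the cluster has too few distinct sources to be judged;
    the patent does not say what happens then, so it is left to the analyst.
    """
    first, _ = count_sources_and_segments(events)
    if first <= preset_number:
        return None
    return first_ratio(events) > preset_ratio


# Constructed sample: events to be identified from the preset time period.
SAMPLE_EVENTS = [
    # cluster 1: five sources, each in its own /24 -> ratio 1.0 (dispersed)
    *[SecurityEvent(f"10.2.{i}.5", "10.1.1.10", "botnet communication") for i in range(1, 6)],
    # cluster 2: five sources concentrated in two /24s -> ratio 0.4
    *[SecurityEvent(f"10.3.7.{i}", "10.1.1.20", "worm program communication") for i in range(1, 5)],
    SecurityEvent("10.3.8.9", "10.1.1.20", "worm program communication"),
    # an extranet source is excluded by S101
    SecurityEvent("203.0.113.5", "10.1.1.20", "worm program communication"),
]

# Constructed sample: historical false alarms (four distinct sources in three /24s -> 0.75).
HISTORICAL_FALSE_ALARMS = [
    SecurityEvent("10.5.1.1", "10.1.1.30", "botnet communication"),
    SecurityEvent("10.5.2.1", "10.1.1.30", "botnet communication"),
    SecurityEvent("10.5.3.1", "10.1.1.31", "botnet communication"),
    SecurityEvent("10.5.3.2", "10.1.1.31", "botnet communication"),
]


def classify_all() -> Dict[Tuple[str, str], Optional[bool]]:
    """Run S101 to S103 over the sample; True means 'false alarm'."""
    threshold = preset_ratio_from_history(HISTORICAL_FALSE_ALARMS)
    return {key: is_false_alarm(evs, threshold) for key, evs in cluster_events(SAMPLE_EVENTS).items()}


if __name__ == "__main__":
    for (dst, name), verdict in classify_all().items():
        print(dst, name, "false alarm" if verdict else "not a false alarm / not judged")
```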
Referring to fig. 2, a schematic flowchart of a second event identification method according to an embodiment of the present invention is shown; compared with the embodiment shown in fig. 1, it further includes the following steps S104 to S106 before step S103.
S104: Determine a third number, the number of occurrences of the event to be identified.
S105: Determine the average number of occurrences of the target historical event per unit time length based on the total number of occurrences of the target historical event.
Here the target historical event is a security event that occurred before the preset time period, belongs to the same event type as the event to be identified, has the same destination address, and has a source address belonging to the intranet segment.
Specifically, the time difference between the latest occurrence time and the first occurrence time of the target historical event before the preset time period may be calculated, the ratio between the time difference and the unit time length may be calculated, and the average number of times may be obtained by dividing the total number of occurrences by the ratio.
The unit time length is the same as the preset time period.
S106: and predicting the probability of the event to be identified occurring the third number of times in the unit time length based on the average number of times.
Specifically, the target historical event and the event to be identified have the same event type, the same destination address and the same source address, and both belong to the intranet segment, so the target historical event may be regarded as a similar event that differs from the event to be identified only in time, and its average number of occurrences reflects the historical average level at which such security events occur per unit time length. In most cases, an event to be identified that is similar to the target historical event is most likely to occur about the average number of times within the preset time period, and the larger the difference between the third number and the average number, the lower the probability.
In an embodiment of the present invention, a preset probability may be associated with the average number of times; the larger the absolute value of the first difference between the average number of times and the third number, the larger the second difference between the probability corresponding to the third number and the preset probability. A second difference may be set for each absolute value of the first difference, so that the probability that the event to be identified occurs the third number of times is determined from the first difference and the preset probability.
For example, if the average number of times is 60, the preset probability may be set to 0.4 and the second difference corresponding to an absolute first difference of 20 to 0.2; if the third number is 40, the probability that the event to be identified actually occurs 40 times within the unit time length is then 0.2.
In another embodiment of the present invention, the probability that the event to be identified occurs the third number of times within the unit time length may be calculated from the Poisson distribution, taking the average number of times as the mean and the third number as the variable.
Specifically, the formula of the Poisson distribution is as follows:
$$p(x) = \frac{\lambda^{x} e^{-\lambda}}{x!}$$
where x is the third number, λ is the average number of times, and p(x) is the probability that the event to be identified actually occurs the third number of times within the unit time length.
In addition, compared with the embodiment shown in fig. 1, the above step S103 may be implemented by the following steps S103A to S103B.
S103A: calculating a first ratio between the second number and the first number.
S103B: identifying whether the event to be identified is a false alarm event based on the first ratio and the probability.
Here the probability lies in the interval (0,1) and the first ratio also lies in the interval (0,1), so the two values are of comparable magnitude.
Specifically, the smaller the probability, the larger the difference between the third number and the average number of times. On the one hand, if the third number is much smaller than the average number, the event to be identified occurred only a few times within the preset time period, little data is available for analysis, and it is difficult to identify whether the event is a false alarm event. On the other hand, if the third number is much larger than the average number, the event to be identified occurred frequently within the preset time period, and if it is in fact a dangerous event, network security is greatly affected.
Conversely, when the probability is high, the event to be identified is considered more likely to be a false alarm event.
In an embodiment of the present invention, when the first ratio is greater than the first preset ratio and the probability is greater than the preset probability, it may be determined that the event to be identified is a false alarm event.
As can be seen from the above, in addition to judging whether the event to be identified is a false alarm event from the magnitude relationship between the first number and the second number, the embodiment of the present invention also predicts, from the average number of times of the target historical event, the probability that the event to be identified occurs the third number of times. This probability measures how far the actual number of occurrences within the preset time period departs from the historical average level, so cases where the third number is abnormally low or high are excluded, and the event to be identified is taken as a possible false alarm event only when its number of occurrences within the preset time period is close to the historical average level. Applying the scheme provided by the embodiment of the present invention improves the accuracy of the identification result and prevents network security problems caused by misidentification.
Referring to fig. 3, a flowchart of a third event identification method provided by an embodiment of the present invention: compared with the embodiment shown in fig. 1, the above step S103 may be implemented by the following step S103C.
S103C: if the first number is greater than a preset number, identifying whether the event to be identified is a false alarm event based on the magnitude relationship between the second number and the first number.
Specifically, the preset number may be set manually, for example to 3 or 5. If the first number is less than or equal to the preset number, both the first number and the second number are small, so the second number is necessarily close to the first number: regardless of whether the event to be identified is a false alarm event, the difference between the two is small, and it is difficult to identify a false alarm event from their magnitude relationship. Therefore, the embodiment of the present invention identifies whether the event to be identified is a false alarm event only when the first number is greater than the preset number.
As can be seen from the above, only when the first number is large can a large difference arise between the first number and the second number, and only then can a false alarm event be distinguished from the magnitude relationship between them. Because the embodiment of the present invention identifies whether the event to be identified is a false alarm event only when the first number is greater than the preset number, the accuracy of the identification result is improved.
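The three method embodiments above (steps S104 to S106, S103A to S103B and S103C) put together as runnable Python, added here as an example and not code from the patent or its applicant; the function names, the 10.0.0.0/8 intranet segment, the one-hour unit time length, the thresholds and the sample events are all constructed assumptions, and the Poisson probability is evaluated in log space so that a large third number does not overflow.

```python
import ipaddress
import math
from dataclasses import dataclass
from typing import Sequence, Tuple

@dataclass(frozen=True)
class SecurityEvent:
    event_type: str
    src: str
    dst: str
    ts: int  # seconds since epoch (constructed values below)

INTRANET = ipaddress.ip_network("10.0.0.0/8")  # assumed preset intranet segment
UNIT = 3600  # unit time length = preset time period; one hour is an assumption

def c_segment(ip: str) -> str:
    """The /24 ("C-segment") network segment an address belongs to."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def sources_and_segments(events: Sequence[SecurityEvent]) -> Tuple[int, int]:
    """S102: first number (distinct sources) and second number (distinct /24s)."""
    srcs = {e.src for e in events}
    return len(srcs), len({c_segment(s) for s in srcs})

def first_preset_ratio(historical_false_alarms: Sequence[SecurityEvent]) -> float:
    """First historical number (/24s) divided by second historical number (sources)."""
    n_src, n_seg = sources_and_segments(historical_false_alarms)
    return n_seg / n_src if n_src else 0.0

def average_rate(target_history: Sequence[SecurityEvent]) -> float:
    """S105: total occurrences divided by (latest - first occurrence) / unit length."""
    if not target_history:
        return 0.0
    times = [e.ts for e in target_history]
    span_units = (max(times) - min(times)) / UNIT
    # A history shorter than one unit (or a single event, span 0) would inflate
    # the rate or divide by zero; clamping the span to one unit is an assumption.
    return len(target_history) / max(span_units, 1.0)

def poisson_pmf(x: int, lam: float) -> float:
    """p(x) = lam^x * e^-lam / x!, evaluated in log space so a large x cannot overflow."""
    if lam <= 0:
        return 1.0 if x == 0 else 0.0
    return math.exp(x * math.log(lam) - lam - math.lgamma(x + 1))

def in_scope(events, event_type, dst, start, end):
    """Events of one type, to one destination, from the intranet, with ts in [start, end)."""
    return [e for e in events
            if e.event_type == event_type and e.dst == dst and start <= e.ts < end
            and ipaddress.ip_address(e.src) in INTRANET]

def is_false_alarm(window, target_history, preset_ratio, preset_probability, preset_number):
    first_number, second_number = sources_and_segments(window)
    if first_number <= preset_number:  # S103C: too few sources to judge by the ratio
        return False
    first_ratio = second_number / first_number  # S103A
    third_number = len(window)  # S104
    probability = poisson_pmf(third_number, average_rate(target_history))  # S106
    # S103B: sources dispersed over many /24s AND a count close to the historical level
    return first_ratio > preset_ratio and probability > preset_probability

# ---- constructed sample data ----
T = 1_700_000_000  # start of the preset time period
TYPE, DST = "port-scan", "10.1.1.10"

def mk(src, ts):
    return SecurityEvent(TYPE, src, DST, ts)

# Historical false alarms of this type: 5 sources spread over 4 /24s -> preset ratio 0.8
HISTORICAL_FALSE_ALARMS = [mk(s, T - 90000) for s in
                           ("10.2.1.5", "10.2.1.6", "10.2.2.5", "10.2.3.5", "10.2.4.5")]

# Target history: 12 events whose first and last occurrence are exactly 3 units
# apart, all before T -> average of 4 occurrences per unit time length
TARGET_HISTORY = ([mk("10.2.9.9", T - 10801)]
                  + [mk("10.2.9.9", T - 10801 + 600 * k) for k in range(1, 11)]
                  + [mk("10.2.9.9", T - 1)])

ALL_EVENTS = HISTORICAL_FALSE_ALARMS + TARGET_HISTORY + [
    mk("10.3.1.7", T + 100), mk("10.3.2.7", T + 200),  # 4 sources in 4 /24s,
    mk("10.3.3.7", T + 300), mk("10.3.4.7", T + 400),  # count 4 ~ historical average
    mk("203.0.113.5", T + 500),  # external source, dropped by the intranet filter
]
WINDOW_DISPERSED = in_scope(ALL_EVENTS, TYPE, DST, T, T + UNIT)
WINDOW_CONCENTRATED = [mk(f"10.3.1.{i}", T + i) for i in range(1, 6)]  # 5 sources, 1 /24
WINDOW_BURST = [mk(f"10.4.{i}.7", T + i) for i in range(1, 41)]  # 40 sources, 40 /24s

def classify(window) -> bool:
    """Apply the combined check with constructed thresholds (probability 0.1, number 3)."""
    return is_false_alarm(window, TARGET_HISTORY, first_preset_ratio(HISTORICAL_FALSE_ALARMS),
                          preset_probability=0.1, preset_number=3)

if __name__ == "__main__":
    for name, w in (("dispersed", WINDOW_DISPERSED),
                    ("concentrated", WINDOW_CONCENTRATED), ("burst", WINDOW_BURST)):
        print(f"{name}: {len(w)} events, false alarm = {classify(w)}")
```

Only the dispersed window is classed as a false alarm: the concentrated window fails the ratio test (five sources in one /24), and the burst fails the Poisson test even though its sources are dispersed.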
Corresponding to the foregoing event identification method, an embodiment of the present invention provides an event identification apparatus.
Referring to fig. 4, a schematic structural diagram of a first event recognition device according to an embodiment of the present invention is provided, where the device includes:
an event obtaining module 401, configured to obtain an event to be identified that occurred within a preset time period, where the event to be identified is: security events that have the same destination address, whose source addresses belong to a preset intranet segment, and that are of the same event type;
a first quantity determining module 402, configured to determine a first quantity of different source addresses corresponding to the event to be identified, and a second quantity of different C-segment network segments to which the source addresses corresponding to the event to be identified belong;
an event identification module 403, configured to identify whether the event to be identified is a false alarm event based on a magnitude relationship between the second number and the first number.
As can be seen from the above, the smaller the difference between the second number of C-segment network segments to which the source addresses corresponding to the events to be identified belong and the first number of those source addresses, the more C-segment network segments the devices that triggered the security events within the intranet segment during the preset time period belong to, that is, the more dispersed those devices are across different C-segment network segments. In practice, devices in the intranet segment are usually well secured, so devices in many different C-segment network segments rarely trigger a large-scale security event within a short time; therefore, if the difference between the second number and the first number is small, the security event is most likely a false alarm event. Whether the event to be identified is a false alarm event can thus be identified from the magnitude relationship between the first number and the second number.
Referring to fig. 5, a schematic structural diagram of a second event recognition device provided in the embodiment of the present invention is shown, and compared with the foregoing embodiment shown in fig. 4, the device further includes:
a second number determining module 404, configured to determine the third number of events to be identified;
an average number determining module 405, configured to determine, based on the total number of occurrences of the target historical event, the average number of occurrences of the target historical event within the unit time length, where the target historical event is: a security event that occurred before the preset time period, belongs to the same event type as the event to be identified, corresponds to the same destination address, and whose source address is an intranet address;
a probability prediction module 406, configured to predict, based on the average number of times, the probability that the event to be identified occurs the third number of times within the unit time length;
the event identification module 403 is specifically configured to:
calculate a first ratio between the second number and the first number;
identify whether the event to be identified is a false alarm event based on the first ratio and the probability.
As can be seen from the above, in addition to judging whether the event to be identified is a false alarm event from the magnitude relationship between the first number and the second number, the embodiment of the present invention also predicts, from the average number of times of the target historical event, the probability that the event to be identified occurs the third number of times. This probability measures how far the actual number of occurrences within the preset time period departs from the historical average level, so cases where the third number is abnormally low or high are excluded, and the event to be identified is taken as a possible false alarm event only when its number of occurrences within the preset time period is close to the historical average level. Applying the scheme provided by the embodiment of the present invention improves the accuracy of the identification result and prevents network security problems caused by misidentification.
In an embodiment of the present invention, the event identification module 403 is specifically configured to:
if the first number is greater than a preset number, identify whether the event to be identified is a false alarm event based on the magnitude relationship between the second number and the first number.
As can be seen from the above, only when the first number is large can a large difference arise between the first number and the second number, and only then can a false alarm event be distinguished from the magnitude relationship between them. Because the embodiment of the present invention identifies whether the event to be identified is a false alarm event only when the first number is greater than the preset number, the accuracy of the identification result is improved.
In an embodiment of the present invention, the event identification module 403 is specifically configured to:
calculate a first ratio between the second number and the first number;
if the first ratio is greater than a first preset ratio, determine that the event to be identified is a false alarm event.
In an embodiment of the present invention, the apparatus further includes a ratio determining module, configured to determine the first preset ratio by:
determining a first historical number of different C-segment network segments to which the source addresses corresponding to historical false alarm events belong, and a second historical number of different source addresses corresponding to the historical false alarm events, where a historical false alarm event is: a security event that occurred before the preset time period, has been determined to be a false alarm event, and is of the same event type as the event to be identified;
calculating the first preset ratio based on the first historical number and the second historical number.
As can be seen from the above, the first preset ratio is calculated from the first historical number and the second historical number of false alarm events that occurred historically and belong to the same event type as the event to be identified, and is used to judge whether the event to be identified is a false alarm event. Because it is derived from false alarm events that actually occurred, the first preset ratio reflects how the devices behind those events were distributed across C-segment network segments and is therefore highly representative; a judgment made against it is more accurate.
An embodiment of the present invention further provides an electronic device, as shown in fig. 6, including a processor 601, a communication interface 602, a memory 603 and a communication bus 604, where the processor 601, the communication interface 602 and the memory 603 communicate with each other through the communication bus 604;
the memory 603 is configured to store a computer program;
the processor 601 is configured to implement the method steps of any of the above event identification methods when executing the program stored in the memory 603.
When the electronic device provided by the embodiment of the present invention is applied to event identification, the smaller the difference between the second number of C-segment network segments to which the source addresses corresponding to the events to be identified belong and the first number of those source addresses, the more C-segment network segments the devices that triggered the security events within the intranet segment during the preset time period belong to, that is, the more dispersed those devices are across different C-segment network segments. In practice, devices in the intranet segment are usually well secured, so devices in many different C-segment network segments rarely trigger a large-scale security event within a short time; therefore, if the difference between the second number and the first number is small, the security event is most likely a false alarm event. Whether the event to be identified is a false alarm event can thus be identified from the magnitude relationship between the first number and the second number.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above-mentioned event recognition methods.
When the computer program stored in the computer-readable storage medium provided in this embodiment is executed to perform event identification, the smaller the difference between the second number of C-segment network segments to which the source addresses corresponding to the events to be identified belong and the first number of those source addresses, the more C-segment network segments the devices that triggered the security events within the intranet segment during the preset time period belong to, that is, the more dispersed those devices are across different C-segment network segments. In practice, devices in the intranet segment are usually well secured, so devices in many different C-segment network segments rarely trigger a large-scale security event within a short time; therefore, if the difference between the second number and the first number is small, the security event is most likely a false alarm event. Whether the event to be identified is a false alarm event can thus be identified from the magnitude relationship between the first number and the second number.
In yet another embodiment, a computer program product containing instructions is provided, which when run on a computer, causes the computer to perform any of the above described event recognition methods.
When the computer program product provided in this embodiment is executed to perform event identification, the smaller the difference between the second number of C-segment network segments to which the source addresses corresponding to the events to be identified belong and the first number of those source addresses, the more C-segment network segments the devices that triggered the security events within the intranet segment during the preset time period belong to, that is, the more dispersed those devices are across different C-segment network segments. In practice, devices in the intranet segment are usually well secured, so devices in many different C-segment network segments rarely trigger a large-scale security event within a short time; therefore, if the difference between the second number and the first number is small, the security event is most likely a false alarm event. Whether the event to be identified is a false alarm event can thus be identified from the magnitude relationship between the first number and the second number.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, the electronic device, the computer-readable storage medium, and the computer program product embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to them, reference may be made to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (12)

1. An event recognition method, the method comprising:
acquiring an event to be identified that occurred within a preset time period, wherein the event to be identified is: security events that have the same destination address, whose source addresses belong to a preset intranet segment, and that are of the same event type;
determining a first number of different source addresses corresponding to the event to be identified, and a second number of different C-segment network segments to which the source addresses corresponding to the event to be identified belong;
identifying whether the event to be identified is a false alarm event based on the magnitude relationship between the second number and the first number.
2. The method according to claim 1, wherein before said identifying whether the event to be identified is a false positive event based on the magnitude relationship between the second number and the first number, further comprising:
determining a third number of the events to be identified;
determining the average number of occurrences of a target historical event within a unit time length based on the total number of occurrences of the target historical event, wherein the target historical event is: a security event that occurred before the preset time period, belongs to the same event type as the event to be identified, corresponds to the same destination address, and whose source address is an intranet address;
predicting, based on the average number of times, the probability that the event to be identified occurs the third number of times within the unit time length;
wherein the identifying whether the event to be identified is a false alarm event based on the magnitude relationship between the second number and the first number comprises:
calculating a first ratio between the second number and the first number;
identifying whether the event to be identified is a false alarm event based on the first ratio and the probability.
3. The method according to claim 1, wherein the identifying whether the event to be identified is a false positive event based on a magnitude relationship between the second number and the first number comprises:
if the first number is greater than a preset number, identifying whether the event to be identified is a false alarm event based on the magnitude relationship between the second number and the first number.
4. The method according to claim 1, wherein the identifying whether the event to be identified is a false positive event based on a magnitude relationship between the second number and the first number comprises:
calculating a first ratio between the second number and the first number;
if the first ratio is greater than a first preset ratio, determining that the event to be identified is a false alarm event.
5. The method according to claim 4, characterized in that the first preset ratio is determined by:
determining a first historical number of different C-segment network segments to which the source addresses corresponding to historical false alarm events belong, and a second historical number of different source addresses corresponding to the historical false alarm events, wherein a historical false alarm event is: a security event that occurred before the preset time period, has been determined to be a false alarm event, and is of the same event type as the event to be identified;
calculating the first preset ratio based on the first historical number and the second historical number.
6. An event recognition apparatus, comprising:
an event acquiring module, configured to acquire an event to be identified that occurred within a preset time period, wherein the event to be identified is: security events that have the same destination address, whose source addresses belong to a preset intranet segment, and that are of the same event type;
a first number determining module, configured to determine a first number of different source addresses corresponding to the event to be identified, and a second number of different C-segment network segments to which the source addresses corresponding to the event to be identified belong;
an event identification module, configured to identify whether the event to be identified is a false alarm event based on the magnitude relationship between the second number and the first number.
7. The apparatus of claim 6, further comprising:
a second number determining module, configured to determine a third number of the events to be identified;
an average number determining module, configured to determine the average number of occurrences of a target historical event within a unit time length based on the total number of occurrences of the target historical event, wherein the target historical event is: a security event that occurred before the preset time period, belongs to the same event type as the event to be identified, corresponds to the same destination address, and whose source address is an intranet address;
a probability prediction module, configured to predict, based on the average number of times, the probability that the event to be identified occurs the third number of times within the unit time length;
wherein the event identification module is specifically configured to:
calculate a first ratio between the second number and the first number;
identify whether the event to be identified is a false alarm event based on the first ratio and the probability.
8. The apparatus according to claim 6, wherein the event recognition module is specifically configured to:
if the first number is greater than a preset number, identify whether the event to be identified is a false alarm event based on the magnitude relationship between the second number and the first number.
9. The apparatus according to claim 6, wherein the event recognition module is specifically configured to:
calculate a first ratio between the second number and the first number;
if the first ratio is greater than a first preset ratio, determine that the event to be identified is a false alarm event.
10. The apparatus of claim 9, further comprising a ratio determination module configured to determine the first preset ratio by:
determining a first historical number of different C-segment network segments to which the source addresses corresponding to historical false alarm events belong, and a second historical number of different source addresses corresponding to the historical false alarm events, wherein a historical false alarm event is: a security event that occurred before the preset time period, has been determined to be a false alarm event, and is of the same event type as the event to be identified;
calculating the first preset ratio based on the first historical number and the second historical number.
11. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
the processor is configured to implement the method steps of any one of claims 1 to 5 when executing the program stored in the memory.
12. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of the claims 1-5.
CN202111129182.9A 2021-09-26 2021-09-26 Event identification method and device Active CN113783891B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111129182.9A CN113783891B (en) 2021-09-26 2021-09-26 Event identification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111129182.9A CN113783891B (en) 2021-09-26 2021-09-26 Event identification method and device

Publications (2)

Publication Number Publication Date
CN113783891A true CN113783891A (en) 2021-12-10
CN113783891B CN113783891B (en) 2023-06-20

Family

ID=78853632

Country Status (1)

Country Link
CN (1) CN113783891B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101707539A (en) * 2009-11-26 2010-05-12 成都市华为赛门铁克科技有限公司 Method and device for detecting worm virus and gateway equipment
CN108156165A (en) * 2017-12-28 2018-06-12 北京奇虎科技有限公司 Method and system for false positive detection
CN108171053A (en) * 2017-12-28 2018-06-15 北京奇虎科技有限公司 Method and system for rule discovery
CN109561097A (en) * 2018-12-17 2019-04-02 泰康保险集团股份有限公司 Structured query language injects security flaw detection method, device, equipment and storage medium
US20190342307A1 (en) * 2018-05-01 2019-11-07 Royal Bank Of Canada System and method for monitoring security attack chains
CN111787000A (en) * 2020-06-30 2020-10-16 绿盟科技集团股份有限公司 Network security evaluation method and electronic equipment
CN112165466A (en) * 2020-09-16 2021-01-01 杭州安恒信息技术股份有限公司 Method and device for false alarm identification, electronic device and storage medium
US10924503B1 (en) * 2018-05-30 2021-02-16 Amazon Technologies, Inc. Identifying false positives in malicious domain data using network traffic data logs
CN112637194A (en) * 2020-12-18 2021-04-09 北京天融信网络安全技术有限公司 Security event detection method and device, electronic equipment and storage medium
CN112769612A (en) * 2020-12-30 2021-05-07 北京天融信网络安全技术有限公司 Alarm event false alarm removing method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
程杰仁; 殷建平; 刘运; 蔡志平; 李敏: "基于地址相关度的分布式拒绝服务攻击检测方法" (Distributed denial-of-service attack detection method based on address correlation), no. 08 *

Also Published As

Publication number Publication date
CN113783891B (en) 2023-06-20

Similar Documents

Publication Publication Date Title
CN108092975B (en) Abnormal login identification method, system, storage medium and electronic equipment
CN112003838B (en) Network threat detection method, device, electronic device and storage medium
CN109936475B (en) Anomaly detection method and device
CN107992738B (en) Account login abnormity detection method and device and electronic equipment
CN113489713B (en) Network attack detection method, device, equipment and storage medium
CN109495521B (en) Abnormal flow detection method and device
CN110213255B (en) Method and device for detecting Trojan horse of host and electronic equipment
CN108390856B (en) DDoS attack detection method and device and electronic equipment
CN109067794B (en) Network behavior detection method and device
CN112532631A (en) Equipment safety risk assessment method, device, equipment and medium
CN112769775A (en) Threat information correlation analysis method, system, equipment and computer medium
EP3331210B1 (en) Apparatus, method, and non-transitory computer-readable storage medium for network attack pattern determination
CN114329469A (en) API abnormal calling behavior detection method, device, equipment and storage medium
CN106850632B (en) Method and device for detecting abnormal combined data
CN113783891B (en) Event identification method and device
CN113779564A (en) Security event prediction method and device
CN113704749B (en) Malicious mining detection processing method and device
CN111639340B (en) Malicious application detection method and device, electronic equipment and readable storage medium
CN114629723A (en) Attack detection method, device and related equipment
CN114124560A (en) Method and device for detecting defect host, electronic equipment and storage medium
CN113837285A (en) Event identification method and device
CN111147497B (en) Intrusion detection method, device and equipment based on knowledge inequality
CN116318751B (en) Vulnerability identification method, device, equipment and storage medium
CN113987482B (en) IP first access detection method, system and equipment based on FM
CN114679306B (en) Attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant