CN113965356B - Security event analysis method, device, equipment and machine-readable storage medium - Google Patents


Info

Publication number
CN113965356B
CN113965356B (application CN202111142145.1A)
Authority
CN
China
Prior art keywords
value
address
target address
victim
attack
Prior art date
Legal status
Active
Application number
CN202111142145.1A
Other languages
Chinese (zh)
Other versions
CN113965356A (en)
Inventor
顾涛
金兆岩
赵志伟
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202111142145.1A
Publication of CN113965356A
Application granted
Publication of CN113965356B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a security event analysis method, apparatus, device, and machine-readable storage medium. The method comprises: establishing, from the security events that have occurred, an association between each event's source address, destination address and the event itself; calculating an attack value for a target address, where the attack value of the target address depends on the victim values of the destination addresses of all security events in which the target address is the source address; calculating a victim value for a target address, where the victim value of the target address depends on the attack values of the source addresses of all security events in which the target address is the destination address; and setting an investigation order for the addresses according to their attack values. In this scheme, the addresses corresponding to risk assets are assigned attack values and victim values derived from the victim values and attack values of the other addresses associated with them; the addresses are then ordered by these quantifiable values, which yields an investigation order for the risk assets and improves operation and maintenance efficiency.

Description

Security event analysis method, device, equipment and machine-readable storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a machine-readable storage medium for analyzing a security event.
Background
A security management platform (including but not limited to situation awareness platforms, SOC and SIEM products) acquires, understands, evaluates and presents the elements that can change the network security situation and, on the basis of security big data, predicts its future trend. It improves the discovery, identification, understanding, analysis and response handling of security threats from a global viewpoint and, by combining machine learning and artificial intelligence with intelligent analysis and linked response, realizes the capability of a "security brain".
The security alarms reported to the security management platform are the basis of its analysis; when thousands of alarms are reported, the security operation and maintenance staff who must investigate them face an enormous workload. At present, operators investigate the assets with the highest compromise level first, using qualitative criteria such as the threat level of the risk asset (high suspicion, low suspicion and the like). However, when a large number of risk assets share the same threat level, operators have to investigate and analyse them one by one, which makes investigation inefficient.
Disclosure of Invention
In view of the above, the present disclosure provides a method, an apparatus, an electronic device, and a machine-readable storage medium for analyzing security events, so as to solve the problem of low investigation efficiency when a large number of risk assets with the same threat level exist.
The technical scheme is as follows:
The present disclosure provides a security event analysis method applied to a network security device, the method comprising: establishing, from the security events that have occurred, an association between source address, destination address and event, wherein a source address, as an attacker, has an attack value and a destination address, as a victim, has a victim value; calculating an attack value for a target address, the attack value of the target address depending on the victim values of the destination addresses of all security events in which the target address is the source address; calculating a victim value for a target address, the victim value of the target address depending on the attack values of the source addresses of all security events in which the target address is the destination address; and setting an investigation order for the addresses according to their attack values.
In one technical scheme, addresses with the same attack value are given an investigation order according to their associated victim values.
In one technical scheme, calculating the attack value of a target address (which depends on the victim values of the destination addresses of all security events in which the target address is the source address) and calculating the victim value of a target address (which depends on the attack values of the source addresses of all security events in which the target address is the destination address) comprises: recalculating the attack values from the updated associated victim values, recalculating the victim values from the updated associated attack values, and stopping the iteration once the number of iterations reaches a preset number.
In one technical scheme, establishing the association between source address, destination address and event from the security events that have occurred, with the source address as an attacker having an attack value and the destination address as a victim having a victim value, comprises: establishing, from the security events that have occurred, an association between source address, destination address and event weight. Correspondingly, the attack value of a target address depends on the victim values of the destination addresses of all security events in which the target address is the source address together with the weights of those security events, and the victim value of a target address depends on the attack values of the source addresses of all security events in which the target address is the destination address together with the weights of those security events.
The present disclosure also provides a security event analysis apparatus applied to a network security device, the apparatus comprising: an association module for establishing, from the security events that have occurred, an association between source address, destination address and event, wherein a source address, as an attacker, has an attack value and a destination address, as a victim, has a victim value; a calculation module for calculating an attack value of a target address, the attack value of the target address depending on the victim values of the destination addresses of all security events in which the target address is the source address, the calculation module further being configured to calculate a victim value of the target address, which depends on the attack values of the source addresses of all security events in which the target address is the destination address; and an ordering module for setting an investigation order for the addresses according to their attack values.
In one technical scheme, addresses with the same attack value are given an investigation order according to their associated victim values.
In one technical scheme, calculating the attack value of a target address (which depends on the victim values of the destination addresses of all security events in which the target address is the source address) and calculating the victim value of a target address (which depends on the attack values of the source addresses of all security events in which the target address is the destination address) comprises: recalculating the attack values from the updated associated victim values, recalculating the victim values from the updated associated attack values, and stopping the iteration once the number of iterations reaches a preset number.
In one technical scheme, establishing the association between source address, destination address and event from the security events that have occurred, with the source address as an attacker having an attack value and the destination address as a victim having a victim value, comprises: establishing, from the security events that have occurred, an association between source address, destination address and event weight. Correspondingly, the attack value of a target address depends on the victim values of the destination addresses of all security events in which the target address is the source address together with the weights of those security events, and the victim value of a target address depends on the attack values of the source addresses of all security events in which the target address is the destination address together with the weights of those security events.
The present disclosure also provides an electronic device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the aforementioned security event analysis method.
The present disclosure also provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned security event analysis method.
The technical scheme provided by the disclosure brings at least the following beneficial effect: the addresses corresponding to the risk assets are ordered by quantifiable values, which yields an investigation order for the risk assets and improves operation and maintenance efficiency.
Drawings
In order to illustrate the embodiments of the present disclosure or the technical solutions in the prior art more clearly, the drawings required by the embodiments or by the description of the prior art are briefly introduced below. It is apparent that the drawings described below show only some embodiments of the present disclosure, and that those skilled in the art could obtain other drawings from them.
FIG. 1 is a flow chart of a security event analysis method in one embodiment of the present disclosure;
FIG. 2 is a block diagram of a security event analysis device in one embodiment of the present disclosure;
FIG. 3 is a hardware configuration diagram of an electronic device in one embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to any or all possible combinations including one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the embodiments of the present disclosure to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. Furthermore, depending on the context, the word "if" as used may be interpreted as "at … …" or "at … …" or "in response to a determination".
The disclosure provides a security event analysis method and device, electronic equipment and a machine-readable storage medium, so as to solve the problem of low investigation efficiency when a large number of risk assets with the same threat level exist.
Specifically, the technical scheme is as follows.
In one embodiment, the present disclosure provides a security event analysis method applied to a network security device, the method comprising: establishing, from the security events that have occurred, an association between source address, destination address and event, wherein a source address, as an attacker, has an attack value and a destination address, as a victim, has a victim value; calculating an attack value for a target address, the attack value of the target address depending on the victim values of the destination addresses of all security events in which the target address is the source address; calculating a victim value for a target address, the victim value of the target address depending on the attack values of the source addresses of all security events in which the target address is the destination address; and setting an investigation order for the addresses according to their attack values.
Specifically, as shown in fig. 1, the method comprises the following steps:
Step S11: establish, from the security events that have occurred, the association between source address, destination address and event;
where a source address, as an attacker, has an attack value and a destination address, as a victim, has a victim value.
Step S12: calculate the attack value and the victim value of each target address;
where the attack value of a target address depends on the victim values of the destination addresses of all security events in which the target address is the source address, and the victim value of a target address depends on the attack values of the source addresses of all security events in which the target address is the destination address.
Step S13: set the investigation order of the addresses according to their attack values.
Ordering the addresses corresponding to the risk assets by quantifiable values yields an investigation order for the risk assets and improves operation and maintenance efficiency.
In one embodiment, addresses with the same attack value are given an investigation order according to their associated victim values.
In one embodiment, calculating the attack value of a target address (which depends on the victim values of the destination addresses of all security events in which the target address is the source address) and calculating the victim value of a target address (which depends on the attack values of the source addresses of all security events in which the target address is the destination address) comprises: recalculating the attack values from the updated associated victim values, recalculating the victim values from the updated associated attack values, and stopping the iteration once the number of iterations reaches a preset number.
In one embodiment, establishing the association between source address, destination address and event from the security events that have occurred, with the source address as an attacker having an attack value and the destination address as a victim having a victim value, comprises: establishing, from the security events that have occurred, an association between source address, destination address and event weight. Correspondingly, the attack value of a target address depends on the victim values of the destination addresses of all security events in which the target address is the source address together with the weights of those security events, and the victim value of a target address depends on the attack values of the source addresses of all security events in which the target address is the destination address together with the weights of those security events.
In one embodiment, the trusted security events are added to a graph on a graph computation engine such as Spark's graph library, where the vertices are the source and destination IP addresses and the edge connecting a source IP address to a destination IP address carries the event weight. The event weight is derived from the most recent occurrence time of the event, the number of occurrences of the event and the threat level of the event; other required attributes can be added.
For special events, such as the aggregation of multiple events into a single event, the source IP address or destination IP address is replaced by a placeholder: [source IP = 0.0.0.0] or [destination IP = 255.255.255.255]. For many-to-one aggregated events, such as an external DDoS attack on an intranet asset, the source IP is denoted as 0.0.0.0; for one-to-many aggregated events, such as worm propagation within the intranet, the destination IP is denoted as 255.255.255.255.
The address of any node (corresponding to a risk asset) has two attributes: an attack value HUB and a victim value AUT. The attack value of an address depends on the sum of the victim values of all nodes that are destination addresses of events in which this address is the source address, and the victim value of an address depends on the sum of the attack values of all nodes that are source addresses of events in which this address is the destination address. When computing HUB from AUT, the weight associated with each event is taken into account: each AUT is multiplied by its associated event weight and the products are summed to obtain the HUB. Likewise, when computing AUT from HUB, each HUB is multiplied by its associated event weight and the products are summed to obtain the AUT. The event weight is derived from the pre-configured threat level, the occurrence frequency and the time of the last occurrence of the event: the higher the threat level, the larger the weight; the higher the occurrence frequency, the larger the weight; and the more recent the last occurrence, the larger the weight.
Because the AUT of each address associated with an address's HUB should change once that HUB changes, and the HUB in turn should change once its associated AUTs change, the calculation is performed iteratively. The number of iterations has an upper limit, for example 100; normally every HUB and AUT reaches a steady state before the upper limit is reached. To prevent over-fitting through excessive iteration, the iteration should be stopped once the second-highest HUB reaches 40% or more of the highest HUB.
Each address is then sorted by its HUB value, and the risk assets whose addresses rank highest are investigated first; when HUB values are equal, the AUT value is used as a secondary sort key.
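Steps S11 to S13 and the weighted HUB/AUT iteration just described, as an added Python example that is not the patent's own code (the patent discloses no code). The event weight formula, the scaling of each vector to a maximum of 1 after every round, the `Event` fields and the sample events are assumptions made for this illustration; the placeholder addresses 0.0.0.0 and 255.255.255.255, the 100-iteration cap, the 40% stop rule and the HUB-then-AUT ordering follow the text.

```python
"""HITS-style attack (HUB) / victim (AUT) scoring of a security-event graph.

Added illustration, not the patent's code. The weight formula, per-round
scaling and sample events are assumptions made for the example.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Placeholder endpoints the text assigns to aggregated events.
MANY_TO_ONE_SRC = "0.0.0.0"          # e.g. external DDoS against one intranet asset
ONE_TO_MANY_DST = "255.255.255.255"  # e.g. worm spreading from one intranet host
PLACEHOLDERS = {MANY_TO_ONE_SRC, ONE_TO_MANY_DST}


@dataclass
class Event:
    src: str
    dst: str
    threat_level: int                # pre-configured threat level, higher = worse
    count: int                       # number of occurrences of this event
    age_days: float                  # days since the event last occurred
    aggregate: Optional[str] = None  # None, "many_to_one" or "one_to_many"


def event_weight(ev: Event, half_life_days: float = 7.0) -> float:
    """Assumed formula: grows with threat level and occurrence count, and
    halves for every half_life_days since the last occurrence."""
    return ev.threat_level * (1.0 + math.log2(ev.count)) * 0.5 ** (ev.age_days / half_life_days)


def build_graph(events):
    """Edges keyed (src, dst) -> summed weight. Aggregated events are rewritten
    to the placeholder endpoints before insertion (step S11)."""
    edges = defaultdict(float)
    for ev in events:
        src, dst = ev.src, ev.dst
        if ev.aggregate == "many_to_one":
            src = MANY_TO_ONE_SRC
        elif ev.aggregate == "one_to_many":
            dst = ONE_TO_MANY_DST
        edges[(src, dst)] += event_weight(ev)
    return dict(edges)


def _scale(vec):
    """Divide every entry by the maximum so the largest value is 1 (assumption;
    the ordering is unchanged, only overflow across many rounds is avoided)."""
    m = max(vec.values(), default=0.0)
    if m > 0:
        for n in vec:
            vec[n] /= m


def hits_scores(edges, max_iter=100, stop_ratio=0.4, tol=1e-12):
    """Step S12. HUB[v] = sum over edges v->u of w * AUT[u]; AUT[v] = sum over
    edges u->v of w * HUB[u], using the HUBs just updated. Stops at max_iter,
    when both vectors are steady, or (the text's anti-overfitting rule) as soon
    as the second-highest HUB is at least stop_ratio of the highest.
    Returns (hub, aut, iterations_run)."""
    nodes = {n for e in edges for n in e}
    hub = {n: 1.0 for n in nodes}
    aut = {n: 1.0 for n in nodes}
    iterations = 0
    for _ in range(max_iter):
        iterations += 1
        new_hub = {n: 0.0 for n in nodes}
        for (s, d), w in edges.items():
            new_hub[s] += w * aut[d]
        _scale(new_hub)
        new_aut = {n: 0.0 for n in nodes}
        for (s, d), w in edges.items():
            new_aut[d] += w * new_hub[s]
        _scale(new_aut)
        steady = all(abs(new_hub[n] - hub[n]) < tol and abs(new_aut[n] - aut[n]) < tol
                     for n in nodes)
        hub, aut = new_hub, new_aut
        top = sorted(hub.values(), reverse=True)
        if stop_ratio is not None and len(top) > 1 and top[0] > 0 and top[1] >= stop_ratio * top[0]:
            break
        if steady:
            break
    return hub, aut, iterations


def investigation_order(events, **kwargs):
    """Step S13: addresses sorted by HUB, then by AUT for equal HUBs. The
    placeholder endpoints are not real assets and are dropped (assumption)."""
    hub, aut, _ = hits_scores(build_graph(events), **kwargs)
    real = [n for n in hub if n not in PLACEHOLDERS]
    return sorted(real, key=lambda n: (-hub[n], -aut[n], n))


# Constructed sample events (not real alerts); weights under the assumed formula.
SAMPLE_EVENTS = [
    Event("203.0.113.4", "10.0.0.5", threat_level=3, count=4, age_days=0),   # w = 9
    Event("10.0.0.5", "10.0.0.7", threat_level=2, count=2, age_days=0),      # w = 4
    Event("10.0.0.5", "10.0.0.9", threat_level=2, count=1, age_days=7),      # w = 1
    Event("10.0.0.11", "10.0.0.9", threat_level=1, count=1, age_days=0),     # w = 1
    Event("10.0.0.5", "10.0.0.0/24", 3, 1, 0, aggregate="one_to_many"),      # worm, w = 3
    Event("198.51.100.0/24", "10.0.0.7", 2, 1, 0, aggregate="many_to_one"),  # DDoS, w = 2
]

if __name__ == "__main__":
    for rank, ip in enumerate(investigation_order(SAMPLE_EVENTS), 1):
        print(rank, ip)
```

With the sample events the loop stops after the first round, because the second-highest HUB (8/9 for 10.0.0.5) is already above 40% of the highest (203.0.113.4). Calling `hits_scores(build_graph(SAMPLE_EVENTS), stop_ratio=None)` shows why the text wants that rule: the plain power iteration drives every HUB except the top one towards zero, which discards the differentiation the ranking needs.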
In one embodiment, the present disclosure also provides a security event analysis apparatus, as shown in FIG. 2, applied to a network security device, the apparatus comprising: an association module 21 configured to establish, from the security events that have occurred, an association between source address, destination address and event, wherein a source address, as an attacker, has an attack value and a destination address, as a victim, has a victim value; a calculation module 22 configured to calculate an attack value of a target address, the attack value of the target address depending on the victim values of the destination addresses of all security events in which the target address is the source address, the calculation module 22 further being configured to calculate a victim value of the target address, which depends on the attack values of the source addresses of all security events in which the target address is the destination address; and an ordering module 23 configured to set an investigation order for the addresses according to their attack values.
In one embodiment, addresses with the same attack value are given an investigation order according to their associated victim values.
In one embodiment, calculating the attack value of a target address (which depends on the victim values of the destination addresses of all security events in which the target address is the source address) and calculating the victim value of a target address (which depends on the attack values of the source addresses of all security events in which the target address is the destination address) comprises: recalculating the attack values from the updated associated victim values, recalculating the victim values from the updated associated attack values, and stopping the iteration once the number of iterations reaches a preset number.
In one embodiment, establishing the association between source address, destination address and event from the security events that have occurred, with the source address as an attacker having an attack value and the destination address as a victim having a victim value, comprises: establishing, from the security events that have occurred, an association between source address, destination address and event weight. Correspondingly, the attack value of a target address depends on the victim values of the destination addresses of all security events in which the target address is the source address together with the weights of those security events, and the victim value of a target address depends on the attack values of the source addresses of all security events in which the target address is the destination address together with the weights of those security events.
The device embodiments are the same as or similar to the corresponding method embodiments and are not described in detail herein.
In one embodiment, the present disclosure provides an electronic device including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the aforementioned security event analysis method; at the hardware level, its architecture diagram can be seen in FIG. 3.
In one embodiment, the present disclosure provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned security event analysis method.
Here, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions or data. For example, a machine-readable storage medium may be: RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., optical disk, DVD, etc.), a similar storage medium, or a combination thereof.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of the various elements may be implemented in the same one or more software and/or hardware when implementing the present disclosure.
It will be apparent to those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Moreover, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be appreciated by those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (which may include, but are not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The foregoing is merely an embodiment of the present disclosure and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present disclosure, are intended to be included within the scope of the claims of the present disclosure.

Claims (10)

1. A security event analysis method, for use with a network security device, the method comprising:
establishing, according to a security event, an association relation among a source address, a destination address and the event, wherein the source address, acting as an attacker, has an attack value, and the destination address, acting as a victim, has a victim value;
calculating an attack value of a target address, wherein the attack value of the target address is associated with the victim values of the destination addresses of all security events having the target address as their source address;
calculating a victim value of the target address, wherein the victim value of the target address is associated with the attack values of the source addresses of all security events having the target address as their destination address;
and setting an investigation sequence for each address according to the attack value of each address.
2. The method of claim 1, wherein, for addresses having the same attack value, the investigation order is set according to their associated victim values.
3. The method of claim 1, wherein calculating the attack value of the target address (the attack value of the target address being associated with the victim values of the destination addresses of all security events having the target address as their source address) and calculating the victim value of the target address (the victim value of the target address being associated with the attack values of the source addresses of all security events having the target address as their destination address) comprises:
re-calculating the attack value according to the updated associated victim values, re-calculating the victim value according to the updated associated attack values, and stopping the iteration after the number of iterations reaches a preset number.
4. The method of claim 1, wherein:
establishing, according to the security event, the association relation among the source address, the destination address and the event, wherein the source address, acting as an attacker, has an attack value and the destination address, acting as a victim, has a victim value, comprises:
establishing, according to the generated security event, an association relation among the source address, the destination address and an event weight;
calculating the attack value of the target address, wherein the attack value of the target address is associated with the victim values of the destination addresses of all security events having the target address as their source address, comprises:
associating the attack value of the target address with the victim values of the destination addresses of all security events having the target address as their source address and with the weights corresponding to those security events;
and calculating the victim value of the target address, wherein the victim value of the target address is associated with the attack values of the source addresses of all security events having the target address as their destination address, comprises:
associating the victim value of the target address with the attack values of the source addresses of all security events having the target address as their destination address and with the weights corresponding to those security events.
5. A security event analysis apparatus for use with a network security device, the apparatus comprising:
an association module, configured to establish, according to a generated security event, an association relation among a source address, a destination address and the event, wherein the source address, acting as an attacker, has an attack value, and the destination address, acting as a victim, has a victim value;
a computing module, configured to compute an attack value of a target address, wherein the attack value of the target address is associated with the victim values of the destination addresses of all security events having the target address as their source address;
the computing module being further configured to compute a victim value of the target address, wherein the victim value of the target address is associated with the attack values of the source addresses of all security events having the target address as their destination address;
and an ordering module, configured to set an investigation sequence for each address according to the attack value of each address.
6. The apparatus of claim 5, wherein, for addresses having the same attack value, the investigation order is set according to their associated victim values.
7. The apparatus of claim 5, wherein the means for calculating the attack value of the target address (the attack value of the target address being associated with the victim values of the destination addresses of all security events having the target address as their source address) and for calculating the victim value of the target address (the victim value of the target address being associated with the attack values of the source addresses of all security events having the target address as their destination address) comprises:
means for re-calculating the attack value according to the updated associated victim values, re-calculating the victim value according to the updated associated attack values, and stopping the iteration after the number of iterations reaches a preset number.
8. The apparatus of claim 5, wherein:
establishing, according to the security event, the association relation among the source address, the destination address and the event, wherein the source address, acting as an attacker, has an attack value and the destination address, acting as a victim, has a victim value, comprises:
establishing, according to the generated security event, an association relation among the source address, the destination address and an event weight;
calculating the attack value of the target address, wherein the attack value of the target address is associated with the victim values of the destination addresses of all security events having the target address as their source address, comprises:
associating the attack value of the target address with the victim values of the destination addresses of all security events having the target address as their source address and with the weights corresponding to those security events;
and calculating the victim value of the target address, wherein the victim value of the target address is associated with the attack values of the source addresses of all security events having the target address as their destination address, comprises:
associating the victim value of the target address with the attack values of the source addresses of all security events having the target address as their destination address and with the weights corresponding to those security events.
9. An electronic device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to perform the method of any one of claims 1-4.
10. A machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any one of claims 1-4.
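The mutual dependency between attack values and victim values in claims 1-4 (and the association, computing and ordering modules of claims 5-8) is the structure of a HITS-style hub/authority iteration over the event graph: sources score high when they hit high-value victims, and destinations score high when they are hit by high-value attackers. The following Python is an added example written for this page, not code from the patent or from New H3C; the events, addresses and weights are constructed sample data, and the L1 normalisation of the score vectors is an assumption added to keep values bounded across the preset number of iterations, which the claims do not specify.

```python
# Added example, not code from the patent: a HITS-style iteration that
# realises the attack-value / victim-value dependency of claims 1-4 and the
# module structure of claims 5-8 over constructed sample security events.
from collections import defaultdict

# Constructed sample security events as (source, destination, weight).
# Weights play the role of the per-event weight of claims 4 and 8; using a
# weight of 1.0 for every event reduces to the unweighted form of claims 1 and 5.
SAMPLE_EVENTS = [
    ("10.0.0.5", "192.168.1.10", 3.0),   # constructed: repeated high-weight hits
    ("10.0.0.5", "192.168.1.11", 3.0),
    ("10.0.0.5", "192.168.1.12", 1.0),
    ("10.0.0.7", "192.168.1.10", 2.0),
    ("10.0.0.9", "192.168.1.12", 1.0),
    ("10.0.0.8", "192.168.1.12", 1.0),   # same profile as 10.0.0.9 -> tie on attack value
]


def build_association(events):
    """Association module: map each (source, destination) pair to the summed
    weight of the security events observed between them."""
    edges = defaultdict(float)
    for src, dst, weight in events:
        edges[(src, dst)] += weight
    return dict(edges)


def _normalise(scores):
    """L1-normalise a score vector. Normalisation is an assumption added here
    so that values stay bounded across iterations; the claims state only the
    mutual dependency and the preset iteration count."""
    total = sum(scores.values())
    return {a: v / total for a, v in scores.items()} if total else scores


def compute_scores(edges, iterations=20):
    """Computing module: attack[src] = sum of weight * victim[dst] over events
    where src is the source; victim[dst] = sum of weight * attack[src] over
    events where dst is the destination. Each round recomputes attack values
    from the updated victim values, then victim values from the updated attack
    values, and stops after the preset number of iterations (claims 3 and 7)."""
    addrs = {addr for pair in edges for addr in pair}
    attack = {a: 1.0 for a in addrs}
    victim = {a: 1.0 for a in addrs}
    for _ in range(iterations):
        new_attack = {a: 0.0 for a in addrs}
        for (src, dst), w in edges.items():
            new_attack[src] += w * victim[dst]
        attack = _normalise(new_attack)
        new_victim = {a: 0.0 for a in addrs}
        for (src, dst), w in edges.items():
            new_victim[dst] += w * attack[src]
        victim = _normalise(new_victim)
    return attack, victim


def investigation_order(attack, victim):
    """Ordering module: highest attack value first; addresses with equal attack
    values are ordered by victim value (claims 2 and 6). The address string is
    a final deterministic tie-break added here, not part of the claims."""
    return sorted(attack, key=lambda a: (-attack[a], -victim[a], a))


def analyse(events, iterations=20):
    """Run the whole pipeline and return (attack, victim, order)."""
    edges = build_association(events)
    attack, victim = compute_scores(edges, iterations)
    return attack, victim, investigation_order(attack, victim)


if __name__ == "__main__":
    attack, victim, order = analyse(SAMPLE_EVENTS)
    for addr in order:
        print(f"{addr:14s} attack={attack[addr]:.3f} victim={victim[addr]:.3f}")
```

On the constructed data the noisy source 10.0.0.5 is ranked first, the source that only reached the most-attacked server comes second, the two sources with identical event profiles tie on attack value, and the pure destinations (attack value exactly zero) fall to the end of the queue ordered by their victim value, which is the behaviour claims 2 and 6 describe. An analyst can swap in real event records (source, destination, severity weight) without changing the functions.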
CN202111142145.1A 2021-09-28 2021-09-28 Security event analysis method, device, equipment and machine-readable storage medium Active CN113965356B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111142145.1A CN113965356B (en) 2021-09-28 2021-09-28 Security event analysis method, device, equipment and machine-readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111142145.1A CN113965356B (en) 2021-09-28 2021-09-28 Security event analysis method, device, equipment and machine-readable storage medium

Publications (2)

Publication Number Publication Date
CN113965356A CN113965356A (en) 2022-01-21
CN113965356B true CN113965356B (en) 2023-12-26

Family

ID=79462648

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111142145.1A Active CN113965356B (en) 2021-09-28 2021-09-28 Security event analysis method, device, equipment and machine-readable storage medium

Country Status (1)

Country Link
CN (1) CN113965356B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006071985A2 (en) * 2004-12-29 2006-07-06 Alert Logic, Inc. Threat scoring system and method for intrusion detection security networks
CN109861985A (en) * 2019-01-02 2019-06-07 平安科技(深圳)有限公司 IP air control method, apparatus, equipment and the storage medium divided based on risk class
CN110598404A (en) * 2019-09-17 2019-12-20 腾讯科技(深圳)有限公司 Security risk monitoring method, monitoring device, server and storage medium
CN112532631A (en) * 2020-11-30 2021-03-19 深信服科技股份有限公司 Equipment safety risk assessment method, device, equipment and medium
CN113055407A (en) * 2021-04-21 2021-06-29 深信服科技股份有限公司 Asset risk information determination method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN113965356A (en) 2022-01-21

Similar Documents

Publication Publication Date Title
CN110535702B (en) Alarm information processing method and device
CN107423883B (en) Risk identification method and device for to-be-processed service and electronic equipment
CN111859400A (en) Risk assessment method, apparatus, computer system, and medium
WO2016022720A2 (en) Method and apparatus of identifying a transaction risk
CN107231382B (en) Network threat situation assessment method and equipment
CN110458686B (en) Method and device for determining loan risk
CN113486339A (en) Data processing method, device, equipment and machine-readable storage medium
CN110457175B (en) Service data processing method and device, electronic equipment and medium
EP3132569A1 (en) Rating threat submitter
CN112995236A (en) Internet of things equipment safety management and control method, device and system
EP3172692A1 (en) Remedial action for release of threat data
CN111510434A (en) Network intrusion detection method, system and related equipment
CN106375259B (en) Same-user account identification method and device
CN113965356B (en) Security event analysis method, device, equipment and machine-readable storage medium
CN111597093B (en) Exception handling method, device and equipment thereof
CN113992355B (en) Attack prediction method, device, equipment and machine-readable storage medium
CN116070382A (en) Risk prediction method and device for network, processor and electronic equipment
CN113327169B (en) Claims settlement method and device based on block chain and electronic equipment
CN116204876A (en) Abnormality detection method, apparatus, and storage medium
KR101872406B1 (en) Method and apparatus for quantitavely determining risks of malicious code
CN113794727A (en) Method and device for generating threat intelligence feature library, storage medium and processor
Yang et al. Towards Decentralized Trust Management Using Blockchain in Crowdsourcing Networks
CN112437093B (en) Method, device and equipment for determining safety state
CN113872978B (en) DNS hijacking monitoring method and device and electronic equipment
CN112966002B (en) Security management method, device, equipment and machine readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant