CN115632884A - Network security situation perception method and system based on event analysis

Info

Publication number
CN115632884A
Authority
CN
China
Legal status
Granted
Application number
CN202211644978.2A
Other languages
Chinese (zh)
Other versions
CN115632884B (en)
Inventor
赵玉成
徐丽萍
刘冲
Current Assignee
XCMG Hanyun Technologies Co Ltd
Original Assignee
XCMG Hanyun Technologies Co Ltd
Priority application
CN202211644978.2A
Publications
CN115632884A (application), CN115632884B (granted patent)
Current legal status
Active

Classifications (CPC)

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 and H04L63/1408: network security architectures or protocols for detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation (under H04L43/00: arrangements for monitoring or testing data switching networks)
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L63/105 Multiple levels of security (under H04L63/10: network security architectures or protocols for controlling access to devices or network resources)

Abstract

The application provides a network security situation awareness method, system, storage medium and electronic device based on event analysis. The method comprises the following steps: acquiring a usable first event from a message queue; querying the message queue for a second event set of usable events associated with the first event; generating a synthetic event according to the first event and at least one second event in the second event set; and determining a security value of the network according to the first event, the second event set and the synthetic event. The method and device can improve the timeliness of sensing the network security situation.

Description

Network security situation perception method and system based on event analysis
Technical Field
The application relates to the technical field of network information security, in particular to a network security situation perception method and system based on event analysis, a storage medium and electronic equipment.
Background
Network security situation awareness is a newer network security technology that evaluates the security situation of a network in real time from a macroscopic perspective, predicts its development trend, and provides a basis for the administrator's decision analysis. At present, most situation awareness systems ingest the log data of various security devices and display it with charts.
However, ingested log data can only be analyzed after the fact, which makes advance prediction difficult. Furthermore, the data of the various security devices are relatively independent, and as behavior that threatens network security becomes more and more concealed, a combined analysis of risk behavior cannot be achieved by detecting the data of a single device alone, so timely and accurate prediction is difficult.
Disclosure of Invention
In view of the foregoing, there is a need for a method, a system, a storage medium, and an electronic device for sensing network security situation based on event analysis to solve at least one of the above problems.
In a first aspect of the present application, a method for sensing network security situation based on event analysis is provided, including: acquiring a usable first event from a message queue; querying the message queue for a second event set of usable events associated with the first event; generating a synthetic event according to the first event and at least one second event in the second event set; and determining a security value of the network according to the first event, the second event set and the synthetic event.
In a second aspect of the present application, a network security situation awareness system based on event analysis is provided, the system including:
an event acquisition module, configured to acquire a usable first event from the message queue;
an event query module, configured to query the message queue for a second event set of usable events associated with the first event;
an event synthesis module, configured to generate a synthetic event according to the first event and at least one second event in the second event set;
and a network security evaluation module, configured to determine a security value of the network according to the first event, the second event set and the synthetic event.
In a third aspect of the present application, an electronic device is provided, including:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the methods described in the embodiments of the present application.
In a fourth aspect of the present application, a computer-readable storage medium is provided, having executable instructions stored thereon, which when executed by a processor, cause the processor to perform the method described in the embodiments of the present application.
According to the event-analysis-based network security situation awareness method, system, storage medium and electronic device, the concept of an event is introduced to overcome the drawbacks that behavior data is voluminous and poorly readable: the collected basic behaviors are filtered according to configuration and converted into events that are easier to read.
By introducing the concept of a synthetic event, the situation in which raw behaviors come from several systems and cannot be associated because of their disorder is avoided. In addition, a combination of several behaviors that are not harmful in themselves may be harmful, and such harmful behavior can be analyzed by introducing associated events.
For example, consider logging in to a server: a single wrong password is a normal operation, and a single successful login is even more normal, but when the password is wrong many times and then a success occurs, the server may have been brute-forced. This is a case in which several harmless behaviors combine into a harmful one. Likewise, the network behavior of sending mail, combined with the server behavior of moving an encrypted file, allows deeper analysis of the behavior of stealing an encrypted file and sending it out by mail.
Compared with storing the behavior data in a database for analysis, analyzing events by introducing a message queue reduces the consumption of system resources and improves the real-time performance of the analysis. Moreover, some behaviors cannot be analyzed by simple aggregation in a database; they have to be combined with behaviors that came before, or even wait for behaviors that are about to happen.
The message queue, combined with event analysis, sets an effective time and a number of uses for each event, so that an event can keep participating in the analysis: it may be associated by earlier configurations, by later configurations, or it may itself be the starting point of an event. Real-time performance, functionality and extensibility are greatly improved.
By introducing a situation awareness scoring algorithm, the risk level of an event is given a level-weight analysis configuration, making the scoring algorithm more reasonable, more flexible and configurable.
By introducing situation-aware predictive analysis, possible events can be predicted from some behaviors that have already occurred.
Drawings
FIG. 1 is a flowchart illustrating a method for sensing network security situation based on event analysis according to an embodiment;
FIG. 2 is a flow diagram that illustrates the steps of generating events from behavioral data and/or events, in one embodiment;
FIG. 3 is a flow diagram illustrating the generation of a synthetic event based on a first event and at least one second event of a second set of events, according to an embodiment;
FIG. 4 is a schematic flow chart of generating a synthesized event according to a first event and at least one second event in a second event set according to another embodiment;
FIG. 5 is a flow diagram illustrating a process for determining a security value for a network based on a first event, a second event that may be used, and a synthetic event, in one embodiment;
FIG. 6 is a flowchart illustrating a process of calculating level weights in one embodiment;
FIG. 7 is a flow diagram that illustrates a statistical analysis of network security in one embodiment;
FIG. 8 is a block diagram of a network security situation awareness system based on event analysis, according to an embodiment;
FIG. 9 is a block diagram that illustrates the architecture of a network security assessment module in one embodiment;
FIG. 10 is a block diagram of a network security situation awareness system based on event analysis in another embodiment;
FIG. 11 is a diagram of the internal structure of an electronic device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Terms such as "first", "second", etc. may be used herein to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish one element from another. For example, a first event can be termed a second event, and, similarly, a second event can be termed a first event, without departing from the scope of the present application. The first event and the second event are both events, but they are not the same event.
As used herein, the terms "comprises," "comprising," or the like, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
In one embodiment, an event in the present application is generated from the collected network behavior of a user and affects the security of the network. Specifically, an event may be generated from one or more normal or abnormal network behaviors taken by a user in the network, synthesized from one or more already generated events, or generated from a combination of network behaviors and generated events.
An event generated from a single network behavior is a basic event; an event formed by combining or synthesizing several events is a synthetic event. The events incorporated in a synthetic event may be one or more basic events and/or one or more synthetic events. According to how they are combined, synthetic events are divided into aggregate events, associated events and aggregate associated events.
An aggregate event is generated when one event or behavior occurs a configured number of times within a preset time range; an associated event is generated by the serial association of several events; an aggregate associated event is generated by the serial or parallel association of several events. An aggregate associated event can thus be a special associated event or a special aggregate event. Basic event, aggregate event, associated event and aggregate associated event may be the 4 event attributes of an event, and it is understood that the event attributes may also be divided in other ways.
Serial association means that several events are associated linearly: the next event is verified after the previous event has been triggered, and when all configured events are satisfied, the associated event is triggered. The events must be configured in order, and each subsequent event is configured with a rule duration within which it must follow the previous one.
An aggregate associated event is an event generated by the serial or parallel association of several events. Parallel association means an event in which several events satisfy the logical judgment "&&" ("and parallel": the events on both sides of && trigger at the same time) or "||" ("or parallel": either of the events on the two sides of || triggers). Both serial and parallel associations may be configured with aggregate events, and subsequent serial events are configured with a rule duration.
The information of an event comprises one or more items of basic information, such as the event name, event risk category, event risk level, event effective duration, whether the event can be reused, the number of reuses and the number of remaining uses, and may also comprise one or more items of additional information, such as the trigger event, the time interval and the number of triggers.
The event risk category represents the possible degree of security risk of the event and may be divided, for example, into 4 types according to the degree of risk: general network security event, larger network security event, major network security event and particularly major network security event. It is understood that the event risk category may also be divided into another suitable number of categories.
Taking a power monitoring system network as an example, particularly major network security events include: (1) the power monitoring system suffers a network intrusion or hacker attack that causes a large-area grid outage accident; (2) a classified-protection (MLPS) level-4 power monitoring system suffers particularly serious system damage that paralyzes 80% of the system's services; (3) important sensitive information, or key data of more than one month, of an MLPS level-4 power monitoring system is lost, stolen, tampered with or forged, posing a particularly serious threat to the stable operation of the power monitoring system; (4) other network security events that pose a particularly serious threat to the power monitoring system and cause a particularly serious impact.
Major network security events include: (1) an MLPS level-4 power monitoring system suffers serious system damage that interrupts the system for 4 hours or more, or paralyzes more than 30% of its service processing capacity; (2) sensitive information and key data of one week or more are lost, stolen, tampered with or forged, forming a serious threat to national security and social stability; (3) an MLPS level-3 power monitoring system suffers particularly serious system damage that paralyzes 80% of the system's services; (4) important sensitive information, or key data of more than one month, of an MLPS level-3 power monitoring system is lost, stolen, tampered with or forged, posing a particularly serious threat to the stable operation of the power monitoring system; (5) other network security events that pose a particularly serious threat to the power monitoring system and cause a serious impact.
Larger network security events include: (1) an MLPS level-3 power monitoring system suffers serious system damage that interrupts the system for 4 hours or more, or paralyzes more than 40% of its service processing capacity; (2) important sensitive information and key data of one week or more of an MLPS level-3 power monitoring system are lost, stolen, tampered with or forged, threatening national security and social stability; (3) an MLPS level-2 power monitoring system suffers particularly serious system damage that paralyzes the system, with the loss of service processing capacity exceeding 4 hours; (4) malicious code such as viruses, worms or Trojan horse programs is found in the real-time zone of the production control area; (5) the real-time zone network of the production control area is illegally connected to other networks, invalidating the boundary protection capability; (6) other network security events that pose a great threat to the power monitoring system and cause a great impact.
General network security events include: (1) an MLPS level-2 power monitoring system fails and loses its service processing capability; (2) malicious code such as viruses, worms or Trojan horse programs is found in the non-real-time zone of the production control area; (3) network intrusion or hacker attack behavior is discovered but fails to break through the network boundary protection of the production control area; (4) the non-real-time zone network of the production control area is illegally connected to other networks, invalidating the boundary protection capability; (5) a fault in a longitudinal boundary security protection device at the dispatch master station end interrupts data transmission for more than 15 minutes, a fault in a longitudinal boundary security protection device at the plant station end interrupts data transmission for more than 1 hour, or a fault in a transverse boundary network security protection device interrupts data transmission for more than 4 hours; (6) other network security events that pose a certain threat to the power monitoring system and cause a certain impact.
The event risk level is a level representing the degree of security risk an event may pose; it is a different dimension from the division into event risk categories. For example, the risk level may be divided into emergency (indicated by "0"), alert ("1"), critical ("2"), error ("3"), warning ("4"), notice ("5"), informational ("6") and debug ("7"). It is understood that another suitable number of levels may be used. Events of different risk categories may have the same or different risk levels: for example, an event in one category may be a general network security event with risk level 1 or 5, while an event in another category may be a particularly major network security event with risk level 3 or 6.
The electronic device may configure events according to the definition of an event in the present application. For example, several events may be configured as follows.
Example 1, a basic event. Event name: install violation software; event risk level: 4; event risk category: general network security event; event effective duration: infinite; reusable (i.e. "whether it can be reused"): yes; number of reuses: infinite; number of uses: infinite; trigger behavior: install violation software.
Example 2, an aggregate event. Event name: brute force cracking server; event risk level: 4; event risk category: general network security event; event effective duration: infinite; reusable: no; number of reuses: 0; number of uses: 1; trigger event (and/or trigger behavior): server password error; trigger time: 30 minutes; trigger count: 5.
For the generation logic of the brute force cracking server event, the electronic device reads from the message queue the behaviors or events that satisfy the condition (an event satisfies the condition when it is within its effective time and its remaining number of uses is greater than 0). It acquires all server password error events, sorts them by generation time, and analyzes them one by one. Starting from one of these events or behaviors, the 5th event or behavior counted from it is acquired; if the interval between the generation time of that 5th event and the generation time of the current event exceeds the configured trigger time (for example, 30 minutes), or if no 5th item of data exists, the brute force cracking server event is not triggered. If the trigger time is not exceeded, the event is triggered: a brute force cracking server event is generated in the message queue and set to be usable only once and permanently effective. At the same time, the number of remaining uses of each condition-satisfying event, from the current event up to the 5th event, is reduced by 1.
Example 3, an associated event. Event name: steal files (offline); event risk level: 2; event risk category: major network security event; event effective duration: infinite; reusable: no; number of reuses: 0; number of uses: 1. The trigger conditions are as follows:
condition 1: aggregate event: brute force cracking server,
condition 2: within 30 minutes of the previous event, USB device connected,
condition 3: within 30 minutes of the previous event, file moved,
condition 4: within 30 minutes of the previous event, USB removed.
According to the generation logic of the associated event steal files (offline), all events satisfying condition 1 are read from the message queue and analyzed one by one. The event that triggers a condition may be any event other than the associated event itself.
The one-by-one analysis logic is: acquire the event configured in condition 2 within the time interval configured in condition 2; if it does not match, continue analyzing the next event with the same logic. If it matches, continue to match condition 3, and so on, until the last condition is matched successfully, which indicates that the event is triggered: a steal files (offline) event is generated in the message queue and set to be usable only once and permanently effective, and the number of uses of each event that satisfied the conditions is reduced by 1.
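The generation logic of Examples 2 and 3, aggregation followed by serial association with use accounting, as an added example that is not part of the patent; the `Event` dataclass, the in-memory list standing in for the message queue, the per-user matching and the sample timestamps are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    name: str
    time: datetime                          # generation time
    user: str
    risk_level: int = 4
    effective: Optional[timedelta] = None   # None = permanently effective
    uses_left: float = float("inf")         # remaining number of uses

    def usable(self, now: datetime) -> bool:
        """Usable means remaining uses > 0 and still inside the effective duration."""
        if self.uses_left <= 0:
            return False
        return self.effective is None or now <= self.time + self.effective


def usable_events(queue, name, now, user=None):
    """Usable events with the given name (and user, if given), sorted by generation time."""
    return sorted((e for e in queue if e.name == name and e.usable(now)
                   and (user is None or e.user == user)), key=lambda e: e.time)


def aggregate(queue, now, trigger, window, count, out_name, level):
    """Aggregate rule (Example 2): `count` usable `trigger` events of one user inside
    `window` generate one single-use, permanently effective `out_name` event."""
    produced = []
    for user in sorted({e.user for e in queue}):
        cands = usable_events(queue, trigger, now, user)
        for i, start in enumerate(cands):
            if not start.usable(now):            # already consumed by an earlier trigger
                continue
            group = [e for e in cands[i:] if e.usable(now)][:count]
            if len(group) < count:               # no count-th event: not triggered
                break
            if group[-1].time - start.time <= window:
                produced.append(Event(out_name, group[-1].time, user, level, None, 1))
                for e in group:                  # every participant spends one use
                    e.uses_left -= 1
    queue.extend(produced)
    return produced


def associate(queue, now, conditions, out_name, level):
    """Serial association rule (Example 3): conditions = [(name, max_gap)]; each event
    must follow the previously matched event within max_gap (the first gap is unused)."""
    produced = []
    first_name, _ = conditions[0]
    for start in usable_events(queue, first_name, now):
        chain = [start]
        for name, gap in conditions[1:]:
            prev = chain[-1]
            nxt = next((e for e in usable_events(queue, name, now, start.user)
                        if e is not prev and prev.time <= e.time <= prev.time + gap), None)
            if nxt is None:                      # condition not met: try the next start event
                break
            chain.append(nxt)
        if len(chain) == len(conditions):
            produced.append(Event(out_name, chain[-1].time, start.user, level, None, 1))
            for e in chain:
                e.uses_left -= 1
    queue.extend(produced)
    return produced


def run_demo():
    """Constructed queue: alice trips the brute-force rule and then the offline
    file-theft chain; bob only has three password errors."""
    t0 = datetime(2023, 1, 1, 9, 0)

    def m(k):
        return t0 + timedelta(minutes=k)

    hour = timedelta(hours=1)
    queue = [Event("server password error", m(k), "alice", 5, hour, 1) for k in (0, 3, 6, 9, 12)]
    queue += [Event("server password error", m(k), "bob", 5, hour, 1) for k in (0, 4, 8)]
    queue += [Event("USB device connected", m(20), "alice", 5, hour, 1),
              Event("file moved", m(25), "alice", 5, hour, 1),
              Event("USB removed", m(28), "alice", 5, hour, 1)]
    now = m(29)
    out = aggregate(queue, now, "server password error", timedelta(minutes=30), 5,
                    "brute force cracking server", 4)
    out += associate(queue, now, [("brute force cracking server", None),
                                  ("USB device connected", timedelta(minutes=30)),
                                  ("file moved", timedelta(minutes=30)),
                                  ("USB removed", timedelta(minutes=30))],
                     "steal files (offline)", 2)
    return queue, out


if __name__ == "__main__":
    _, out = run_demo()
    for e in out:
        print(e.user, e.name, e.time.strftime("%H:%M"), "level", e.risk_level, "uses left", e.uses_left)
```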
Example 4, an aggregate associated event. Event name: steal files (online); event risk level: 2; event risk category: major network security event; event effective duration: infinite; reusable: no; number of reuses: 0; number of uses: 1. Its related events may include:
event 1: aggregate event: illegal external connection (remote connection, 5 min, 3 times),
event 2: aggregate event: brute force cracking server,
event 3: install violation software (QQ),
event 4: install violation software (WeChat),
event 5: log in to violation website (QQ),
event 6: log in to violation website (WeChat),
event 7: move encrypted file,
event 8: send classified file by mail,
and the trigger condition is: (1 && 2) -> (((3 || 4 || 5 || 6) -> (7)) || (8)).
Condition 1 "1 && 2" indicates that event 1 and event 2 are triggered simultaneously, that is, an illegal external connection and a brute force cracking of the server start at the same time; after condition 1 is satisfied, condition 2 "(((3 || 4 || 5 || 6) -> (7)) || (8))" must be satisfied in turn. For example, either condition 2-1 "((3 || 4 || 5 || 6) -> (7))" or condition 2-2 "(8)" may be satisfied within a preset first duration threshold (for example, 30 minutes) following the previous condition (that is, condition 1).
Condition 2-1 "((3 || 4 || 5 || 6) -> 7)" indicates that after condition 2-1-1 "(3 || 4 || 5 || 6)" is satisfied, event 7 must be satisfied in turn (within a preset second duration threshold). Condition 2-1-1 "(3 || 4 || 5 || 6)" indicates that any one of the 4 events install violation software (QQ), install violation software (WeChat), log in to violation website (QQ) and log in to violation website (WeChat) triggers it; condition 2-1-2 "event 7" then means that, following condition 2-1-1, moving an encrypted file is triggered within 5 minutes. Condition 2-2 "event 8" indicates that sending a classified file by mail is triggered.
For the generation logic of the steal files (online) event, all data of the first condition is acquired first, and the subsequent conditions are then verified one by one. The difference from the association of events above is that each condition is no longer satisfied by a single event but is the result of a logical operation over several events.
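The trigger condition of Example 4 evaluated over constructed per-user event timelines, as an added example that is not part of the patent; the tuple-based expression tree, the `evaluate` function and the sample timestamps are assumptions, "&&" is taken to mean both sides occur within the current window, and "->" to mean the right side is satisfied within the configured duration after the left side:

```python
from datetime import datetime, timedelta
from typing import Optional

# Expression tree for a compound trigger condition (a constructed representation of the
# patent's "&&" / "||" / "->" notation, not its own syntax):
#   ("ev", n)           event n occurred inside the allowed interval
#   ("and", a, b)       parallel "&&": both sides satisfied
#   ("or", a, b)        parallel "||": either side satisfied
#   ("seq", a, b, gap)  serial "->": b satisfied within `gap` after a is satisfied
MIN = timedelta(minutes=1)


def any_of(*ids):
    """Build a left-nested "||" chain such as (3 || 4 || 5 || 6)."""
    node = ("ev", ids[0])
    for i in ids[1:]:
        node = ("or", node, ("ev", i))
    return node


def evaluate(node, events, after=None, deadline=None) -> Optional[datetime]:
    """Return the time at which `node` is satisfied by `events` (a list of (id, time)
    pairs for one user), looking only at events after `after` and no later than
    `deadline`; None when the condition is not satisfied."""
    kind = node[0]
    if kind == "ev":
        hits = sorted(t for i, t in events if i == node[1]
                      and (after is None or t > after)
                      and (deadline is None or t <= deadline))
        return hits[0] if hits else None
    if kind == "and":
        ta = evaluate(node[1], events, after, deadline)
        tb = evaluate(node[2], events, after, deadline)
        return None if ta is None or tb is None else max(ta, tb)
    if kind == "or":
        found = [t for t in (evaluate(node[1], events, after, deadline),
                             evaluate(node[2], events, after, deadline)) if t is not None]
        return min(found) if found else None
    if kind == "seq":
        ta = evaluate(node[1], events, after, deadline)
        if ta is None:
            return None
        # the right side must fall inside its own gap and inside any enclosing window
        limit = ta + node[3] if deadline is None else min(deadline, ta + node[3])
        return evaluate(node[2], events, ta, limit)
    raise ValueError(f"unknown node type {kind!r}")


# Example 4: (1 && 2) -> (((3 || 4 || 5 || 6) -> (7)) || (8)), with the first "->"
# allowed 30 minutes and the inner "->" 5 minutes, the thresholds given in the text.
STEAL_FILES_ONLINE = ("seq",
                      ("and", ("ev", 1), ("ev", 2)),
                      ("or", ("seq", any_of(3, 4, 5, 6), ("ev", 7), 5 * MIN),
                             ("ev", 8)),
                      30 * MIN)


def run_demo():
    """Constructed timelines; returns the satisfaction time ("HH:MM") or None per case."""
    t0 = datetime(2023, 1, 1, 9, 0)

    def m(k):
        return t0 + timedelta(minutes=k)

    cases = {
        # illegal external connection + brute force, WeChat installed, file moved 3 min later
        "wechat_then_move": [(1, m(0)), (2, m(2)), (4, m(10)), (7, m(13))],
        # same start, then the classified file is mailed out 18 minutes later
        "mail_out": [(1, m(0)), (2, m(2)), (8, m(20))],
        # file moved 10 minutes after QQ installed: misses the 5-minute inner window
        "move_too_late": [(1, m(0)), (2, m(2)), (3, m(10)), (7, m(20))],
        # no brute force event at all, so condition 1 (1 && 2) never holds
        "missing_bruteforce": [(1, m(0)), (8, m(5))],
    }
    result = {}
    for name, timeline in cases.items():
        t = evaluate(STEAL_FILES_ONLINE, timeline)
        result[name] = None if t is None else t.strftime("%H:%M")
    return result


if __name__ == "__main__":
    for case, when in run_demo().items():
        print(f"{case}: {'not triggered' if when is None else 'triggered at ' + when}")
```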
In one embodiment, a method for sensing network security situation based on event analysis is provided, which is shown in fig. 1 and includes:
step 102, a first event that can be used is obtained from a message queue.
In this embodiment, the event is stored in a message queue, and the event may include events of various attributes, such as the basic event, the composite event, and the like. The first event is an event to be subjected to security threat analysis on the network, and the first event is an event in a usable state.
The event in the message queue is correspondingly provided with a usable or not flag, and the flag can be determined according to the relevant information of the event. The usable event represents an event that can be analyzed for cyber security threats, and the unusable event represents an event that has been analyzed or expired or used for a number of times, etc., and is no longer taken for cyber security threat analysis.
The information of the first event comprises one or more of an event name, an event category, an event risk level, event usage information, additional information and the like. The event usage information may reflect whether the corresponding event is available.
Specifically, the event usage information may include one or more of whether the event can be reused, the number of times of reuse, the number of remaining uses, the event effective duration, and the like. For example, when the remaining number of uses is 0, or the event validity duration has expired with respect to the current analysis time, it indicates that the event is not available. And when the residual using times are more than 0 and the previous time is within the effective time of the event, the event is a usable event.
Different events are correspondingly configured with the same or different use information. For example, the effective duration configured for installing illegal software, brute force cracking a server, stealing a file (offline), stealing a file (online), and other events is permanent; the effective duration configured for the USB device connection event and the login violation website event may be a suitable duration such as 30 minutes or 1 hour.
The electronic device may detect whether each event is in a usable state from the message queue, or select whether a recently generated event is in a usable state from the message queue, and filter the usable event as the first event. Wherein the recent period may be any suitable predetermined period, such as any suitable period within 10 minutes, within 1 hour, within 2 hours, within 1 day, etc.
At step 104, a second event set that can be used in association with the first event is queried from the message queue.
The second event set comprises at least one usable second event. The information of each second event may include one or more items of basic information such as the event name, event risk category, event risk level, event effective duration, whether the second event can be reused, the number of reuses and the number of remaining uses, and may further include one or more items of additional information such as a trigger event, a time interval and the number of triggers.
Some behaviors that threaten network security usually consist of a series of individually non-threatening behaviors, and some major threatening behaviors consist of a series of minor threatening behaviors. For example, installing a non-allowed application (e.g., WeChat, QQ, etc.) is classified as a minor threat behavior or event, and sending a file may be a normal behavior, but sending files multiple times through a non-allowed application may pose a larger threat. Similarly, a single password entry error is generally a normal action, but frequently entering a password within a short period may be a dangerous action indicating that a brute force attack on the password is in progress.
Therefore, the electronic device configures in advance the association relationships between different events based on the logical relationships between various risk behaviors; based on these association relationships it can query the message queue for the events associated with the first event, and take the usable associated events as second events. Events that have an association relationship may produce a synthetic event.
For example, the electronic device is pre-configured such that the install illegal software event has an association relationship with events such as brute force cracking a server and moving an encrypted file. When the first event is a move encrypted file event, the usable brute force server and install illegal software events are queried from the message queue based on the association relationship and may be used as second events. Associations may be defined by event name, and the electronic device queries the message queue for second events by the names of the usable events.
It is understood that the formation of a composite event cannot be separated from the existence of at least one first event and at least one second event having an association relationship, but at least one first event and at least one second event having an association relationship do not necessarily generate the corresponding composite event. Preferably, the first event and the second event in the present application may be events generated by the same user.
For example, the related event "steal a file (offline)" in example 3 above is a synthetic event formed from events such as brute force cracking a server, USB device connection, file movement and USB removal, but these events must satisfy a certain logical relationship (for example, a time limit between their occurrences) to trigger the formation of the steal file (offline) event.
The electronic device may detect whether the first event has at least one corresponding synthetic event, and if so, for each such synthetic event, query whether the events required by its basic condition exist, and use the queried events as second events. Preferably, both the first and second events mentioned are usable events.
Step 106, generating a synthetic event according to the first event and at least one second event in the second event set.
In this embodiment, the electronic device may detect whether the combination of the queried first event and second events satisfies the trigger condition of a synthetic event, and if so, generate the corresponding synthetic event. In addition to a basic condition, such as the required events, the trigger condition may further include additional condition information such as the occurrence time interval between events.
All the independent events or behaviors required to compose a composite event form the basic condition for triggering it, and the logical relationship that must hold between those independent events forms the additional condition. Some synthetic events only need to satisfy the basic condition, while others must satisfy both the basic condition and the additional condition. For example, the basic condition of the "steal file (offline)" trigger described above includes the brute force server, USB device connection, file movement and USB removal events, and the additional condition includes the logical relationships between these events, such as time limits between their occurrences.
For example, if the first event is a file moving event, the queried second events include a brute force cracking server event, a USB device connection event and a USB removal event, and the occurrence time intervals between these events satisfy the additional condition of the file stealing (offline) trigger, then a file stealing (offline) event can be synthesized from the first event and the second events; this file stealing (offline) event is a synthesized event.
The information of the synthetic event may also include one or more of a corresponding event name, an event attribute, an event risk category, an event risk level, event usage information, additional information, and the like.
Step 108, determining the security value of the network according to the first event, the usable second event and the composite event.
In this embodiment, the electronic device presets, for various events, their threat values to network security or the manner of calculating them; after determining the corresponding event, it may query or calculate the corresponding threat value and determine the security value of the network based on it. The threat value may be determined according to the event risk level and event risk category of the event.
In one embodiment, the greater the threat value, the greater the security threat the corresponding event poses to the network. The larger the security value, the higher the security factor of the network and the safer the network. The threat value and the security value are negatively correlated: the larger the threat value, the smaller the security value.
In one embodiment, the electronic device may calculate the respective threat values of the first event, the second event and the synthetic event to network security, and determine the security value of the network based on the largest of them. Alternatively, the threat values of the first event, the second event and the synthetic event may be weighted and summed, and the security value of the network determined based on the summed threat value. The weight coefficients may be preset fixed weights, or suitable weights automatically calculated from the related events.
According to the network security situation awareness method based on event analysis, event analysis is performed in the message queue instead of the database, which improves the real-time performance of network security analysis and reduces the consumption of analysis resources. Meanwhile, analysis in the message queue allows the concept of association to be introduced between events, so that originally disorderly behaviors can be associated, and combinations of individually harmless behaviors that together form a harmful behavior can be found in time or even judged in advance, further improving the timeliness of network security situation perception.
Meanwhile, the usability of events is also considered, so that only effective events participate in analysis and are associated with other events, further improving the real-time performance, functionality and extensibility of network security situation perception.
In one embodiment, the method further comprises a step of generating an event according to behavior data and/or events; the generated event may be the first event described above. As shown in FIG. 2, the step of generating an event includes:
Step 202, collecting behavior data of users from at least one data end, and storing the behavior data into the message queue.
In this embodiment, the electronic device may collect behavior data of all or some of the security assets in the network environment requiring situational awareness. The data end comprises one or more of a host end, a server end, a network data end, a database end, a network security device end, an application system, and a security-system-data-related device end.
For the host end, data can be collected by installing a client, and the collected and analyzed behavior data may include one or more of the following: logins, including user login behavior; users, including adding, deleting and modifying users; files, including opening, creating, writing, renaming, deleting, moving and printing files; hardware, including configuring, connecting and removing hardware; software, including installation, uninstallation and use of software, absence of antivirus software, and a virus library not updated for a long time; system services, including starting and stopping services; and other behaviors, including modification of IP addresses, power on, power off, external connection, etc.
For the server end, data is likewise collected by installing a client, and the collected and analyzed behavior data may include one or more of the following: status monitoring, including starting and stopping of network ports, starting and stopping of processes, excessively high memory usage, a full hard disk, etc.; users, including adding, deleting and modifying users; logins, including user login behavior; files, including opening, creating, writing, renaming, deleting, moving and printing files; hardware, including configuring, connecting and removing hardware; software, including installation, uninstallation and use of software, absence of antivirus software, and a virus library not updated for a long time; system services, including starting and stopping services; and other behaviors, including modification of IP addresses, power on, power off, external connection, etc.
For behavior data of the network data end, all network packets passing through the switch can be obtained from the switch mirror port by bypass packet capture with dedicated hardware and analyzed; the collected and analyzed content includes one or more of the following: HTTP access behavior; TELNET access behavior; FTP access behavior; NetBIOS access behavior; mail transmission behavior over SMTP and POP3; DNS resolution behavior; SNMP access behavior; and NFS access behavior.
For data at the database end, a bypass technique can likewise be used: remote connection operations on the database are analyzed from the switch mirror port with dedicated hardware, and the collected and analyzed behavior data may include one or more of the following: database connection behavior; database users, including adding, deleting and modifying users; and SQL statement execution, including insert, update, delete, create table, alter table, drop table, create database and truncate table statements, etc.
For data of the network security device end, the network security devices include firewalls, switches, bastion hosts, etc.; their data is collected by interface integration or by syslog forwarding, and the collected and analyzed behavior data may include one or more of the following: attack behavior detected by the firewall; anti-virus behavior detected by the firewall; blocking behavior of the firewall; firewall system alarms of warning level and above; switch system alarms of warning level and above; logins to assets through the bastion host; and bastion system alarms of warning level and above.
For the application system and the security-system-data-related devices, log data of the application system can be collected by interface integration, and the collected and analyzed behavior data may include one or more of the following: login, operation and alarm behaviors of the application system; login, operation and alarm behaviors of the security system; and traffic data of the security system.
In this embodiment, the data of each data end is collected and stored in the message queue, so that the data of every data end can be analyzed and the comprehensiveness of the data sources is improved.
Step 204, analyzing the behavior data according to preset event trigger conditions.
In one embodiment, the analyzed content may include, in addition to the behavior data, the generated usable events.
In this embodiment, the electronic device presets the trigger conditions of various events, where a trigger condition includes a basic condition specifying which behavior data can be used for the trigger analysis of the event. Preferably, it may further include additional conditions, such as one or more of the number of occurrences, occurrence time, occurrence frequency, serial association between events and parallel association between events of the behavior data and/or events that can be analyzed. Different behavior data correspond to different triggered events. The electronic device establishes in advance the basic conditions and/or additional conditions corresponding to various events, and based on this correspondence, the events that may be generated by a behavior can be queried from the message queue.
For example, trigger conditions are preset for events with different attributes such as basic events, aggregation events, association events and aggregation association events, or further, a trigger condition is set for each individual event, such as the trigger conditions of the install illegal software event, brute force server event, file stealing (offline) event and file stealing (online) event configured as described above.
Specifically, the electronic device may read from the message queue the behaviors and/or events that satisfy a basic condition. The basic condition is the basis on which a related behavior and/or event can generate an event. For example, an illegal installation behavior is the basic condition of the install illegal software event; a server password error behavior is the basic condition of the brute force server event; the behaviors of file movement, USB device connection, USB removal, etc. are the basic conditions of the steal file (offline) event; and the move encrypted file behavior is the basic condition of the steal file (online) event.
After the events that may be triggered or generated by a certain behavior are screened out based on the correspondence of basic conditions, it is further detected whether the one or more behaviors corresponding to the same possibly triggered event satisfy the additional conditions. If they are satisfied, the corresponding event can be generated; if not, it is not generated.
Taking the brute force server event described above, the electronic device may read from the message queue the behaviors and/or events that satisfy the basic condition of the brute force server event. Here, an event and/or behavior satisfying the basic condition means one that is within its effective time and whose number of remaining uses is greater than 0.
After all server password error events and/or behaviors are acquired, further analysis is carried out according to the additional condition of the brute force server event. The additional condition is that the server password error behaviors and/or events have been triggered no fewer than 5 times, and the trigger times of those 5 behaviors and/or events fall within 30 minutes.
The events and/or behaviors are ordered by generation time and analyzed one by one. If the interval between the generation time of the 5th event and that of the current event exceeds the configured trigger time (such as 30 minutes), or if there is no 5th record, the additional condition is not met and the brute force server event is not triggered. If the trigger time is not exceeded, the additional condition is met, and a brute force server event can be generated in the message queue by event triggering.
In one embodiment, after step 204 the method further comprises: detecting whether the basic conditions of the event to be generated, corresponding to the preliminarily screened behaviors that satisfy the basic conditions, also include other behavior data and/or events; if so, querying the message queue for the generated events related to the event to be generated, and performing trigger analysis on the event to be generated according to the generated events and the screened behavior data.
In this embodiment, if the event corresponding to the behavior data is a synthetic event as described above, its trigger condition requires other corresponding events in addition to the behavior data. The electronic device can search for the generated events related to the synthetic event to be generated according to its trigger condition, and determine whether that trigger condition is satisfied by combining the behavior data with the found generated events.
Specifically, for example, the behavior data in step 202 may be file movement behavior data, whose corresponding events to be generated may include steal file (offline); the electronic device may then detect that the basic conditions of the steal file (offline) event further include a brute force server event, a USB device connection behavior and a USB removal behavior, query the message queue based on these basic conditions for a usable brute force server event, USB device connection behavior and USB removal behavior, and if all of them exist, perform additional condition analysis based on the found results.
Step 206, generating a corresponding event according to the behavior data satisfying the event trigger condition, and marking the use of the behavior data satisfying the event configuration rule.
When the analysis finds that an event trigger condition is satisfied, the corresponding event can be generated; for example, the above-mentioned install illegal software event, brute force server event, steal file (offline) event and steal file (online) event can be generated.
Further, after the corresponding event is generated, the behavior data and/or events used to generate it may be marked as used, indicating that a new event has been generated using that behavior data and/or event.
For example, when the brute force server event is generated, information such as the event name, event risk level, event risk category, event effective duration, number of reuses and number of uses of the event may be generated; for example, the event is set to be usable only once and permanently valid. Meanwhile, the number of uses of each of the events and/or behaviors that satisfy the condition, from the current item through the 5th item, is reduced by 1, and when the number of uses becomes 0, the item is no longer usable.
Compared with the traditional method of analyzing behavior data directly by user, this embodiment introduces the concept of an event: the network behavior data is filtered through the configuration information of events, and the filtered behaviors are converted into events that are easier to interpret, which improves the convenience and efficiency of the subsequent situation analysis of network security.
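The brute force server trigger of steps 204 and 206 as a worked example in Python, added here and not taken from the patent: a constructed in-memory list stands in for the message queue, the rule of 5 password errors within 30 minutes is evaluated newest-first against usable records only, and the five consumed behaviors are marked as used so they cannot feed a second event. The Record structure, the 1-hour effective duration of a password error behavior, the timestamps and the user name are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Record:
    """One behaviour or event in the constructed in-memory message queue."""
    name: str
    user: str
    time: datetime
    valid_for: Optional[timedelta]  # None means permanently valid
    uses_left: int                  # the record is usable while this is > 0

    def usable(self, now: datetime) -> bool:
        in_validity = self.valid_for is None or now - self.time <= self.valid_for
        return in_validity and self.uses_left > 0


# Trigger configuration for the "brute force server" event (values from the text).
PASSWORD_ERROR = "server password error"
BRUTE_FORCE = "brute force server"
REQUIRED_COUNT = 5
WINDOW = timedelta(minutes=30)


def push_password_error(queue: List[Record], user: str, now: datetime) -> Optional[Record]:
    """Store a new password-error behaviour in the queue, then run the
    brute-force trigger analysis for it. Returns the generated event, or None."""
    # Assumed: a password-error behaviour stays effective for 1 hour, single use.
    current = Record(PASSWORD_ERROR, user, now, timedelta(hours=1), 1)
    queue.append(current)
    # Basic condition: usable password-error behaviours of the same user.
    hits = [r for r in queue if r.name == PASSWORD_ERROR and r.user == user and r.usable(now)]
    hits.sort(key=lambda r: r.time, reverse=True)  # newest first, current is hits[0]
    # Additional condition: a 5th record exists and lies within the 30-minute window.
    if len(hits) < REQUIRED_COUNT:
        return None
    fifth = hits[REQUIRED_COUNT - 1]
    if now - fifth.time > WINDOW:
        return None
    # Trigger: generate the event (single use, permanently valid) and mark the
    # five consumed behaviours so they cannot feed a second brute-force event.
    for r in hits[:REQUIRED_COUNT]:
        r.uses_left -= 1
    event = Record(BRUTE_FORCE, user, now, None, 1)
    queue.append(event)
    return event


def demo() -> List[int]:
    """Replay a constructed sequence of password errors for one user and return
    the minutes (after t0) at which a brute-force-server event was generated."""
    t0 = datetime(2023, 1, 1, 9, 0)
    queue: List[Record] = []
    triggered = []
    # 4 quick errors, a 37-minute gap, then 6 quick errors: the window rule
    # fires at minute 44 (minutes 40..44), and the use marking stops minute 45
    # from firing again even though minutes 41..45 also lie within 30 minutes.
    for minute in [0, 1, 2, 3, 40, 41, 42, 43, 44, 45]:
        if push_password_error(queue, "alice", t0 + timedelta(minutes=minute)):
            triggered.append(minute)
    return triggered
```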
In one embodiment, as shown in FIG. 3, step 106 includes:
Step 302, performing a first screening of the second events in the second event set according to the basic conditions of the synthetic event to be generated, to screen out the events that the synthetic event to be generated needs to include.
After all the second event sets associated with the first event are queried, the combination of the first event with one part A of the second events may generate a certain synthetic event A, while the combination of the first event with another part B of the second events may generate a certain synthetic event B.
Preferably, a synthetic event that the first event may generate is taken as the synthetic event to be generated, and the second event set is filtered according to the basic conditions required by that synthetic event, so as to screen out all events related to it.
For example, the first event is a brute force server event, which may trigger composite events including both the steal file (offline) event and the steal file (online) event. The electronic device may perform a separate synthesis analysis for each synthetic event that may be generated.
Taking the steal file (offline) event as an example, the events it needs to contain, besides the brute force server event, include a USB device connection event, a file moving event and a USB removal event. The second event set may be queried for the corresponding USB device connection, file moving and USB removal events, and these events are screened out.
Step 304, detecting whether the first event and the first-screened second events satisfy all events required by the synthetic event to be generated. If all events are satisfied, go to step 306.
After screening out the events required by the synthetic event to be generated, the electronic device may detect whether the screened events already contain all the required events. For example, for the steal file (offline) event, if the screened events contain only a file moving event but lack the USB device connection event and USB removal event, not all required events are satisfied; if all 3 events are present and the first event (brute force server event) is added, it is determined that all events required by the composite event to be generated are satisfied.
If not, and the synthetic event to be generated is an aggregation association event, detect whether the first event and the first-screened second events satisfy the necessary events required by the synthetic event; if the necessary events are satisfied, associate the first event and the first-screened second events according to the association requirement between the events that the synthetic event to be generated needs to include, detect whether the associated events satisfy the association requirement of the synthetic event to be generated, and if so, execute step 306.
In one embodiment, all events required by the synthetic event to be generated are necessary events, and when a necessary event is not satisfied, the corresponding synthetic event cannot be generated. For the aggregation events and association events described above, all required events are necessary events. For example, for the steal file (offline) aggregation event, the 4 events it requires, namely brute force server, USB device connection, file movement and USB removal, are all necessary events, and the steal file (offline) aggregation event cannot be generated if any one of them is missing.
In an embodiment, the events required by the synthetic event to be generated may have multiple alternatives; the events in the intersection of all alternatives are necessary events, events outside the intersection may be non-necessary events, and the electronic device does not consider the corresponding synthetic event impossible to generate merely because not all events are present. For example, the synthetic event to be generated is an aggregation association event, and there are various alternatives for the events required to generate it.
For example, take the steal file (online) aggregation association event. The events it includes comprise at least: event 1, an aggregation event, illegal external connection (remote connection, 5 min, 3 times); event 2, an aggregation event, brute force server; event 3, install illegal software (QQ); event 4, install illegal software (WeChat); event 5, log in to illegal website (QQ); event 6, log in to illegal website (WeChat); event 7, move encrypted file; event 8, send a confidential file by e-mail; and so on. However, not all 8 events are needed to generate the steal file (online) aggregation association event; it cannot be generated at all if event 1 or event 2 is lacking, so event 1 and event 2 are necessary events, and the remaining events 3 to 8 are non-necessary events.
If the event to be generated is the steal file (online) aggregation association event, and the first event and the first-screened events include all of events 1 to 8, they are considered to satisfy all events; if not all of events 1 to 8 are included, they are considered not to satisfy all events. However, if event 1 and event 2 are included, the necessary events are satisfied; if event 1 and event 2 are not both included (including only event 1 or only event 2 is not enough), the necessary events are not satisfied.
For the case where the necessary events are satisfied but not all events, association can be performed according to the association requirement of the synthetic event to be generated for each required event, where association includes serial association and parallel association. For example, for the steal file (online) aggregation association event, association is performed according to the expression "(1 && 2) -> (((3 || 4 || 5 || 6) -> (7)) || (8))"; if only event 8 is lacking, the association relationship formed is "(1 && 2) -> ((3 || 4 || 5 || 6) -> (7))"; if only event 7 is lacking, it forms "(1 && 2) -> ((3 || 4 || 5 || 6) || (8))"; and if only events 7 and 8 are lacking, it forms "(1 && 2) -> (3 || 4 || 5 || 6)".
Based on the association requirement configuration of the aggregation association event, the electronic device performs association requirement detection on the formed associated events; it can be seen that the association combinations lacking only event 7 or lacking only event 8 satisfy the association requirement, but the combination lacking both events 7 and 8 does not.
Step 306, detecting whether the occurrence times of the first event and the first-screened second events satisfy the first time limit required by the synthetic event to be generated, and if so, executing step 308.
In this embodiment, because the user's behaviors have a time sequence relationship, the electronic device may compare the interval between the generation time of each event and the other events among the first event and the screened second events, and check whether the interval satisfies the first time limit. For example, among the events 1 to 8 required by the steal file (online) event, the time limit between event 1 and event 2 is ∞ (infinity, that is, no time limit), and the time limit between event 2 and events 3 to 6 is 30 minutes, that is, events 3 to 6 occur within 30 minutes after event 2 occurs.
Specifically, the electronic device may sort the first event and the screened second events by generation time, and detect whether the time between each earlier event and every later event in the sorted order is within the corresponding first time limit; if so, execute step 308, and if not, do not generate the corresponding synthetic event.
Step 308, generating a synthetic event based on the first event and the first-screened second events.
In this embodiment, by generating a synthetic event based on the relationship between multiple events, it is possible to know more accurately whether the user's behavior may threaten network security.
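Steps 304 to 308 for the steal file (online) aggregation association event as a worked example in Python, added here and not part of the patent: the association expression "(1 && 2) -> (((3 || 4 || 5 || 6) -> (7)) || (8))" is evaluated against the events actually present, the necessary-event check for events 1 and 2 is applied, and the first time limits given in the text (no limit between events 1 and 2, 30 minutes from event 2 to events 3 to 6) are checked on the generation times. The nested-tuple encoding of the expression, the serial "->" semantics, the unlimited interval assumed for pairs the text does not mention, and the sample timestamps are assumptions.

```python
from datetime import datetime, timedelta
from typing import Any, Dict, FrozenSet, Optional, Tuple, Union

# Association expression tree (assumed encoding). A leaf is an event number; a
# node is ("and", ...), ("or", ...) or ("seq", ...) for "&&", "||" and "->".
Expr = Union[int, Tuple[Any, ...]]

# Configuration of the "steal file (online)" aggregation association event from
# the text: "(1 && 2) -> (((3 || 4 || 5 || 6) -> (7)) || (8))".
STEAL_FILE_ONLINE: Expr = (
    "seq",
    ("and", 1, 2),
    ("or", ("seq", ("or", 3, 4, 5, 6), 7), 8),
)
NECESSARY_EVENTS = frozenset({1, 2})
# First time limits between event pairs; None is the text's infinity (no limit).
# The text gives only 1->2 and 2->3..6; every other pair is assumed unlimited.
TIME_LIMITS: Dict[Tuple[int, int], Optional[timedelta]] = {(1, 2): None}
TIME_LIMITS.update({(2, n): timedelta(minutes=30) for n in (3, 4, 5, 6)})


def association_satisfied(expr: Expr, present: FrozenSet[int]) -> bool:
    """Step 304: does the set of present events satisfy the association
    requirement? "&&" needs every operand, "||" at least one, and a serial
    "->" needs every stage, so lacking event 7 or 8 alone still passes but
    lacking both fails, as the text describes."""
    if isinstance(expr, int):
        return expr in present
    op, *operands = expr
    results = [association_satisfied(o, present) for o in operands]
    return any(results) if op == "or" else all(results)


def time_limits_satisfied(times: Dict[int, datetime]) -> bool:
    """Step 306: each configured pair must occur in order and within its limit."""
    for (earlier, later), limit in TIME_LIMITS.items():
        if earlier in times and later in times:
            gap = times[later] - times[earlier]
            if gap < timedelta(0) or (limit is not None and gap > limit):
                return False
    return True


def synthesize(times: Dict[int, datetime]) -> str:
    """Run steps 304 to 308 on the first event plus the first-screened second
    events, given as event number -> generation time; returns the outcome."""
    present = frozenset(times)
    if not NECESSARY_EVENTS <= present:
        return "necessary events missing"
    if not association_satisfied(STEAL_FILE_ONLINE, present):
        return "association requirement not met"
    if not time_limits_satisfied(times):
        return "first time limit not met"
    return "steal file (online) generated"


def demo() -> Dict[str, str]:
    """Constructed scenarios from the text, returned as scenario -> outcome."""
    t0 = datetime(2023, 1, 1, 9, 0)
    minutes = {1: 0, 2: 5, 3: 10, 4: 12, 5: 15, 6: 20, 7: 40, 8: 50}
    base = {n: t0 + timedelta(minutes=m) for n, m in minutes.items()}

    def without(*missing: int) -> Dict[int, datetime]:
        return {n: t for n, t in base.items() if n not in missing}

    late = dict(base)
    late[3] = t0 + timedelta(minutes=45)  # event 3 now 40 minutes after event 2
    return {
        "all events": synthesize(base),
        "lacking 8": synthesize(without(8)),
        "lacking 7": synthesize(without(7)),
        "lacking 7 and 8": synthesize(without(7, 8)),
        "lacking 2": synthesize(without(2)),
        "event 3 too late": synthesize(late),
    }
```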
In one embodiment, as shown in FIG. 4, step 106 includes:
and 402, performing second screening on the second event set to screen out the events which are in serial association with the first events.
All events required for generating the associated events have a serial association and parallel association relationship. In this embodiment, all second events having a serial association with the first event may be queried first.
And step 404, performing third screening on the second screened events, and screening out events which are within a second time length corresponding to the event occurrence time of the first event.
For all the second events screened out in the second screening, the second events can be analyzed according to the time limit among the events in the aggregation related events to be generated, and the events meeting the requirements within the corresponding time length are screened out.
For example, the brute force server events are serially associated with events such as logging-in illegal websites and mobile encrypted files, the occurrence time range between the events is required to be within 0-30 minutes, whether the event range between the events meets corresponding configuration is detected, if yes, the events are reserved, and if not, corresponding events which are not met are eliminated.
And 406, performing fourth screening on the second event set to screen out events which have parallel association with the first event.
And step 408, performing fifth screening on the fourth screened events, and screening out events of which the event occurrence time is within a third time length corresponding to the event occurrence time of the first event.
Similarly, the electronic device also conducts screening of parallel associated events on the first event, and detects whether the time length requirement of the event to be generated on the required events is also met between the events with parallel association.
For example, the above-mentioned violation software installation (QQ), violation software installation (wechat), violation website login (QQ), and violation website login (wechat) have a parallel association relationship, and the electronic device may detect whether the time duration between these events satisfies the time duration interval required by the event to be generated.
And step 410, performing serial association and parallel association combination on the first event, the third screened event and the fifth screened event according to the occurrence time sequence of the events.
In step 412, it is detected whether the combined event satisfies the trigger condition of any synthetic event, and if so, a synthetic event corresponding to the satisfying of the trigger condition is generated.
In this embodiment, the first event and the events selected according to the third and fifth screens are the events 1 to 8, and the combination of the serial association and the parallel association performed according to the event occurrence time has a combination of "(1 & & 2) - > (((3 | |4| |5| | 6) - > (7)) | (8))", so that it can be recognized that the triggering condition of the file (online) stealing event is satisfied, and a corresponding file (online) stealing event can be generated.
If the first event and the events selected according to the third screening and the fifth screening are the events 1 to 6, respectively, and the combination formed is "(1 & & 2) - > ((3 | |4| |5| | 6)", which does not satisfy the trigger condition of any event, a corresponding combination event cannot be generated.
In this embodiment, by combining the serial and parallel associations between events with the limits on event occurrence time, a synthetic event that meets the requirements can be generated, so that whether a user's behavior threatens network security can be determined more accurately.
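The combination-and-trigger check of steps 404 to 412, as an added example that is not the patent's own code: it parses a trigger expression in the page's notation and tests whether a time-ordered set of screened events satisfies it. The grammar ("->" serial, "||" any branch, "&&" all branches, "->" binding loosest), the `Event` fields and the sample times are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: int    # unique identifier of the event instance
    event_type: int  # numbered event type, as in the page's "events 1 to 8"
    time: float      # occurrence time in seconds (constructed sample values)


# Assumed grammar: "->" serial association (right side must occur after the left
# side completes), "||" parallel association where any one branch suffices,
# "&&" parallel association where every branch must occur; "->" binds loosest.
TOKEN_RE = re.compile(r"\s*(\d+|&&|\|\||->|[()])")


def tokenize(expr):
    expr, pos, tokens = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser producing a tuple AST: ('ev', n), ('and', [...]),
    ('or', [...]) or ('seq', left, right)."""

    def __init__(self, expr):
        self.toks = tokenize(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        cur = self.peek()
        if cur is None or (expected is not None and cur != expected):
            raise ValueError(f"expected {expected!r}, got {cur!r}")
        self.i += 1
        return cur

    def parse(self):
        node = self.parse_seq()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def parse_seq(self):  # lowest precedence, right-associative
        left = self.parse_or()
        if self.peek() == "->":
            self.take()
            return ("seq", left, self.parse_seq())
        return left

    def parse_or(self):
        items = [self.parse_and()]
        while self.peek() == "||":
            self.take()
            items.append(self.parse_and())
        return items[0] if len(items) == 1 else ("or", items)

    def parse_and(self):
        items = [self.parse_atom()]
        while self.peek() == "&&":
            self.take()
            items.append(self.parse_atom())
        return items[0] if len(items) == 1 else ("and", items)

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_seq()
            self.take(")")
            return node
        if tok.isdigit():
            return ("ev", int(tok))
        raise ValueError(f"unexpected token {tok!r}")


def earliest_end(node, events, after):
    """Earliest time at which `node` can be completed using events later than
    `after`, or None if it cannot. Greedy earliest completion is optimal here
    because any event of a type may serve any leaf of that type."""
    kind = node[0]
    if kind == "ev":
        times = [e.time for e in events if e.event_type == node[1] and e.time > after]
        return min(times) if times else None
    if kind == "and":
        ends = [earliest_end(c, events, after) for c in node[1]]
        return None if any(t is None for t in ends) else max(ends)
    if kind == "or":
        ends = [t for t in (earliest_end(c, events, after) for c in node[1]) if t is not None]
        return min(ends) if ends else None
    left_end = earliest_end(node[1], events, after)  # kind == "seq"
    return None if left_end is None else earliest_end(node[2], events, left_end)


def screen_by_window(first, candidates, max_gap):
    """Steps 404-408: keep only candidates whose occurrence time lies within
    max_gap seconds of the first event's occurrence time."""
    return [first] + [e for e in candidates
                      if e is not first and abs(e.time - first.time) <= max_gap]


def matches_trigger(expr, events):
    """Step 412: does the screened event set satisfy the synthetic event's trigger?"""
    return earliest_end(Parser(expr).parse(), events, float("-inf")) is not None


# The page's file (online) stealing trigger, in the same notation.
FILE_THEFT_TRIGGER = "(1 && 2) -> (((3 || 4 || 5 || 6) -> (7)) || (8))"
```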
In one embodiment, a used event may be marked with a use count. For example, a first event that can originally be used N times has its remaining count reduced by 1 after it is used to generate a synthetic event, so it can then be used N-1 more times; when the count reaches 0, the event is no longer usable. Setting the use flag prevents an event from being reused, which would otherwise make the network security assessment inaccurate.
In one embodiment, as shown in FIG. 5, step 108 includes:
step 502, obtaining a current security value of the network.
In this embodiment, the current security value of the network represents the current network security condition, and its magnitude indicates the network security level. The security value may be positively or negatively correlated with network security. For example, the higher the security value, the more secure the network, and the smaller the security value, the less secure the network; or, the higher the security value, the less secure the network, and the smaller the security value, the more secure the network.
The electronic device can update the security value of the network in real time or periodically according to a certain frequency.
Step 504, a synthetic threat value of the synthetic event to the network is calculated.
At step 506, a first threat value to the network for a first event in the synthetic events is calculated.
Step 508, calculating a second threat value to the network of a second event in the synthetic events.
In this embodiment, the threat value of the event is used to represent the threat level of the corresponding event to the network security, and similarly, the threat value may be positively or negatively correlated with the network security. For example, the higher the threat value, the more secure the network, and the smaller the threat value, the less secure the network. Or the higher the threat value, the more insecure the network, and the smaller the threat value, the more secure the network.
The magnitude of the security value is related to the threat value. Preferably, the security value is positively correlated with the network security, and the threat value is negatively correlated with the network security, for example, the larger the threat value is, the smaller the security value is.
In one embodiment, the security value is $N = M - \sum_{i} k_i$, where M is the basic security value of the network and $k_i$ is the threat value of the i-th usable event; that is, the security value of the network is the difference between the base security value and the sum of the threat values of all usable events.
The electronic device presets a calculation mode of the threat value of the event, and the calculation mode can be related to the event risk category and the event risk level of the corresponding event.
In one embodiment, taking the threat value of the synthetic event (i.e., the synthetic threat value) as an example of a calculation, step 506 includes: acquiring a synthetic category weight corresponding to the synthetic event risk category and a synthetic level weight corresponding to the synthetic event risk level; and multiplying the preset basic numerical value of the network by the synthesis category weight and the synthesis level weight to obtain a synthesis threat numerical value of the synthesis event.
If the category weight is m and the level weight is n, the threat value of the event is $k = M \cdot m \cdot n$.
The electronic device is configured with category weights corresponding to the different event risk categories and level weights corresponding to the different event risk levels. Categories and levels that pose a greater security threat are given larger category and level weights.
Step 510, detecting whether a first threat value and a second threat value are considered in the current security value; if yes, go to step 512, otherwise go to step 514.
And step 512, eliminating the influence of the first threat value and the second threat value on the current security value, and updating the security value of the network according to the synthesized threat value and the current security value after the influence is eliminated.
And 514, updating the security value of the network according to the synthetic threat value and the current security value.
In this embodiment, the threat values of the first event and the second event consumed by the synthetic event are removed before the security value of the network is recalculated from the threat value of the synthetic event. This prevents the security impact of the first event and the second event on the network from being counted twice, which improves the accuracy of the network security evaluation.
For example, M may be set to 100. For the four event categories (general, larger, major, and particularly major network security events) the corresponding category weights may be set to 10%, 20%, 30%, and 40%, respectively. For the eight event levels (0 crisis, 1 alarm, 2 severe, 3 error, 4 warning, 5 prompt, 6 info, 7 debug) the corresponding level weights may be set to 20%, 18%, 17%, 15%, 10%, 5%, 3%, and 2%, respectively.
The security value of the network is then $N = 100 - \sum_{i} k_i$. If the security value N calculated in this way is 100 points, the network is very safe; if N is 90 to 99 points, the network is safe; if N is 80 to 89 points, the network is relatively safe; if N is 70 to 79 points, the network is dangerous; if N is 60 to 69 points, the network is dangerous; and if N is 0 to 59 points, the network is very dangerous.
In one embodiment, the electronic device is further preconfigured with a level weight calculation process, which includes:
step 602, a judgment matrix a is constructed for the risk level of the event.
In this embodiment, the element $a_{ij}$ of the judgment matrix A represents the priority or severity of the i-th risk level relative to the j-th; $a_{ij}$ is any suitable value greater than 0, and $a_{ij} \cdot a_{ji} = 1$. A value of 1 indicates that the two have the same priority or severity; a value greater than 1 (and the larger it is) indicates a higher priority or severity of the i-th risk level relative to the j-th; a value less than 1 (and the smaller it is) indicates a lower priority or severity of the i-th risk level relative to the j-th.
And step 604, performing normalization processing on the judgment matrix A to form a normalization matrix B.
For example, when the i-th level is debug and the j-th level is severe, $a_{ij}$ may be set to 0.2 and $a_{ji}$ to 5. In the resulting normalized matrix B, the element $b_{ij}$ may be 0.0392 and $b_{ji}$ may be 0.2.
Step 606, calculating the characteristic root (eigenvalue) λ and characteristic vector (eigenvector) W of the normalized matrix that satisfy $BW = \lambda_{\max} W$.
Here $\lambda_{\max}$ is the largest characteristic root of the normalized matrix B.
Step 608, performing a consistency check on the calculated maximum characteristic root $\lambda_{\max}$; executing step 610 when the consistency check passes, and returning to step 602 when it does not.
Step 610, determining a level weight corresponding to the risk level of the event based on the calculated feature vector W.
When the consistency check is not passed, the judgment matrix A for the event risk levels is reconstructed and the steps repeated until the calculated maximum characteristic root $\lambda_{\max}$ satisfies the consistency check.
In particular, the consistency check may be calculated according to the formula CR = CI/RI, where $CI = (\lambda_{\max} - n)/(n - 1)$ is the consistency index, CR is the consistency ratio, and RI is the average random consistency index, whose value can be obtained by table lookup using n; n is the number of risk levels, which is also the order of the matrices A and B. For example, if n is 8, the corresponding RI value is 1.41.
The electronic device can detect whether the calculated CR value is smaller than a consistency threshold; if so, the consistency check passes, otherwise it fails. When it fails, the process returns to step 602 to readjust the configured $a_{ij}$ until the calculated CR value passes the consistency check.
After the consistency check passes, the calculated characteristic vector W may be used directly as the level weights corresponding to the risk levels, or W may be normalized and the normalized characteristic vector used as the level weights. For example, the element $w_i$ of the resulting characteristic vector W may represent the level weight corresponding to the i-th risk level.
In this embodiment, the weight of each event risk level can be set reasonably through this method, which further improves the accuracy of the calculated threat value of an event to network security.
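The level-weight procedure of steps 602 to 610 carried through in code, as an added example that is not the patent's own: it checks the reciprocal property $a_{ij} \cdot a_{ji} = 1$, column-normalizes A into B, takes W as the row means of B (the standard AHP approximation), computes $\lambda_{\max}$ from A and W so that CI = (λmax − n)/(n − 1) is non-negative, and applies CR = CI/RI with Saaty's RI table (1.41 for n = 8, as on the page). The CR threshold of 0.1, the per-level severity scores and the intentionally inconsistent 3×3 matrix are assumptions.

```python
# Saaty's average random consistency index by matrix order n (the page's 1.41 for n=8).
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}
CR_THRESHOLD = 0.1  # assumed value for the page's "consistency threshold"

LEVELS = ["crisis", "alarm", "severe", "error", "warning", "prompt", "info", "debug"]


def build_judgment_matrix(severity):
    """Step 602: a_ij = s_i / s_j from a per-level severity score (constructed input)."""
    return [[si / sj for sj in severity] for si in severity]


def check_reciprocal(A, tol=1e-9):
    """The page's constraint on A: every a_ij > 0 and a_ij * a_ji = 1."""
    n = len(A)
    return all(A[i][j] > 0 and abs(A[i][j] * A[j][i] - 1.0) <= tol
               for i in range(n) for j in range(n))


def column_normalize(A):
    """Step 604: divide each column by its sum to form the normalized matrix B."""
    n = len(A)
    col_sums = [sum(A[i][j] for i in range(n)) for j in range(n)]
    return [[A[i][j] / col_sums[j] for j in range(n)] for i in range(n)]


def principal_vector(B):
    """Row means of B approximate the principal characteristic vector W."""
    return [sum(row) / len(row) for row in B]


def lambda_max(A, W):
    """Maximum characteristic root estimate: mean over i of (A W)_i / w_i."""
    n = len(A)
    AW = [sum(A[i][j] * W[j] for j in range(n)) for i in range(n)]
    return sum(AW[i] / W[i] for i in range(n)) / n


def consistency(lam, n):
    """Step 608: CI = (lambda_max - n)/(n - 1), CR = CI / RI (CR = 0 when RI = 0)."""
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    ri = RI[n]
    return ci, (ci / ri if ri else 0.0)


def level_weights(A):
    """Steps 602-610 end to end. Returns normalized weights plus the check details;
    a caller that sees passed == False should readjust A (return to step 602)."""
    if not check_reciprocal(A):
        raise ValueError("judgment matrix must be positive and reciprocal")
    n = len(A)
    B = column_normalize(A)
    W = principal_vector(B)
    lam = lambda_max(A, W)
    ci, cr = consistency(lam, n)
    total = sum(W)
    return {"weights": [w / total for w in W], "lambda_max": lam,
            "CI": ci, "CR": cr, "passed": cr < CR_THRESHOLD}


if __name__ == "__main__":
    # Constructed severity scores for the eight levels; a perfectly consistent matrix.
    result = level_weights(build_judgment_matrix([9, 8, 7, 6, 5, 4, 3, 2]))
    for name, w in zip(LEVELS, result["weights"]):
        print(f"{name:8s} weight={w:.4f}")
    print("lambda_max=%.4f CR=%.4f passed=%s" % (result["lambda_max"], result["CR"], result["passed"]))
```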
In one embodiment, the application further includes a process for performing statistical analysis on network security. Specifically, as shown in fig. 7, the process includes:
step 702, providing a basic behavior analysis report.
The report includes a host-side behavior list, a server-side behavior list, a network behavior list, a database behavior list, a network security device behavior list, an application system behavior list, a 7-day trend graph of each behavior, a 7-day histogram of each behavior and a proportion pie chart of each behavior. A behavior override function is provided.
Step 704, provide an event analysis report.
The report includes a basic event list, an aggregated event list, an associated event list, an aggregated associated event list, a 7-day trend graph of each event, a 7-day histogram of each event and a proportion pie chart of each event. An event override function is provided.
Step 706, provide an event category analysis report.
The report includes a general network security event list, a larger network security event list, a major network security event list, a particularly major network security event list, 7-day trend graphs of each event category, 7-day bar graphs of each event category, proportion pie charts of each event category, a 30-day trend graph of major network security events and a 30-day trend graph of particularly major network security events. For the particularly major network security event reports, a mark-as-handled function is provided.
At step 708, an event level analysis report is provided.
The report includes a high-risk event list (crisis, alarm and severe), a medium-risk event list (error and warning), a low-risk event list (prompt, info and debug), 7-day trend graphs of each event level, 7-day histograms of each event level, a pie chart of the proportion of each event level, a 30-day trend graph of high-risk events and a 30-day trend graph of medium-risk events.
In one embodiment, the application further comprises a process for analyzing and predicting the situation of the network security. Specifically, the process includes:
and developing basic behavior statistics, event category statistics and event level statistics for sensing the overall situation of the current network environment.
And generating a 7-day trend graph of the basic behaviors and the basic events, and sensing the degree of relationship between the basic behaviors and the trigger events.
And generating an event history top10, an event history top10 under each event category and an event history top10 under each event level, and sensing the past defense vulnerability.
And generating the processing duration of the major network security event, particularly the major network security event, and sensing the timely processing capability of the past coping attack behavior.
The capability of predicting a significant network security event, particularly a significant network security event, is provided.
When the associated event and the aggregated associated event are configured, if the event type is a major network security event, particularly a major network security event, the early warning node is allowed to be added into the condition (the node cannot set a starting node and an ending node). If the trigger early warning event is detected, a corresponding early warning event is generated in the message queue (the early warning event does not participate in the subsequent event analysis).
The prediction capability of medium-risk and high-risk events is provided. If the event level is crisis, alarm, serious, error and warning, the early warning node is allowed to be added in the condition.
And providing an early warning event analysis report. The method comprises an early warning event list, an early warning event suppression rate and an early warning event false alarm rate. And providing processing and ignoring functions, marking the event as containment after the processing, and marking the event as false alarm after the ignoring.
A function of sending a warning for predicting a crisis is provided. And reading the unprocessed and non-ignored early warning events from the message queue, and pushing the early warning events to a responsible person in real time in a mode of not limited to WeChat, short message and mail notification.
In one embodiment, as shown in fig. 8, there is provided a network security situation awareness system based on event analysis, the system comprising:
an event obtaining module 802, configured to obtain a first event that can be used from a message queue;
an event query module 804, configured to query the message queue for a second set of events that can be used and are associated with the first event;
an event generating module 806, configured to generate a composite event according to the first event and at least one second event in the second event set;
a network security evaluation module 810, configured to determine a security value of the network according to the first event, the second event set, and the synthetic event.
In an embodiment, the event generating module 806 is further configured to perform a first filtering on a second event in the second event set according to a basic condition of a synthetic event to be generated, so as to filter out an event that is required to be included in the synthetic event to be generated; detecting whether the first event and the first screened second event meet all events required by the synthetic event to be generated; if all events are met, detecting whether the occurrence time between the first event and the first screened second event meets a first time length limit required by the synthetic event to be generated; and if the first time length limit is met, generating the synthetic event based on the first event and the first screened second event.
In one embodiment, the event generating module 806 is further configured to perform a second filtering on the second event set to filter out events having serial associations with the first event; performing third screening on the second screened events, and screening out the events which are within a second time length corresponding to the event occurrence time of the first event; performing fourth screening on the second event set to screen out events which are in parallel association with the first event; performing fifth screening on the fourth screened events, and screening out events which are within a third time length corresponding to the event occurrence time of the first event; performing serial association and parallel association combination among the first event, the third screened event and the fifth screened event according to the occurrence time sequence of the events; detecting whether the combined event meets the triggering condition of any one synthetic event; and if so, generating a synthetic event corresponding to the trigger condition being met.
In one embodiment, the event generating module 806 is further configured to collect behavior data of the user from at least one data terminal, and store the behavior data in the message queue; analyzing the behavior data according to a preset event trigger condition; and generating a corresponding event according to the behavior data meeting the event trigger condition, and carrying out use marking on the behavior data meeting the event configuration rule.
In one embodiment, as shown in FIG. 9, the network security evaluation module 810 further comprises:
a value obtaining unit 902, configured to obtain a current security value of the network;
a value calculating unit 904, configured to calculate a synthetic threat value of the synthetic event to the network; calculating a first threat value to the network for a first event of the synthetic events; calculating a second threat value to the network for a second event of the synthetic events;
a value updating unit 906, configured to detect whether the first threat value and the second threat value are considered in the current security value; and if so, eliminate the influence of the first threat value and the second threat value on the current security value, and update the security value of the network according to the synthetic threat value and the current security value after the influence is eliminated.
In one embodiment, the numerical calculation unit 904 is further configured to obtain a composite category weight corresponding to the composite event risk category and a composite level weight corresponding to the composite event risk level; and multiplying a preset basic numerical value of the network by the synthesis category weight and the synthesis level weight to obtain a synthesis threat numerical value of the synthesis event.
In one embodiment, as shown in fig. 10, the system further comprises:
a weight setting module 812, configured to construct a judgment matrix A for the risk levels of events; perform normalization processing on the judgment matrix A to form a normalized matrix B; calculate the characteristic root λ and characteristic vector W of the normalized matrix that satisfy $BW = \lambda_{\max} W$, where $\lambda_{\max}$ is the maximum characteristic root of the normalized matrix B; perform a consistency check on the calculated maximum characteristic root $\lambda_{\max}$; when the consistency check passes, determine the level weight corresponding to each risk level of the event based on the calculated characteristic vector W; and when the consistency check is not passed, return to reconstructing the judgment matrix A for the event risk levels until the calculated maximum characteristic root $\lambda_{\max}$ passes the consistency check.
In one embodiment, a computer-readable storage medium is provided having executable instructions stored thereon that, when executed by a processor, cause the processor to perform the steps in the method embodiments described above.
In one embodiment, there is also provided an electronic device comprising one or more processors; memory having one or more programs stored therein, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the steps of the above-described method embodiments.
In one embodiment, as shown in fig. 11, a schematic structural diagram of an electronic device for implementing an embodiment of the present application is shown. The electronic device 1100 includes a Central Processing Unit (CPU) 1101, which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 1102 or a program loaded from a storage section 1108 into a Random Access Memory (RAM) 1103. In the RAM 1103, various programs and data necessary for the operation of the electronic device 1100 are also stored. The CPU 1101, ROM 1102, and RAM 1103 are connected to each other by a bus 1104. An input/output (I/O) interface 1105 is also connected to bus 1104.
The following components are connected to the I/O interface 1105: an input portion 1106 including a keyboard, mouse, and the like; an output portion 1107 including a signal output unit such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 1108 including a hard disk and the like; and a communication section 1109 including a network interface card such as a LAN card, a modem, or the like. The communication section 1109 performs communication processing via a network such as the internet. A driver 1110 is also connected to the I/O interface 1105 as necessary. A removable medium 1111, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is installed on the drive 1110 as necessary, so that a computer program read out therefrom is installed into the storage section 1108 as necessary.
In particular, according to embodiments of the application, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer readable medium bearing instructions that, in such embodiments, may be downloaded and installed over a network via the communication portion 1109 and/or installed from the removable media 1111. The instructions, when executed by a Central Processing Unit (CPU) 1101, perform the various method steps described in the present application.
Although example embodiments have been described, it will be apparent to those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the inventive concept. Accordingly, it should be understood that the above-described exemplary embodiments are not limiting, but illustrative.

Claims (10)

1. A network security situation awareness method based on event analysis is characterized by comprising the following steps:
acquiring a first event which can be used from a message queue;
querying the message queue for a second set of events that are available for use that are associated with the first event;
generating a composite event according to the first event and at least one second event in the second event set;
and determining a security value of the network according to the first event, the second event set and the synthetic event.
2. The method of claim 1, wherein generating a synthetic event from the first event and at least one second event of the set of second events comprises:
performing first screening on a second event in the second event set according to the basic condition of the synthetic event to be generated, and screening out the event which is required to be included by the synthetic event to be generated;
detecting whether the first event and the first screened second event meet all events required by the synthetic event to be generated; if all events are satisfied, then
Detecting whether the occurrence time between the first event and the first screened second event meets a first time length limit required by the synthetic event to be generated; if the first time limit is satisfied, then
Generating the synthetic event based on the first event and the first screened second event.
3. The method of claim 1, wherein generating a synthetic event from the first event and at least one second event of the set of second events comprises:
performing second screening on the second event set to screen out events which are in serial association with the first events;
performing third screening on the second screened events, and screening out events which are within a second time length corresponding to the event occurrence time of the first event;
performing fourth screening on the second event set to screen out events which are in parallel association with the first event;
performing fifth screening on the fourth screened events, and screening out events which are within a third time length corresponding to the event occurrence time of the first event;
performing serial association and parallel association combination among the first event, the third screened event and the fifth screened event according to the occurrence time sequence of the events;
detecting whether the combined event meets the triggering condition of any one synthetic event;
and if so, generating a synthetic event corresponding to the trigger condition being met.
4. The method of claim 1, further comprising:
acquiring behavior data of a user from at least one data terminal, and storing the behavior data into the message queue;
analyzing the behavior data according to a preset event trigger condition;
and generating a corresponding event according to the behavior data meeting the event trigger condition, and carrying out use marking on the behavior data meeting the event configuration rule.
5. The method according to any one of claims 1 to 4, wherein determining a security value of a network from the first event, the usable second event, and the synthetic event comprises:
acquiring a current security value of the network;
calculating a synthetic threat value of the synthetic event to the network;
calculating a first threat value to the network for a first event of the synthetic events;
calculating a second threat value to the network for a second event of the synthetic events;
detecting whether the first threat value and the second threat value are considered in the current security value; if so, then
And eliminating the influence of the first threat value and the second threat value on the current security value, and updating the security value of the network according to the synthetic threat value and the current security value after the influence is eliminated.
6. The method of claim 5, wherein the computing the synthetic threat value for the synthetic event to the network comprises:
acquiring a composite category weight corresponding to the composite event risk category and a composite level weight corresponding to the composite event risk level;
and multiplying a preset basic numerical value of the network by the synthesis category weight and the synthesis level weight to obtain a synthesis threat numerical value of the synthesis event.
7. The method of claim 6, further comprising:
constructing a judgment matrix A aiming at the risk level of the event;
carrying out normalization processing on the judgment matrix A to form a normalization matrix B;
calculating the characteristic root λ and characteristic vector W of the normalized matrix that satisfy $BW = \lambda_{\max} W$; wherein $\lambda_{\max}$ is the maximum characteristic root of the normalized matrix B;
performing a consistency check on the calculated maximum characteristic root $\lambda_{\max}$;
when the consistency check passes, determining a level weight corresponding to the risk level of the event based on the calculated characteristic vector W;
when the consistency check is not passed, returning to reconstructing the judgment matrix A for the risk levels of the event until the calculated maximum characteristic root $\lambda_{\max}$ passes the consistency check.
8. A network security situation awareness system based on event analysis, the system comprising:
the event acquisition module is used for acquiring a first available event from the message queue;
an event query module for querying the message queue for a second set of available events associated with the first event;
an event synthesis module, configured to generate a synthesized event according to the first event and at least one second event in the second event set;
and the network security evaluation module is used for determining a security value of the network according to the first event, the second event set and the synthetic event.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 7.
CN202211644978.2A 2022-12-21 2022-12-21 Network security situation perception method and system based on event analysis Active CN115632884B (en)
Publications (2)

Publication Number Publication Date
CN115632884A true CN115632884A (en) 2023-01-20
CN115632884B CN115632884B (en) 2023-03-10
Patil et al. A comparative performance evaluation of machine learning-based NIDS on benchmark datasets
CN102111302A (en) Worm detection method
Mahmoud et al. A hybrid snort-negative selection network intrusion detection technique
Bhattacharya et al. Cyber threat screening using a queuing-based game-theoretic approach
De Vries Towards a roadmap for development of intelligent data analysis based cyber attack detection systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant