CN115664853A - Network security data association analysis method, device and system and storage medium - Google Patents


Info

Publication number: CN115664853A
Application number: CN202211610750.1A
Authority: CN (China)
Prior art keywords: alarm, event, network security, data, rule
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 杨威
Current assignee: Beijing 6Cloud Technology Co Ltd; Beijing 6Cloud Information Technology Co Ltd
Original assignee: Beijing 6Cloud Technology Co Ltd; Beijing 6Cloud Information Technology Co Ltd
Application filed by Beijing 6Cloud Technology Co Ltd, Beijing 6Cloud Information Technology Co Ltd
Priority to CN202211610750.1A; publication of CN115664853A

Abstract

The application discloses a method, device, system and storage medium for network security data association analysis. The method comprises the following steps: collecting data representing the current security status of a network as a sample, and extracting corresponding sample information from the sample according to preset service logic to serve as a log data label; and performing feature rule matching on the log data labels based on preset association analysis rules to obtain alarm matching results, and generating corresponding prompt alarm events according to the alarm matching results. The invention effectively reduces the alarm quantity and improves the alarm accuracy rate, so that the final network security events not only reduce the number of alarm events but also surface, among the many alarm events, the security events that actually affect network security, providing a reliable basis for network security analysis and research.

Description

Network security data association analysis method, device and system and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a system, and a storage medium for analyzing a network security data association.
Background
At present, network security related data are various and complex. They generally include network traffic data, normal network log data, network environment asset data, network security event data and the like; each of these data sets is huge in volume and none of them is correlated with the others. The network security event data are themselves diverse and the number of alarm events is large, so that judging and disposing of the alarm events that genuinely affect network security, out of a massive and complicated set of alarm events, presents a great challenge to security staff.
Disclosure of Invention
The application mainly aims to provide a method, device, system and storage medium for network security data association analysis, with the aim of effectively improving the accuracy rate of alarm events, reducing the number of alarms, and providing security staff with a reliable basis for network security analysis and research.
In order to achieve the above object, the present application provides a method for analyzing the association of network security data, where the method includes:
collecting data representing the current security status of a network as a sample, and extracting corresponding sample information from the sample according to preset service logic to serve as a log data label;
and performing feature rule matching on the log data labels based on preset association analysis rules to obtain alarm matching results, and generating corresponding prompt alarm events according to the alarm matching results.
Optionally, the method further comprises:
carrying out alarm notification according to the prompt alarm event.
Optionally, the step of collecting data representing the current security status of the network as a sample and extracting corresponding sample information from the sample as a log data label according to preset service logic includes:
collecting network security data, and taking the log data of the network security data as a sample;
performing regular-expression matching on the sample, and extracting the sample information in the sample according to the matching result;
labeling the sample information to obtain corresponding structured data that serves as the log data label;
and determining a corresponding associated event through a preset calculation model according to the log data label, and determining the event label classification through the associated event.
Optionally, the step of performing feature rule matching on the log data labels based on preset association analysis rules to obtain an alarm matching result, and generating a corresponding prompt alarm event according to the alarm matching result, includes:
based on a preset association analysis rule and a preset event classification library, performing feature rule matching on the event label classification through a preset calculation model to obtain an event alarm tag that conforms to the alarm association analysis rule;
and generating a corresponding prompt alarm event according to the event alarm tag.
Optionally, the preset association analysis rules include: statistical class association rules and sequence class association rules.
Optionally, the calculation model corresponding to a statistical class association rule is implemented with a sequence count (sequenceCount) function; the calculation model corresponding to a sequence class association rule is implemented with a windowFunnel function; the event alarm tag includes: alarm ID, alarm type, alarm level, alarm description and alarm handling suggestion.
The embodiment of the present application further provides a device for analyzing the association of network security data, where the device includes:
a data processing module, used for collecting data representing the current security status of the network as a sample and extracting corresponding sample information from the sample as a log data label according to preset service logic;
and an association analysis module, used for performing feature rule matching on the log data labels based on preset association analysis rules to obtain alarm matching results and generating corresponding prompt alarm events according to the alarm matching results.
Optionally, the apparatus further comprises:
a rule configuration module, used for managing the label generation rules for prompt alarm events and the alarm association analysis rules for event alarm tags;
and an alarm module, used for receiving the prompt alarm events generated by the association analysis module and carrying out alarm notification.
The embodiment of the present application further provides a network security data association analysis system, which includes a memory, a processor, and a network security data association analysis program stored on the memory and executable on the processor, and when executed by the processor, the network security data association analysis program implements the network security data association analysis method described above.
An embodiment of the present application further provides a computer-readable storage medium, where a network security data association analysis program is stored on the computer-readable storage medium, and when executed by a processor, the network security data association analysis program implements the network security data association analysis method as described above.
According to the method, device, system and storage medium for network security data association analysis described above, data representing the current security status of a network are collected as samples, and corresponding sample information is extracted from the samples according to preset service logic to serve as log data labels; feature rule matching is then performed on the log data labels based on preset association analysis rules to obtain an alarm matching result, and a corresponding prompt alarm event is generated according to the alarm matching result. According to this scheme, log data labels with a uniform format are generated from the various kinds of network security data; by configuring association analysis rules that apply to these uniformly formatted log data labels, association analysis is carried out across the log data produced by the various security protection products, and prompt alarm events that affect network security are output. The alarm quantity is thus effectively reduced and the alarm accuracy improved, so that the final network security events not only reduce the number of alarm events but also surface, among the many alarm events, the security events that affect network security, providing a reliable basis for network security analysis and research.
Drawings
Fig. 1 is a schematic functional block diagram of a system to which a network security data association analysis device belongs according to the present application;
FIG. 2 is a flowchart illustrating an exemplary embodiment of a method for analyzing network security data association according to the present application;
FIG. 3 is a flowchart illustrating another exemplary embodiment of a method for analyzing network security data association according to the present application;
fig. 4 is a functional module diagram of an exemplary embodiment of a network security data association analysis apparatus according to the present application.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application.
The main solution of the embodiment of the application is as follows: collecting data representing the current security status of a network as a sample, and extracting corresponding sample information from the sample according to preset service logic to serve as a log data label; and performing feature rule matching on the log data labels based on preset association analysis rules to obtain an alarm matching result, and generating a corresponding prompt alarm event according to the alarm matching result. According to this scheme, log data labels with a uniform format are generated from the various kinds of network security data; by configuring association analysis rules that apply to these uniformly formatted log data labels, association analysis is carried out across the log data produced by the various security protection products, and prompt alarm events that affect network security are output. The alarm quantity is thus effectively reduced and the alarm accuracy improved, so that the final network security events not only reduce the number of alarm events but also surface, among the many alarm events, the security events that affect network security, providing a reliable basis for network security analysis and research.
The embodiment of the application takes into account that current network security related data are various and complex, that each data set is huge in volume, and that the data sets are not correlated with one another. The network security event data are diverse and the number of alarm events is huge, so that distinguishing the alarm events that affect network security from a massive and complicated set of alarm events for study, judgement and disposal presents a great challenge to security staff.
Therefore, the solution provided by the embodiment of the application can effectively improve the accuracy of alarm events, so that the final network security events not only reduce the number of alarm events but also surface, among the many alarm events, the security events that affect network security, providing a reliable basis for network security analysis and research.
Specifically, referring to fig. 1, fig. 1 is a schematic functional module diagram of a system to which the network security data association analysis apparatus of the present application belongs. The network security data association analysis device may be a device independent of the system, or may be carried on the system in the form of hardware or software. The device hosting the system may be an intelligent mobile terminal with a data processing function, such as a mobile phone or a tablet computer, or a fixed terminal device or server with a data processing function.
In this embodiment, the system to which the network security data association analysis apparatus belongs includes at least an output module 110, a processor 120, a memory 130 and a communication module 140.
The memory 130 stores an operating system and a network security data association analysis program; the output module 110 may be a display screen or the like. The communication module 140 may include a Wi-Fi module, a mobile communication module, a Bluetooth module and the like, and the system communicates with external devices or servers through the communication module 140.
When executed by the processor, the network security data association analysis program in the memory 130 implements the following steps:
collecting data representing the current security status of a network as a sample, and extracting corresponding sample information from the sample according to preset service logic to serve as a log data label;
and performing feature rule matching on the log data labels based on preset association analysis rules to obtain alarm matching results, and generating corresponding prompt alarm events according to the alarm matching results.
Further, when executed by the processor, the network security data association analysis program in the memory 130 also performs the following step:
carrying out alarm notification according to the prompt alarm event.
Further, when executed by the processor, the network security data association analysis program in the memory 130 also performs the following steps:
collecting network security data, and taking the log data of the network security data as a sample;
performing regular-expression matching on the sample, and extracting the sample information in the sample according to the matching result;
labeling the sample information to obtain corresponding structured data that serves as the log data label;
and determining a corresponding associated event through a preset calculation model according to the log data label, and determining the event label classification through the associated event.
Further, when executed by the processor, the network security data association analysis program in the memory 130 also performs the following steps:
based on a preset association analysis rule and a preset event classification library, performing feature rule matching on the event label classification through a preset calculation model to obtain an event alarm tag that conforms to the alarm association analysis rule;
and generating a corresponding prompt alarm event according to the event alarm tag.
The preset association analysis rules include: statistical class association rules and sequence class association rules.
The calculation model corresponding to a statistical class association rule is implemented with a sequence count (sequenceCount) function; the calculation model corresponding to a sequence class association rule is implemented with a windowFunnel function; the event alarm tag includes: alarm ID, alarm type, alarm level, alarm description and alarm handling suggestion.
According to this scheme, data representing the current security status of the network are collected as samples, and corresponding sample information is extracted from the samples according to preset service logic to serve as log data labels; feature rule matching is then performed on the log data labels based on preset association analysis rules to obtain an alarm matching result, and a corresponding prompt alarm event is generated according to the alarm matching result. Log data labels with a uniform format are generated from the various kinds of network security data; by configuring association analysis rules that apply to these uniformly formatted log data labels, association analysis is carried out across the log data produced by the various security protection products, and prompt alarm events that affect network security are output. The alarm quantity is thus effectively reduced and the alarm accuracy improved, so that the final network security events not only reduce the number of alarm events but also surface, among the many alarm events, the security events that affect network security, providing a reliable basis for network security analysis and research.
Based on the above system architecture, but not limited to the above architecture, embodiments of the method of the present application are presented.
The execution subject of the method of this embodiment may be a network security data association analysis device; the device may be independent of the system, or may be carried on the system in the form of hardware or software. The system may be a fixed terminal device or a server with a data processing function, and the like. This embodiment takes a network security device as an example.
Referring to fig. 2, fig. 2 is a schematic flowchart of an exemplary embodiment of the network security data association analysis method according to the present application. The method for analyzing the association of network security data provided by this embodiment comprises the following steps:
Step S101: collecting data representing the current security status of a network as a sample, and extracting corresponding sample information from the sample according to preset service logic to serve as a log data label.
The sample is obtained by screening the network security related data.
As described above, network security related data are various and complex; they generally include network traffic data, normal network log data, network environment asset data, network security event data and the like, each data set is huge in volume, and the data sets are not correlated with one another. The network security event data are diverse and the number of alarm events is large, so that judging and disposing of the alarm events that affect network security, out of a massive and complicated set of alarm events, presents a great challenge to security staff.
The scheme of this embodiment can effectively improve the accuracy rate of alarm events, reduce the alarm quantity, and provide security staff with a reliable basis for network security analysis and research.
Specifically, as one implementation, network security data is collected, and the log data of the network security data is used as the sample.
Data that can represent the current security status of the network are collected, and whether the network currently faces a security threat is determined by analyzing these data; the network security related data may include normal traffic log data and network security event data.
Normal traffic log data can assist asset mapping and inventory, so that the most appropriate protective measures can be taken once it is clearly understood which assets are present in the network environment.
Network security event data are the security events occurring in real time in the network environment; by combing through the security event data, association relationships can be discovered, and thereby latent security threats in the network environment can be uncovered.
In a specific implementation, when network security related data are collected as the sample, the asset logs and data traffic that make up the network security related data may be collected. When collecting asset logs, the log source information of the asset logs may be configured, including but not limited to IP, asset type and asset log location; when collecting data traffic, asset traffic may be obtained by mirroring, and the configured information includes but is not limited to IP and port.
Then, regular-expression matching is performed on the sample, and the sample information in the sample is extracted according to the matching result.
This embodiment creates a rule base of regular-expression rules in advance; based on this rule base, regular-expression matching is performed on the samples of network security log data, and the samples are normalized and enriched.
The regular matching process applies regular expressions to the raw log data to obtain structured fields: the log is split into corresponding fields, which may include the source IP, target IP, event classification and features of the log; the fields are matched through the regular expressions, and the sample information in the sample is extracted according to the matching result.
Then, the sample information is labeled to obtain corresponding structured data that serves as the log data label.
After the samples are obtained, the corresponding sample information can be extracted from the samples according to preset service logic to serve as the log data label.
Specifically, the content of the log data includes, but is not limited to, entities, attributes and relationships, such as SIP (source IP), DIP (destination IP), SMAC (source MAC), DMAC (destination MAC) and the like.
The log data label can be stored in ClickHouse in real time. The log data label distinguishes whether the log data is a normal traffic log or network security event data; normal traffic log data can further be distinguished into different log types according to the different logs, and network security event data can further be distinguished by the kind of security event log.
For example, an IP field is determined to be an intranet IP or an extranet IP: if it is an intranet IP, it is marked with the asset ID, and if it is an extranet asset, the region to which the asset belongs is identified; the different marks are correspondingly used as labels.
Finally, a corresponding associated event is determined through a preset calculation model according to the log data label, and the event label classification is determined through the associated event.
The log data label data are stored into ClickHouse in real time, the corresponding associated events are determined through the ClickHouse calculation model algorithm, and the event label classification is determined.
When the ClickHouse calculation model algorithm determines a corresponding associated event, a log classification mark is required: the association rule for an associated event configured in the calculation model algorithm consists of the log classification mark and the corresponding associated event.
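The normalization and labeling steps of S101 (regular-expression matching of raw log lines into structured fields, then labeling each IP as an intranet asset ID or an extranet region) can be illustrated with the following added example. It is not code from the patent or from the assignee: the regular-expression rule base, the log-category mapping, the asset table, the region map and the sample log lines are all constructed for the example, and the field and label names are assumptions. Intranet is taken to mean the RFC 1918 ranges, because Python's `ip_address(...).is_private` also reports the documentation ranges used for the sample extranet addresses as private.

```python
import ipaddress
import re
from typing import Optional

# Constructed regular-expression rule base: one pattern per log type, with named
# groups for the structured fields the patent mentions (source IP, target IP,
# event classification, features). A product would load these from storage.
RULE_BASE = {
    "mysql_login_failed": re.compile(
        r"^(?P<ts>\S+) mysqld\[\d+\]: Access denied for user '(?P<feature>[^']+)'"
        r"@'(?P<sip>[\d.]+)' to (?P<dip>[\d.]+):\d+$"
    ),
    "port_scan": re.compile(
        r"^(?P<ts>\S+) ids: PORTSCAN src=(?P<sip>[\d.]+) dst=(?P<dip>[\d.]+) ports=(?P<feature>\S+)$"
    ),
    "webshell_attack": re.compile(
        r"^(?P<ts>\S+) waf: WEBSHELL src=(?P<sip>[\d.]+) dst=(?P<dip>[\d.]+) uri=(?P<feature>\S+)$"
    ),
}

# Constructed mapping of log type to the category the patent distinguishes:
# normal traffic log vs. network security event data.
LOG_CATEGORY = {
    "mysql_login_failed": "normal_traffic_log",
    "port_scan": "security_event",
    "webshell_attack": "security_event",
}

# Intranet defined as the RFC 1918 ranges (assumption). is_private is avoided on
# purpose: it also flags the documentation ranges used below as private.
INTRANET_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ASSET_TABLE = {"10.0.1.5": "ASSET-DB-01", "10.0.2.9": "ASSET-WEB-02"}      # constructed asset inventory
REGION_MAP = {"203.0.113.0/24": "region-A", "198.51.100.0/24": "region-B"}  # constructed extranet regions


def parse_log(line: str) -> Optional[dict]:
    """Regular matching: split the raw line into structured fields via the rule base."""
    for log_type, pattern in RULE_BASE.items():
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["log_type"] = log_type
            return fields
    return None  # a line no rule recognizes carries no usable sample information


def label_ip(ip: str) -> dict:
    """Labeling: intranet IP -> asset ID mark, extranet IP -> region mark."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTRANET_NETS):
        return {"scope": "intranet", "asset_id": ASSET_TABLE.get(ip, "UNKNOWN-ASSET")}
    for cidr, region in REGION_MAP.items():
        if addr in ipaddress.ip_network(cidr):
            return {"scope": "extranet", "region": region}
    return {"scope": "extranet", "region": "unknown"}


def build_log_label(line: str) -> Optional[dict]:
    """Produce the uniform-format log data label: structured fields plus marks."""
    fields = parse_log(line)
    if fields is None:
        return None
    return {
        "ts": fields["ts"],
        "log_type": fields["log_type"],
        "category": LOG_CATEGORY[fields["log_type"]],
        "sip": fields["sip"],
        "dip": fields["dip"],
        "feature": fields["feature"],
        "src": label_ip(fields["sip"]),
        "dst": label_ip(fields["dip"]),
    }


# Constructed sample log lines, as if produced by three different security products
SAMPLE_LINES = [
    "2023-01-01T10:00:01Z mysqld[1234]: Access denied for user 'root'@'203.0.113.7' to 10.0.1.5:3306",
    "2023-01-01T10:05:00Z ids: PORTSCAN src=198.51.100.4 dst=10.0.2.9 ports=22,80,443",
    "2023-01-01T10:20:00Z waf: WEBSHELL src=198.51.100.4 dst=10.0.2.9 uri=/upload/x.php",
    "2023-01-01T10:21:00Z kernel: unrelated message that matches no rule",
]


def normalize_all(lines):
    """Labels for every line the rule base recognizes, in input order."""
    return [lbl for lbl in (build_log_label(x) for x in lines) if lbl is not None]


if __name__ == "__main__":
    for label in normalize_all(SAMPLE_LINES):
        print(label)
```

The three heterogeneous lines come out as labels with the same keys, which is what allows one set of association rules to be written against logs from different products; the unmatched fourth line is dropped rather than guessed at.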
Step S102: performing feature rule matching on the log data labels based on preset association analysis rules to obtain an alarm matching result, and generating a corresponding prompt alarm event according to the alarm matching result.
In this embodiment, the association analysis rules are generated in advance and stored in the in-memory database.
As one implementation, based on a preset association analysis rule and a preset event classification library, feature rule matching is performed on the event label classification through a preset calculation model to obtain an event alarm tag that conforms to the association analysis rule.
The event alarm tag comprises: alarm ID, alarm type, alarm level, alarm description, alarm handling suggestion and the like.
In this embodiment, an event classification library is established in advance; it describes in detail related information such as the level and hazard description of each event, and is used for generating the event alarm tag.
Then, a corresponding prompt alarm event is generated according to the event alarm tag.
According to the alarm matching result, an event alarm tag set is determined; the event alarm tag set comprises the various pieces of information queried from the event classification library. Based on the event alarm tag set, the prompt alarm event corresponding to the event alarm tag is generated.
As one embodiment, the preset association analysis rules may include: statistical class association rules and sequence class association rules.
As one implementation, the calculation model corresponding to a statistical class association rule is implemented with a sequence count (sequenceCount) function, and the calculation model corresponding to a sequence class association rule is implemented with a windowFunnel function.
That is, the preset association analysis rules are divided into two types: the first type is the statistical class association rule and the second type is the sequence class association rule; the different kinds of association rule are analyzed by different calculation model algorithms.
The ClickHouse calculation model algorithms are correspondingly of two types: the statistical class association rule is implemented with the sequence count (sequenceCount) function, and the sequence class association rule is implemented with the windowFunnel function.
When feature rule matching is performed on the log data labels based on a preset association analysis rule, the obtained log data labels are inserted into ClickHouse in real time; the aggregated asset group information that meets the rule condition can then be obtained through the calculation model, and the asset group information that meets the condition is the set of assets that hit the associated event.
For example, for the source IP, it is determined according to the event classification tag which assets meet the association rule, and then which associated event is generated; that associated event is the alarm event.
As one implementation, the association analysis module calculates at intervals, according to the configured association analysis rules, whether the data stored in ClickHouse match the configured rules; if so, the corresponding aggregated asset information is obtained, and then the corresponding information such as alarm type and level is obtained according to the event alarm tag in the rule;
the completed asset-associated alarm information is then pushed to the alarm module to raise the corresponding alarm.
According to this scheme, log data labels with a uniform format are generated from the various kinds of network security data; by configuring association analysis rules that apply to these uniformly formatted log data labels, association analysis is carried out across the log data produced by the various security protection products, and prompt alarm events that affect network security are output. The alarm quantity is thus effectively reduced and the alarm accuracy improved, so that the final network security events not only reduce the number of alarm events but also surface, among the many alarm events, the security events that affect network security, providing a reliable basis for network security analysis and research.
The following scenarios for a statistical class association rule and a sequence class association rule are given as examples:
For a statistical class association rule:
the preset association rule name is, for example, mysql brute force cracking;
the rule content is written as: the log type equals mysql login failure, the time window condition is 100 occurrences within one minute, and the grouping condition is the target asset;
the rule's alarm setting is written to generate a brute force cracking security event;
when data enters ClickHouse in real time, the association analysis calculation engine queries every minute, according to the sequence count (sequenceCount) algorithm, which assets meet the rule condition, and then obtains the two pieces of information, asset and event classification, through the event classification set in the alarm setting. The event classification library is then queried by event classification to obtain information such as the event level and handling suggestion.
For a sequence class association rule:
the preset association rule name is, for example, webshell intrusion attack;
the rule content is written as: sequence one, the log type equals port scan; sequence two, the log type equals webshell attack log; the time window is 30 minutes, and the grouping condition is the source asset;
the rule's alarm setting is written to generate a webshell intrusion security event;
when data enters ClickHouse in real time, the association analysis calculation engine queries every minute, according to the windowFunnel algorithm, which assets meet the rule condition, and then obtains the two pieces of information, asset and event classification, through the event classification set in the alarm setting. The event classification library is then queried by event classification to obtain information such as the event level and handling suggestion.
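The two scenarios above, and the S102 matching and enrichment they exercise, as an added example that is not code from the patent or from the assignee. It runs the two rules over constructed, already-normalized log data labels and enriches each hit from a constructed event classification library; the rule configuration format, the library contents and the field names are assumptions. A sliding-window count stands in for the sequenceCount aggregate, and `window_funnel` is a simplified reimplementation of the default windowFunnel semantics (deepest chain level reached, in order, within the window opened by the first event), not the ClickHouse function itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event classification library: the event classification named in a
# rule's alarm setting is looked up here to fill in the event alarm tag fields
# the patent lists (alarm ID, type, level, description, handling suggestion).
EVENT_CLASSIFICATION_LIBRARY = {
    "mysql_brute_force": {
        "alarm_id": "EVT-1001", "alarm_type": "brute_force", "alarm_level": "high",
        "alarm_description": "Repeated MySQL login failures against one target asset",
        "handling_suggestion": "Verify the source, enable account lockout, rotate credentials",
    },
    "webshell_intrusion": {
        "alarm_id": "EVT-2001", "alarm_type": "intrusion", "alarm_level": "critical",
        "alarm_description": "Port scan followed by webshell attack from the same source asset",
        "handling_suggestion": "Isolate the target host, inspect the web root, block the source",
    },
}

# The two rules from the scenarios, in a constructed configuration format.
RULES = [
    {"name": "mysql brute force cracking", "kind": "statistical",
     "log_type": "mysql_login_failed", "window": timedelta(minutes=1), "threshold": 100,
     "group_by": "dip", "event_class": "mysql_brute_force"},
    {"name": "webshell intrusion attack", "kind": "sequence",
     "sequence": ["port_scan", "webshell_attack"], "window": timedelta(minutes=30),
     "group_by": "sip", "event_class": "webshell_intrusion"},
]


def max_count_in_window(timestamps, window):
    """Statistical rule: largest number of events inside any sliding window
    (stand-in for the sequenceCount aggregate; two-pointer sweep over sorted times)."""
    ts = sorted(timestamps)
    best, i = 0, 0
    for j in range(len(ts)):
        while ts[j] - ts[i] > window:
            i += 1
        best = max(best, j - i + 1)
    return best


def window_funnel(events, window, chain):
    """Sequence rule: deepest level of `chain` reached by (time, type) events in
    order, within `window` of the chain's first event. Returns 0..len(chain)."""
    evs = sorted(events)
    best = 0
    for i, (t0, kind0) in enumerate(evs):
        if kind0 != chain[0]:
            continue
        level = 1
        for t, kind in evs[i + 1:]:
            if t - t0 > window:
                break
            if level < len(chain) and kind == chain[level]:
                level += 1
        best = max(best, level)
    return best


def evaluate_rules(labels, rules=RULES):
    """Group labels by each rule's grouping asset, test the rule per group, and
    turn every hit into one prompt alarm event enriched from the library."""
    alarms = []
    for rule in rules:
        groups = defaultdict(list)
        for lbl in labels:
            groups[lbl[rule["group_by"]]].append((lbl["ts"], lbl["log_type"]))
        for asset, evs in groups.items():
            if rule["kind"] == "statistical":
                hits = [t for t, kind in evs if kind == rule["log_type"]]
                matched = max_count_in_window(hits, rule["window"]) >= rule["threshold"]
            else:
                matched = window_funnel(evs, rule["window"], rule["sequence"]) == len(rule["sequence"])
            if matched:
                alarms.append({"rule": rule["name"], "asset": asset,
                               "event_class": rule["event_class"],
                               **EVENT_CLASSIFICATION_LIBRARY[rule["event_class"]]})
    return alarms


def build_sample_labels():
    """Constructed log data labels (already normalized), not real telemetry."""
    base = datetime(2023, 1, 1, 10, 0, 0)
    labels = []
    for n in range(120):  # 120 failures against one asset within one minute -> alarm
        labels.append({"ts": base + timedelta(seconds=0.5 * n), "log_type": "mysql_login_failed",
                       "sip": "203.0.113.7", "dip": "10.0.1.5"})
    for n in range(5):  # 5 failures against another asset -> below threshold
        labels.append({"ts": base + timedelta(seconds=10 * n), "log_type": "mysql_login_failed",
                       "sip": "203.0.113.8", "dip": "10.0.1.6"})
    # port scan then webshell attack from one source 15 minutes apart -> alarm
    labels.append({"ts": base + timedelta(minutes=5), "log_type": "port_scan",
                   "sip": "198.51.100.4", "dip": "10.0.2.9"})
    labels.append({"ts": base + timedelta(minutes=20), "log_type": "webshell_attack",
                   "sip": "198.51.100.4", "dip": "10.0.2.9"})
    # same sequence 40 minutes apart -> outside the 30-minute window, no alarm
    labels.append({"ts": base + timedelta(minutes=60), "log_type": "port_scan",
                   "sip": "198.51.100.9", "dip": "10.0.2.9"})
    labels.append({"ts": base + timedelta(minutes=100), "log_type": "webshell_attack",
                   "sip": "198.51.100.9", "dip": "10.0.2.9"})
    return labels


SAMPLE_LABELS = build_sample_labels()


def demo_alarms():
    return evaluate_rules(SAMPLE_LABELS)


if __name__ == "__main__":
    for alarm in demo_alarms():
        print(alarm)
```

The 127 constructed labels collapse into two prompt alarm events, each already carrying the tag fields an analyst needs; the five sub-threshold failures and the out-of-window scan/webshell pair produce nothing, which is the alarm-reduction effect the patent describes.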
According to this scheme, data representing the current security status of the network are collected as samples, and corresponding sample information is extracted from the samples according to preset service logic to serve as log data labels; feature rule matching is then performed on the log data labels based on preset association analysis rules to obtain an alarm matching result, and a corresponding prompt alarm event is generated according to the alarm matching result. Log data labels with a uniform format are generated from the various kinds of network security data; by configuring association analysis rules that apply to these uniformly formatted log data labels, association analysis is carried out across the log data produced by the various security protection products, and prompt alarm events that affect network security are output. The alarm quantity is thus effectively reduced and the alarm accuracy improved, so that the final network security events not only reduce the number of alarm events but also surface, among the many alarm events, the security events that affect network security, providing a reliable basis for network security analysis and research.
Referring to fig. 3, fig. 3 is a flowchart illustrating another exemplary embodiment of the network security data association analysis method according to the present application. Based on the embodiment shown in fig. 2, in this embodiment the method further includes:
Step S103: carrying out alarm notification according to the prompt alarm event.
As one implementation, the association analysis module calculates at intervals, according to the configured association analysis rules, whether the data stored in ClickHouse match the configured rules; if so, the corresponding aggregated asset information is obtained, and then the corresponding information such as alarm type and level is obtained according to the event alarm tag in the rule;
the completed asset-associated alarm information is then pushed to the alarm module to raise the corresponding alarm.
According to this scheme, data representing the current security status of the network are collected as samples, and corresponding sample information is extracted from the samples according to preset service logic to serve as log data labels; feature rule matching is performed on the log data labels based on preset association analysis rules to obtain an alarm matching result, a corresponding prompt alarm event is generated according to the alarm matching result, and alarm notification is carried out according to the prompt alarm event. Log data labels with a uniform format are generated from the various kinds of network security data; by configuring association analysis rules that apply to these uniformly formatted log data labels, association analysis is carried out across the log data produced by the various security protection products, and prompt alarm events that affect network security are output. The alarm quantity is thus effectively reduced and the alarm accuracy improved, so that the final network security events not only reduce the number of alarm events but also surface, among the many alarm events, the security events that affect network security, providing a reliable basis for network security analysis and research.
As shown in fig. 4, an embodiment of the present application further provides a network security data association analysis apparatus, where the apparatus includes:
the data processing module is used for acquiring data representing the current safety condition of the network as a sample and extracting corresponding sample information from the sample as a log data label according to a preset service logic;
and the association analysis module is used for matching the characteristic rules of the log data labels based on preset association analysis rules to obtain alarm matching results and generating corresponding prompt alarm events according to the alarm matching results.
Further, the apparatus further comprises:
the rule configuration module is used for managing a label generation rule for prompting an alarm event and an alarm correlation analysis rule of an event alarm label;
and the alarm module is used for receiving the prompt alarm event generated by the correlation analysis module and carrying out alarm notification.
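The periodic rule evaluation described above, together with the division into data processing, association analysis, rule configuration and alarm modules shown in fig. 4, as an added Python illustration that is not the patent's own code. It applies one statistical-class rule (a per-asset event threshold inside a time window) to structured log data labels held in memory rather than read from ClickHouse; the rule name, field names, tag values and the sample labels are all constructed for this example.

```python
"""Added illustration (not the patent's code): the modules of fig. 4 as a
small in-memory pipeline. Rule names, field names, tag values and sample
records below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class EventAlarmTag:
    """The five fields claim 6 lists for an event alarm tag."""
    alarm_id: str
    alarm_type: str
    alarm_level: str
    description: str
    suggestion: str


@dataclass
class StatRule:
    """Statistical-class rule: at least `threshold` matching labels for one
    asset inside `window`, enriched from `tag` when it fires."""
    name: str
    match: Callable[[dict], bool]
    threshold: int
    window: timedelta
    tag: EventAlarmTag


class RuleConfigModule:
    """Holds the configured association analysis rules and their tags."""
    def __init__(self):
        self.rules = []

    def add(self, rule: StatRule):
        self.rules.append(rule)


class AlarmModule:
    """Receives prompt alarm events and records the notification."""
    def __init__(self):
        self.notified = []

    def notify(self, alarm: dict):
        self.notified.append(alarm)


class AssociationAnalysisModule:
    def __init__(self, config: RuleConfigModule, alarm: AlarmModule):
        self.config, self.alarm = config, alarm

    def run_once(self, labels: list, now: datetime) -> list:
        """One periodic pass over the stored log data labels."""
        produced = []
        for rule in self.config.rules:
            # aggregate matching labels per asset (keyed by source address)
            per_asset = defaultdict(list)
            for lab in labels:
                if now - lab["ts"] <= rule.window and rule.match(lab):
                    per_asset[lab["src_ip"]].append(lab)
            for asset, hits in per_asset.items():
                if len(hits) < rule.threshold:
                    continue
                # one prompt alarm event per asset per rule, enriched from the tag
                alarm = {
                    "alarm_id": rule.tag.alarm_id,
                    "alarm_type": rule.tag.alarm_type,
                    "alarm_level": rule.tag.alarm_level,
                    "description": rule.tag.description,
                    "suggestion": rule.tag.suggestion,
                    "asset": asset,
                    "event_count": len(hits),
                    "products": sorted({h["product"] for h in hits}),
                }
                self.alarm.notify(alarm)
                produced.append(alarm)
        return produced


def demo():
    """Constructed sample: 30 login-failure labels from two products for one
    host plus one stray label from another host; returns (label count, alarms)."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    labels = []
    for i in range(20):
        labels.append({"ts": t0 + timedelta(seconds=i), "src_ip": "10.0.0.5",
                       "event_class": "login_failure", "product": "waf"})
    for i in range(10):
        labels.append({"ts": t0 + timedelta(seconds=30 + i), "src_ip": "10.0.0.5",
                       "event_class": "login_failure", "product": "hids"})
    labels.append({"ts": t0, "src_ip": "10.0.0.9",
                   "event_class": "login_failure", "product": "waf"})
    config = RuleConfigModule()
    config.add(StatRule(
        name="brute-force-login",
        match=lambda lab: lab["event_class"] == "login_failure",
        threshold=10, window=timedelta(minutes=5),
        tag=EventAlarmTag("A-0001", "brute_force", "high",
                          "repeated login failures from one source",
                          "lock the account and review the source host")))
    analysis = AssociationAnalysisModule(config, AlarmModule())
    alarms = analysis.run_once(labels, now=t0 + timedelta(minutes=1))
    return len(labels), alarms
```

Running `demo()` turns 31 uniform labels into a single prompt alarm event for the one asset that crosses the threshold; the stray host below the threshold produces nothing. That collapse of many product-level events into one asset-level alarm carrying the tag's type, level and handling suggestion is the alarm-volume reduction the description claims.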
The embodiment of the present application further provides a terminal device, where the terminal device includes a memory, a processor, and a network security data association analysis program stored on the memory and capable of running on the processor, and when executed by the processor, the network security data association analysis program implements the network security data association analysis method according to the embodiment.
The embodiment of the present application further provides a computer-readable storage medium, where a network security data association analysis program is stored on the computer-readable storage medium, and when executed by a processor, the network security data association analysis program implements the network security data association analysis method according to the embodiment.
Since the network security data association analysis program, when executed by the processor, adopts all the technical solutions of the foregoing embodiments, it achieves at least all the beneficial effects of those technical solutions; no further description is given here.
According to the method, device, system and storage medium for network security data association analysis, data representing the current security condition of a network are collected as samples, and corresponding sample information is extracted from the samples according to preset service logic and used as log data labels; feature rule matching is performed on the log data labels based on a preset association analysis rule to obtain an alarm matching result, and a corresponding prompt alarm event is generated according to the alarm matching result. In this way, log data labels with a uniform format are generated from various kinds of network security data, association analysis of the log data produced by different security protection products is achieved by configuring association analysis rules suited to that uniform format, and prompt alarm events that affect network security are output. This effectively reduces the alarm volume and improves alarm accuracy: the final network security events are fewer in number, and the security events that actually affect network security are singled out from the many alarm events, providing a reliable basis for network security analysis and research.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or system comprising the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases the former is the better implementation manner. Based on such understanding, the technical solutions of the present application, or the portions contributing to the prior art, may be embodied in the form of a software product, where the computer software product is stored in a storage medium (such as a ROM/RAM, a magnetic disk, or an optical disk) as described above and includes several instructions enabling a terminal device (which may be a mobile phone, a computer, a server, a controlled terminal, or a network device) to execute the method of each embodiment of the present application.
The above description is only a preferred embodiment of the present application, and not intended to limit the scope of the present application, and all the equivalent structures or equivalent processes that can be directly or indirectly applied to other related technical fields by using the contents of the specification and the drawings of the present application are also included in the scope of the present application.

Claims (10)

1. A method for analyzing association of network security data is characterized by comprising the following steps:
acquiring data representing the current safety condition of a network as a sample, and extracting corresponding sample information from the sample according to a preset service logic to be used as a log data label;
and matching the characteristic rules of the log data labels based on a preset association analysis rule to obtain an alarm matching result, and generating a corresponding prompt alarm event according to the alarm matching result.
2. The method of claim 1, further comprising:
and carrying out alarm notification according to the prompt alarm event.
3. The method of claim 1, wherein the step of collecting data representing the current security condition of the network as a sample and extracting corresponding sample information from the sample as a log data tag according to a preset service logic comprises:
collecting network security data, and taking log data of the network security data as a sample;
performing regular-expression matching on the sample, and extracting sample information from the sample according to the matching result;
labeling the sample information to obtain corresponding structured data serving as a log data label;
and determining a corresponding associated event through a preset calculation model according to the log data label, and determining the event label classification through the associated event.
4. The method according to claim 3, wherein the step of performing feature rule matching on the log data tag based on a preset association analysis rule to obtain an alarm matching result, and generating a corresponding alarm prompting event according to the alarm matching result comprises:
based on a preset association analysis rule and a preset event classification library, carrying out feature rule matching on the event label classification through a preset calculation model to obtain an event alarm label conforming to the alarm association analysis rule;
and generating a corresponding prompt alarm event according to the event alarm tag.
5. The method of claim 4, wherein the preset association analysis rule comprises: a statistical class association rule and a sequence class association rule.
6. The method of claim 5, wherein the calculation model corresponding to the statistical class association rule is implemented using a sequence count (sequenceCount) function; the calculation model corresponding to the sequence class association rule is implemented using a windowFunnel function; and the event alarm tag comprises: an alarm ID, an alarm type, an alarm level, an alarm description, and an alarm handling suggestion.
7. A network security data association analysis apparatus, the apparatus comprising:
the data processing module is used for acquiring data representing the current safety condition of the network as a sample, and extracting corresponding sample information from the sample as a log data label according to a preset service logic;
and the association analysis module is used for matching the characteristic rules of the log data labels based on preset association analysis rules to obtain alarm matching results and generating corresponding prompt alarm events according to the alarm matching results.
8. The apparatus of claim 7, further comprising:
the rule configuration module is used for managing a label generation rule for prompting an alarm event and an alarm correlation analysis rule of an event alarm label;
and the alarm module is used for receiving the prompt alarm event generated by the correlation analysis module and carrying out alarm notification.
9. A network security data association analysis system, comprising a memory, a processor and a network security data association analysis program stored on the memory and executable on the processor, the network security data association analysis program when executed by the processor implementing the network security data association analysis method of any one of claims 1 to 6.
10. A computer-readable storage medium, wherein a network security data association analysis program is stored on the computer-readable storage medium, and wherein the network security data association analysis program, when executed by a processor, implements the network security data association analysis method of any one of claims 1 to 6.
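Claims 3 to 6 as an added Python illustration, not the patent's own code: regular-expression extraction of uniform log data labels from raw product logs, event label classification, and a sequence-class rule evaluated per source asset with a Python stand-in for the windowFunnel semantics that claim 6 assigns to the calculation model (ClickHouse's windowFunnel returns how many leading steps of an ordered event chain occur within a time window of the first step). The log lines, patterns, class names and the three-step chain are constructed for this example; in the claimed system the equivalent query runs inside ClickHouse.

```python
"""Added illustration (not the patent's code) of claims 3 to 6: regex
extraction of log data labels, event classification, and a sequence-class
rule using a Python re-implementation of windowFunnel-style matching.
Log lines, patterns, class names and the chain are constructed."""
import re
from datetime import datetime, timedelta

# Constructed raw log lines from three hypothetical protection products.
RAW_LOGS = [
    "2024-01-01T10:00:00 ids src=10.0.0.5 dst=10.0.1.2 sig=portscan",
    "2024-01-01T10:00:40 waf src=10.0.0.5 dst=10.0.1.2 rule=sqli-union",
    "2024-01-01T10:01:10 hids host=10.0.1.2 src=10.0.0.5 event=new-admin-user",
    "2024-01-01T10:00:05 ids src=10.0.0.7 dst=10.0.1.2 sig=portscan",
    "2024-01-01T11:30:00 waf src=10.0.0.7 dst=10.0.1.2 rule=sqli-union",
]

# Regular-expression extraction rules, one per product, each yielding the
# same uniform label fields (ts, product, src_ip, event_class).
PATTERNS = [
    (re.compile(r"^(?P<ts>\S+) ids src=(?P<src>\S+) dst=\S+ sig=(?P<sig>\S+)"), "ids"),
    (re.compile(r"^(?P<ts>\S+) waf src=(?P<src>\S+) dst=\S+ rule=(?P<sig>\S+)"), "waf"),
    (re.compile(r"^(?P<ts>\S+) hids host=\S+ src=(?P<src>\S+) event=(?P<sig>\S+)"), "hids"),
]

# Event label classification: product-specific signature -> uniform class
# (a constructed stand-in for the preset event classification library).
EVENT_CLASSES = {
    ("ids", "portscan"): "recon",
    ("waf", "sqli-union"): "web_attack",
    ("hids", "new-admin-user"): "privilege_change",
}


def extract_labels(lines):
    """Claim 3: regular matching, extraction and labelling into structured data."""
    labels = []
    for line in lines:
        for pattern, product in PATTERNS:
            m = pattern.match(line)
            if m:
                labels.append({
                    "ts": datetime.fromisoformat(m["ts"]),
                    "product": product,
                    "src_ip": m["src"],
                    "event_class": EVENT_CLASSES.get((product, m["sig"]), "unknown"),
                })
                break
    return labels


def window_funnel(events, window, chain):
    """Python stand-in for windowFunnel: the number of leading steps of
    `chain` completed, in order, within `window` of a first-step event.
    `events` are (timestamp, event_class) pairs in any order."""
    best = 0
    ordered = sorted(events)
    for i, (start, cls) in enumerate(ordered):
        if cls != chain[0]:
            continue
        level, deadline = 1, start + window
        for ts, later in ordered[i + 1:]:
            if ts > deadline or level == len(chain):
                break
            if later == chain[level]:
                level += 1
        best = max(best, level)
    return best


def evaluate_sequence_rule(labels, chain, window):
    """Claim 4: group labels per source asset and report how far each asset
    progressed along the chain; a full match is what the event alarm tag
    lookup would then turn into a prompt alarm event."""
    per_asset = {}
    for lab in labels:
        per_asset.setdefault(lab["src_ip"], []).append((lab["ts"], lab["event_class"]))
    return {ip: window_funnel(ev, window, chain) for ip, ev in per_asset.items()}


def demo():
    """Constructed chain recon -> web_attack -> privilege_change, 10-minute window."""
    chain = ("recon", "web_attack", "privilege_change")
    return evaluate_sequence_rule(extract_labels(RAW_LOGS), chain, timedelta(minutes=10))
```

With the constructed logs, `demo()` reports level 3 (the whole chain) for 10.0.0.5 and level 1 for 10.0.0.7, whose second step falls outside the window; only the first would reach the event alarm tag lookup. The ordering and window checks are what distinguish a sequence-class rule from a plain count: the same three event classes seen out of order, or spread over hours, do not complete the chain.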
CN202211610750.1A 2022-12-15 2022-12-15 Network security data association analysis method, device and system and storage medium Pending CN115664853A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211610750.1A CN115664853A (en) 2022-12-15 2022-12-15 Network security data association analysis method, device and system and storage medium

Publications (1)

Publication Number Publication Date
CN115664853A true CN115664853A (en) 2023-01-31

Family

ID=85023289

Country Status (1)

Country Link
CN (1) CN115664853A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117560389A (en) * 2023-10-13 2024-02-13 陕西小保当矿业有限公司 Mine industrial Internet platform alarm fusion method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080201277A1 (en) * 2007-02-16 2008-08-21 Matsushita Electric Industrial Co., Ltd. System architecture and process for automating intelligent surveillance center operation
CN101610174A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 A kind of log correlation analysis system and method
CN105843803A (en) * 2015-01-12 2016-08-10 上海悦程信息技术有限公司 Big data security visualization interaction analysis system and method
CN108021809A (en) * 2017-12-19 2018-05-11 北京明朝万达科技股份有限公司 A kind of data processing method and system
CN110149350A (en) * 2019-06-24 2019-08-20 国网安徽省电力有限公司信息通信分公司 A kind of associated assault analysis method of alarm log and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20230131