CN116074075A - Security event association behavior analysis method, system and equipment based on association rule

Info

Publication number: CN116074075A
Application number: CN202310030200.0A
Authority: CN (China)
Prior art keywords: association, log, alarm, security event, rule
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 薛洪亮, 张洋
Current and original assignee: Beijing Abt Networks Co ltd
Events: application filed by Beijing Abt Networks Co ltd; priority to CN202310030200.0A; publication of CN116074075A; legal status pending.

Classifications (CPC)

    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention provides a security event association behavior analysis method, system and equipment based on association rules, comprising the following steps: acquiring the single-dimensional alarm logs generated by each network security device; screening out relevant alarm logs according to the attributes of the single-dimensional alarm logs; performing association rule modeling according to the attack behavior characteristics corresponding to the relevant alarm logs, and determining security event association rules; aggregating the relevant alarm logs based on a preset sliding time window, normalizing them and ordering them in time; performing association analysis on the alarm logs in the alarm log queue based on the security event association rules, and outputting an association log data set; statistically aggregating the association log data set based on a preset aggregation rule to obtain an attack panoramic jigsaw; and analyzing and assessing the attack panoramic jigsaw to determine the solution of the security event. The method can restore the complete network attack scene and reduce analysis errors.

Description

Security event association behavior analysis method, system and equipment based on association rule
Technical Field
The invention relates to the technical field of network security, in particular to a security event association behavior analysis method, system and equipment based on association rules.
Background
With the increasing scale of networks, network security events grow exponentially, and there is an intricate relationship between security events.
In the prior art, network attack behavior is filtered and blocked by security devices. For example, an IPS has many filters and can therefore prevent a variety of attacks; when a new attack is discovered, a new filter must be created, designed to examine the contents of the packets in the network traffic flowing between source and destination and to generate an alarm. A WAF intercepts harmful requests and disguises the responses, and applies regular-expression matching to the received packets. Each security device is good in its own field and can find the attacks covered by its existing filtering rules, but it is limited to discovering causal relationships from message content and reasoning from prior knowledge; its analysis depends on the structural characteristics of the message content, is limited to the data attributes at a single point in time not matching normal message content, and so easily produces a partial, "one leaf blocking the eye" view in security analysis. For example, some security events are generated by the same attack, some are causally related, and some form a complex attack consisting of a series of attacks. Network security event association analysis therefore needs to fully associate the various complex network security events, find the relationships between them, produce a complete event description after removing redundancy, and discover the intrusion behavior of a network attacker in time.
A network attack is a complex, multi-stage, dynamic process that continues over a period of time and crosses multiple nodes. With an independent device log source a security analyst cannot see the whole attack, only one segment of it, and no closed-loop chain of evidence can be formed. This leads to analysis errors, guides the customer to ineffective remedial measures, misses the best time to block the attack, and causes heavy economic losses for enterprises.
In summary, the prior art cannot restore the complete network attack scene when analyzing a network attack, which easily leads to analysis errors.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a method, a system and a device for analyzing security event association behavior based on association rules, which solve the technical problem that in the prior art the complete network attack scene cannot be restored, so that analysis errors easily occur.
In order to solve this technical problem, in one aspect the present invention provides a method for analyzing security event association behavior based on association rules, comprising:
acquiring a single-dimensional alarm log generated by each network security device;
determining the threat scene type of each single-dimensional alarm log, and screening out relevant alarm logs conforming to threat scenes according to the threat scene types;
carrying out association rule modeling according to the attack behavior characteristics corresponding to the related alarm logs, and determining security event association rules;
aggregating the related alarm logs based on a preset sliding time window for normalization, and sorting according to time to obtain an alarm log queue in a unified format;
carrying out association analysis on alarm logs in an alarm log queue one by one based on the security event association rule, and outputting associated log data to form an association log data set;
statistically aggregating the association log data set based on a preset aggregation rule, outputting the associated log data clusters that meet a set threshold in the statistical aggregation, and obtaining an attack panoramic jigsaw from the associated log data clusters;
and analyzing and assessing the attack panoramic jigsaw to determine the solution of the security event.
In some possible implementations, the determining the threat scene type of each single-dimensional alarm log, and screening the relevant alarm logs conforming to the threat scene according to the threat scene type includes:
threat scene modeling is respectively carried out according to each security event corresponding to the single-dimensional alarm logs, and threat scene types of each single-dimensional alarm log are determined according to the threat scene modeling;
and screening out relevant alarm logs conforming to the threat scene from the single-dimensional alarm logs according to the threat scene type.
In some possible implementations, the performing association rule modeling according to the attack behavior feature corresponding to the relevant alarm log to determine a security event association rule includes:
analyzing log attributes of the related alarm logs, and determining attack behavior characteristics corresponding to the related alarm logs;
and establishing a corresponding log filtering rule according to the attack behavior characteristics, and determining a security event association rule according to the log filtering rule.
In some possible implementations, the attack behavior feature includes: network device type, source IP, destination IP, source port, destination port, protocol type, and time.
In some possible implementations, the establishing a corresponding log filtering rule according to the attack behavior feature, and determining a security event association rule according to the log filtering rule, includes:
any two relevant alarm logs are obtained, a first log filtering rule is established according to the first alarm log, and a second log filtering rule is established according to the second alarm log;
respectively colliding the first log filtering rule and the second log filtering rule in real time with an asset vulnerability data set, and determining a first association condition when it is confirmed that an exploitable vulnerability exists on the assets accessed through the two network security devices;
determining a second association condition when a log join of the first log filtering rule and the second log filtering rule shows that the two network security devices detected the same exploitable vulnerability;
and when the first association condition and the second association condition hold at the same time, the first alarm log and the second alarm log are successfully associated.
In some possible implementations, the aggregating the relevant alarm logs based on a preset sliding time window for normalization and sorting according to time to obtain an alarm log queue in a unified format includes:
aggregating relevant alarm logs corresponding to each network security device in a window based on a preset sliding time window, and carrying out normalization processing to obtain relevant alarm logs in a unified format;
and sorting the related alarm logs in the unified format by the start time of the security event, obtaining an alarm log queue in the unified format within the preset sliding time window.
In some possible implementations, the performing association analysis on the alarm logs in the alarm log queue one by one based on the security event association rule, and outputting association log data includes:
comparing and colliding the alarm logs in the alarm log queue one by one based on the security event association rule, so as to complete the association analysis of any two alarm logs in the queue; two alarm logs for which the first association condition and the second association condition hold at the same time are determined to be successfully associated, and the corresponding association log data are output.
In some possible implementations, the performing statistical aggregation on the associated log data set based on a preset aggregation rule, outputting an associated log data cluster meeting a set threshold in the statistical aggregation, and obtaining an attack panoramic jigsaw according to the associated log data cluster, including:
statistically aggregating the associated log data according to the similarity and causal relationships that exist between the events in the association log data set, and outputting the associated log data clusters that meet a set threshold in the statistical aggregation;
analyzing the alarm log attributes in the associated log data clusters, and restoring the attack panoramic jigsaw.
On the other hand, the invention also provides a security event association behavior analysis system based on association rules, which comprises:
the data acquisition module is used for acquiring a single-dimensional alarm log generated by each network security device;
the data screening module is used for determining the threat scene type of each single-dimensional alarm log and screening out relevant alarm logs conforming to the threat scene according to the threat scene type;
the rule building module is used for carrying out association rule modeling according to the attack behavior characteristics corresponding to the relevant alarm logs and determining security event association rules;
the data sorting module is used for aggregating the related alarm logs based on a preset sliding time window for normalization and sorting according to time to obtain an alarm log queue in a unified format;
the association analysis module is used for carrying out association analysis on the alarm logs in the alarm log queue one by one based on the security event association rule, and outputting associated log data to form an association log data set;
the clustering processing module is used for statistically aggregating the association log data set based on a preset aggregation rule to obtain associated log data clusters, and obtaining the attack panoramic jigsaw according to the associated log data clusters;
and the analysis and decision module is used for analyzing and assessing the attack panoramic jigsaw and determining the solution of the security event.
Finally, the invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein the processor, when executing the program, implements the method for analyzing security event association behavior based on association rules of the above implementation.
The beneficial effects of adopting this embodiment are as follows: the security event association behavior analysis method based on association rules collects the alarm logs of all network security devices, performs association rule modeling on real alarm events according to complex security event scenes, associates the alarm logs of the various network security devices, performs traceability analysis on attack fragments, and obtains an attack panoramic jigsaw. Traditional techniques such as the join operator of a link can only associate two events and cannot associate more than two security events, whereas this method performs multi-way association restoration on the associated events, forms a more complex attack link relationship, and gives the correct direction for the subsequent analysis of the network attack. At the same time, the method overcomes the partial, "one leaf blocking the eye" view produced by manually analyzing single-dimensional alarms, improves the accuracy with which network attacks are perceived, reduces the analysis workload and the misses caused by a high false-alarm rate, and completes as much of the manual analysis and hand-over process as possible through the established association rules and preset aggregation rules, thereby achieving a degree of intelligent perception capability.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart illustrating an embodiment of a method for analyzing a security event association behavior based on association rules according to the present invention;
FIG. 2 is a schematic structural diagram of an embodiment of a security event correlation behavior analysis system based on correlation rules according to the present invention;
FIG. 3 is a schematic structural diagram of an embodiment of an electronic device according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be understood that the schematic drawings are not drawn to scale. A flowchart, as used in this disclosure, illustrates operations implemented according to some embodiments of the present invention. It should be appreciated that the operations of the flow diagrams may be implemented out of order and that steps without logical context may be performed in reverse order or concurrently. Moreover, one or more other operations may be added to or removed from the flow diagrams by those skilled in the art under the direction of the present disclosure.
Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor systems and/or microcontroller systems.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
Before describing particular embodiments, the invention will be explained with reference to specific terminology:
Host Security Service (HSS) agent: performs detection tasks, scanning the host/container in full; monitors the security state of the host/container in real time and reports the collected host/container information to a cloud protection center. The Agent comes in a Linux version and a Windows version, and the version matching the OS of the host is installed.
WAF (Web Application Firewall): a product that protects Web applications specifically by enforcing a series of security policies for HTTP/HTTPS. Unlike a traditional firewall, a WAF works at the application layer.
IPS (Intrusion Prevention System): a supplement to antivirus software and firewalls; a computer network security device that monitors the data transmission behavior of a network or network device and can instantly interrupt, adjust or isolate abnormal or damaging data transmissions.
IDS (Intrusion Detection System): monitors the running state of the network and the system by software and hardware according to a given security policy, and discovers attack attempts, attack behaviors or attack results as far as possible, so as to ensure the confidentiality, integrity and availability of network system resources.
Webshell command execution environment: a code execution environment that exists in the form of a web page file such as asp, php, jsp or cgi and is mainly used for operations such as website management, server management and permission management. It is simple to use: many routine operations can be carried out by uploading a single code file and accessing it through the website, which greatly facilitates a user's management of the website and server. For this reason, a small proportion of people use modified code of this kind as a backdoor program to gain control of the web server.
On the basis of these terms: in the prior art, open-source big data analysis frameworks can only complete the association between two events. For example, common association rule mining discovers relationships between items in a data set; it has many application scenarios in daily life and is very common in network security.
The following detailed description of specific embodiments is provided, and it should be noted that the description order of the following embodiments is not to be taken as a limitation on the preferred order of the embodiments.
The embodiment of the invention provides a security event association behavior analysis method, a security event association behavior analysis system and security event association behavior analysis equipment based on association rules.
As shown in fig. 1, fig. 1 is a flow chart of an embodiment of a security event association behavior analysis method based on association rules according to the present invention, where the security event association behavior analysis method based on association rules includes:
S101, acquiring a single-dimensional alarm log generated by each network security device;
S102, determining a threat scene type of each single-dimensional alarm log, and screening out relevant alarm logs conforming to threat scenes according to the threat scene types;
S103, carrying out association rule modeling according to attack behavior characteristics corresponding to the related alarm logs, and determining security event association rules;
S104, aggregating the related alarm logs based on a preset sliding time window for normalization, and sorting according to time to obtain an alarm log queue in a unified format;
S105, carrying out association analysis on alarm logs in an alarm log queue one by one based on the security event association rule, and outputting associated log data to form an association log data set;
S106, statistically aggregating the association log data set based on a preset aggregation rule, outputting the associated log data clusters that meet a set threshold in the statistical aggregation, and obtaining an attack panoramic jigsaw according to the associated log data clusters;
S107, analyzing and assessing the attack panoramic jigsaw to determine the solution of the security event.
Compared with the prior art, the security event association behavior analysis method based on association rules provided by the invention has the following advantages: it collects the alarm logs of each network security device, performs association rule modeling on real alarm events according to complex security event scenes, associates the alarm logs of the various network security devices, performs traceability analysis on attack fragments, and obtains the attack panoramic jigsaw. Traditional techniques such as the join operator of a link can only associate two events and cannot associate more than two security events, whereas this method performs multi-way association restoration on the associated events, forms a more complex attack link relationship, and gives the correct direction for the subsequent analysis of the network attack. At the same time, the method overcomes the partial, "one leaf blocking the eye" view produced by manually analyzing single-dimensional alarms, improves the accuracy with which network attacks are perceived, reduces the analysis workload and the misses caused by a high false-alarm rate, and completes as much of the manual analysis and hand-over process as possible through the established association rules and preset aggregation rules, thereby achieving a degree of intelligent perception capability.
Optionally, in a specific embodiment of the present invention, in step S101, a single-dimensional alarm log generated by each network security device is obtained, where the network security device includes: web application firewalls WAFs, intrusion prevention systems IPS, intrusion detection systems IDS, host security services AGENT, and other devices.
It should be noted that the network security devices are used to monitor all computer assets (including Windows computers, servers, etc.) of a given unit or government institution; when a computer asset is found to be abnormal, a corresponding abnormal alarm is generated on the security device.
The single-dimensional alarm logs of the network security devices are collected in real time by log collection, providing the basic data for deep association analysis.
Further, in some embodiments of the present invention, in step S102, a threat scenario type of each single-dimensional alarm log is determined, and relevant alarm logs conforming to the threat scenario are selected according to the threat scenario type, including:
threat scene modeling is respectively carried out according to each security event corresponding to the single-dimensional alarm logs, and threat scene types of each single-dimensional alarm log are determined according to the threat scene modeling;
and screening out relevant alarm logs conforming to the threat scene from the single-dimensional alarm logs according to the threat scene type.
In a specific embodiment of the present invention, taking an IDS alarm log as an example: the destination IP of the alarm log is obtained, the corresponding network security device is determined to be a host IDS, and it is checked whether a Webshell intrusion or anomaly was detected; when no Webshell is detected the alarm is determined to be an irrelevant alarm event, and when a Webshell is detected it is determined to be a relevant alarm event.
Further, in some embodiments of the present invention, in step S103, association rule modeling is performed according to the attack behavior feature corresponding to the relevant alarm log, and determining a security event association rule includes:
analyzing log attributes of the related alarm logs, and determining attack behavior characteristics corresponding to the related alarm logs;
and establishing a corresponding log filtering rule according to the attack behavior characteristics, and determining a security event association rule according to the log filtering rule.
An attack behavior feature comprising: network device type, source IP, destination IP, source port, destination port, protocol type, and time.
Establishing a corresponding log filtering rule according to the attack behavior characteristics, and determining a security event association rule according to the log filtering rule, wherein the method comprises the following steps:
any two relevant alarm logs are obtained, a first log filtering rule is established according to the first alarm log, and a second log filtering rule is established according to the second alarm log;
respectively colliding the first log filtering rule and the second log filtering rule in real time with an asset vulnerability data set, and determining a first association condition when it is confirmed that an exploitable vulnerability exists on the assets accessed through the two network security devices;
determining a second association condition when a log join of the first log filtering rule and the second log filtering rule shows that the two network security devices detected the same exploitable vulnerability;
and when the first association condition and the second association condition hold at the same time, the first alarm log and the second alarm log are successfully associated.
In a specific embodiment of the present invention, take the first alarm log and the second alarm log to be a WAF alarm event and an IDS alarm event respectively. The first log filtering rule corresponding to the first alarm log is set to (WAF destination IP, vulnerability table, asset IP), and the second log filtering rule corresponding to the second alarm log is set to (IDS destination IP, vulnerability table, asset IP). Each rule is collided in real time with the asset vulnerability data set, so that data are extracted effectively and match the scene only when it is confirmed that an exploitable vulnerability exists on the accessed server (destination IP). At this point, however, it cannot yet be confirmed that the attacks corresponding to the first and second alarm logs belong to the same attack link. When the log join (destination IP of the first log filtering rule = destination IP of the second log filtering rule) shows that the two security devices detected the same exploitable vulnerability, the data detected from the WAF dimension and the data detected from the IDS dimension are the same attack, and at this point half of the attack panoramic jigsaw is complete.
Further, in some embodiments of the present invention, in step S104, the relevant alarm logs are aggregated based on a preset sliding time window for normalization, and are ordered according to time, so as to obtain an alarm log queue in a unified format, including:
aggregating relevant alarm logs corresponding to each network security device in a window based on a preset sliding time window, and carrying out normalization processing to obtain relevant alarm logs in a unified format;
and sorting the related alarm logs in the unified format according to the start time of the security event, obtaining an alarm log queue in the unified format within the preset sliding time window.
It should be noted that real-time data has no natural boundary, so a temporary analysis boundary range must be set before complex association processing can be performed on it. The collected relevant alarm logs are therefore merged and normalized, which ensures that closely related security events are analysed together within a fixed time window. Within the sliding window, real-time data may arrive late because of network jitter, so the analysis span between adjacent events can become too large and the data to be analysed in the same window dimension is not framed; the data of adjacent events is therefore ordered by time, which resolves the out-of-order problem in the preprocessed data.
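The normalization, windowing and ordering step described above, as an added Python example that is not part of the patent and not the applicant's code. The WAF and IDS records, their field names and the 5-minute window length are constructed assumptions; the point it shows is that a record which arrives late (the IDS record listed last) still ends up in the right window and in event-time order.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=5)  # window length used in the description's embodiment


@dataclass(frozen=True)
class Alarm:
    """Unified alarm format: the attack-behaviour features listed in claim 4."""
    device_type: str
    start_time: datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    event: str


# Constructed sample records (assumption): the WAF exports ISO-8601 timestamps with
# short field names, the IDS exports epoch seconds with verbose field names.
WAF_RAW = [
    {"ts": "2023-01-09T10:00:07Z", "src": "203.0.113.10", "sport": 51000, "dst": "192.0.2.20", "dport": 80, "rule": "sqli"},
    {"ts": "2023-01-09T10:04:50Z", "src": "203.0.113.10", "sport": 51004, "dst": "192.0.2.20", "dport": 80, "rule": "webshell-upload"},
    {"ts": "2023-01-09T10:05:30Z", "src": "203.0.113.10", "sport": 51009, "dst": "192.0.2.20", "dport": 80, "rule": "webshell-exec"},
]
IDS_RAW = [
    {"start_time": "1673258595", "src_ip": "203.0.113.10", "src_port": "51002", "dst_ip": "192.0.2.20", "dst_port": "80", "proto": "TCP", "sig": "ET WEB_SERVER Suspicious scan"},
    # earliest start time (10:00:06Z) but delivered last: simulates delay from network jitter
    {"start_time": "1673258406", "src_ip": "203.0.113.10", "src_port": "51000", "dst_ip": "192.0.2.20", "dst_port": "80", "proto": "TCP", "sig": "ET WEB_SERVER SQLi"},
]


def normalize_waf(rec: dict) -> Alarm:
    """Map a hypothetical WAF record onto the unified format."""
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Alarm("WAF", ts, rec["src"], rec["dst"], int(rec["sport"]), int(rec["dport"]), "tcp", rec["rule"])


def normalize_ids(rec: dict) -> Alarm:
    """Map a hypothetical IDS record onto the unified format."""
    ts = datetime.fromtimestamp(int(rec["start_time"]), tz=timezone.utc)
    return Alarm("IDS", ts, rec["src_ip"], rec["dst_ip"], int(rec["src_port"]), int(rec["dst_port"]),
                 rec["proto"].lower(), rec["sig"])


def window_start(ts: datetime, window: timedelta = WINDOW) -> datetime:
    """Align an event time down to the start of the window that contains it."""
    return ts - (ts - EPOCH) % window


def build_queues(alarms: List[Alarm], window: timedelta = WINDOW) -> Dict[datetime, List[Alarm]]:
    """Aggregate alarms per window and order each window by event start time.

    Arrival order is discarded on purpose: a late record is placed by its own
    start time, which is what removes the out-of-order problem the text mentions.
    """
    queues: Dict[datetime, List[Alarm]] = {}
    for alarm in alarms:
        queues.setdefault(window_start(alarm.start_time, window), []).append(alarm)
    for queue in queues.values():
        queue.sort(key=lambda a: a.start_time)
    return dict(sorted(queues.items()))


def demo_queues() -> Dict[datetime, List[Alarm]]:
    """Normalize both constructed feeds and build the per-window queues."""
    alarms = [normalize_waf(r) for r in WAF_RAW] + [normalize_ids(r) for r in IDS_RAW]
    return build_queues(alarms)


if __name__ == "__main__":
    for start, queue in demo_queues().items():
        print(start.isoformat(), [(a.device_type, a.start_time.strftime("%H:%M:%S"), a.event) for a in queue])
```

The first window (10:00 to 10:05) receives four alarms ordered IDS 10:00:06, WAF 10:00:07, IDS 10:03:15, WAF 10:04:50 even though the IDS SQLi record was the last to arrive; the 10:05:30 WAF alarm falls into the next window.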
Further, in some embodiments of the present invention, in step S105, association analysis is performed on the alarm logs in the alarm log queue one by one based on the security event association rule, and associated log data is output, including:
and comparing and colliding the alarm logs in the alarm log queue one by one based on the security event association rule, so as to complete association analysis of any two alarm logs in the alarm log queue; where two alarm logs satisfy both the first association condition and the second association condition at the same time, determining that they are successfully associated and outputting the corresponding association log data.
In a specific embodiment of the invention, the alarm log queue is obtained by selecting a time window with a time range of 5 minutes, and the alarm logs in the queue are subjected to association analysis one by one based on the security event association rule. The whole association processing flow resembles an inner join in a relational database, but a relational database works on (offline) data stored in the database, whereas network security data mining performs the association in memory on a real-time data stream; this gives faster querying and better real-time behaviour, and is better suited to the real-time requirements of security events.
Further, in some embodiments of the present invention, in step S106, the statistical aggregation is performed on the associated log data set based on a preset aggregation rule, and an associated log data cluster meeting a set threshold in the statistical aggregation is output, and an attack panorama jigsaw is obtained according to the associated log data cluster, including:
performing statistical aggregation on the associated log data according to the similarity relations and causal relations that exist between the events corresponding to the associated log data set, and outputting the associated log data clusters that meet a set threshold in the statistical aggregation;
analyzing the alarm log attribute in the associated log data cluster, and restoring the attack panoramic jigsaw.
The preset clustering condition is that grouping is carried out according to the source IP and destination IP of the alarm log; the default statistical method is counting; when the count of the clustering statistics is greater than or equal to 1, the associated log data cluster is output. After the source IP and destination IP have been aggregated by log statistics, the source IP and destination IP of the network attack can be determined with confidence: who initiated the attack, what its target was and what the attack result was, which forms the panoramic jigsaw of the attack.
When the related log data sets are statistically aggregated, security events can be classified and combined according to similarity measurement of attributes (such as source IP, destination IP, source port, destination port, protocol type, time and the like) among the alarm logs, so that the simplification of alarm information is realized. The security event association behavior analysis method based on association rules provided by the invention can carry out association analysis on the network and the host in addition to the association analysis on the alarms of the network security devices, the method extracts the characteristics representing network flow and host abnormality, and the network security is monitored through the comprehensive association of common attribute characteristics. Meanwhile, the method can carry out association analysis on security events in different fields, comprehensively utilizes the internal relations among various security events from different fields, carries out association analysis on the security events, and realizes network attack detection.
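The association step (the two association conditions and the in-memory pairwise join over the queue, steps S103 and S105) together with the statistical aggregation of step S106, as one added Python example that is not the patent's own code. It takes a queue already in unified format and ordered by start time (the output of the windowing step). The asset vulnerability data set, the vulnerability identifiers (placeholders), the signature-to-vulnerability mapping carried in each record and the rule that a pair must come from two different devices are all constructed assumptions; the second attacker in the sample targets a host with no exploitable vulnerability, which is the case the first condition is meant to filter out.

```python
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed asset vulnerability data set (assumption): asset IP -> exploitable vulnerability ids.
# The ids are placeholders, not real vulnerability identifiers.
ASSET_VULNS: Dict[str, Set[str]] = {
    "192.0.2.20": {"VULN-WEB-SQLI-PLACEHOLDER", "VULN-WEB-UPLOAD-PLACEHOLDER"},
    "192.0.2.30": set(),  # patched host: alarms against it must not associate
}

# Constructed alarm-log queue in unified format, already ordered by start time.
# 'vuln' is the vulnerability id that the device's signature maps to (assumed mapping).
QUEUE: List[dict] = [
    {"device": "IDS", "t": "10:00:06", "src": "203.0.113.10", "dst": "192.0.2.20", "vuln": "VULN-WEB-SQLI-PLACEHOLDER", "event": "ET WEB_SERVER SQLi"},
    {"device": "WAF", "t": "10:00:07", "src": "203.0.113.10", "dst": "192.0.2.20", "vuln": "VULN-WEB-SQLI-PLACEHOLDER", "event": "sqli"},
    {"device": "IDS", "t": "10:02:40", "src": "198.51.100.7", "dst": "192.0.2.30", "vuln": "VULN-WEB-SQLI-PLACEHOLDER", "event": "ET WEB_SERVER SQLi"},
    {"device": "WAF", "t": "10:02:41", "src": "198.51.100.7", "dst": "192.0.2.30", "vuln": "VULN-WEB-SQLI-PLACEHOLDER", "event": "sqli"},
    {"device": "WAF", "t": "10:04:50", "src": "203.0.113.10", "dst": "192.0.2.20", "vuln": "VULN-WEB-UPLOAD-PLACEHOLDER", "event": "webshell-upload"},
    {"device": "IDS", "t": "10:04:51", "src": "203.0.113.10", "dst": "192.0.2.20", "vuln": "VULN-WEB-UPLOAD-PLACEHOLDER", "event": "ET WEB_SERVER Webshell"},
]

THRESHOLD = 1  # default in the description: output a cluster when its count >= 1


def first_condition(a: dict, b: dict) -> bool:
    """Collide each log filtering rule with the asset vulnerability set: the accessed
    host (destination IP) must actually carry the vulnerability the alarm refers to."""
    return all(x["vuln"] in ASSET_VULNS.get(x["dst"], set()) for x in (a, b))


def second_condition(a: dict, b: dict) -> bool:
    """Log join on destination IP: both devices saw the same exploitable vulnerability."""
    return a["dst"] == b["dst"] and a["vuln"] == b["vuln"]


def associate_queue(queue: List[dict]) -> List[Tuple[dict, dict]]:
    """In-memory pairwise 'inner join' over one window's queue.

    A pair is kept only when it comes from two different devices (assumption) and
    satisfies both association conditions at the same time.
    """
    return [(a, b) for a, b in combinations(queue, 2)
            if a["device"] != b["device"] and first_condition(a, b) and second_condition(a, b)]


def aggregate(pairs: List[Tuple[dict, dict]]) -> Dict[Tuple[str, str], List[Tuple[dict, dict]]]:
    """Group associated records by (source IP, destination IP) and count them."""
    clusters: Dict[Tuple[str, str], List[Tuple[dict, dict]]] = defaultdict(list)
    for a, b in pairs:
        clusters[(a["src"], a["dst"])].append((a, b))
    return {key: grp for key, grp in clusters.items() if len(grp) >= THRESHOLD}


def panorama(clusters: Dict[Tuple[str, str], List[Tuple[dict, dict]]]) -> List[dict]:
    """Restore the attack picture per cluster: who attacked whom, through which
    vulnerabilities, observed by which devices, and over what time span."""
    picture = []
    for (src, dst), grp in clusters.items():
        logs = [log for pair in grp for log in pair]
        picture.append({
            "attacker": src,
            "target": dst,
            "count": len(grp),
            "first_seen": min(log["t"] for log in logs),
            "last_seen": max(log["t"] for log in logs),
            "vulnerabilities": sorted({log["vuln"] for log in logs}),
            "devices": sorted({log["device"] for log in logs}),
            "stages": [log["event"] for log in sorted(logs, key=lambda l: l["t"])],
        })
    return picture


def analyse(queue: List[dict] = QUEUE) -> List[dict]:
    """Run association and aggregation over one window's queue."""
    return panorama(aggregate(associate_queue(queue)))


if __name__ == "__main__":
    for cluster in analyse():
        print(cluster)
```

On the constructed queue only the two WAF/IDS pairs against 192.0.2.20 associate (the SQLi pair and the webshell-upload pair); the alarms against the patched host 192.0.2.30 fail the first condition and never reach the aggregation, so a single cluster with count 2 is output.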
According to the embodiment of the invention, the false security events and redundant security events irrelevant to a system are filtered by applying a big data processing technology to massive and continuously generated security alarm data such as host logs, firewall logs, intrusion alarms and the like, and the events are aggregated through similarity relations, causality relations and the like among the events, so that more simplified and accurate security alarms are obtained. For example, security events are classified and combined through attribute (source IP, destination IP, source port, destination port, protocol type, time and the like) similarity measurement among alarm records, so that the simplification of alarm information is realized.
Through this technical solution, alarms from the IDS and WAF security devices are associated, so that the destination IP of the network attack is obtained by analysis, and the website on the host computer of xxxx. This application takes attacks on websites as its example to discuss an association behavior analysis method that mines various security events in real time based on association rules. The association rules are flexible and customizable in design, are not confined to a single scenario, and support association of various objects, such as alarm association analysis across all devices and security event association analysis across different fields. Because the configuration of the association rules is determined by the data characteristics of actual attacks, the method is highly general.
In order to better implement the security event association behavior analysis method based on the association rule in the embodiment of the invention, based on the security event association behavior analysis method based on the association rule, correspondingly, the embodiment of the invention also provides a security event association behavior analysis system based on association rules, as shown in fig. 2, the security event association behavior analysis system 200 based on association rules includes:
a data acquisition module 201, configured to acquire a single-dimensional alarm log generated by each network security device;
the data screening module 202 is configured to determine a threat scenario type of each single-dimensional alarm log, and screen relevant alarm logs conforming to the threat scenario according to the threat scenario type;
the rule establishing module 203 is configured to perform association rule modeling according to the attack behavior feature corresponding to the relevant alarm log, and determine a security event association rule;
the data sorting module 204 is configured to aggregate the relevant alarm logs based on a preset sliding time window for normalization, and sort the relevant alarm logs according to time, so as to obtain an alarm log queue in a unified format;
the association analysis module 205 is configured to perform association analysis on the alarm logs in the alarm log queue one by one based on the security event association rule, and output associated log data to form an association log data set;
the cluster processing module 206 is configured to perform statistical aggregation on the associated log data set based on a preset aggregation rule to obtain an associated log data cluster, and obtain an attack panoramic jigsaw according to the associated log data cluster;
and the analysis and judgement decision module 207, configured to analyse and judge according to the attack panorama jigsaw and determine the solution for the security event.
The association rule-based security event association behavior analysis system 200 provided in the foregoing embodiment may implement the technical solution described in the foregoing association rule-based security event association behavior analysis method embodiment, and the specific implementation principle of each module or unit may refer to the corresponding content in the foregoing association rule-based security event association behavior analysis method embodiment, which is not described herein again.
As shown in fig. 3, the present invention further provides an electronic device 300 accordingly. The electronic device 300 comprises a processor 301, a memory 302 and a display 303. Fig. 3 shows only some of the components of the electronic device 300, but it should be understood that not all of the illustrated components are required to be implemented and that more or fewer components may be implemented instead.
The processor 301 may in some embodiments be a central processing unit (Central Processing Unit, CPU), microprocessor or other data processing chip for executing program code or processing data stored in the memory 302, such as a security event correlation behavior analysis program based on correlation rules in the present invention.
In some embodiments, processor 301 may be a single server or a group of servers. The server group may be centralized or distributed. In some embodiments, the processor 301 may be local or remote. In some embodiments, processor 301 may be implemented on a cloud platform. In an embodiment, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an inter-cloud, a multi-cloud, or the like, or any combination thereof.
The memory 302 may be an internal storage unit of the electronic device 300 in some embodiments, such as a hard disk or memory of the electronic device 300. The memory 302 may also be an external storage device of the electronic device 300 in other embodiments, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the electronic device 300.
Further, the memory 302 may also include both internal storage units and external storage devices of the electronic device 300. The memory 302 is used for storing application software and various types of data for installing the electronic device 300.
The display 303 may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch display, or the like in some embodiments. The display 303 is used for displaying information at the electronic device 300 and for displaying a visual user interface. The components 301-303 of the electronic device 300 communicate with each other via a system bus.
In one embodiment, when the processor 301 executes the association rule based security event association behavior analysis program in the memory 302, the following steps may be implemented:
acquiring a single-dimensional alarm log generated by each network security device;
determining the threat scene type of each single-dimensional alarm log, and screening out relevant alarm logs conforming to threat scenes according to the threat scene types;
carrying out association rule modeling according to the attack behavior characteristics corresponding to the related alarm logs, and determining security event association rules;
aggregating the related alarm logs based on a preset sliding time window for normalization, and sorting according to time to obtain an alarm log queue in a unified format;
carrying out association analysis on alarm logs in an alarm log queue one by one based on the security event association rule, and outputting associated log data to form an association log data set;
carrying out statistics aggregation on the associated log data set based on a preset aggregation rule, outputting associated log data clusters which accord with a set threshold in the statistics aggregation, and obtaining an attack panoramic jigsaw according to the associated log data clusters;
and analyzing and judging according to the attack panoramic jigsaw, and determining the solution of the security event.
It should be understood that: the processor 301 may perform other functions in addition to the above functions when executing the association rule based security event association behavior analysis program in the memory 302, see in particular the description of the corresponding method embodiments above.
Further, the type of the electronic device 300 is not particularly limited, and the electronic device 300 may be a mobile phone, a tablet computer, a personal digital assistant (PDA), a wearable device, a laptop, or another portable electronic device. Exemplary embodiments of portable electronic devices include, but are not limited to, portable electronic devices running iOS, Android, Microsoft or other operating systems. The portable electronic device described above may also be another portable electronic device, such as a laptop computer having a touch-sensitive surface, e.g. a touch panel. It should also be appreciated that in other embodiments of the invention, the electronic device 300 may not be a portable electronic device, but rather a desktop computer having a touch-sensitive surface (e.g., a touch panel).
Accordingly, the embodiments of the present application further provide a computer readable storage medium, where the computer readable storage medium is used to store a computer readable program or instruction, and when the program or instruction is executed by a processor, the steps or functions in the security event association behavior analysis method based on association rules provided in the foregoing method embodiments can be implemented.
Those skilled in the art will appreciate that all or part of the flow of the methods of the embodiments described above may be accomplished by way of a computer program stored in a computer readable storage medium to instruct related hardware (e.g., a processor, a controller, etc.). The computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above description of the present invention provides a method, a system, a device and a storage medium for analyzing security event association behavior based on association rules, and specific examples are applied to describe the principles and embodiments of the present invention, where the description of the above examples is only used to help understand the method and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in light of the ideas of the present invention, the present description should not be construed as limiting the present invention.

Claims (10)

1. A method for analyzing security event association behavior based on association rules, comprising:
acquiring a single-dimensional alarm log generated by each network security device;
determining the threat scene type of each single-dimensional alarm log, and screening out relevant alarm logs conforming to threat scenes according to the threat scene types;
carrying out association rule modeling according to the attack behavior characteristics corresponding to the related alarm logs, and determining security event association rules;
aggregating the related alarm logs based on a preset sliding time window for normalization, and sorting according to time to obtain an alarm log queue in a unified format;
carrying out association analysis on alarm logs in an alarm log queue one by one based on the security event association rule, and outputting associated log data to form an association log data set;
carrying out statistics aggregation on the associated log data set based on a preset aggregation rule, outputting associated log data clusters which accord with a set threshold in the statistics aggregation, and obtaining an attack panoramic jigsaw according to the associated log data clusters;
and analyzing and judging according to the attack panoramic jigsaw, and determining the solution of the security event.
2. The method for analyzing security event association behavior based on association rules according to claim 1, wherein determining a threat scene type of each single-dimensional alarm log, and screening out relevant alarm logs conforming to a threat scene according to the threat scene type, comprises:
threat scene modeling is respectively carried out according to each security event corresponding to the single-dimensional alarm logs, and threat scene types of each single-dimensional alarm log are determined according to the threat scene modeling;
and screening out relevant alarm logs conforming to the threat scene from the single-dimensional alarm logs according to the threat scene type.
3. The method for analyzing the association behavior of the security event based on the association rule according to claim 1, wherein the performing association rule modeling according to the attack behavior feature corresponding to the relevant alarm log to determine the association rule of the security event comprises:
analyzing log attributes of the related alarm logs, and determining attack behavior characteristics corresponding to the related alarm logs;
establishing a corresponding log filtering rule according to the attack behavior characteristics, and determining a security event association rule according to the log filtering rule.
4. A method of association rule-based security event association behavior analysis according to claim 3, wherein the attack behavior feature comprises: network device type, source IP, destination IP, source port, destination port, protocol type, and time.
5. The method for analyzing security event association behavior based on association rules according to claim 4, wherein the establishing a corresponding log filtering rule according to the attack behavior feature, and determining the security event association rule according to the log filtering rule, comprises:
any two relevant alarm logs are obtained, a first log filtering rule is established according to the first alarm log, and a second log filtering rule is established according to the second alarm log;
respectively carrying out real-time dynamic collision of the first log filtering rule and the second log filtering rule with an asset vulnerability data set, and determining a first association condition when it is confirmed that exploitable vulnerabilities exist on the two accessed network security devices;
when, by joining the logs, the first log filtering rule and the second log filtering rule jointly determine that the two accessed network security devices detected the same exploitable vulnerability, determining a second association condition;
and when the first association condition and the second association condition are both satisfied at the same time, the first alarm log and the second alarm log are successfully associated.
6. The method for analyzing the association behavior of the security event based on the association rule according to claim 1, wherein the aggregating the relevant alarm logs based on the preset sliding time window normalizes and sorts the relevant alarm logs according to time, so as to obtain an alarm log queue with a uniform format, and the method comprises the following steps:
aggregating relevant alarm logs corresponding to each network security device in a window based on a preset sliding time window, and carrying out normalization processing to obtain relevant alarm logs in a unified format;
and sorting the related alarm logs in the unified format according to the start time of the security event, obtaining an alarm log queue in the unified format within the preset sliding time window.
7. The method for analyzing the association behavior of security events based on association rules according to claim 5, wherein the performing association analysis on the alarm logs in the alarm log queue one by one based on the association rules of the security events, and outputting association log data, comprises:
and comparing and colliding the alarm logs in the alarm log queue one by one based on the security event association rule, so as to complete association analysis of any two alarm logs in the alarm log queue; where two alarm logs satisfy both the first association condition and the second association condition at the same time, determining that they are successfully associated and outputting the corresponding association log data.
8. The method for analyzing the association behavior of the security event based on the association rule according to claim 1, wherein the statistical aggregation is performed on the association log data set based on the preset aggregation rule, an association log data cluster meeting a set threshold in the statistical aggregation is output, and an attack panoramic jigsaw is obtained according to the association log data cluster, and the method comprises the following steps:
performing statistical aggregation on the associated log data according to the similarity relations and causal relations that exist between the events corresponding to the associated log data set, and outputting the associated log data clusters that meet a set threshold in the statistical aggregation;
analyzing the alarm log attribute in the associated log data cluster, and restoring the attack panoramic jigsaw.
9. A security event association behavior analysis system based on association rules, comprising:
the data acquisition module is used for acquiring a single-dimensional alarm log generated by each network security device;
the data screening module is used for determining the threat scene type of each single-dimensional alarm log and screening out relevant alarm logs conforming to the threat scene according to the threat scene type;
the rule building module is used for carrying out association rule modeling according to the attack behavior characteristics corresponding to the relevant alarm logs and determining security event association rules;
the data sorting module is used for aggregating the related alarm logs based on a preset sliding time window for normalization and sorting according to time to obtain an alarm log queue in a unified format;
the association analysis module is used for carrying out association analysis on the alarm logs in the alarm log queue one by one based on the security event association rule, and outputting associated log data to form an association log data set;
the clustering processing module is used for carrying out statistical aggregation on the associated log data set based on a preset aggregation rule to obtain associated log data clusters, and obtaining an attack panoramic jigsaw according to the associated log data clusters;
and the analysis and judgement decision module is used for analyzing and judging according to the attack panoramic jigsaw and determining the solution of the security event.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the association rule based security event association behavior analysis method according to any of claims 1 to 8 when executing the program.
CN202310030200.0A 2023-01-09 2023-01-09 Security event association behavior analysis method, system and equipment based on association rule Pending CN116074075A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310030200.0A CN116074075A (en) 2023-01-09 2023-01-09 Security event association behavior analysis method, system and equipment based on association rule

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310030200.0A CN116074075A (en) 2023-01-09 2023-01-09 Security event association behavior analysis method, system and equipment based on association rule

Publications (1)

Publication Number Publication Date
CN116074075A true CN116074075A (en) 2023-05-05

Family

ID=86181527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310030200.0A Pending CN116074075A (en) 2023-01-09 2023-01-09 Security event association behavior analysis method, system and equipment based on association rule

Country Status (1)

Country Link
CN (1) CN116074075A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117220961A (en) * 2023-09-20 2023-12-12 中国电子科技集团公司第十五研究所 Intrusion detection method and device based on association rule patterns
CN117220961B (en) * 2023-09-20 2024-05-07 中国电子科技集团公司第十五研究所 Intrusion detection method, device and storage medium based on association rule patterns

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination