CN116451215A - Correlation analysis method and related equipment - Google Patents


Info

Publication number
CN116451215A
Authority
CN
China
Prior art keywords
information
event
security
network
network security
Legal status
Pending
Application number
CN202210013359.7A
Other languages
Chinese (zh)
Inventor
李智华
雷远晓
李强
焦雪丽
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367Ontology
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security


Abstract

The application provides a correlation analysis method and related equipment. The method comprises the following steps: acquiring network security event information and security association information of monitored network equipment, wherein the security association information is information associated with the network security of the monitored network; establishing a security knowledge graph from the network security event information and the security association information; and performing association analysis on the network security event information based on the security knowledge graph, and outputting association analysis result information, wherein the association analysis result information comprises type information of the network security event, and the type is a threat event or a business scene event. By establishing a security knowledge graph from the network security event information and security association information of the monitored network equipment, and using the security knowledge graph to identify the type of each network security event, threat events that pose a network security threat can be accurately identified, which effectively improves the accuracy of the association analysis and effectively safeguards the network security of the monitored network equipment.

Description

Correlation analysis method and related equipment
Technical Field
The embodiment of the invention relates to the field of security, in particular to a correlation analysis method and related equipment.
Background
With the rapid development of computer and network technologies, the internet affects many fields, from daily life to industrial technology. Hacker organizations and other cybercriminals use computer technologies to seek illicit gain by illegally acquiring account passwords, sensitive user data and the like, seriously affecting the information security and property security of individuals, organizations and countries.
The existing intrusion detection means mainly comprise two detection modes: network-traffic-based and host-state-based. A host-based intrusion detector deploys several detection programs on the target host. These programs mainly record and report the real-time state of the host, such as central processing unit (CPU) utilization and memory utilization, together with access information from host logs, application software logs, operating system configuration files and the like; by comparing the collected host characteristics with an attack rule base, the real attack purpose of an attacker can be found accurately and quickly. However, this detection method does not take data from the network layer into account, and often does not work well for attacks that propagate through the network. A network-based intrusion detector captures packets from the network data stream, analyzes information such as the network protocol, message length and source and destination Internet Protocol (IP) addresses, and discovers malicious attacks by combining these characteristics and comparing them with the attack rules in a rule base. The network-based method can quickly sense malicious attacks at the network transport layer from the network dimension, but cannot cope with all attack conditions because state information from the host dimension is not considered.
Because of the limitations of single-source security devices, it is desirable to collect multi-source information in a network environment by integrating multi-source network security devices, so as to address increasingly complex and diverse network security threats. In a real environment, however, network security devices generate massive amounts of security data with a great deal of redundancy among many pieces of information, so that network security operation and maintenance personnel can hardly process the information manually by experience.
To solve the above problems, correlation analysis techniques for network security have been developed; however, the existing correlation analysis methods have low analysis accuracy and cannot accurately identify network threats.
How to improve the accuracy of network security association analysis is therefore a topic of active study by those skilled in the art.
Disclosure of Invention
The association analysis method and associated equipment provided herein can effectively improve the accuracy of association analysis, accurately identify threat events, and effectively safeguard the network security of the monitored network equipment.
In a first aspect, a correlation analysis method is provided, the method comprising the steps of: acquiring network security event information and security association information of monitored network equipment, wherein the security association information is information associated with network security of the monitored network; establishing a security knowledge graph according to the network security event information and the security association information; and carrying out association analysis on the network security event information based on the security knowledge graph, and outputting association analysis result information, wherein the association analysis result information comprises type information of the network security event, and the type comprises a threat event or a business scene event.
Here, the network security event information refers to specific information about network security events of the monitored network device, and a business scene event is a normal business event of the monitored network device.
It can be seen that, in this embodiment of the present application, a security knowledge graph is established from the network security event information and security association information of a monitored network device, and association analysis is then performed on the network security event information based on the security knowledge graph, so as to output association analysis result information, where the association analysis result information includes type information of a network security event, and the type is a threat event or a business scene event. Type identification of network security events using the security knowledge graph accurately identifies the threat events that pose a network security threat, thereby effectively improving the accuracy of the association analysis and effectively safeguarding the network security of the monitored network equipment.
In a possible implementation manner of the first aspect, the association analysis method further includes the following steps: when the type of the network security event is determined to be a threat event, carrying out knowledge reasoning on the threat event based on the security knowledge graph and the security knowledge base to obtain a reasoning result of the threat event, wherein the reasoning result comprises one or more of an attack source, an attack link and an attacker portrait.
The security knowledge base comprises attack knowledge such as an attacker, an attack method and the like.
It can be seen that, in the embodiment of the present application, after determining that the network security event is a threat event, knowledge reasoning may be performed on the threat event based on the security knowledge graph and the security knowledge base to obtain a reasoning result of the threat event, and the user may be helped to learn one or more information of an attack source, an attack link, an attacker portrait, and the like of the threat event by using the reasoning result, so as to better perform network security protection work of the monitored network device.
In a possible implementation manner of the first aspect, establishing a security knowledge graph from the network security event and the security association information specifically includes the following steps: performing knowledge extraction on the network security event and the security association information to determine extraction information, where the extraction information comprises entities, relationships between the entities, attributes of the entities and the attribute values corresponding to the attributes; and establishing the security knowledge graph from the extracted information and the security knowledge base, where the security knowledge graph comprises a plurality of nodes and connecting edges between the nodes, the nodes represent the entities and/or attribute values, and the connecting edges between the nodes represent the relationships between the entities and/or the attributes of the entities.
In a possible implementation manner of the first aspect, the association analysis method further includes the following steps: acquiring an initial query statement, wherein the initial query statement is used for querying one or more of an attack link, an attacker portrait, an attack source and the like; processing the initial query statement according to a preset processing rule to generate a graph query request, wherein the graph query request comprises one or more of a link identification request, an attacker portrait query request and an attack traceability request; and responding to the graph query request, and outputting a visual query result of the graph query request according to the safety knowledge graph and the safety knowledge base.
It can be seen that, in the embodiment of the present application, based on the security knowledge graph and the security knowledge base, the query request of the user can be responded, so as to obtain a corresponding visual query result, and help the equipment operation and maintenance personnel to perform equipment maintenance.
In a possible implementation manner of the first aspect, the association analysis is performed on the network security event information based on the security knowledge graph, and the association analysis result information is output, which specifically includes the following steps: carrying out semantic analysis processing on the network security event information to determine the type information of the network security event; and if the network security event information is subjected to semantic analysis processing to determine that the network security event is a pending event, carrying out association analysis on the pending event based on a security knowledge graph so as to determine the type information of the pending event.
Therefore, in this embodiment of the application, semantic analysis is first used to perform a preliminary classification of the network security events; when semantic analysis cannot determine the type of a network security event, that event is a pending event, and association analysis is then performed on the pending event based on the security knowledge graph to determine its specific type. This method of determining the type of a network security event is fast and highly accurate.
In a possible implementation manner of the first aspect, performing semantic analysis processing on the network security event information to determine the type information of the network security event specifically includes the following steps: matching the network security event information against the keyword matching conditions corresponding to threat scenes, and determining the type of a network security event that meets a keyword matching condition as a threat event; and identifying the network security events that do not meet the keyword matching conditions according to the access characteristics of business scenes, determining the type of a network security event that meets the access characteristics as a business scene event, and determining a network security event that does not meet the access characteristics as a pending event.
In this embodiment of the application, threat events are first determined using the keyword matching conditions of threat scenes, and the type of each network security event that does not meet a keyword matching condition is then determined according to the access characteristics of business scenes.
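As an added example (not code from the patent or from Huawei), the following Python sketch runs the three-stage event typing described above (threat-scene keyword matching, then business-scene access characteristics, then knowledge-graph association for pending events) and the attack-source and attack-link reasoning from the earlier possible implementation, over a small constructed security knowledge graph of triples. All keyword lists, service-to-port mappings, asset names, addresses and the vulnerability identifier are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

THREAT = "threat event"
BUSINESS = "business scene event"

@dataclass
class Event:
    """Network security event information (constructed fields)."""
    event_id: str
    description: str
    src_ip: str
    dst_asset: str
    dst_port: int

class SecurityKnowledgeGraph:
    """Triples (subject, relation, object): nodes are entities or attribute
    values; edges are relations between entities or an entity's attributes."""
    def __init__(self):
        self._out = defaultdict(set)

    def add(self, subject, relation, obj):
        self._out[subject].add((relation, obj))

    def objects(self, subject, relation):
        return {o for r, o in self._out.get(subject, ()) if r == relation}

# Step 1: threat-scene keyword matching conditions (constructed list).
THREAT_KEYWORDS = ("trojan", "worm", "botnet", "backdoor", "webshell")
# Step 2: business-scene access characteristics (constructed): usual service ports, internal prefix.
SERVICE_PORTS = {"ftp": 21, "mail": 25, "web": 443}
INTERNAL_PREFIX = "10."

def keyword_match(event):
    return any(k in event.description.lower() for k in THREAT_KEYWORDS)

def matches_service_access(event, graph):
    """An internal source reaching a service the asset is known (in the
    graph) to run, on that service's usual port, is normal business."""
    if not event.src_ip.startswith(INTERNAL_PREFIX):
        return False
    services = graph.objects(event.dst_asset, "runs_service")
    return any(SERVICE_PORTS.get(s) == event.dst_port for s in services)

def graph_associate(event, graph):
    """Step 3, association analysis of a pending event: a threat-information
    flag on the source, or a vulnerability on the target that is exposed on
    the accessed port, makes it a threat event; otherwise it is business."""
    if graph.objects(event.src_ip, "flagged_by"):
        return THREAT
    for vuln in graph.objects(event.dst_asset, "has_vulnerability"):
        if event.dst_port in graph.objects(vuln, "exposed_on_port"):
            return THREAT
    return BUSINESS

def classify(event, graph):
    """Returns (type, stage); stage names the step that decided the type."""
    if keyword_match(event):
        return THREAT, "keyword"
    if matches_service_access(event, graph):
        return BUSINESS, "access"
    return graph_associate(event, graph), "graph"

def reason(event, graph):
    """Knowledge reasoning for a threat event: the attack source and the
    attack link as the chain of triples walked from event to threat info."""
    intel = sorted(graph.objects(event.src_ip, "flagged_by"))
    link = [(event.event_id, "from", event.src_ip),
            (event.event_id, "targets", event.dst_asset)]
    link += [(event.src_ip, "flagged_by", i) for i in intel]
    return {"attack_source": event.src_ip, "intel": intel, "attack_link": link}

def build_demo_graph():
    """Constructed graph: assets and their services (asset/topology data), a
    placeholder vulnerability (scanning data) and one threat-information flag."""
    g = SecurityKnowledgeGraph()
    g.add("file-server", "runs_service", "ftp")
    g.add("web-server", "runs_service", "web")
    g.add("db-server", "runs_service", "mysql")
    g.add("db-server", "has_vulnerability", "VULN-PLACEHOLDER-1")
    g.add("VULN-PLACEHOLDER-1", "exposed_on_port", 3306)
    g.add("203.0.113.9", "flagged_by", "intel-feed-A")  # RFC 5737 test address
    return g

DEMO_EVENTS = [  # constructed events, one per decision path
    Event("e1", "Trojan beacon detected on host-07", "10.0.5.7", "host-07", 0),
    Event("e2", "FTP login", "10.0.1.5", "file-server", 21),
    Event("e3", "TLS connection", "203.0.113.9", "web-server", 8443),
    Event("e4", "MySQL session", "10.0.2.8", "db-server", 3306),
    Event("e5", "HTTPS request", "198.51.100.4", "web-server", 443),
]

if __name__ == "__main__":
    g = build_demo_graph()
    for ev in DEMO_EVENTS:
        etype, stage = classify(ev, g)
        print(ev.event_id, etype, "via", stage)
        if etype == THREAT:
            print("  ", reason(ev, g))
```

Event e4 shows why the graph stage matters: the access is internal and looks ordinary, but the graph links the target asset to a scanned vulnerability exposed on the accessed port, so the pending event is typed as a threat.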
In a possible implementation manner of the first aspect, the security association information includes information of one or more of the following monitored network devices: network topology, assets, vulnerability scanning data, threat information, application service types, operating systems, network traffic, or logs.
In a second aspect, there is also provided a correlation analysis apparatus, the apparatus comprising:
the acquisition module is used for acquiring network security event information and security association information of the monitored network equipment, wherein the security association information is information associated with network security of the monitored network;
the establishing module is used for establishing a security knowledge graph according to the network security event information and the security association information;
the analysis module is used for carrying out association analysis on the network security event information based on the security knowledge graph, outputting association analysis result information, wherein the association analysis result information comprises type information of the network security event, and the type comprises a threat event or a business scene event.
In a third aspect, there is also provided a correlation analysis device comprising a processor and a memory, wherein the processor is connected to the memory, wherein the memory is for storing program code and the processor is for invoking the program code to perform the correlation analysis method according to the first aspect.
In a fourth aspect, there is also provided a computer readable storage medium storing a computer program for execution by a processor to implement the correlation analysis method of the first aspect.
In a fifth aspect, there is also provided a computer program product comprising instructions which, when run on a computer, cause the computer to perform the correlation analysis method as described in the first aspect.
In a sixth aspect, a chip is provided, where the chip includes a processor and a data interface, and the processor reads an instruction stored on a memory through the data interface, and performs the association analysis method described in the first aspect.
Optionally, as an implementation manner, the chip may further include a memory storing instructions, and the processor is configured to execute the instructions stored in the memory, which, when executed, cause the processor to perform the association analysis method described in the first aspect.
Drawings
The drawings used in the embodiments of the present application are described below.
Fig. 1 is a schematic view of a scenario of a correlation analysis method provided in an embodiment of the present application;
Fig. 2 is a schematic flow chart of a correlation analysis method according to an embodiment of the present application;
Fig. 3 is a schematic diagram of knowledge extraction provided by an embodiment of the present application;
Fig. 4 is a schematic overall architecture of a correlation analysis device according to an embodiment of the present application;
Fig. 5a is a schematic diagram of a knowledge graph data model according to an embodiment of the present application;
Fig. 5b is a schematic diagram of another knowledge graph data model according to an embodiment of the present application;
Fig. 5c is a schematic diagram of another knowledge graph data model according to an embodiment of the present application;
Fig. 6 is a schematic partial flow chart of a correlation analysis method according to an embodiment of the present application;
Fig. 7a is a schematic flow chart of a semantic analysis process according to an embodiment of the present application;
Fig. 7b is a schematic flow chart of threat scene matching provided in an embodiment of the present application;
Fig. 7c is a schematic flow chart of identification processing based on the access characteristics of a business scene according to an embodiment of the present application;
Fig. 7d is a schematic diagram of an IP analysis provided by an embodiment of the present application;
Fig. 8a is a schematic diagram of the results of an attacker portrait provided by an embodiment of the present application;
Fig. 8b is a schematic diagram of the results of another attacker portrait provided by an embodiment of the present application;
Fig. 8c is a schematic diagram of the results of an attack source provided by an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a correlation analysis device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a correlation analysis device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the present application will be described below with reference to the accompanying drawings.
Since the embodiments of the present application relate to the application of artificial intelligence, the related concepts and terms involved in the embodiments are described below for ease of understanding.
(1) Network equipment
Network devices refer to physical entities connected in a network, such as computer devices (personal computers, servers, etc.), computer networks, Internet of Things devices and the like.
(2) Network security event
Network security events can be largely divided into the following categories:
(I) Harmful program events: harmful program events include computer virus events, worm events, Trojan events, botnet events, hybrid attack program events, web page embedded malicious code events and other harmful program events.
(II) Network attack events: network attack events include denial-of-service attack events, backdoor attack events, vulnerability attack events, network scanning and eavesdropping events, phishing events, interference events and other network attack events; these cause, for example, the homepage of a school website or a department's secondary website to be maliciously tampered with, and application system data to be copied, tampered with, deleted and so on.
(III) Information destruction events: information destruction events include information tampering events, information impersonation events, information leakage events, information theft events, information loss events and other information destruction events.
In addition, network security devices may monitor the network device to obtain the network security event information; such network security devices include IP protocol crypto-engines, security routers, line crypto-engines, firewalls and the like.
(3) Threat information
Threat information refers to information related to cyberspace threats that is extracted from security data, including threat sources, attack intents, attack patterns and attack objectives, together with knowledge that can be used to resolve threats or deal with hazards. Threat information may include the threat source, purpose of attack, object of attack, attack technique, attack features, defensive measures, etc.
(4) Asset(s)
Assets, i.e. network assets, are mainly the various devices used in a computer (or communications) network, including hosts, network devices (routers, switches, etc.) and security devices (firewalls, etc.).
(5) Vulnerability
Vulnerabilities are flaws in the specific implementation of hardware, software, protocols or system security policies that may enable an attacker to access or damage a system without authorization. More broadly, a vulnerability refers to a weakness or defect of a system, the sensitivity of a system to a particular threat or dangerous event, or the possibility of a threat taking effect. In other words, a vulnerability is a known problem that enables an attack to succeed. Vulnerabilities may come from defects in the design or errors in the coding of application software or operating systems, as well as from design defects or unreasonable logic flows in business interaction processes. These defects, errors or unreasonable aspects may be exploited, intentionally or unintentionally, to adversely affect the assets or operations of an organization: for example, an information system being attacked or controlled, important data being stolen, user data being tampered with, or the system being used as a springboard to attack other host systems.
(6) Vulnerability scanning
Vulnerability scanning technology is an important class of network security technology. Used together with a firewall and an intrusion detection system, it can effectively improve network security. By scanning the network, a network administrator can learn the security settings and running application services of the network, discover security holes in time and objectively evaluate the network risk level. Based on the scan results, the administrator can correct security holes and misconfigurations in the system before they are exploited. Where the firewall and network monitoring system are passive defense means, security scanning is an active countermeasure that can effectively prevent hacking before it happens.
Vulnerability scanning refers to a security detection (penetration testing) activity that, based on a vulnerability database, detects the security vulnerabilities of a specified remote or local computer system by means of scanning and the like, and finds exploitable vulnerabilities.
Depending on the scanning implementation, vulnerability scanning products include scanners for networks, hosts and databases, as well as scanners for web applications, middleware and the like.
A network-based scanner scans for vulnerabilities in remote computers over the network. A host-based scanner has an agent or service installed on the target system to access all files and processes, which also allows it to scan for more vulnerabilities. The vulnerabilities of mainstream databases are being exposed one after another and their number is huge; a database vulnerability scanner can detect database management system (DBMS) vulnerabilities, default configurations, privilege escalation vulnerabilities, buffer overflows, missing patches and the like.
(7) Knowledge reasoning
Knowledge reasoning is the process of deducing unknown knowledge from existing knowledge: from known knowledge, new facts are obtained, or general knowledge is generalized from individual pieces of knowledge.
(8) Knowledge graph
A knowledge graph, called knowledge domain visualization or knowledge domain mapping in library and information science, is a series of graphs that show the development process and structural relationships of knowledge; it uses visualization technology to describe knowledge resources and their carriers, and to mine, analyze, construct, draw and display knowledge and the interrelationships between pieces of knowledge.
Knowledge graphs combine the theories and methods of disciplines such as applied mathematics, graphics, information visualization and information science with scientometric methods such as citation analysis and co-occurrence analysis, and use visual graphs to vividly display the core structure, development history, frontier fields and overall knowledge architecture of a discipline, achieving the goal of multi-disciplinary fusion.
The most common representation of a knowledge graph is the triple; through triples, semantic relations between different things, and attribute relations between things and their attributes, can be represented.
Knowledge reasoning on a knowledge graph infers new knowledge, or identifies errors in existing knowledge, on the basis of the facts already in the graph.
At present, the existing correlation analysis technology aiming at network security has low analysis precision and cannot accurately identify network threats.
Aiming at the technical problems, the embodiment of the application provides the association analysis method which can effectively improve the accuracy of association analysis, accurately identify threat events and effectively guarantee the network security of monitored network equipment. The execution subject of the association analysis method may be an association analysis device (a computer, a server, or the like), or may be a chip in the association analysis device.
Example 1
An application scenario of the association analysis method provided in the embodiment of the present application is described below.
Referring to Fig. 1, Fig. 1 is a schematic view of a scenario of a correlation analysis method provided in an embodiment of the present application; in Fig. 1, a cloud server 101 is taken as the example of the execution body of the correlation analysis method. The cloud server 101 communicates with the data center network 102 and the enterprise office network 103 through a network (such as a VPN), and provides security supervision services for the data center network 102 and the enterprise office network 103; that is, the monitored devices in this case are the data center network 102 and the enterprise office network 103. The data center network 102 includes, among other things, a plurality of data servers, Endpoint Detection and Response (EDR) devices for the data servers, and a firewall. Likewise, the enterprise office network 103 includes office computers, EDR devices for the office computers, and a firewall. The EDR devices and firewalls obtain the network security events and security association information of the data center network 102 and the enterprise office network 103, and transmit the obtained information to the cloud server 101 for processing and analysis.
Further, the functions of the cloud server 101 include:
A. Tenant security service: including penetration testing, vulnerability scanning and security hardening;
B. Security operation service: including response orchestration, intelligent retrieval and association analysis;
C. Security posture service: including situational awareness, security reporting and log auditing.
The association analysis specifically involves the following:
A. Tenant security services, whose output events are the input of the association analysis; for example, vulnerability scanning results are content for the association analysis;
B. A security intelligence service, typically used for intelligence queries about network security events;
C. Asset management, where the asset is the carrier of the network security event; association analysis not only evaluates the probability of a network security event occurring on the asset, but also provides a risk evaluation for the asset;
D. EDR terminal security protection, which mainly uses end-side information such as network, process, file, registry and user log data for further tracing analysis of the security event.
Example two
The following describes a correlation analysis method provided in the embodiments of the present application.
Referring to fig. 2, fig. 2 is a flowchart of a correlation analysis method according to an embodiment of the present invention, and the correlation analysis method 200 includes the following steps:
201. Acquire network security event information and security association information of the monitored network device, where the security association information is information associated with the network security of the monitored network device.
In particular, the network security event information refers to specific information about the network security events of the monitored network device. The monitored network device may be a single network device or an entire computer network, etc. The security association information may include information on one or more of the following for the monitored network device: network topology, assets, vulnerability scanning data, threat information, application service types, operating system (Operating System, OS), network traffic, or logs. Here, the network topology refers to the topology of the network in which the monitored network device is located; the application service type is the type of application service running on the monitored network device, where application services include file transfer protocol (File Transfer Protocol, FTP) services, mail services, Web application services, and the like. Network traffic refers to the amount of data transmitted on the monitored network device. A log is an event record generated by the network device during operation; each row of the log records the date, time, user, action and other related operation details.
202. Establish a security knowledge graph according to the network security event information and the security association information.
203. Perform association analysis on the network security event information based on the security knowledge graph, and output association analysis result information, where the association analysis result information includes type information of the network security event, and the type includes a threat event or a business scenario event.
In particular, a threat event is an event that impedes the proper functioning of the monitored network device, and a business scenario event is a normal business event of the monitored network device.
In the embodiment of the application, the security knowledge graph is established according to the network security event information and the security association information of the monitored network device, and the type of the network security event is then identified using the security knowledge graph, so that threat events carrying a network security threat are identified accurately; this effectively improves the precision of association analysis and effectively guarantees the network security of the monitored network device.
By adding analysis of asset configuration, vulnerability information and the like, multidimensional cross-correlation analysis is realized, and the accuracy of the identified security events is improved by correlating key multidimensional data.
In some possible implementations, referring to fig. 3 and fig. 4, fig. 3 is a schematic diagram of knowledge extraction provided by an embodiment of the present application, and fig. 4 is a schematic diagram of the overall architecture of an association analysis device provided by an embodiment of the present application; step 202 specifically includes the following steps:
2021. Perform knowledge extraction on the network security event and the security association information and determine the extraction information, where the extraction information includes entities, relations among the entities, attributes of the entities and the attribute values corresponding to the attributes.
Specifically, knowledge extraction includes four steps: entity extraction, relation extraction, attribute extraction and event extraction; performing knowledge extraction on the network security event and the security association information yields the triple data corresponding to the extraction information. Further, during knowledge extraction, the calculation engine in fig. 4 performs the extraction and completes knowledge representation and knowledge modeling. Taking the log data in the security association information as an example, the value information related to the different alarm classification types is parsed from the alarm log information, and the corresponding IP information entities, file information entities, process information entities, domain name information entities, alarm information entities and task information entities are generated. Each entity generates triple data of the form <entity, attribute, attribute value>, and an entity can have multiple attributes. Pairs of entities generate triple data of the form <entity, relation, entity>.
2022. Establish a security knowledge graph according to the extraction information and the security knowledge base, where the security knowledge graph includes a plurality of nodes and the connecting edges among the nodes; the nodes represent the entities and/or attribute values, and the connecting edges among the nodes represent the relations among the entities and/or the attributes of the entities.
Specifically, the security knowledge base includes knowledge of attackers, attack techniques and the like. For example, the security knowledge base includes the ATT&CK library; ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. "A" is Adversarial, representing the attacker or adversary; the two "T"s are Tactics and Techniques; "CK" is Common Knowledge, the common knowledge base. Further, the knowledge graph can be stored in a graph database. The advantage of a graph database is that it naturally represents the structure of the knowledge graph: nodes in the graph represent the objects of the knowledge graph and edges in the graph represent the relations between those objects. A further advantage is that the database itself provides a mature graph query language and supports various graph mining algorithms. Its query speed is superior to that of a relational database, and multi-hop queries in particular perform better. In step 2021, the different types of data (network security events and security association information) are extracted into triples according to their respective extraction logic, and the triple data are stored into the vertices and edges defined by the graph database to obtain the security knowledge graph.
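As an added worked example (not part of the patent text), the following Python code sketches steps 2021 and 2022 for alarm log data: it parses constructed alarm log lines (the field names and values are hypothetical), generates the IP, file, process, domain name, alarm and task information entities, emits <entity, attribute, attribute value> and <entity, relation, entity> triples, and loads them into a minimal in-memory property graph that stands in for the vertices and edges of the graph database. The relation names (triggers, targets, accesses, resolves) are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample alarm log lines (not from the patent); field names are hypothetical.
SAMPLE_ALARM_LOGS = [
    "2024-01-05 10:00:01 alarm=SQL_INJECTION task=T-1001 src_ip=10.0.0.5 dst_ip=10.0.1.20 "
    "process=httpd pid=4021 file=/var/www/app.php domain=example.test",
    "2024-01-05 10:00:07 alarm=MALWARE_DOWNLOAD task=T-1001 src_ip=10.0.0.5 dst_ip=10.0.1.21 "
    "process=curl pid=4100 file=/tmp/payload.bin domain=cdn.example.test",
]


def parse_alarm_line(line):
    """Parse the leading timestamp and the 'key=value' pairs of one alarm line."""
    m = re.match(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)", line)
    if not m:
        raise ValueError(f"unrecognised alarm line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["time"] = m.group(1)
    return fields


def extract_triples(fields):
    """Entity, attribute and relation extraction for one alarm record.

    Returns (attribute triples <entity, attribute, value>, relation triples
    <entity, relation, entity>). Entity ids are 'type:key' strings so the same
    IP, file or task is the same node across alarms.
    """
    alarm = f"alarm_info:{fields['alarm']}@{fields['time']}"
    task = f"task_info:{fields['task']}"
    src = f"ip_info:{fields['src_ip']}"
    dst = f"ip_info:{fields['dst_ip']}"
    proc = f"process_info:{fields['process']}#{fields['pid']}"
    file_ = f"file_info:{fields['file']}"
    domain = f"domain_info:{fields['domain']}"

    attributes = [
        (alarm, "time", fields["time"]),
        (alarm, "alarm_type", fields["alarm"]),
        (src, "ip", fields["src_ip"]),
        (dst, "ip", fields["dst_ip"]),
        (proc, "name", fields["process"]),
        (proc, "pid", fields["pid"]),
        (file_, "path", fields["file"]),
        (domain, "name", fields["domain"]),
    ]
    relations = [  # assumed relation vocabulary
        (task, "contains", alarm),
        (src, "triggers", alarm),
        (alarm, "targets", dst),
        (alarm, "involves", proc),
        (proc, "accesses", file_),
        (proc, "resolves", domain),
    ]
    return attributes, relations


class KnowledgeGraph:
    """Minimal in-memory property graph standing in for the graph database."""

    def __init__(self):
        self.props = defaultdict(dict)      # node -> {attribute: value}
        self.out_edges = defaultdict(list)  # node -> [(relation, node)]
        self.in_edges = defaultdict(list)   # node -> [(relation, node)]

    def add_attribute(self, s, p, o):
        self.props[s][p] = o

    def add_relation(self, s, p, o):
        self.props.setdefault(s, {})
        self.props.setdefault(o, {})
        self.out_edges[s].append((p, o))
        self.in_edges[o].append((p, s))


def build_graph(lines):
    """Run extraction over all alarm lines and store the triples as vertices and edges."""
    g = KnowledgeGraph()
    for line in lines:
        attrs, rels = extract_triples(parse_alarm_line(line))
        for t in attrs:
            g.add_attribute(*t)
        for t in rels:
            g.add_relation(*t)
    return g
```

Because entity ids are keyed on the extracted value, the two constructed alarms share one source IP node and one task node, which is what later lets a traversal from the IP reach both alarms.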
Referring to fig. 5a, fig. 5a is a schematic diagram of a knowledge graph data model according to an embodiment of the present application; the knowledge graph data model designed for associating network security events with network traffic and terminal logs is shown in fig. 5a. The model is mainly used for tracing analysis of network security events; for example, after a certain network security event is discovered on the network side, it can be traced to specific users and processes on a terminal. The entities involved are:
1. Processes, including parent and child processes;
2. Network traffic;
3. Files;
4. Directories;
5. User accounts;
6. Mail addresses;
7. Windows key values;
8. Source addresses (including IPv4 and IPv6 addresses);
9. Destination addresses (including IPv4 and IPv6 addresses).
The relations involved are:
1. Between a mail address and a user account there are relations such as use, attribution and association;
2. Between a Windows key value and a user account there are relations such as use, attribution and association;
3. Between a process and a user account there are relations such as association;
4. Between a process and network traffic there are relations such as access;
5. Between a process and a file there are relations such as read-write and loading;
6. Between a file and a directory there is an association relation;
7. Between a process and its parent and child processes there are relations such as association and creation;
8. Between network traffic and the source and destination addresses there are relations such as creation and association.
The knowledge graph data model designed for associating network security events with assets and vulnerabilities is shown in fig. 5b; fig. 5b is a schematic diagram of another knowledge graph data model provided by an embodiment of the present application.
In addition, fig. 5c is a knowledge graph data model designed for associating network security events with the security knowledge base and the threat information base; fig. 5c is a schematic diagram of another knowledge graph data model provided in an embodiment of the present application.
In some possible implementations, referring to fig. 4 and 6, fig. 6 is a partial flow schematic diagram of a correlation analysis method provided in the embodiments of the present application; step 203 specifically includes the following steps:
2031. Perform semantic analysis processing on the network security event information to determine the type information of the network security event;
Specifically, a network security association analysis technique based on cluster analysis is used to analyze the network security information and event attack characteristics triggered by homologous sources (the same IP address or the same device), observe the similarity of this information, and determine the similarity between network security events based on the event similarity of semantic features, i.e., in combination with natural language processing (Natural Language Processing, NLP) technology; the type of the network security event is thereby further determined and real threat events are identified, completing the noise elimination of network security events. In short, semantic analysis processing can determine the type corresponding to a network security event, and a network security event whose type information cannot be determined by semantic analysis processing is defined as a pending event.
2032. If the semantic analysis processing of the network security event information determines that the network security event is a pending event, perform association analysis on the pending event based on the security knowledge graph to determine the type information of the pending event.
In the embodiment of the application, the network security events are first preliminarily classified using semantic analysis; when the type of a network security event cannot be determined by semantic analysis, that event is a pending event, and association analysis based on the security knowledge graph is then performed on the pending events to determine their specific types. This method of determining the type of a network security event is fast and highly accurate.
In some possible embodiments, step 2031 specifically includes the steps of:
S1. Match the network security event information against the keyword matching conditions corresponding to threat scenes, and determine the type of a network security event meeting a keyword matching condition to be a threat event;
Specifically, taking a structured query language (Structured Query Language, SQL) injection event as the example of a network security event, the threat scenes in this case include a boolean injection scene (i.e., a Bool scene), a column-guessing scene (i.e., a Union Select scene, an Order By scene, etc.), a time injection scene (i.e., a Time scene), an error-reporting scene, a sensitive scene, etc. Each threat scene has a corresponding keyword matching condition, which is not particularly limited here; the various existing methods for measuring and determining threat scenes may be used. Through condition matching, the type of a network security event meeting a keyword matching condition is determined to be a threat event; for a network security event whose type cannot be determined by condition matching, step S2 is entered.
S2. Identify and process the network security events that do not meet the keyword matching conditions according to the access characteristics of the business scenario; determine the type of the network security events conforming to the access characteristics to be business scenario events, and determine the network security events not conforming to the access characteristics to be pending events.
Specifically, the access characteristics of the business scenario are used to determine that the type of a network security event conforming to those access characteristics is a business scenario event; a network security event not conforming to the access characteristics is determined to be a pending event, and association analysis based on the security knowledge graph is performed to determine the type of the pending event.
Step 2031 is described in detail below, taking alarm data of an intrusion prevention system (Intrusion Prevention System, IPS) as the example of network security event information:
Referring to fig. 7a, fig. 7a is a schematic flow chart of a semantic analysis process according to an embodiment of the present application; first, threat scene identification is performed on the IPS alarm data, and when a matching threat scene is determined, the matched threat event is output to the user. Network security events that match no threat scene enter the business scenario identification processing step, in which the specific type of a network security event may be determined; a network security event whose specific type cannot be determined is a pending event.
The threat scene matching identification process is described in detail below with reference to fig. 7b, which is a schematic flow chart of threat scene matching provided in an embodiment of the present application; the IPS alarm data is exemplified by SQL alarm data. First, historical attack keyword matching is performed on each statement in the SQL alarm data within a preset time period; an abnormal score is determined for each statement according to the historical attack keywords matched in the statement and the score corresponding to each historical attack keyword; when the abnormal score of a statement exceeds a score threshold, the statement is determined to be a malicious statement, and each alarm statement is marked so that the malicious statements can be located. The specific length of the preset time period and the specific score corresponding to each historical attack keyword can be set according to actual conditions and are not particularly limited.
Then, the malicious statements are processed to obtain the business context and the SQL keywords: the context of the SQL keywords and the corresponding keywords are extracted from the IPS alarm log to locate the evidence data for the key alarm words, reducing the presence of irrelevant information, highlighting the key points and reducing the influence of irrelevant noise on the main statement. The SQL statements in the SQL alarm data are decoded, de-obfuscated, segmented and the like, after which the business context and the SQL keywords are obtained through window selection.
Next, statements are aggregated into groups by source IP address, with the malicious statements belonging to the same source IP address forming one group. Threat scene matching is performed on the group corresponding to each source IP address to determine whether the group meets a keyword matching condition; when a group meets a certain keyword matching condition, the source IP address has hit a threat scene, and the source IP address and the corresponding group statements (i.e., scene statements) are output to the user. When no keyword is hit in a group, the malicious statements of that group enter the next processing link, namely the business scenario recognition processing step.
The business scenario recognition processing step is described in detail below. First, compared with an SQL attack, a business scenario has the following characteristics. The business characteristics include: fewer obfuscation means, i.e., whether a comment appears after an SQL keyword; the SQL statements are regular rather than fragments, generally contain complete table names and fields, and generally do not contain sensitive information; and, from the perspective of the destination IP address, the number of accessing IPs (i.e., the number of clustered IPs) and the access volume (i.e., the alarm volume) are stable over time. SQL statements satisfying the above conditions can be regarded as a class of business scenario statements, in which different sources show similarity towards the same business. Second, the IP-angle association features include that a source IP address may trigger multiple business clusters, and that a source IP address may have its own behavior, triggering the same statement each time.
Referring to fig. 7c, fig. 7c is a schematic flow chart of a process for identification based on the access characteristics of a business scenario according to an embodiment of the present application; first, the SQL statements remaining after threat scene judgment are collected within a T1 time window, whose specific size can be set according to actual conditions, for example one week. The payloads in the collected SQL statements are cleaned, stop words (i.e., common SQL query keywords such as where, from and the like) are removed, and the business context of the SQL statements is determined by extracting features from the payloads. Here, a virus often performs some harmful or malignant action, and the portion of the virus code that implements this function is called the "payload". Then, clusters are identified by finding aggregated business features through cluster analysis (similarity measurement). When SQL statements to be examined are subsequently received, they are collected within a T2 time window, features of the collected statements are extracted, and the statements in the T2 time window are assigned to the corresponding clusters according to the cluster features. It should be noted that the specific size of the T2 time window may be set according to practical situations, as long as it is smaller than the T1 time window.
Next, maliciousness measurement is performed on the clusters to distinguish their types; the measurement can be performed according to the access characteristics of the business scenario. The first judgment method is: for the statements in the cluster, determine a first count of forensic hits when a time function is hit (meaning a malicious statement is hit among the statements) and a second count of comment hits (meaning a comment following a keyword). When the first count exceeds a first set threshold and the second count exceeds a second set threshold, the cluster is determined to be a malicious cluster, i.e., the SQL statements in the cluster are determined to be threat event statements. The specific sizes of the first and second set thresholds can be set according to actual situations.
The second judgment method is: whether the cluster is a business cluster is judged according to at least one of the following: the cluster has a certain access volume (for example, the cluster has accesses and alarms every day, as shown in table 1); the business shows similarity (meaning the business exists in the same cluster); the SQL statements in the business are less obfuscated (meaning the number of comment hits is smaller than a count threshold, whose specific size can be set according to actual conditions); and the business is accessed stably by multiple IPs over time (the number of stably accessing IPs exceeds the IP count threshold).
Table 1: Number of accessing IPs and alarm volume for a cluster
The third judgment method is: IP analysis may also be performed; referring to fig. 7d, fig. 7d is a schematic diagram of IP analysis provided in an embodiment of the present application. When the number of IPs with malicious attributes in a cluster exceeds a count threshold, the cluster is indicated to have danger. The specific size of the count threshold may be set according to the actual situation. If a cluster has multiple IPs, i.e., multiple IP addresses access the same cluster, the cluster can be considered to have relevance. Similarly, the number of accessing IPs of the cluster may be compared with an IP count threshold, and when it exceeds the threshold the cluster is judged to have relevance. The specific size of the IP count threshold may be set according to the actual situation. The type of the cluster is then judged from relevance and danger: a cluster that has relevance and does not hit danger (i.e., the cluster has few access destination IPs and few domain names) is a business cluster, and the SQL statements in a business cluster are business scenario event statements; a cluster that has relevance and hits danger, or that has no relevance and hits danger, is a malicious cluster; and otherwise a cluster that has no relevance is a pending cluster, whose SQL statements are statements of pending events.
The above methods for judging the type of a network security event based on the access characteristics of the business scenario may be combined with each other.
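The business scenario recognition step, as an added Python example that is not part of the patent: constructed statements left over after threat scene judgment are stripped of stop words and literals, turned into token feature sets, clustered greedily by Jaccard similarity (standing in for the cluster analysis), and each cluster is then judged with the third judgment method above, relevance from the number of distinct source IPs and danger from an assumed threat intelligence set of malicious IPs. The stop word list, the similarity threshold, the IP count thresholds and the malicious IP set are all assumptions.

```python
import re

# Assumed stop words: common SQL query keywords removed before feature extraction.
STOP_WORDS = {"select", "from", "where", "and", "or", "order", "by", "limit", "as", "on", "join"}

# Constructed leftovers after threat scene judgment: (source IP, destination IP, statement).
SAMPLE_LEFTOVERS = [
    ("203.0.113.1", "10.0.1.20", "SELECT id, name FROM products WHERE category_id = 12 LIMIT 20"),
    ("203.0.113.2", "10.0.1.20", "SELECT id, name FROM products WHERE category_id = 7 LIMIT 20"),
    ("203.0.113.3", "10.0.1.20", "SELECT id, name FROM products WHERE category_id = 31 LIMIT 20"),
    ("198.51.100.9", "10.0.1.40", "SELECT * FROM information_schema.tables /* probe */"),
    ("192.0.2.5", "10.0.1.55", "SELECT balance FROM accounts WHERE owner = 'x' /* a */"),
]

MALICIOUS_IPS = {"198.51.100.9"}   # assumed threat intelligence: IPs with a malicious attribute
IP_COUNT_THRESHOLD = 2            # assumed: more distinct source IPs than this => relevance
MALICIOUS_COUNT_THRESHOLD = 0     # assumed: more malicious IPs than this => danger
SIMILARITY_THRESHOLD = 0.6        # assumed Jaccard similarity needed to join a cluster


def features(statement):
    """Tokenise, keep comment markers, drop stop words and numeric literals:
    what remains is the structural 'business context' of the statement."""
    tokens = re.findall(r"/\*|\*/|\*|[a-zA-Z_][a-zA-Z0-9_.]*", statement.lower())
    return frozenset(t for t in tokens if t not in STOP_WORDS)


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster_statements(records):
    """Greedy similarity clustering: a statement joins the first cluster whose
    accumulated feature set is similar enough, otherwise it starts a new cluster."""
    clusters = []  # each: {"features": set, "records": [...]}
    for rec in records:
        f = features(rec[2])
        for c in clusters:
            if jaccard(f, c["features"]) >= SIMILARITY_THRESHOLD:
                c["records"].append(rec)
                c["features"] |= f
                break
        else:
            clusters.append({"features": set(f), "records": [rec]})
    return clusters


def judge_cluster(cluster):
    """Third judgment method: relevance (many distinct source IPs) and danger
    (malicious IP attributes) decide business / malicious / pending."""
    src_ips = {r[0] for r in cluster["records"]}
    relevance = len(src_ips) > IP_COUNT_THRESHOLD
    danger = len(src_ips & MALICIOUS_IPS) > MALICIOUS_COUNT_THRESHOLD
    if danger:              # danger dominates, with or without relevance
        return "malicious"
    if relevance:           # many sources, no malicious attribute: business cluster
        return "business"
    return "pending"        # no relevance, no danger: left for knowledge graph reasoning


def classify(records):
    """Cluster the leftovers and label every cluster."""
    return [(judge_cluster(c), c["records"]) for c in cluster_statements(records)]
```

The three product queries differ only in a numeric literal, so after literal removal they share one feature set and form a three-source business cluster; the single-source statement with a comment but no intelligence hit stays pending, which is the input to step 2032.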
A specific implementation of step 2032 is described below with reference to fig. 4 and 6. A threat information base is used to discover high-risk threat events based on knowledge reasoning. Specifically, the security reasoning business module in fig. 4 performs knowledge reasoning in combination with the calculation engine and the task scheduling engine, and multidimensional cross-correlation is introduced to form a more complete network security event correlation analysis method. It mainly comprises:
a. Vulnerability association: an active scanning mode is used to find the loopholes (i.e., vulnerabilities) present in the network, so that during association analysis it can be checked whether the vulnerability exploited by an attack actually exists on the target; if it exists, the threat event can be filtered out. That is, judge whether the vulnerability exploited by the pending event truly exists, and if so, judge the pending event to be a threat event.
b. Asset association: for assets under strict protection by the user, the possibility of a successful attack (staged attack) in the asset's running environment is determined using the OS, service type and network topology of the asset; introducing this technique can improve the precision of threat identification. That is, judge the diffusion probability of the pending event, and determine the pending event to be a threat event when the diffusion probability is greater than a probability threshold.
c. Threat information base association: referring to fig. 5c, for an attack source, whether the reputation of the attack source is normal is determined through the threat information base, and the threat is further identified through malicious IPs, malicious uniform resource locators (Uniform Resource Locator, URL), malicious files and the like. The threat information base is a pre-stored database of various threat information, including IP reputation, URL reputation and domain name reputation. In short, when at least one of the IP, URL or file of a pending event is judged to be malicious, the pending event is a threat event.
The type of the pending event is judged using at least one of the means a, b and c; when its type cannot be judged by these means, the pending event is judged to be a business scenario event.
In some possible embodiments, referring to fig. 4 and 6, the association analysis method further comprises the following step:
When the type of the network security event is determined to be a threat event, knowledge reasoning is performed on the threat event based on the security knowledge graph and the security knowledge base to obtain a reasoning result for the threat event, where the reasoning result includes one or more of an attack source, an attack link and an attacker portrait.
In the embodiment of the application, after the network security event is determined to be a threat event, knowledge reasoning can be performed on the threat event based on the security knowledge graph and the security knowledge base to obtain the reasoning result for the threat event. The reasoning result helps the user learn one or more of the attack source (refer to fig. 8c), the attack link and the attacker portrait (refer to fig. 8a and fig. 8b) of the threat event, so as to better carry out the network security protection of the monitored network device and improve security operation and maintenance efficiency. The reasoning results are output to the user visually, so that the user can conveniently examine them.
In some possible embodiments, the association analysis method further comprises the steps of:
A1. Acquire an initial query statement, where the initial query statement is used to query one or more of an attack link, an attacker portrait, an attack source and the like.
Specifically, when the initial query statement queries an attack link, it contains an IP address or an alarm event, etc.; when it queries an attacker portrait, it contains an IP address, a user name, etc.; when it queries an attack source, it contains an IP address or an alarm event, etc.
A2. Process the initial query statement according to a preset processing rule to generate a graph query request, where the graph query request includes one or more of a link identification request, an attacker portrait query request and an attack traceability request; i.e., convert the initial query statement into a Gremlin graph query statement.
A3. Respond to the graph query request, and output a visual query result of the graph query request according to the security knowledge graph and the security knowledge base.
In the embodiment of the application, the user's query request can be answered based on the security knowledge graph and the security knowledge base to obtain the corresponding visual query result, which helps the equipment operation and maintenance personnel maintain the equipment.
Specific examples of queries are presented below:
First, attacker portraits, including scenario 1 and scenario 2.
Scenario 1: look up all attacks of a given attacker IP
If the security operator needs to find all related actions of a certain node (such as an IP) together with the triggered alarms and APT attack phases, path traversal logic can be used. Specifically, a subtree is found: all paths starting from the one node and ending at every leaf node are found, and the set of these paths is the subtree.
Example: look up all attacks from attacker IP 10.2.5.14; the query results refer to fig. 8a.
The corresponding Gremlin statement is:
g.V().has('ip_info','ip','10.2.5.14').repeat(out()).until(outE().count().is(0)).path()
scene 2: looking up all attacks on a given attack account
If the security operator wants to investigate a certain node (a certain user or a certain IP), if the security operator finds out an association action with other nodes or triggers a directed threat attack (Advanced Persistent Threat, APT) phase, the security operator can traverse all association paths between the two points.
Examples: find all paths of vertices ('user_info', 'userName', 'laixingyu') to ATT & CK strategic nodes att_ck_tactics_info, query results refer to fig. 8b.
The corresponding Gremlin statement is:
g.V().has('user_info','userName','laixingyu').repeat(out()).until(hasLabel('att_ck_tactics_inf o')).path()
Second, attack tracing, including scenario 3, scenario 4 and scenario 5.
Scenario 3: query the attack source from a specified alarm
If the security operator wants to investigate which IPs or users triggered a certain alarm or a certain APT attack phase, reverse traversal can be used to find all associated events leading to that node. Specifically, the graph is traversed in the reverse direction until a node with no incoming edges is reached.
Example: query the attack source from the alarm with the specified eventID; the query results refer to fig. 8c.
The corresponding Gremlin statement is:
g.V().has('threat_info','eventID','19ecdf4c-f637-4e0e-b1aa-723088b2ff5f').repeat(__.in()).until(inE().count().is(0)).path()
scene 4: querying attack paths from specified IP
In order to acquire the attack path from the appointed IP, the operation and maintenance personnel can search all the associated nodes and edges of the nodes and display the information of all the points and edges on all the paths.
Examples: query is from IP:116.66.184.192 all attack paths out.
The corresponding Gremlin statement is:
g.V().has('ip_info','ip','116.66.184.192').repeat(bothE().otherV()).path()
Attack path 1 in the query result is
“1:116.66.184.192S1:1:116.66.184.192>2>>S1:10.2.6.14 1:10.2.6.14”,
and attack path 2 is
“1:116.66.184.192S2:test1>1>>S1:116.66.184.192 2:test1”.
Scene 5: alert correlation for different security products
If the security operation and maintenance personnel want to know whether the association occurs between different security products, and generating information of the association between the different security products. The method comprises the following two steps:
A. And finding out nodes with outgoing edges and no incoming edges, wherein the nodes are source nodes.
B. Traversing source nodes, finding out an alarm path generated by each source node, and if the source node has alarms crossing safety products, namely, the path end point is an alarm node, and the types of the alarm nodes are a plurality of. The full path of the node is exposed to the operation and maintenance personnel.
The corresponding Gremlin statement is:
g.V().as('test').where(__.inE().count().is(0)).where(__.outE().count().is(gt(0)))
g.V().has('ip_info','ip','192.168.30.160').repeat(out()).until(hasLabel('threat_info')).groupCount().by('productType')
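The traversal semantics behind scenarios 1 to 5, as an added Python example that is not part of the patent: a small constructed graph (vertex ids, property values and edge names are hypothetical; the labels ip_info, user_info, threat_info and att_ck_tactics_info follow the Gremlin statements above) is traversed with do-while repeat/until logic in the same way as repeat(out()).until(outE().count().is(0)).path(), repeat(__.in()).until(inE().count().is(0)).path(), the source-node filter of step A and the groupCount().by('productType') of step B. A visited check guards against cycles, which a real security knowledge graph can contain.

```python
from collections import defaultdict

# Constructed toy knowledge graph (hypothetical ids and property values).
VERTICES = {
    "ip1": {"label": "ip_info", "ip": "10.2.5.14"},
    "u1": {"label": "user_info", "userName": "analyst01"},
    "p1": {"label": "process_info", "name": "powershell.exe"},
    "a1": {"label": "threat_info", "eventID": "EVENT-A", "productType": "IPS"},
    "a2": {"label": "threat_info", "eventID": "EVENT-B", "productType": "EDR"},
    "t1": {"label": "att_ck_tactics_info", "name": "Execution"},
}
EDGES = [  # (from, relation, to); relation names are assumed
    ("ip1", "logs_in_as", "u1"),
    ("u1", "runs", "p1"),
    ("p1", "triggers", "a1"),
    ("p1", "triggers", "a2"),
    ("a1", "maps_to", "t1"),
    ("a2", "maps_to", "t1"),
]

OUT = defaultdict(list)  # adjacency for out()
IN = defaultdict(list)   # adjacency for __.in()
for src, _rel, dst in EDGES:
    OUT[src].append(dst)
    IN[dst].append(src)


def find_vertex(label, key, value):
    """g.V().has(label, key, value)"""
    return [v for v, p in VERTICES.items() if p["label"] == label and p.get(key) == value]


def _paths(start, step, stop):
    """repeat(step).until(stop).path(): Gremlin evaluates until() after each
    step, so this is a do-while; a path is emitted when its newest vertex stops."""
    results = []

    def walk(path):
        for nxt in step(path[-1]):
            if nxt in path:          # cycle guard for real graphs
                continue
            new_path = path + [nxt]
            if stop(nxt):
                results.append(new_path)
            else:
                walk(new_path)

    walk([start])
    return results


def paths_to_leaves(start):
    """Scenario 1: repeat(out()).until(outE().count().is(0)).path()"""
    return _paths(start, lambda v: OUT[v], lambda v: not OUT[v])


def paths_to_label(start, label):
    """Scenario 2: repeat(out()).until(hasLabel(label)).path()"""
    return _paths(start, lambda v: OUT[v], lambda v: VERTICES[v]["label"] == label)


def paths_to_sources(start):
    """Scenario 3: repeat(__.in()).until(inE().count().is(0)).path()"""
    return _paths(start, lambda v: IN[v], lambda v: not IN[v])


def source_nodes():
    """Scenario 5 step A: vertices with outgoing edges and no incoming edges."""
    return [v for v in VERTICES if OUT[v] and not IN[v]]


def alarm_product_types(start):
    """Scenario 5 step B: repeat(out()).until(hasLabel('threat_info')).groupCount().by('productType')"""
    counts = defaultdict(int)
    for path in paths_to_label(start, "threat_info"):
        counts[VERTICES[path[-1]]["productType"]] += 1
    return dict(counts)


def cross_product_alarm_sources():
    """Steps A and B combined: sources whose alarm paths end in more than one product type."""
    return [v for v in source_nodes() if len(alarm_product_types(v)) > 1]
```

On the toy graph the single source ip1 reaches alarms from two product types, so it is the node whose full paths scenario 5 would display; the same forward paths, read in reverse from the tactics node, are what scenario 3 returns.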
Example three
The foregoing details the method of the embodiments of the present application; the apparatus of the embodiments of the present application is described below.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a correlation analysis device according to an embodiment of the present invention; the association analysis device comprises an acquiring module 901, an establishing module 902 and an analysis module 903, where:
an acquiring module 901, configured to acquire network security event information and security association information of a monitored network device, where the security association information is information associated with network security of the monitored network;
the establishing module 902 is configured to establish a security knowledge graph according to the network security event information and the security association information;
the analysis module 903 is configured to perform association analysis on the network security event information based on the security knowledge graph, and output association analysis result information, where the association analysis result information includes type information of the network security event, and the type includes a threat event or a service scenario event.
In some possible embodiments, the association analysis apparatus further comprises:
a reasoning module, configured to perform knowledge reasoning on the threat event based on the security knowledge graph and the security knowledge base when the type of the network security event is determined to be a threat event, so as to obtain a reasoning result for the threat event, where the reasoning result comprises one or more of an attack source, an attack link and an attacker portrait.
In some possible implementations, the establishing module 902 is specifically configured to:
perform knowledge extraction on the network security event and the security association information to determine extraction information, where the extraction information comprises entities, relationships among the entities, attributes of the entities and the attribute values corresponding to those attributes;
and establish the security knowledge graph according to the extraction information and the security knowledge base, where the security knowledge graph comprises a plurality of nodes and the connecting edges among them, the nodes represent the entities and/or the attribute values, and the connecting edges represent the relationships among the entities and/or the attributes of the entities.
In some possible embodiments, the acquisition module 901 is further configured to acquire an initial query statement, where the initial query statement is used to query one or more of an attack link, an attacker portrait, an attack source, and the like;
The association analysis apparatus further includes:
a generating module, configured to process the initial query statement according to a preset processing rule to generate a graph query request, where the graph query request comprises one or more of a link identification request, an attacker portrait query request and an attack traceability request;
and an output module, configured to respond to the graph query request and output a visual query result for the graph query request according to the security knowledge graph and the security knowledge base.
In some possible implementations, the analysis module 903 is specifically configured to:
perform semantic analysis processing on the network security event information to determine the type information of the network security event;
and, if the semantic analysis processing determines that a network security event is a pending event, perform association analysis on the pending event based on the security knowledge graph so as to determine the type information of the pending event.
In some possible embodiments, performing semantic analysis processing on the network security event information to determine the type information of the network security event specifically includes the following steps:
matching the network security event information against the keyword matching conditions corresponding to the threat scenarios, and determining the type of each network security event that satisfies a keyword matching condition as a threat event;
and identifying the network security events that do not satisfy any keyword matching condition according to the access characteristics of the service scenarios, determining the type of each network security event that matches the access characteristics as a service scenario event, and determining each network security event that does not match the access characteristics as a pending event.
In some possible implementations, the security association information includes one or more of the following kinds of information about the monitored network devices: network topology, assets, vulnerability scanning data, threat information, application service types, operating systems, network traffic, or logs.
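The two-stage typing performed by the analysis module (the same steps as claims 5 and 6), as an added example that is not the patent's or Huawei's code: the keyword conditions, access-characteristic rules, knowledge-graph edges and sample events are all constructed, and the bounded graph walk used to resolve pending events is one possible reading of the association analysis step, not the patent's stated algorithm.

```python
import ipaddress
from collections import defaultdict

# Keyword matching conditions per threat scenario (constructed sample rules).
THREAT_KEYWORDS = {
    "brute_force": ("failed password", "authentication failure", "invalid user"),
    "web_attack": ("union select", "../", "<script"),
}
# Access characteristics of known service scenarios (constructed): who may reach what.
SERVICE_ACCESS = [
    {"scene": "office_web", "src_net": "10.1.0.0/16", "dst": "10.2.6.14", "port": 443, "proto": "tcp"},
    {"scene": "backup", "src_net": "10.2.0.0/16", "dst": "10.2.9.9", "port": 22, "proto": "tcp"},
]
# Fragment of a security knowledge graph (constructed) built from security association
# information: threat information, traffic baselines and assets become edges between nodes.
GRAPH_EDGES = [
    ("ip:116.66.184.192", "threat:intel-1", "listed_in"),   # from threat information
    ("ip:10.3.7.7", "ip:10.2.9.9", "historical_access"),    # from the network traffic baseline
    ("ip:10.2.9.9", "asset:backup01", "belongs_to"),        # from the asset inventory
]


def semantic_type(event):
    """First stage: keyword match for threat scenarios, then access characteristics for
    service scenarios; anything that matches neither is a pending event."""
    text = event["message"].lower()
    for scene, keywords in THREAT_KEYWORDS.items():
        if any(kw in text for kw in keywords):
            return "threat", scene
    src = ipaddress.ip_address(event["src"])
    for rule in SERVICE_ACCESS:
        if (src in ipaddress.ip_network(rule["src_net"])
                and event["dst"] == rule["dst"]
                and event["port"] == rule["port"]
                and event["proto"] == rule["proto"]):
            return "service", rule["scene"]
    return "pending", None


def resolve_pending(event, edges, max_depth=3):
    """Second stage: association analysis of a pending event over the knowledge graph.
    Walk outward from the source IP node a few hops: a reachable threat node types the
    event as a threat, a reachable destination IP node (a known access relationship)
    types it as a service scenario event, otherwise it stays pending."""
    adj = defaultdict(list)
    for src, dst, _rel in edges:
        adj[src].append(dst)
    start = f"ip:{event['src']}"
    seen, frontier = {start}, [start]
    for _ in range(max_depth):
        frontier = [d for n in frontier for d in adj.get(n, []) if d not in seen]
        seen.update(frontier)
    if any(n.startswith("threat:") for n in seen):
        return "threat", "graph:threat_association"
    if f"ip:{event['dst']}" in seen:
        return "service", "graph:known_access"
    return "pending", None


def classify(event, edges=GRAPH_EDGES):
    kind, detail = semantic_type(event)
    if kind == "pending":
        kind, detail = resolve_pending(event, edges)
    return kind, detail


def classify_all(events, edges=GRAPH_EDGES):
    return [classify(e, edges) for e in events]


# Constructed sample events (not real logs).
EVENTS = [
    {"src": "116.66.184.192", "dst": "10.2.6.14", "port": 22, "proto": "tcp",
     "message": "sshd: Failed password for invalid user admin"},
    {"src": "10.1.4.20", "dst": "10.2.6.14", "port": 443, "proto": "tcp",
     "message": "GET /index.html 200"},
    {"src": "116.66.184.192", "dst": "10.2.6.14", "port": 443, "proto": "tcp",
     "message": "GET /login 200"},
    {"src": "10.3.7.7", "dst": "10.2.9.9", "port": 22, "proto": "tcp",
     "message": "session opened for user backup"},
    {"src": "203.0.113.9", "dst": "10.2.6.14", "port": 8080, "proto": "tcp",
     "message": "GET /healthz 200"},
]

if __name__ == "__main__":
    for event, (kind, detail) in zip(EVENTS, classify_all(EVENTS)):
        print(f"{event['src']} -> {event['dst']}:{event['port']}  {kind:8} {detail}")
```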
It should be noted that, the embodiments of the association analysis device correspond to the foregoing method embodiments, and specific descriptions and beneficial effect descriptions may refer to the method embodiments, which are not repeated. It is noted that the device embodiments may be used in conjunction with the methods described above, or may be used alone.
Referring to fig. 10, fig. 10 is a schematic structural diagram of an association analysis apparatus provided in an embodiment of the present invention. The embodiment of the present application further provides an association analysis apparatus 1000 (the apparatus 1000 may specifically be a computer apparatus) which, as shown in fig. 10, includes a memory 1005, a processor 1001, a user interface 1003, a communication interface 1004, and a bus 1002. The memory 1005, the processor 1001, the user interface 1003, and the communication interface 1004 are communicatively connected to each other via the bus 1002.
In addition, the user interface 1003 may include a display and a keyboard; optionally, the user interface 1003 may further include a standard wired interface or a wireless interface. The communication interface 1004 may optionally include a standard wired interface or a wireless interface (e.g., a WI-FI interface).
The memory 1005 may be a read-only memory (ROM), a static storage device, a dynamic storage device, or a random access memory (RAM). The memory 1005 may store a program, and when the program stored in the memory 1005 is executed by the processor 1001, the processor 1001 and the communication interface 1004 are used to perform the respective steps of the association analysis method of the second embodiment of the present application.
The processor 1001 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), a graphics processing unit (GPU), or one or more integrated circuits for executing the associated programs, so as to perform the functions required of the units in the association analysis apparatus described in the above embodiment, or to perform the association analysis method described in the second embodiment.
The processor 1001 may also be an integrated circuit chip with signal processing capabilities. In implementation, each step of the association analysis method of the second embodiment of the present application may be completed by an integrated logic circuit of hardware in the processor 1001 or by an instruction in software form. The processor 1001 described above may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the association analysis method disclosed in connection with the second embodiment of the present application may be directly embodied as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules may be located in a random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or another storage medium well known in the art. The storage medium is located in the memory 1005; the processor 1001 reads the information in the memory 1005 and, in combination with its hardware, performs the functions required of the units included in the association analysis apparatus described in the above embodiment, or performs the association analysis method of the second embodiment of the present application.
The communication interface 1004 enables communication between the association analysis apparatus 1000 and other devices or communication networks using a transceiver means such as, but not limited to, a transceiver. For example, network security event information and security association information may be obtained through the communication interface 1004.
The bus 1002 may include a path for transferring information between the components of the association analysis apparatus 1000 (e.g., the memory 1005, the processor 1001, the user interface 1003, and the communication interface 1004).
It should be noted that although the association analysis apparatus 1000 shown in fig. 10 only shows a memory, a processor, a user interface and a communication interface, it should be understood by those skilled in the art that in a specific implementation the association analysis apparatus 1000 further includes other devices necessary for normal operation. Also, as will be appreciated by those skilled in the art, the association analysis apparatus 1000 may include hardware devices that implement other additional functions, as needed. Furthermore, it will be appreciated by those skilled in the art that the association analysis apparatus 1000 may also include only the components necessary to implement the embodiments of the present application, and not all of the components illustrated in fig. 10.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a computer program product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The embodiment of the invention also provides a chip, which comprises a processor and a data interface, wherein the processor reads the instructions stored in the memory through the data interface, and executes the association analysis method described in the second embodiment.
Optionally, as an implementation manner, the chip may further include a memory, where an instruction is stored in the memory, and the processor is configured to execute the instruction stored on the memory, where the instruction is executed, and the processor is configured to perform the association analysis method described in the second embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A method of association analysis, the method comprising the steps of:
acquiring network security event information and security association information of monitored network equipment, wherein the security association information is information associated with network security of the monitored network;
establishing a security knowledge graph according to the network security event information and the security association information;
and performing association analysis on the network security event information based on the security knowledge graph, and outputting association analysis result information, wherein the association analysis result information comprises type information of the network security event, and the type comprises a threat event or a service scenario event.
2. The method according to claim 1, characterized in that the method further comprises the steps of:
when the type of the network security event is determined to be a threat event, carrying out knowledge reasoning on the threat event based on the security knowledge graph and a security knowledge base to obtain a reasoning result of the threat event, wherein the reasoning result comprises one or more of an attack source, an attack link and an attacker portrait.
3. The method according to claim 1 or 2, wherein the establishing of a security knowledge graph according to the network security event and the security association information comprises the following steps:
performing knowledge extraction on the network security event and the security association information to determine extraction information, wherein the extraction information comprises entities, relationships among the entities, attributes of the entities and the attribute values corresponding to the attributes;
and establishing the security knowledge graph according to the extraction information and the security knowledge base, wherein the security knowledge graph comprises a plurality of nodes and connecting edges between the nodes, the nodes are used for representing the entities and/or the attribute values, and the connecting edges between the nodes are used for representing the relationships between the entities and/or the attributes of the entities.
4. A method according to any one of claims 1 to 3, characterized in that the method further comprises the steps of:
acquiring an initial query statement;
processing the initial query statement according to a preset processing rule to generate a graph query request, wherein the graph query request comprises one or more of a link identification request, an attacker portrait query request and an attack traceability request;
and responding to the graph query request, and outputting a visual query result for the graph query request according to the security knowledge graph and the security knowledge base.
5. The method according to any one of claims 1 to 4, wherein the performing of association analysis on the network security event information based on the security knowledge graph and the outputting of association analysis result information specifically comprise the following steps:
performing semantic analysis processing on the network security event information to determine the type information of the network security event;
and if the semantic analysis processing of the network security event information determines that the network security event is a pending event, performing association analysis on the pending event based on the security knowledge graph so as to determine the type information of the pending event.
6. The method according to claim 5, wherein the performing of semantic analysis processing on the network security event information to determine the type information of the network security event comprises the following steps:
matching the network security event information against a keyword matching condition corresponding to a threat scenario, and determining the type of a network security event that satisfies the keyword matching condition as a threat event;
and identifying a network security event that does not satisfy the keyword matching condition according to the access characteristics of a service scenario, determining the type of a network security event that matches the access characteristics as a service scenario event, and determining a network security event that does not match the access characteristics as a pending event.
7. The method according to any one of claims 1 to 6, wherein the security association information comprises information of the monitored network device of one or more of: network topology, assets, vulnerability scanning data, threat information, application service types, operating systems, network traffic, or logs.
8. A correlation analysis device, the device comprising:
the system comprises an acquisition module, a monitoring module and a control module, wherein the acquisition module is used for acquiring network security event information and security association information of monitored network equipment, wherein the security association information is information associated with network security of the monitored network;
the establishing module is used for establishing a security knowledge graph according to the network security event information and the security association information;
the analysis module is used for carrying out association analysis on the network security event information based on the security knowledge graph and outputting association analysis result information, wherein the association analysis result information comprises type information of the network security event, and the type comprises a threat event or a business scene event.
9. A correlation analysis device comprising a processor and a memory, wherein the processor is coupled to the memory, wherein the memory is configured to store program code and the processor is configured to invoke the program code to perform the correlation analysis method of any of claims 1 to 7.
10. A computer readable storage medium storing a computer program that is executed by a processor to implement the correlation analysis method of any one of claims 1 to 7.
11. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the correlation analysis method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210013359.7A CN116451215A (en) 2022-01-06 2022-01-06 Correlation analysis method and related equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210013359.7A CN116451215A (en) 2022-01-06 2022-01-06 Correlation analysis method and related equipment

Publications (1)

Publication Number Publication Date
CN116451215A true CN116451215A (en) 2023-07-18

Family

ID=87134252

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210013359.7A Pending CN116451215A (en) 2022-01-06 2022-01-06 Correlation analysis method and related equipment

Country Status (1)

Country Link
CN (1) CN116451215A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117610105A (en) * 2023-12-07 2024-02-27 上海烜翊科技有限公司 Model view structure design method for automatically generating system design result
CN117610105B (en) * 2023-12-07 2024-06-07 上海烜翊科技有限公司 Model view structure design method for automatically generating system design result
CN117560223A (en) * 2024-01-08 2024-02-13 广州大学 Threat attribution prediction method, threat attribution prediction device, threat attribution prediction medium and electronic equipment
CN117560223B (en) * 2024-01-08 2024-04-16 广州大学 Threat attribution prediction method, threat attribution prediction device, threat attribution prediction medium and electronic equipment
CN117574363A (en) * 2024-01-15 2024-02-20 杭州美创科技股份有限公司 Data security event detection method, device, computer equipment and storage medium
CN117574363B (en) * 2024-01-15 2024-04-16 杭州美创科技股份有限公司 Data security event detection method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication