CN116668054A - Security event collaborative monitoring and early warning method, system, equipment and medium - Google Patents


Info

Publication number: CN116668054A
Application number: CN202310106409.0A
Authority: CN (China)
Legal status: Pending
Prior art keywords: attack, event, sequence, alarm, attack chain
Other languages: Chinese (zh)
Inventors: 唐云, 张旭, 张�浩
Current assignee: Zhongneng Integrated Smart Energy Technology Co Ltd
Original assignee: Zhongneng Integrated Smart Energy Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00: Pattern recognition
    • G06F 18/20: Analysing
    • G06F 18/22: Matching criteria, e.g. proximity measures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06: Management of faults, events, alarms or notifications
    • H04L 41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L 41/064: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis involving time analysis

Abstract

The application relates to a method, system, equipment and medium for collaborative monitoring and early warning of security events. The method comprises: obtaining newly added security event features and storing them in a security event feature knowledge base; matching the whole-network historical data and real-time data against the newly added security event features according to a traffic matching rule, and obtaining a matching result; forming an alarm event in the situation awareness platform based on the matching result; if matching alarm events exist within a preset time range, aggregating the matching alarm events to form an attack chain; forming a sequence attack chain according to the time order of the alarm events aggregated in the attack chain and storing the sequence attack chain in an attack portrait library; and analyzing the sequence attack chain in the attack portrait library, acquiring the sequence attack chain information, and generating a high-risk event notification to the enterprises involved in the attack chain. In this way the whole attack portrait is identified in a timely and accurate manner and whole-network early warning is carried out.

Description

Security event collaborative monitoring and early warning method, system, equipment and medium
Technical Field
The application relates to the technical field of network information security, in particular to a security event collaborative monitoring and early warning method, a system, equipment and a medium.
Background
At present, network security has gradually become a global problem: uncertainty factors in cyberspace are increasing, and network attacks aimed at national key information infrastructure are rising. A security protection system built around a Security Operation Center (SOC) has become the choice of more and more enterprises. However, the ubiquity of attack sources and the automation of attack tools produce a great number of attack alarms in a situation awareness platform. Even though the platform has functions such as aggregation, filtering and analysis of alarm logs, it still cannot timely and accurately identify the whole attack portrait when facing network attacks by hacker organizations aimed at specific industries, vulnerabilities and enterprises.
At present, a security operation center mainly relies on manual work to perform linkage analysis across multiple monitoring points according to security event features. This mode cannot cope with targeted, long-duration, wide-range network attacks: when several enterprises are attacked by the same organization using the same method and different analysts are responsible for monitoring them, only some of the analysts will discover the attack behaviour and issue an early warning.
Therefore, how to use the situation awareness platform to achieve multipoint matching of security event features discovered at a single point, so that the whole attack portrait can be identified timely and accurately and whole-network early warning can be carried out, is an urgent problem to be solved.
Disclosure of Invention
The application provides a security event collaborative monitoring and early warning method, system, equipment and medium, aimed at the problem that early warning is neither timely nor accurate in the current security event prediction and early warning process of industrial control security energy stations. It provides a security event collaborative monitoring and early warning method based on big data and a machine learning algorithm, so as to improve the accuracy and effectiveness of early warning as much as possible.
In a first aspect, the present application provides a method for collaborative monitoring and early warning of a security event, the method comprising: acquiring newly added security event features and storing them in a security event feature knowledge base; matching the whole-network historical data and real-time data against the newly added security event features according to a traffic matching rule, and obtaining a matching result; forming an alarm event in the situation awareness platform based on the matching result; if matching alarm events exist within the preset time range, aggregating the matching alarm events to form an attack chain; forming a sequence attack chain according to the time order of the alarm events aggregated in the attack chain and storing the sequence attack chain in an attack portrait library; and analyzing the sequence attack chain in the attack portrait library, acquiring the sequence attack chain information, and generating a high-risk event notification to the enterprises involved in the sequence attack chain. The security event features include, but are not limited to: source IP address, source port, destination IP address, destination port, transport layer protocol, network traffic filtering conditions, and attack stage label. The alarm event includes, but is not limited to: alarm trigger time, alarm name, target asset, source IP address, source port, destination IP address, destination port, network protocol, threat level, traffic matching rule id, and attack stage label.
Optionally, acquiring the newly added security event features and storing them in the security event feature knowledge base includes: acquiring security event features, comparing them with the historical information in the security event feature knowledge base, and obtaining the newly added security event features after de-duplication and aggregation; and storing the newly added security event features thus obtained in the security event feature knowledge base.
Optionally, matching the whole-network historical data and real-time data against the newly added security event features according to the traffic matching rule and obtaining a matching result includes: based on the newly added security event features, obtaining network traffic that carries a threat by matching according to the traffic matching rules, and eliminating normal traffic that hits the traffic matching rules but carries no threat; wherein the traffic matching rules comprise Yara rules formed from the acquired security event features using Yara techniques.
Optionally, if matching alarm events are found within the preset time range, aggregating them to form an attack chain includes: combining and storing the alarm events that trigger the same attack stage within the preset time range; acquiring the attack stage label in each alarm event; and, based on an attack chain model, aggregating the combined and stored alarm events according to the attack stage label to form an attack chain. The attack chain model comprises seven stages: reconnaissance target, manufacturing tool, transmitting tool, triggering tool, trojan installation, connection establishment and attack execution; the attack stage labels mark each stage of the attack chain model.
Optionally, combining and storing the alarm events that trigger the same attack stage within the preset time range includes: acquiring the alarm events that, within the preset time, have the same target asset, triggered alarm rule, source IP address and destination IP address; and combining and storing the acquired alarm events.
Optionally, forming a sequence attack chain according to the time order of the alarm events aggregated in the attack chain and storing it in the attack portrait library includes: acquiring the alarm trigger time of each alarm event aggregated in the attack chain; forming a sequence attack chain from the attack chain according to the acquired alarm trigger times; and storing the sequence attack chain in the attack portrait library, which holds the formed sequence attack chains with their different time orders.
Optionally, analyzing the sequence attack chain in the attack portrait library, extracting the sequence attack chain information and generating a high-risk event notification to the enterprises involved in the attack chain includes: acquiring the source IP addresses and traffic matching rule ids of the alarm events in the sequence attack chain within the preset time; resolving the country of attribution of the source IP addresses, and aggregating the sequence attack chains that share the same country of attribution and the same traffic matching rule id to form a high-risk event; and notifying the corresponding enterprises of the formed high-risk event through the situation awareness platform. The high-risk event comprises the event occurrence date, attack source country, attack organization, target industry and the name of the vulnerability used.
In a second aspect, the present application provides a system for the security event collaborative monitoring and early warning method, the system comprising: an acquisition module for acquiring the newly added security event features and storing them in the security event feature knowledge base; a matching module for matching the whole-network historical data and real-time data against the security event features according to the traffic matching rule to obtain a matching result; a first processing module for forming an alarm event in the situation awareness platform based on the matching result; a second processing module for judging whether matching alarm events exist within the preset time range and, if so, aggregating them to form an attack chain; a third processing module for forming a sequence attack chain according to the time order of the alarm events aggregated in the attack chain and storing it in the attack portrait library; and a result module for analyzing the sequence attack chain in the attack portrait library, acquiring the sequence attack chain information and generating a high-risk event notification to the enterprises involved in the sequence attack chain.
In a third aspect, the present application also provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the above method are implemented when the processor executes the computer program.
In a fourth aspect, a computer readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method described above.
The application has at least the following advantages:
According to the technical content provided by the embodiments of the application, the situation awareness platform generates alarm events from the newly added security event features and then analyzes and matches the massive alarm events through the stream processing engine; the alarm events are temporarily stored as attack chains, the attack chains are aggregated into a sequence attack chain according to the attack chain model and the alarm event trigger time and stored in the attack portrait library, and finally all sequence attack chains in the attack portrait library are analyzed, information such as the target industries or enterprises, exploited vulnerabilities and attack organizations in the sequence attack chain is extracted, and high-risk events are generated and notified to the enterprises concerned. Thus, when several analysts responsible for several enterprises face a targeted, long-duration, wide-range network attack, the situation awareness platform can issue rules automatically as soon as one person discovers the attack behaviour and submits the security event, and the other analysts are notified once the high-risk event is discovered through big data analysis. In other words, the mean time to detection, measured from the first occurrence, is shortened, and the situation awareness platform achieves complete, accurate, point-to-point identification of security intrusion features for the enterprises concerned.
Drawings
FIG. 1 is a diagram of an application environment showing a security event collaborative monitoring and early warning method in one embodiment;
FIG. 2 is a flow chart illustrating a method of collaborative monitoring and early warning of a security event in one embodiment;
FIG. 3 is a flow chart illustrating the features of a new security event in one embodiment;
FIG. 4 is a flow diagram illustrating the formation of an attack chain in one embodiment;
FIG. 5 is a flow diagram illustrating formation of a sequence attack chain in one embodiment;
FIG. 6 is a schematic flow chart showing the formation of high risk events in one embodiment;
FIG. 7 is a block diagram illustrating a security event collaborative monitoring and early warning system in accordance with one embodiment;
FIG. 8 is a schematic structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the exemplary embodiments according to the present application. As used herein, the singular forms "a," "an" and "the" are intended to include the plural forms as well unless the context clearly indicates otherwise; furthermore, it is to be understood that these terms, when used in this specification, denote the presence of a feature, step, operation, device, component and/or combination thereof.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in detail below with reference to the accompanying drawings. However, it will be understood by those of ordinary skill in the art that in various embodiments of the present application, numerous specific details are set forth in order to provide a thorough understanding of the present application. However, the claimed technical solution of the present application can be realized without these technical details and various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not be construed as limiting the specific implementation of the present application, and the embodiments can be combined with each other and cited with each other without contradiction.
For ease of understanding, a system to which the present application is applicable is first described. The security event collaborative monitoring and early warning method provided by the application can be applied to the system architecture shown in fig. 1. The system comprises a user space file server 103 and a terminal device 101, the terminal device 101 communicating with the user space file server 103 via a network. The user space file server 103 may be a file server based on the nfsv3\v4 protocol running in a Linux environment; NFS (Network File System) is a network abstraction above the file system that allows a remote client running on the terminal device 101 to access it over the network in much the same way as a local file system. The terminal device 101 may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet computer and the like, and the user space file server 103 may be implemented as a stand-alone server or as a server cluster composed of several servers.
Fig. 2 is a flow chart of a security event collaborative monitoring and early warning method according to an embodiment of the present application, where the method may be executed by a user space file server in the system shown in fig. 1. As shown in fig. 2, the method may include the steps of:
S201, acquiring newly added security event features and storing them in a security event feature knowledge base;
S202, matching the whole-network historical data and real-time data against the newly added security event features according to a traffic matching rule, and obtaining a matching result;
S203, forming an alarm event in the situation awareness platform based on the matching result;
S204, if matching alarm events exist within the preset time range, aggregating them to form an attack chain;
S205, forming a sequence attack chain according to the time order of the triggered alarm events aggregated in the attack chain and storing it in an attack portrait library;
S206, analyzing the sequence attack chain in the attack portrait library, acquiring the sequence attack chain information, and generating a high-risk event notification to the enterprises involved in the sequence attack chain;
wherein the security event features include, but are not limited to: source IP address, source port, destination IP address, destination port, transport layer protocol, network traffic filtering conditions, and attack stage label; and the alarm events include, but are not limited to: alarm trigger time, alarm name, target asset, source IP address, source port, destination IP address, destination port, network protocol, threat level, traffic matching rule id, and attack stage label.
Each step is specifically described in detail below:
S201, acquiring newly added security event features and storing them in a security event feature knowledge base;
As shown in fig. 2, in this embodiment it should be noted that the security event features include, but are not limited to, a source IP address, source port, destination IP address, destination port, transport layer protocol, network traffic filtering condition and attack stage label. After an expert analyzes the network traffic, the security event features are extracted; they provide the basis for producing alarm events, and the alarm events obtained are used for subsequent analysis and processing to accurately predict potential security events.
S202, matching is carried out according to a flow matching rule based on the newly added security event characteristics, the whole network historical data and the real-time data, and a matching result is obtained;
In this embodiment it should be noted that the acquired newly added security event features are matched with the whole-network historical data and real-time data according to the traffic matching rule. The traffic matching rule is a preset rule obtained by summarizing and analyzing abnormal data that appeared in historical traffic data; the matching result, obtained by matching the acquired newly added security event features against the traffic matching rule, is used for subsequent analysis and early warning.
S203, forming an alarm event in the situation awareness platform based on the matching result;
In this embodiment it should be noted that the situation awareness platform is an environment-based, dynamic and overall capability of knowing security risks. Based on security big data, it is a way of improving, from a global perspective, the capabilities of discovering, recognizing, understanding, analyzing, responding to and disposing of security threats, so that decisions and actions can ultimately be taken and security capabilities put into practice; it collects the traffic logs and alarms reported by enterprises and performs multidimensional, multi-model security event analysis and judgement. The security event features are analyzed through the traffic matching rule to obtain a matching result, and the security event is formed through further analysis on the situation awareness platform. The security event includes, but is not limited to, the alarm trigger time, alarm name, target asset, source IP address, source port, destination IP address, destination port, network protocol, threat level, traffic matching rule id and attack stage label, and the analysis and early warning of the security event are realized through the alarm event thus formed.
For example, if an attack is made from the US IP address 66.117.31.255 on a coal enterprise at 192.168.4.3 using the ThinkPHP command execution vulnerability, an alarm event is generated on the situation awareness platform, for example, 2023, 1, 13:01.
S204, if the matched alarm events exist in the preset time range, the matched alarm events are aggregated to form an attack chain;
As shown in fig. 2 and fig. 4, in this embodiment it should be noted that a stream processing engine under a big data stream computing framework is called to analyze the huge number of alarm events; the alarm events obtained by analysis are matched, and the matching alarm events are associated to generate an attack chain containing several alarm events. The stream processing engine is a core big data platform for real-time intelligent processing and can rapidly process a large number of alarm events.
The stream processing engine analyzes the alarm events: those whose enterprise, source IP address, destination IP address and attack stage are the same, and whose alarm trigger time falls within the appointed time range, are aggregated and temporarily stored as a list; for example, the same alarm events found by analysis are aggregated within the time period from 00:00:00 to 23:59:59. When a new alarm event that does not qualify is generated after the specified time point, such as 23:59:59, or after a specified time period, such as 1 hour, has elapsed, the alarm events in the list are formed into an attack chain. This process runs in real time and continues as long as new alarm events are generated.
S205, forming a sequence attack chain according to the time sequence of the triggered alarm events aggregated in the attack chain and storing the sequence attack chain into an attack image library;
As shown in fig. 2 and fig. 5, in this embodiment it should be noted that, according to the alarm trigger time order of the alarm events, all attack chains against the same asset within the preset time period are integrated to generate a sequence attack chain, which is stored in the attack portrait library. A time sequence is formed according to the alarm trigger times, and the screened and matched attack chains that share the same target asset are aggregated to form the sequence attack chain. This realizes the multipoint matching of security event features discovered at a single point, which facilitates the subsequent timely and accurate identification of the whole attack portrait and realizes accurate monitoring and early warning.
S206, analyzing the sequence attack chain in the attack image library, obtaining sequence attack chain information, and generating high-risk event notification to corresponding enterprises involved in the sequence attack chain.
As shown in fig. 2 and 6, in this embodiment it should be noted that the high-risk event includes the event occurrence date, attack source country, attack organization, target industry and the name of the vulnerability used, i.e. the name of the traffic matching rule that occurs most frequently across all the sequence attack chains. Information such as the target industries or enterprises, exploited vulnerabilities and attack organizations is extracted from the generated sequence attack chain, the high-risk event is generated, and the analysts of the enterprises concerned are notified of it.
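Steps S205 and S206 as described above, worked through in code. This is an added example written for this page, not code from the patent or its assignee: the attack chain record layout, the country lookup table, the industry table and the rule-name table are constructed assumptions (a real deployment would read these from the situation awareness platform and an IP geolocation database), the source addresses are taken from documentation ranges, and the attack organization field is left as a placeholder because the description does not say how it is derived.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AttackChain:
    """An attack chain as handed over by step S204; only the fields that
    steps S205 and S206 read are modelled (hypothetical layout)."""
    enterprise: str
    target_asset: str
    src_ip: str
    rule_id: int              # traffic matching rule id
    attack_stage: str         # attack stage label
    first_trigger: datetime   # earliest alarm trigger time among its alarm events


@dataclass
class SequenceAttackChain:
    target_asset: str
    chains: list              # AttackChain objects in alarm trigger time order


@dataclass
class HighRiskEvent:
    occurrence_date: date
    source_country: str
    attack_organization: str
    target_industries: list
    vulnerability_name: str
    enterprises: list         # enterprises to be notified through the platform


# Constructed lookup tables standing in for platform data (assumptions).
RULE_NAMES = {10001: "directory traversal", 10002: "port scanning",
              10003: "file upload vulnerability attack",
              10005: "WebShell file access attempt"}
INDUSTRY = {"A": "coal", "B": "power", "C": "coal"}
COUNTRY_PREFIXES = {ip_network("203.0.113.0/24"): "Country-X",   # documentation ranges,
                    ip_network("198.51.100.0/24"): "Country-Y"}  # not real attribution


def attribution_country(src_ip):
    """Resolve the country a source IP is attributed to (here via the constructed table)."""
    addr = ip_address(src_ip)
    for net, country in COUNTRY_PREFIXES.items():
        if addr in net:
            return country
    return "unknown"


def build_sequence_chains(chains, period_start, period_end):
    """S205: integrate all attack chains against the same asset within the
    preset period into one sequence attack chain ordered by trigger time."""
    by_asset = defaultdict(list)
    for chain in chains:
        if period_start <= chain.first_trigger <= period_end:
            by_asset[chain.target_asset].append(chain)
    return [SequenceAttackChain(asset, sorted(cs, key=lambda c: c.first_trigger))
            for asset, cs in by_asset.items()]


def form_high_risk_events(sequence_chains):
    """S206: aggregate the chains of all sequence attack chains that share the
    same country of attribution and the same rule id into one high-risk event."""
    groups = defaultdict(list)
    for seq in sequence_chains:
        for chain in seq.chains:
            groups[(attribution_country(chain.src_ip), chain.rule_id)].append(chain)
    events = []
    for (country, rule_id), members in groups.items():
        enterprises = sorted({c.enterprise for c in members})
        events.append(HighRiskEvent(
            occurrence_date=min(c.first_trigger for c in members).date(),
            source_country=country,
            attack_organization="unattributed",   # derivation not given in the description
            target_industries=sorted({INDUSTRY[e] for e in enterprises}),
            vulnerability_name=RULE_NAMES.get(rule_id, f"rule {rule_id}"),
            enterprises=enterprises))
    return events


def _chain(enterprise, asset, src_ip, rule_id, stage, hour, minute):
    return AttackChain(enterprise, asset, src_ip, rule_id, stage,
                       datetime(2022, 12, 31, hour, minute))


# Constructed attack chains: enterprises A and B hit by the same rule from the
# same attributed country, enterprise C by the same rule from another country.
SAMPLE_CHAINS = [
    _chain("A", "192.168.100.101", "203.0.113.7", 10001, "reconnaissance target", 7, 45),
    _chain("A", "192.168.100.101", "203.0.113.7", 10003, "transmitting tool", 9, 22),
    _chain("B", "192.168.4.3", "203.0.113.9", 10003, "transmitting tool", 11, 5),
    _chain("C", "192.168.7.20", "198.51.100.5", 10003, "transmitting tool", 12, 0),
]
PERIOD = (datetime(2022, 12, 31, 0, 0, 0), datetime(2022, 12, 31, 23, 59, 59))


def run_pipeline(chains=SAMPLE_CHAINS, period=PERIOD):
    sequence_chains = build_sequence_chains(chains, *period)
    return sequence_chains, form_high_risk_events(sequence_chains)


if __name__ == "__main__":
    for event in run_pipeline()[1]:
        print(event)
```

With the constructed chains, enterprises A and B end up in one high-risk event (same attributed country, same rule id 10003, industries coal and power), while enterprise C, hit by the same rule from a differently attributed source, forms a separate event; the notification list of each event is the set of enterprises whose chains were aggregated into it.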
Referring to fig. 2 and 3, in some embodiments, acquiring the newly added security event features and storing them in the security event feature knowledge base in S201 includes:
S2011, acquiring security event features, comparing them with the historical information of the security event feature knowledge base, and obtaining the newly added security event features after de-duplication and aggregation;
S2012, storing the newly added security event features obtained by matching in the security event feature knowledge base.
In this embodiment it should be noted that the security event features produced by expert analysis are extracted, compared with the historical information of the security event feature knowledge base, and stored in the knowledge base after de-duplication and aggregation.
In some embodiments, matching the whole-network historical data and real-time data against the newly added security event features in S202 to obtain a matching result includes: matching the newly added security event features according to the traffic matching rule to obtain network traffic carrying a threat, and removing normal traffic that hits the traffic matching rule but carries no threat, wherein the traffic matching rule comprises a Yara rule formed from the security event features using Yara technology.
In this embodiment it should be noted that YARA is an open source tool intended to help malware researchers identify and classify malware samples; with YARA, malware family descriptions can be created from text or binary patterns together with other matching information. Each YARA description, or rule, consists of a set of strings and a boolean expression that determines its logic. YARA rules can be applied to a file or a running process to help researchers identify whether it belongs to a malware family described by the rules. The traffic matching rule is a Yara rule formed, using Yara technology, from the security event features submitted by an expert, so that network traffic carrying a threat is matched and normal traffic that hits the rule but carries no threat is eliminated.
Referring to fig. 2 and fig. 4, in some embodiments, if matching alarm events are found within the preset time range, aggregating them in S204 to form an attack chain specifically includes:
s2041, combining and storing alarm events which trigger the same attack stage within a preset time range;
s2042, obtaining an attack stage label in an alarm event;
s2043, based on the attack chain model, aggregating the corresponding combined stored alarm events according to the attack stage labels to form an attack chain.
In this embodiment, it should be noted that the attack chain model includes seven stages of reconnaissance, making tool, transmitting tool, triggering tool, mounting trojans, establishing connection and executing attack, and the attack stage labels are used to mark each stage of the attack chain model. The alarm events matched in the preset time are combined, a plurality of alarm events are based on the attack chain model according to the attack stage labels in the alarm events, and the stages in the corresponding attack chain model are further aggregated to form an attack chain for subsequent accurate analysis and early warning.
For example, 6 alarm events are newly formed in the situation awareness platform, the 6 alarm events all occur in a preset time range, for example, all occur in a time period from 00:00:00 to 23:59:59 of 22/12/31, and are matched with each other, the streaming processing engine analyzes the alarm events and associates the alarm events into 3 attack chains according to the attack stage labels, and the attack chain 1 comprises an alarm event 1 and an alarm event 2; the attack chain 2 comprises an alarm event 3 and an alarm event 4; the attack chain 3 comprises an alarm event 5 and an alarm event 6; the corresponding attack chains are respectively: attack chain 1-scout target, attack chain 2-transfer tool, attack chain 3-trigger tool.
In some embodiments, in S2041, storing the alarm event combinations that trigger the same attack phase within the preset time range includes: acquiring alarm events which have the same target asset, trigger alarm rules, source IP addresses and destination IP addresses within preset time; and combining and storing the acquired alarm events.
In this embodiment, suppose for example that the following 6 alarm events are newly formed in the situation awareness platform:
Alarm event 1: alarm trigger time 22/12/31 07:45, alarm name directory traversal, enterprise A, source IP address 1.1.1.1, destination IP address 192.168.100.101, traffic matching rule id 10001.
Alarm event 2: alarm trigger time 22/12/31 08:25, alarm name port scanning, enterprise A, source IP address 1.1.1.1, destination IP address 192.168.100.101, traffic matching rule id 10002.
Alarm event 3: alarm trigger time 22/12/31 09:22, alarm name file upload vulnerability attack, enterprise A, source IP address 1.1.1.1, destination IP address 192.168.100.101, traffic matching rule id 10003.
Alarm event 4: alarm trigger time 22/12/31 10:32, alarm name file upload vulnerability attack, enterprise A, source IP address 1.1.1.1, destination IP address 192.168.100.101, traffic matching rule id 10004.
Alarm event 5: alarm trigger time 22/12/31 10:35, alarm name WebShell file access attempt, enterprise A, source IP address 1.1.1.1, destination IP address 192.168.100.101, traffic matching rule id 10005.
Alarm event 6: alarm trigger time 22/12/31 10:50, alarm name backdoor file scanning, enterprise A, source IP address 1.1.1.1, destination IP address 192.168.100.101, traffic matching rule id 10006.
As can be seen from the content of the 6 alarm events, they share the same target asset (enterprise A), the same source IP address (1.1.1.1) and the same destination IP address (192.168.100.101), and each was raised by one of the platform's traffic matching rules (rule ids 10001 to 10006), so the 6 alarm events can be matched and combined. Note that in this example the grouping into chains is done by the attack stage label carried by each rule, not by identical rule id, since the six rule ids differ. According to the attack stage labels the events are associated into 3 attack chains: attack chain 1 comprises alarm events 1 and 2; attack chain 2 comprises alarm events 3 and 4; attack chain 3 comprises alarm events 5 and 6. Mapped onto the attack chain model, the chains correspond to: attack chain 1, reconnaissance; attack chain 2, delivery (transmitting the tool); attack chain 3, exploitation (triggering the tool).
Referring to fig. 2 and 5, in some embodiments, S205, forming a sequence attack chain according to the time order in which the alarm events aggregated in the attack chain were triggered and storing the sequence attack chain in the attack portrait library, comprises:
S2051, acquiring the alarm trigger time of each alarm event aggregated in the attack chain;
S2052, ordering the attack chains by the acquired alarm trigger times to form a sequence attack chain;
S2053, storing the sequence attack chain in the attack portrait library.
In this embodiment, the attack portrait library (also called the attack image library) stores the sequence attack chains formed from different time orders. Taking the 6 alarm events above as an example, attack chain 1 comprises alarm events 1 and 2, attack chain 2 comprises alarm events 3 and 4, and attack chain 3 comprises alarm events 5 and 6; ordered by alarm trigger time, the chains map onto the stages of the attack chain model as attack chain 1, reconnaissance; attack chain 2, delivery (transmitting the tool); attack chain 3, exploitation (triggering the tool). From the alarm trigger order of the alarm events and the corresponding stage in the attack chain model, the several attack chains form one sequence attack chain, namely attack chain 1 - attack chain 2 - attack chain 3, which is stored in the attack portrait library for subsequent precise analysis and early warning.
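The aggregation of S204 and the time ordering of S205, as an added worked example in Python (example code written for this page, not the patent's or the applicant's platform code): it takes the six alarm events of the description, re-entered here as constructed data together with one unrelated alarm from a second source, buckets them by target asset, source IP and destination IP within a preset window, groups each bucket by attack stage label into attack chains, and orders the chains by earliest alarm trigger time into a sequence attack chain. The per-event stage labels, the English stage identifiers, the 24-hour default window and the function names are assumptions; the page gives only the chain-level stages. The block also flags a sequence whose observed order runs against the model order, which usually means the window has merged two intrusions or a stage was missed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Seven-stage attack chain model of the description (the cyber kill chain);
# the English identifiers are assumed labels, in model order.
STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
STAGE_RANK = {s: i for i, s in enumerate(STAGES)}

# Constructed alarm events modelled on the six events of the description.
# The per-event "stage" labels are assumed; alarm 7 is an added unrelated
# alarm from another source to show that it does not join chain A.
ALARMS = [
    {"id": 1, "time": "2022-12-31 07:45", "name": "directory traversal", "asset": "A",
     "src_ip": "1.1.1.1", "dst_ip": "192.168.100.101", "rule_id": 10001, "stage": "reconnaissance"},
    {"id": 2, "time": "2022-12-31 08:25", "name": "port scanning", "asset": "A",
     "src_ip": "1.1.1.1", "dst_ip": "192.168.100.101", "rule_id": 10002, "stage": "reconnaissance"},
    {"id": 3, "time": "2022-12-31 09:22", "name": "file upload vulnerability attack", "asset": "A",
     "src_ip": "1.1.1.1", "dst_ip": "192.168.100.101", "rule_id": 10003, "stage": "delivery"},
    {"id": 4, "time": "2022-12-31 10:32", "name": "file upload vulnerability attack", "asset": "A",
     "src_ip": "1.1.1.1", "dst_ip": "192.168.100.101", "rule_id": 10004, "stage": "delivery"},
    {"id": 5, "time": "2022-12-31 10:35", "name": "WebShell file access attempt", "asset": "A",
     "src_ip": "1.1.1.1", "dst_ip": "192.168.100.101", "rule_id": 10005, "stage": "exploitation"},
    {"id": 6, "time": "2022-12-31 10:50", "name": "backdoor file scanning", "asset": "A",
     "src_ip": "1.1.1.1", "dst_ip": "192.168.100.101", "rule_id": 10006, "stage": "exploitation"},
    {"id": 7, "time": "2022-12-31 11:00", "name": "port scanning", "asset": "B",
     "src_ip": "203.0.113.7", "dst_ip": "192.168.200.5", "rule_id": 10002, "stage": "reconnaissance"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def combine_alarms(alarms, window_hours=24):
    """S2041: bucket alarms that share (target asset, source IP, destination IP)
    and whose trigger times fall within the window of the bucket's first alarm.
    Returns a list of ((asset, src_ip, dst_ip), [alarms]) pairs."""
    window = timedelta(hours=window_hours)
    by_key = defaultdict(list)
    for a in sorted(alarms, key=lambda a: parse_time(a["time"])):
        by_key[(a["asset"], a["src_ip"], a["dst_ip"])].append(a)
    buckets = []
    for key, events in by_key.items():
        current = [events[0]]
        for e in events[1:]:
            if parse_time(e["time"]) - parse_time(current[0]["time"]) <= window:
                current.append(e)
            else:                      # outside the window: start a new bucket
                buckets.append((key, current))
                current = [e]
        buckets.append((key, current))
    return buckets


def build_attack_chains(bucket):
    """S2042-S2043: aggregate one bucket by attack stage label; every stage
    present becomes one attack chain (stage -> list of alarms)."""
    chains = defaultdict(list)
    for e in bucket:
        if e["stage"] not in STAGE_RANK:
            raise ValueError(f"unknown attack stage label {e['stage']!r}")
        chains[e["stage"]].append(e)
    return dict(chains)


def sequence_attack_chain(chains):
    """S2051-S2052: order the attack chains by earliest alarm trigger time.
    Returns (ordered stages, alarm ids per stage, model_consistent); the flag
    is False when the observed order runs against the model order."""
    ordered = sorted(chains, key=lambda s: min(parse_time(e["time"]) for e in chains[s]))
    ranks = [STAGE_RANK[s] for s in ordered]
    return ordered, {s: [e["id"] for e in chains[s]] for s in ordered}, ranks == sorted(ranks)


def portrait_library(alarms, window_hours=24):
    """S204 and S205 end to end: one sequence attack chain record per bucket,
    as it would be stored in the attack portrait library (S2053)."""
    library = []
    for (asset, src, dst), bucket in combine_alarms(alarms, window_hours):
        stages, ids, ok = sequence_attack_chain(build_attack_chains(bucket))
        library.append({"asset": asset, "src_ip": src, "dst_ip": dst,
                        "sequence": stages, "alarms": ids, "model_consistent": ok})
    return library


if __name__ == "__main__":
    for record in portrait_library(ALARMS):
        print(record)
```

The bucket key deliberately omits the traffic matching rule id: the six example events carry six different rule ids, so the stage label carried by each rule, not the rule id, is what groups them into chains. The window is applied per (asset, source, destination) key, so shrinking it to one hour splits enterprise A's six alarms into several buckets and breaks the chain, which is the trade-off a preset time range always makes.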
Referring to fig. 2 and 6, in some embodiments, S206, analysing the sequence attack chains in the attack portrait library, extracting sequence attack chain information, and generating high-risk event notifications to the corresponding enterprises involved in the attack chains, comprises:
S2061, acquiring the source IP addresses and traffic matching rule ids of the several alarm events in a sequence attack chain within the preset time;
S2062, attributing each source IP address to a country, and aggregating the sequence attack chains that have the same attributed country and the same traffic matching rule id to form a high-risk event;
S2063, notifying the corresponding enterprises of the formed high-risk event through the situation awareness platform.
In this embodiment, a high-risk event comprises the event occurrence date, the attack source country, the attack organization, the target industry and the name of the exploited vulnerability, where the exploited vulnerability name is the traffic matching rule name that occurs most often across all the sequence attack chains; that is, it is produced after the situation awareness platform has associated a plurality of alarm events. Once sequence attack chains are being generated, all sequence attack chains in the attack portrait library are analysed continuously by a big data stream computing framework: the source IP addresses in each sequence attack chain are attributed to a country, the sequence attack chains with the same attributed country and the same traffic matching rule id are aggregated, and the target industry or enterprise, exploited vulnerability, attack organization and similar information are extracted from them to generate a high-risk event. Finally, the enterprises involved in the generated high-risk event are notified through the situation awareness platform.
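The high-risk event generation of S206, as an added worked example in Python (example code written for this page, not the patent's or the applicant's platform code): it runs over a small constructed attack portrait library, attributes each alarm's source IP to a country through a prefix table that stands in for a GeoIP database, aggregates the sequence attack chains by (attributed country, traffic matching rule id), picks the most frequent rule name as the exploited vulnerability, and works out which enterprise must be notified. The prefix table, country codes, threat-intelligence tags, chain contents, `min_chains` threshold and function names are all assumptions; the page does not say how the attack organization is derived, so it is taken here from an assumed intel tag per source IP.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed stand-in for IP-to-country attribution (a deployment would query
# a GeoIP database); prefixes and country codes are assumed.
GEO_TABLE = [("1.1.1.0/24", "C1"), ("203.0.113.0/24", "C2")]

# Constructed threat-intelligence tags for source IPs (assumed).
INTEL_TAGS = {"1.1.1.1": "group-alpha"}

# Constructed sequence attack chains as they would sit in the attack portrait
# library: the chain from enterprise A above plus two from other enterprises.
LIBRARY = [
    {"chain_id": "seq-1", "enterprise": "A", "industry": "energy", "date": "2022-12-31",
     "alarms": [{"src_ip": "1.1.1.1", "rule_id": 10003, "rule_name": "file upload vulnerability attack"},
                {"src_ip": "1.1.1.1", "rule_id": 10003, "rule_name": "file upload vulnerability attack"},
                {"src_ip": "1.1.1.1", "rule_id": 10005, "rule_name": "WebShell file access attempt"}]},
    {"chain_id": "seq-2", "enterprise": "B", "industry": "energy", "date": "2023-01-02",
     "alarms": [{"src_ip": "1.1.1.9", "rule_id": 10003, "rule_name": "file upload vulnerability attack"}]},
    {"chain_id": "seq-3", "enterprise": "C", "industry": "finance", "date": "2023-01-03",
     "alarms": [{"src_ip": "203.0.113.7", "rule_id": 10002, "rule_name": "port scanning"}]},
]


def country_of(ip):
    """S2062 attribution: map a source IP to a country via the prefix table."""
    addr = ipaddress.ip_address(ip)
    for prefix, country in GEO_TABLE:
        if addr in ipaddress.ip_network(prefix):
            return country
    return "unknown"


def generate_high_risk_events(library, min_chains=1):
    """S2061-S2062: group sequence attack chains by (source country, rule id)
    and emit one high-risk event per group holding at least min_chains chains.
    The exploited vulnerability is the rule name occurring most often across
    the group's chains, as the description specifies."""
    groups = defaultdict(dict)           # (country, rule_id) -> {chain_id: chain}
    for chain in library:
        for alarm in chain["alarms"]:
            key = (country_of(alarm["src_ip"]), alarm["rule_id"])
            groups[key][chain["chain_id"]] = chain   # dict dedups repeated hits
    events = []
    for (country, rule_id), chains in groups.items():
        if len(chains) < min_chains:
            continue
        alarms = [a for c in chains.values() for a in c["alarms"]]
        names = Counter(a["rule_name"] for a in alarms)
        events.append({
            "date": max(c["date"] for c in chains.values()),
            "source_country": country,
            "rule_id": rule_id,
            "attack_organization": sorted({INTEL_TAGS.get(a["src_ip"], "unattributed") for a in alarms}),
            "target_industries": sorted({c["industry"] for c in chains.values()}),
            "vulnerability_used": names.most_common(1)[0][0],
            "notify": sorted({c["enterprise"] for c in chains.values()}),
        })
    return events


def notifications(events):
    """S2063: which enterprise receives which high-risk events, as
    enterprise -> sorted list of the rule ids of the events it is sent."""
    out = defaultdict(list)
    for ev in events:
        for enterprise in ev["notify"]:
            out[enterprise].append(ev["rule_id"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for ev in generate_high_risk_events(LIBRARY, min_chains=2):
        print(ev)
    print(notifications(generate_high_risk_events(LIBRARY)))
```

With `min_chains=2` only the (C1, 10003) cluster survives: the file upload rule was hit from the same attributed country against enterprises A and B, so both are notified, which is the cross-enterprise early warning the page is after. With the default threshold of 1 every cluster becomes an event, which matches the description literally but notifies an enterprise about its own single chain; a practitioner would tune the threshold to the volume of the platform.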
The overall flow of the steps is as follows: acquire the security event features produced by expert research and judgement, compare them with the security event feature library to obtain the newly added security event features, generate traffic matching rules for the newly added features using YARA, match the traffic matching rules against the whole-network historical traffic and real-time traffic, and raise alarm events on the situation awareness platform. The massive alarm events so generated are analysed and matched by a stream processing engine; when an attacker attacks the same target asset of an enterprise within the preset time range, the alarm events with the same IP addresses and the same attack stage are aggregated and temporarily stored as an attack chain, and the attack chains are aggregated, according to the attack chain model and the alarm event trigger times, into a sequence attack chain that is stored in the attack portrait library. All sequence attack chains in the attack portrait library are analysed continuously by a big data stream computing framework, and the target industry or enterprise, exploited vulnerability, attack organization and similar information are extracted from them to generate high-risk events. Finally, the enterprises involved in a generated high-risk event are notified through the situation awareness platform. Relying on the situation awareness platform, security event features discovered at a single point are thus matched at multiple points, so that the whole attack portrait is identified promptly and accurately and a whole-network early warning is issued.
Referring to fig. 7, the present application further provides a security event collaborative monitoring and early warning system, which may comprise an acquisition module, a matching module, a first processing module, a second processing module, a third processing module and a result module. The main functions of the modules are as follows:
the acquisition module 301 is configured to acquire newly added security event features and store them in the security event feature knowledge base;
the matching module 302 is configured to match, based on the newly added security event features, the current traffic matching rules against the whole-network historical data and real-time data to obtain a matching result;
the first processing module 303 is configured to form an alarm event in the situation awareness platform based on the matching result;
the second processing module 304 is configured to aggregate matching alarm events found within a preset time range into an attack chain;
the third processing module 305 is configured to form a sequence attack chain according to the time order in which the alarm events aggregated in the attack chain were triggered and to store the sequence attack chain in the attack portrait library;
the result module 306 is configured to analyse the sequence attack chains in the attack portrait library, acquire the sequence attack chain information, and generate high-risk event notifications to the corresponding enterprises involved in the sequence attack chains.
According to an embodiment of the present application, a computer device and a computer-readable storage medium are also provided.
Fig. 8 is a block diagram of a computer device according to an embodiment of the present application. The computer device represents various forms of digital computers or mobile devices. The digital computers may include desktop computers, portable computers, workstations, personal digital assistants, servers, mainframe computers and other suitable computers; the mobile devices may include tablets, smart phones, wearable devices and the like.
As shown in fig. 8, the device 600 comprises a computing unit 601, a ROM 602, a RAM 603, a bus 604 and an input/output (I/O) interface 605; the computing unit 601, the ROM 602 and the RAM 603 are connected to one another through the bus 604, and the I/O interface 605 is also connected to the bus 604.
The computing unit 601 may perform the various processes of the method embodiments of the present application according to computer instructions stored in the read-only memory (ROM) 602 or loaded from the storage unit 608 into the random access memory (RAM) 603. The computing unit 601 may be any general-purpose and/or special-purpose processing component with processing and computing capability, including but not limited to a central processing unit (CPU), a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various computing units running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller and the like. In some embodiments, the methods provided by the embodiments of the present application may be implemented as a computer software program tangibly embodied on a computer-readable storage medium such as the storage unit 608.
The RAM 603 may also store the various programs and data required for the operation of the device 600. Part or all of the computer program may be loaded and/or installed onto the device 600 via the ROM 602 and/or the communication unit 609.
The input unit 606, output unit 607, storage unit 608 and communication unit 609 of the device 600 may be connected to the I/O interface 605. The input unit 606 may be, for example, a keyboard, mouse, touch screen or microphone; the output unit 607 may be, for example, a display, speaker or indicator light. Through the communication unit 609 the device 600 can exchange information, data and the like with other devices.
It should be noted that the device may also include other components necessary for proper operation, or may include only the components necessary to implement the arrangements of the present application, and not necessarily all the components shown in the drawings.
Various implementations of the systems and techniques described here can be realized in digital electronic circuitry, integrated circuitry, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), application specific standard products (ASSPs), systems on chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof.
Computer instructions for implementing the methods of the present application may be written in any combination of one or more programming languages. These computer instructions may be provided to the computing unit 601, so that when they are executed by the computing unit 601, for example a processor, the steps involved in the method embodiments of the present application are carried out.
The computer-readable storage medium provided by the present application may be a tangible medium that contains or stores computer instructions for performing the steps involved in the method embodiments of the present application. The computer-readable storage medium may include, but is not limited to, storage media of electronic, magnetic, optical, electromagnetic and similar forms.
The above embodiments do not limit the scope of the present application. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present application should be included in the scope of the present application.

Claims (10)

1. A security event collaborative monitoring and early warning method, characterized by comprising the following steps:
acquiring newly added security event features and storing them in a security event feature knowledge base;
based on the newly added security event features, matching whole-network historical data and real-time data according to traffic matching rules to obtain a matching result;
forming an alarm event in a situation awareness platform based on the matching result;
if matching alarm events exist within a preset time range, aggregating the matching alarm events to form an attack chain;
forming a sequence attack chain according to the time order in which the alarm events aggregated in the attack chain were triggered, and storing the sequence attack chain in an attack portrait library;
analysing the sequence attack chain in the attack portrait library, acquiring the sequence attack chain information, and generating a high-risk event notification to the corresponding enterprise involved in the sequence attack chain;
wherein the security event features include, but are not limited to: source IP address, source port, destination IP address, destination port, transport layer protocol, network traffic filtering condition and attack stage label; and the alarm event includes, but is not limited to: alarm trigger time, alarm name, target asset, source IP address, source port, destination IP address, destination port, network protocol, threat level, traffic matching rule id and attack stage label.
2. The security event collaborative monitoring and early warning method according to claim 1, wherein acquiring newly added security event features and storing them in the security event feature knowledge base comprises: acquiring security event features, comparing the acquired security event features with the historical information of the security event feature knowledge base, and obtaining the newly added security event features after de-duplication and aggregation; and storing the newly added security event features so obtained in the security event feature knowledge base.
3. The security event collaborative monitoring and early warning method according to claim 1, wherein matching, based on the newly added security event features, the whole-network historical data and real-time data according to traffic matching rules to obtain a matching result comprises:
based on the newly added security event features, obtaining by matching according to the traffic matching rules the network traffic that carries a threat, and eliminating the normal traffic that hits a traffic matching rule but carries no threat; wherein the traffic matching rules comprise YARA rules formed from the acquired security event features using YARA.
4. The method according to claim 1, wherein, if matching alarm events exist within the preset time range, aggregating the matching alarm events to form an attack chain comprises:
combining and storing the alarm events that trigger the same attack stage within the preset time range;
acquiring the attack stage label of each alarm event;
based on an attack chain model, aggregating the combined and stored alarm events according to the attack stage labels to form an attack chain;
wherein the attack chain model comprises seven stages of reconnaissance, weaponization, delivery, exploitation, trojan installation, connection establishment and attack execution, and the attack stage labels mark the respective stages of the attack chain model.
5. The method according to claim 4, wherein combining and storing the alarm events that trigger the same attack stage within the preset time comprises: acquiring the alarm events that, within the preset time, have the same target asset, triggered alarm rule, source IP address and destination IP address;
and combining and storing the acquired alarm events.
6. The method according to claim 5, wherein forming a sequence attack chain according to the time order in which the alarm events aggregated in the attack chain were triggered and storing the sequence attack chain in the attack portrait library comprises:
acquiring the alarm trigger time of each alarm event aggregated in the attack chain;
ordering the attack chains by the acquired alarm trigger times to form a sequence attack chain;
storing the sequence attack chain in the attack portrait library;
wherein the attack portrait library stores the sequence attack chains formed from different time orders.
7. The security event collaborative monitoring and early warning method according to claim 5, wherein analysing the sequence attack chain in the attack portrait library, extracting the sequence attack chain information, and generating a high-risk event notification to the corresponding enterprise involved in the sequence attack chain comprises: acquiring the source IP addresses and traffic matching rule ids of the several alarm events in the sequence attack chain within the preset time;
attributing each source IP address to a country, and aggregating the sequence attack chains that have the same attributed country and the same traffic matching rule id to form a high-risk event;
notifying the corresponding enterprise of the formed high-risk event through the situation awareness platform;
wherein the high-risk event comprises the event occurrence date, the attack source country, the attack organization, the target industry and the name of the exploited vulnerability.
8. A security event collaborative monitoring and early warning system, characterized in that the system comprises:
an acquisition module for acquiring newly added security event features and storing them in a security event feature knowledge base; a matching module for matching the security event features against whole-network historical data and real-time data according to traffic matching rules to obtain a matching result;
a first processing module for forming an alarm event in a situation awareness platform based on the matching result;
a second processing module for aggregating matching alarm events that exist within a preset time range to form an attack chain;
a third processing module for forming a sequence attack chain according to the time order in which the alarm events aggregated in the attack chain were triggered and storing the sequence attack chain in an attack portrait library;
and a result module for analysing the sequence attack chain in the attack portrait library, acquiring the sequence attack chain information, and generating a high-risk event notification to the corresponding enterprise involved in the attack chain.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
CN202310106409.0A 2023-02-13 2023-02-13 Security event collaborative monitoring and early warning method, system, equipment and medium Pending CN116668054A (en)


Publications (1)

Publication Number Publication Date
CN116668054A true CN116668054A (en) 2023-08-29


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117034210A (en) * 2023-10-08 2023-11-10 深圳安天网络安全技术有限公司 Event image generation method and device, storage medium and electronic equipment
CN117034210B (en) * 2023-10-08 2024-01-26 深圳安天网络安全技术有限公司 Event image generation method and device, storage medium and electronic equipment


Legal Events

Date Code Title Description
PB01 Publication