CN117749443A - Security event processing method and device - Google Patents


Info

Publication number
CN117749443A
Authority
CN
China
Prior art keywords
target
event
category
determining
value
Legal status
Pending
Application number
CN202311668617.6A
Other languages
Chinese (zh)
Inventor
王琪强
邹照旭
邢学锋
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202311668617.6A
Publication of CN117749443A
Legal status: pending

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application discloses a method and a device for processing a security event. The method comprises: obtaining logs from a plurality of network devices and normalizing them into a target-format log, the target-format log comprising at least a target field that indicates the category of the target event; obtaining the target value of the target field and determining the category of the target event from that value; determining a threat score for the target event from multi-dimensional information about the event, the multi-dimensional information comprising at least the category of the target event, and determining the event level of the target event from its threat score, the event level indicating the risk degree of the event; and determining a processing policy for the target event from its category and its event level, and processing the target event according to that policy. The method and device address the technical problem of the low accuracy of existing network security event processing methods.

Description

Security event processing method and device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for processing a security event.
Background
With the increasingly severe network security environment, more and more enterprises are deploying SOAR (Security Orchestration, Automation and Response) systems for security emergency response. Orchestration and automated response raise the speed and efficiency of security event handling and reduce the dependence of event handling and analysis on manual work. As attack techniques keep changing, new kinds of network security events appear constantly and the number of event types keeps growing; enterprises deploy more and more security devices to cope, and devices from different vendors and different technical lineages generate massive numbers of alerts every day, so enterprise network security faces a huge challenge. In the related art, alerts from devices of different technical lineages can only be analyzed manually, but the event types and the event-level criteria that devices of different lineages apply to security events are hard to unify, and the accuracy of the resulting handling of network security events is low.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides a processing method and device of a security event, which are used for at least solving the technical problem of low accuracy of a network security event processing method.
According to an aspect of an embodiment of the present application, there is provided a method for processing a security event, comprising: obtaining logs from a plurality of network devices and normalizing them into a target-format log, the target-format log comprising at least a target field that indicates the category of the target event; obtaining the target value of the target field and determining the category of the target event from that value; determining a threat score for the target event from multi-dimensional information about the event, the multi-dimensional information comprising at least the category of the target event, and determining the event level of the target event from its threat score, the event level indicating the risk degree of the event; and determining a processing policy for the target event from its category and its event level, and processing the target event according to that policy.
Optionally, normalizing the logs of the plurality of network devices to obtain the target-format log comprises: obtaining the key fields contained in the target-format log, the key fields comprising a first field indicating the source address of the target event, a second field indicating the destination address of the target event and a third field indicating the category of the target event, the third field being the target field; extracting the source address, destination address and event category of the target event from the logs of the various network devices and determining the target value from a predetermined mapping between event categories and target values; and filling the source address, the destination address and the target value of the target event into the first, second and third fields respectively to obtain the target-format log.
Optionally, determining the category of the target event from the target value of the target field comprises: when the target value belongs to a preset set, determining that the target event passes verification; and, when the target event passes verification, comparing the target value in turn with the feature values in each feature-value subset and determining the category of the target event from the results of those comparisons.
Optionally, determining the threat score of the target event from its multi-dimensional information comprises: obtaining a threat score for each dimension, the multi-dimensional information comprising at least one of an attack-path dimension, an attack-source dimension, an event-category dimension and an intelligence-reputation dimension, where the attack-path dimension is determined from the source address and destination address of the attack behaviour corresponding to the target event, the attack-source dimension from the source address of that attack behaviour, the event-category dimension from the category of the target event, and the intelligence-reputation dimension from the attack source of that attack behaviour; and taking the sum of the per-dimension threat scores as the threat score of the target event.
Optionally, determining the event level of the target event from its threat score comprises: obtaining the threat-score interval corresponding to each event level, where a first event level corresponds to a first interval, a second event level to a second interval and a third event level to a third interval, the risk levels of the first, second and third event levels increase in that order, the maximum of the first interval is smaller than the minimum of the second interval, and the maximum of the second interval is smaller than the minimum of the third interval; and determining the event level of the target event from the interval in which its threat score lies.
Optionally, determining the processing policy of the target event from its category and event level comprises: obtaining the category and the event level of the target event; and selecting, from a plurality of preset policies, the policy that matches both the category and the event level of the target event.
Optionally, the method further comprises: when the category or the event level of the target event matches none of the plurality of preset policies, creating a new target processing policy from the category and event level of the target event, and adding the target processing policy to the plurality of preset policies.
According to another aspect of the embodiments of the present application, there is also provided a processing apparatus for a security event, comprising: an acquisition module for obtaining logs from a plurality of network devices and normalizing them into a target-format log, the target-format log comprising at least a target field indicating the category of the target event; a classification module for obtaining the target value of the target field and determining the category of the target event from that value; a grading module for determining the threat score of the target event from its multi-dimensional information, which comprises at least the category of the target event, and determining from that threat score the event level of the target event, which indicates the risk degree of the event; and a processing module for determining the processing policy of the target event from its category and event level and processing the target event according to that policy.
According to still another aspect of the embodiments of the present application, there is further provided a nonvolatile storage medium that contains a stored program, where, when the program runs, the device on which the nonvolatile storage medium is located is controlled to execute the security event processing method.
According to still another aspect of the embodiments of the present application, there is further provided a computer device, including a memory and a processor, where the processor is configured to execute a program, and the program executes the method for processing a security event.
In the embodiment of the application, logs of a plurality of network devices are obtained and normalized into a target-format log that comprises at least a target field indicating the category of the target event; the target value of the target field is obtained and the category of the target event is determined from it; the threat score of the target event is determined from its multi-dimensional information, which comprises at least the category of the target event, and the event level, which indicates the risk degree of the event, is determined from that threat score; and the processing policy of the target event is determined from its category and event level, and the target event is processed accordingly. Because the logs of the various network devices are normalized into one target-format log, events from different network devices are identified uniformly and security events are identified accurately, which improves the accuracy of the security event processing method and solves the technical problem of the low accuracy of existing network security event processing methods.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a block diagram of the hardware architecture of a computer terminal (or mobile device) for a method of processing security events according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of processing a security event according to the present application;
FIG. 3 is a flow chart of an alternative event verification method according to the present application;
FIG. 4 is a flow chart of an alternative event classification method according to the present application;
FIG. 5 is a flow chart of an alternative event ranking method according to the present application;
FIG. 6 is an alternative event processing policy matching flow diagram according to the present application;
FIG. 7 is a schematic structural diagram of an alternative security event processing apparatus according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In accordance with embodiments of the present application, there is also provided an embodiment of a method of processing a security event, it being noted that the steps illustrated in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
The method embodiments provided in the embodiments of the present application may be executed in a mobile terminal, a computer terminal, a cloud server, or similar computing devices. Fig. 1 shows a block diagram of a hardware architecture of a computer terminal (or mobile device) for implementing a method of processing a security event. As shown in fig. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, ..., 102n), which may include, but are not limited to, a microprocessor (MCU) or a processing device such as a programmable logic device (FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. In addition, the computer terminal may further include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply, and/or a camera. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 1 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
It should be noted that the one or more processors 102 and/or other data processing circuits described above may be referred to generally herein as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuitry may be a single stand-alone processing module, or incorporated, in whole or in part, into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (for example, selection of the variable-resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the processing method of the security event in the embodiment of the present application, and the processor 102 executes the software programs and modules stored in the memory 104, thereby executing various functional applications and data processing, that is, implementing the processing method of the security event described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module 106 is used to receive or transmit data via a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission module 106 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission module 106 may be a Radio Frequency (RF) module for communicating with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
In accordance with the embodiments of the present application, there is provided an embodiment of a method of processing a security event, it being noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system, such as a set of computer executable instructions, and that although a logical order is illustrated in the flowcharts, in some cases the steps illustrated or described may be performed in an order other than that illustrated herein.
Fig. 2 is a flowchart of a method for processing a security event according to an embodiment of the present application, as shown in fig. 2, the method includes the steps of:
step S202, obtaining logs from a plurality of network devices and normalizing them into a target-format log, the target-format log comprising at least a target field indicating the category of the target event;
step S204, obtaining the target value of the target field, and determining the category of the target event according to the target value of the target field;
step S206, determining threat score values of the target event according to multi-dimensional information of the target event, wherein the multi-dimensional information at least comprises categories of the target event, determining event levels of the target event according to the threat score values of the target event, and the event levels are used for indicating the risk degrees of the event;
step S208, determining a processing strategy of the target event according to the category of the target event and the event level of the target event, and processing the target event according to the processing strategy.
Through the above steps, logs of a plurality of network devices are obtained and normalized into a target-format log that comprises at least a target field indicating the category of the target event; the target value of the target field is obtained and the category of the target event is determined from it; the threat score of the target event is determined from its multi-dimensional information, which comprises at least the category of the target event, and the event level, which indicates the risk degree of the event, is determined from that threat score; and the processing policy of the target event is determined from its category and event level, and the target event is processed accordingly. Because the logs of the various network devices are normalized into one target-format log, events from different network devices are identified uniformly and security events are identified accurately, which improves the accuracy of the security event processing method and solves the technical problem of the low accuracy of existing network security event processing methods.
In step S202, the logs of the various network devices may be obtained through a message queue, syslog (a standard protocol for recording system events and messages), an API (application programming interface), or the like.
In step S204, the event categories may be malicious program events (MI), network attack events (NAI), data attack events (DAI), harmful content events (HCI), facility failure events (FFI), non-compliant operation events (IOI) and so on, and each category contains several sub-categories. The sub-categories of the malicious program event type (MI) are: computer virus (CV), network worm (NW), Trojan horse (TH), botnet (BOT), hybrid attack program (MA), ransomware (RAN), web page embedded with malicious code (MCEWP) and malicious code hosting site (MCHS). The sub-categories of the network attack event type (NAI) are: denial of service (DoS), advanced persistent threat (APT), backdoor exploitation (EoB), vulnerability exploitation (EoV), network scanning and eavesdropping (NSE), interference (INF) and login attempt (LA). The sub-categories of the data attack event type (DAI) are: data tampering (TWD), data counterfeiting (DC), data leakage (DLE), data theft (ToD), data interception (DIN), data loss (DLO), data error (DE) and data blackmail (DB). The sub-categories of the harmful content event type (HCI) are: content endangering national security (ENSC), violent and extremist content (ETC), obscene and pornographic content (PC), false information content (FIC), infringing content (IC), abusive content (AC) and network fraud (NF). The sub-categories of the facility failure event type (FFI) are: technical fault (TF), infrastructure fault (IF), physical damage (PHD) and radiation interference (RI). The sub-categories of the non-compliant operation event type (IOI) are: abuse of authority (AoA), forgery of rights (FoR), denial of action (DoA), malicious operation (MO), misoperation (MISO), breach of personnel availability (BoPA), unauthorized use of resources (UUoR) and breach of copyright (BoC).
The above steps S202 to S208 are described in detail below by specific embodiments.
In step S202, the logs of the multiple network devices are normalized and the target-format log is obtained as follows: obtain the key fields contained in the target-format log, the key fields comprising a first field indicating the source address of the target event, a second field indicating the destination address of the target event and a third field indicating the category of the target event, the third field being the target field; extract the source address, destination address and event category of the target event from the logs of the various network devices, and determine the target value from the predetermined mapping between event categories and target values; and fill the source address, destination address and target value of the target event into the first, second and third fields respectively to obtain the target-format log.
In another alternative, the target format log also includes a fourth field for indicating the event level.
The category of the target event is determined from the target value of the target field as follows: when the target value belongs to a preset set, the target event is determined to pass verification; when the target event passes verification, the target value is compared in turn with the feature values in each feature-value subset, and the category of the target event is determined from the comparison results. Taking the type field as the target field, FIG. 3 shows an event verification method. As shown in FIG. 3, an event is received from the event repository (the target event is obtained from the target-format log and stored in a preset event repository); the target value of the type field of the target event, denoted A, is extracted; whether A belongs to the preset set P is judged; when A belongs to P the target event is determined to pass verification, and when A does not belong to P the target event fails verification and is discarded.
FIG. 4 shows a schematic event classification flow. As shown in FIG. 4, the target value Y of the type field of a verified target event is extracted; Y is matched against the feature values in subset a, and if Y equals one of them the match succeeds and the event is stored in the MI event category; if Y matches no feature value in subset a, it is matched against subset b, and on a match the event is stored in the NAI event category; if Y matches nothing in subset b, it is matched against subset c, and on a match the event is stored in the DAI event category; if Y matches nothing in subset c, it is matched against subset d, and on a match the event is stored in the HCI event category; if Y matches nothing in subset d, it is matched against subset e, and on a match the event is stored in the FFI event category; otherwise the event is stored in the IOI event category.
It will be appreciated that subsets a, b, c, d, e and f correspond to the MI, NAI, DAI, HCI, FFI and IOI event categories respectively.
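The normalization, verification and classification steps above (step S202, FIG. 3 and FIG. 4), as an added Python example that is not part of the patent. The two device log formats, their parsers, the vendor event names and the mapping from those names to sub-category codes are assumptions constructed for this example; the sub-category codes and subsets a to f follow the taxonomy listed in step S204, and the preset set P is assumed to be the codes the mapping can produce plus a few more. An event whose type value is not in P is discarded rather than forced into a category, as FIG. 3 requires.

```python
import ipaddress
import json
import re

# Assumed mapping from vendor-specific event names to the target value (a
# sub-category code); the vendor names are constructed for this example.
EVENT_NAME_TO_CODE = {
    "worm-propagation": "NW",
    "ransomware": "RAN",
    "syn-flood": "DoS",
    "port-scan": "NSE",
    "data-exfil": "DLE",
    "privilege-abuse": "AoA",
}

# Preset set P: the target values that count as verified events (assumption).
PRESET_SET_P = set(EVENT_NAME_TO_CODE.values()) | {"CV", "TH", "APT", "TWD"}

# Feature-value subsets a..f, one per category, tried in this order (FIG. 4);
# the last subset is the fallback for any verified value not matched earlier.
SUBSETS = [
    ("MI",  {"CV", "NW", "TH", "BOT", "MA", "RAN", "MCEWP", "MCHS"}),
    ("NAI", {"DoS", "APT", "EoB", "EoV", "NSE", "INF", "LA"}),
    ("DAI", {"TWD", "DC", "DLE", "ToD", "DIN", "DLO", "DE", "DB"}),
    ("HCI", {"ENSC", "ETC", "PC", "FIC", "IC", "AC", "NF"}),
    ("FFI", {"TF", "IF", "PHD", "RI"}),
    ("IOI", {"AoA", "FoR", "DoA", "MO", "MISO", "BoPA", "UUoR", "BoC"}),
]

_KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs in the constructed syslog line


def parse_firewall_syslog(line):
    """Constructed firewall format: syslog header followed by key=value pairs."""
    kv = dict(_KV_RE.findall(line))
    return kv["src"], kv["dst"], kv["event"]


def parse_edr_json(line):
    """Constructed endpoint-agent format: one JSON object per line."""
    obj = json.loads(line)
    return obj["source_ip"], obj["target_ip"], obj["threat"]


PARSERS = {"firewall": parse_firewall_syslog, "edr": parse_edr_json}


def normalize(device_type, raw_line):
    """Step S202: fill the first, second and third fields (src, dst, type)."""
    src, dst, name = PARSERS[device_type](raw_line)
    ipaddress.ip_address(src)  # reject malformed addresses instead of storing garbage
    ipaddress.ip_address(dst)
    code = EVENT_NAME_TO_CODE.get(name, "UNKNOWN")
    return {"src": src, "dst": dst, "type": code}


def verify(event):
    """FIG. 3: the event passes verification only if its type value A is in P."""
    return event["type"] in PRESET_SET_P


def classify(event):
    """FIG. 4: try subsets a..e in order; subset f (IOI) is the fallback."""
    if not verify(event):
        return None  # discarded
    value = event["type"]
    for category, subset in SUBSETS[:-1]:
        if value in subset:
            return category
    return SUBSETS[-1][0]


# Constructed sample logs from two device types.
SAMPLE_LOGS = [
    ("firewall", "<134>Dec 1 10:00:01 fw01 src=203.0.113.7 dst=10.0.0.5 event=syn-flood"),
    ("edr", '{"source_ip": "10.0.0.9", "target_ip": "10.0.0.5", "threat": "ransomware"}'),
    ("firewall", "<134>Dec 1 10:00:02 fw01 src=10.0.0.5 dst=198.51.100.2 event=data-exfil"),
    ("edr", '{"source_ip": "10.0.0.9", "target_ip": "10.0.0.5", "threat": "heartbeat"}'),
]


def run_pipeline(logs=SAMPLE_LOGS):
    """Normalize, verify and classify each log; returns (event, category or None)."""
    return [(ev, classify(ev)) for ev in (normalize(t, line) for t, line in logs)]


if __name__ == "__main__":
    for ev, cat in run_pipeline():
        print(ev, "->", cat if cat else "discarded")
```

The fourth sample line (an agent heartbeat) has no mapping, so its type becomes UNKNOWN, fails verification against P and is dropped; a real deployment would count such drops, since a vendor renaming an event silently turns real alerts into discards.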
In an alternative, the threat score of the target event is determined as follows: obtain a threat score for each dimension, the multi-dimensional information comprising at least one of an attack-path dimension, an attack-source dimension, an event-category dimension and an intelligence-reputation dimension, where the attack-path dimension is determined from the source address and destination address of the attack behaviour corresponding to the target event, the attack-source dimension from the source address of that attack behaviour, the event-category dimension from the category of the target event, and the intelligence-reputation dimension from the attack source of that attack behaviour; and take the sum of the per-dimension threat scores as the threat score of the target event.
Specifically, the attack-path dimension covers attack behaviour along three paths: the first is an attack by a source outside the preset area on a device inside the preset area, the second an attack by a source inside the preset area on a device outside it, and the third an attack by a source inside the preset area on a device inside it. A threat score is set for each, for example 1, 0.3 and 0.5 respectively.
The attack-source dimension distinguishes an attack source located inside the preset area from one located outside it, with a threat score set for each, for example 1 and 0.5 respectively.
The event-category dimension covers the malicious program event (MI), network attack event (NAI), data attack event (DAI), harmful content event (HCI), facility failure event (FFI) and non-compliant operation event (IOI) categories, with a threat score set for each, for example 0.5, 1, 0.5.
The intelligence reputation dimension includes: the first, second, and third stages, respectively, set threat score values, such as: 1. 0.5 and 0.3.
It should be noted that, the information reputation dimension may be determined according to the type of the attack source, and the type of the attack source may be called out through a preset interface.
The event level of the target event is determined from its threat score value as follows: a threat score value interval is obtained for each event level, where the first event level corresponds to a first interval, the second event level to a second interval and the third event level to a third interval; the event risk level increases from the first event level to the third; the maximum value of the first interval is smaller than the minimum value of the second interval, and the maximum value of the second interval is smaller than the minimum value of the third interval. The event level of the target event is the level whose interval contains the threat score value of the target event.
In a practical application scenario, the first interval may be (1.6, 2), the second interval (2, 3) and the third interval (3, 4).
FIG. 5 illustrates the event grading flow. As shown in FIG. 5: the target event is received; its category is identified; its threat score value is calculated as follows: the original log of the target event is obtained, the attack source is identified from it and the attack source threat score value is calculated; the address of the attacked device is identified; the attack path is confirmed and the attack path threat score value is calculated; the preset interface is called to query the reputation of the attack source and the intelligence reputation threat score value is calculated; the event threat score value is then calculated and the target event level is judged: first event level (low-risk event), second event level (medium-risk event) or third event level (high-risk event).
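The four-dimension scoring and the interval-based grading described above, as an added Python example (not code from the patent): the preset area, the reputation lookup standing in for the preset interface, the per-category score table and the handling of interval boundaries are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Score tables. The path, source and reputation values are the examples given in
# the description; the per-category table is a constructed assumption, since the
# page lists only three example values (0.5, 1, 0.5) for its six categories.
PATH_SCORES = {
    "external_to_internal": 1.0,   # source outside the preset area, device inside
    "internal_to_external": 0.3,   # source inside the preset area, device outside
    "internal_to_internal": 0.5,   # source and device both inside
}
SOURCE_SCORES = {"internal": 1.0, "external": 0.5}
CATEGORY_SCORES = {"MI": 0.5, "NAI": 1.0, "DAI": 0.5, "HCI": 0.5, "FFI": 0.5, "IOI": 0.5}
REPUTATION_SCORES = {1: 1.0, 2: 0.5, 3: 0.3}   # first, second, third stage

# Level intervals from the description: (1.6,2), (2,3), (3,4). The page gives open
# intervals; reading them as [lo, hi) with the top bound inclusive is an assumption
# so that the boundary values 2, 3 and the maximum sum 4 are not left unassigned.
LEVEL_INTERVALS = [(1, 1.6, 2.0), (2, 2.0, 3.0), (3, 3.0, 4.0)]

# Constructed preset area ("inside" networks) for the example.
PRESET_AREA = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed stand-in for the preset intelligence interface: source -> reputation stage.
REPUTATION_LOOKUP = {"203.0.113.10": 1, "198.51.100.7": 2}


def in_preset_area(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRESET_AREA)


def attack_path(src: str, dst: str) -> str:
    """Classify the attack path from the source and destination addresses."""
    src_in, dst_in = in_preset_area(src), in_preset_area(dst)
    if not src_in and dst_in:
        return "external_to_internal"
    if src_in and not dst_in:
        return "internal_to_external"
    if src_in and dst_in:
        return "internal_to_internal"
    # External-to-external is not one of the three paths the description defines.
    raise ValueError(f"unsupported attack path {src} -> {dst}")


def reputation_stage(src: str) -> int:
    """Query the stand-in interface; an unknown source defaults to stage 3 (assumption)."""
    return REPUTATION_LOOKUP.get(src, 3)


def event_level(score: float) -> int:
    """Map a threat score value onto the first, second or third event level."""
    for level, lo, hi in LEVEL_INTERVALS:
        if lo <= score < hi or (level == 3 and score == hi):
            return level
    raise ValueError(f"score {score} lies outside every level interval")


@dataclass
class Scored:
    path: str
    score: float
    level: int


def score_event(category: str, src: str, dst: str) -> Scored:
    """Sum the four dimension scores and grade the total."""
    path = attack_path(src, dst)
    parts = [
        PATH_SCORES[path],
        SOURCE_SCORES["internal" if in_preset_area(src) else "external"],
        CATEGORY_SCORES[category],
        REPUTATION_SCORES[reputation_stage(src)],
    ]
    total = round(sum(parts), 2)   # avoid float noise such as 2.0999999999999996
    return Scored(path, total, event_level(total))


if __name__ == "__main__":
    print(score_event("NAI", "203.0.113.10", "10.0.0.5"))    # Scored(path='external_to_internal', score=3.5, level=3)
    print(score_event("HCI", "10.0.0.7", "198.51.100.7"))    # Scored(path='internal_to_external', score=2.1, level=2)
```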
In some embodiments of the present application, the category of the target event and the event level of the target event are obtained, and a processing strategy matching both is selected from a plurality of preset strategies. When the category or the event level of the target event does not match any of the preset strategies, a target processing strategy is newly created according to the category and the event level of the target event, and the target processing strategy is added to the plurality of preset strategies.
Specifically, the event category of the target event is obtained and matched against the disposal policies defined per event category. If a disposal policy exists for that category, its event levels are matched in turn, and if the event level exists the corresponding playbook is called for disposal. If no policy exists for the event category, no playbook is called; instead a playbook is created and stored in the library. If the category exists but the event level does not, no playbook is called either; a playbook for that event level of that category is created and stored. FIG. 6 shows a schematic diagram of the event policy matching flow.
As shown in FIG. 6, the target event is defined as X, which has two variables, event category and event level. The event category takes one of the values harmful program events (MI), network attack events (NAI), data attack events (DAI), harmful content events (HCI), equipment failure events (FFI) or offending operation events (IOI), denoted m; the event level takes one of the three values first, second or third event level, denoted n; and the event is expressed as X(m, n).
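The two-stage category/level matching of FIG. 6, including the two "no match" branches that create and store a new playbook, as an added Python example (not the patent's own code); the playbook contents, and the choice to give an auto-created playbook only an analyst-review step, are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The event X(m, n): m is the category, n the event level.
CATEGORIES = ("MI", "NAI", "DAI", "HCI", "FFI", "IOI")   # values of m
LEVELS = (1, 2, 3)                                        # values of n


@dataclass
class Playbook:
    category: str
    level: int
    steps: List[str]
    auto_created: bool = False   # True for playbooks created by a "no match" branch


@dataclass
class PolicyLibrary:
    # category -> level -> playbook; a missing category or level is the "no match" case
    books: Dict[str, Dict[int, Playbook]] = field(default_factory=dict)

    def add(self, book: Playbook) -> None:
        self.books.setdefault(book.category, {})[book.level] = book

    def match(self, category: str, level: int) -> Tuple[str, Playbook]:
        """Match X(m, n) against the library.

        Returns (outcome, playbook), where outcome is one of:
          'dispatched'        category and level both matched; the stored playbook is called
          'created_category'  no playbook for the category: one is created and stored, none called
          'created_level'     category known but not this level: a level playbook is created
                              and stored under the category, none called
        """
        if category not in CATEGORIES or level not in LEVELS:
            raise ValueError(f"X({category}, {level}) is not a valid event")
        by_level = self.books.get(category)
        if by_level is None:
            book = self._placeholder(category, level)
            self.add(book)
            return "created_category", book
        book = by_level.get(level)
        if book is None:
            book = self._placeholder(category, level)
            self.add(book)
            return "created_level", book
        return "dispatched", book

    @staticmethod
    def _placeholder(category: str, level: int) -> Playbook:
        # The page says only that a playbook is created and stored. Giving it an
        # analyst-review step instead of automated actions is a constructed assumption,
        # so that an auto-created playbook takes no action before it has been vetted.
        return Playbook(category, level,
                        [f"hold X({category}, {level}) for analyst review", "record disposition"],
                        auto_created=True)


def dispatch(lib: PolicyLibrary, category: str, level: int) -> List[str]:
    """Return the steps to run; empty when the match created a playbook instead of calling one."""
    outcome, book = lib.match(category, level)
    return book.steps if outcome == "dispatched" else []


if __name__ == "__main__":
    lib = PolicyLibrary()
    lib.add(Playbook("NAI", 3, ["isolate attacked host", "block attack source"]))
    print(lib.match("NAI", 3)[0])   # dispatched
    print(lib.match("NAI", 1)[0])   # created_level
    print(lib.match("MI", 2)[0])    # created_category
```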
The security event processing method provided by the embodiments of the present application also applies to the security event processing device provided by the embodiments of the present application, which, as shown in FIG. 7, includes: an acquisition module 70, configured to obtain a plurality of network device logs and normalize them into a target format log, where the target format log includes at least a target field indicating the category of the target event; a classification module 72, configured to obtain the target value of the target field and determine the category of the target event from that target value; a grading module 74, configured to determine a threat score value for the target event from its multidimensional information, which includes at least the category of the target event, and to determine an event level for the target event from the threat score value, the event level indicating the risk degree of the event; and a processing module 76, configured to determine a processing strategy for the target event from its category and event level and to process the target event according to that strategy.
The acquisition module 70 includes a normalization sub-module, configured to obtain the key fields contained in the target format log, namely a first field indicating the source address of the target event, a second field indicating its destination address and a third field indicating its category (the third field being the target field); to extract the source address, destination address and event category of the target event from the various network device logs and determine the target value from a predetermined mapping between event category and target value; and to fill the source address, destination address and target value of the target event into the first, second and third fields in turn to obtain the target format log.
The normalization sub-module includes a classification unit, configured to determine that the target event passes verification when the target value belongs to a preset set of values and, when it does, to compare the target value in turn with the characteristic values in a characteristic value set and determine the category of the target event from the result of those comparisons.
The grading module 74 includes a calculation sub-module, configured to obtain a threat score value for each dimension of the multidimensional information, which includes at least one of an attack path dimension, an attack source dimension, an event category dimension and an intelligence reputation dimension, where the attack path dimension is determined from the source address and destination address of the attack action corresponding to the target event, the attack source dimension from the source address of that attack action, the event category dimension from the category of the target event and the intelligence reputation dimension from the attack source of that attack action; and to take the sum of the threat score values of these dimensions as the threat score value of the target event.
The calculation sub-module includes a grading unit, configured to obtain the threat score value interval corresponding to each event level, where the first event level corresponds to a first interval, the second to a second interval and the third to a third interval, the event risk level increases from the first event level to the third, the maximum value of the first interval is smaller than the minimum value of the second interval and the maximum value of the second interval is smaller than the minimum value of the third interval; and to determine the event level of the target event from the interval in which its threat score value lies.
The processing module 76 includes a matching sub-module, configured to obtain the category and the event level of the target event and to select from a plurality of preset strategies the processing strategy matching both.
The matching sub-module includes a creation unit, configured to create a new target processing strategy from the category and event level of the target event when the category or the event level of the target event does not match any of the plurality of preset strategies, and to add the target processing strategy to the plurality of preset strategies.
According to another aspect of the embodiments of the present application, a non-volatile storage medium is also provided, which includes a stored program; when the program runs, it controls the device in which the non-volatile storage medium is located to perform the security event processing method described above.
According to another aspect of the embodiments of the present application, a computer device is also provided, including a memory and a processor, where the processor is configured to run a program that performs the security event processing method.
The computer device performs the security event processing method by: obtaining various network device logs and normalizing them to obtain a target format log, where the target format log includes at least a target field indicating the category of the target event; obtaining the target value of the target field and determining the category of the target event from it; determining a threat score value for the target event from its multidimensional information, which includes at least the category of the target event, and determining an event level for the target event from the threat score value, the event level indicating the risk degree of the event; and determining a processing strategy for the target event from its category and event level and processing the target event according to that strategy. By normalizing the logs of various network devices into a target format log, different network devices are identified uniformly and security events are identified accurately, which improves the accuracy of the security event processing method and solves the technical problem of the low accuracy of existing network security event processing methods.
The above embodiment numbers of the present application are for description only and do not represent the relative merits of the embodiments.
In the foregoing embodiments of the present application, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units may be a division by logical function, and another division may be used in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate parts may or may not be physically separate, and parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of it, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods of the embodiments of the present application. The storage medium includes a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk or any other medium capable of storing program code.
The foregoing is merely a preferred embodiment of the present application; it should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and these are intended to fall within the scope of protection of the present application.

Claims (10)

1. A method of processing a security event, comprising:
obtaining a plurality of network device logs, and normalizing the plurality of network device logs to obtain a target format log, wherein the target format log includes at least a target field for indicating the category of a target event;
obtaining a target value of the target field, and determining the category of the target event according to the target value of the target field;
determining a threat score value of the target event according to multi-dimensional information of the target event, wherein the multi-dimensional information includes at least the category of the target event, and determining an event level of the target event according to the threat score value of the target event, wherein the event level indicates the risk degree of the event;
and determining a processing strategy of the target event according to the category of the target event and the event level of the target event, and processing the target event according to the processing strategy.
2. The method of claim 1, wherein normalizing the plurality of network device logs to obtain the target format log comprises:
obtaining key fields contained in the target format log, wherein the key fields comprise: a first field for indicating the source address of the target event, a second field for indicating the destination address of the target event, and a third field for indicating the category of the target event, the third field being the target field;
extracting the source address, the destination address and the event category of the target event from the plurality of network device logs, and determining the target value according to a predetermined mapping relation between the event category and the target value;
and filling the source address, the destination address and the target value of the target event into the first field, the second field and the third field in sequence to obtain the target format log.
3. The method of claim 2, wherein determining the category of the target event according to the target value of the target field comprises:
in the case that the target value belongs to a value in a preset set, determining that the target event passes verification;
and in the case that the target event passes verification, comparing the target value in sequence with the characteristic values in a characteristic value set, and determining the category of the target event according to the result of comparing the target value with the characteristic values in the characteristic value set.
4. The method of claim 1, wherein determining the threat score value of the target event according to the multi-dimensional information of the target event comprises:
obtaining a threat score value corresponding to each dimension, wherein the multi-dimensional information comprises at least one of: an attack path dimension, an attack source dimension, an event category dimension and an intelligence reputation dimension, wherein the attack path dimension is determined according to a source address and a destination address of an attack action corresponding to the target event, the attack source dimension is determined according to the source address of the attack action corresponding to the target event, the event category dimension is determined according to the category of the target event, and the intelligence reputation dimension is determined according to the attack source of the attack action corresponding to the target event;
and determining the sum of the threat score values corresponding to the multi-dimensional information as the threat score value of the target event.
5. The method of claim 4, wherein determining the event level of the target event according to the threat score value of the target event comprises:
obtaining a threat score value interval corresponding to each event level, wherein a first event level corresponds to a first interval, a second event level corresponds to a second interval, a third event level corresponds to a third interval, the event risk levels corresponding to the first event level, the second event level and the third event level increase in that order, the maximum value of the first interval is smaller than the minimum value of the second interval, and the maximum value of the second interval is smaller than the minimum value of the third interval;
and determining the event level of the target event according to the threat score value interval in which the threat score value of the target event lies.
6. The method of claim 1, wherein determining the processing strategy of the target event according to the category of the target event and the event level of the target event comprises:
obtaining the category of the target event and the event level of the target event;
and selecting, from a plurality of preset strategies, a processing strategy matching the category of the target event and the event level of the target event.
7. The method of claim 6, further comprising:
in the case that the category of the target event or the event level of the target event does not match the plurality of preset strategies, newly creating a target processing strategy according to the category of the target event and the event level of the target event;
and adding the target processing strategy to the plurality of preset strategies.
8. A security event processing apparatus, comprising:
an acquisition module, configured to obtain a plurality of network device logs and normalize the plurality of network device logs to obtain a target format log, wherein the target format log includes at least a target field for indicating the category of a target event;
a classification module, configured to obtain a target value of the target field and determine the category of the target event according to the target value of the target field;
a grading module, configured to determine a threat score value of the target event according to multi-dimensional information of the target event, wherein the multi-dimensional information includes at least the category of the target event, and to determine an event level of the target event according to the threat score value of the target event, wherein the event level indicates the risk degree of the event;
and a processing module, configured to determine a processing strategy of the target event according to the category of the target event and the event level of the target event, and to process the target event according to the processing strategy.
9. A non-volatile storage medium, characterized in that the non-volatile storage medium comprises a stored program, wherein the program, when run, controls a device in which the non-volatile storage medium is located to perform the security event processing method according to any one of claims 1 to 7.
10. A computer device comprising a memory and a processor, the processor being configured to run a program, wherein the program, when run, performs the security event processing method according to any one of claims 1 to 7.
Application CN202311668617.6A, "Security event processing method and device"; priority date 2023-12-06; filing date 2023-12-06; legal status Pending.
Publication CN117749443A (en), published 2024-03-22.
Family ID 90276932; country: CN.


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination