CN104753861A - Security event handling method and device - Google Patents

Security event handling method and device

Info

Publication number: CN104753861A
Authority: CN (China)
Prior art keywords: event, raw security, attribute, merger, raw
Legal status: Pending
Application number: CN201310740362.XA
Other languages: Chinese (zh)
Inventors: 高胜保, 王荣, 揭凌雁, 张静静, 冯志伟
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd; priority to CN201310740362.XA; published as CN104753861A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a security event handling method and device in the technical field of network security. Raw security events are collected and then merged according to their attribute information and preset merging rules, so that higher-quality security events that better reflect the current security state of the network are formed, the number of security events is greatly reduced, and the security event handling load is lowered.

Description

Security event handling method and apparatus
Technical field
The present invention relates to the technical field of network security, and in particular to a security event handling method and apparatus.
Background technology
With the rapid development of the Internet, network security problems emerge in an endless stream, and the number of security devices and security systems grows exponentially. The large volume of alarm information that these devices produce in real time is mixed with false positives and irrelevant alarms, so the real intrusion intent is buried in a mass of low-quality data. This makes it difficult to analyze and understand the alarm information correctly, and an isolated alarm cannot accurately reflect the current security state of the network.
A processing scheme in which the device simply swallows every alarm not only places a heavy load on the device; how to dispose of the mass of security events also troubles the enterprise administrator. Effectively extracting the network security events the user cares about from the mass data sources of all kinds of security devices and security systems has therefore become a difficult problem in urgent need of a solution.
Summary of the invention
The technical problem solved by an embodiment of the present invention is the effective handling of massive numbers of security events.
According to one aspect of the embodiments of the present invention, a security event handling method is proposed, comprising: collecting raw security events, where the attribute information of a raw security event comprises at least one of the following: event number, event name, event type, event occurrence time, source address, destination address and event level; and merging the raw security events according to their attribute information and preset merging rules.
In one embodiment, after the raw security events are collected, the method further comprises resetting part of the attribute information of the raw security events, where the resettable attributes comprise the event name and the event level.
In one embodiment, merging the raw security events according to their attribute information and the preset merging rules comprises: performing, according to the event occurrence time attribute, fuzzy matching on the event name attribute of raw security events that occur at the same time, to obtain identical or similar raw security events; and merging, according to a preset event suppression rule and the event level attribute, identical or similar raw security events of different priorities into one security event of the higher priority.
In one embodiment, merging the raw security events according to their attribute information and the preset merging rules comprises: finding, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation; and merging, according to a preset event inclusion rule, the at least two raw security events having the inclusion relation into one security event of the larger event type.
In one embodiment, merging the raw security events according to their attribute information and the preset merging rules comprises: finding, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation; and merging, according to a preset event substitution rule, the at least two raw security events having the inclusion relation into one security event of the smaller event type.
In one embodiment, merging the raw security events according to their attribute information and the preset merging rules comprises: finding, according to the source address attribute and the destination address attribute, raw security events with the same event source or the same event target; finding, according to the event name attribute, raw security events that are identical or have an order relation among those with the same event source or the same event target; and merging, according to a preset event sequence correlation rule and the event occurrence time attribute, the identical or order-related raw security events that occur within a certain period into one new security event.
In one embodiment, before the raw security events are merged, the method further comprises filtering the raw security events with a preset matching method according to at least one attribute of the raw security events.
According to another aspect of the embodiments of the present invention, a security event handling device is proposed, comprising: a collecting unit for collecting raw security events, where the attribute information of a raw security event comprises at least one of the following: event number, event name, event type, event occurrence time, source address, destination address and event level; and a merging unit for merging the raw security events collected by the collecting unit according to their attribute information and preset merging rules.
In one embodiment, the device further comprises a setting unit for resetting, after the raw security events are collected, part of their attribute information, where the resettable attributes comprise the event name and the event level.
In one embodiment, the merging unit comprises a suppression sub-unit for: performing, according to the event occurrence time attribute, fuzzy matching on the event name attribute of raw security events that occur at the same time, to obtain identical or similar raw security events; and merging, according to a preset event suppression rule and the event level attribute, identical or similar raw security events of different priorities into one security event of the higher priority.
In one embodiment, the merging unit comprises an inclusion sub-unit for: finding, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation; and merging, according to a preset event inclusion rule, the at least two raw security events having the inclusion relation into one security event of the larger event type.
In one embodiment, the merging unit comprises a substitution sub-unit for: finding, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation; and merging, according to a preset event substitution rule, the at least two raw security events having the inclusion relation into one security event of the smaller event type.
In one embodiment, the merging unit comprises a sequence correlation sub-unit for: finding, according to the source address attribute and the destination address attribute, raw security events with the same event source or the same event target; finding, according to the event name attribute, raw security events that are identical or have an order relation among those with the same event source or the same event target; and merging, according to a preset event sequence correlation rule and the event occurrence time attribute, the identical or order-related raw security events that occur within a certain period into one new security event.
In one embodiment, the device further comprises a filter unit for filtering, before the raw security events are merged, the raw security events with a preset matching method according to at least one attribute of the raw security events.
The present invention has at least the following advantages:
First, by collecting raw security events and merging them according to their attribute information and preset merging rules, higher-quality security events that better reflect the current security situation of the network can be formed, the number of security events can be greatly reduced, and the load of processing security events is lowered.
Moreover, merging strategies such as event suppression, event inclusion, event substitution and event sequence correlation are proposed by way of example; a single merged security event can reflect the meaning represented by many raw security events more truly and accurately, while greatly reducing the number of security events.
Second, filtering the raw security events with a preset matching method according to at least one of their attributes removes redundant data and reduces the workload of subsequent processing.
Third, after the raw security events are collected, part of their attribute information, such as the event name and the event level, can be reset as required, which eliminates differences between event sources and provides unified security support for upper-layer applications.
Further features and advantages of the present invention will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Description of the drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the layered cooperative security event processing architecture of an embodiment of the present invention.
Fig. 2 is a flow diagram of an embodiment of the security event handling method of the present invention.
Fig. 3 is a flow diagram of another embodiment of the security event handling method of the present invention.
Fig. 4 is a flow diagram of yet another embodiment of the security event handling method of the present invention.
Fig. 5 is a structural diagram of an embodiment of the security event handling device of the present invention.
Fig. 6 is a structural diagram of another embodiment of the security event handling device of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present invention or its application or use. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the present invention.
At the same time, it should be understood that, for convenience of description, the sizes of the various parts shown in the drawings are not drawn to actual scale.
Techniques, methods and apparatus known to a person of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the granted specification.
In all examples shown and discussed here, any specific value should be construed as merely exemplary and not as a limitation. Other examples of the exemplary embodiments may therefore have different values.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item has been defined in one drawing, it need not be discussed further in subsequent drawings.
To solve the problem of effectively handling massive numbers of security events, the present invention proposes a security event handling scheme that achieves effective handling of massive security events by methods such as merging and filtering.
Fig. 1 is a schematic diagram of the layered cooperative security event processing architecture of an embodiment of the present invention.
As shown in Fig. 1, the layered cooperative security event processing architecture of this embodiment comprises a resource layer, a standardization layer, a communication layer and a core processing layer. The resource layer collects security event information from objects such as syslog (system log), SNMP TRAP (Simple Network Management Protocol trap), Socket, ODBC/JDBC (Open Database Connectivity / Java Database Connectivity) and consoles. The standardization layer implements distributed collection of raw security events through agent technology, parses the raw security events into a standard form, and applies filtering and merging algorithms to implement the data filtering and merging functions. The communication layer coordinates the information communication of the whole system; for example, parsing scripts are distributed over the web. Agent communication is implemented in Server/Client (client-server, C/S for short) mode. The core processing layer performs upper-layer processing on the standardized security event information, such as correlation analysis, issuing response actions, audit analysis, data retrieval and data tracing.
The resource layer should support the mainstream collection protocols and interface modes, including but not limited to: Syslog, collecting from Unix systems and from firewalls, routers, switches, anti-virus systems and IDS (intrusion detection systems) that support the Syslog protocol; SNMP and SNMP Trap v1, v2 and v3, collecting from firewalls, routers, switches, anti-virus systems, endpoint patch systems, IDS and application systems that support the SNMP protocol; FTP (File Transfer Protocol), collecting the log files of application systems that offer an FTP download service, such as Apache log files; OPSEC (Open Platform for Security), collecting CheckPoint firewall logs; ODBC/JDBC, collecting the logs of application systems stored in relational databases; generic files, supporting file-based log collection, for example obtaining log files via FTP, NFS (Network File System) or SMB (Server Message Block), with the log record format completed by template configuration; dedicated log collection interfaces, for systems that only support a dedicated management interface, supporting several dedicated API collection interfaces and a general collection scheduling capability, for example the API or XML interface files of a vulnerability scanning system, database APIs, Windows WMI, or Lotus Domino systems; and a master agent, responsible for collecting the logs of application systems that do not support public communication protocols or that require special parsing.
Fig. 2 is a flow diagram of an embodiment of the security event handling method of the present invention.
As shown in Fig. 2, the security event handling method of this embodiment comprises the following steps:
Step S201: collecting raw security events, where the attribute information of a raw security event comprises at least one of the following: event number, event name, event type, event occurrence time, source address, destination address and event level.
It should be noted that the attribute information of a raw security event is not limited to the items listed above and may include other attributes, for example the device type and the collector number.
Raw security events may come from network hosts, network security devices (such as firewalls, intrusion detection systems IDS, intrusion prevention systems IPS, etc.), network transmission devices (such as routers, switches, etc.) and so on, but are not limited to these, and they will not be enumerated here.
Step S202: merging the raw security events according to their attribute information and preset merging rules.
Because the raw security events are collected from many kinds of devices, their attributes are not uniform: for example, each kind of device has its own naming convention and the event levels are inconsistent. Therefore, as shown in Fig. 3, in one embodiment, after the raw security events are collected in step S201, the security event handling method further comprises:
Step S303: resetting part of the attribute information of the raw security events, where the resettable attributes comprise the event name, the event level and so on; this eliminates differences between event sources and provides unified security support for upper-layer applications.
For step S202, merging strategies such as event suppression, event inclusion, event substitution and event sequence correlation are proposed by way of example; a single merged security event can reflect the meaning represented by many raw security events more truly and accurately, while greatly reducing the number of security events. Examples of the merging strategies are described below in turn.
Merging in step S202 with the event suppression rule proceeds as follows:
According to the event occurrence time attribute, fuzzy matching is performed on the event name attribute of raw security events that occur at the same time, yielding identical or similar raw security events; then, according to the preset event suppression rule and the event level attribute, identical or similar raw security events of different priorities are merged into one security event of the higher priority.
When merging with the event suppression strategy, if identical or similar raw security events 1 and 2 occur at the same time, the merge result is mapped to the high-priority security event 1 and the low-priority security event 2 is eliminated, which completes the suppression. For example, if an SQL Injection - Exploit event and an SQL Injection - Exploit IV event occur at the same time, where IV denotes the depth of the injection, then because the alarm priority of the SQL Injection - Exploit IV event is higher, merging with the event suppression rule yields a single SQL Injection - Exploit IV security event alarm.
Merging in step S202 with the event inclusion rule proceeds as follows:
At least two raw security events that occur at the same time and have an inclusion relation are found according to the event type attribute and the event occurrence time attribute; then, according to the preset event inclusion rule, the raw security events having the inclusion relation are merged into one security event of the larger event type. The event types that have an inclusion relation can be preset; for example, a web injection event can be preset to include SQL injection events and cookie injection events.
When merging with the event inclusion rule, if event 2 includes event 1 and event 1 and event 2 occur at the same time, event 1 and event 2 are mapped to event 2, which completes the inclusion. For example, if event 1 is an SQL injection event and event 2 is a web injection event, and the SQL injection event and the web injection event occur at the same time, the event inclusion rule merges them into a web injection event.
Merging in step S202 with the event substitution rule proceeds as follows:
At least two raw security events that occur at the same time and have an inclusion relation are found according to the event type attribute and the event occurrence time attribute; then, according to the preset event substitution rule, the raw security events having the inclusion relation are merged into one security event of the smaller event type.
When merging with the event substitution rule, if event 1 includes event 2 and event 1 and event 2 occur at the same time, event 1 and event 2 are mapped to event 2, which completes the substitution. For example, if event 1 is a network attack alarm event and event 2 is a DDOS attack alarm event, and the two occur at the same time, the event substitution rule merges them into a DDOS attack alarm event.
Merging in step S202 with the event sequence correlation rule proceeds as follows:
Raw security events with the same event source or the same event target are found according to the source address attribute and the destination address attribute; among them, raw security events that are identical or have an order relation are found according to the event name attribute; then, according to the preset event sequence correlation rule and the event occurrence time attribute, the identical or order-related raw security events that occur within a certain period are merged into one new security event.
When merging with the event sequence correlation rule, if event 1 and event 2 occur one after the other, the correlated events 1 and 2 can be mapped to event 3, which completes the correlation of the alarm order relation. For example, if within a certain period event 1 is a continuous device login failure event and event 2 is a device login success event, and the two have an order relation, the event sequence correlation rule can merge them into event 3, a device subjected to brute-force cracking event. As another example, a hacker first performs SQL injection attacks from a web page, continuously producing events named SQL Injection, CRLF Injection and so on; after obtaining a webshell, the hacker performs command execution, producing an OS Command Execution Unix event, and then attempts privilege escalation, producing events such as Attempt to Read Password File and Microsoft IIS hit-highlighting Remote Security Bypass. Throughout this series of events (71 raw events in total) the attack source address and the attack target address remain unchanged, so the 71 raw events are merged according to source address and destination address into a single hacker attack event.
In addition, a merge time can be set, that is, a time window for merging events, which specifies how often a merge is performed; for example, the many DDOS attack events with the same source and destination that keep arriving for 10 minutes are merged within that window.
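The four merging strategies of step S202 (suppression, inclusion, substitution and sequence correlation) together with the merge time window, as an added example in Python that is not part of the patent or of any China Telecom implementation. The Event fields follow the attribute list of step S201; the rule tables INCLUDES, REPLACES and SEQUENCES, the difflib similarity threshold, the time windows and the sample events are constructed assumptions.

```python
"""Added example (not from the patent): the four merging strategies of step S202
over constructed sample events. Rule tables, thresholds, windows and sample
events are assumptions, not values taken from the patent."""
from collections import defaultdict
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Event:
    number: int   # event number
    name: str     # event name
    etype: str    # event type
    time: int     # occurrence time in seconds (constructed)
    src: str      # source address
    dst: str      # destination address
    level: int    # event level; higher means higher priority


# Constructed rule tables (assumed; a real system would load them from configuration).
INCLUDES = {"web_injection": {"sql_injection", "cookie_injection"}}     # inclusion rule
REPLACES = {"network_attack": {"ddos"}}                                  # substitution rule
SEQUENCES = {("login_failure", "login_success"): "brute_force_success"}  # sequence rule


def same_window(a, b, window):
    """Events count as 'occurring at the same time' when their times lie within the window."""
    return abs(a.time - b.time) <= window


def names_similar(a, b, threshold=0.8):
    """Fuzzy match on the event name attribute (difflib ratio; threshold is assumed)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold


def suppress(events, window=60):
    """Event suppression: among simultaneous events with the same or a similar name,
    keep only the one with the highest level."""
    kept = []
    for ev in sorted(events, key=lambda e: -e.level):   # highest priority first
        if not any(same_window(ev, k, window) and names_similar(ev.name, k.name)
                   for k in kept):
            kept.append(ev)
    return kept


def _drop_if(events, window, dropped_by):
    """Drop an event when a simultaneous event satisfying dropped_by(ev, other) exists."""
    return [ev for ev in events
            if not any(other is not ev and same_window(ev, other, window)
                       and dropped_by(ev, other) for other in events)]


def include(events, window=60):
    """Event inclusion: the smaller type is absorbed into the larger type that includes it."""
    return _drop_if(events, window,
                    lambda ev, other: ev.etype in INCLUDES.get(other.etype, ()))


def substitute(events, window=60):
    """Event substitution: the general type is replaced by the specific type it contains."""
    return _drop_if(events, window,
                    lambda ev, other: other.etype in REPLACES.get(ev.etype, ()))


def correlate_sequence(events, window=600):
    """Event sequence correlation: within one (src, dst) pair, an ordered pair of event
    types listed in SEQUENCES that occurs inside the window becomes one new event."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev.src, ev.dst)].append(ev)
    merged = []
    for (src, dst), group in by_pair.items():
        group.sort(key=lambda e: e.time)
        consumed = set()
        for i, first in enumerate(group):
            for second in group[i + 1:]:
                if second.time - first.time > window:
                    break                                    # outside the merge window
                new_type = SEQUENCES.get((first.etype, second.etype))
                if new_type and not {first.number, second.number} & consumed:
                    consumed.update({first.number, second.number})
                    merged.append(Event(first.number, new_type, new_type, second.time,
                                        src, dst, max(first.level, second.level)))
                    break
        merged.extend(e for e in group if e.number not in consumed)
    return merged


def merge_all(events, window=60, seq_window=600):
    """Apply the strategies in order: suppression, inclusion, substitution, sequence correlation."""
    return correlate_sequence(
        substitute(include(suppress(events, window), window), window), seq_window)


# Constructed raw events (RFC 5737 test addresses): a suppression pair, an inclusion pair,
# a substitution pair and a login-failure / login-success sequence.
RAW_EVENTS = [
    Event(1, "SQL Injection - Exploit",    "sql_injection",  100, "198.51.100.5", "203.0.113.9", 3),
    Event(2, "SQL Injection - Exploit IV", "sql_injection",  101, "198.51.100.5", "203.0.113.9", 5),
    Event(3, "Web Injection",              "web_injection",  102, "198.51.100.5", "203.0.113.9", 4),
    Event(4, "Network Attack",             "network_attack", 200, "198.51.100.7", "203.0.113.9", 2),
    Event(5, "DDoS Flood",                 "ddos",           201, "198.51.100.7", "203.0.113.9", 4),
    Event(6, "Login Failure",              "login_failure",  300, "198.51.100.8", "203.0.113.9", 1),
    Event(7, "Login Success",              "login_success",  320, "198.51.100.8", "203.0.113.9", 1),
]

if __name__ == "__main__":
    for ev in merge_all(RAW_EVENTS):
        print(ev.number, ev.etype, ev.level)
```

On the seven constructed events the pipeline leaves three: the SQL Injection - Exploit event is suppressed by its higher-level Exploit IV sibling, which is then absorbed into the Web Injection event; the Network Attack alarm is replaced by the DDoS alarm; and the login failure followed by a login success from the same source to the same target becomes one brute_force_success event. The `consumed` set prevents one raw event from contributing to two correlated events, and the separate `seq_window` parameter is where the 10-minute merge time from the text would be configured.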
In one embodiment, as shown in Fig. 4, before the raw security events are merged, the security event handling method further comprises:
Step S404: filtering the raw security events with a preset matching method according to at least one attribute of the raw security events.
In one embodiment, fuzzy matching (contains, equals) can be applied to attributes such as the event name and the event type; address matching (equals) can be applied to attributes such as the source address and the destination address; and numeric matching (contains, equals, greater than, less than) can be applied to attributes such as the source port, the destination port and the event occurrence time.
With the filtering method of this embodiment, repeated redundant security events can be filtered out; for example, among events whose event name, event type, event occurrence time, source address, destination address and event level are all identical, the redundant ones are dropped and only one security event is retained.
As another example, the system receives massive numbers of raw security events from a large number of devices every day. If the uplink of a core router suddenly becomes congested and the network is suspected of being under DDOS attack, all DDOS attack events can first be obtained by fuzzy-matching raw events whose security event name contains the keyword "DDOS"; then, using the IP address range that the core router advertises externally as the destination address range, address matching is applied to find which IP addresses behind the router are being attacked, which provides a basis for subsequent analysis.
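The pre-merge filter of step S404, as an added Python example that is not part of the patent or of any China Telecom implementation: the three matching modes of the text (fuzzy, address, numeric) as composable predicates, the exact-duplicate removal, and the DDOS-behind-a-router query from the paragraph above. The dictionary field names, the sample events and the router's address range are constructed assumptions, and reading the patent's numeric "contains" as range containment is also an assumption.

```python
"""Added example (not from the patent): the pre-merge filter of step S404 as small
composable predicates plus removal of exact duplicates. Sample events, field names
and the address range are constructed assumptions."""
import ipaddress

# Constructed raw events keyed by the step S201 attributes plus a destination port.
RAW_EVENTS = [
    {"number": 1, "name": "DDOS SYN Flood", "type": "ddos",  "time": 1000,
     "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80, "level": 4},
    {"number": 2, "name": "DDOS SYN Flood", "type": "ddos",  "time": 1000,
     "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80, "level": 4},  # repeat of 1
    {"number": 3, "name": "DDOS UDP Flood", "type": "ddos",  "time": 1005,
     "src": "198.51.100.9", "dst": "192.0.2.5",    "dport": 53, "level": 4},
    {"number": 4, "name": "Port Scan",      "type": "recon", "time": 1010,
     "src": "198.51.100.9", "dst": "203.0.113.11", "dport": 22, "level": 2},
]


def fuzzy(field, op, value):
    """Fuzzy match for string attributes (event name, event type):
    'contains' or 'equals', case-insensitive."""
    value = value.lower()

    def pred(ev):
        text = str(ev.get(field, "")).lower()
        return value in text if op == "contains" else text == value
    return pred


def address(field, target):
    """Address match for source/destination address: equal to a single address,
    or inside a CIDR range such as the router's externally advertised range."""
    net = ipaddress.ip_network(target, strict=False)
    return lambda ev: ipaddress.ip_address(ev[field]) in net


def numeric(field, op, value):
    """Numeric match for ports and occurrence time. The patent's 'contains' is read
    here as range containment with value=(low, high), inclusive (an assumption)."""
    ops = {
        "equals": lambda x: x == value,
        "greater": lambda x: x > value,
        "less": lambda x: x < value,
        "contains": lambda x: value[0] <= x <= value[1],
    }
    return lambda ev: ops[op](ev[field])


def apply_filters(events, *preds):
    """Keep only the events that satisfy every predicate."""
    return [ev for ev in events if all(p(ev) for p in preds)]


# Attributes that must all be identical for two events to count as a repeat (per the text).
DEDUP_KEYS = ("name", "type", "time", "src", "dst", "level")


def dedup(events):
    """Collapse events identical in every DEDUP_KEYS attribute to their first occurrence."""
    seen, out = set(), []
    for ev in events:
        key = tuple(ev[k] for k in DEDUP_KEYS)
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out


def ddos_behind_router(events, router_range):
    """The text's example: keyword-match DDOS events, then keep those whose destination
    lies in the router's advertised address range."""
    return apply_filters(dedup(events),
                         fuzzy("name", "contains", "ddos"),
                         address("dst", router_range))


if __name__ == "__main__":
    for ev in ddos_behind_router(RAW_EVENTS, "203.0.113.0/24"):
        print(ev["number"], ev["name"], ev["dst"])
```

Predicates are plain callables, so a filter configuration is just a list of them; running `dedup` before the attribute filters matches the order in the text, where repeats are removed before the keyword and address matching narrows the set to the router's address range.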
The security event handling method of this embodiment greatly reduces the number of security events through merging and filtering. For example, a certain system collected more than 400,000 security events, about 300M of data; after filtering this was reduced to 20M, and after merging about 20,000 events remained.
Fig. 5 is a structural diagram of an embodiment of the security event handling device of the present invention.
As shown in Fig. 5, the security event handling device 50 of this embodiment comprises:
a collecting unit 51 for collecting raw security events, where the attribute information of a raw security event comprises at least one of the following: event number, event name, event type, event occurrence time, source address, destination address and event level;
a merging unit 52 for merging the raw security events collected by the collecting unit according to their attribute information and preset merging rules.
In one embodiment, as shown in Fig. 6, the device further comprises a setting unit 63 for resetting, after the raw security events are collected, part of their attribute information, where the resettable attributes comprise the event name and the event level.
In one embodiment, as shown in Fig. 6, the merging unit 52 comprises a suppression sub-unit 521 for: performing, according to the event occurrence time attribute, fuzzy matching on the event name attribute of raw security events that occur at the same time, to obtain identical or similar raw security events; and merging, according to a preset event suppression rule and the event level attribute, identical or similar raw security events of different priorities into one security event of the higher priority.
In one embodiment, as shown in Fig. 6, the merging unit 52 comprises an inclusion sub-unit 522 for: finding, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation; and merging, according to a preset event inclusion rule, the at least two raw security events having the inclusion relation into one security event of the larger event type.
In one embodiment, as shown in Fig. 6, the merging unit 52 comprises a substitution sub-unit 523 for: finding, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation; and merging, according to a preset event substitution rule, the at least two raw security events having the inclusion relation into one security event of the smaller event type.
In one embodiment, as shown in Fig. 6, the merging unit 52 comprises a sequence correlation sub-unit 524 for: finding, according to the source address attribute and the destination address attribute, raw security events with the same event source or the same event target; finding, according to the event name attribute, raw security events that are identical or have an order relation among those with the same event source or the same event target; and merging, according to a preset event sequence correlation rule and the event occurrence time attribute, the identical or order-related raw security events that occur within a certain period into one new security event.
In one embodiment, as shown in Fig. 6, the security event handling device 50 further comprises a filter unit 64 for filtering, before the raw security events are merged, the raw security events with a preset matching method according to at least one attribute of the raw security events.
The security event handling method and apparatus provided by the present invention have at least the following advantages:
First, by collecting raw security events and merging them according to their attribute information and preset merging rules, higher-quality security events that better reflect the current security situation of the network can be formed, the number of security events can be greatly reduced, and the load of processing security events is lowered.
Moreover, merging strategies such as event suppression, event inclusion, event substitution and event sequence correlation are proposed by way of example; a single merged security event can reflect the meaning represented by many raw security events more truly and accurately, while greatly reducing the number of security events.
Second, filtering the raw security events with a preset matching method according to at least one of their attributes removes redundant data and reduces the workload of subsequent processing.
Third, after the raw security events are collected, part of their attribute information, such as the event name and the event level, can be reset as required, which eliminates differences between event sources and provides unified security support for upper-layer applications.
A person of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments can be implemented by hardware, or by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc.
The foregoing is merely the preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its protection scope.

Claims (14)

1. A security event handling method, comprising:
collecting raw security events, wherein the attribute information of a raw security event comprises at least one of the following: event number, event name, event type, event occurrence time, source address, destination address and event level;
merging the raw security events according to their attribute information and a preset merging rule.
2. The method according to claim 1, characterized in that, after the raw security events are collected, the method further comprises:
resetting part of the attribute information of the raw security events, wherein the resettable attribute information comprises: event name and event level.
3. The method according to claim 1 or 2, characterized in that merging the raw security events according to their attribute information and the preset merging rule comprises:
performing, according to the event occurrence time attribute, fuzzy matching on the event name attribute of raw security events that occur at the same time, to obtain identical or similar raw security events;
merging, according to a preset event suppression rule and the event level attribute, identical or similar raw security events of different priorities into one security event of higher priority.
4. The method according to claim 1 or 2, characterized in that merging the raw security events according to their attribute information and the preset merging rule comprises:
finding, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation;
merging, according to a preset event inclusion rule, the at least two raw security events having the inclusion relation into one security event of the larger event type.
5. The method according to claim 1 or 2, characterized in that merging the raw security events according to their attribute information and the preset merging rule comprises:
finding, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation;
merging, according to a preset event replacement rule, the at least two raw security events having the inclusion relation into one security event of the smaller event type.
6. The method according to claim 1 or 2, characterized in that merging the raw security events according to their attribute information and the preset merging rule comprises:
finding, according to the source address attribute and the destination address attribute, raw security events that have the same event source or the same event target;
finding, according to the event name attribute, identical raw security events or raw security events having a sequential relation among the raw security events that have the same event source or event target;
merging, according to a preset event sequence association rule and the event occurrence time attribute, the identical raw security events or the raw security events having a sequential relation that occur within a certain time period into one new security event.
7. The method according to claim 1 or 2, characterized in that, before the raw security events are merged, the method further comprises: filtering the raw security events by a preset matching method according to at least one of their attributes.
8. A security event handling device, comprising:
a collecting unit, configured to collect raw security events, wherein the attribute information of a raw security event comprises at least one of the following: event number, event name, event type, event occurrence time, source address, destination address and event level;
a merging unit, configured to merge the raw security events collected by the collecting unit according to their attribute information and a preset merging rule.
9. The device according to claim 8, characterized in that the device further comprises:
a setting unit, configured to reset part of the attribute information of the raw security events after they are collected, wherein the resettable attribute information comprises: event name and event level.
10. The device according to claim 8 or 9, characterized in that the merging unit comprises a suppression subunit, configured to:
perform, according to the event occurrence time attribute, fuzzy matching on the event name attribute of raw security events that occur at the same time, to obtain identical or similar raw security events;
merge, according to a preset event suppression rule and the event level attribute, identical or similar raw security events of different priorities into one security event of higher priority.
11. The device according to claim 8 or 9, characterized in that the merging unit comprises an inclusion subunit, configured to:
find, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation;
merge, according to a preset event inclusion rule, the at least two raw security events having the inclusion relation into one security event of the larger event type.
12. The device according to claim 8 or 9, characterized in that the merging unit comprises a replacement subunit, configured to:
find, according to the event type attribute and the event occurrence time attribute, at least two raw security events that occur at the same time and have an inclusion relation;
merge, according to a preset event replacement rule, the at least two raw security events having the inclusion relation into one security event of the smaller event type.
13. The device according to claim 8 or 9, characterized in that the merging unit comprises a sequence association subunit, configured to:
find, according to the source address attribute and the destination address attribute, raw security events that have the same event source or the same event target;
find, according to the event name attribute, identical raw security events or raw security events having a sequential relation among the raw security events that have the same event source or event target;
merge, according to a preset event sequence association rule and the event occurrence time attribute, the identical raw security events or the raw security events having a sequential relation that occur within a certain time period into one new security event.
14. The device according to claim 8 or 9, characterized in that the device further comprises: a filtering unit, configured to filter the raw security events by a preset matching method according to at least one of their attributes before they are merged.
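The merging rules of claims 3 to 5 (event suppression, rendered "event compacting" above; event inclusion; event replacement), as an added example that is not part of the patent: a Python pass that folds raw events occurring within one window into a single surviving event. The Event fields, the 60-second window, the 0.8 fuzzy-match threshold, the CONTAINS type hierarchy and the sample events are all constructed assumptions; the sequence association rule of claim 6 is not covered.

```python
import copy
from dataclasses import dataclass, field
from difflib import SequenceMatcher

@dataclass
class Event:                      # attributes from claim 1 (src/dst omitted here)
    number: int
    name: str
    etype: str
    time: int                     # occurrence time in seconds (constructed clock)
    level: int                    # higher value = higher priority
    merged: list = field(default_factory=list)  # numbers of raw events folded in
# Assumed type hierarchy (not from the page): the key type "contains" the set.
CONTAINS = {"portscan": {"synprobe"}}
def similar(a, b, threshold=0.8):  # fuzzy name match; the threshold is assumed
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold
def merge(events, rule, window=60):
    """rule(kept, ev) names the survivor of a same-window pair (None if unrelated)."""
    out = []
    for ev in sorted(events, key=lambda e: e.time):
        for i, kept in enumerate(out):
            winner = rule(kept, ev) if abs(kept.time - ev.time) <= window else None
            if winner is not None:
                loser = ev if winner is kept else kept
                winner.merged += [loser.number] + loser.merged
                out[i] = winner
                break
        else:
            out.append(ev)
    return out
def suppress_rule(kept, ev):        # claim 3: similar names, keep the highest level
    if not similar(kept.name, ev.name):
        return None
    kept.level = max(kept.level, ev.level)
    return kept
def inclusion_rule(kept, ev):       # claim 4: keep the larger (containing) type
    if ev.etype in CONTAINS.get(kept.etype, ()):
        return kept
    return ev if kept.etype in CONTAINS.get(ev.etype, ()) else None
def replacement_rule(kept, ev):     # claim 5: keep the smaller (contained) type
    parent = inclusion_rule(kept, ev)
    return None if parent is None else (ev if parent is kept else kept)
def pipeline(events, type_rule=inclusion_rule):  # input list is left untouched
    return merge(merge(copy.deepcopy(events), suppress_rule), type_rule)
# Constructed raw events: near-duplicate SSH alerts, then a scan and its probe.
RAW = [Event(1, "SSH brute force", "bruteforce", 100, 2),
       Event(2, "SSH Brute-Force", "bruteforce", 130, 3),
       Event(3, "ssh brute force", "bruteforce", 150, 2),
       Event(4, "TCP port scan", "portscan", 200, 1),
       Event(5, "SYN probe", "synprobe", 210, 1)]
```

Running pipeline(RAW) leaves two events: the SSH alert at level 3 carrying raw events 2 and 3, and the port scan carrying the probe; pipeline(RAW, replacement_rule) keeps the probe instead of the scan.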
CN201310740362.XA 2013-12-27 2013-12-27 Security event handling method and device Pending CN104753861A (en)


Publications (1)

Publication Number Publication Date
CN104753861A true CN104753861A (en) 2015-07-01



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
EXSB Decision made by sipo to initiate substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150701