CN105100122A - Threat detection and alert method and system based on big data analysis - Google Patents

Threat detection and alert method and system based on big data analysis

Info

Publication number
CN105100122A
Authority
CN (China)
Prior art keywords
scene, alarm, attack, data analysis, threat detection
Legal status
Pending (the legal status is an assumption and is not a legal conclusion)
Application number
CN201510565278.8A
Other languages
Chinese (zh)
Inventor
凌飞
李木金
Current assignee
Nanjing Liancheng Technology Development Co Ltd
Original assignee
Nanjing Liancheng Technology Development Co Ltd
Priority date
2015-09-08
Filing date
2015-09-08
Publication date
2015-11-25
Application filed by Nanjing Liancheng Technology Development Co Ltd
Priority to CN201510565278.8A
Publication of CN105100122A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a threat detection and alert method and system based on big data analysis. The system comprises an alert aggregation component, an episode extraction component, a learning and detection component, a prediction component and a new attack strategy mining component. The method and system adopt big data technology to predict and give early warning of network attacks on government and enterprise information systems in real time. On one hand this largely makes up for the shortcomings of existing information security alert analysis techniques; on the other hand, false alerts generated by information security equipment such as intrusion detection systems can be identified and unknown malicious attacks can be analysed, so that the accuracy and credibility of alerts are improved and the security risks of information systems can be perceived.

Description

Threat detection and early warning method and system based on big data analysis
Technical field
The present invention relates to the fields of information security technology and big data technology, and more particularly to a method and system for threat detection and early warning in information systems.
Background technology
The English abbreviations used in the present invention are as follows (the machine translation renders "episode" as "scene" in the figures and claims):
IDS: Intrusion Detection Systems
CIDS: Cooperative Intrusion Detection Systems
EWS: Early Warning Systems
CCM: Causal Correlation Matrix
DAG: Directed Acyclic Graph
CE: Critical Episodes
BE: Benign Episode
With the continuous progress of technology and the online operation of all kinds of IT services, massive amounts of data are generated. The major challenge in this area is to provide network protection against the full spectrum of threats. Many techniques have been proposed so far to deal with these threats, all sharing the common goal of preventing attackers from disrupting the normal operation of IT business.
Today, the use of IDS greatly increases the security of government and enterprise computer systems. The main purpose of an intrusion detection system is to detect and identify attacks and security problems already present in a computer system or network, and to report them to the system administrator. Protecting against attacks and intrusions in advance is therefore not the responsibility of an IDS (that is, an IDS has no early warning function), although it plays an undeniably important role in hardening computer systems and networks.
However, intrusion detection systems have defects of their own: a high false alarm rate, inefficiency in real-time applications, and helplessness and inefficiency when faced with unknown attacks.
Although intrusion detection systems have the problems listed above, researchers believe that cooperation among IDSs in a distributed environment can overcome them; this gave rise to cooperative intrusion detection systems (CIDS). Detecting threats to government and enterprise information systems from every direction, however, calls for a new era of early warning systems (EWS).
An early warning system can detect unknown threats, and this detection is based on early-stage events. An EWS complements an IDS; it is also a passive approach to dealing with various security threats: it detects potential system behaviour at an early stage, evaluates the scope of that behaviour, and finally takes an appropriate response to the detected security incident.
Another function of an EWS is its application to government and enterprise information systems. An EWS designed for this purpose aims to detect security incidents early and to predict security threats to the information system. The EWS receives the security events and alarms reported by various security devices, analyses the collected alarms, and generates early warnings and alarm reports in real time.
The core component of an EWS is its alarm correlation analysis engine. Alarm correlation analysis is the process of understanding an intrusion by analysing alarms. By processing the alarms produced by security devices and finding the logical relations between them, the alarm correlation engine creates higher-level alarms for the system administrator. This patent presents a very effective alarm correlation algorithm. The algorithm detects attack scenarios, shows the next action of an attack in progress, and produces early warnings. The alarm correlation framework provided by this patent has two operating modes, offline and online, and uses a hybrid method of statistics and stream mining. The knowledge provided by the offline mode allows the online mode to predict the next action of an attack in progress in real time.
At present, existing alarm correlation techniques mainly adopt rule-based models. Such a technique extracts the various features of network attacks to form an attack feature description library and, based on that library, builds an automaton model of the whole course of a network attack from beginning to end, from which correlation rules are derived and applied to information security detection. Rule-based correlation, however, relies mainly on state machines. This "state machine" style of correlation has very strong real-time and ordering requirements: it must be consistent with the real order in which events occur, so the timing requirements on trigger events are very high. In a complex network environment, network transmission delays and front-end processing delays can reverse the order in which security events enter the engine, causing the state machine to fail to trigger and the correlation engine to produce false positives or false negatives. The accuracy of existing rule-based correlation techniques is therefore defective, and it is difficult for them to meet the correlation demands of the large data volumes found in environments such as an information security operation and maintenance management cloud platform.
For this reason, how to solve the problems faced by security event correlation analysis in an information security operation and maintenance management cloud platform environment, and how to design an automatic security event correlation scheme based on such a platform, has become an important topic that the design of information security operation and maintenance management platforms in particular must address.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a threat detection and early warning method and system that adopts big data technology to give early warning of the network attacks suffered.
To achieve the above object, the technical scheme of the present invention is realised as follows:
The invention provides a threat detection and early warning method and system based on big data analysis, comprising: an alert aggregation component, an episode extraction component, a learning and detection component, a prediction component, and a new attack strategy mining component.
In this scheme, the alert aggregation component aggregates the alarms reported by information security devices and generates super alarms (also called aggregated alarms).
In this scheme, the episodes extracted by the episode extraction component include at least critical episodes and benign episodes.
In this scheme, the learning and detection component comprises an offline mode and an online mode, and at least the processes of building the attack tree and updating the CCM.
In this scheme, the prediction component uses the attack tree to predict, according to the next action, the probability of the next attack step.
In this scheme, the new attack strategy mining component identifies whether an episode is a false positive produced by a security device or a new malicious attack.
The method and system provided by the present invention can detect false positives and malicious attacks in the alarm sequences produced by security devices and give early warning in real time, greatly reducing the impact suffered by the IT business of government and enterprises.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of episode extraction using episode windows according to the present invention;
Fig. 2 is the alarm correlation framework of the present invention;
Fig. 3 is an example of a serial episode of the present invention;
Fig. 4 shows a sub-episode e1 of the serial episode e2 of the present invention;
Fig. 5 is an example of an alarm sequence of the present invention (within one episode window);
Fig. 6 is the CCM-based episode classification of the present invention;
Fig. 7 shows the offline mode (a) and the online mode (b) of the learning and detection component of the present invention;
Fig. 8 is an example of an attack tree of the present invention: (a) the critical episodes e1, e2, e3 and e4; (b) e2 (which contains e1) inserted into the attack tree; (c) e2, e3 and e4 all inserted into the attack tree.
Fig. 9 is an example of an attack tree of the present invention: (a) the offline attack tree; (b) episode <A> inserted; (c) episodes <A> and <A, D> inserted; (d) episodes <A>, <A, D> and <A, D, F> inserted.
Embodiment
The present invention is further described below with reference to the accompanying drawings and examples:
Many methods exist for alarm correlation analysis, but each of them has many defects. The method provided by this patent is a real-time algorithm that is very well suited to alarm correlation analysis in an EWS.
The alarm correlation framework provided by this patent collects the log information of various security devices such as IDS and IPS. Because this log information is generated by different devices, it must be normalised and arranged into an alarm sequence in chronological order. Then the main attack scenario detection algorithm comes into play. Information security devices create a great many alarms; for convenience of analysis, the alarm sequence is first divided into batches, and each batch is then divided into smaller parts called episode windows. Fig. 1 shows a schematic diagram of episode extraction using episode windows.
Once a batch of alarms is received, the alarms are sorted by time of occurrence, aggregated as shown in Fig. 1, and divided into one episode window after another. The episode extraction module is used to extract suspicious episodes, which may be parts of an attack in progress. Other episodes, such as false-positive episodes or sub-episodes of a new, unknown attack scenario, are sent to the new attack strategy mining module for further processing. In the framework provided by this patent, the prediction component extracts prediction rules to predict the next action of the attack in progress.
The alarm correlation framework provided by this patent has two modes: offline and online. In offline mode, it first aggregates alarms by alarm type; next, an episode mining algorithm finds possible alarm combinations. Using the learning data, an offline attack tree is created, and the system learns attack scenarios in offline mode. In online mode, an online attack tree is created from the alarms received from security devices, which accurately and effectively determines the steps of an attack. Fig. 2 shows the alarm correlation framework of the present invention.
Before describing this alarm correlation framework, the causal correlation matrix (CCM) is defined first.
Definition 1: The CCM matrix defines the association strength between two alarm types. For the alarm types ..., the CCM is defined as an n×n matrix in which each entry represents the association strength between one alarm type and another.
The CCM is an asymmetric matrix. Two alarm types are regarded as associated if their entry reaches a threshold. Table 1 gives an example of a CCM; in this example the two entries for a pair of alarm types are two completely different values. The first is the association strength when the one alarm type occurs after the other, while the second is the association strength when the one alarm type must occur before the other.
1. Alert aggregation module
The alert aggregation module generates aggregated alarms (super alarms), reducing the number of original alarms. An alarm is generally made up of several features, and some of the important features of an alarm are used in the alarm correlation process, for example the time the alarm occurred, source IP, source port, target IP, target port, alarm type/intrusion type, and attack severity.
In the alert aggregation module, alarms that have the same type and occur at almost the same time may be merged together. The merged alarm is called a super alarm (or aggregated alarm). Clearly, the number of super alarms is lower than the number of original alarms. Furthermore, if the alarms occurring within a certain time interval all have the same alarm type, they are regarded as the same alarm. Such a super alarm is defined as follows:
A[source IP] = { }
A[target IP] = { }
A[source port] = { }
A[target port] = { }
A[t] = t1
A[alarm type] =
A[attack severity] =
A[counter] =
2. Episode extraction
An episode is a partially ordered set of super alarms, which can be defined as a directed acyclic graph (DAG). An episode is defined in the following form:
Definition 2 (Episode): an episode is a triple, where
● V is a set of super alarms;
● the order relation determines the time sequence of the super alarms and forms a partial order on V;
● g: V → χ is a labelling function that maps each super alarm of the episode to its alarm type, where χ is the set of alarm types.
For example, consider the episode of Fig. 3, in which V consists of the two super alarms a and b, g(a) = Sadmind_Ping and g(b) = Sadmind_Amslverify_Overflow. In this example Sadmind_Ping occurs before Sadmind_Amslverify_Overflow, so a precedes b.
One episode is a sub-episode of another if there is a mapping from the super alarms of the first into those of the second that preserves alarm types (the type of each super alarm equals the type of its image) and preserves time order (if one super alarm precedes another, so do their images). Note that, under this definition, the alarm type matters much more than the alarm itself when the sub-episode relation is determined. Therefore, in all diagrams from now on, the nodes of the graph (super alarms) are shown as alarm types. Fig. 4 is an example of a sub-episode.
An episode is a serial episode if the order of the whole episode is total (for any two super alarms, one precedes the other). Fig. 3 is an example of a serial episode. This patent uses the concept of serial episodes to extract the various serial episodes from the super alarm sequence in order to determine the critical episodes.
Note: for simplicity, a serial episode is written as the sequence of the alarm types of its super alarms.
A frequent serial episode is a serial episode extracted from the alarm sequence in some episode window whose number of repetitions in that window is greater than a predefined threshold (min-fr). If it is a critical episode, a frequent serial episode may be part of a multi-step attack scenario.
In order to find attack scenarios, the correlation between super alarms is vital. This relation can be used to analyse the actions carried out by an intruder, for example to explain the reason for a particular action of an intruder or to predict future events. In the alarm sequence shown in Fig. 5, the episode is a frequent serial episode, and its repetition pattern is as follows:
In the episode extraction stage, serial episodes are obtained by sliding the batch window over the episode windows as shown in Fig. 1.
The extracted frequent serial episodes are divided into critical episodes (CE) and benign episodes (BE). Critical episodes are defined on the basis of the CCM as follows:
Definition 3 (Critical episode). A frequent serial episode e = <...> is a critical episode if the association strength of every pair of consecutive super alarm types in the episode is equal to or greater than the threshold.
A frequent serial episode that is not critical is defined as follows.
Definition 4 (Benign episode). A benign episode is a frequent serial episode in which at least one pair of super alarm types is not associated (that is, there is a binary sub-episode whose association strength is below the threshold). It may be a false positive produced by a security device, or a sub-episode of a new, unknown attack scenario.
The critical episodes extracted in each episode window are sent to the learning and detection component to build the attack tree, and the benign episodes are sent to the new attack strategy mining component to identify possible new multi-step attack scenarios, as shown in Fig. 6.
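An added example (not part of the patent) of the extraction and classification just described: serial episodes are counted in each episode window, those repeated more than min-fr times are kept, and each is classified as critical or benign by checking every consecutive pair of alarm types against a constructed CCM (Definitions 3 and 4). It assumes that a serial episode is counted as a contiguous run of alarm types and that the association threshold is 0.5; the page leaves both unspecified.

```python
from collections import Counter
from typing import Dict, List, Tuple

Episode = Tuple[str, ...]

# Constructed super alarm type sequence of one batch, already cut into episode windows.
WINDOWS: List[List[str]] = [
    ["A", "B", "C", "A", "B", "C", "A", "B", "X", "A", "B", "C"],
    ["A", "B", "C", "E", "A", "B", "C", "E", "A", "B", "C", "E"],
]

# Constructed CCM entries: (earlier type, later type) -> association strength.
# Pairs absent from the matrix have strength 0.0.
CCM: Dict[Tuple[str, str], float] = {
    ("A", "B"): 0.9, ("B", "C"): 0.8, ("C", "E"): 0.2, ("B", "X"): 0.1,
}
THRESHOLD = 0.5   # assumed association threshold


def serial_episodes(window: List[str], max_len: int) -> Counter:
    """Count every serial episode of length 2..max_len that occurs as a
    contiguous run of alarm types in the window (simplifying assumption)."""
    counts: Counter = Counter()
    for n in range(2, max_len + 1):
        for i in range(len(window) - n + 1):
            counts[tuple(window[i:i + n])] += 1
    return counts


def frequent_serial_episodes(window: List[str], min_fr: int, max_len: int = 4) -> Dict[Episode, int]:
    """Frequent serial episodes: repetition count strictly greater than min-fr."""
    return {e: c for e, c in serial_episodes(window, max_len).items() if c > min_fr}


def strength(a: str, b: str, ccm=CCM) -> float:
    return ccm.get((a, b), 0.0)


def classify(episode: Episode, ccm=CCM, threshold: float = THRESHOLD) -> str:
    """Definition 3: critical iff every consecutive pair is associated;
    Definition 4: otherwise benign (false positive or unknown attack fragment)."""
    pairs = zip(episode, episode[1:])
    if all(strength(a, b, ccm) >= threshold for a, b in pairs):
        return "critical"
    return "benign"


def extract(windows: List[List[str]], min_fr: int = 2, max_len: int = 4):
    """Route the frequent serial episodes of each window to the critical list
    (attack tree input) or the benign list (new attack strategy mining input)."""
    critical: List[Episode] = []
    benign: List[Episode] = []
    for w in windows:
        for e in frequent_serial_episodes(w, min_fr, max_len):
            (critical if classify(e) == "critical" else benign).append(e)
    return critical, benign


if __name__ == "__main__":
    crit, ben = extract(WINDOWS)
    print("critical:", crit)
    print("benign:", ben)
```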
1. Learning and detection component
The main function of the learning and detection component is to build the online attack tree and the offline attack tree, which it does by detecting critical episodes and updating the CCM in online and offline mode.
(1) Attack tree construction
In both the online and offline modes of the correlation framework provided by this patent, an attack tree is used to model attack behaviour; it is built from the extracted critical episodes. The attack tree is defined as follows:
Definition 5 (Attack tree). An attack tree is defined as a triple, where:
● T is the set of super alarms (nodes);
● the partial order on T (which determines the time order of the super alarms) is such that, for each node of T, the set of nodes preceding it is totally ordered (the property required of a tree);
● f is a labelling function: for each node a of T, f(a) is a triple whose first component A is the alarm type of the node (super alarm), whose second component is the number of times the episode from the root node to a has been formed, and whose third component is the number of episode windows.
Note that the node labels are used to retrieve the prediction rules for the next step of an attack in progress. Moreover, every attack tree has an empty node as its root.
Initially, an attack tree consists only of its empty root node. The attack tree is updated as the extracted critical episodes are added. To this end, after the critical episodes have been extracted from an episode window, any extracted critical episode that is a sub-episode of another extracted critical episode is deleted (to avoid inserting redundancy into the attack tree). When an extracted critical episode is added, if a prefix of the critical episode matches a prefix of a path in the attack tree (excluding the root node), the episode is attached to the attack tree at that path and the labels of the nodes on the matched prefix are updated (except that the alarm type in the label remains unchanged). Note that if no path in the attack tree has a prefix matching a prefix of the critical episode, the critical episode is attached to the root node.
For example, the critical episodes e1, e2, e3 and e4 shown in Fig. 8(a) are extracted from the first episode window and are to be inserted into the attack tree. e1 is a sub-episode of e2 and is removed from the list. Then, in Fig. 8(b), episode e2 (which also contains e1) is attached to the root node of the attack tree. After e3 and e4 are inserted (as shown in Fig. 8(c)), the node labels have been updated (for example, the labels of A and D).
In offline mode, the system constructs the offline attack tree directly from the offline aggregated alarms. In online mode, the system constructs the online attack tree and updates it in real time after the alarms of each episode window have been processed.
Fig. 9 shows the offline attack tree and the online attack tree in different states.
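The attack tree construction described above, as an added example (not the patent's own code): within one episode window, critical episodes that are sub-episodes of another extracted episode are dropped, the remaining episodes are attached along the longest matching path prefix, and each node label carries the alarm type, the accumulated episode count and the number of episode windows that touched it. The episodes and their frequencies are constructed, and implementing the sub-episode test as an order-preserving subsequence test on alarm types is an assumption.

```python
from typing import Dict, List, Set, Tuple

Episode = Tuple[str, ...]


class Node:
    def __init__(self, alarm_type):
        self.alarm_type = alarm_type   # None for the empty root node
        self.count = 0                 # times the episode root..node was formed
        self.windows = 0               # number of episode windows contributing
        self.children: Dict[str, "Node"] = {}

    def label(self) -> Tuple:
        """The label f(node) = <alarm type, count, window count>."""
        return (self.alarm_type, self.count, self.windows)


def is_sub_episode(small: Episode, big: Episode) -> bool:
    """Assumed sub-episode test for serial episodes: `small` is an
    order-preserving subsequence of `big` (types and order preserved)."""
    remaining = iter(big)
    return all(atype in remaining for atype in small)


class AttackTree:
    def __init__(self):
        self.root = Node(None)          # every attack tree starts as an empty root

    def _insert(self, episode: Episode, count: int) -> List[Node]:
        """Walk/extend the path whose prefix matches the episode's prefix,
        bumping counts on every node; the alarm type is never changed."""
        node, path = self.root, []
        for atype in episode:
            child = node.children.get(atype)
            if child is None:                     # no matching prefix: extend here
                child = Node(atype)
                node.children[atype] = child
            child.count += count
            path.append(child)
            node = child
        return path

    def insert_window(self, episodes: Dict[Episode, int]) -> Dict[Episode, int]:
        """episodes: {critical episode: frequency in this window}. Episodes that
        are sub-episodes of another one in the window are dropped first."""
        kept = {e: c for e, c in episodes.items()
                if not any(e != o and is_sub_episode(e, o) for o in episodes)}
        touched: Set[Node] = set()
        for e, c in kept.items():
            touched.update(self._insert(e, c))
        for node in touched:                      # one window increment per node
            node.windows += 1
        return kept

    def label_of(self, path: Episode) -> Tuple:
        node = self.root
        for atype in path:
            node = node.children[atype]
        return node.label()

    def leaf_paths(self) -> List[Episode]:
        """All root-to-leaf episodes, as alarm type tuples."""
        out: List[Episode] = []

        def walk(node: Node, prefix: List[str]):
            if not node.children:
                out.append(tuple(prefix))
            for child in node.children.values():
                walk(child, prefix + [child.alarm_type])

        walk(self.root, [])
        return sorted(out)


if __name__ == "__main__":
    # Constructed first window, mirroring Fig. 8: e1=<A,B> is a sub-episode of e2.
    tree = AttackTree()
    tree.insert_window({("A", "B"): 5, ("A", "B", "C"): 5,
                        ("A", "D", "F"): 3, ("A", "D", "G"): 2})
    tree.insert_window({("A", "D", "F"): 4})      # constructed second window
    for p in tree.leaf_paths():
        print(p, tree.label_of(p))
```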
(2) CCM update
To estimate the causal correlation between two different alarm types, after the critical episodes of an episode window have been extracted, binary sub-episodes are generated (for example <.,.>, in which the alarm type of one super alarm appears immediately after the alarm type of the other super alarm in the episode). These binary sub-episodes are used to estimate the causal correlation of the alarm types. To this end, some factors are first computed for each pair of super alarms and their alarm types, and the CCM is then updated from these factors and the previous data.
Similarity between super alarms: the similarity between two super alarms is determined from their source IP, source port, target IP, target port and alarm type. For this purpose, a similarity measure between super alarms is defined.
The IPSIM function is used to calculate the similarity between the IP addresses of two super alarms. It is defined as ipsim = k/32, where k is the maximum number of matching high-order bits of the two IP addresses. The following formula calculates the similarity of two IP addresses:
Similarly, a port match function is used to calculate the similarity between the ports of two super alarms. For each pair of ports, the port match function computes this similarity: if the two port numbers are identical, its value is 1; otherwise its value is 0. The following formula calculates the similarity of two ports:
Based on the above principles, the similarity formula for two super alarms is as follows:
where the weights satisfy the stated condition because the similarity of the source and destination IP addresses of two super alarms is far more important than that of their port numbers.
Confidence index of a binary sub-episode: the most useful stream mining method is association rule mining. In this patent, an association rule represents a relation between super alarms. In fact, each binary sub-episode of a critical episode can be regarded as an association rule; binary sub-episodes are used to determine the association between super alarms. The confidence index of an association rule represents the strength of the causal relation between the two successive super alarms of a binary sub-episode. The confidence index is computed by the following formula:
where the symbols denote alarm types and the frequency of an episode.
Based on the above (that is, similarity and confidence index), the weighted confidence index (wc) of two consecutive super alarms in a binary sub-episode can be defined as
The CCM is then updated as follows:
where the two weights are configurable, the two indices are the alarm types of the two super alarms, and the entries before and after the update are the old and new values of the association strength between the two alarm types.
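An added example (not the patent's own code) of the factors feeding the CCM update: ipsim = k/32 over matching high-order bits, the 0/1 port match function, a weighted similarity, an association-rule confidence, a weighted confidence, and a CCM update with two configurable weights. Because the page reproduces neither the formulas nor their parameters, the weights (0.4, 0.4, 0.1, 0.1 and 0.7/0.3), the confidence as freq(<x, y>) / freq(<x>), the weighted confidence as the product of similarity and confidence, the linear form of the update, and the super alarm values are all assumptions; the frequencies 45 and 15 are borrowed from the page's Fig. 9 example.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed super alarms, reduced to single IP/port values for the example.
SA1 = {"src_ip": "10.0.0.5", "dst_ip": "192.168.1.10", "src_port": 40001, "dst_port": 111}
SA2 = {"src_ip": "10.0.0.5", "dst_ip": "192.168.1.12", "src_port": 40010, "dst_port": 32773}

# Episode frequencies from the page's Fig. 9 example: <A> seen 45 times, <A, B> 15 times.
FREQ: Dict[Tuple[str, ...], int] = {("A",): 45, ("A", "B"): 15}

# Assumed weights: IP similarity counts far more than port similarity.
W_SRC_IP, W_DST_IP, W_SRC_PORT, W_DST_PORT = 0.4, 0.4, 0.1, 0.1


def ipsim(ip1: str, ip2: str) -> float:
    """ipsim = k/32, where k is the number of matching high-order bits (IPv4)."""
    a = int(ipaddress.IPv4Address(ip1))
    b = int(ipaddress.IPv4Address(ip2))
    k = 32 - (a ^ b).bit_length()   # leading bits that agree before the first difference
    return k / 32


def portsim(p1: int, p2: int) -> float:
    """Port match function: 1 if the port numbers are identical, else 0."""
    return 1.0 if p1 == p2 else 0.0


def similarity(a: dict, b: dict) -> float:
    """Assumed weighted combination of the IP and port similarities."""
    return (W_SRC_IP * ipsim(a["src_ip"], b["src_ip"])
            + W_DST_IP * ipsim(a["dst_ip"], b["dst_ip"])
            + W_SRC_PORT * portsim(a["src_port"], b["src_port"])
            + W_DST_PORT * portsim(a["dst_port"], b["dst_port"]))


def confidence(freq: Dict[Tuple[str, ...], int], x: str, y: str) -> float:
    """Assumed association-rule confidence of the binary sub-episode <x, y>:
    freq(<x, y>) / freq(<x>); 0 when x was never observed."""
    base = freq.get((x,), 0)
    return freq.get((x, y), 0) / base if base else 0.0


def weighted_confidence(sim: float, conf: float) -> float:
    """Assumed weighted confidence index wc: similarity times confidence."""
    return sim * conf


def update_ccm(ccm: Dict[Tuple[str, str], float], x: str, y: str, wc: float,
               w_old: float = 0.7, w_new: float = 0.3) -> float:
    """Assumed CCM update: new = w_old * old + w_new * wc, with two configurable
    weights; the matrix stays asymmetric because only entry (x, y) changes."""
    old = ccm.get((x, y), 0.0)
    ccm[(x, y)] = w_old * old + w_new * wc
    return ccm[(x, y)]


if __name__ == "__main__":
    ccm = {("A", "B"): 0.5}   # constructed previous association strength
    wc = weighted_confidence(similarity(SA1, SA2), confidence(FREQ, "A", "B"))
    print("wc =", wc, "updated CCM[A,B] =", update_ccm(ccm, "A", "B", wc))
```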
2. Prediction component
The prediction component predicts the next action of an active attack scenario, which is part of the online attack tree. For this purpose, the attack tree of the offline mode is used as the knowledge base of attack scenarios.
In the online attack tree, certain leaves may be considered for predicting the next action of an attack scenario. Suppose that A is the alarm type of a leaf node of the online attack tree and that the episode from the root to that leaf is the critical episode containing A. Suppose further that an episode of the offline attack tree (from the root node) has this episode as a sub-episode with a matching prefix. For prediction, some prediction rules are generated for each leaf node (such as A). A prediction rule for leaf node A has the form <A> followed by the remaining part of the matched offline episode.
Suppose now that the prediction rules for leaf node A have been generated; the rule most likely to occur must then be computed, that is, the next action of the attack in progress is predicted. Note that the size of the episodes appearing in the rules may be 1, 2, ..., n, so rules of the same size can be compared together and their probabilities calculated.
To calculate the probability of occurrence of a rule such as <A> followed by an episode of size n, we construct an (n+1)-dimensional vector for <A> and an (n+1)-dimensional vector for the rule as follows:
where f<A> is the number of occurrences recorded at node A of the online attack tree.
If the episode of the rule is <..., ...>, then its vector is built from the labels of the corresponding nodes, where the labelling function of the online attack tree is used.
Based on the above vectors, the probability of each prediction rule is calculated as follows:
The computation of this probability is described in more detail below, taking Fig. 9 as an embodiment.
In Fig. 9(a), the episode <A> has been observed 45 times in 30 consecutive episode windows of one batch, and the episode <A, B> has been observed 15 times in 10 consecutive episode windows of the batch. Fig. 9(b), (c) and (d) describe in more detail the online attack tree generated in online mode. For prediction, as shown in Fig. 9(b), the episode <A>, observed 10 times in 10 consecutive episode windows of a batch, is inserted into the online attack tree. Considering the episode <A> in the online attack tree, after attack A the probabilities that the next attack step is of attack type B or of attack type D differ. Thus two prediction rules, <A> followed by <D, F> and <A> followed by <D, G>, are created. In this case the two vectors are calculated as described above. Therefore, the probability that <D, F> occurs after A is 57%, and the probability that <D, G> occurs is 59%.
3. New attack strategy mining component
Benign episodes of various lengths are sent to the new attack strategy mining component. Such an episode may be a false positive produced by a security device, or a sub-episode of a new, unknown attack scenario. In order to separate false-positive episodes from unknown attack scenarios, the binary sub-episodes of each benign episode e = <...> must be extracted (where the elements are the alarm types of the super alarms in the episode and n is their number). If an episode e satisfies the following conditions, it is a malicious episode:
(1) some alarm type in the episode does not belong to the CCM; in other words, it is a new alarm type,
(2)
(3)
(4)
(5)
In the above formulas, the quantities are respectively the average similarity between the source IP of a super alarm and the source IP of the following super alarm, the average similarity between the target IP of a super alarm and the source IP of the following super alarm, the average similarity between the target IP of a super alarm and the target IP of the following super alarm, and the average attack severity of an episode.
So that such an unknown attack scenario can be detected in the near future, the alarm types of the unknown attack scenario must be taken into account: the new alarms are added to the CCM and the system is updated. The CCM is updated by treating the unknown attack scenario as a critical episode (its CCM update process is the same as described above).
The above are only preferred embodiments of the present invention and are not intended to limit its scope; every equivalent change and modification made according to the present invention is regarded as falling within the scope of the claims of the present invention.

Claims (7)

1. A threat detection and early warning method and system based on big data analysis, characterised in that it comprises: an alert aggregation component, an episode extraction component, a learning and detection component, a prediction component, and a new attack strategy mining component.
2. The threat detection and early warning method and system based on big data analysis according to claim 1, characterised in that the alert aggregation component aggregates the alarms reported by information security devices and generates super alarms (or aggregated alarms).
3. The threat detection and early warning method and system based on big data analysis according to claim 1, characterised in that the episodes extracted by the episode extraction component include at least critical episodes and benign episodes.
4. The threat detection and early warning method and system based on big data analysis according to claim 1, characterised in that the learning and detection component comprises an offline mode and an online mode.
5. The threat detection and early warning method and system based on big data analysis according to claim 1, characterised in that the prediction component uses the attack tree to predict, according to the action, the probability of the next attack step.
6. The threat detection and early warning method and system based on big data analysis according to claim 1, characterised in that the new attack strategy mining component identifies whether an alarm is a false positive produced by a security device or a new malicious attack.
7. The threat detection and early warning method and system based on big data analysis according to claim 4, characterised in that it at least comprises the processes of building the attack tree and updating the CCM.
CN201510565278.8A 2015-09-08 2015-09-08 Threat detection and alert method and system based on big data analysis Pending CN105100122A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510565278.8A CN105100122A (en) 2015-09-08 2015-09-08 Threat detection and alert method and system based on big data analysis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510565278.8A CN105100122A (en) 2015-09-08 2015-09-08 Threat detection and alert method and system based on big data analysis

Publications (1)

Publication Number Publication Date
CN105100122A true CN105100122A (en) 2015-11-25

Family

ID=54579667

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510565278.8A Pending CN105100122A (en) 2015-09-08 2015-09-08 Threat detection and alert method and system based on big data analysis

Country Status (1)

Country Link
CN (1) CN105100122A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254125A (en) * 2016-08-18 2016-12-21 南京联成科技发展有限公司 The method and system of security incident correlation analysiss based on big data
CN106384048A (en) * 2016-08-30 2017-02-08 北京奇虎科技有限公司 Threat message processing method and device
CN107438079A (en) * 2017-08-18 2017-12-05 杭州安恒信息技术有限公司 A kind of detection method of the unknown abnormal behaviour in website
CN108683687A (en) * 2018-06-29 2018-10-19 北京奇虎科技有限公司 A kind of network attack identification method and system
CN108833186A (en) * 2018-06-29 2018-11-16 北京奇虎科技有限公司 A kind of network attack prediction technique and device
CN108833185A (en) * 2018-06-29 2018-11-16 北京奇虎科技有限公司 A kind of network attack route restoring method and system
CN110460558A (en) * 2018-05-07 2019-11-15 南京联成科技发展股份有限公司 A kind of method and system based on the discovery of visual challenge model
CN110830441A (en) * 2019-09-30 2020-02-21 广西科技大学 Information safety monitoring system based on big data
CN111475804A (en) * 2020-03-05 2020-07-31 浙江省北大信息技术高等研究院 Alarm prediction method and system
CN112468347A (en) * 2020-12-14 2021-03-09 中国科学院信息工程研究所 Security management method and device for cloud platform, electronic equipment and storage medium
CN113438249A (en) * 2021-06-30 2021-09-24 北京科东电力控制***有限责任公司 Attack tracing method based on strategy
CN113544676A (en) * 2019-03-12 2021-10-22 三菱电机株式会社 Attack estimation device, attack control method, and attack estimation program
CN116467368A (en) * 2023-06-13 2023-07-21 北京大众在线网络技术有限公司 Safety monitoring method and system based on big data analysis

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101242278A (en) * 2008-02-18 2008-08-13 华中科技大学 Online recognition method for network multi-step attack intension
CN102075516A (en) * 2010-11-26 2011-05-25 哈尔滨工程大学 Method for identifying and predicting network multi-step attacks
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ALI AHMADIAN RAMAKI et al.: "RTECA: Real time episode correlation algorithm for multi-step attack scenarios detection", Computers & Security *

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106254125A (en) * 2016-08-18 2016-12-21 南京联成科技发展有限公司 The method and system of security incident correlation analysiss based on big data
CN106384048A (en) * 2016-08-30 2017-02-08 北京奇虎科技有限公司 Threat message processing method and device
CN107438079A (en) * 2017-08-18 2017-12-05 杭州安恒信息技术有限公司 A kind of detection method of the unknown abnormal behaviour in website
CN107438079B (en) * 2017-08-18 2020-05-01 杭州安恒信息技术股份有限公司 Method for detecting unknown abnormal behaviors of website
CN110460558A (en) * 2018-05-07 2019-11-15 南京联成科技发展股份有限公司 A kind of method and system based on the discovery of visual challenge model
CN110460558B (en) * 2018-05-07 2021-08-10 南京联成科技发展股份有限公司 Method and system for discovering attack model based on visualization
CN108833185B (en) * 2018-06-29 2021-01-12 北京奇虎科技有限公司 Network attack route restoration method and system
CN108683687A (en) * 2018-06-29 2018-10-19 北京奇虎科技有限公司 A kind of network attack identification method and system
CN108833185A (en) * 2018-06-29 2018-11-16 北京奇虎科技有限公司 A kind of network attack route restoring method and system
CN108833186B (en) * 2018-06-29 2021-01-12 北京奇虎科技有限公司 Network attack prediction method and device
CN108833186A (en) * 2018-06-29 2018-11-16 北京奇虎科技有限公司 A kind of network attack prediction technique and device
CN113544676A (en) * 2019-03-12 2021-10-22 三菱电机株式会社 Attack estimation device, attack control method, and attack estimation program
CN110830441A (en) * 2019-09-30 2020-02-21 广西科技大学 Information safety monitoring system based on big data
CN111475804A (en) * 2020-03-05 2020-07-31 浙江省北大信息技术高等研究院 Alarm prediction method and system
CN111475804B (en) * 2020-03-05 2023-10-24 杭州未名信科科技有限公司 Alarm prediction method and system
CN112468347A (en) * 2020-12-14 2021-03-09 中国科学院信息工程研究所 Security management method and device for cloud platform, electronic equipment and storage medium
CN113438249A (en) * 2021-06-30 2021-09-24 北京科东电力控制***有限责任公司 Attack tracing method based on strategy
CN113438249B (en) * 2021-06-30 2023-01-31 北京科东电力控制***有限责任公司 Attack tracing method based on strategy
CN116467368A (en) * 2023-06-13 2023-07-21 北京大众在线网络技术有限公司 Safety monitoring method and system based on big data analysis
CN116467368B (en) * 2023-06-13 2023-10-24 北京大众在线网络技术有限公司 Safety monitoring method and system based on big data analysis

Similar Documents

Publication Publication Date Title
CN105100122A (en) Threat detection and alert method and system based on big data analysis
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
Fouladi et al. A DDoS attack detection and defense scheme using time-series analysis for SDN
CN112738015B (en) Multi-step attack detection method based on interpretable convolutional neural network CNN and graph detection
Maglaras et al. Combining ensemble methods and social network metrics for improving accuracy of OCSVM on intrusion detection in SCADA systems
CN110213226B (en) Network attack scene reconstruction method and system based on risk full-factor identification association
US9369484B1 (en) Dynamic security hardening of security critical functions
CN109902297A (en) A kind of threat information generation method and device
CN105009132A (en) Event correlation based on confidence factor
CN102075516A (en) Method for identifying and predicting network multi-step attacks
CN112333195B (en) APT attack scene reduction detection method and system based on multi-source log correlation analysis
CN109241989B (en) Method and system for restoring intelligent substation invasion scene based on space-time similarity matching
CN105681286A (en) Association analysis method and association analysis system
Jadidi et al. A threat hunting framework for industrial control systems
CN109951419A (en) A kind of APT intrusion detection method based on attack chain attack rule digging
CN113422763B (en) Alarm correlation analysis method constructed based on attack scene
CN100414868C (en) Data merging mechanism for large distributive intrusion inspecting system
CN104468545A (en) Network security correlation analysis method based on complex event processing
Kajal et al. A hybrid approach for cyber security: improved intrusion detection system using Ann-Svm
Bhati et al. A survey on hybrid intrusion detection techniques
CN111191683A (en) Network security situation assessment method based on random forest and Bayesian network
CN108243169A (en) A kind of network security finds out method and system
Sukhwani et al. A survey of anomaly detection techniques and hidden markov model
CN115567325B (en) Threat hunting method based on graph matching
CN112925805A (en) Big data intelligent analysis application method based on network security

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 210012, Nanjing high tech Zone, Jiangsu, Nanjing Software Park, No. 99 unity Road, Eagle building, block A, 14 floor

Applicant after: Nanjing Liancheng science and technology development Limited by Share Ltd

Address before: Thirteen, building 185, 210012 Hanzhoung Road, Qinhuai District, Jiangsu, Nanjing

Applicant before: NANJING LIANCHENG TECHNOLOGY DEVELOPMENT CO., LTD.

RJ01 Rejection of invention patent application after publication

Application publication date: 20151125