CN105376193B - The intelligent association analysis method and device of security incident - Google Patents

Info

Publication number
CN105376193B
Authority
CN
China
Prior art keywords
attack
event
unified
value
confidence
Prior art date
Legal status
Active
Application number
CN201410401184.2A
Other languages
Chinese (zh)
Other versions
CN105376193A
Inventor
樊宁
何明
沈军
金华敏
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date

Abstract

This disclosure relates to an intelligent association analysis method and apparatus for security events. The method includes decomposing the attribute features and standardizing the attribute feature values of security events collected in real time, and traversing an offline-generated unified reasoning structure with the standardized attribute feature values to determine the attack category. The disclosure improves the efficiency of association analysis.

Description

Intelligent correlation analysis method and device for security events
Technical Field
The present disclosure relates to the field of network security, and in particular, to an intelligent association analysis method and apparatus for security events.
Background
Today, as the network security situation becomes ever more severe, network security management has become an important part of network operation. The SOC (Security Operations Center) is a technical support platform that performs comprehensive analysis of the network, the security devices and the systems, and realizes centralized management and monitoring of security events. The SOC discovers the current security threats and potential security risks of the network by collecting the security logs generated by the devices and systems in the network and analyzing and processing them, so that early warnings are issued in time and the network is spared heavy losses. The SOC collects a large amount of security event information from the network, much of which carries no real threat; some of it may be a sign that a threat is being prepared, and some may be only associated alarms generated by a substantive threat. Security event correlation analysis extracts useful information from the preprocessed security events and, through correlation processing, links an isolated set of security events into a security event chain. The aim of correlation analysis is to find the real threat alarms among the large number of false alarms and low-level alarms, and to help security operation and maintenance personnel locate potential security hazards in the network in time.
At present, the correlation analysis engine of an intelligent SOC mainly adopts the inference engine approach. The working principle of an inference-engine-type correlation analysis engine is that an inference model trained in advance is preset; after a security event is acquired, the extracted attribute information is matched against each rule feature of the inference model, a record is made whenever the extracted attribute information satisfies a rule, and an alarm is triggered once the matching degree of all rule features of the inference model reaches a threshold. An inference-engine-type correlation analysis engine misses no security event and none of the information a security event carries, so its analysis precision is high. However, because the SOC's analysis of security events across the whole network involves many devices, many protocols and many attack types, the traditional inference-engine correlation analysis engine requires a large number of attack models to be built; the analysis is fine-grained and complex, and because it occupies a great deal of computation space and time, its analysis efficiency is low. Security events in a telecommunication network environment are massive, and such a low-efficiency inference-engine-type correlation analysis engine cannot support them.
Disclosure of Invention
The present disclosure proposes a new technical solution in view of at least one of the above problems.
The present disclosure provides, in one aspect thereof, an intelligent association analysis method of security events, which improves the efficiency of association analysis.
The present disclosure provides, in another aspect thereof, an intelligent association analysis apparatus for security events, which improves the efficiency of association analysis.
According to the present disclosure, there is provided an intelligent association analysis method for security events, comprising:
decomposing the attribute features and standardizing the attribute feature values of security events acquired in real time;
and traversing the offline-generated unified inference structure using the standardized attribute feature values to determine the attack category.
In some embodiments of the present disclosure, the unified inference structure is generated by:
collecting an attack model library and a security event training sample;
decomposing the security event training samples into a feature library;
calculating the association probability of each feature and attack in the feature library;
classifying the features according to the association probability based on the tree structure to form nodes of all levels of a unified reasoning structure;
and training and calculating confidence values of nodes at all levels meeting the judgment precision requirement, and determining a classification threshold value and a classification accuracy.
In some embodiments of the present disclosure, traversing the offline-generated unified inference structure with the standardized attribute feature values to determine the attack category comprises:
comparing the standardized attribute feature values with the feature rules of the nodes at each level of the unified reasoning structure, starting from its root node;
if a standardized attribute feature value matches a feature rule, summing the confidence values from the root node to the current node to form an attack confidence value;
and after the unified reasoning structure has been traversed, determining the attack category according to the confidence space in which the attack confidence value lies.
In some embodiments of the present disclosure, the method further comprises:
for a standardized attribute feature value, starting a timer when traversal of the unified inference structure begins at the root node;
and if the timer expires, clearing the attack confidence value of that standardized attribute feature value.
In some embodiments of the present disclosure, the attribute characteristics of the security event include source IP address and port, destination IP address and port, event category, event name, event class, device to which the event relates, and time of event occurrence.
According to the present disclosure, there is also provided an intelligent association analysis apparatus for security events, comprising:
an event acquisition unit, used for decomposing the attribute features and standardizing the attribute feature values of security events acquired in real time;
and a category judgment unit, used for traversing the offline-generated unified reasoning structure with the standardized attribute feature values to determine the attack category.
In some embodiments of the present disclosure, the intelligent association analysis apparatus for security events further includes a unified inference structure generation unit, which includes:
a collecting subunit, used for collecting the attack model library and the security event training samples;
a sample decomposition subunit, used for decomposing the security event training samples into a feature library;
an association probability calculating subunit, used for calculating the association probability of each feature in the feature library with an attack;
a structure forming subunit, used for grading each feature according to its association probability on the basis of a tree structure, forming the nodes at each level of the unified reasoning structure;
and a confidence value determining subunit, used for training and calculating the confidence values of the nodes at each level so that they meet the decision accuracy requirement, and for determining a classification threshold and a classification accuracy.
In some embodiments of the present disclosure, the category determination unit includes:
a comparison subunit, used for comparing the standardized attribute feature value with the feature rules of the nodes at each level of the unified reasoning structure, starting from its root node;
an attack confidence value calculating subunit, used for summing the confidence values from the root node to the current node to form an attack confidence value if the standardized attribute feature value matches the feature rule;
and a category determining subunit, used for determining the attack category according to the confidence space in which the attack confidence value lies after the unified inference structure has been traversed.
In some embodiments of the present disclosure, the intelligent correlation analysis apparatus for security events further includes:
a timer, used for starting timing, for a given standardized attribute feature value, when traversal of the unified inference structure begins at the root node, and for clearing the attack confidence value of that standardized attribute feature value if the timer expires.
In some embodiments of the present disclosure, the attribute characteristics of the security event include source IP address and port, destination IP address and port, event category, event name, event class, device to which the event relates, and time of event occurrence.
In this technical scheme, the association analysis efficiency for security events collected in real time is improved by the offline-generated unified reasoning structure, computation space and time cost are saved, and a balance between precision and efficiency is achieved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, are incorporated in and constitute a part of this application. In the drawings:
fig. 1 is a flowchart illustrating an intelligent association analysis method for security events according to an embodiment of the present disclosure.
Fig. 2 is a schematic diagram of a tree-structured unified inference structure according to an embodiment of the present disclosure.
Fig. 3 is a schematic structural diagram of an intelligent association analysis apparatus for security events according to an embodiment of the present disclosure.
Detailed Description
The present disclosure will be described below with reference to the accompanying drawings. It is to be noted that the following description is merely illustrative and exemplary in nature and is in no way intended to limit the disclosure, its application, or uses. Unless specifically stated otherwise, the relative arrangement of components and steps and numerical expressions and values set forth in the embodiments do not limit the scope of the present disclosure. Additionally, techniques, methods, and apparatus known to those skilled in the art may not be discussed in detail but are intended to be part of the specification where appropriate.
Fig. 1 is a flowchart illustrating an intelligent association analysis method for security events according to an embodiment of the present disclosure.
As shown in fig. 1, this embodiment may include the steps of:
S102, decomposing the attribute features and standardizing the attribute feature values of security events collected in real time;
the attribute characteristics of the security event may include, but are not limited to, a source IP address and port, a destination IP address and port, an event category, an event name, an event level, a device to which the event relates, and a time when the event occurred.
And S104, traversing the offline generated unified inference structure by using the standardized attribute characteristic values to determine the attack category, wherein the unified inference structure can be a tree structure.
In this embodiment, the association analysis efficiency for security events acquired in real time is improved by the offline-generated unified reasoning structure, computation space and time cost are saved, and a balance between precision and efficiency is achieved.
In one example, the unified inference structure can be generated by:
collecting an attack model library and security event training samples; decomposing the security event training samples into a feature library; calculating the association probability of each feature in the feature library with an attack; grading the features according to their association probabilities on the basis of a tree structure to form the nodes at each level of the unified reasoning structure; and training and calculating the confidence values of the nodes at each level so that they meet the decision accuracy requirement, and determining a classification threshold and a classification accuracy.
It should be noted that the unified inference structure is trained in advance, offline, on the security event training samples; once real-time security event data is acquired, the attack type to which the security event belongs is analyzed directly with the unified inference structure, so the analysis efficiency can be remarkably improved.
In another embodiment, the step of traversing the offline-generated unified inference structure with the standardized attribute feature values to determine the attack category may comprise: comparing the standardized attribute feature values with the feature rules of the nodes at each level of the unified reasoning structure, starting from its root node; if a standardized attribute feature value matches a feature rule, summing the confidence values from the root node to the current node to form an attack confidence value; and after the unified reasoning structure has been traversed, determining the attack category according to the confidence space in which the attack confidence value lies.
In yet another embodiment, for a standardized attribute feature value, a timer is started when traversal of the unified inference structure begins at the root node; if the timer expires, the attack confidence value of that standardized attribute feature value is cleared. This prevents the analysis of one standardized attribute feature value from occupying confidence resources for a long time and disrupting the normal analysis process.
Next, a specific implementation of training the unified inference structure offline is described in detail. Specifically, the following steps may be included:
Step one, collecting an attack model library and original security event samples;
A security event sample is a security event in the standard format analyzed by the association analysis engine, and is composed of feature attributes such as source IP address, source port, destination IP address, destination port, event type, event name, event level, the device related to the event, and the event occurrence time.
The attack model library is the set of all attack models that the correlation analysis engine can decide on, and is determined by prior knowledge. An attack model is the chain of security events and the attack scenario associated with a certain security attack. A security event chain is a chain composed of a series of single security events that have logical relations such as cause and effect and temporal order.
The attack model can include, but is not limited to, mathematical models of various attack events such as suspicious scanning activity, abnormal access, malicious code activity, network abnormal traffic, network service attack, device operation abnormity and the like.
Step two, decomposing the security event samples into a feature library, that is, splitting out all the attribute elements of the security event samples to form the feature library;
the feature library refers to a set consisting of feature attributes and attribute values of the security event samples.
Step three, classifying the feature library a priori according to the attack models in the attack model library, and removing features irrelevant to attacks;
In particular, since a security event includes feature attributes such as source IP address, source port, destination IP address, destination port, event category, event name, event level, the device related to the event, the event occurrence time and so on, it can be decomposed into that many feature library elements. For example, if a certain attack mathematical model requires that a website attack event occurs within 3 minutes after an event whose event type is suspicious scanning, and that the destination IP addresses of the two events are the same, then these feature elements point to the attack result, while the other feature attributes are irrelevant to the attack and can be removed.
Step four, calculating the association probability of each feature with an attack, and sorting the features in the feature library by association probability from largest to smallest;
For example, one feature rule may correspond to several attacks. Assuming there are 100 attack models in total, of which 20 have the feature rule "target IP address is XXX", the association probability of that feature is 20%.
Step five, grading the characteristics according to the association probability to serve as nodes of all levels of the unified reasoning structure;
the unified inference structure is an inference structure based on a single-tree data structure and comprises multiple levels of nodes, wherein upper nodes are connected with lower nodes, and each level of nodes has a characteristic rule and a confidence value.
The feature rule refers to a condition that a certain attribute of the security event possesses, for example, a source IP address is 1.1.1.1, which is a condition that is required to possess, that is, a feature rule.
The confidence value refers to data identified by multidimensional numerical values and represents the conformity of the node with various attack models.
Specifically, a number of intervals are defined, for example 50-60%, 40-50%, ..., 0-10%, and all feature rules whose association probability falls within a given interval are classified into one level. Each feature rule at each level is represented by a node, and all nodes form a tree structure, as shown in fig. 2.
Step six, calculating the classification association degree between a secondary node and its superior node, and adding a new dimension if the association degree is less than the threshold value of 0.707;
Specifically, the coincidence rate of the secondary node and the superior node belonging to the same attack model, that is, the association degree, is calculated. Assuming that the features of the superior node can point to attacks A, B and C with association probabilities a, b and c respectively, and the secondary node points to attacks A and B with association probabilities c and d respectively, the classification association degree between the secondary node and the superior node is (c + d)/(a + b + c). The threshold value of 0.707 is the median of the association degree.
If the association degree is less than the threshold value of 0.707, the association between the two nodes is weak, and one more dimension can be added to the vector.
Step seven, calculating vector values of the classification association degrees of the secondary nodes and the superior nodes on all dimensions;
In particular, the vector value of the secondary node in each dimension is the sine of the angle (i.e. the vector angle) formed by the association probability and the association degree.
Step eight, calculating the confidence value of each node by increasing the unknowns x, y, ... from 0 in steps of 1 according to the formula "confidence value = (A-dimension vector) × x + (B-dimension vector) × y + ..." (where the A-dimension vector, the B-dimension vector and so on are those calculated in step seven);
Specifically, all possible values of each unknown are tried from small to large, and the classification accuracy is recalculated for each combination of values to determine the optimal values.
For example, the initial value of (x, y, z) for the root node is (0, 0, 0), the initial value for the secondary node of the root node is (1, 0, 0) …, and so on; if the classification accuracy calculated down to the leaf nodes does not meet the decision accuracy requirement, the value of (x, y, z) of the root node is incremented by 1.
Step nine, summing the confidence values obtained by running the security event chains of the various attack models through the unified reasoning structure, and calculating the final confidence value results.
Step ten, determining a classification threshold and a classification accuracy by a median algorithm according to the clustering space of the confidence value results of various attack models;
Specifically, the classification tree is designed so that it finally converges to leaf nodes with distinct attack categories; when a leaf node is reached, the confidence values converge to a range, namely the clustering space.
For example, if the clustering spaces of two attacks overlap, classification errors occur. The threshold value is calculated by a median algorithm, that is, by taking the median of the values in the overlapping part of the two attacks' clustering spaces. If the calculated threshold is a, values greater than a are attack 1 and values less than a are attack 2. The value range below a in the clustering space of attack 1 is misjudged. Within the clustering space of attack 1, the ratio of the value range below a to the whole clustering space is the error rate, and the remainder is the classification accuracy.
Step eleven, when the classification accuracy is lower than the decision accuracy requirement, return to step eight and repeat the subsequent steps; when the classification accuracy is higher than the decision accuracy requirement, end the process, the final confidence value of each node being the confidence value of that node in the unified reasoning structure, and the unified reasoning structure is generated.
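The offline computations of steps four, six, ten and eleven above (association probability, interval grading, classification association degree, median threshold and classification accuracy), as an added Python illustration that is not the patent's own code; the attack model library, the node probabilities and the clustering spaces are constructed sample values.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]  # (attribute, required value), e.g. ("dst_ip", "10.0.0.5")

# Constructed attack model library: attack name -> the feature rules its
# security event chain requires (step one; a real library is prior knowledge).
ATTACK_MODELS: Dict[str, set] = {
    "port_scan":   {("event_category", "suspicious_scan"), ("dst_ip", "10.0.0.5")},
    "web_attack":  {("event_category", "web_attack"), ("dst_ip", "10.0.0.5"), ("dst_port", "80")},
    "brute_force": {("event_name", "auth_failure"), ("dst_port", "22")},
    "malware":     {("event_category", "malicious_code"), ("device", "endpoint")},
    "dos":         {("event_category", "abnormal_traffic"), ("dst_ip", "10.0.0.5")},
}


def association_probabilities(models: Dict[str, set]) -> Dict[Rule, float]:
    """Step four: a rule shared by 20 of 100 models has association probability 20%."""
    counts = Counter(rule for rules in models.values() for rule in rules)
    return {rule: n / len(models) for rule, n in counts.items()}


def grade_into_levels(probs: Dict[Rule, float]) -> List[List[Rule]]:
    """Step five: group rules into 10% intervals (50-60%, 40-50%, ..., 0-10%);
    each interval is one level of the tree, highest probability nearest the root."""
    levels: Dict[int, List[Rule]] = {}
    for rule, p in probs.items():
        idx = min(round(p * 100) // 10, 9)  # integer arithmetic avoids 0.6/0.1 == 5.999...
        levels.setdefault(idx, []).append(rule)
    return [sorted(levels[i]) for i in sorted(levels, reverse=True)]


ASSOCIATION_THRESHOLD = 0.707  # the patent's threshold for adding a dimension


def association_degree(parent: Dict[str, float], child: Dict[str, float]) -> float:
    """Step six: with the parent pointing to attacks A, B, C (probabilities a, b, c)
    and the child to A, B (probabilities c, d), the degree is (c + d)/(a + b + c).
    A result below 0.707 calls for an extra confidence dimension."""
    shared = sum(p for attack, p in child.items() if attack in parent)
    return shared / sum(parent.values())


def classification_threshold(space1: Tuple[float, float],
                             space2: Tuple[float, float]) -> Optional[float]:
    """Step ten: when two clustering spaces overlap, the threshold is the median
    of the overlapping part (for a continuous interval, its midpoint)."""
    low, high = max(space1[0], space2[0]), min(space1[1], space2[1])
    if low >= high:
        return None  # disjoint spaces need no threshold
    return (low + high) / 2


def classification_accuracy(space1: Tuple[float, float], threshold: float) -> float:
    """Step ten: for attack 1 (decided when the value exceeds the threshold), the part
    of its clustering space below the threshold is misjudged; the rest is the accuracy."""
    low, high = space1
    return 1.0 - (threshold - low) / (high - low)


def meets_requirement(accuracy: float, required: float) -> bool:
    """Step eleven: below the decision accuracy requirement, return to step eight
    and increment the unknowns; otherwise the confidence values are final."""
    return accuracy >= required


if __name__ == "__main__":
    probs = association_probabilities(ATTACK_MODELS)
    for level, rules in enumerate(grade_into_levels(probs), start=1):
        print(f"level {level}: {rules}")
    # Constructed parent/child nodes with their per-attack association probabilities.
    degree = association_degree({"A": 0.5, "B": 0.3, "C": 0.2}, {"A": 0.4, "B": 0.3})
    print(f"association degree {degree:.3f}, new dimension: {degree < ASSOCIATION_THRESHOLD}")
    a = classification_threshold((60.0, 100.0), (30.0, 70.0))   # constructed clustering spaces
    acc = classification_accuracy((60.0, 100.0), a)
    print(f"threshold {a}, accuracy {acc:.3f}, meets 0.9: {meets_requirement(acc, 0.9)}")
```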
After training the unified inference structure, how to determine the attack category of a security event is described in detail by an example. Specifically, the following steps may be included:
Step one, decomposing the attribute features and standardizing the attribute feature values of security events acquired in real time;
Decomposition splits the security event into attributes and attribute values; for example, "the attack target is the scan target of the previous event" is a one-to-one feature. Standardization unifies the attribute descriptions of security events from different sources into one standard description.
Step two, comparing the standardized attribute characteristic value with the characteristic rule of the current level node in the unified reasoning structure;
it should be noted that the comparison is performed from the root node of the unified inference structure for the first time. If the comparison is unsuccessful, the next node of the current level node is compared.
The comparison checks whether the standardized attribute feature value satisfies the feature rule. Suppose the feature rule is "packet loss rate greater than 50%"; if the packet loss rate attribute feature value of the currently acquired security event is 66%, the comparison matches.
Step three, if the comparison matches, the confidence value of the current node is added to the attack confidence value; if it does not match, nothing is done; then jump to the next-level node and return to step two. Note that the initial attack confidence value is 0.
Step four, after the unified reasoning structure has been traversed, the classification threshold determines which attack's confidence space the confidence value falls into; the corresponding attack is then decided and an alarm is issued.
Step five, if the confidence value is not placed in any confidence space, analyzing the next attribute characteristic value, and turning to the step two;
and step six, analyzing all attribute characteristic values of the current security event, analyzing the next acquired security event, and turning to the step one.
Step seven, starting a timer when reasoning starts from the root node in step two; if the timer expires, the confidence value is cleared and the timer is reset. Timing with the timer and clearing the confidence value after a period of time prevents an isolated security event from occupying confidence value resources for a long time and disrupting the normal analysis process.
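The online decision procedure of steps one to seven above, as an added Python illustration that is not the patent's own code; the tree and its confidence values, the confidence spaces, the 180-second timeout and the choice of destination IP as the key that ties an event chain together are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Node:
    """One node of the unified inference structure: a feature rule on a single
    attribute and the confidence value added when a standardized value matches."""
    attribute: str
    rule: Callable[[str], bool]
    confidence: float
    children: List["Node"] = field(default_factory=list)


# Constructed tree. Level 1 holds the event-category rules, level 2 the refining
# rules; the confidence values are made-up training results, not from the patent.
TREE: List[Node] = [
    Node("event_category", lambda v: v == "suspicious_scan", 20.0, [
        Node("dst_port", lambda v: v in ("80", "443"), 15.0),
    ]),
    Node("event_category", lambda v: v == "web_attack", 40.0, [
        Node("event_level", lambda v: v == "high", 30.0),
    ]),
]

# Constructed confidence spaces (step four): [low, high) per attack category.
CONFIDENCE_SPACES: Dict[str, Tuple[float, float]] = {
    "web_attack": (60.0, 90.0),               # web attack with no prior reconnaissance
    "scan_then_web_attack": (90.0, 1000.0),   # scan followed by web attack on one target
}

TIMEOUT_SECONDS = 180.0  # assumed timer value; the patent gives none


def traverse(level: List[Node], event: Dict[str, str]) -> float:
    """Steps two and three: compare the event's standardized attribute values with
    the feature rules level by level, summing the confidence of each matched node.
    Within a level the next node is tried when one does not match; when no node of
    a level matches, the traversal ends."""
    total = 0.0
    while level:
        matched = next((n for n in level
                        if n.attribute in event and n.rule(event[n.attribute])), None)
        if matched is None:
            break
        total += matched.confidence
        level = matched.children
    return total


def classify(confidence: float) -> Optional[str]:
    """Step four: the attack whose confidence space contains the value, if any."""
    for attack, (low, high) in CONFIDENCE_SPACES.items():
        if low <= confidence < high:
            return attack
    return None


class Analyzer:
    """Keeps one attack confidence value and one timer per correlation key
    (assumed here: the destination IP), so that confidence accumulates across
    the events of a chain and isolated events are forgotten when the timer expires."""

    def __init__(self) -> None:
        self.state: Dict[str, Tuple[float, float]] = {}  # key -> (confidence, timer start)

    def analyze(self, event: Dict[str, str], now: float) -> Optional[str]:
        key = event["dst_ip"]
        if key in self.state and now - self.state[key][1] > TIMEOUT_SECONDS:
            del self.state[key]                  # step seven: timer expired, clear confidence
        confidence, started = self.state.get(key, (0.0, now))  # timer starts at root traversal
        confidence += traverse(TREE, event)
        attack = classify(confidence)
        if attack is not None:
            self.state.pop(key, None)            # alarm raised; assumed: chain state released
            return attack
        self.state[key] = (confidence, started)  # step five: keep accumulating
        return None


if __name__ == "__main__":
    # Constructed events: a scan followed 60 s later by a web attack on the same host.
    analyzer = Analyzer()
    scan = {"dst_ip": "10.0.0.5", "event_category": "suspicious_scan", "dst_port": "80"}
    web = {"dst_ip": "10.0.0.5", "event_category": "web_attack", "event_level": "high"}
    print(analyzer.analyze(scan, 0.0))    # None: 35 falls in no confidence space
    print(analyzer.analyze(web, 60.0))    # scan_then_web_attack: 35 + 70 = 105
```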
It will be understood by those skilled in the art that all or part of the steps of implementing the above method embodiments may be implemented by hardware associated with program instructions, the program may be stored in a storage medium readable by a computing device, and the program may execute the steps of the above method embodiments when executed, and the storage medium may include various media capable of storing program codes, such as ROM, RAM, magnetic disk and optical disk.
Fig. 3 is a schematic structural diagram of an intelligent association analysis apparatus for security events according to an embodiment of the present disclosure.
As shown in fig. 3, the apparatus 30 in this embodiment may include an event collecting unit 302 and a category determining unit 304. Wherein,
the event acquisition unit 302 is used for decomposing the attribute features and standardizing the attribute feature values of security events acquired in real time;
and the category judgment unit 304 is configured to traverse the offline generated unified inference structure by using the normalized attribute feature values to determine the attack category.
In this embodiment, the association analysis efficiency for security events acquired in real time is improved by the offline-generated unified reasoning structure, computation space and time cost are saved, and a balance between precision and efficiency is achieved.
In one embodiment, the intelligent association analysis apparatus for security events may further include a unified inference structure generation unit, where the unified inference structure generation unit includes a collection subunit, a sample decomposition subunit, an association probability calculation subunit, a structure formation subunit, and a confidence value determination subunit. Wherein,
the collecting subunit is used for collecting the attack model library and the security event training samples; the sample decomposition subunit is used for decomposing the security event training samples into a feature library; the association probability calculating subunit is used for calculating the association probability of each feature in the feature library with an attack; the structure forming subunit is used for grading each feature according to its association probability on the basis of a tree structure, forming the nodes at each level of the unified reasoning structure; and the confidence value determining subunit is used for training and calculating the confidence values of the nodes at each level so that they meet the decision accuracy requirement, and for determining a classification threshold and a classification accuracy.
In another embodiment, the category judgment unit includes a comparison subunit, an attack confidence value calculating subunit, and a category determining subunit. The comparison subunit is used for comparing the standardized attribute feature value with the feature rules of the nodes at each level of the unified inference structure, starting from its root node; the attack confidence value calculating subunit is used for summing the confidence values from the root node to the current node to form an attack confidence value if the standardized attribute feature value matches the feature rule; and the category determining subunit is used for determining the attack category according to the confidence space in which the attack confidence value lies after the unified inference structure has been traversed.
In another embodiment, the intelligent association analysis apparatus for security events further includes a timer, configured to start the timer at the beginning of traversal of the root node of the unified inference structure for a normalized attribute feature value, and clear the attack confidence value of a normalized attribute feature value if the timer expires.
The attribute characteristics of the security event may include, but are not limited to, a source IP address and port, a destination IP address and port, an event category, an event name, an event level, a device to which the event relates, and a time when the event occurred.
In another embodiment, the association analysis engine, which is based on the unified reasoning structure and fuses multiple attack models, comprises a unified reasoning structure generation module, a security event preprocessing module, a unified reasoning analysis decision module and an alarm module. Wherein,
the unified inference structure generation module is an offline information processing module that generates the unified inference structure through multiple rounds of training based on a security event sample library and the prior attack models. It comprises: the security event samples, the attack model library, the feature library and the unified reasoning structure.
The security event preprocessing module, the unified reasoning analysis decision module and the alarm module are online processing modules of the correlation analysis engine.
The security event preprocessing module is an information processing module for performing characteristic attribute decomposition and classification on the security events entering the correlation analysis engine.
The unified inference analysis decision module is an online processing module that performs association analysis on security events and decides, on the basis of the unified inference structure, whether an attack has occurred. It comprises the unified inference structure, a confidence value space and a timer.
The confidence value space is the storage space for the current and historical confidence values used in the unified inference analysis decision; the timer is a register that automatically times the unified inference analysis decision.
The alarm module is a system module which sends out an attack alarm.
To address the low efficiency of association analysis over massive numbers of security events in a telecommunication network environment, this embodiment provides an association analysis method based on a fuzzy decision tree that fuses multiple attack models: the attack decision conditions of the different attack models are identified by a multi-dimensional confidence value, and a single multi-path fuzzy decision tree is generated by training. The unified inference method improves the efficiency of association analysis, saves computation space and time, and achieves multi-source information association analysis with balanced precision and efficiency.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments can be mutually referred to. For the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the description of the method embodiment section for the relevant points.
While the present disclosure has been described with reference to exemplary embodiments, it should be understood that the present disclosure is not limited to the exemplary embodiments described above. It will be apparent to those skilled in the art that the above-described exemplary embodiments may be modified without departing from the scope and spirit of the disclosure. The scope of the following claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.

Claims (6)

1. An intelligent association analysis method for security events, comprising:
decomposing attribute characteristics and standardizing attribute characteristic values of the security events acquired in real time;
comparing the standardized attribute characteristic values with characteristic rules of nodes at all levels in the unified reasoning structure from the root node of the unified reasoning structure;
if the standardized attribute characteristic value is matched with the characteristic rule, the confidence values from the root node to the current node are superposed to form an attack confidence value;
after the unified inference structure is traversed, determining attack categories according to a confidence space where attack confidence values are located;
generating a unified inference structure by:
collecting an attack model library and a security event training sample;
decomposing the security event training sample into a feature library;
calculating the association probability of each feature and attack in the feature library;
classifying the features according to the association probability based on the tree structure to form nodes of all levels of a unified reasoning structure;
calculating the classification association degree between a lower-level node and its higher-level node, and adding a new dimension if the classification association degree is smaller than a threshold value;
calculating vector values of the classification relevance degrees in all dimensions, wherein the vector values are sine values of vector angles of the relevance probability and the classification relevance degrees;
calculating a confidence value of each node, wherein the confidence value is a weighted sum of vector values in each dimension, and the corresponding weight of the vector values in each dimension increases from 0 by a gradient of 1;
superposing the confidence values obtained by inferring over the security event chains of the attack models through the unified reasoning structure, and calculating the corresponding final confidence value results;
and determining a classification threshold and a classification accuracy by a median algorithm according to the clustering space of the final confidence value results corresponding to various attack models.
2. The intelligent correlation analysis method for security events according to claim 1, further comprising:
starting a timer at the root node traversal of the unified inference structure aiming at a standardized attribute characteristic value;
and if the timer is overtime, clearing the attack confidence value of the standardized attribute characteristic value.
3. The intelligent correlation analysis method for security events according to claim 1, wherein the attribute characteristics of the security event include source IP address and port, destination IP address and port, event category, event name, event level, device involved in the event, and time of occurrence of the event.
4. An intelligent correlation analysis device for security events, comprising:
the event acquisition unit is used for decomposing the attribute characteristics and standardizing the attribute characteristic values of the security events acquired in real time;
the category determination unit is used for traversing the offline-generated unified reasoning structure using the standardized attribute characteristic value so as to determine the attack category;
the category determination unit includes:
the comparison subunit is used for comparing the standardized attribute characteristic value with the characteristic rules of the nodes at all levels in the unified reasoning structure from the root node of the unified reasoning structure;
the attack confidence value calculation subunit is used for superposing the confidence values from the root node to the current node to form an attack confidence value if the standardized attribute feature value is matched with the feature rule;
the category determining subunit is used for determining the attack category according to the confidence space where the attack confidence value is located after the unified inference structure is traversed;
the intelligent association analysis device for the security events further comprises a uniform inference structure generation unit, wherein the uniform inference structure generation unit comprises:
the collecting subunit is used for collecting the attack model library and the security event training samples;
the sample decomposition subunit is used for decomposing the security event training sample into a feature library;
the association probability calculating subunit is used for calculating the association probability of each feature and the attack in the feature library;
the structure forming subunit is used for grading each characteristic according to the association probability based on the tree structure to form each level of nodes of the unified reasoning structure;
a confidence value determination subunit, configured to perform the following steps:
calculating the classification association degree between a lower-level node and its higher-level node, and adding a new dimension if the classification association degree is smaller than a threshold value;
calculating vector values of the classification relevance degrees in all dimensions, wherein the vector values are sine values of vector angles of the relevance probability and the classification relevance degrees;
calculating a confidence value of each node, wherein the confidence value is a weighted sum of vector values in each dimension, and the corresponding weight of the vector values in each dimension increases from 0 by a gradient of 1;
superposing the confidence values obtained by inferring over the security event chains of the attack models through the unified reasoning structure, and calculating the corresponding final confidence value results;
and determining a classification threshold and a classification accuracy by a median algorithm according to the clustering space of the final confidence value results corresponding to various attack models.
5. The intelligent correlation analysis device for security events according to claim 4, further comprising:
and the timer, which is started when traversal of the root node of the unified inference structure begins for one standardized attribute characteristic value, and which, if it expires, clears the attack confidence value of that standardized attribute characteristic value.
6. The intelligent correlation analysis device for the security events according to claim 4, wherein the attribute characteristics of the security events comprise source IP address and port, destination IP address and port, event category, event name, event level, device involved in the event and time of occurrence of the event.
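As an added example (not code from the patent), the online decision of claims 1 and 2 in Python: attribute values are standardized, the unified inference structure is traversed from the root, the confidence values of matched nodes are superposed, a per-source timer clears a stale attack confidence value, and the result is mapped to an attack category through a confidence space. The node rules, confidence values, category thresholds and event chain are all constructed; the page gives no concrete values for them.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    rule: dict                   # feature rule: attribute -> required value ({} is the root, matches all)
    confidence: float            # confidence value assigned to this node offline (constructed)
    children: list = field(default_factory=list)

def normalize(raw):
    """Decompose the event and standardise its attribute characteristic values."""
    return {"src_ip": raw["src_ip"].strip(), "dst_port": int(raw["dst_port"]),
            "event_category": raw["event_category"].strip().lower(), "event_level": int(raw["event_level"])}

def traverse(node, feat, acc=0.0):
    """Superpose confidence values of matched nodes from the root; the best path on the multi-path structure wins."""
    if any(feat.get(k) != v for k, v in node.rule.items()):
        return 0.0               # rule not matched: this path contributes nothing
    acc += node.confidence
    return max([acc] + [traverse(c, feat, acc) for c in node.children])

# Confidence space: lower bound of the interval assigned to each attack category (constructed thresholds).
CONFIDENCE_SPACE = [(0.0, "normal"), (1.5, "probe"), (3.0, "intrusion")]

def classify(value, space=CONFIDENCE_SPACE):
    return max((t, name) for t, name in space if value >= t)[1]

class AnalysisEngine:
    """Online decision module: per-source attack confidence value guarded by the claim 2 timer."""
    def __init__(self, root, timeout):
        self.root, self.timeout, self.state = root, timeout, {}   # state: src_ip -> (value, timer start)
    def process(self, raw, now):
        feat = normalize(raw)
        value, started = self.state.get(feat["src_ip"], (0.0, now))  # timer starts at first root traversal
        if now - started > self.timeout:                               # timer expired: clear the value
            value, started = 0.0, now
        value += traverse(self.root, feat)
        self.state[feat["src_ip"]] = (value, started)
        return classify(value)

# Constructed unified inference structure fusing two attack models (port scan, login failure).
ROOT = Node({}, 0.0, [
    Node({"event_category": "scan"}, 1.0, [Node({"event_level": 3}, 0.5)]),
    Node({"event_category": "auth_fail"}, 1.5, [Node({"dst_port": 22}, 1.0)]),
])
# Constructed event chain: (seconds, raw event); the last event arrives after the 60 s timer has expired.
SAMPLE_EVENTS = [
    (0, {"src_ip": " 10.0.0.5 ", "dst_port": "22", "event_category": "Scan", "event_level": "1"}),
    (10, {"src_ip": "10.0.0.5", "dst_port": "22", "event_category": "scan", "event_level": "3"}),
    (20, {"src_ip": "10.0.0.5", "dst_port": "22", "event_category": "AUTH_FAIL", "event_level": "2"}),
    (100, {"src_ip": "10.0.0.5", "dst_port": "80", "event_category": "scan", "event_level": "1"}),
]

def run_demo(events=SAMPLE_EVENTS, timeout=60):
    """Replay the chain; returns the attack category decided after each event."""
    engine = AnalysisEngine(ROOT, timeout)
    return [engine.process(raw, t) for t, raw in events]   # → ["normal", "probe", "intrusion", "normal"]
```

The third event crosses the "intrusion" threshold only because the confidence values of the earlier scan events are still held for the same source; the fourth, arriving after the timer has expired, starts from a cleared value.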
CN201410401184.2A 2014-08-15 2014-08-15 The intelligent association analysis method and device of security incident Active CN105376193B (en)
Publications (2)

Publication Number Publication Date
CN105376193A CN105376193A (en) 2016-03-02
CN105376193B true CN105376193B (en) 2019-06-04