CN108270785A - Knowledge graph-based distributed security event correlation analysis method - Google Patents


Info

Publication number: CN108270785A
Authority: CN (China)
Legal status: Granted (active)
Application number: CN201810036765.9A
Other languages: Chinese (zh)
Other versions: CN108270785B (en)
Inventors: 王伟, 江荣, 贾焰, 周斌, 李爱平, 杨树强, 韩伟红, 李润恒, 徐镜湖, 安伦, 亓玉璐, 杨行, 马凯, 林佳, 尚怀军
Current assignee: Sichuan Yilan Situation Technology Co ltd; National University of Defense Technology
Original assignee: Sichuan Yilan Situation Technology Co ltd; National University of Defense Technology
Application filed by Sichuan Yilan Situation Technology Co ltd and National University of Defense Technology; priority to CN201810036765.9A; published as CN108270785A; application granted and published as CN108270785B

Classifications (CPC)

    • H04L63/1433 Vulnerability analysis (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic)
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0677 Localisation of faults
    • H04L41/14 Network analysis or design

Abstract

The invention discloses a knowledge graph-based distributed network security event correlation analysis method, which specifically comprises the following steps: step 1) constructing a network security knowledge graph comprising five dimensions, namely a basic dimension, a vulnerability dimension, a threat dimension, an alert event dimension and an attack rule dimension; step 2) designing and implementing a security event correlation analysis algorithm on the basis of the knowledge graph constructed in step 1); and step 3) constructing a real-time big data analysis platform and applying the correlation analysis algorithm designed in step 2) to that platform, so as to realize a distributed correlation analysis system. The invention makes full use of current big data processing and analysis technologies to cope with large-scale data volumes, parallelizes the correlation analysis algorithm, and realizes the design of a knowledge graph-based distributed correlation analysis algorithm.

Description

A knowledge graph-based distributed security event correlation analysis method
Technical field
The invention belongs to the field of network security situation awareness and relates to a knowledge graph-based distributed security event correlation analysis method.
Background art
As computer networks are applied ever more widely and grow ever larger, network security threats and risks of many kinds keep increasing: the threats and losses caused by network worms, DoS/DDoS attacks and the like are growing, and attack behaviour is becoming distributed, large-scale and complex. Relying on a single protection technology such as a firewall, intrusion detection, anti-virus or access control can no longer meet network security needs. To cope with increasingly complex and covert threats and to guarantee the safe operation of systems, the techniques of the network security situation awareness field are needed: the heterogeneous information produced by multi-source security equipment (firewalls, IDS, vulnerability scanning systems, security audit systems and so on) is fused so as to achieve macroscopic situation awareness of the whole network. However, while a comprehensive set of multi-source security devices perceives the overall network situation, the volume of alert information is large and the false-alarm rate is high, which places a serious burden on the system administrator.
Alert correlation provides a way of solving the above problem: by analysing the alarms produced by one or more intrusion detection systems it gives a more efficient, higher-level understanding of the attacks they concern. In practice most security events do not occur in isolation; there are sequential or causal relations between them. Security event correlation analysis means integrating security events in combination with their running environment, sifting the true from the false in the originally rather isolated, low-level network security event data by means such as filtering and aggregation, and mining the real connections between events that are hidden behind the data. Alert correlation consists mainly of the following sub-steps. Alert aggregation merges the alarms that different IDSs generate for the same security event, speeding up processing and meeting the real-time requirement of situation awareness. Alert correlation reduces redundant alarms, reconstructs attack scenarios and discovers the attacker's true purpose, so that the related defects can be repaired in a targeted way and the normal operation of the network maintained. Alert verification identifies the false alarms coming from the detectors; if this step is omitted, erroneous correlation results are likely to be produced. Finally comes attack scenario reconstruction: an attack scenario usually comprises a series of attack activities that reach a final attack purpose, and this step builds the attack route by analysing the generated alarms and predicts the attacker's true target. Security event correlation analysis in a traditional situation awareness system considers information from multiple dimensions, such as the basic dimension, the vulnerability dimension and the threat dimension, but such systems have the following problems.
First, a traditional situation awareness system stores the dimensions independently in a relational database such as MySQL; real-time correlation analysis then requires many fast table-join operations, the dimensions cooperate poorly, and the real-time performance and accuracy of the correlation analysis suffer greatly, which is severe for a situation awareness system with strict real-time requirements. Second, other information such as attack-rule knowledge is usually unstructured, and storing it in a conventional relational database is not flexible enough. Third, traditional rule-based correlation analysis relies on expert knowledge to construct attack scenarios, so novel attacks that are absent from the attack-template knowledge base generally cannot be analysed and reasoned about automatically. The most important problem is not a lack of available information but the fusion of independent fragments of information into one overall picture for situation awareness.
Another outstanding problem is that the correlation analysis methods proposed by earlier scholars are usually algorithms designed for a single machine; in the present big-data era, with the rapid development of the Internet and the continuous expansion of network scale, they cannot meet large-scale data analysis requirements well.
Summary of the invention
The technical problem to be solved by the invention is to provide a knowledge graph-based distributed network security event correlation analysis method.
The technical solution adopted by the invention to solve the above technical problem is as follows:
A knowledge graph-based distributed network security event correlation analysis method, which specifically comprises the following steps:
Step 1) constructing a network security knowledge graph comprising five dimensions: a basic dimension, a vulnerability dimension, a threat dimension, an alert event dimension and an attack rule dimension;
Step 2) designing and implementing a security event correlation analysis algorithm on the basis of the knowledge graph constructed in step 1);
Step 3) building a real-time big data analysis platform and applying the correlation analysis algorithm designed in step 2) to that platform, so as to realize a distributed correlation analysis system.
Preferably, step 1) specifically comprises:
collecting the knowledge information of the five dimensions, namely CVE vulnerability knowledge, CAPEC attack classification knowledge, CWE host software knowledge, Snort alert event knowledge and expert knowledge of attack rules;
extracting entity attribute information by writing XML processing programs and regular expressions;
using the graph database Neo4j as the knowledge graph construction tool and inserting the above knowledge information into the knowledge graph by writing Cypher statements;
building edges for the relationships needed between the different dimensions, so that all sub-graphs are connected into one complete, usable graph.
Preferably, step 2) comprises:
Step 2-1) a security event pre-processing sub-step, comprising:
when analysing alert events, pre-processing the alarms of various formats generated by the security products supplied by different vendors;
Step 2-2) a security event verification sub-step, comprising: judging, through the association between the alarm and the basic dimension and the vulnerability dimension, whether the alarm belongs to a genuine security event;
Step 2-3) a scenario reconstruction sub-step, comprising: discovering the attacker's true attack purpose through the relationships between correlated events.
Preferably, step 2-1) specifically comprises: pre-processing the information reported by the different devices into a data format of a unified standard.
Preferably, step 2-2) further comprises:
normalizing the security event and obtaining the target IP address;
quickly locating the host from the target IP address, obtaining the host's status information in band or out of band, including CPU utilization, vulnerabilities and network bandwidth utilization, and judging whether to retain or filter the alert event by comparing the characteristics of the security event with the host information obtained.
Preferably, step 2-3) further comprises:
classifying by target IP, then using Cypher to quickly retrieve from the knowledge graph the scenario related to the event, and buffering the scenario into memory if it is not yet there;
then constructing a scenario instance from the static scenario knowledge and the target IP; when subsequent events with the same IP arrive, modifying the corresponding event field information in the scenario instance, and outputting the scenario once every element it contains is satisfied.
Preferably, step 3) specifically comprises: implementing the correlation analysis process of step 2) on the real-time big data processing platform Storm, with several non-relational databases assisting the implementation.
Preferably, in step 2-1) the alert events comprise attacks and false noise events, and in step 2-2) event verification is performed on the alert events and the real events are retained;
wherein an alarm layer sits above the event layer and a scenario layer above the alarm layer, the three forming a tree-structured organization.
Preferably, step 2-3) specifically comprises:
for each arriving event, first searching the buffer for a scenario related to the event, the buffer being implemented with the MongoDB non-relational database and MongoDB's field lookup function being used to judge whether the required event is in the buffer;
if it is not, searching the knowledge graph for all scenarios related to the event and buffering the results in MongoDB;
searching the scenario instances to be matched for an instance related to the event's target IP; if there is none, there is as yet no attack on that IP, and a scenario instance related to that IP is created;
each scenario instance may contain several alarms, and each alarm may contain several security events, so the correlation analysis process is the continual matching of alarm attributes and event attributes in the scenario from 0 to 1; when all fields are set to 1 the scenario is satisfied, the true purpose of the attack is that attack scenario, the correlation process ends and the correlation result is output.
Preferably, the knowledge graph is implemented with the Neo4j non-relational database, and database lookups are expressed in the graph query language Cypher provided by Neo4j itself;
looking up the scenarios associated with an event with Cypher is a second-order relationship lookup, because the alarm layer lies between the event and the scenario.
On the one hand the invention speeds up the unified retrieval of multidimensional data; on the other hand it improves the flexibility of knowledge representation and updating. In addition the knowledge graph can provide path search between two entity nodes, which can be used for knowledge reasoning, knowledge verification and the self-learning of new knowledge. Knowledge graph-based correlation analysis has a faster analysis speed and better scalability than conventional methods. The invention also makes full use of current big data processing and analysis technologies to cope with large-scale data volumes, parallelizing the correlation analysis algorithm and realizing the design of a knowledge graph-based distributed correlation analysis algorithm.
Other features and advantages of the invention will be set out in the following description, and will partly become clear from the description or be understood by implementing the invention. The objects and other advantages of the invention can be realized and obtained by the structure specifically pointed out in the written description, the claims and the drawings.
Description of the drawings
The invention is described in detail below with reference to the drawings, so that the above advantages become clear. In the drawings,
Fig. 1 is a flow chart of the network security event correlation analysis;
Fig. 2 is a framework diagram of the knowledge graph-based distributed network security event management and analysis.
Detailed description
Embodiments of the invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve technical problems and achieve technical effects can be fully understood and implemented. It should be noted that, as long as no conflict arises, the embodiments of the invention and the features in them can be combined with each other, and the resulting technical solutions fall within the scope of protection of the invention.
In addition, the steps shown in the flow chart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flow chart, in some cases the steps shown or described may be performed in an order different from the one given here.
As shown in Fig. 1 and Fig. 2, to achieve the object of the invention, its specific technical solution is as follows:
A knowledge graph-based distributed network security event correlation analysis method, which specifically comprises the following steps:
Step 1) constructing a network security knowledge graph comprising five dimensions: a basic dimension, a vulnerability dimension, a threat dimension, an alert event dimension and an attack rule dimension;
Step 2) designing and implementing a security event correlation analysis algorithm on the basis of the knowledge graph constructed in step 1);
Step 3) building a real-time big data analysis platform and applying the correlation analysis algorithm designed in step 2) to that platform, so as to realize a distributed correlation analysis system;
As a preference of the technical solution of the invention, step 1) specifically comprises collecting the knowledge information of the five dimensions, namely CVE vulnerability knowledge, CAPEC attack classification knowledge, CWE host software knowledge, Snort alert event knowledge and expert knowledge of attack rules, and extracting entity attribute information by writing XML processing programs and regular expressions. The graph database Neo4j is used as the knowledge graph construction tool, and the above knowledge information is inserted into the knowledge graph by writing Cypher statements. Edges are built for the relationships needed between the different dimensions, so that all sub-graphs are connected into one complete, usable graph.
As a preference of the technical solution of the invention, step 2) specifically comprises the following steps:
Step 2-1) is security event pre-processing. When analysing alert events, the first problem faced is the alarms of various formats generated by the security products supplied by different vendors. To make event correlation possible, the information reported by the different devices therefore has to be pre-processed into a data format of a unified standard, such as IDMEF, which is defined by the Intrusion Detection Working Group (IDWG).
Step 2-2) is security event verification. An IDS can generate a huge number of alarms every day, but most of them are usually false alarms. Alert verification judges, through the association between the alarm and the basic dimension and the vulnerability dimension, whether the alarm belongs to a genuine security event. Because the target IP address is easily obtained once each security event has been normalized, the host is quickly located from the target IP address, the host's status information (including CPU utilization, vulnerabilities and network bandwidth utilization) is obtained in band or out of band, and the alert event is retained or filtered by comparing the characteristics of the security event with the host information obtained.
Step 2-3) is the scenario reconstruction step. As the core step of correlation analysis, scenario reconstruction discovers the attacker's true attack purpose through the relationships between correlated events. Events are first classified by target IP; Cypher is then used to quickly retrieve the scenario related to the event from the knowledge graph, and if the scenario is not yet in memory it is buffered into memory. A scenario instance is then constructed from the static scenario knowledge and the target IP; when subsequent events with the same IP arrive, the corresponding event field information in the scenario instance is modified, and once every element the scenario contains is satisfied the scenario is output.
As a preference of the technical solution of the invention, step 3) implements the correlation analysis process of step 2) on the real-time big data processing platform Storm, with several non-relational databases assisting the implementation.
Advantages or beneficial effects of the invention:
Compared with the prior art, the advantages of the invention are as follows:
The invention proposes a knowledge graph-based distributed network security event correlation analysis method that stores network knowledge information in knowledge graph form instead of in a traditional relational database. On the one hand this speeds up the unified retrieval of multidimensional data; on the other hand it improves the flexibility of knowledge representation and updating. In addition the knowledge graph can provide path search between two entity nodes, which can be used for knowledge reasoning, knowledge verification and the self-learning of new knowledge. Knowledge graph-based correlation analysis has a faster analysis speed and better scalability than conventional methods. The invention also makes full use of current big data processing and analysis technologies to cope with large-scale data volumes, parallelizing the correlation analysis algorithm and realizing the design of a knowledge graph-based distributed correlation analysis algorithm.
The key technical points and the points to be protected of this patent are:
1. constructing a Chinese network security knowledge graph comprising an underlying asset dimension, a vulnerability dimension, an attack threat dimension and a static alert information dimension;
2. constructing scenario rules on the basis of the network security knowledge graph and designing a knowledge graph-based security event correlation analysis method;
3. designing a distributed correlation analysis framework and implementing the correlation analysis method in a distributed manner.
Embodiments of the invention are described in detail below. Examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting the claims.
A detailed description according to embodiments of the invention follows, with reference to the drawings.
Fig. 1 is the flow chart of the network security event correlation analysis. As shown in Fig. 1, in the embodiment of the invention the input security events comprise both real attacks and false noise events, so event verification has to be performed first in order to retain the real events. To facilitate the subsequent construction of scenarios, the embodiment places an alarm layer above the event layer and a scenario layer above the alarm layer, the three being organized in a tree-like structure. The advantage of this is that knowledge graph queries at various granularities are supported, with better scalability and higher search efficiency. For each arriving event, the buffer is first searched for a scenario related to the event. The buffer is implemented with the MongoDB non-relational database, and MongoDB's field lookup function is used to judge whether the required event is in the buffer. If it is not, the knowledge graph is searched for all scenarios related to the event and the results are buffered in MongoDB. The knowledge graph is implemented with the Neo4j non-relational database, and database lookups are expressed in the graph query language Cypher provided by Neo4j itself. Looking up the scenarios associated with an event with Cypher is a second-order relationship lookup, because the alarm layer lies between the event and the scenario; compared with the table-join operations of a relational database, this is a great advantage here. The scenario instances to be matched are then searched for an instance related to the event's target IP; if there is none, there is as yet no attack on that IP, and a scenario instance related to that IP is created.
Each scenario instance may contain several alarms, and each alarm may contain several security events. The correlation analysis process is therefore the continual matching of alarm attributes and event attributes in the scenario from 0 to 1: when all fields are set to 1 the scenario is satisfied, and the true purpose of the attack is that attack scenario. The correlation process then ends and the correlation result is output.
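The verification and scenario-reconstruction steps described above (steps 2-2 and 2-3, and the event/alarm/scenario tree of the embodiment), as an added example that is not part of the patent: Neo4j/Cypher and MongoDB are replaced by in-memory dicts, and every identifier in it (IPs, signature ids, CVE placeholders, scenario and alarm names, the "keep events without a CVE reference" policy) is a constructed assumption.

```python
"""Toy model of the patent's event verification (step 2-2) and scenario reconstruction (step 2-3).

Added example, not the patent's code. Neo4j/Cypher and MongoDB are replaced by Python dicts;
all IPs, signature ids, CVE placeholders, scenario and alarm names below are constructed.
"""

# --- Step 1 stand-in: a tiny knowledge graph across the dimensions (constructed data) ---
HOST_SOFTWARE = {                     # basic dimension: host -> software it runs
    "10.0.0.5": {"example-httpd"},
    "10.0.0.9": {"example-db"},
}
SOFTWARE_CVES = {                     # vulnerability dimension: software -> CVE placeholders
    "example-httpd": {"CVE-XXXX-0001"},
    "example-db": {"CVE-XXXX-0002"},
}
SIG_CVE = {                           # alert event dimension: signature id -> CVE it references
    "sid-1001": "CVE-XXXX-0001",
    "sid-1002": "CVE-XXXX-0002",
}
SCENARIOS = {                         # attack rule dimension: scenario -> alarm -> event signature ids
    "scenario-recon-then-exploit": {"alarm-scan": ["sid-2000"], "alarm-exploit": ["sid-1001"]},
    "scenario-db-abuse": {"alarm-db": ["sid-1002"]},
}


def normalize(raw: dict) -> dict:
    """Step 2-1 stand-in: map two vendor field layouts onto one unified record (constructed schema)."""
    return {"sid": raw.get("sid") or raw.get("signature_id"),
            "target_ip": raw.get("target_ip") or raw.get("dst")}


def host_cves(ip: str) -> set:
    """Basic dimension -> vulnerability dimension: the CVEs carried by the software on a host."""
    return set().union(*(SOFTWARE_CVES.get(sw, set()) for sw in HOST_SOFTWARE.get(ip, set())))


def verify(event: dict) -> bool:
    """Step 2-2: keep an event only if the target host really carries the vulnerability its
    signature refers to. Signatures with no CVE reference pass through (assumed policy)."""
    cve = SIG_CVE.get(event["sid"])
    return cve is None or cve in host_cves(event["target_ip"])


class Correlator:
    """Step 2-3: one instance per (scenario, target IP) whose fields flip from 0 to 1 as events arrive."""

    def __init__(self):
        self.scenario_cache = {}   # MongoDB stand-in: signature id -> scenarios found in the graph
        self.instances = {}        # (scenario, target_ip) -> {signature id: 0 or 1}

    def scenarios_for(self, sid: str) -> list:
        """Second-order lookup event -> alarm -> scenario (the Cypher query in the patent),
        answered from the cache after the first graph search."""
        if sid not in self.scenario_cache:
            self.scenario_cache[sid] = [name for name, alarms in SCENARIOS.items()
                                        if any(sid in sids for sids in alarms.values())]
        return self.scenario_cache[sid]

    def feed(self, raw_events: list) -> list:
        """Run normalize -> verify -> match; return (scenario, ip) pairs whose fields are all 1."""
        completed = []
        for raw in raw_events:
            ev = normalize(raw)
            if not verify(ev):
                continue                                   # noise / false alarm dropped here
            for scenario in self.scenarios_for(ev["sid"]):
                key = (scenario, ev["target_ip"])
                if key not in self.instances:              # first event for this IP: new instance
                    self.instances[key] = {sid: 0 for alarms in SCENARIOS[scenario].values()
                                           for sid in alarms}
                self.instances[key][ev["sid"]] = 1
                if all(self.instances[key].values()) and key not in completed:
                    completed.append(key)
        return completed


# Constructed input: records from two vendors using different field names.
SAMPLE_EVENTS = [
    {"signature_id": "sid-2000", "dst": "10.0.0.5"},   # scan alarm against the httpd host
    {"sid": "sid-1002", "target_ip": "10.0.0.5"},      # db signature, host runs no db: filtered
    {"sid": "sid-1001", "target_ip": "10.0.0.5"},      # matches the host's CVE: completes the scenario
    {"sid": "sid-1001", "target_ip": "10.0.0.9"},      # httpd signature against the db host: filtered
]

if __name__ == "__main__":
    print(Correlator().feed(SAMPLE_EVENTS))   # [('scenario-recon-then-exploit', '10.0.0.5')]
```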
Fig. 2 is the framework diagram of the knowledge graph-based distributed network security event management and analysis. As shown in Fig. 2, the distributed architecture of the embodiment mainly comprises a data acquisition module, a data aggregation, merging and distribution module, a real-time data analysis module and a data storage module.
The data acquisition module in this embodiment uses Flume, the open-source distributed log collection system of the Apache organization, which collects the data on each server and sends it to a designated log buffer server. One benefit of using Flume as the data collection tool is that the collection mode can be customized per data source, including the source location, the collection frequency and the transmission mode. The data collection module sends the collected data to the data aggregation, merging and distribution module.
The core function of the data aggregation, merging and distribution module in this embodiment is to buffer the mass of collected data and classify it by topic. It is implemented with the open-source Kafka message middleware system of the Apache organization. Kafka is a distributed publish-subscribe messaging system. Like other publish-subscribe systems, Kafka keeps messages in topics: producers write data to a topic and consumers read data from it. Because Kafka is distributed by design, a topic can also be partitioned and replicated across multiple nodes. Our main purposes in using Kafka middleware are: 1. reducing coupling: the acquisition and the processing of security data are completely separated, and Kafka message middleware is used between them to transmit and manage the data, so that both parts are programmed against Kafka interfaces, which reduces coupling and improves the scalability of the system; 2. ensuring accuracy: since the system generates a large amount of data simultaneously in a production environment, managing that data by hand-written code would be a huge undertaking, whereas Kafka guarantees the reliability of data management; 3. buffering: the production and consumption rates of messages are usually unequal, and if a series of attacks occurs at some moment, a peak of alert data is generated; if the correlation analysis component cannot process it quickly enough, data accumulates and, as event information keeps being generated, data is lost. With Kafka the data can be buffered on local disk and await later consumption.
The real-time correlation analysis module in this embodiment is the core module of the system and is implemented on Storm, the open-source real-time data analysis platform of the Apache organization. The module is responsible for pulling the specified data from the Kafka message system in order to realize the knowledge graph-based security event correlation analysis function. Storm is an event processor that can process streaming data in a distributed way. A Storm application consists of "spouts" and "bolts", which are configured into a directed acyclic graph representing the information sources and the data processing routines. Storm's main characteristic is that it processes real-time data rather than batches, unlike Hadoop. Our main reasons for using Storm as the real-time processing tool are: 1. a simple programming model: just as MapReduce reduces the complexity of parallel batch processing, Storm reduces the complexity of real-time processing, and it suffices to implement the spout data-receiving interface and the bolt data-processing interface and to construct a topology; 2. horizontal scaling: computation proceeds in parallel across multiple threads, processes and servers, which guarantees the running speed of the system; 3. local mode: Storm has a "local mode" that can fully simulate a Storm cluster during development; 4. distributed processing logic: Storm uses a layered pattern in which each layer's bolt completes one function and hands over to the next layer, so the whole implementation can be divided into several steps with definite functions, which is easier to implement.
The data storage module in this embodiment stores the raw event data and the scenario information output after correlation analysis. The system can also deploy several data statistics threads to provide short-term and long-term statistics, and the statistics likewise need the support of the storage module. The module stores structured information in the MySQL relational database and unstructured information in the MongoDB database.
In the embodiment of the invention, the modules described above are driven by data. Since the modules use several relational and non-relational databases, database specialists are needed to design and optimize the databases. Each module also uses distributed system tools at the bottom, so it has to be configured reasonably according to the actual data processing scale, including the master/slave configuration, node bandwidth and memory configuration, and operated and maintained by personnel with distributed deployment experience.
It should be noted that, for the sake of brevity, the above method embodiments are all expressed as a series of combined actions; however, those skilled in the art should understand that the application is not limited by the described sequence of actions, because according to the application certain steps may be carried out in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the application.
Those skilled in the art should understand that the embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects.
Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical memory) that contain computer-usable program code.
Finally, it should be noted that the foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical solutions recorded in the foregoing embodiments or substitute equivalents for some of their technical features. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A knowledge-graph-based distributed network security event correlation analysis method, characterised in that it specifically comprises the following steps:
Step 1) constructing a network security knowledge graph comprising five dimensions: a basic dimension, a vulnerability dimension, a threat dimension, an alert event dimension and an attack rule dimension;
Step 2) on the basis of the knowledge graph constructed in step 1), designing and implementing a security event correlation analysis algorithm;
Step 3) building a real-time big data analysis platform and applying the correlation analysis algorithm designed in step 2) to the constructed big data platform, thereby implementing a distributed correlation analysis system.
2. The knowledge-graph-based distributed network security event correlation analysis method according to claim 1, characterised in that step 1) specifically comprises:
collecting the knowledge information of the five dimensions, respectively comprising CVE vulnerability knowledge, CAPEC attack classification knowledge, CWE host software knowledge, Snort alert event knowledge and attack rule expert knowledge;
extracting entity attribute information by writing XML processing programs and regular expressions;
completing the relationships between different dimensions for which edges need to be built, so that all sub-graphs are connected into one usable graph.
3. The knowledge-graph-based distributed network security event correlation analysis method according to claim 1 or 2, characterised in that step 2) comprises:
Step 2-1) a security event pre-processing sub-step, comprising:
when analysing alert events, pre-processing the alerts of various formats generated by the security products of different vendors;
Step 2-2) a security event verification sub-step, comprising: judging whether an alert belongs to a genuine security incident through the association relationship between the alert and the basic dimension and vulnerability dimension;
Step 2-3) a scene reconstruction sub-step, comprising: discovering the attacker's true attack purpose through the relationships between correlated events.
4. The knowledge-graph-based distributed network security event correlation analysis method according to claim 3, characterised in that step 2-1) specifically comprises: pre-processing the information reported by different devices into a unified standard data format.
5. The knowledge-graph-based distributed network security event correlation analysis method according to claim 3, characterised in that step 2-2) further comprises:
normalising the security event and obtaining the target IP address;
quickly locating the host according to the target IP address, obtaining the state information of that host in-band or out-of-band, including CPU utilisation, vulnerabilities and network bandwidth utilisation, and deciding whether to retain or filter the alert event by comparing the characteristics of the security event with the obtained host information.
6. The knowledge-graph-based distributed network security event correlation analysis method according to claim 3, characterised in that step 2-3) further comprises:
classifying by target IP, then using Cypher to quickly retrieve the scenes associated with the event from the knowledge graph; if a scene is not present in memory, buffering that scene in memory;
then constructing a scene instance from the static scene knowledge and the target IP, and modifying the corresponding event field information in the scene instance when subsequent events with the same IP arrive; if all the instances contained in the scene are satisfied, outputting the scene.
7. The knowledge-graph-based distributed network security event correlation analysis method according to claim 1, characterised in that step 3) specifically comprises: implementing the correlation analysis process of step 2) on the real-time big data processing platform Storm, with the assistance of several non-relational databases during implementation.
8. The knowledge-graph-based distributed network security event correlation analysis method according to claim 1, characterised in that in step 2-1) the alert events comprise attack events and false noise events; in step 2-2), an event verification function is performed on the above alert events, retaining the real events;
wherein there is an alert layer above the event layer, and a scene layer above the alert layer, the three layers being organised in a tree structure.
9. The knowledge-graph-based distributed network security event correlation analysis method according to claim 8, characterised in that step 2-3) specifically comprises:
for each arriving event, first searching the buffer for scenes associated with the event, the buffer being implemented with the MongoDB non-relational database;
using the field lookup function of MongoDB to judge whether the buffer contains the required event;
if not, first searching the knowledge graph for all scenes associated with the event and buffering the result in MongoDB;
searching the scene instances to be matched for an instance related to the target IP of the event; if there is none, this means that no attack against that IP has occurred yet, and a scene instance related to that IP is created;
each scene instance may contain several alerts, and each alert may contain several security events;
so the correlation analysis process is the process of continuously matching the alert attributes and event attributes in the scene from 0 to 1; if all fields are set to 1, the scene is satisfied, the true purpose of this attack is that attack scenario, the whole correlation process ends and the correlation result is output.
10. The knowledge-graph-based distributed network security event correlation analysis method according to claim 1, characterised in that the knowledge graph is implemented using the Neo4j non-relational database, and database lookup uses the graph retrieval language Cypher provided by Neo4j;
because there is an alert layer between event and scene, searching for the scenes associated with an event with Cypher is a second-order relationship lookup.
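The scene matching of claims 6, 8 and 9 and the two-hop event-alert-scene lookup of claim 10, carried through on a constructed in-memory graph as an added example (not the patent's own code): the Neo4j graph and the MongoDB buffer are replaced by dicts, and every scene, alert and event name and IP address is a hypothetical sample value.

```python
"""Scene-instance matching from claims 6, 8 and 9 (added illustration, not the
patent's code). The graph and buffer are dicts standing in for Neo4j and
MongoDB; every scene, alert, event name and IP address is a constructed sample."""
from dataclasses import dataclass, field

# Constructed knowledge graph: scene -> alert -> events (the claim 8 tree).
# Walking event -> alert -> scene is the second-order lookup the patent runs
# as a Cypher query against Neo4j (claim 10); here it is a dict traversal.
KNOWLEDGE_GRAPH = {
    "scene_web_compromise": {"alert_recon": ["event_port_scan"],
                             "alert_exploit": ["event_sqli_attempt"],
                             "alert_backdoor": ["event_outbound_c2"]},
    "scene_brute_force": {"alert_login_failures": ["event_failed_login"],
                          "alert_login_success": ["event_successful_login"]},
}


def scenes_for_event(event_type):
    """Return the scenes containing an alert that holds this event type."""
    return sorted(scene for scene, alerts in KNOWLEDGE_GRAPH.items()
                  if any(event_type in evs for evs in alerts.values()))


@dataclass
class SceneInstance:
    """One scene template bound to one target IP (claim 9)."""
    scene: str
    target_ip: str
    fields: dict = field(default_factory=dict)  # (alert, event) -> 0 or 1

    def complete(self):
        return all(v == 1 for v in self.fields.values())


class Correlator:
    def __init__(self):
        self.scene_buffer = {}  # event type -> scenes (MongoDB stand-in)
        self.instances = {}     # (scene, target_ip) -> SceneInstance

    def _lookup(self, event_type):
        # Claim 9: check the buffer first, else query the graph and cache it.
        if event_type not in self.scene_buffer:
            self.scene_buffer[event_type] = scenes_for_event(event_type)
        return self.scene_buffer[event_type]

    def handle(self, event):
        """Process one verified event; return the scenes it completes."""
        outputs = []
        for scene in self._lookup(event["type"]):
            key = (scene, event["target_ip"])
            inst = self.instances.get(key)
            if inst is None:  # no attack on this IP recorded yet: new instance
                fields = {(alert, ev): 0
                          for alert, evs in KNOWLEDGE_GRAPH[scene].items()
                          for ev in evs}
                inst = self.instances[key] = SceneInstance(*key, fields)
            for alert, ev in inst.fields:  # flip matching fields from 0 to 1
                if ev == event["type"]:
                    inst.fields[(alert, ev)] = 1
            if inst.complete():  # claim 6: every field set, output the scene
                outputs.append(key)
                del self.instances[key]
        return outputs

    def pending(self):
        """Matched-field count of every scene instance still open."""
        return {k: sum(i.fields.values()) for k, i in self.instances.items()}


# Constructed sample stream of events that already passed verification.
SAMPLE_EVENTS = [
    {"type": "event_port_scan", "target_ip": "10.0.0.5"},
    {"type": "event_failed_login", "target_ip": "10.0.0.9"},
    {"type": "event_sqli_attempt", "target_ip": "10.0.0.5"},
    {"type": "event_port_scan", "target_ip": "10.0.0.5"},  # repeat stays 1
    {"type": "event_unknown", "target_ip": "10.0.0.5"},    # no scene: ignored
    {"type": "event_outbound_c2", "target_ip": "10.0.0.5"},
]


def run_sample():
    correlator = Correlator()
    completed = []
    for event in SAMPLE_EVENTS:
        completed.extend(correlator.handle(event))
    return completed, correlator.pending()
```

Running the sample stream completes the web-compromise scene for 10.0.0.5 only, while the single failed login on 10.0.0.9 leaves a brute-force instance open with one field matched, which is the partial state a detection engineer would inspect when tuning scene templates.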
CN201810036765.9A 2018-01-15 2018-01-15 Knowledge graph-based distributed security event correlation analysis method Active CN108270785B (en)

Publications (2)

Publication Number Publication Date
CN108270785A true CN108270785A (en) 2018-07-10
CN108270785B CN108270785B (en) 2020-06-30

Family

ID=62775447

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108881316A (en) * 2018-08-30 2018-11-23 中国人民解放军国防科技大学 Attack backtracking method under heaven and earth integrated information network
CN108933793A (en) * 2018-07-24 2018-12-04 中国人民解放军战略支援部队信息工程大学 The attack drawing generating method and its device of knowledge based map
CN109005069A (en) * 2018-08-29 2018-12-14 中国人民解放军国防科技大学 Network security knowledge graph association analysis method based on heaven-earth integrated network
CN109347801A (en) * 2018-09-17 2019-02-15 武汉大学 A kind of vulnerability exploit methods of risk assessment based on multi-source word insertion and knowledge mapping
CN109413109A (en) * 2018-12-18 2019-03-01 中国人民解放军国防科技大学 Heaven and earth integrated network oriented security state analysis method based on finite-state machine
CN109639670A (en) * 2018-12-10 2019-04-16 北京威努特技术有限公司 A kind of industry control network security postures quantitative estimation method of knowledge based map
CN109726293A (en) * 2018-11-14 2019-05-07 数据地平线(广州)科技有限公司 A kind of causal event map construction method, system, device and storage medium
CN109948911A (en) * 2019-02-27 2019-06-28 北京邮电大学 A kind of appraisal procedure calculating networking products Information Security Risk
CN110162976A (en) * 2019-02-20 2019-08-23 腾讯科技(深圳)有限公司 Methods of risk assessment, device and terminal
CN110378126A (en) * 2019-07-26 2019-10-25 北京中科微澜科技有限公司 A kind of leak detection method and system
CN110704743A (en) * 2019-09-30 2020-01-17 北京科技大学 Semantic search method and device based on knowledge graph
CN110704837A (en) * 2019-09-25 2020-01-17 南京源堡科技研究院有限公司 Network security event statistical analysis method
CN110807104A (en) * 2019-11-08 2020-02-18 上海秒针网络科技有限公司 Method and device for determining abnormal information, storage medium and electronic device
CN110933101A (en) * 2019-12-10 2020-03-27 腾讯科技(深圳)有限公司 Security event log processing method, device and storage medium
CN111010311A (en) * 2019-11-25 2020-04-14 江苏艾佳家居用品有限公司 Intelligent network fault diagnosis method based on knowledge graph
CN111611409A (en) * 2020-06-17 2020-09-01 中国人民解放军国防科技大学 Case analysis method integrated with scene knowledge and related equipment
CN111651591A (en) * 2019-03-04 2020-09-11 腾讯科技(深圳)有限公司 Network security analysis method and device
CN111797406A (en) * 2020-07-15 2020-10-20 智博云信息科技(广州)有限公司 Medical fund data analysis processing method and device and readable storage medium
CN111813953A (en) * 2020-06-23 2020-10-23 广州大学 Distributed knowledge graph construction system and method based on knowledge body
CN111988339A (en) * 2020-09-07 2020-11-24 珠海市一知安全科技有限公司 Network attack path discovery, extraction and association method based on DIKW model
CN112291261A (en) * 2020-11-13 2021-01-29 福建奇点时空数字科技有限公司 Network security log audit analysis method driven by knowledge graph
CN112613038A (en) * 2020-11-27 2021-04-06 中山大学 Security vulnerability analysis method based on knowledge graph
CN113259364A (en) * 2021-05-27 2021-08-13 长扬科技(北京)有限公司 Network event correlation analysis method and device and computer equipment
CN113312499A (en) * 2021-06-15 2021-08-27 合肥工业大学 Power safety early warning method and system based on knowledge graph
CN113507486A (en) * 2021-09-06 2021-10-15 中国人民解放军国防科技大学 Method and device for constructing knowledge graph of important infrastructure of internet
CN113596025A (en) * 2021-07-28 2021-11-02 中国南方电网有限责任公司 Power grid security event management method
CN114039765A (en) * 2021-11-04 2022-02-11 全球能源互联网研究院有限公司 Safety management and control method and device for power distribution Internet of things and electronic equipment
CN114844707A (en) * 2022-05-07 2022-08-02 南京南瑞信息通信科技有限公司 Graph database-based power grid network security analysis method and system
CN116401898A (en) * 2023-06-08 2023-07-07 中国人民解放军国防科技大学 Simulation application combination system and method based on publishing subscription
CN117807046A (en) * 2023-04-25 2024-04-02 深圳市中京政通科技有限公司 Data driving model and system based on event map analysis

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103124223A (en) * 2011-12-21 2013-05-29 中国科学院软件研究所 Method for automatically judging security situation of IT (information technology) system in real time
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
CN105119945A (en) * 2015-09-24 2015-12-02 西安未来国际信息股份有限公司 Log association analysis method for safety management center
CN105681303A (en) * 2016-01-15 2016-06-15 中国科学院计算机网络信息中心 Big data driven network security situation monitoring and visualization method
US20170293698A1 (en) * 2016-04-12 2017-10-12 International Business Machines Corporation Exploring a topic for discussion through controlled navigation of a knowledge graph

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Noel S et al.: "CyGraph: Graph-Based Analytics and Visualization for Cybersecurity", Handbook of Statistics *
Wei Wang et al.: "KGBIAC: Knowledge Graph Based Intelligent Alert Correlation Framework", International Symposium on Cyberspace Safety and Security *
Zhang Xuemiao et al.: "Network *** self-defence system based on network security situational awareness", Computer Applications and Software *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant