CN108270785A - Knowledge graph-based distributed security event correlation analysis method - Google Patents
- Publication number
- CN108270785A (application CN201810036765.9A)
- Authority
- CN
- China
- Prior art keywords
- event
- knowledge
- scene
- graph
- attack
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/0677—Localisation of faults
- H04L41/14—Network analysis or design
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a knowledge graph-based distributed network security event correlation analysis method, which comprises the following steps: step 1) constructing a network security knowledge graph comprising five dimensions, namely a basic dimension, a vulnerability dimension, a threat dimension, an alert event dimension and an attack rule dimension; step 2) designing and implementing a security event correlation analysis algorithm on the basis of the knowledge graph constructed in step 1); and step 3) constructing a real-time big data analysis platform and applying the correlation analysis algorithm designed in step 2) to it, thereby realising a distributed correlation analysis system. The invention makes full use of current big data processing and analysis technologies to cope with large data volumes, parallelises the correlation analysis algorithm and realises the design of a knowledge graph-based distributed correlation analysis algorithm.
Description
Technical field
The invention belongs to the field of network security situation awareness and relates generally to a knowledge graph-based distributed security event correlation analysis method.
Background art
As computer network applications become ever more widespread and networks grow ever larger, multi-faceted network security threats and risks keep increasing. The threats and losses caused by Internet worms, DoS/DDoS attacks and the like are growing, and attack behaviour is becoming distributed, large-scale and complex. Relying solely on single network security protection technologies such as firewalls, intrusion detection, anti-virus and access control can no longer meet network security needs. To cope with increasingly complex and well-hidden network security threats and to ensure the safe operation of systems, the technologies of the network security situation awareness field are needed to fuse the heterogeneous information generated by multi-source security devices, such as firewalls, IDSs, vulnerability scanners and security audit systems, and so achieve macroscopic situation awareness of the whole network. At the same time, when the overall network situation is perceived by integrating multi-source security devices, the huge volume of alert information and the high false-alarm rate place a heavy burden on system administrators.
Alert correlation provides a way to solve the above problems: by analysing the alerts generated by one or more intrusion detection systems, it gives a more efficient, higher-level understanding of the attacks behind them. In practice, most security events do not occur in isolation; there are sequential or causal relations between them. Security event correlation analysis means integrating security events together with their operating environment and, by means such as filtering and aggregation, sifting the originally isolated low-level network security event data so as to eliminate the false, retain the true and uncover the real connections between events hidden behind the data. Alert correlation mainly comprises the following sub-steps. Alert aggregation merges the alerts generated by different IDSs for the same security event, speeding up processing and meeting the real-time requirement of situation awareness. Alert correlation reduces redundant alerts, reconstructs attack scenarios and discovers the attacker's true purpose, so that the relevant defects can be repaired in a targeted way and the normal operation of the network safeguarded. Alert verification identifies false alerts coming from the detectors; without this step, erroneous correlation results are likely to be produced every time. Finally comes attack scenario reconstruction: an attack scenario usually comprises a series of attack activities that achieve the final attack goal, and this step analyses the generated alerts to construct the attack route and predict the attacker's true target. Security event correlation analysis in traditional situation awareness systems considers information of several dimensions, such as a basic dimension, a vulnerability dimension and a threat dimension. Such systems, however, have the following problems.
First, traditional situation awareness systems store the dimensions independently in a relational database such as MySQL. Real-time correlation analysis then requires many table join operations to be executed quickly, and the dimensions cooperate poorly, which greatly affects the real-time performance and accuracy of the correlation analysis and is very harmful for a situation awareness system with high real-time requirements. Second, information such as attack rule knowledge is usually unstructured, and storing it in a conventional relational database is not flexible enough. Third, traditional rule-based correlation analysis relies on expert knowledge to construct attack scenarios; novel attacks not present in the attack template knowledge base generally cannot be analysed and reasoned about automatically. The most important problem is not the lack of available information but the fusing of isolated pieces of information into an overall understanding of the situation.
Another outstanding problem is that the correlation analysis methods proposed by earlier scholars were usually designed as single-machine algorithms. In the current big data era, with the rapid development of the Internet and the continuous expansion of network scale, they cannot meet the requirements of large-scale data analysis well.
Summary of the invention
The technical problem to be solved by the invention is to provide a knowledge graph-based distributed network security event correlation analysis method.
The technical solution adopted by the invention to solve the above technical problem is as follows:
A knowledge graph-based distributed network security event correlation analysis method, comprising the following steps:
Step 1) constructing a network security knowledge graph comprising five dimensions: a basic dimension, a vulnerability dimension, a threat dimension, an alert event dimension and an attack rule dimension;
Step 2) designing and implementing a security event correlation analysis algorithm on the basis of the knowledge graph constructed in step 1);
Step 3) building a real-time big data analysis platform and applying the correlation analysis algorithm designed in step 2) to it, thereby realising a distributed correlation analysis system.
Preferably, step 1) specifically comprises:
collecting the knowledge information of the five dimensions, namely CVE vulnerability knowledge, CAPEC attack classification knowledge, CWE host software knowledge, Snort alert event knowledge and attack rule expert knowledge;
extracting entity attribute information by writing XML processing routines and regular expressions;
using the graph database Neo4j as the knowledge graph construction tool and inserting the above knowledge information into the knowledge graph by writing Cypher statements;
building edge relations between the different dimensions where needed, so that all the sub-graphs are connected into one complete, usable graph.
Preferably, step 2) comprises:
Step 2-1) a security event pre-processing sub-step: when analysing alert events, pre-processing the alerts of various formats generated by the security products of different vendors;
Step 2-2) a security event verification sub-step: judging whether an alert is a genuine security event by means of the relations between the alert and the basic and vulnerability dimensions;
Step 2-3) a scenario reconstruction sub-step: discovering the attacker's true purpose through the relations between correlated events.
Preferably, step 2-1) specifically comprises: pre-processing the information reported by the different devices into a unified standard data format.
Preferably, step 2-2) further comprises:
normalising the security event and obtaining the target IP address;
quickly locating the host by the target IP address, obtaining the host's status information in-band or out-of-band, including CPU utilisation, vulnerabilities and network bandwidth utilisation, and comparing the characteristics of the security event with the obtained host information to decide whether to keep or filter the alert event.
Preferably, step 2-3) further comprises:
classifying by target IP, then using Cypher to quickly retrieve from the knowledge graph the scenarios related to the event and, if a scenario is not present in memory, buffering it in memory;
then constructing a scenario instance from the static scenario knowledge and the target IP and, when subsequent events for the same IP arrive, updating the corresponding event fields in the scenario instance; if all the fields of the scenario instance are satisfied, outputting the scenario.
Preferably, step 3) specifically comprises: implementing the correlation analysis process of step 2) on the real-time big data processing platform Storm, assisted by several non-relational databases during the implementation.
Preferably, in step 2-1) the alert events comprise real attacks and false noise events, and in step 2-2) an event verification function is applied to the alert events and the real events are retained;
an alert layer sits above the event layer and a scenario layer above the alert layer, the three forming a tree-structured organisation.
Preferably, step 2-3) specifically comprises:
for each arriving event, first searching the buffer for scenarios related to the event, the buffer being implemented with the MongoDB non-relational database, and using MongoDB's field lookup function to judge whether the buffer contains the required event;
if it does not, first searching the knowledge graph for all scenarios related to the event and buffering the result in MongoDB;
then searching the scenario instances to be matched for an instance related to the event's target IP; if there is none, there is as yet no attack against that IP, and a scenario instance related to that IP is created;
each scenario instance may contain several alerts, and each alert may contain several security events, so the correlation analysis process is the process of the alert attributes and event attributes in the scenario being matched from 0 to 1; when all the fields are set to 1 the scenario is satisfied, the true purpose of the attack is this attack scenario, the whole correlation process ends and the correlation result is output.
Preferably, the knowledge graph is implemented with the Neo4j non-relational database, and database lookups use the graph query language Cypher provided by Neo4j itself;
the Cypher search for the scenarios associated with an event is a second-order relation lookup, because the alert layer lies between events and scenarios.
On the one hand the invention speeds up unified retrieval of multi-dimensional data; on the other hand it improves the flexibility of knowledge representation and updating. In addition, a knowledge graph can provide path search between two entity nodes, which can be used for knowledge reasoning, knowledge verification, self-learning of new knowledge and so on. Compared with conventional methods, knowledge graph-based correlation analysis has a faster analysis speed and better scalability. Furthermore, the invention makes full use of current big data processing and analysis technologies to cope with large data volumes, parallelises the correlation analysis algorithm and realises the design of a knowledge graph-based distributed correlation analysis algorithm.
Other features and advantages of the invention will be set forth in the following description and in part will become apparent from the description, or may be learned by practising the invention. The objects and other advantages of the invention may be realised and obtained by the structure particularly pointed out in the written description, claims and drawings.
Description of the drawings
The invention is described in detail below with reference to the accompanying drawings, so that the above advantages of the invention become clearer. In the drawings,
Fig. 1 is a flow chart of knowledge graph-based network security event correlation analysis;
Fig. 2 is a diagram of the knowledge graph-based distributed network security event management and analysis framework.
Detailed description of the embodiments
Embodiments of the invention are described in detail below with reference to the accompanying drawings and examples, so that how the invention applies technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented accordingly. It should be noted that, as long as no conflict arises, the embodiments of the invention and the features in each embodiment may be combined with one another, and the resulting technical solutions all fall within the protection scope of the invention.
In addition, the steps shown in the flow charts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from that given here.
As shown in Figs. 1 and 2, to achieve the object of the invention, the specific technical solution of the invention is as follows:
A knowledge graph-based distributed network security event correlation analysis method, comprising the following steps:
Step 1) constructing a network security knowledge graph comprising five dimensions: a basic dimension, a vulnerability dimension, a threat dimension, an alert event dimension and an attack rule dimension;
Step 2) designing and implementing a security event correlation analysis algorithm on the basis of the knowledge graph constructed in step 1);
Step 3) building a real-time big data analysis platform and applying the correlation analysis algorithm designed in step 2) to it, thereby realising a distributed correlation analysis system.
As a preferred technical solution, step 1) specifically comprises collecting the knowledge information of the five dimensions, namely CVE vulnerability knowledge, CAPEC attack classification knowledge, CWE host software knowledge, Snort alert event knowledge and attack rule expert knowledge, and extracting entity attribute information by writing XML processing routines and regular expressions. The graph database Neo4j is used as the knowledge graph construction tool, and the above knowledge information is inserted into the knowledge graph by writing Cypher statements. Edge relations are built between the different dimensions where needed, so that all the sub-graphs are connected into one complete, usable graph.
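Step 1) worked through as an added example that is not the patent's own code: constructed CVE- and CAPEC-style XML fragments are parsed with an XML parser, a constructed Snort rule is parsed with a regular expression, and the resulting entities and cross-dimension edges are rendered as parameterised Cypher MERGE statements of the kind one would run against Neo4j. The node labels, relation names, scenario rule and every identifier below are assumptions made for the illustration; the patent names the sources but does not give a schema.

```python
"""Step 1) as an added example: pull entities out of constructed XML and Snort
rule text, then emit parameterised Cypher MERGE statements for Neo4j.  Every
identifier, label and relation name here is constructed or assumed."""
import re
import xml.etree.ElementTree as ET

# Constructed feed fragments (not real CVE/CAPEC/Snort content).
CVE_XML = """<vulnerabilities>
  <entry id="CVE-2099-0001">
    <summary>Constructed overflow in example-httpd 1.0</summary>
    <cvss>9.8</cvss>
    <cwe id="CWE-0001"/>
    <product>example-httpd:1.0</product>
  </entry>
</vulnerabilities>"""
CAPEC_XML = """<attack_patterns>
  <pattern id="CAPEC-9001" name="Constructed Overflow Pattern">
    <related_weakness id="CWE-0001"/>
  </pattern>
</attack_patterns>"""
SNORT_RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE httpd overflow"; '
              'reference:cve,2099-0001; classtype:attempted-admin; sid:9000001; rev:1;)')
# Constructed expert attack rule (attack rule dimension): a scenario is a set of alert rules.
SCENARIO_RULE = {"id": "SCN-0001", "name": "scan then overflow", "alerts": ["SID-9000001"]}

# Regular-expression extraction for the rule text; the XML goes through the parser.
SNORT_RE = re.compile(r'msg:"(?P<msg>[^"]+)";.*?reference:cve,(?P<cve>[\d-]+);.*?sid:(?P<sid>\d+);')
ALLOWED_LABELS = {"Vulnerability", "Weakness", "Software", "AttackPattern", "AlertRule", "Scenario"}
ALLOWED_RELS = {"HAS_WEAKNESS", "AFFECTED_BY", "EXPLOITS", "DETECTS", "CONTAINS"}


def extract_entities():
    """Return (nodes, edges): nodes maps (label, id) -> property dict; edges is a
    set of (src_id, REL, dst_id) crossing the dimensions so the sub-graphs join up.
    Public feeds are untrusted input: in production parse them with defusedxml
    rather than the standard-library parser."""
    nodes, edges = {}, set()
    for e in ET.fromstring(CVE_XML).findall("entry"):
        cid = e.get("id")
        nodes[("Vulnerability", cid)] = {"summary": e.findtext("summary"),
                                         "cvss": float(e.findtext("cvss"))}
        cwe, sw = e.find("cwe").get("id"), e.findtext("product")
        nodes.setdefault(("Weakness", cwe), {})
        nodes.setdefault(("Software", sw), {})
        edges.add((cid, "HAS_WEAKNESS", cwe))
        edges.add((sw, "AFFECTED_BY", cid))
    for p in ET.fromstring(CAPEC_XML).findall("pattern"):
        pid = p.get("id")
        nodes[("AttackPattern", pid)] = {"name": p.get("name")}
        for w in p.findall("related_weakness"):
            nodes.setdefault(("Weakness", w.get("id")), {})
            edges.add((pid, "EXPLOITS", w.get("id")))
    m = SNORT_RE.search(SNORT_RULE)
    sid = "SID-" + m.group("sid")
    nodes[("AlertRule", sid)] = {"msg": m.group("msg")}
    edges.add((sid, "DETECTS", "CVE-" + m.group("cve")))
    nodes[("Scenario", SCENARIO_RULE["id"])] = {"name": SCENARIO_RULE["name"]}
    for a in SCENARIO_RULE["alerts"]:
        edges.add((SCENARIO_RULE["id"], "CONTAINS", a))
    return nodes, edges


def to_cypher(nodes, edges):
    """Render (statements, params).  Property values travel as Cypher parameters,
    never spliced into the query text, so a hostile feed cannot inject Cypher.
    Labels and relation types cannot be parameters in Cypher, so they are taken
    only from the fixed allow-lists above."""
    label_of = {nid: label for (label, nid) in nodes}
    stmts, params = [], {}
    for i, ((label, nid), props) in enumerate(nodes.items()):
        assert label in ALLOWED_LABELS
        params[f"n{i}"] = {"id": nid, **props}
        stmts.append(f"MERGE (n:{label} {{id: $n{i}.id}}) SET n += $n{i}")
    for j, (src, rel, dst) in enumerate(sorted(edges)):
        assert rel in ALLOWED_RELS
        params[f"e{j}"] = {"src": src, "dst": dst}
        stmts.append(f"MATCH (a:{label_of[src]} {{id: $e{j}.src}}), "
                     f"(b:{label_of[dst]} {{id: $e{j}.dst}}) MERGE (a)-[:{rel}]->(b)")
    return stmts, params


if __name__ == "__main__":
    for s in to_cypher(*extract_entities())[0]:
        print(s)
```

Against a live Neo4j each statement is executed together with its parameter map through the driver; because the query text contains only allow-listed labels and relation types, a crafted summary or product string in a feed can at most populate its own node's properties. The `MERGE` on the `id` property keeps repeated imports idempotent, which matters when feeds are re-pulled on a schedule.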
As a preferred technical solution, step 2) specifically comprises the following steps:
Step 2-1) is security event pre-processing. When analysing alert events, the first problem faced is the alerts of various formats generated by the security products of different vendors. Therefore, to perform event correlation, the information reported by the different devices has to be pre-processed into a unified standard data format, such as IDMEF, which is defined by the Intrusion Detection Working Group (IDWG).
Step 2-2) is security event verification. An IDS can generate a massive number of alerts every day, but usually most of them are false positives. Alert verification judges whether an alert is a genuine security event by means of the relations between the alert and the basic and vulnerability dimensions. Because the target IP address is easily obtained once each security event has been normalised, the host is quickly located by its target IP address and the host's status information, including CPU utilisation, vulnerabilities and network bandwidth utilisation, is obtained in-band or out-of-band; the characteristics of the security event are then compared with the obtained host information to decide whether to keep or filter the alert event.
Step 2-3) is the scenario reconstruction step. As the core step of correlation analysis, scenario reconstruction discovers the attacker's true purpose through the relations between correlated events. Events are first classified by target IP; Cypher is then used to quickly retrieve from the knowledge graph the scenarios associated with the event and, if a scenario is not present in memory, it is buffered in memory. A scenario instance is then constructed from the static scenario knowledge and the target IP, and when subsequent events for the same IP arrive the corresponding event fields in the scenario instance are updated; once all the fields of the scenario instance are satisfied, the scenario is output.
As a preferred technical solution, step 3) implements the correlation analysis process of step 2) on the real-time big data processing platform Storm, assisted by several non-relational databases during the implementation.
Advantages or beneficial effects of the invention:
Compared with the prior art, the advantages of the invention are as follows:
The invention proposes a knowledge graph-based distributed network security event correlation analysis method which stores network knowledge information in the form of a knowledge graph instead of a traditional relational database, on the one hand speeding up unified retrieval of multi-dimensional data and on the other hand improving the flexibility of knowledge representation and updating. In addition, a knowledge graph can provide path search between two entity nodes, which can be used for knowledge reasoning, knowledge verification, self-learning of new knowledge and so on. Compared with conventional methods, knowledge graph-based correlation analysis has a faster analysis speed and better scalability. Furthermore, the invention makes full use of current big data processing and analysis technologies to cope with large data volumes, parallelises the correlation analysis algorithm and realises the design of a knowledge graph-based distributed correlation analysis algorithm.
Key technical points of this patent and points to be protected:
1. Building a Chinese network security knowledge graph comprising an underlying asset dimension, a vulnerability dimension, an attack threat dimension and a static alert information dimension;
2. Constructing scenario rules on the basis of the network security knowledge graph and designing a knowledge graph-based security event correlation analysis method;
3. Designing a distributed correlation analysis framework and implementing the correlation analysis method in a distributed manner.
Embodiments of the invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary and serve only to explain the invention; they are not to be construed as limiting the claims.
A detailed description according to embodiments of the invention is given below with reference to the drawings.
Fig. 1 is a flow chart of knowledge graph-based network security event correlation analysis. As shown in Fig. 1, in the embodiment of the invention the input security events comprise both real attacks and false noise events, so an event verification function must first be applied and the real events retained. In the embodiment, to facilitate the subsequent construction of scenarios, an alert layer sits above the event layer and a scenario layer above the alert layer; the three are organised in a tree-like structure. The advantage of this is that knowledge graph queries at various granularities are supported, with better scalability and higher search efficiency. For each arriving event, the buffer is first searched for scenarios related to the event. The buffer is implemented with the MongoDB non-relational database, and MongoDB's field lookup function is used to judge whether the buffer contains the required event. If it does not, the knowledge graph is first searched for all scenarios related to the event and the result is buffered in MongoDB. The knowledge graph is implemented with the Neo4j non-relational database, and database lookups use the graph query language Cypher provided by Neo4j itself. Searching with Cypher for the scenarios associated with an event is a second-order relation lookup, because the alert layer lies between events and scenarios; compared with the table join operations of a relational database, this is a great advantage. The scenario instances to be matched are then searched for an instance related to the event's target IP; if there is none, there is as yet no attack against that IP, and a scenario instance related to that IP is created.
Each scenario instance may contain several alerts, and each alert may contain several security events. The correlation analysis process is therefore the process of the alert attributes and event attributes in the scenario being matched from 0 to 1: when all the fields are set to 1 the scenario is satisfied, and the true purpose of the attack is this attack scenario. The whole correlation process then ends and the correlation result is output.
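The three sub-steps of step 2) as described for Fig. 1, worked through as an added example that is not the patent's own code: heterogeneous alerts (a Snort fast-format line and a constructed vendor dict) are normalised to one flat IDMEF-like record, verified against a constructed asset inventory and per-host vulnerability list, and matched into per-target scenario instances whose alert fields flip from 0 to 1. The Neo4j graph and the MongoDB buffer are stood in for by in-memory dicts, and the Cypher statement shown is the assumed shape of the second-order lookup, not one taken from the patent. All identifiers, formats, hosts and sample alerts are constructed.

```python
"""Steps 2-1) to 2-3) as one added example: normalise, verify, reconstruct.
All formats, identifiers, inventory and the scenario rule are constructed;
Neo4j and MongoDB are replaced by in-memory dicts."""
import re

# --- Step 2-1: pre-processing into one flat, IDMEF-like record (assumed schema) ---
SNORT_FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)')


def normalize(raw):
    """Snort 'fast' line or constructed vendor dict -> common record, or None."""
    if isinstance(raw, str):
        m = SNORT_FAST_RE.match(raw)
        if not m:
            return None
        return {"ts": m["ts"], "sid": "SID-" + m["sid"], "src_ip": m["src"],
                "dst_ip": m["dst"], "dst_port": int(m["dport"]), "msg": m["msg"]}
    if isinstance(raw, dict):
        try:
            return {"ts": raw["time"], "sid": "SID-%d" % raw["signature_id"],
                    "src_ip": raw["source_address"], "dst_ip": raw["destination_address"],
                    "dst_port": int(raw["destination_port"]), "msg": raw["name"]}
        except (KeyError, ValueError, TypeError):
            return None
    return None


# --- Step 2-2: verification against the basic and vulnerability dimensions -------
HOSTS = {  # constructed asset inventory: software and known vulnerabilities per host
    "10.0.0.5": {"software": ["example-httpd:1.0"], "vulns": {"CVE-2099-0001"}},
    "10.0.0.9": {"software": ["example-httpd:2.0"], "vulns": set()},
}
RULE_CVE = {"SID-1000001": None, "SID-9000001": "CVE-2099-0001"}  # constructed rule -> CVE


def verify(event):
    """Keep an event only if its target is a known asset and, when the rule is tied
    to a CVE, the host actually carries that vulnerability.  Generic rules (no CVE)
    are kept because the inventory cannot refute them.  Caveat: a stale vulnerability
    inventory turns this filter into a source of false negatives."""
    host = HOSTS.get(event["dst_ip"])
    if host is None:
        return False
    cve = RULE_CVE.get(event["sid"])
    return cve is None or cve in host["vulns"]


# --- Step 2-3: scenario reconstruction ---------------------------------------------
SCENARIOS = {"SCN-0001": {"name": "scan then overflow",
                          "alerts": ["SID-1000001", "SID-9000001"]}}
# Assumed shape of the second-order lookup (event -> alert -> scenario) run in
# Cypher against Neo4j; not executed here.
SCENARIO_LOOKUP_CYPHER = "MATCH (r:AlertRule {id: $sid})<-[:CONTAINS]-(s:Scenario) RETURN s.id"


class Correlator:
    def __init__(self):
        self.cache = {}      # sid -> [scenario ids]; stands in for the MongoDB buffer
        self.instances = {}  # (scenario_id, target_ip) -> {sid: 0|1}

    def scenarios_for(self, sid):
        """Buffer first; on a miss 'query the graph' and cache the answer."""
        if sid not in self.cache:
            self.cache[sid] = [k for k, s in SCENARIOS.items() if sid in s["alerts"]]
        return self.cache[sid]

    def process(self, raw):
        """One raw alert through all three sub-steps; returns completed scenarios."""
        ev = normalize(raw)
        if ev is None or not verify(ev):
            return []
        done = []
        for scn in self.scenarios_for(ev["sid"]):
            key = (scn, ev["dst_ip"])  # one instance per scenario per target IP
            inst = self.instances.setdefault(key, dict.fromkeys(SCENARIOS[scn]["alerts"], 0))
            inst[ev["sid"]] = 1        # the field flips from 0 to 1
            if all(inst.values()):
                done.append((scn, ev["dst_ip"], SCENARIOS[scn]["name"]))
                del self.instances[key]
        return done


def run(raw_alerts):
    c = Correlator()
    return [hit for r in raw_alerts for hit in c.process(r)]


# Constructed input: scan + exploit on a vulnerable host, the same exploit on a
# patched host (filtered by verify), and a scan of an IP outside the inventory.
SAMPLE = [
    "01/15-10:00:01.000000  [**] [1:1000001:1] EXAMPLE portscan [**] [Priority: 2] {TCP} 198.51.100.7:51000 -> 10.0.0.5:80",
    {"time": "01/15-10:00:07", "signature_id": 9000001, "source_address": "198.51.100.7",
     "destination_address": "10.0.0.5", "destination_port": 80, "name": "EXAMPLE httpd overflow"},
    "01/15-10:00:09.000000  [**] [1:9000001:1] EXAMPLE httpd overflow [**] [Priority: 1] {TCP} 198.51.100.7:51002 -> 10.0.0.9:80",
    "01/15-10:00:11.000000  [**] [1:1000001:1] EXAMPLE portscan [**] [Priority: 2] {TCP} 198.51.100.7:51003 -> 192.0.2.50:80",
]

if __name__ == "__main__":
    print(run(SAMPLE))  # [('SCN-0001', '10.0.0.5', 'scan then overflow')]
```

Because scenario state is keyed by target IP, a distributed deployment of this logic must route every event for one target to the same worker (in Storm, a fields grouping on the target IP field); otherwise the instances for one host are split across workers and never reach the all-ones state. The same keying also bounds memory only as long as stale instances are expired, which the patent does not address and a production correlator must.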
Fig. 2 is a diagram of the knowledge graph-based distributed network security event management and analysis framework. As shown in Fig. 2, the distributed framework in the embodiment of the invention mainly comprises a data acquisition module, a data aggregation and distribution module, a real-time data analysis module and a data storage module.
In this embodiment the data acquisition module uses Flume, the distributed log collection system open-sourced by the Apache organisation, which gathers the data on each server and sends it to a designated log buffer server. One benefit of using Flume as the data collection tool is that the acquisition mode can be customised for different data sources, including the data source location, acquisition frequency, transmission mode and so on. The data acquisition module sends the collected data to the data aggregation and distribution module.
In this embodiment the core function of the data aggregation and distribution module is to buffer the mass of collected data and to classify the collected data by topic. It is implemented with the Kafka message middleware open-sourced by the Apache organisation. Kafka is a distributed publish-subscribe messaging system. Like other publish-subscribe systems, Kafka stores messages in topics; producers write data to topics and consumers read data from topics. Since Kafka is distributed by nature, topics can also be partitioned and replicated across multiple nodes. The main purposes of using Kafka middleware are: 1. reducing coupling: the acquisition and the processing of security data are completely separated, with Kafka middleware used between them to transport the managed data, so that both parts are programmed against the Kafka interface, which reduces coupling and improves the scalability of the system; 2. ensuring correctness: since the system generates large volumes of data simultaneously in a production environment, managing this data with hand-written code would be a huge undertaking for developers, whereas Kafka ensures the reliability of data management; 3. buffering: the production and consumption rates of messages are usually unequal, and if a series of attacks occurs at some moment a peak of alert data is generated; if the correlation analysis component cannot process the data quickly enough, the data will accumulate and, as event information continues to be generated, data will be lost. With Kafka the data is buffered to local disk to await subsequent consumption.
In this embodiment the real-time correlation analysis module is the core module of the system and is implemented with the Storm real-time data analysis platform open-sourced by the Apache organisation. The module is responsible for pulling the specified data from the Kafka message system in order to realise the knowledge graph-based security event correlation analysis function. Storm is an event processor that can process streaming data in a distributed manner. A Storm application is made up of "spouts" and "bolts", which are configured into a directed acyclic graph representing the data sources and the data processing routines. The main characteristic of Storm is that it processes real-time data, unlike Hadoop, which processes in batches. The main reasons for using Storm as the real-time processing tool are: 1. a simple programming model: just as MapReduce reduces the complexity of parallel batch processing, Storm reduces the complexity of real-time processing; as long as the spout data-receiving interface and the bolt data-processing interface are implemented, a topology can be built and used; 2. horizontal scaling: computation is performed in parallel across multiple threads, processes and servers, which guarantees the running speed of the system; 3. a local mode: Storm has a "local mode" that can fully simulate a Storm cluster during development; 4. distributed processing logic: Storm uses a layered pattern in which each layer of bolts completes one function and hands over to the next layer, so the whole implementation can be divided into several steps, each with a definite function, which is easier to implement.
In this embodiment the data storage module is responsible for storing the original event data and the scenario information output after correlation analysis. The system may also deploy several data statistics threads to complete short-term and long-term statistics functions, and the statistical information likewise needs the support of the storage module. The module uses the MySQL relational database to store structured information and the MongoDB database to store unstructured information.
In the embodiment of the invention the modules described above operate in a data-driven manner. Since the modules use several relational and non-relational databases, database specialists are needed to design and optimise the databases. At the same time, each module uses distributed system tools at the bottom, which must be configured reasonably according to the actual data processing scale, including master/slave configuration, node bandwidth, memory configuration and so on, and must be operated and maintained by personnel with distributed deployment experience.
It should be noted that, for brevity, the above method embodiments are all expressed as a series of combined actions, but those skilled in the art will know that the application is not limited by the described order of actions, because according to the application certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the application.
Those skilled in the art should understand that the embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
Finally, it should be noted that the foregoing is only a preferred embodiment of the present invention and is not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical solutions recorded in those embodiments or replace some of their technical features with equivalents. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within its scope of protection.
Claims (10)
1. A knowledge graph-based distributed network security event correlation analysis method, characterized in that it specifically includes the following steps:
Step 1) constructing a network security knowledge graph comprising five dimensions: a basic dimension, a vulnerability dimension, an attack threat dimension, an alert event dimension and an attack rule dimension;
Step 2) on the basis of the knowledge graph constructed in step 1), designing and realizing a security event correlation analysis algorithm;
Step 3) building a real-time big data analysis platform, applying the correlation analysis algorithm designed in step 2) to the built big data platform, and realizing a distributed correlation analysis system.
2. The knowledge graph-based distributed network security event correlation analysis method according to claim 1, characterized in that step 1) specifically includes:
collecting the knowledge information of the five dimensions, which respectively include CVE vulnerability knowledge, CAPEC attack classification knowledge, CWE host software knowledge, Snort alert event knowledge and attack rule expert knowledge;
extracting entity attribute information by writing XML processing programs and regular expressions;
building the relationships between different dimensions that need edges, so that all sub-graphs are connected into one usable, complete knowledge graph.
3. The knowledge graph-based distributed network security event correlation analysis method according to claim 1 or 2, characterized in that step 2) includes:
Step 2-1) a security event pre-processing sub-step, including: when analyzing alert events, pre-processing the alerts of various formats generated by security products from different vendors;
Step 2-2) a security event verification sub-step, including: judging, by the association relationship between the alert and the basic dimension and the vulnerability dimension, whether the alert belongs to a genuine security incident;
Step 2-3) a scene reconstruction sub-step, including: discovering the attacker's real attack purpose through the relationships between correlated events.
4. The knowledge graph-based distributed network security event correlation analysis method according to claim 3, characterized in that step 2-1) specifically includes: pre-processing the information reported by different devices into a unified standard data format.
5. The knowledge graph-based distributed network security event correlation analysis method according to claim 3, characterized in that step 2-2) further includes:
normalizing the security event and obtaining the target IP address;
quickly locating the host according to the target IP address, obtaining the host's state information in-band or out-of-band, including CPU utilization, vulnerabilities and network bandwidth utilization, and deciding whether to retain or filter the alert event by comparing the characteristics of the security event with the obtained host information.
6. The knowledge graph-based distributed network security event correlation analysis method according to claim 3, characterized in that step 2-3) further includes:
classifying by target IP, then using Cypher to quickly retrieve the scenes associated with the event from the knowledge graph; if a scene is not present in memory, buffering that scene in memory;
then constructing a scene instance from the static scene knowledge and the target IP, and when a subsequent event with the same IP arrives, changing the corresponding event field information in the scene instance; if all the event fields the scene contains are satisfied, outputting the scene.
7. The knowledge graph-based distributed network security event correlation analysis method according to claim 1, characterized in that step 3) specifically includes: realizing the correlation analysis process of step 2) on the real-time big data processing platform Storm, which needs the assistance of several non-relational databases during realization.
8. The knowledge graph-based distributed network security event correlation analysis method according to claim 1, characterized in that in step 2-1) the alert events include attack events and false noise events; in step 2-2) the above alert events undergo an event verification function and the real events are retained;
wherein there is an alert layer above the event layer and a scene layer above the alert layer, and the three layers are organized into a tree structure.
9. The knowledge graph-based distributed network security event correlation analysis method according to claim 8, characterized in that step 2-3) specifically includes:
for each arriving event, first searching the buffer for scenes associated with the event, the buffer being realized with the MongoDB non-relational database;
judging by the field lookup function of MongoDB whether the buffer contains the scene being looked for;
if not, first searching the knowledge graph for all scenes associated with the event and buffering the result in MongoDB;
searching the scene instances to be matched for an instance related to the event's target IP; if there is none, no attack on that IP has occurred yet, and a scene instance related to that IP is created at this time;
each scene instance can include several alerts, and each alert can include several security events;
so the correlation analysis process is the process of continuously matching the alert attributes and event attributes in the scene from 0 to 1; if all fields are set to 1, the scene is satisfied, the real purpose of this attack is exactly that attack scene, the whole correlation process ends and the correlation result is output.
10. The knowledge graph-based distributed network security event correlation analysis method according to claim 1, characterized in that the knowledge graph is realized with the Neo4j non-relational database, and database lookups use the graph retrieval language Cypher provided by Neo4j itself;
because there is an alert layer between events and scenes, searching for the scenes associated with an event using Cypher is a second-order relationship lookup.
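The scene matching of claims 6 and 9 (per-IP scene instances whose event fields move from 0 to 1), the host-state verification of claim 5 and the cached second-order scene lookup of claim 10, as an added example that is not code from the patent. The scene knowledge, host inventory, alert stream, CVE ids and Cypher label names are constructed assumptions; MongoDB and Neo4j are stood in for by in-memory dictionaries.

```python
from typing import Dict, List, Tuple

# Constructed toy knowledge (not the patent's data), three layers as in claim 8:
# scene -> alarm -> event. Some events only make sense if the target host has a
# given vulnerability (placeholder CVE ids), used by the verification of claim 5.
SCENE_KNOWLEDGE: Dict[str, Dict[str, List[str]]] = {
    "web_compromise": {"recon": ["port_scan"], "exploit": ["sqli_attempt"],
                       "persist": ["webshell_upload"]},
    "ssh_bruteforce": {"guessing": ["ssh_auth_fail_burst"],
                       "success": ["ssh_login_new_source"]},
}
EVENT_REQUIRES_VULN = {"sqli_attempt": "CVE-PLACEHOLDER-1"}
# Constructed host inventory (vulnerability dimension), keyed by target IP.
HOST_VULNS = {"10.0.0.5": ["CVE-PLACEHOLDER-1"], "10.0.0.9": []}

# Shape of the second-order Cypher lookup of claim 10 (event -> alarm -> scene);
# labels and relationship names are assumed, not taken from the patent.
CYPHER_SCENES_FOR_EVENT = (
    "MATCH (s:Scene)-[:HAS_ALARM]->(:Alarm)-[:HAS_EVENT]->(:Event {name: $event}) "
    "RETURN DISTINCT s.name")


def verify_event(event: str, target_ip: str) -> bool:
    """Claim 5: keep an alert only if the target host's state supports it; an
    unknown host cannot be verified, so its alerts are filtered out."""
    if target_ip not in HOST_VULNS:
        return False
    needed = EVENT_REQUIRES_VULN.get(event)
    return needed is None or needed in HOST_VULNS[target_ip]


class Correlator:
    """Claims 6 and 9: cached scene lookup plus per-(scene, ip) scene instances
    whose event fields move from 0 to 1 until every field is 1."""

    def __init__(self, knowledge=SCENE_KNOWLEDGE):
        self.knowledge = knowledge
        self._scene_cache: Dict[str, List[str]] = {}   # stands in for MongoDB
        self.graph_lookups = 0                           # simulated Neo4j queries
        self.instances: Dict[Tuple[str, str], Dict[str, int]] = {}
        self.dropped = 0

    def scenes_for_event(self, event: str) -> List[str]:
        if event not in self._scene_cache:  # cache miss: query the graph once
            self.graph_lookups += 1         # would run CYPHER_SCENES_FOR_EVENT
            self._scene_cache[event] = sorted(
                s for s, alarms in self.knowledge.items()
                if any(event in evs for evs in alarms.values()))
        return self._scene_cache[event]

    def process(self, event: str, target_ip: str) -> List[str]:
        """Feed one normalized alert; return the scenes it completes."""
        if not verify_event(event, target_ip):
            self.dropped += 1
            return []
        completed = []
        for scene in self.scenes_for_event(event):
            key = (scene, target_ip)
            if key not in self.instances:   # first alert against this ip here
                self.instances[key] = {ev: 0 for evs in self.knowledge[scene].values()
                                       for ev in evs}
            fields = self.instances[key]
            fields[event] = 1
            if all(v == 1 for v in fields.values()):
                completed.append(scene)     # scene met: this is the attack purpose
                del self.instances[key]
        return completed


def run_stream(alerts: List[Tuple[str, str]]) -> Dict[str, object]:
    """Run a list of (event, target_ip) alerts through a fresh correlator."""
    c = Correlator()
    scenes = [(ip, s) for ev, ip in alerts for s in c.process(ev, ip)]
    return {"scenes": scenes, "dropped": c.dropped, "graph_lookups": c.graph_lookups,
            "open_instances": len(c.instances)}


# Constructed alert stream: a complete web compromise of 10.0.0.5, an SQLi alert
# against a host lacking the vulnerability (filtered), and an unfinished brute force.
SAMPLE_ALERTS = [
    ("port_scan", "10.0.0.5"), ("sqli_attempt", "10.0.0.9"), ("sqli_attempt", "10.0.0.5"),
    ("ssh_auth_fail_burst", "10.0.0.9"), ("webshell_upload", "10.0.0.5"),
    ("port_scan", "10.0.0.9"),
]
```

Running `run_stream(SAMPLE_ALERTS)` reports one completed scene for 10.0.0.5, one dropped alert, four graph lookups (the repeated `port_scan` is served from the cache) and two scene instances still open.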
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810036765.9A CN108270785B (en) | 2018-01-15 | 2018-01-15 | Knowledge graph-based distributed security event correlation analysis method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108270785A true CN108270785A (en) | 2018-07-10 |
CN108270785B CN108270785B (en) | 2020-06-30 |
Family
ID=62775447
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||