CN112637194A - Security event detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN112637194A
Authority: CN (China)
Prior art keywords: event, false alarm, candidate, security, preset
Prior art date
Legal status: Pending (as listed by Google Patents; the legal status is an assumption, not a legal conclusion)
Application number: CN202011513791.XA
Other languages: Chinese (zh)
Inventor: 王晓敏
Current assignee (as listed by Google Patents; the list may be inaccurate): Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Priority date (as listed by Google Patents; the priority date is an assumption, not a legal conclusion)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Alarm Systems (AREA)

Abstract

The application provides a method and a device for detecting a security event, an electronic device and a storage medium. The method for detecting a security event comprises the following steps: the security of a target event to be detected is scored through a preset security analysis model to obtain an initial score value; when the initial score value is greater than a target score threshold, the target event is set as a candidate security event; the similarity between the candidate security event and a corresponding false alarm event in a false alarm database is obtained; whether the candidate security event is a false alarm event is judged according to the similarity; and if the candidate security event is not a false alarm event, it is determined to be a target security event. Compared with existing detection methods, the method improves the accuracy and effectiveness of security event detection and thereby improves network security.

Description

Security event detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting a security event, an electronic device, and a storage medium.
Background
With the large-scale popularization, application and development of the internet, network security problems have become prominent: virus penetration, system vulnerabilities, hacker attacks and the like seriously hinder the normal operation of networks.
As the scale and complexity of networks increase, network attack techniques keep evolving, a great number of novel attack tools emerge, and the complexity and number of network threats grow over time. However, existing security detection technology produces a large number of false alarms, which reduces the accuracy of security event detection.
In view of the above problems, no effective technical solution exists at present.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for detecting a security event, an electronic device, and a storage medium, which can improve accuracy of security event detection.
In a first aspect, an embodiment of the present application provides a method for detecting a security event, including the following steps:
scoring the security of a target event to be detected through a preset security analysis model to obtain an initial score value;
when the initial score value is greater than a target score threshold, setting the target event as a candidate security event;
obtaining the similarity between the candidate security event and a corresponding false alarm event in a false alarm database;
judging whether the candidate security event is a false alarm event according to the similarity;
and if the candidate security event is not a false alarm event, determining the candidate security event as a target security event.
Optionally, in the method for detecting a security event according to the embodiment of the present application, the method further includes:
performing secondary judgment on a plurality of candidate security events within a preset time period to obtain the false alarm rate of the plurality of candidate security events;
and if the false alarm rate is greater than a preset false alarm threshold, adjusting the target score threshold until the false alarm rate is less than or equal to the preset false alarm threshold.
Optionally, in the method for detecting a security event according to the embodiment of the present application, the step of adjusting the target score threshold until the false alarm rate is less than or equal to the preset false alarm threshold includes:
adjusting the target score threshold upward by a preset amplitude to obtain a first score threshold;
performing secondary judgment on the plurality of candidate security events within the preset time period based on the first score threshold to obtain a new false alarm rate of the plurality of candidate security events;
if the new false alarm rate is less than or equal to the preset false alarm threshold, taking the first score threshold as the final target score threshold and ending the adjustment;
if the new false alarm rate is greater than the preset false alarm threshold, judging whether the first score threshold is greater than a set score threshold to obtain a judgment result, and determining the target score threshold according to the judgment result.
Optionally, in the method for detecting a security event according to the embodiment of the present application, the step of determining the target score threshold according to the judgment result includes:
if the first score threshold is less than or equal to the set score threshold, taking the first score threshold as the target score threshold and returning to the step of adjusting the target score threshold upward by the preset amplitude to obtain the first score threshold;
and if the first score threshold is greater than the set score threshold, taking the first score threshold as the final target score threshold and ending the adjustment.
Optionally, in the method for detecting a security event according to the embodiment of the present application, the method further includes:
performing secondary judgment on a plurality of candidate security events within a preset time period to obtain the false alarm rate of the plurality of candidate security events;
if the false alarm rate is greater than a preset false alarm threshold, extracting the candidate security events that are false alarms from the plurality of candidate security events to obtain at least one false alarm event;
and training the preset security analysis model based on the at least one false alarm event until the false alarm rate is less than or equal to the false alarm threshold.
Optionally, in the method for detecting a security event according to the embodiment of the present application, the step of performing secondary judgment on a plurality of candidate security events within a preset time period to obtain the false alarm rate of the plurality of candidate security events includes:
obtaining the number of false alarm events from the results of secondary analysis of the candidate security events by security researchers;
and obtaining the false alarm rate from the number of false alarm events and the total number of candidate security events.
Optionally, in the method for detecting a security event according to the embodiment of the present application, the step of judging whether the candidate security event is a false alarm event according to the similarity includes:
when the similarity is less than a preset similarity threshold, determining that the candidate security event is a non-false alarm event;
and when the similarity is greater than or equal to the preset similarity threshold, determining that the candidate security event is a false alarm event.
Optionally, in the method for detecting a security event according to the embodiment of the present application, obtaining the similarity between the candidate security event and a corresponding false alarm event in the false alarm database includes:
acquiring the characteristic parameters of the candidate security event, and calculating a locality-sensitive hash value of the characteristic parameters;
and obtaining the similarity between the candidate security event and the false alarm event of the corresponding type according to the hash value.
Optionally, in the method for detecting a security event according to the embodiment of the present application, when the candidate security event is a false alarm event, the method further includes:
training the preset security analysis model according to the candidate security event so as to update the preset security analysis model.
In a second aspect, an embodiment of the present application further provides a device for detecting a security event, including:
a scoring module, configured to score the security of the target event to be detected through a preset security analysis model to obtain an initial score value;
a setting module, configured to set the target event as a candidate security event when the initial score value is greater than a target score threshold;
a first obtaining module, configured to obtain the similarity between the candidate security event and a corresponding false alarm event in a false alarm database;
a judging module, configured to judge whether the candidate security event is a false alarm event according to the similarity;
and a determining module, configured to determine the candidate security event as a target security event when the candidate security event is not a false alarm event.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor and a memory, where the memory stores computer-readable instructions, and when the computer-readable instructions are executed by the processor, the steps in the method as provided in the first aspect are executed.
In a fourth aspect, embodiments of the present application provide a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs the steps in the method as provided in the first aspect.
As can be seen from the above, in the method for detecting a security event provided in the embodiment of the present application, the security of the target event to be detected is scored through the preset security analysis model to obtain an initial score value; when the initial score value is greater than the target score threshold, the target event is set as a candidate security event; the similarity between the candidate security event and a corresponding false alarm event in the false alarm database is obtained; whether the candidate security event is a false alarm event is judged according to the similarity; and if the candidate security event is not a false alarm event, it is set as a target security event. Compared with existing detection methods, the method improves the accuracy and effectiveness of security event detection and thereby improves network security.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and therefore should not be considered as limiting its scope; those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a first flowchart of a method for detecting a security event according to an embodiment of the present application.
Fig. 2 is a second flowchart of a method for detecting a security event according to an embodiment of the present application.
Fig. 3 is a third flowchart of a method for detecting a security event according to an embodiment of the present application.
Fig. 4 is a schematic structural diagram of a device for detecting a security event according to an embodiment of the present application.
Fig. 5 is a schematic structural diagram of a second security event detection apparatus according to an embodiment of the present application.
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, fig. 1 is a flowchart illustrating a method for detecting a security event according to some embodiments of the present application. The method for detecting a security event comprises the following steps:
S101, scoring the security of a target event to be detected through a preset security analysis model to obtain an initial score value;
S102, when the initial score value is greater than a target score threshold, setting the target event as a candidate security event;
S103, acquiring the similarity between the candidate security event and a corresponding false alarm event in a false alarm database;
S104, judging whether the candidate security event is a false alarm event according to the similarity;
and S105, if the candidate security event is not a false alarm event, setting it as a target security event.
In step S101, the preset security analysis model may be obtained in advance by training through a preset training model. The target event includes a security event, where a security event is any event that attempts to change the security state of the information system; such changes include changing access control measures, changing security levels, changing user passwords, malicious encrypted traffic, a malicious Portable Executable (PE) file, and the like. There may be one preset security analysis model or several. In some embodiments, when there are a plurality of preset security analysis models, each model corresponds to one event type; during execution, the event type of the target event is judged first, and the target event is then scored by the preset security analysis model matching that event type, which improves scoring accuracy.
In step S102, the target score threshold may be set according to the preset security analysis model and the event type of the target event. When there are a plurality of preset security analysis models, each event type corresponds to its own target score threshold. In some embodiments, the target score threshold is a fixed value. In other embodiments, it may be a dynamic value; for example, it may be adjusted dynamically according to the false alarm rate of the candidate security events so as to further improve the accuracy of security event detection.
In step S103, a plurality of false alarm events are stored in the false alarm database, and each false alarm event may be associated with a hash value. The hash value may be a locality-sensitive hash value of the characteristic parameters of a preset false alarm event. It can be calculated with a Locality Sensitive Hashing (LSH) algorithm, one of the most popular approximate nearest neighbor search algorithms, which performs well in high-dimensional data spaces. Its main function here is to judge the similarity between a preset false alarm event and a candidate security event; the same technique is applied in fields such as text similarity detection and web page search. In some embodiments, the similarity between the target event and the false alarm event is obtained by comparing the hash value of the target event with the hash value of the false alarm event. In other embodiments, the similarity may be obtained from the degree of match between the characteristic parameters of the target event and those of the false alarm event; the specific manner is not limited.
In step S104, whether the candidate security event is a false alarm can be determined from the similarity. In some embodiments, when the hash value of the target event is close to or equal to the hash value of a false alarm event, the candidate security event is determined to be a false alarm event; otherwise it is a non-false alarm event. In other embodiments, when the degree of match falls within a preset range, the candidate security event is determined to be a false alarm event; otherwise it is a non-false alarm event. When the candidate security event is determined not to be a false alarm event, step S105 is performed.
In step S105, the target security event is any event confirmed as an attempt to change the security state of the information system; it is the security event for which an alarm must be raised. Once the candidate security event is determined to be the target security event, it can be alarmed on and handled (for example intercepted) in time. If the candidate security event is a false alarm event, it is an allowable normal event rather than a target security event, and it needs to be stored in the false alarm database.
As can be seen from the above, in the method for detecting a security event provided in the embodiment of the present application, the security of the target event to be detected is scored through the preset security analysis model to obtain an initial score value; when the initial score value is greater than the target score threshold, the target event is set as a candidate security event; the similarity between the candidate security event and a corresponding false alarm event in the false alarm database is obtained; whether the candidate security event is a false alarm event is judged according to the similarity; and if the candidate security event is not a false alarm event, it is set as a target security event. Compared with existing detection methods, the method improves the accuracy and effectiveness of security event detection and thereby improves network security.
Referring to fig. 2 and 3, fig. 2 is a flowchart illustrating a method for detecting a security event according to some embodiments of the present application.
As shown in fig. 2, in some embodiments, the method for detecting a security event includes:
S201, scoring the security of a target event to be detected through a preset security analysis model to obtain an initial score value;
S202, when the initial score value is greater than a target score threshold, setting the target event as a candidate security event;
S203, acquiring the similarity between the candidate security event and a corresponding false alarm event in a false alarm database;
S204, judging whether the candidate security event is a false alarm event according to the similarity;
S205, if the candidate security event is not a false alarm event, determining the candidate security event as a target security event;
and S206, if the candidate security event is a false alarm event, storing it in the false alarm database and/or training the preset security analysis model according to the candidate security event so as to update the preset security analysis model.
Steps S201 to S205 in this embodiment are the same as steps S101 to S105 in the first embodiment; refer to the description above, which is not repeated here.
In some embodiments, step S203, obtaining the similarity between the candidate security event and the corresponding false alarm event in the false alarm database, includes:
S2031, obtaining the event type of the target event, and querying the false alarm database for false alarm events of the corresponding type based on that event type;
For example, event types of the target event include access control, security level, user password, encrypted traffic, executable file, and the like. False alarm events of these types are likewise stored in the false alarm database.
S2032, calculating the similarity between the candidate security event and the false alarm events of the corresponding type.
In some embodiments, the similarity between the target event and a false alarm event may be obtained using one of Euclidean distance, cosine similarity, Manhattan distance and the Pearson correlation coefficient.
In other embodiments, the similarity is obtained as follows: acquire the characteristic parameters of the target event and calculate a hash value of those parameters, which may be a locality-sensitive hash value of the characteristic parameters of the target event; then obtain the similarity between the target event and the false alarm events of the corresponding type in the false alarm database according to the hash value.
For example, the locality-sensitive hash value of the characteristic parameters of the target event may be compared with the locality-sensitive hash value of a preset false alarm event; if the two are equal or approximately equal, the target event is determined to be similar to a false alarm event in the false alarm database.
In step S206, in some embodiments, a hash value of the candidate security event is obtained, the hash value is associated with the candidate security event and stored in the false alarm database, and/or a training sample is generated from the candidate security event and the preset security analysis model is trained on that sample, so as to improve scoring accuracy.
In some embodiments, step S204, judging whether the candidate security event is a false alarm event according to the similarity, includes:
S2041, when the similarity is less than a preset similarity threshold, determining that the candidate security event is a non-false alarm event; the preset similarity threshold is set according to an empirical value.
S2042, when the similarity is greater than or equal to the preset similarity threshold, determining that the candidate security event is a false alarm event.
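The candidate-event pipeline of steps S201 to S206 together with the hash-based similarity of steps S2031/S2032 and the threshold decision of S2041/S2042, as an added Python example that is not part of the patent: the scoring model (`toy_score`), the feature names, the sample events and both thresholds are constructed assumptions, and SimHash stands in for whichever locality-sensitive hashing scheme an implementation would choose.

```python
"""Added example, not code from the patent: a minimal version of the
pipeline in steps S201-S206 together with the locality-sensitive-hash
similarity of S2031/S2032. The scoring model, feature names, sample events
and every threshold below are constructed for illustration."""
import hashlib
from dataclasses import dataclass, field

HASH_BITS = 64


def simhash(features):
    """SimHash, one locality-sensitive hashing scheme: near-identical feature
    sets produce hashes that differ in only a few bits."""
    votes = [0] * HASH_BITS
    for feat in features:
        h = int.from_bytes(hashlib.sha256(feat.encode()).digest()[:8], "big")
        for i in range(HASH_BITS):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(HASH_BITS) if votes[i] > 0)


def similarity(h1, h2):
    """Similarity in [0, 1]: 1 minus the normalized Hamming distance."""
    return 1.0 - bin(h1 ^ h2).count("1") / HASH_BITS


@dataclass
class Event:
    event_type: str   # e.g. "user_password", "encrypted_traffic"
    features: dict    # characteristic parameters of the event

    def feature_strings(self):
        return [f"{k}={v}" for k, v in sorted(self.features.items())]


@dataclass
class FalseAlarmDB:
    """S2031: false alarms are stored per event type with their hash."""
    entries: dict = field(default_factory=dict)

    def add(self, event):
        self.entries.setdefault(event.event_type, []).append(
            simhash(event.feature_strings()))

    def max_similarity(self, event):
        """S2032: best similarity against same-type false alarms; 0.0 when
        no false alarm of this type has been recorded yet (edge case)."""
        h = simhash(event.feature_strings())
        return max((similarity(h, fh)
                    for fh in self.entries.get(event.event_type, [])),
                   default=0.0)


def toy_score(event):
    """Stand-in for the preset security analysis model (constructed): maps a
    few indicators of a 'user_password' event to a 0-100 score."""
    f = event.features
    score = 0
    if f.get("failed_logins", 0) >= 5:
        score += 40
    if not f.get("src_internal", True):
        score += 30
    if f.get("off_hours"):
        score += 30
    return score


def detect(event, db, score_threshold, sim_threshold):
    """Returns 'normal', 'false_alarm' or 'target'. A candidate judged to be
    a false alarm is written back to the database (S206)."""
    initial = toy_score(event)                   # S201
    if initial <= score_threshold:               # S202: not a candidate
        return "normal"
    sim = db.max_similarity(event)               # S203
    if sim >= sim_threshold:                     # S2042
        db.add(event)                            # S206
        return "false_alarm"
    return "target"                              # S205 (S2041)


def demo():
    """Constructed scenario: a monitoring account that regularly fails a few
    logins off-hours was triaged as a false alarm once; a later identical
    event is suppressed, while an external brute-force attempt is not."""
    db = FalseAlarmDB()
    known = Event("user_password", {"user": "svc_monitor", "failed_logins": 6,
                                    "src_internal": True, "off_hours": True})
    db.add(known)   # already confirmed as a false alarm by an analyst
    repeat = Event("user_password", dict(known.features))
    attack = Event("user_password", {"user": "admin", "failed_logins": 40,
                                     "src_internal": False, "off_hours": False})
    quiet = Event("user_password", {"user": "alice", "failed_logins": 1,
                                    "src_internal": True, "off_hours": False})
    return [detect(e, db, score_threshold=60, sim_threshold=0.85)
            for e in (repeat, attack, quiet)]


if __name__ == "__main__":
    print(demo())   # ['false_alarm', 'target', 'normal']
```

Because the database is keyed by event type, the first candidate of a type that has no stored false alarms always reaches the analyst as a target event; the similarity threshold only suppresses repeats of what has already been triaged.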
In some embodiments, as shown in fig. 3, to further improve the accuracy of the security event detection, the method further includes:
S207, performing secondary judgment on a plurality of candidate security events within a preset time period to obtain the false alarm rate of the plurality of candidate security events;
S208, if the false alarm rate is greater than a preset false alarm threshold, adjusting the target score threshold until the false alarm rate is less than or equal to the preset false alarm threshold.
In step S207, the false alarm rate equals the total number of false alarm events within the period divided by the total number of candidate security events. The total number of false alarm events may be obtained as follows: score the candidate security events through the security analysis model and judge whether the score value is greater than the target score threshold; if so, the candidate security event is determined to be a non-false alarm event, otherwise a false alarm event.
In other embodiments, step S207 includes:
S2071, obtaining the number of false alarm events from the results of secondary analysis of the candidate security events by security researchers, and obtaining the false alarm rate from the number of false alarm events and the total number of candidate security events.
In step S208, the preset false alarm threshold is set according to requirements.
In some embodiments, the step of adjusting the target score threshold until the false positive rate is less than or equal to the preset false positive threshold comprises:
S2081, adjusting the target score threshold upward by a preset amplitude to obtain a first score threshold;
The preset amplitude can be set according to requirements, for example according to the event type of the candidate security event. In some embodiments, the preset amplitude may be the difference between the target score threshold and a set score threshold, where the set score threshold may be a maximum score threshold.
S2082, performing secondary judgment on the plurality of candidate security events within the preset time period based on the first score threshold to obtain a new false alarm rate of the plurality of candidate security events;
For example, the first score threshold is used as the target score threshold, a more accurate security analysis model scores the candidate security events, and the score value is compared with the first score threshold: if the score value is greater than the first score threshold, the candidate security event is determined to be a non-false alarm event; otherwise it is a false alarm event. Alternatively, other algorithm models may be used to judge the candidate security events and find the misjudged events among them, and obtaining the misjudged events by manual judgment is also feasible. The total number of false alarm events found in step S2082 is counted, and the new false alarm rate equals that total divided by the total number of candidate security events. If the new false alarm rate is less than or equal to the preset false alarm threshold, step S2083 is executed; otherwise step S2084 is executed.
S2083, if the new false alarm rate is less than or equal to the preset false alarm threshold, taking the first score threshold as the final target score threshold and ending the adjustment;
S2084, if the new false alarm rate is greater than the preset false alarm threshold, judging whether the first score threshold is greater than a set score threshold to obtain a judgment result, and determining the target score threshold according to the judgment result.
The set score threshold may be a maximum score threshold, that is, an upper limit on the score threshold, set according to an empirical value.
In some embodiments, in order to further improve the detection accuracy, the step of determining a target score threshold according to the determination result includes:
(1) if the first score threshold is smaller than or equal to a set score threshold, taking the first score threshold as a target score threshold and returning to execute the step of adjusting the target score threshold by a preset amplitude to obtain the first score threshold;
for example, when the first score threshold is less than or equal to the set score threshold, the first score threshold is set as a new target score threshold, and the step S2081 is executed in return.
(2) And if the first score threshold is larger than a set score threshold, taking the first score threshold as a final target score threshold and finishing adjustment.
In this way, the false alarm rate of the plurality of candidate security events in the preset time period is obtained and the target score threshold is adjusted according to it, so that the false alarm rate is reduced and the accuracy and effectiveness of security event detection are further improved.
In some embodiments, to further improve the accuracy of the security event detection, the method further comprises:
S209, carrying out secondary judgment on a plurality of candidate security events in a preset time period to obtain the false alarm rate of the plurality of candidate security events.
Specifically, this step is the same as step S207; see the description above, which is not repeated here. The false alarm rate equals the total number of false alarm events in the period divided by the total number of candidate security events. The total number of false alarm events can be counted in either of two ways. The first way: the candidate security events are scored through the preset security analysis model, and whether the score value is greater than the target score threshold is judged; if so, the candidate security event is a non-false-alarm event, and if not, it is a false alarm event. The second way: secondary analysis of the candidate security events is carried out through a preset false alarm model to obtain the total number of false alarm events; the preset false alarm model includes a threat intelligence library, zombie host information and the like, without limitation. When the false alarm rate is greater than the preset false alarm threshold, step S210 is executed; otherwise, step S211 is executed.
S210, if the false alarm rate is greater than the preset false alarm threshold, extracting the false alarm candidate security events from the plurality of candidate security events to obtain at least one false alarm event; for example, the false alarm events obtained in step S209 are extracted.
S211, training the preset security analysis model based on the at least one false alarm event until the false alarm rate is less than or equal to the false alarm threshold.
For example, the preset security analysis model is trained on the false alarm events of step S210 to obtain a new security analysis model; the candidate security events within the preset time period are then judged by the new security analysis model and a false alarm rate is obtained. When the false alarm rate is less than or equal to the false alarm threshold, this security analysis model is taken as the final preset security analysis model.
In this way, the false alarm rate of the plurality of candidate security events in the preset time period is obtained and the preset security analysis model is trained according to it, so that the false alarm rate is reduced and the accuracy and effectiveness of security event detection are further improved.
As can be seen from the above, in the security event detection method provided in the embodiment of the present application, the security of the target event to be detected is scored through the preset security analysis model to obtain an initial score value; when the initial score value is greater than the target score threshold, the target event is set as a candidate security event; the similarity between the candidate security event and the corresponding false alarm event in the false alarm database is obtained; whether the candidate security event is a false alarm event is judged according to the similarity; if the candidate security event is not a false alarm event, it is determined to be a target security event; and if it is a false alarm event, it is stored in the false alarm database and/or the preset security analysis model is trained on it so as to update the model. Building on the previous embodiment, storing a confirmed false alarm event in the false alarm database and/or training the preset security analysis model on it means that the false alarm database or the preset security analysis model keeps being updated, which further improves the accuracy and effectiveness of security event detection.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a device for detecting a security event according to an embodiment of the present application.
The device 30 comprises: a scoring module 31, a setting module 32, a first obtaining module 33, a judging module 34 and a determining module 35.
The scoring module 31 is configured to score the security of the target event to be detected through a preset security analysis model to obtain an initial score value. The preset security analysis model can be obtained in advance by training through a preset training model. The target event includes a security event, where a security event is any event that attempts to change the security state of the information system, such as changing access control measures, changing security levels, changing user passwords, malicious encrypted traffic, or a malicious Portable Executable (PE) file. There may be one preset security analysis model or several. In some embodiments, when there are several preset security analysis models, each corresponds to one event type; in execution, the event type of the target event is judged first, and the preset security analysis model matching that event type is selected to score the target event, which improves scoring accuracy.
A setting module 32, configured to set the target event as a candidate security event when the initial score value is greater than a target score threshold. The target score threshold can be set according to the preset security analysis model and the event type of the target event; when there are several preset security analysis models, each event type corresponds to its own target score threshold. In some embodiments the target score threshold is a fixed value. In other embodiments it may be a dynamic value, for example adjusted according to the false alarm rate of the candidate security events, so as to further improve the accuracy of security event detection.
A first obtaining module 33, configured to obtain the similarity between the candidate security event and a corresponding false alarm event in a false alarm database. The false alarm database stores a plurality of false alarm events, and each false alarm event can be associated with a hash value. The hash value may be a locality sensitive hash value of the characteristic parameters of a preset false alarm event, calculated by a Locality Sensitive Hashing (LSH) algorithm, the most popular of the approximate nearest neighbor search algorithms, which performs well in high-dimensional data spaces. Its main function here is to judge the similarity between a preset false alarm event and the candidate security event; the same technique is applied in fields such as text similarity detection and web page search. In some embodiments, the similarity between the target event and the false alarm event is obtained by comparing the hash value of the target event with the hash value of the false alarm event. In other embodiments, the similarity may be obtained from the matching degree between the characteristic parameters of the target event and those of the false alarm event; the specific manner is not limited.
A judging module 34, configured to judge whether the candidate security event is a false alarm event according to the similarity. When the hash value of the target event is close or equal to the hash value of a false alarm event, the candidate security event is determined to be a false alarm event; otherwise it is a non-false-alarm event. In other embodiments, the candidate security event is determined to be a false alarm event when the matching degree is within a preset range, and a non-false-alarm event otherwise.
A determining module 35, configured to determine the candidate security event as the target security event when the candidate security event is not a false alarm event. A target security event is an event identified as an attempt to change the security state of the information system, that is, a security event that needs to be alerted on. Once a candidate security event is determined to be a target security event, it can be alerted on and handled in time, for example by intercepting it. In some embodiments, as shown in fig. 5, the apparatus further comprises a second obtaining module 36 and an adjusting module 37.
The second obtaining module 36 is configured to perform secondary judgment on a plurality of candidate security events within a preset time period to obtain the false alarm rate of the plurality of candidate security events, which equals the total number of false alarm events in the period divided by the total number of candidate security events. The total number of false alarm events may be obtained as follows: the candidate security events are scored through the preset security analysis model and each score is compared with the target score threshold; if the score is greater, the candidate security event is a non-false-alarm event, otherwise it is a false alarm event.
An adjusting module 37, configured to adjust the target score threshold, if the false alarm rate is greater than a preset false alarm threshold, until the false alarm rate is less than or equal to the preset false alarm threshold. The preset false alarm threshold is set as required.
In some embodiments, the adjusting module 37 is specifically configured to: adjust the target score threshold up by a preset amplitude to obtain a first score threshold; perform secondary judgment on the plurality of candidate security events in the preset time period based on the first score threshold to obtain a new false alarm rate of the plurality of candidate security events; if the new false alarm rate is less than or equal to the preset false alarm threshold, take the first score threshold as the final target score threshold and finish the adjustment; and if the new false alarm rate is greater than the preset false alarm threshold, judge whether the first score threshold is greater than a set score threshold to obtain a judgment result and determine the target score threshold according to the judgment result. The preset amplitude can be set as required, for example according to the event type of the candidate security event; in some embodiments it may be the difference between the target score threshold and the set score threshold. The set score threshold may be a maximum score threshold, that is, an upper limit on the score threshold, set according to an empirical value. For example, the first score threshold is used as the target score threshold, the candidate security events are scored, and each score is compared with the first score threshold: if the score is greater than the first score threshold the candidate security event is judged a non-false-alarm event, otherwise it is a false alarm event. The total number of false alarm events is counted, and the new false alarm rate equals the total number of false alarm events divided by the total number of candidate security events.
In some embodiments, the adjusting module 37 is further configured to: if the first score threshold is less than or equal to the set score threshold, take the first score threshold as the target score threshold and return to the step of adjusting the target score threshold up by the preset amplitude to obtain a first score threshold; and if the first score threshold is greater than the set score threshold, take the first score threshold as the final target score threshold and finish the adjustment.
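The adjustment loop of steps S2081 to S2084 and of the adjusting module 37, as an added example that is not the patent's code. It assumes integer scores on a 0 to 100 scale, that the candidate set is re-selected at each trial threshold (the events scoring above it), and that the secondary judgment of each event is available as a per-event label, which the page allows a more accurate model or manual review to supply.

```python
"""Added example (not from the patent): score-threshold adjustment of steps
S2081-S2084 / adjusting module 37 over constructed candidate events."""
from typing import List, Tuple

# (initial score from the preset security analysis model, secondary judgment).
# The second element is True when the more accurate model or a manual review
# judged the event a false alarm. Constructed sample data on a 0-100 score scale.
SAMPLE_EVENTS: List[Tuple[int, bool]] = [
    (55, True), (58, True), (62, True), (66, False), (68, True),
    (72, False), (75, True), (80, False), (88, False), (95, False),
]


def false_alarm_rate(events, threshold):
    """S2082: candidates are the events scoring above the threshold; the rate is
    the number of candidates judged false alarms divided by all candidates."""
    candidates = [is_false for score, is_false in events if score > threshold]
    if not candidates:
        return 0.0  # nothing is alerted on at this threshold, so nothing is a false alarm
    return sum(candidates) / len(candidates)


def adjust_threshold(events, target, step, max_threshold, max_rate):
    """Raise the target threshold by `step` (S2081) until the false alarm rate is at
    most `max_rate` (S2083) or the trial threshold exceeds `max_threshold` (S2084).
    Returns (final threshold, its false alarm rate, list of (threshold, rate) tried)."""
    history = []
    while True:
        first = target + step                   # S2081: first score threshold
        rate = false_alarm_rate(events, first)  # S2082: new false alarm rate
        history.append((first, rate))
        if rate <= max_rate:                    # S2083: accept and stop
            return first, rate, history
        if first > max_threshold:               # S2084 (2): cap exceeded, accept and stop
            return first, rate, history
        target = first                          # S2084 (1): loop again from S2081


if __name__ == "__main__":
    final, rate, tried = adjust_threshold(SAMPLE_EVENTS, target=50, step=10,
                                          max_threshold=90, max_rate=0.3)
    for t, r in tried:
        print(f"threshold {t}: false alarm rate {r:.3f}")
    print(f"final target score threshold {final} (rate {rate:.3f})")
```

The returned history shows the rate at each threshold tried; the set score threshold cap is what stops the loop from raising the threshold until nothing is alerted on at all.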
In some embodiments, the apparatus further comprises an extraction module 38 and a training module 39.
The second obtaining module 36 is configured to perform secondary judgment on the plurality of candidate security events within the preset time period to obtain the false alarm rate of the plurality of candidate security events.
An extracting module 38, configured to extract the false alarm candidate security events from the plurality of candidate security events if the false alarm rate is greater than the preset false alarm threshold, so as to obtain at least one false alarm event; for example, the false alarm events obtained by the second obtaining module 36 are extracted.
A training module 39, configured to train the preset security analysis model based on the at least one false alarm event until the false alarm rate is less than or equal to the false alarm threshold. For example, the preset security analysis model is trained on the false alarm events extracted by the extraction module 38 to obtain a new security analysis model; the new model then judges the candidate security events within the preset time period and a false alarm rate is obtained. When the false alarm rate is less than or equal to the false alarm threshold, this security analysis model is taken as the final preset security analysis model.
In some embodiments, the second obtaining module 36 is specifically configured to: carry out secondary analysis on the candidate security events through a preset false alarm model to obtain the number of false alarm events, and obtain the false alarm rate from the number of false alarm events and the total number of candidate security events. The preset false alarm model includes a threat intelligence library, zombie host information and the like, without limitation. For example, the preset false alarm model may capture the characteristic parameters of a candidate security event, analyze them, and judge whether they are similar or identical to preset false alarm parameters; if so, the event is determined to be a false alarm event, otherwise it is not.
In some embodiments, the judging module 34 is specifically configured to: when the similarity is less than a preset similarity threshold, determine that the candidate security event is a non-false-alarm event; and when the similarity is greater than or equal to the preset similarity threshold, determine that the candidate security event is a false alarm event.
In some embodiments, the first obtaining module 33 is specifically configured to: acquire the event type of the target event and query the false alarm database for false alarm events of the corresponding type based on that event type; and calculate the similarity between the candidate security event and the false alarm events of the corresponding type. The event type of the target event includes access control, security level, user password, encrypted traffic, executable file and the like. A false alarm database is established from the detection results of the model and is continuously updated during use; each false alarm database is specific to a single model and a single type of security event. In some embodiments, the similarity between the target event and the false alarm event can be obtained from one of Euclidean distance, cosine similarity, Manhattan distance and the Pearson correlation coefficient.
In some embodiments, the first obtaining module 33 is specifically configured to: obtain the characteristic parameters of the candidate security event and calculate the hash value of the characteristic parameters; and obtain the similarity between the candidate security event and the false alarm event of the corresponding type from the hash value. The locality sensitive hash value of the characteristic parameters of the target event is compared with the locality sensitive hash value of a preset false alarm event; if the two are equal or approximately equal, the target event is determined to be similar to that false alarm event in the false alarm database.
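The similarity lookup of module 33 and the judgment of module 34 described above (a locality sensitive hash of the characteristic parameters, queried against the stored false alarm events of the same event type and compared with a preset similarity threshold), as an added example that is not the patent's code. It assumes a random-hyperplane LSH over a constructed four-element numeric feature vector, similarity equal to the fraction of matching hash bits, and that the initial score from the preset security analysis model is already available; a confirmed false alarm is stored back into the database as the summary of the method above describes.

```python
"""Added example (not the patent's own code): the false alarm database lookup of
modules 33 and 34 with a random-hyperplane locality sensitive hash (assumption)."""
import random
from dataclasses import dataclass, field
from typing import Dict, List

N_FEATURES = 4   # length of the constructed feature-parameter vector
N_BITS = 64      # hash length; similarity is resolved in steps of 1/N_BITS

# Random hyperplanes for the LSH. The fixed seed keeps hashes reproducible across
# runs; otherwise hashes stored in the database could not be compared later.
_rng = random.Random(2020)
HYPERPLANES = [[_rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)] for _ in range(N_BITS)]


def lsh_hash(features: List[float]) -> int:
    """Bit i is 1 when the feature vector lies on the positive side of hyperplane i,
    so vectors pointing in nearly the same direction share most of their bits."""
    bits = 0
    for plane in HYPERPLANES:
        dot = sum(p * f for p, f in zip(plane, features))
        bits = (bits << 1) | (1 if dot > 0 else 0)
    return bits


def lsh_similarity(hash_a: int, hash_b: int) -> float:
    """Fraction of matching bits: 1.0 for the same direction, 0.0 for the opposite one."""
    differing = bin(hash_a ^ hash_b).count("1")
    return 1.0 - differing / N_BITS


@dataclass
class Event:
    event_type: str        # access_control, user_password, ... (types named on the page)
    features: List[float]  # characteristic parameters (constructed numeric vector)
    initial_score: float   # score from the preset security analysis model (assumed given)


@dataclass
class FalseAlarmDatabase:
    """False alarm events keyed by event type, each stored as its LSH value."""
    entries: Dict[str, List[int]] = field(default_factory=dict)

    def add(self, event: Event) -> None:
        self.entries.setdefault(event.event_type, []).append(lsh_hash(event.features))

    def max_similarity(self, event: Event) -> float:
        """Highest similarity to a stored false alarm of the same type (0.0 if none)."""
        h = lsh_hash(event.features)
        stored = self.entries.get(event.event_type, [])
        return max((lsh_similarity(h, s) for s in stored), default=0.0)


def detect(event: Event, db: FalseAlarmDatabase,
           score_threshold: float, similarity_threshold: float) -> str:
    """Returns 'not_candidate', 'false_alarm' or 'target_security_event'."""
    if event.initial_score <= score_threshold:
        return "not_candidate"              # initial score not above the target threshold
    similarity = db.max_similarity(event)
    if similarity >= similarity_threshold:  # judging module 34: matches a known false alarm
        db.add(event)                       # keep the false alarm database growing
        return "false_alarm"
    return "target_security_event"          # determining module 35: alert on it


if __name__ == "__main__":
    db = FalseAlarmDatabase()
    # Constructed: an earlier access-control alert that analysts marked a false alarm
    db.add(Event("access_control", [12.0, 3.0, 1.0, 0.0], 0.0))
    for e in [Event("access_control", [24.0, 6.0, 2.0, 0.0], 0.95),  # same pattern, doubled
              Event("user_password", [24.0, 6.0, 2.0, 0.0], 0.95),   # other type: no DB entry
              Event("access_control", [24.0, 6.0, 2.0, 0.0], 0.50)]: # below score threshold
        print(e.event_type, e.initial_score, "->", detect(e, db, 0.7, 0.9))
```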
In some embodiments, the apparatus further comprises a storage module 40 and an update module 41.
A storage module 40, configured to store the candidate security event into the false alarm database when the candidate security event is a non-false alarm event. In some embodiments, a hash value of the candidate security event may be obtained, associated with the candidate security event and stored in the false alarm database.
An update module 41, configured to train the preset security analysis model according to the candidate security event when the candidate security event is a false alarm event, so as to update the preset security analysis model. In some embodiments, a training sample is generated from the candidate security event and the preset security analysis model is trained on it, so as to improve scoring accuracy.
As can be seen from the above, the security event detection apparatus provided in the embodiment of the present application scores the security of a target event to be detected through a preset security analysis model to obtain an initial score value; when the initial score value is greater than a target score threshold, sets the target event as a candidate security event; obtains the similarity between the candidate security event and a corresponding false alarm event in a false alarm database; judges whether the candidate security event is a false alarm event according to the similarity; and if the candidate security event is not a false alarm event, sets it as a target security event. Compared with existing detection methods, this improves the accuracy and effectiveness of security event detection and thereby improves network security.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application, in which an electronic device 3 includes: the processor 301 and the memory 302, the processor 301 and the memory 302 being interconnected and communicating with each other via a communication bus 303 and/or other form of connection mechanism (not shown), the memory 302 storing a computer program executable by the processor 301, the processor 301 executing the computer program when the computing device is running to perform the method of any of the alternative implementations of the embodiments described above.
The embodiment of the present application also provides a storage medium having a computer program stored thereon; when executed by a processor, the computer program performs the method of any optional implementation of the above embodiments. The storage medium may be implemented by any type of volatile or nonvolatile storage device or combination thereof, such as a Static Random Access Memory (SRAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), an Erasable Programmable Read-Only Memory (EPROM), a Programmable Read-Only Memory (PROM), a Read-Only Memory (ROM), a magnetic memory, a flash memory, a magnetic disk, or an optical disk.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (12)

1. A method for detecting a security event, comprising the steps of:
scoring the security of a target event to be detected through a preset security analysis model to obtain an initial score value;
when the initial score value is greater than a target score threshold, setting the target event as a candidate security event;
obtaining the similarity between the candidate security event and a corresponding false alarm event in a false alarm database;
judging whether the candidate security event is a false alarm event according to the similarity;
and if the candidate security event is not a false alarm event, determining the candidate security event as a target security event.
2. The method of detecting a security event of claim 1, further comprising:
carrying out secondary judgment on a plurality of candidate security events in a preset time period to obtain the false alarm rate of the plurality of candidate security events;
and if the false alarm rate is greater than a preset false alarm threshold value, adjusting the target score threshold value until the false alarm rate is less than or equal to the preset false alarm threshold value.
3. The method of claim 2, wherein the step of adjusting the target score threshold until the false positive rate is less than or equal to the preset false positive threshold comprises:
adjusting the target score threshold value up by a preset amplitude to obtain a first score threshold value;
performing secondary judgment on the plurality of candidate security events in the preset time period based on the first score threshold so as to obtain a new false alarm rate of the plurality of candidate security events;
if the new false alarm rate is smaller than or equal to the preset false alarm threshold, taking the first score threshold as a final target score threshold and finishing adjustment;
if the new false alarm rate is greater than the preset false alarm threshold, judging whether the first score threshold is greater than a set score threshold to obtain a judgment result, and determining a target score threshold according to the judgment result.
4. The method of claim 3, wherein the step of determining a target score threshold according to the determination result comprises:
if the first score threshold is smaller than or equal to a set score threshold, taking the first score threshold as a target score threshold and returning to execute the step of adjusting the target score threshold by a preset amplitude to obtain the first score threshold;
and if the first score threshold is larger than a set score threshold, taking the first score threshold as a final target score threshold and finishing adjustment.
5. The method of detecting a security event of claim 1, further comprising:
carrying out secondary judgment on a plurality of candidate security events in a preset time period to obtain the false alarm rate of the plurality of candidate security events;
if the false alarm rate is greater than a preset false alarm threshold value, extracting false alarm candidate security events from the multiple candidate security events to obtain at least one false alarm event;
and training the preset security analysis model based on the at least one false alarm event until the false alarm rate is less than or equal to the false alarm threshold.
6. The method for detecting a security event according to claim 5, wherein the step of performing secondary judgment on a plurality of candidate security events within a preset time period to obtain the false alarm rates of the plurality of candidate security events comprises:
obtaining the number of false alarm events from the results of secondary analysis of the candidate security events by security researchers;
and obtaining the false alarm rate from the number of false alarm events and the total number of candidate security events.
7. The method of claim 1, wherein the step of determining whether the candidate security event is a false positive event according to the similarity comprises:
when the similarity is smaller than a preset similarity threshold, determining that the candidate security event is a non-false alarm event;
and when the similarity is greater than or equal to the preset similarity threshold, determining that the candidate security event is a false alarm event.
8. The method of claim 7, wherein the step of obtaining the similarity between the candidate security event and the corresponding false positive event in a false positive database comprises:
acquiring characteristic parameters of the candidate security event, and calculating the locality sensitive hash value of the characteristic parameters;
and obtaining the similarity between the candidate security event and the false alarm event of the corresponding type according to the hash value.
9. The method of detecting a security event of claim 1, wherein when the candidate security event is a false positive event, the method further comprises:
and training the preset security analysis model according to the candidate security event so as to update the preset security analysis model.
10. An apparatus for detecting a security event, comprising:
a scoring module, configured to score the security of the target event to be detected through a preset security analysis model to obtain an initial score value;
a setting module, configured to set the target event as a candidate security event when the initial score value is greater than a target score threshold;
a first obtaining module, configured to obtain a similarity between the candidate security event and a corresponding false alarm event in a false alarm database;
the judging module is used for judging whether the candidate security event is a false alarm event or not according to the similarity;
and the determining module is used for determining the candidate security event as a target security event when the candidate security event is not a false alarm event.
11. An electronic device comprising a processor and a memory, the memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 1-9.
12. A storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, performs the method according to any of claims 1-9.
CN202011513791.XA 2020-12-18 2020-12-18 Security event detection method and device, electronic equipment and storage medium Pending CN112637194A (en)

Publications (1)

Publication Number Publication Date
CN112637194A true CN112637194A (en) 2021-04-09

Family

ID=75317793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011513791.XA Pending CN112637194A (en) 2020-12-18 2020-12-18 Security event detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112637194A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113343228A (en) * 2021-06-30 2021-09-03 北京天融信网络安全技术有限公司 Event credibility analysis method and device, electronic equipment and readable storage medium
CN113422785A (en) * 2021-08-20 2021-09-21 北京生泰尔科技股份有限公司 Malicious attack detection method and system based on network traffic and readable storage medium
CN113672913A (en) * 2021-08-20 2021-11-19 绿盟科技集团股份有限公司 Security event processing method and device and electronic equipment
CN113783891A (en) * 2021-09-26 2021-12-10 新华三信息安全技术有限公司 Event identification method and device
WO2024022450A1 (en) * 2022-07-27 2024-02-01 杭州海康威视数字技术股份有限公司 Scene adaptability improvement method and apparatus for object detection, and object detection system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104486141A (en) * 2014-11-26 2015-04-01 国家电网公司 Misdeclaration self-adapting network safety situation predication method
CN106991072A (en) * 2016-01-21 2017-07-28 杭州海康威视数字技术股份有限公司 Automatic measure on line event detection model update method and device
CN108629316A (en) * 2018-05-08 2018-10-09 东北师范大学人文学院 A kind of video accident detection method of various visual angles
US20180337836A1 (en) * 2011-11-07 2018-11-22 Netflow Logic Corporation Method and system for confident anomaly detection in computer network traffic
CN109815697A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Wrong report behavior processing method and processing device
CN110086767A (en) * 2019-03-11 2019-08-02 中国电子科技集团公司电子科学研究院 A kind of hybrid intrusion detection system and method

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113343228A (en) * 2021-06-30 2021-09-03 北京天融信网络安全技术有限公司 Event credibility analysis method and device, electronic equipment and readable storage medium
CN113343228B (en) * 2021-06-30 2023-11-10 北京天融信网络安全技术有限公司 Event credibility analysis method and device, electronic equipment and readable storage medium
CN113422785A (en) * 2021-08-20 2021-09-21 北京生泰尔科技股份有限公司 Malicious attack detection method and system based on network traffic and readable storage medium
CN113422785B (en) * 2021-08-20 2021-11-09 北京生泰尔科技股份有限公司 Malicious attack detection method and system based on network traffic and readable storage medium
CN113672913A (en) * 2021-08-20 2021-11-19 绿盟科技集团股份有限公司 Security event processing method and device and electronic equipment
CN113783891A (en) * 2021-09-26 2021-12-10 新华三信息安全技术有限公司 Event identification method and device
WO2024022450A1 (en) * 2022-07-27 2024-02-01 杭州海康威视数字技术股份有限公司 Scene adaptability improvement method and apparatus for object detection, and object detection system

Similar Documents

Publication Publication Date Title
CN112637194A (en) Security event detection method and device, electronic equipment and storage medium
CN111428231B (en) Safety processing method, device and equipment based on user behaviors
Vidal et al. A novel pattern recognition system for detecting Android malware by analyzing suspicious boot sequences
US9692771B2 (en) System and method for estimating typicality of names and textual data
CN109922065B (en) Quick identification method for malicious website
US20200012784A1 (en) Profile generation device, attack detection device, profile generation method, and profile generation computer program
KR102120214B1 (en) Cyber targeted attack detect system and method using ensemble learning
Vidal et al. Online masquerade detection resistant to mimicry
CN111783132A (en) SQL sentence security detection method, device, equipment and medium based on machine learning
CN110855716B (en) Self-adaptive security threat analysis method and system for counterfeit domain names
CN106845217B (en) Detection method for malicious behaviors of android application
Mythreya et al. Prediction and prevention of malicious URL using ML and LR techniques for network security: machine learning
Park et al. Antibot: Clustering common semantic patterns for bot detection
Stiawan et al. Ransomware detection based on opcode behavior using k-nearest neighbors algorithm
CN111488621A (en) Method and system for detecting falsified webpage, electronic equipment and storage medium
Cole et al. A new facial authentication pitfall and remedy in web services
CN110430199A (en) Identify the method and system of Internet of Things Botnet attack source
Xu et al. A fast detection method of network crime based on user portrait
Qiao et al. Behavior analysis-based learning framework for host level intrusion detection
Catherine An intelligent rule based phishing website detection model
Al-Ofeishat Enhancing Android Security: Network-Driven Machine Learning Approach For Malware Detection
Neal et al. Mobile biometrics, replay attacks, and behavior profiling: An empirical analysis of impostor detection
Vidal et al. Adversarial Communication Networks Modeling for Intrusion Detection Strengthened against Mimicry
Xiong et al. Research on Detection and Defense of Malicious Code under Network Security
CN115941361B (en) Malicious traffic identification method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210409