
CN114329451A - A security analysis method, apparatus, device and readable storage medium - Google Patents


Info

Publication number: CN114329451A
Authority: CN (China)
Prior art keywords: alarm, log information, log, degree, attack
Legal status: Pending
Application number: CN202111615320.4A
Other languages: Chinese (zh)
Inventor: 张斌
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202111615320.4A
Publication of CN114329451A


Abstract

The application discloses a security analysis method, apparatus, device and readable storage medium. The method determines the attacked state of a device from the target log information in its alarm log whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the confidence threshold, and then analyzes the alarm log with the analysis strategy corresponding to that state, so that the alarm log is analyzed in a targeted way under different strategies. For example: when the device is under attack, the alarm log generated at the current moment is analyzed with priority; when the device is in the controlled state, the alarm information at the current moment, before it and after it is all analyzed with priority. The current attack event is thus analyzed accurately on the basis of the alarm log, and analysis efficiency and accuracy are improved. Correspondingly, the security analysis apparatus, device and readable storage medium provided by the application have the same technical effects.

Description

A security analysis method, apparatus, device and readable storage medium

Technical field

The present application relates to the field of computer technology, and in particular to a security analysis method, apparatus, device and readable storage medium.

Background

At present, alarm logs can be analyzed with correlation analysis rules. For example, a correlation rule A-B-C is formulated: when events A, B and C occur in sequence within a period of time, this is regarded as a confirmed attack event, A, B and C are regarded as accurate alarms, and the hacker's attack process is A-B-C.

However, correlation analysis requires a large number of correlation rules to be built into the device in advance, so security analysts must analyze attack events that have already occurred in order to derive the rules. Attack methods are complex and change constantly, so correlation rules derived from historical attack events are likely not to apply to new attack events, and low-confidence logs among the logs to be correlated introduce a large number of false positives.

Therefore, how to analyze attack events more accurately on the basis of alarm logs is a problem that those skilled in the art need to solve.

Summary of the invention

In view of this, the purpose of the present application is to provide a security analysis method, apparatus, device and readable storage medium that analyze attack events more accurately on the basis of alarm logs. The specific scheme is as follows:

In a first aspect, the present application provides a security analysis method, including:

obtaining the alarm log of a target device;

determining, in the alarm log, target log information whose hazard degree is higher than a hazard degree threshold and whose alarm confidence is higher than a confidence threshold, and determining the attacked state of the target device on the basis of the target log information;

analyzing the alarm log using the analysis strategy corresponding to the attacked state.

Preferably, determining in the alarm log the target log information whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the confidence threshold includes:

determining the hazard degree and alarm confidence of each piece of log information in the alarm log, so as to select the target log information from the pieces of log information according to the hazard degree threshold and the confidence threshold.

Preferably, the method also includes:

selecting, from the pieces of log information and according to the hazard degree threshold and the confidence threshold, log information to be evaluated whose alarm confidence is lower than the confidence threshold;

if the log information to be evaluated is determined to be a false alarm, deleting the log information to be evaluated from the alarm log.

Preferably, if the alarm frequency of the log information to be evaluated is higher than a frequency threshold, and/or the prevalence of the log information to be evaluated is higher than a prevalence threshold, the log information to be evaluated is determined to be a false alarm; otherwise, the log information to be evaluated is determined not to be a false alarm.

Preferably, if the log information to be evaluated is determined not to be a false alarm, the log information to be evaluated is retained.

Preferably, determining the attacked state of the target device on the basis of the target log information includes:

determining the attacked state on the basis of the access direction, attack attribute and attack result of the target log information.

Preferably, analyzing the alarm log using the analysis strategy corresponding to the attacked state includes:

if the attacked state is the under-attack state, displaying on a timeline the log information in the alarm log whose hazard degree is higher than the hazard degree threshold;

and/or

if the attacked state is the attack-succeeded state, displaying on a timeline the log information in the alarm log whose hazard degree is higher than the hazard degree threshold, marking on the timeline the attack time point and the corresponding attacking IP address, handling with a security control policy the log information newly generated after the current moment whose hazard degree is higher than the hazard degree threshold, and monitoring the log information newly generated after the current moment whose hazard degree is lower than the hazard degree threshold;

and/or

if the attacked state is the controlled state, displaying the alarm log on a timeline, marking on the timeline the attack time point and the corresponding attacking IP address as well as the time point at which the device was taken under control and the corresponding controlled behaviour, and handling with a security control policy all log information newly generated after the current moment.

In a second aspect, the present application provides a security analysis apparatus, including:

an acquisition module for obtaining the alarm log of a target device;

a determination module for determining, in the alarm log, target log information whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the confidence threshold, and for determining the attacked state of the target device on the basis of the target log information;

an analysis module for analyzing the alarm log using the analysis strategy corresponding to the attacked state.

In a third aspect, the present application provides an electronic device, including:

a memory for storing a computer program;

a processor for executing the computer program so as to implement the security analysis method disclosed above.

In a fourth aspect, the present application provides a readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security analysis method disclosed above.

As the above scheme shows, the present application provides a security analysis method including: obtaining the alarm log of a target device; determining, in the alarm log, target log information whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the confidence threshold, and determining the attacked state of the target device on the basis of the target log information; and analyzing the alarm log using the analysis strategy corresponding to the attacked state.

Thus the present application first determines the attacked state of the device on the basis of the target log information in the alarm log whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the confidence threshold, and then analyzes the alarm log using the analysis strategy corresponding to that state, so that the alarm log can be analyzed in a targeted way under different strategies. For example: when the device is under attack, the alarm log generated at the current moment is analyzed with priority; or, when the device is in the controlled state, the alarm information at the current moment, before it and after it is all analyzed with priority. The current attack event is thereby analyzed accurately on the basis of the alarm log without correlating historical attack events, and analysis efficiency and accuracy are improved.

Correspondingly, the security analysis apparatus, device and readable storage medium provided by the present application have the same technical effects.

Description of the drawings

In order to illustrate more clearly the embodiments of the present application or the technical solutions in the prior art, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flowchart of a security analysis method disclosed in the present application;

FIG. 2 is a flowchart of another security analysis method disclosed in the present application;

FIG. 3 is a schematic diagram of a security analysis apparatus disclosed in the present application;

FIG. 4 is a schematic diagram of an electronic device disclosed in the present application;

FIG. 5 is a schematic diagram of another electronic device disclosed in the present application.

Detailed description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in the present application without creative effort fall within the scope of protection of the present application.

At present, correlation analysis requires a large number of correlation rules to be built into the device in advance, so security analysts must analyze attack events that have already occurred in order to derive the rules. Attack methods are complex and change constantly, so correlation rules derived from historical attack events are likely not to apply to new attack events, and low-confidence logs among the logs to be correlated introduce a large number of false positives. To this end, the present application provides a security analysis scheme that can analyze attack events more accurately on the basis of alarm logs.

Referring to FIG. 1, an embodiment of the present application discloses a security analysis method, including:

S101. Obtain the alarm log of the target device.

In this embodiment, the target device may be a server, a terminal, a gateway or the like. Each piece of log information in the alarm log can be marked with a hazard degree and a confidence; the mark is generated automatically from preset marking rules when the log information is generated. For example, if the preset marking rule states that exploitation behaviour is of high hazard and high confidence, then log information about an exploitation behaviour is marked as high hazard and high confidence. The hazard degree and the confidence can of course be expressed as scores, for example a value taken from 0 to 1.

S102. Determine, in the alarm log, the target log information whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the confidence threshold, and determine the attacked state of the target device on the basis of the target log information.

The hazard degree threshold and the confidence threshold can be set flexibly. Assuming both the hazard degree and the confidence take values from 0 to 1, both thresholds may be 0.6; the target log information whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the confidence threshold is then the log information with hazard degree higher than 0.6 and alarm confidence higher than 0.6.

Since the hazard degree of the target log information is higher than the hazard degree threshold and its alarm confidence is higher than the confidence threshold, the target log information is very likely to record an attack event, so the attacked state of the device can be determined from it. Attacked states include: under attack, attacked successfully, controlled, and so on.

Generally, whether the device is under attack, has been attacked successfully or has been taken under control can be determined from the access direction, the attack attribute and the attack result. Therefore, in one specific implementation, determining the attacked state of the target device on the basis of the target log information includes: determining the attacked state on the basis of the access direction, attack attribute and attack result of the target log information.

The access direction can be determined from directional access information such as the source IP and destination IP. The access direction shows whether the current device actively initiated the access or passively received it; by the distinction between intranet and extranet it can be classified as inside-to-outside access, outside-to-inside access or inside-to-inside access.

Attack attributes can be divided into the attack class and the control class. In the attack class, another device attacks the current device. In the control class, another device controls the current device so that it attacks a third device.

The attack result is: under attack, attacked successfully and/or controlled, and so on. Since further attack events may occur after the device has been attacked, the attacked state of the device is not necessarily unique.

S103. Analyze the alarm log using the analysis strategy corresponding to the attacked state.

In this embodiment, after the attacked state of the device is determined on the basis of the target log information in the alarm log whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the confidence threshold, the alarm log is analyzed using the analysis strategy corresponding to that state, so that the alarm log can be analyzed in a targeted way under different strategies.

For example: when the device is under attack, the alarm log generated at the current moment is analyzed with priority; or, when the device is in the controlled state, the alarm information at the current moment, before it and after it is all analyzed with priority. The current attack event is thereby analyzed accurately on the basis of the alarm log without correlating historical attack events, and analysis efficiency and accuracy are improved.

On the basis of the above embodiment, it should be noted that in one specific implementation, determining in the alarm log the target log information whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the alarm confidence threshold includes: determining the hazard degree and alarm confidence of each piece of log information in the alarm log, so as to select the target log information from the pieces of log information according to the hazard degree threshold and the confidence threshold, that is, selecting the log information whose hazard degree is higher than the hazard degree threshold and whose alarm confidence is higher than the alarm confidence threshold.

Since each piece of log information is marked with a hazard degree and a confidence, log information to be evaluated whose alarm confidence is lower than the confidence threshold can also be selected from the pieces of log information according to the hazard degree threshold and the confidence threshold.

If the log information to be evaluated is determined to be a false alarm, it is deleted from the alarm log, which removes erroneous information from the alarm log, reduces the volume of alarm log data and provides favourable conditions for subsequent analysis.

If the log information to be evaluated is determined not to be a false alarm, it is retained, which keeps the alarm information complete and improves the accuracy of the alarm log. At the same time, log information to be evaluated that is not a false alarm can also indicate that the device is under attack, has been controlled or the like; this state is recorded together with the state determined from the target log information.

If the alarm frequency of the log information to be evaluated is higher than the frequency threshold, and/or its prevalence is higher than the prevalence threshold, the log information to be evaluated is determined to be a false alarm; otherwise it is determined not to be a false alarm. Whether the log information is a false alarm can thus be determined from whether its alarm frequency exceeds the frequency threshold. Attack events are generally sporadic, whereas the normal business running on the device is continuous and widespread, so if the alarm frequency is higher than the frequency threshold and/or the prevalence is higher than the prevalence threshold, the log information is very likely a business false positive and can be judged a false alarm.

On the basis of the above embodiment, it should be noted that in one specific implementation, analyzing the alarm log using the analysis strategy corresponding to the attacked state includes: if the attacked state is the under-attack state, displaying on a timeline the log information in the alarm log whose hazard degree is higher than the hazard degree threshold; and/or, if the attacked state is the attack-succeeded state, displaying on a timeline the log information in the alarm log whose hazard degree is higher than the hazard degree threshold, marking on the timeline the attack time point and the corresponding attacking IP address, handling with a security control policy the log information newly generated after the current moment whose hazard degree is higher than the hazard degree threshold, and monitoring the log information newly generated after the current moment whose hazard degree is lower than the hazard degree threshold; and/or, if the attacked state is the controlled state, displaying the alarm log on a timeline, marking on the timeline the attack time point and the corresponding attacking IP address as well as the time point at which the device was taken under control and the corresponding controlled behaviour, and handling with a security control policy all log information newly generated after the current moment.

Since the attacked state of the device is determined from log information in the alarm log with high hazard degree and high alarm confidence, once the attacked state has been determined, an attack event has already been recorded in the alarm log.

Thus, if the device is under attack, information about the attack has already been recorded in the alarm log, and the high-hazard alarms in the alarm log are very dangerous, so the log information in the alarm log whose hazard degree is higher than the hazard degree threshold is displayed on a timeline so that technicians can consult important information such as the time at which the attack event was launched.

If the device has been attacked successfully, the alarm log has already recorded important information such as the time the attack event was launched and the time point at which the device was compromised, and the device is very likely to perform further high-hazard operations. Therefore the log information in the alarm log whose hazard degree is higher than the hazard degree threshold is displayed on a timeline, the attack time point and the corresponding attacking IP address are marked on the timeline, and then the log information newly generated after the current moment whose hazard degree is higher than the hazard degree threshold is handled with a security control policy, while the log information newly generated after the current moment whose hazard degree is lower than the hazard degree threshold is monitored, so as to respond in time to harmful operations by the device, for example by blocking the installation of unknown software or the deletion of important files. Because the device has already been attacked successfully at this point, the various newly generated alarms need attention.

If the device is already in the controlled state, the alarm log has already recorded important information such as the time the attack event was launched, the time point at which the device was compromised, and the behaviour and time points of the device attacking other devices, and the device is very likely to continue performing further high-hazard operations. Therefore the alarm log is displayed on a timeline; the attack time point and the corresponding attacking IP address, and the time point at which the device was taken under control and the corresponding controlled behaviour, are marked on the timeline; and all log information newly generated after the current moment is handled with a security control policy, so as to respond in time to any dangerous operation by the device. Because the device is under malicious control at this point, every newly generated alarm may pose a serious threat.

For the attacked-successfully state and the controlled state, the thresholds of the various alarms can be adjusted so that the device is more sensitive to the various alarms and has a lower alarm tolerance, making the device attend to every alarm.

The following embodiment applies the method provided by the present application to a network security detection device (such as a gateway); referring to FIG. 2, the specific implementation process includes:
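As an added illustration (not code from the patent or from Sangfor), the following Python selects the target log information with both thresholds at 0.6 and evaluates the low-confidence entries by alarm frequency and prevalence as described above; it also covers step 2 of the gateway embodiment later on this page. The field names, the frequency and prevalence thresholds, the batch-based counting and the sample batch are assumptions.

```python
from dataclasses import dataclass

HAZARD_THRESHOLD = 0.6       # hazard degree threshold from the text
CONFIDENCE_THRESHOLD = 0.6   # confidence threshold from the text
FREQUENCY_THRESHOLD = 5      # assumed: same alarm on the same host per detection interval
PREVALENCE_THRESHOLD = 3     # assumed: distinct hosts raising the same alarm


@dataclass(frozen=True)
class Alarm:
    ts: int            # unix time of the alarm
    host: str          # monitored host that raised the alarm
    signature: str     # alarm type / rule that fired
    hazard: float      # hazard degree in [0, 1]
    confidence: float  # alarm confidence in [0, 1]


def select_target_alarms(alarms):
    """Target log information: hazard and confidence both above their thresholds."""
    return [a for a in alarms
            if a.hazard > HAZARD_THRESHOLD and a.confidence > CONFIDENCE_THRESHOLD]


def select_alarms_to_evaluate(alarms):
    """Low-confidence entries that must be checked for false alarms."""
    return [a for a in alarms if a.confidence < CONFIDENCE_THRESHOLD]


def alarm_frequency(alarm, batch):
    """How often the same signature fired on the same host within the batch
    (the batch is everything collected up to one detection time point)."""
    return sum(1 for a in batch
               if a.signature == alarm.signature and a.host == alarm.host)


def alarm_prevalence(alarm, batch):
    """On how many distinct hosts the same signature fired within the batch."""
    return len({a.host for a in batch if a.signature == alarm.signature})


def is_false_alarm(alarm, batch):
    """Continuous or widespread alarms look like normal business, not a sporadic attack."""
    return (alarm_frequency(alarm, batch) > FREQUENCY_THRESHOLD
            or alarm_prevalence(alarm, batch) > PREVALENCE_THRESHOLD)


def prune_false_alarms(batch):
    """Delete the low-confidence entries judged false alarms; return (retained, deleted)."""
    deleted = {a for a in select_alarms_to_evaluate(batch) if is_false_alarm(a, batch)}
    retained = [a for a in batch if a not in deleted]
    return retained, sorted(deleted, key=lambda a: (a.ts, a.host))


# Constructed sample batch for one detection interval on an intranet segment.
SAMPLE_ALARMS = (
    [Alarm(1000, "10.0.0.5", "webshell-upload", 0.9, 0.8),   # target entry: high/high
     Alarm(1030, "10.0.0.5", "ssh-bruteforce", 0.7, 0.4)]    # low confidence but sporadic
    # same probe on one host six times in the interval: continuous -> business noise
    + [Alarm(1000 + 60 * i, "10.0.0.5", "dir-listing-probe", 0.5, 0.3) for i in range(6)]
    # same alarm on four different hosts: widespread -> business noise
    + [Alarm(1100, h, "login-failure", 0.2, 0.4)
       for h in ("10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.9")]
)
```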

1. The network security detection device divides the security alarm log of a host in the intranet into four classes according to hazard level and confidence level:

Class A logs: high hazard, high confidence;

Class B logs: high hazard, low confidence;

Class C logs: low hazard, high confidence;

Class D logs: low hazard, low confidence.

2. When the detection time point is reached, the Class B and Class D logs are checked.

Because Class B and D logs have low confidence, they may contain a large number of false positives. The frequency of occurrence, access relationships and so on of the Class B and D logs are analyzed to determine whether such logs are alarms triggered by a hacker attack or false positives triggered by business access.

1) A time-series recognition algorithm is used to judge whether these logs are sporadic or continuous. Hacker attack events are strongly sporadic, whereas business access is strongly continuous. Therefore, if the log is sporadic, it is regarded as an alarm caused by a hacker attack event and not a false positive; if the log occurs continuously, it is regarded as a false positive triggered by business access.

2) An access-relationship recognition algorithm is used to judge whether these logs occur generally across a large number of devices or only on a small number of devices. Because business access consists of a large number of hosts accessing one server, a many-to-one attack-like pattern appears, so the probability that such alarms are false positives is high. Hacker attack events are strongly sporadic, so only a small number of devices are involved in such alarms, and they can be determined to be alarms caused by a hacker attack event; at this point the access relationship is used to determine whether the access is inside-to-outside, outside-to-inside or inside-to-inside.

If the alarm log is a false positive, the related log is deleted. If it is determined to be a real attack, the related log is retained.

3. For Class A logs, the security state of the host (under attack, attacked successfully, controlled) is determined by combining the access direction (outside-to-inside attack, inside-to-inside access, inside-to-outside access), the attack attribute (attack class, remote control class) and the attack result.

4. The alarm log analysis strategy for the host is determined according to the host's security state.

(1) If the host is under attack, the host is not currently controlled by the hacker but an attack event exists; the Class A and B logs before the current time point can then be aggregated by attack attribute and attacker IP and displayed in the timeline order in which the alarms occurred.

(2) If the host is in the attacked-successfully state, the host is about to be controlled by the hacker. The alarm log at the moment of the successful attack is marked with priority; the Class A and B logs before that moment are aggregated by attack attribute and attacker IP and displayed in the timeline order in which the alarms occurred, and the alarm logs corresponding to the IP whose attack succeeded are highlighted. Class A and B alarm logs after that moment are responded to and handled in time, for example by blocking the related dangerous operations in time. The Class C and D attack logs of the intranet after that moment are also monitored and analyzed with priority.

(3)如果主机已经处于已被控制(已失陷)状态,此时需要对该时刻之前的A、B、C、D类日志按照攻击属性、攻击者IP进行聚合,并以告警发生的时间线进行展示,详细标识出主机被攻击的时间点、被控制的时间点及其行为。同时要对该被控制主机后续对外发出的所有告警日志重点监控分析。(3) If the host is already in the state of being controlled (lost), the A, B, C, and D logs before the time need to be aggregated according to the attack attribute and the attacker's IP, and the time line of the alarm occurrence Display, identify in detail the time point when the host was attacked, the time point when it was controlled, and its behavior. At the same time, it is necessary to focus on monitoring and analysis of all alarm logs sent by the controlled host subsequently.

5、每隔5分钟执行一下步骤2、3、4,以实时对主机进行检测。5. Perform steps 2, 3, and 4 every 5 minutes to detect the host in real time.
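As an added example that is not part of the patent (the patent discloses no code), the following Python runs one detection cycle of steps 1 to 4 over constructed sample alarms: the A/B/C/D split by thresholds, the frequency/prevalence false-positive filter for B/D logs, the host state from Type A logs, and the timeline/response strategy chosen for that state. The field names, thresholds, direction/attribute vocabulary and the sample alarms are all my assumptions.

```python
"""Added example (not the patent's own code): one cycle of the Type A/B/C/D alarm
triage in steps 1-4 above, over constructed alarms. Field names, thresholds and
the direction/attribute vocabulary are assumptions, not values from the patent."""
from collections import defaultdict

HAZARD_T, CERTAINTY_T = 0.7, 0.7  # hazard / certainty thresholds (assumed values)
FREQ_T, PREVALENCE_T = 5, 3       # "continuous" / "widespread" cut-offs (assumed)


def classify(a):
    """Step 1: A = high hazard + high certainty, B = high/low, C = low/high, D = low/low."""
    hi_h, hi_c = a["hazard"] > HAZARD_T, a["certainty"] > CERTAINTY_T
    return "A" if hi_h and hi_c else "B" if hi_h else "C" if hi_c else "D"


def drop_false_positives(alarms):
    """Step 2: a low-certainty (B/D) signature that fires continuously (frequency) or
    from many source hosts (prevalence) is business access and is deleted."""
    groups = defaultdict(list)
    for a in alarms:
        if classify(a) in "BD":
            groups[a["sig"]].append(a)
    dropped = {s for s, g in groups.items()
               if len(g) > FREQ_T or len({a["src"] for a in g}) > PREVALENCE_T}
    return [a for a in alarms if not (classify(a) in "BD" and a["sig"] in dropped)], dropped


def host_state(past):
    """Step 3: host state from direction, attribute and result of its Type A logs."""
    state = "normal"
    for a in past:
        if classify(a) != "A":
            continue
        if a["attribute"] == "remote_control" and a["result"] == "success":
            return "controlled"  # command channel established: the host is compromised
        if a["result"] == "success":
            state = "attack_succeeded"
        elif a["direction"] == "ext_to_int" and state == "normal":
            state = "under_attack"
    return state


def analyze(alarms, host, now):
    """Step 4: choose the aggregation / response strategy for the host's state."""
    mine = sorted((a for a in alarms if host in (a["src"], a["dst"])), key=lambda a: a["t"])
    past = [a for a in mine if a["t"] <= now]
    future = [a for a in mine if a["t"] > now]
    state = host_state(past)
    classes = "ABCD" if state == "controlled" else "AB"  # controlled host: full history
    timeline = defaultdict(list)                         # (attribute, attacker IP) -> times
    for a in past:
        if classify(a) in classes:
            timeline[(a["attribute"], a["src"])].append(a["t"])
    report = {"state": state, "timeline": dict(timeline)}
    if state in ("attack_succeeded", "controlled"):  # mark successful attack time / IP
        report["attack_points"] = [(a["t"], a["src"]) for a in past
                                   if a["attribute"] == "attack" and a["result"] == "success"]
    if state == "attack_succeeded":  # respond to later A/B logs, watch later C/D logs
        report["respond"] = [a["sig"] for a in future if classify(a) in "AB"]
        report["monitor"] = [a["sig"] for a in future if classify(a) in "CD"]
    if state == "controlled":  # mark the control point; watch everything the host emits
        report["control_point"] = next((a["t"], a["sig"]) for a in past
                                       if a["attribute"] == "remote_control" and a["result"] == "success")
        report["monitor"] = [a["sig"] for a in future if a["src"] == host]
    return report


def run_cycle(alarms, host, now):
    """One scheduled cycle (step 5 repeats it every 5 minutes): steps 2, 3 and 4."""
    kept, dropped = drop_false_positives(alarms)
    return analyze(kept, host, now), dropped


def alarm(t, sig, src, dst, hazard, certainty, direction, attribute, result):
    return dict(t=t, sig=sig, src=src, dst=dst, hazard=hazard, certainty=certainty,
                direction=direction, attribute=attribute, result=result)


HOST = "10.0.0.5"  # constructed internal host under analysis
SAMPLE = [  # constructed: a noisy rule fired by six clients of one file server (business)...
    alarm(i, "sql-probe", f"10.0.0.{20 + i}", "10.0.0.9", 0.8, 0.3, "int_to_int", "attack", "fail")
    for i in range(6)
] + [  # ...then one external address compromising HOST, which afterwards beacons out
    alarm(100, "webshell-upload", "203.0.113.7", HOST, 0.9, 0.9, "ext_to_int", "attack", "fail"),
    alarm(110, "webshell-upload", "203.0.113.7", HOST, 0.9, 0.9, "ext_to_int", "attack", "success"),
    alarm(120, "c2-beacon", HOST, "203.0.113.7", 0.9, 0.9, "int_to_ext", "remote_control", "success"),
    alarm(130, "smb-scan", HOST, "10.0.0.30", 0.8, 0.4, "int_to_int", "attack", "fail"),
    alarm(140, "dns-tunnel", HOST, "198.51.100.2", 0.4, 0.4, "int_to_ext", "remote_control", "fail"),
]
```

Running `run_cycle(SAMPLE, HOST, now)` for `now` = 105, 115 and 125 walks the same host through the under-attack, attack-succeeded and controlled states, with the six-client "sql-probe" group deleted as business access each time.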

It can be seen that this embodiment can compute the security state of a host in real time, automatically analyze the logs based on that security state, and automatically mark each stage of the hacker attack along a timeline.

A security analysis apparatus provided by an embodiment of the present application is described below. The security analysis apparatus described below and the security analysis method described above can be referred to each other.

Referring to FIG. 3, an embodiment of the present application discloses a security analysis apparatus, comprising:

an obtaining module 301, configured to obtain an alarm log in the target device;

a determining module 302, configured to determine, in the alarm log, target log information whose hazard degree is higher than the hazard degree threshold and whose alarm certainty is higher than the certainty threshold, and to determine the attacked state of the target device based on the target log information;

an analysis module 303, configured to analyze the alarm log using the analysis strategy corresponding to the attacked state.

In a specific implementation, the determining module includes:

a first selection unit, configured to determine the hazard degree and alarm certainty of each piece of log information in the alarm log, so as to select the target log information from the pieces of log information according to the hazard degree threshold and the certainty threshold.

In a specific implementation, the determining module further includes:

a second selection unit, configured to select, from the pieces of log information and according to the hazard degree threshold and the certainty threshold, log information to be evaluated whose alarm certainty is lower than the certainty threshold;

a deletion unit, configured to delete the log information to be evaluated from the alarm log if the log information to be evaluated is determined to be a false alarm.

In a specific implementation, the deletion unit is specifically configured to:

determine that the log information to be evaluated is a false alarm if its alarm frequency is higher than the frequency threshold and/or its prevalence is higher than the prevalence threshold; otherwise, determine that the log information to be evaluated is not a false alarm.

In a specific implementation, the determining module further includes:

a retention unit, configured to retain the log information to be evaluated if it is determined not to be a false alarm.

In a specific implementation, the determining module is specifically configured to:

determine the attacked state based on the access direction, attack attribute and attack result of the target log information.

In a specific implementation, the analysis module is specifically configured to:

if the attacked state is the under-attack state, display the log information in the alarm log whose hazard degree is higher than the hazard degree threshold along a timeline;

and/or

if the attacked state is the attack-succeeded state, display the log information in the alarm log whose hazard degree is higher than the hazard degree threshold along a timeline, mark the attack time point and the corresponding attacker IP address on the timeline, handle log information newly generated after the current moment whose hazard degree is higher than the hazard degree threshold using the security control strategy, and monitor log information newly generated after the current moment whose hazard degree is lower than the hazard degree threshold;

and/or

if the attacked state is the controlled state, display the alarm log along a timeline, mark on the timeline the attack time point and the corresponding attacker IP address as well as the controlled time point and the corresponding controlled behavior, and handle all log information newly generated after the current moment using the security control strategy.

For the more specific working process of each module and unit in this embodiment, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.

It can be seen that this embodiment provides a security analysis apparatus that can automatically analyze logs based on the security state of a host and automatically mark each stage of a hacker attack along a timeline.

An electronic device provided by an embodiment of the present application is described below. The electronic device described below and the security analysis method and apparatus described above can be referred to each other.

Referring to FIG. 4, an embodiment of the present application discloses an electronic device, comprising:

a memory 401, configured to store a computer program;

a processor 402, configured to execute the computer program to implement the method disclosed in any of the foregoing embodiments.

Referring to FIG. 5, which is a schematic diagram of another electronic device provided in this embodiment: the electronic device may differ considerably depending on configuration or performance, and may include one or more processors (central processing units, CPU) 322 (for example, one or more processors) and a memory 332, and one or more storage media 330 (for example, one or more mass storage devices) storing application programs 342 or data 344. The memory 332 and the storage medium 330 may be transient storage or persistent storage. The program stored in the storage medium 330 may include one or more modules (not shown in the figure), and each module may include a series of instruction operations on the data processing device. Further, the central processing unit 322 may be configured to communicate with the storage medium 330 to execute the series of instruction operations in the storage medium 330 on the electronic device 301.

The electronic device 301 may also include one or more power supplies 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, for example Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.

In FIG. 5, the application program 342 may be a program that executes the security analysis method, and the data 344 may be data required by or produced by executing the security analysis method.

The steps of the security analysis method described above can be implemented by the structure of the electronic device.

A readable storage medium provided by an embodiment of the present application is described below. The readable storage medium described below and the security analysis method, apparatus and device described above can be referred to each other.

A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security analysis method disclosed in the foregoing embodiments. For the specific steps of the method, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.

The terms "first", "second", "third", "fourth" and the like (if present) in this application are used to distinguish similar objects and not necessarily to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described here. Furthermore, the terms "comprising" and "having" and any variants thereof are intended to cover non-exclusive inclusion; for example, a process, method or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units not expressly listed or inherent to such processes, methods or devices.

It should be noted that descriptions involving "first", "second" and the like in this application are for descriptive purposes only and shall not be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may expressly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments may be combined with one another, provided that a person of ordinary skill in the art can implement the combination; where a combination of technical solutions is contradictory or cannot be implemented, the combination shall be deemed not to exist and falls outside the scope of protection claimed by this application.

The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.

The steps of the method or algorithm described in connection with the embodiments disclosed here may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the technical field.

Specific examples have been used here to explain the principles and implementations of this application; the description of the above embodiments is only intended to help understand the method of this application and its core idea. At the same time, a person of ordinary skill in the art, following the idea of this application, will find changes in the specific implementation and scope of application. In summary, the content of this specification should not be understood as limiting this application.

Claims (10)

1. A security analysis method, comprising:
acquiring an alarm log in target equipment;
determining target log information with the harm degree higher than a harm degree threshold value and the alarm certainty factor higher than a certainty factor threshold value in the alarm log, and determining the attacked state of the target equipment based on the target log information;
and analyzing the alarm log by utilizing an analysis strategy corresponding to the attacked state.
2. The security analysis method according to claim 1, wherein the determining, in the alarm log, target log information with a degree of harm higher than a degree of harm threshold and an alarm certainty degree higher than an alarm certainty degree threshold includes:
and determining the hazard degree and the alarm certainty factor of each piece of log information in the alarm log, and selecting the target log information from each piece of log information according to the hazard degree threshold and the certainty factor threshold.
3. The security analysis method of claim 2, further comprising:
selecting log information to be evaluated with alarm certainty factor lower than the certainty factor threshold from all the log information according to the harm degree threshold and the certainty factor threshold;
and if the log information to be evaluated is determined to belong to the false alarm, deleting the log information to be evaluated from the alarm log.
4. The security analysis method of claim 3,
if the alarm frequency of the log information to be evaluated is higher than a frequency threshold value and/or the popularity of the log information to be evaluated is higher than a popularity threshold value, determining that the log information to be evaluated belongs to false alarm; otherwise, determining that the log information to be evaluated does not belong to the false alarm.
5. The security analysis method of claim 3,
and if the log information to be evaluated does not belong to the false alarm, keeping the log information to be evaluated.
6. The security analysis method of claim 1, wherein the determining the attacked state of the target device based on the target log information comprises:
and determining the attacked state based on the access direction, the attack attribute and the attack result of the target log information.
7. The security analysis method according to any one of claims 1 to 6, wherein the analyzing the alarm log by using the analysis policy corresponding to the attacked state includes:
if the attacked state is the attacking state, displaying the log information of which the harm degree is higher than the harm degree threshold value in the alarm log according to a time line;
and/or
if the attacked state is an attack success state, displaying the log information of which the harm degree is higher than the harm degree threshold value in the alarm log according to a time line, marking an attack time point and a corresponding attack IP address in the time line, processing the log information which is newly generated after the current time and of which the harm degree is higher than the harm degree threshold value by using a safety control strategy, and monitoring the log information which is newly generated after the current time and of which the harm degree is lower than the harm degree threshold value;
and/or
and if the attacked state is the controlled state, displaying the alarm log according to a time line, marking an attack time point, a corresponding attack IP address, a controlled time point and a corresponding controlled behavior in the time line, and processing all log information newly generated after the current time by using a security management and control strategy.
8. A security analysis apparatus, comprising:
the acquisition module is used for acquiring an alarm log in the target equipment;
the determining module is used for determining target log information of which the harm degree is higher than a harm degree threshold value and the alarm certainty factor is higher than a certainty factor threshold value in the alarm log, and determining the attacked state of the target equipment based on the target log information;
and the analysis module is used for analyzing the alarm log by utilizing an analysis strategy corresponding to the attacked state.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the security analysis method of any one of claims 1 to 7.
10. A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security analysis method of any one of claims 1 to 7.
CN202111615320.4A 2021-12-27 2021-12-27 A security analysis method, apparatus, device and readable storage medium Pending CN114329451A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111615320.4A CN114329451A (en) 2021-12-27 2021-12-27 A security analysis method, apparatus, device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111615320.4A CN114329451A (en) 2021-12-27 2021-12-27 A security analysis method, apparatus, device and readable storage medium

Publications (1)

Publication Number Publication Date
CN114329451A true CN114329451A (en) 2022-04-12

Family

ID=81013575

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111615320.4A Pending CN114329451A (en) 2021-12-27 2021-12-27 A security analysis method, apparatus, device and readable storage medium

Country Status (1)

Country Link
CN (1) CN114329451A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination