CN114329451A - Security analysis method, device, equipment and readable storage medium - Google Patents
- Publication number: CN114329451A (application CN202111615320.4A)
- Authority: CN (China)
- Legal status: Pending
Abstract
The application discloses a security analysis method, a security analysis device, security analysis equipment and a readable storage medium. Based on the target log information in the alarm log whose harm degree is higher than the harm degree threshold value and whose alarm certainty factor is higher than the certainty factor threshold value, the attacked state of the equipment is determined; the alarm log is then analyzed using the analysis strategy corresponding to that attacked state, so that the alarm log can be analyzed in a targeted manner under different analysis strategies. For example: when the equipment is in an attacked state, the alarm log generated at the current moment is analyzed with emphasis; when the equipment is in a controlled state, the alarm information at the current moment, before it and after it is analyzed with emphasis, so that the current attack event is accurately analyzed based on the alarm log and both analysis efficiency and accuracy can be improved. Accordingly, the security analysis device, equipment and readable storage medium provided by the application have the same technical effects.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a security analysis method, apparatus, device, and readable storage medium.
Background
Currently, an alarm log may be analyzed using association analysis rules. For example, an association rule A-B-C is established; when events A, B and C occur in sequence within a period of time, the sequence is considered an accurate attack event, A, B and C are accurate alarms, and the hacker's attack process is A-B-C.
However, association analysis requires a large number of association rules to be built into the device in advance, so security analysts must analyze attack events that have already occurred in order to determine those rules. Attack methods are complex and change constantly, so an association rule determined from historical attack events may well not fit a new attack event, and a large number of false alarms are introduced because the logs to be associated include logs with low certainty factors.
Therefore, how to analyze attack events more accurately based on the alarm log is a problem to be solved by those skilled in the art.
Disclosure of Invention
In view of the above, an object of the present application is to provide a security analysis method, apparatus, device and readable storage medium, so as to more accurately analyze an attack event based on an alarm log. The specific scheme is as follows:
In a first aspect, the present application provides a security analysis method, including:
acquiring an alarm log in target equipment;
determining target log information with the harm degree higher than a harm degree threshold value and the alarm certainty factor higher than a certainty factor threshold value in the alarm log, and determining the attacked state of the target equipment based on the target log information;
and analyzing the alarm log by utilizing an analysis strategy corresponding to the attacked state.
Preferably, the determining, in the alarm log, the target log information whose degree of damage is higher than the threshold of degree of damage and whose alarm certainty factor is higher than the threshold of alarm certainty factor includes:
and determining the hazard degree and the alarm certainty factor of each piece of log information in the alarm log, and selecting the target log information from each piece of log information according to the hazard degree threshold and the certainty factor threshold.
Preferably, the method further comprises the following steps:
selecting log information to be evaluated with alarm certainty factor lower than the certainty factor threshold from all the log information according to the harm degree threshold and the certainty factor threshold;
and if the log information to be evaluated is determined to belong to the false alarm, deleting the log information to be evaluated from the alarm log.
Preferably, if the alarm frequency of the log information to be evaluated is higher than a frequency threshold value, and/or the popularity of the log information to be evaluated is higher than a popularity threshold value, determining that the log information to be evaluated belongs to a false alarm; otherwise, determining that the log information to be evaluated does not belong to the false alarm.
Preferably, if it is determined that the log information to be evaluated does not belong to the false alarm, the log information to be evaluated is retained.
Preferably, the determining the attacked state of the target device based on the target log information includes:
and determining the attacked state based on the access direction, the attack attribute and the attack result of the target log information.
Preferably, the analyzing the alarm log by using an analysis policy corresponding to the attacked state includes:
if the attacked state is the attacking state, displaying the log information of which the harm degree is higher than the harm degree threshold value in the alarm log according to a time line;
and/or
If the attacked state is an attack success state, displaying the log information of which the harm degree is higher than the harm degree threshold value in the alarm log according to a time line, marking an attack time point and a corresponding attack IP address in the time line, processing the log information which is newly generated after the current time and of which the harm degree is higher than the harm degree threshold value by using a safety control strategy, and monitoring the log information which is newly generated after the current time and of which the harm degree is lower than the harm degree threshold value;
and/or
And if the attacked state is the controlled state, displaying the alarm log according to a time line, marking an attack time point, a corresponding attack IP address, a controlled time point and a corresponding controlled behavior in the time line, and processing all log information newly generated after the current time by using a security management and control strategy.
In a second aspect, the present application provides a security analysis device comprising:
the acquisition module is used for acquiring an alarm log in the target equipment;
the determining module is used for determining target log information of which the harm degree is higher than a harm degree threshold value and the alarm certainty factor is higher than a certainty factor threshold value in the alarm log, and determining the attacked state of the target equipment based on the target log information;
and the analysis module is used for analyzing the alarm log by utilizing an analysis strategy corresponding to the attacked state.
In a third aspect, the present application provides an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the security analysis method disclosed in the foregoing.
In a fourth aspect, the present application provides a readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security analysis method disclosed above.
According to the scheme, the application provides a safety analysis method, which comprises the following steps: acquiring an alarm log in target equipment; determining target log information with the harm degree higher than a harm degree threshold value and the alarm certainty factor higher than a certainty factor threshold value in the alarm log, and determining the attacked state of the target equipment based on the target log information; and analyzing the alarm log by utilizing an analysis strategy corresponding to the attacked state.
Therefore, the method and the device determine the attacked state of the equipment based on the target log information of which the harm degree is higher than the harm degree threshold value and the alarm certainty degree is higher than the certainty degree threshold value in the alarm log, and then analyze the alarm log by using the analysis strategy corresponding to the attacked state, so that the alarm log can be analyzed in a targeted manner according to different analysis strategies. For example: when the equipment is in an attacked state, performing key analysis on an alarm log generated at the current moment; or, when the device is in a controlled state, the alarm information at the current time, before the current time and after the current time is mainly analyzed, so that the current attack event is accurately analyzed based on the alarm log without associating with the historical attack event, and the analysis efficiency and accuracy can be improved.
Accordingly, the security analysis device, the equipment and the readable storage medium provided by the application have the same technical effects.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flow chart of a security analysis method disclosed herein;
FIG. 2 is a flow diagram of another security analysis method disclosed herein;
FIG. 3 is a schematic view of a security analysis device disclosed herein;
FIG. 4 is a schematic diagram of an electronic device disclosed herein;
FIG. 5 is a schematic view of another electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Currently, association analysis rules require a large number of association rules to be built in the device in advance, and therefore security analysts are required to analyze the attack events that have occurred to determine the association rules. The attack method is complex and changeable, so that the association rule determined based on the historical attack event is probably not suitable for the new attack event, and a large amount of false alarms are introduced because logs with low certainty degrees exist in the logs to be associated. Therefore, the security analysis scheme is provided, and the attack event can be accurately analyzed based on the alarm log.
Referring to fig. 1, an embodiment of the present application discloses a security analysis method, including:
s101, acquiring an alarm log in the target equipment.
In this embodiment, the target device may be a server, a terminal, a gateway, or the like. Each piece of log information in the alarm log can be marked with a harm degree and a certainty factor; the mark is generated automatically from a preset marking rule when the log information is generated. For example, if the preset marking rule states that vulnerability exploitation behaviour is high harm and high certainty, the log information about vulnerability exploitation behaviour is marked as high harm and high certainty. The harm degree and certainty factor may also be expressed as a score, for example a value between 0 and 1.
S102, determining target log information with the harm degree higher than a harm degree threshold value and the alarm certainty factor higher than a certainty factor threshold value in the alarm log, and determining the attacked state of the target equipment based on the target log information.
The harm degree threshold and the certainty factor threshold can be set flexibly. Assuming the harm degree and certainty factor take values in 0-1, both the harm degree threshold and the certainty factor threshold can be set to 0.6. The target log information whose harm degree is higher than the harm degree threshold and whose alarm certainty factor is higher than the certainty factor threshold is then the log information with a harm degree higher than 0.6 and an alarm certainty factor higher than 0.6.
Since the harm degree of the target log information is higher than the harm degree threshold and its alarm certainty factor is higher than the certainty factor threshold, the probability that an attack event is recorded in the target log information is considered extremely high, and the attacked state of the device can be determined from it. The attacked state may be: under attack, successfully attacked, controlled, and so on.
In general, it can be determined whether a device is under attack, has been successfully attacked, or has been controlled based on the access direction, attack attributes, and attack results. Therefore, in a specific embodiment, determining the attacked state of the target device based on the target log information includes: and determining the attacked state based on the access direction, the attack attribute and the attack result of the target log information.
The access direction can be determined from directional access information such as the source IP and destination IP. The access direction indicates whether the current equipment actively initiates the access or passively receives it and, distinguishing the internal network from the external network, can be divided into inside-to-outside access, outside-to-inside access and inside-to-inside access.
Attack attributes can be divided into an attack class and a control class. Attack class: other devices attack the current device. Control class: other devices control the current device to attack a third device.
The attack result may be: under attack, successfully attacked, and/or controlled, etc. Since an attack event may occur again after the device has been attacked, the attacked state of the device is not necessarily unique.
S103, analyzing the alarm log by utilizing the analysis strategy corresponding to the attacked state.
In this embodiment, after the attacked state of the device is determined based on the target log information in the alarm log, in which the harm degree is higher than the harm degree threshold and the alarm certainty degree is higher than the certainty degree threshold, the alarm log is analyzed by using the analysis strategy corresponding to the attacked state, so that the alarm log can be analyzed in a targeted manner according to different analysis strategies.
For example: when the equipment is in an attacked state, performing key analysis on an alarm log generated at the current moment; or, when the device is in a controlled state, the alarm information at the current time, before the current time and after the current time is mainly analyzed, so that the current attack event is accurately analyzed based on the alarm log without associating with the historical attack event, and the analysis efficiency and accuracy can be improved.
Based on the foregoing embodiment, it should be noted that, in a specific implementation manner, determining, in an alarm log, target log information whose hazard level is higher than a hazard level threshold and whose alarm certainty level is higher than an alarm certainty level threshold includes: determining the hazard degree and the alarm certainty factor of each piece of log information in the alarm log, and selecting target log information from each piece of log information according to a hazard degree threshold and a certainty factor threshold, namely: and selecting log information with the hazard degree higher than a hazard degree threshold value and the alarm certainty factor higher than an alarm certainty factor threshold value.
Because each piece of log information is marked with the degree of harm and the certainty factor, the log information to be evaluated with the alarm certainty factor lower than the certainty factor threshold value can be selected from the log information according to the degree of harm threshold value and the certainty factor threshold value.
And if the log information to be evaluated is determined to belong to the false alarm, deleting the log information to be evaluated from the alarm log so as to remove the false information in the alarm log, reduce the data volume of the alarm log and provide favorable conditions for subsequent analysis.
If the log information to be evaluated is determined not to belong to the false alarm, the log information to be evaluated is reserved so as to keep the comprehensiveness of the alarm information and improve the accuracy of the alarm log. Meanwhile, the log information to be evaluated, which does not belong to the false alarm, can also indicate the state that the equipment is being attacked and controlled, and the state is recorded together with the state determined based on the target log information.
If the alarm frequency of the log information to be evaluated is higher than a frequency threshold and/or its popularity is higher than a popularity threshold, the log information to be evaluated is determined to be a false alarm; otherwise it is determined not to be a false alarm. Attack events are generally sporadic, whereas the normal services running on the equipment generate alarms continuously and widely, so if the alarm frequency is higher than the frequency threshold and/or the popularity is higher than the popularity threshold, the log information most likely belongs to a service false alarm and can therefore be judged a false alarm.
Based on the foregoing embodiments, it should be noted that, in a specific implementation, analyzing an alarm log by using an analysis policy corresponding to an attacked state includes: if the attacked state is the attacking state, displaying the log information of which the harm degree is higher than the harm degree threshold value in the alarm log according to a time line; and/or if the attacked state is an attack success state, displaying the log information of which the harm degree is higher than the harm degree threshold value in the alarm log according to a time line, marking an attack time point and a corresponding attack IP address in the time line, processing the newly generated log information of which the harm degree is higher than the harm degree threshold value after the current moment by using a safety control strategy, and monitoring the newly generated log information of which the harm degree is lower than the harm degree threshold value after the current moment; and/or if the attacked state is the controlled state, displaying the alarm log according to a time line, marking an attack time point, a corresponding attack IP address, a controlled time point and a corresponding controlled behavior in the time line, and processing all log information newly generated after the current time by using a security management and control strategy.
Because the attacked state of the equipment is determined from the log information in the alarm log with a high harm degree and a high alarm certainty factor, once the attacked state has been determined it follows that an attack event is recorded in the alarm log.
Therefore, if the equipment is under attack, information about the attack is recorded in the alarm log and the high-harm alarms in it are highly dangerous, so the log information whose harm degree is higher than the harm degree threshold is displayed on a timeline, which lets technicians conveniently look up important information such as the time the attack event was initiated.
If the equipment has been successfully attacked, important information such as the time the attack event was initiated and the time point at which the current equipment was compromised is recorded in the alarm log, and the equipment is likely to be subjected to further high-harm operations. Therefore the log information whose harm degree is higher than the harm degree threshold is displayed on a timeline, the attack time point and the corresponding attack IP address are marked on it, the newly generated log information after the current time whose harm degree is higher than the threshold is processed with the security control strategy, and the newly generated log information whose harm degree is lower than the threshold is monitored, so that harmful operations on the equipment are dealt with in time, for example by preventing the installation of unknown software or the deletion of important files. Because the device has already been attacked successfully at this point, attention must be paid to every newly generated alarm.
If the device is already in the controlled state, important information such as the attack event initiation time, the time point at which the current device was compromised, and the behaviour and time points at which it attacked other devices are recorded in the alarm log, and the device is likely to continue other high-risk operations. Since the device is now under malicious control, every newly generated alarm can be a significant threat.
For the successfully attacked and controlled states, the thresholds of the various alarms can be adjusted so that the equipment is more sensitive to alarms and has a lower alarm tolerance, focusing its attention on every alarm.
In the following embodiment, the method provided by the present application is applied to a network security detection device (e.g., a gateway); referring to fig. 2, the specific implementation process includes:
1. The network security detection equipment divides the security alarm log of a certain host in the intranet into four classes according to harm degree and certainty factor:
Class A log: high harm and high certainty factor;
Class B log: high harm and low certainty factor;
Class C log: low harm and high certainty factor;
Class D log: low harm and low certainty factor.
2. When the detection time point is reached, the class B and class D logs are checked.
Because class B and D logs have low certainty factors, they may contain a large number of false positives. The occurrence frequency, access relation and similar features of the class B and D logs are analyzed to determine whether they are alarms triggered by hacker attacks or false alarms triggered by service access.
1) A time-series identification algorithm is used to judge whether the logs occur sporadically or continuously. Hacking events are strongly sporadic, while service access is strongly continuous. Therefore, if a log is sporadic it is regarded as an alarm caused by a hacking event and not a false alarm; if the log is generated continuously it is regarded as a false alarm triggered by service access.
2) An access-relation identification algorithm is used to judge whether the logs are generated by a large number of devices or only a few. Service access typically consists of a large number of hosts accessing one server, so a many-to-one pattern raises the probability that the alarm is a false alarm. Hacking events are sporadic, so when only a few devices are involved the alarm can be attributed to a hacking event; at that point the access relation is also used to determine whether the access is inside-to-outside, outside-to-inside or inside-to-inside.
If a log is a false alarm, the related log is deleted. If a true attack is determined, the related log is retained.
3. For class A logs, the security state of the host (under attack, successfully attacked, or controlled) is determined by combining the access direction (outside-to-inside attack, inside-to-inside access, inside-to-outside access), the attack attribute (attack class or remote-control class) and the attack result.
4. The alarm log analysis strategy for the host is determined according to its security state.
(1) If the host is under attack, meaning it is not currently controlled by a hacker but an attack event exists, the class A and B logs before the current time point can be aggregated by attack attribute and attacker IP and shown on a timeline in the order the alarms occurred.
(2) If the host is in the successfully attacked state, it is about to be controlled by a hacker. The alarm log at the moment of the successful attack is highlighted, the class A and B logs before that moment are aggregated by attack attribute and attacker IP and displayed on a timeline in the order the alarms occurred, and the alarm log corresponding to the IP whose attack succeeded is highlighted. Class A and B alarm logs after that moment need to be responded to and handled in time, for example by promptly blocking the associated dangerous operations. The class C and D attack logs in the intranet at this time are also monitored and analyzed with emphasis.
(3) If the host is already in the controlled (compromised) state, the class A, B, C and D logs before that moment need to be aggregated by attack attribute and attacker IP and displayed on a timeline of alarm occurrence, so that the time point at which the host was attacked, the time point at which it was taken under control and the host's behaviour are identified in detail. At the same time, all alarm logs subsequently sent outward by the controlled host are monitored and analyzed with emphasis.
5. Steps 2, 3 and 4 are performed every 5 minutes to detect the host in real time.
Thus the security state of the host can be computed in real time, the log is analyzed automatically based on that state, and every stage of the hacker attack is marked automatically along the timeline.
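The four-class split, the frequency/popularity false-alarm filter of step 2, the state determination of step 3 and the per-state timeline strategy of step 4 (which together realise the S102/S103 selection described earlier), as one added Python example written for this page and not taken from the patent. The record field names, the intranet prefix and the frequency and popularity thresholds are assumptions; the alarm records are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

HARM_THR = 0.6        # harm-degree threshold given in the description
CERT_THR = 0.6        # certainty-factor threshold given in the description
FREQ_THR = 5          # assumed frequency threshold for the false-alarm check
POP_THR = 3           # assumed popularity (distinct source hosts) threshold
INTRANET = "10.0."    # assumed intranet prefix used for the access direction
STATE_RANK = {"none": 0, "under_attack": 1, "attack_success": 2, "controlled": 3}


@dataclass
class Alarm:
    ts: int        # constructed timestamp (seconds)
    sig: str       # alarm signature; doubles as the "behaviour" shown on the timeline
    src: str
    dst: str
    harm: float    # harm degree in 0..1, marked when the log was generated
    cert: float    # certainty factor in 0..1, marked when the log was generated
    attr: str      # "attack": others attack this host; "control": host used against a third party
    result: str    # "under_attack", "attack_success" or "controlled"


def log_class(a):
    """Step 1: A = high harm/high certainty, B = high/low, C = low/high, D = low/low."""
    key = (a.harm > HARM_THR, a.cert > CERT_THR)
    return {(True, True): "A", (True, False): "B", (False, True): "C", (False, False): "D"}[key]


def direction(a):
    """Access direction from intranet membership of source and destination."""
    key = (a.src.startswith(INTRANET), a.dst.startswith(INTRANET))
    return {(True, False): "inside-out", (False, True): "outside-in",
            (True, True): "inside-in"}.get(key, "outside-out")


def drop_false_alarms(alarms):
    """Step 2: low-certainty (B/D) logs that recur often or come from many hosts
    look like continuous, many-to-one service access and are deleted."""
    low = [a for a in alarms if log_class(a) in "BD"]
    freq = Counter(a.sig for a in low)
    sources = defaultdict(set)
    for a in low:
        sources[a.sig].add(a.src)
    return [a for a in alarms
            if log_class(a) not in "BD"
            or (freq[a.sig] <= FREQ_THR and len(sources[a.sig]) <= POP_THR)]


def attacked_state(alarms):
    """Step 3: host state from class A logs via direction, attribute and result;
    the state need not be unique, so the most severe one is reported."""
    state = "none"
    for a in alarms:
        if log_class(a) != "A":
            continue
        if a.attr == "control" and direction(a) == "inside-out":
            cand = "controlled"
        elif a.attr == "attack" and direction(a) in ("outside-in", "inside-in"):
            cand = a.result
        else:
            continue
        if STATE_RANK.get(cand, 0) > STATE_RANK[state]:
            state = cand
    return state


def analyse(alarms):
    """Step 4: choose the timeline strategy for the state, aggregate the shown
    logs by (attack attribute, attacker IP) and mark the key time points."""
    kept = drop_false_alarms(alarms)
    state = attacked_state(kept)
    shown = {"under_attack": "AB", "attack_success": "AB", "controlled": "ABCD"}.get(state, "")
    timeline = sorted((a for a in kept if log_class(a) in shown), key=lambda a: a.ts)
    groups, marks = defaultdict(list), {}
    for a in timeline:
        groups[(a.attr, a.src)].append(a.sig)
        if a.result == "attack_success" and "attack_time" not in marks:
            marks["attack_time"], marks["attacker_ip"] = a.ts, a.src
        if a.result == "controlled" and "controlled_time" not in marks:
            marks["controlled_time"], marks["controlled_behaviour"] = a.ts, a.sig
    new_alarm_policy = {"attack_success": "control high-harm, monitor low-harm",
                        "controlled": "control all"}.get(state, "none")
    return {"state": state, "timeline": timeline, "groups": dict(groups),
            "marks": marks, "new_alarm_policy": new_alarm_policy}


# Constructed records: six low-certainty health-check alarms (service noise from
# four hosts), one low-harm scan, one high-harm/low-certainty upload, then an
# outside-in attack chain ending with the host beaconing outward.
SAMPLE = [Alarm(i, "http_health_check", f"10.0.1.{5 + i % 4}", "10.0.2.2", 0.2, 0.3,
                "attack", "under_attack") for i in range(6)] + [
    Alarm(90, "port_scan_low", "10.0.3.3", "10.0.2.2", 0.3, 0.8, "attack", "under_attack"),
    Alarm(100, "webshell_upload", "203.0.113.9", "10.0.2.2", 0.9, 0.5, "attack", "under_attack"),
    Alarm(120, "sql_injection", "203.0.113.9", "10.0.2.2", 0.9, 0.9, "attack", "under_attack"),
    Alarm(150, "rce_success", "203.0.113.9", "10.0.2.2", 0.95, 0.9, "attack", "attack_success"),
    Alarm(200, "c2_beacon", "10.0.2.2", "198.51.100.7", 0.9, 0.8, "control", "controlled"),
]

if __name__ == "__main__":
    r = analyse(SAMPLE)
    print(r["state"], [a.sig for a in r["timeline"]], r["marks"], r["new_alarm_policy"])
```

Feeding the first eight, nine or all records shows the strategy change from under-attack to successfully-attacked to controlled as the chain progresses.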
In the following, a security analysis device provided by an embodiment of the present application is introduced, and a security analysis device described below and a security analysis method described above may be referred to each other.
Referring to fig. 3, an embodiment of the present application discloses a security analysis apparatus, including:
an obtaining module 301, configured to obtain an alarm log in a target device;
a determining module 302, configured to determine, in the alarm log, target log information whose harm degree is higher than a harm degree threshold and whose alarm certainty degree is higher than a certainty degree threshold, and determine an attacked state of the target device based on the target log information;
and the analysis module 303 is configured to analyze the alarm log by using an analysis policy corresponding to the attacked state.
In one embodiment, the determining module comprises:
the first selection unit is used for determining the hazard degree and the alarm certainty factor of each piece of log information in the alarm log so as to select target log information from each piece of log information according to the hazard degree threshold and the certainty factor threshold.
In a specific embodiment, the determining module further includes:
the second selection unit is used for selecting the log information to be evaluated with the alarm certainty factor lower than the certainty factor threshold from all the log information according to the hazard degree threshold and the certainty factor threshold;
and the deleting unit is used for deleting the log information to be evaluated from the alarm log if the log information to be evaluated is determined to belong to the false alarm.
In a specific embodiment, the deleting unit is specifically configured to:
if the alarm frequency of the log information to be evaluated is higher than a frequency threshold value and/or the popularity of the log information to be evaluated is higher than a popularity threshold value, determining that the log information to be evaluated belongs to false alarm; otherwise, determining that the log information to be evaluated does not belong to the false alarm.
In a specific embodiment, the determining module further includes:
and the reservation unit is used for reserving the log information to be evaluated if the log information to be evaluated does not belong to the false alarm.
In a specific embodiment, the determining module is specifically configured to:
and determining the attacked state based on the access direction, the attack attribute and the attack result of the target log information.
In one embodiment, the analysis module is specifically configured to:
if the attacked state is the attacking state, displaying the log information of which the harm degree is higher than the harm degree threshold value in the alarm log according to a time line;
and/or
If the attacked state is the attack success state, displaying the log information of which the harm degree is higher than the harm degree threshold value in the alarm log according to a time line, marking an attack time point and a corresponding attack IP address in the time line, processing the log information which is newly generated after the current time and of which the harm degree is higher than the harm degree threshold value by using a safety control strategy, and monitoring the log information which is newly generated after the current time and of which the harm degree is lower than the harm degree threshold value;
and/or
And if the attacked state is the controlled state, displaying the alarm log according to a time line, marking an attack time point, a corresponding attack IP address, a controlled time point and a corresponding controlled behavior in the time line, and processing all log information newly generated after the current time by using a security management and control strategy.
For more specific working processes of each module and unit in this embodiment, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not described here again.
This embodiment therefore provides a security analysis apparatus that analyzes the log automatically based on the security status of the host and automatically labels each stage of an attack on a timeline.
An electronic device provided by an embodiment of the present application is described below; the electronic device described below and the security analysis method and apparatus described above may be cross-referenced.
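As an added illustration of the determining and analysis modules described above (example code written for this page, not the patent's own implementation), the following Python sketch runs the false-alarm filter, selects the target log information, maps access direction, attack attribute and attack result onto the three attacked states, and applies the per-state analysis strategy. The thresholds, the alarm field names, the state mapping rules and the sample alarm log are all constructed assumptions, not values taken from the patent.

```python
from collections import Counter

# Thresholds are assumed values chosen for this example, not taken from the patent.
HARM_T, CERT_T, FREQ_T, POP_T = 7, 0.8, 3, 0.9

# Constructed sample alarm log (not real data); NOW stands for the current time.
FIELDS = ("ts", "ip", "harm", "certainty", "direction", "attribute", "result", "popularity")
NOW = 100
LOG = [dict(zip(FIELDS, row)) for row in [
    (10, "192.0.2.10", 3, 0.5, "inbound", "scan", "failed", 0.95),      # popular, low certainty
    (20, "192.0.2.10", 9, 0.9, "inbound", "exploit", "failed", 0.1),
    (60, "192.0.2.10", 9, 0.95, "inbound", "exploit", "success", 0.1),
    (90, "203.0.113.5", 8, 0.9, "outbound", "beacon", "success", 0.0),
    (120, "203.0.113.5", 9, 0.7, "outbound", "exfil", "success", 0.0),  # after NOW
    (130, "192.0.2.10", 2, 0.6, "inbound", "scan", "failed", 0.1),      # after NOW, low harm
]]

def triage(log):
    """Target alarms (harm and certainty above threshold) and the log minus false alarms."""
    freq = Counter(a["attribute"] for a in log)  # alarm frequency, counted per attack attribute
    def false_alarm(a):  # only alarms below the certainty threshold are evaluated
        return a["certainty"] < CERT_T and (freq[a["attribute"]] > FREQ_T or a["popularity"] > POP_T)
    kept = [a for a in log if not false_alarm(a)]  # false alarms are deleted, the rest retained
    targets = [a for a in kept if a["harm"] > HARM_T and a["certainty"] > CERT_T]
    return targets, kept

def attacked_state(targets):
    """Assumed mapping of direction, attribute and result onto the patent's three states."""
    if any(t["direction"] == "outbound" and t["attribute"] == "beacon" for t in targets):
        return "controlled"  # the host now initiates traffic towards the attacker
    if any(t["result"] == "success" for t in targets):
        return "attack success"
    return "attacking" if targets else None

def analyse(state, kept, now):
    """Timeline plus the newly generated alarms to control or to monitor, per strategy."""
    by_time = sorted(kept, key=lambda a: a["ts"])
    high = [a for a in by_time if a["harm"] > HARM_T]
    new = [a for a in by_time if a["ts"] > now]
    out = {"timeline": high, "marks": [], "control": [], "monitor": []}  # attacking state
    if state == "attack success":
        out["marks"] = [(a["ts"], a["ip"]) for a in high if a["result"] == "success"]
        out["control"] = [a for a in new if a["harm"] > HARM_T]
        out["monitor"] = [a for a in new if a["harm"] < HARM_T]
    elif state == "controlled":
        out["timeline"] = by_time  # the whole alarm log goes on the timeline
        out["marks"] = [(a["ts"], a["ip"], a["attribute"]) for a in by_time
                        if a["result"] == "success" or a["attribute"] == "beacon"]
        out["control"] = new  # every newly generated alarm goes to the control policy
    return out
```

With the sample log, the popular low-certainty scan is dropped as a false alarm, the outbound beacon puts the host in the controlled state, and both alarms after NOW are handed to the control policy.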
Referring to fig. 4, an embodiment of the present application discloses an electronic device, including:
a memory 401 for storing a computer program;
a processor 402 for executing the computer program to implement the method disclosed in any of the embodiments described above.
Referring to fig. 5, fig. 5 is a schematic diagram of another electronic device provided in this embodiment. Its configuration and performance may vary considerably; it may include one or more processors (CPUs) 322 and a memory 332, and one or more storage media 330 (e.g., one or more mass storage devices) storing an application 342 or data 344. Memory 332 and storage media 330 may be transient storage or persistent storage. The program stored on the storage medium 330 may include one or more modules (not shown), each of which may include a series of instructions operating on a data processing device. Further, the central processor 322 may be configured to communicate with the storage medium 330 to execute the series of instruction operations in the storage medium 330 on the electronic device 301.
The electronic device 301 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input/output interfaces 358, and/or one or more operating systems 341, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
In fig. 5, the application 342 may be a program that performs a security analysis method, and the data 344 may be data required or generated to perform the security analysis method.
The steps in the security analysis method described above may be implemented by the structure of the electronic device.
A readable storage medium provided in the embodiments of the present application is described below; the readable storage medium described below and the security analysis method, apparatus and device described above may be cross-referenced.
A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security analysis method disclosed in the foregoing embodiments. For the specific steps of the method, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
References in this application to "first," "second," "third," "fourth," etc., if any, are intended to distinguish between similar elements and not necessarily to describe a particular order or sequence. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprises" and "comprising," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, or apparatus.
It should be noted that the descriptions in this application referring to "first", "second", etc. are for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present application.
The embodiments are described in a progressive manner, each embodiment focuses on its differences from the other embodiments, and the same or similar parts among the embodiments may be cross-referenced.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of readable storage medium known in the art.
The principle and the implementation of the present application are explained herein by applying specific examples, and the above description of the embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.
Claims (10)
1. A security analysis method, comprising:
acquiring an alarm log from a target device;
determining, in the alarm log, target log information whose harm degree is higher than a harm degree threshold and whose alarm certainty factor is higher than a certainty factor threshold, and determining the attacked state of the target device based on the target log information; and
analyzing the alarm log using an analysis policy corresponding to the attacked state.
2. The security analysis method according to claim 1, wherein determining, in the alarm log, target log information whose harm degree is higher than a harm degree threshold and whose alarm certainty factor is higher than a certainty factor threshold includes:
determining the harm degree and the alarm certainty factor of each piece of log information in the alarm log, and selecting the target log information from the pieces of log information according to the harm degree threshold and the certainty factor threshold.
3. The security analysis method of claim 2, further comprising:
selecting, from the pieces of log information, log information to be evaluated whose alarm certainty factor is lower than the certainty factor threshold, according to the harm degree threshold and the certainty factor threshold; and
if the log information to be evaluated is determined to be a false alarm, deleting the log information to be evaluated from the alarm log.
4. The security analysis method of claim 3, wherein:
if the alarm frequency of the log information to be evaluated is higher than a frequency threshold and/or its popularity is higher than a popularity threshold, determining that the log information to be evaluated is a false alarm; otherwise, determining that it is not a false alarm.
5. The security analysis method of claim 3, wherein:
if the log information to be evaluated is not a false alarm, retaining the log information to be evaluated.
6. The security analysis method of claim 1, wherein determining the attacked state of the target device based on the target log information comprises:
determining the attacked state based on the access direction, the attack attribute and the attack result of the target log information.
7. The security analysis method according to any one of claims 1 to 6, wherein analyzing the alarm log using the analysis policy corresponding to the attacked state includes:
if the attacked state is the attacking state, displaying on a timeline the log information in the alarm log whose harm degree is higher than the harm degree threshold;
and/or
if the attacked state is the attack success state, displaying on a timeline the log information in the alarm log whose harm degree is higher than the harm degree threshold, marking the attack time point and the corresponding attack IP address on the timeline, processing the log information newly generated after the current time whose harm degree is higher than the harm degree threshold using a security management and control policy, and monitoring the log information newly generated after the current time whose harm degree is lower than the harm degree threshold;
and/or
if the attacked state is the controlled state, displaying the whole alarm log on a timeline, marking the attack time point, the corresponding attack IP address, the controlled time point and the corresponding controlled behavior on the timeline, and processing all log information newly generated after the current time using a security management and control policy.
8. A security analysis apparatus, comprising:
an acquisition module, configured to acquire an alarm log from a target device;
a determining module, configured to determine, in the alarm log, target log information whose harm degree is higher than a harm degree threshold and whose alarm certainty factor is higher than a certainty factor threshold, and to determine the attacked state of the target device based on the target log information; and
an analysis module, configured to analyze the alarm log using an analysis policy corresponding to the attacked state.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the security analysis method of any one of claims 1 to 7.
10. A readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the security analysis method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111615320.4A CN114329451A (en) | 2021-12-27 | 2021-12-27 | Security analysis method, device, equipment and readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114329451A true CN114329451A (en) | 2022-04-12 |
Family
ID=81013575
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111615320.4A Pending CN114329451A (en) | 2021-12-27 | 2021-12-27 | Security analysis method, device, equipment and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114329451A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115412363A (en) * | 2022-09-13 | 2022-11-29 | 杭州迪普科技股份有限公司 | Abnormal flow log processing method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||