CN113965356A - Security event analysis method, device, equipment and machine-readable storage medium - Google Patents
- Publication number: CN113965356A (application number CN202111142145.1A)
- Authority: CN (China)
- Prior art keywords: address, value, victim, target address, attack
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The present disclosure provides a security event analysis method, apparatus, device and machine-readable storage medium. The method comprises: establishing, for each security event that has occurred, an association between its source address, its destination address and the event; calculating the attack value of a target address, where the attack value of the target address depends on the victim values of the destination addresses of all security events having the target address as source address; calculating the victim value of the target address, where the victim value of the target address depends on the attack values of the source addresses of all security events having the target address as destination address; and setting a checking order for the addresses according to the attack value of each address. In this way the attack value and victim value of the address corresponding to a risk asset are derived from the victim values and attack values of the other addresses associated with it, the addresses corresponding to risk assets are then sorted by this quantifiable number to obtain the order in which the risk assets are checked, and operation and maintenance efficiency is improved.
Description
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method, an apparatus, a device, and a machine-readable storage medium for security event analysis.
Background
A security management platform (including but not limited to situation awareness platforms, SOC and SIEM products) is built on security big data and is used to collect, understand, evaluate and present the factors that can change the network security situation, and to predict future trends. A global view improves the discovery, identification, understanding, analysis and response handling of security threats, and intelligent analysis combined with machine learning and artificial intelligence drives closed-loop decisions of the "security brain" through linked response, so that security capabilities are put into practice.
The security alarms reported to the security management platform are the basis of its analysis; when thousands of alarms are reported, the troubleshooting and disposal workload of security operation and maintenance staff becomes enormous. At present, security operation and maintenance staff check the assets with a higher compromise level by means of qualitative labels on the risk asset, such as its threat level (compromised, highly suspicious, low suspicion, and so on). However, if a large number of risk assets with the same threat level appear, the staff can only investigate and analyse them one by one, and investigation efficiency is low.
Disclosure of Invention
In view of the above, the present disclosure provides a security event analysis method, device, electronic device, and machine-readable storage medium to solve the problem of low efficiency of troubleshooting when there are a large number of risk assets with the same threat level.
The specific technical scheme is as follows:
The present disclosure provides a security event analysis method applied to a network security device. The method includes: establishing, for each security event that has occurred, an association between its source address, its destination address and the event, where the source address acts as the attacker and carries an attack value and the destination address acts as the victim and carries a victim value; calculating the attack value of a target address, which depends on the victim values of the destination addresses of all security events having the target address as source address; calculating the victim value of the target address, which depends on the attack values of the source addresses of all security events having the target address as destination address; and setting a checking order for the addresses according to the attack value of each address.
As a technical solution, addresses with the same attack value are given a checking order according to their associated victim values.
As a technical solution, calculating the attack value of a target address (which depends on the victim values of the destination addresses of all security events having the target address as source address) and calculating its victim value (which depends on the attack values of the source addresses of all security events having the target address as destination address) includes: in each iteration, recalculating the attack value from the updated associated victim values and recalculating the victim value from the updated associated attack values, and stopping the iteration once the number of iterations reaches a preset number.
As a technical solution, establishing the association between source address, destination address and event (where the source address is the attacker with an attack value and the destination address is the victim with a victim value) includes establishing, for each security event that has occurred, an association between the source address, the destination address and an event weight; calculating the attack value of the target address then means that the attack value depends on the victim values of the destination addresses of all security events having the target address as source address together with the weights of those events; and calculating the victim value of the target address means that the victim value depends on the attack values of the source addresses of all security events having the target address as destination address together with the weights of those events.
The present disclosure also provides a security event analysis apparatus applied to a network security device. The apparatus includes: an association module, which establishes, for each security event that has occurred, an association between its source address, its destination address and the event, where the source address acts as the attacker and carries an attack value and the destination address acts as the victim and carries a victim value; a calculation module, which calculates the attack value of a target address, where the attack value depends on the victim values of the destination addresses of all security events having the target address as source address, and which further calculates the victim value of the target address, where the victim value depends on the attack values of the source addresses of all security events having the target address as destination address; and a sorting module, which sets a checking order for the addresses according to the attack value of each address.
As a technical solution, addresses with the same attack value are given a checking order according to their associated victim values.
As a technical solution, calculating the attack value of a target address (which depends on the victim values of the destination addresses of all security events having the target address as source address) and calculating its victim value (which depends on the attack values of the source addresses of all security events having the target address as destination address) includes: in each iteration, recalculating the attack value from the updated associated victim values and recalculating the victim value from the updated associated attack values, and stopping the iteration once the number of iterations reaches a preset number.
As a technical solution, establishing the association between source address, destination address and event (where the source address is the attacker with an attack value and the destination address is the victim with a victim value) includes establishing, for each security event that has occurred, an association between the source address, the destination address and an event weight; calculating the attack value of the target address then means that the attack value depends on the victim values of the destination addresses of all security events having the target address as source address together with the weights of those events; and calculating the victim value of the target address means that the victim value depends on the attack values of the source addresses of all security events having the target address as destination address together with the weights of those events.
The present disclosure also provides an electronic device including a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor executing the machine-executable instructions to implement the aforementioned security event analysis method.
The present disclosure also provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned security event analysis method.
The technical scheme provided by the disclosure at least brings the following beneficial effects:
Using the address corresponding to a risk asset, its attack value and victim value are obtained from the victim values and attack values of the other addresses associated with it; the addresses corresponding to risk assets are then sorted by this quantifiable number to obtain the troubleshooting order of the risk assets, which improves operation and maintenance efficiency.
Drawings
In order to illustrate the embodiments of the present disclosure or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments are briefly described below. The drawings in the following description show only some embodiments of the present disclosure; those skilled in the art can derive other drawings from them.
FIG. 1 is a flow diagram of a security event analysis method in one embodiment of the present disclosure;
FIG. 2 is a block diagram of a security event analysis device in an embodiment of the present disclosure;
FIG. 3 is a hardware configuration diagram of an electronic device in an embodiment of the present disclosure.
Detailed Description
The terminology used in the embodiments of the present disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information in the embodiments of the present disclosure, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present disclosure. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
The present disclosure provides a security event analysis method, device, electronic device, and machine-readable storage medium, so as to improve the problem of low troubleshooting efficiency when there are a large number of risk assets with the same threat level.
Specifically, the technical scheme is as follows.
In one embodiment, the present disclosure provides a security event analysis method applied to a network security device. The method includes: establishing, for each security event that has occurred, an association between its source address, its destination address and the event, where the source address acts as the attacker and carries an attack value and the destination address acts as the victim and carries a victim value; calculating the attack value of a target address, which depends on the victim values of the destination addresses of all security events having the target address as source address; calculating the victim value of the target address, which depends on the attack values of the source addresses of all security events having the target address as destination address; and setting a checking order for the addresses according to the attack value of each address.
Specifically, as shown in FIG. 1, the method comprises the following steps:
Step S11: according to the security events that have occurred, establish the association between source address, destination address and event, with the source address as the attacker carrying an attack value and the destination address as the victim carrying a victim value.
Step S12: calculate the attack value and the victim value of the target address. The attack value of the target address depends on the victim values of the destination addresses of all security events having the target address as source address, and the victim value of the target address depends on the attack values of the source addresses of all security events having the target address as destination address.
Step S13: set a checking order for the addresses according to the attack value of each address.
Using the address corresponding to a risk asset, its attack value and victim value are obtained from the victim values and attack values of the other addresses associated with it; the addresses corresponding to risk assets are then sorted by this quantifiable number to obtain the troubleshooting order of the risk assets, which improves operation and maintenance efficiency.
In one embodiment, addresses with the same attack value are given a checking order according to their associated victim values.
In one embodiment, calculating the attack value of a target address (which depends on the victim values of the destination addresses of all security events having the target address as source address) and calculating its victim value (which depends on the attack values of the source addresses of all security events having the target address as destination address) includes: in each iteration, recalculating the attack value from the updated associated victim values and recalculating the victim value from the updated associated attack values, and stopping the iteration once the number of iterations reaches a preset number.
In one embodiment, establishing the association between source address, destination address and event (where the source address is the attacker with an attack value and the destination address is the victim with a victim value) includes establishing, for each security event that has occurred, an association between the source address, the destination address and an event weight; calculating the attack value of the target address then means that the attack value depends on the victim values of the destination addresses of all security events having the target address as source address together with the weights of those events; and calculating the victim value of the target address means that the victim value depends on the attack values of the source addresses of all security events having the target address as destination address together with the weights of those events.
In one embodiment, a graph computation engine such as the Spark graph engine adds trusted security events to a graph: the vertices are the source and destination IP addresses, and the edge connecting a source IP to a destination IP carries the event weight. The event weight is derived from the most recent occurrence time of the event, the number of times it occurred and its threat level; other desired attributes may also be added.
Special events that aggregate many individual events into one are represented by replacing the source or destination IP address with a placeholder: the source IP is written as 0.0.0.0 and the destination IP as 255.255.255.255. For a many-to-one aggregate event, such as a DDoS attack from the external network against internal assets, the source IP is denoted 0.0.0.0; for a one-to-many aggregate event, such as a worm propagating across the intranet, the destination IP is denoted 255.255.255.255.
Each vertex (the address of a risk asset) has two attributes: an attack value HUB, derived from the sum of the victim values of all vertices that the address reaches as source address, and a victim value AUT, derived from the sum of the attack values of all vertices that reach the address as destination address. When HUB is computed from AUT, the AUT of each associated destination is multiplied by the weight of the connecting event and the products are summed; when AUT is computed from HUB, the HUB of each associated source is multiplied by the weight of the connecting event and the products are summed. The weight of an event depends on its pre-configured threat level, its number of occurrences and its most recent occurrence time: the higher the threat level, the more occurrences, and the more recent the last occurrence, the larger the weight.
Because a change in the HUB of an address changes the AUT of the addresses associated with it, and the HUB of an address in turn changes with the AUT of its associated addresses, the calculation is iterative. An upper limit on the number of iterations is set, for example 100; under normal conditions every HUB and AUT reaches a steady state before the limit is reached. To prevent the iteration from overfitting, it should also be stopped once the second-highest HUB reaches 40% or more of the highest HUB.
Each address is then sorted by its HUB value, and the risk assets whose addresses rank highest are checked first; where HUB values are equal, a secondary sort by AUT value is applied.
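The three steps S11 to S13, the aggregation placeholders, the weighted HUB/AUT iteration with its stopping rules and the HUB-then-AUT ordering can be seen end to end in the following Python script. It is an added illustration written for this page, not code from the patent or its applicant: the weight formula (linear in threat level, log-damped count, exponential recency decay), the per-iteration scaling by the maximum value, the steady-state test and the sample events are all assumptions and constructed data, chosen only so that the page's stated behaviour can be exercised.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Placeholder addresses the patent uses for aggregated events
ANY_SOURCE = "0.0.0.0"               # many-to-one aggregate, e.g. an external DDoS
ANY_DESTINATION = "255.255.255.255"  # one-to-many aggregate, e.g. worm propagation


@dataclass
class Event:
    src: str
    dst: str
    threat_level: int   # pre-configured threat level, 1 (low) .. 4 (critical)
    count: int          # number of times the event occurred
    age_hours: float    # hours since the most recent occurrence


def event_weight(ev: Event, half_life_hours: float = 24.0) -> float:
    """Weight rises with threat level and occurrence count and falls with age.

    The page only fixes the direction of each factor; this particular formula
    is an assumption made for the example.
    """
    recency = 0.5 ** (ev.age_hours / half_life_hours)
    return ev.threat_level * (1.0 + math.log1p(ev.count)) * recency


def build_graph(events):
    """Step S11: vertices are addresses, edge (src, dst) carries the summed event weight."""
    edges = defaultdict(float)
    for ev in events:
        edges[(ev.src, ev.dst)] += event_weight(ev)
    return dict(edges)


def weighted_hits(edges, max_iter=100, second_ratio=0.4, tol=1e-6):
    """Step S12: iterate HUB (attack value) and AUT (victim value).

    Returns (hub, aut, iterations, stop_reason). Stops at the iteration cap,
    when the second-highest HUB reaches second_ratio of the highest (the
    page's rule), or when the values stop changing (assumed steady-state test).
    """
    if not edges:
        return {}, {}, 0, "empty"
    nodes = sorted({n for edge in edges for n in edge})
    hub = {n: 1.0 for n in nodes}
    aut = {n: 1.0 for n in nodes}
    reason, iterations = "max_iter", 0
    for iterations in range(1, max_iter + 1):
        # AUT of a destination = sum over incoming events of HUB(source) * weight
        new_aut = {n: 0.0 for n in nodes}
        for (s, d), w in edges.items():
            new_aut[d] += hub[s] * w
        # HUB of a source = sum over outgoing events of AUT(destination) * weight
        new_hub = {n: 0.0 for n in nodes}
        for (s, d), w in edges.items():
            new_hub[s] += new_aut[d] * w
        # Scale each vector by its maximum so values stay bounded (assumption;
        # the page does not say how values are kept finite). Ratios are unaffected.
        for vec in (new_aut, new_hub):
            top = max(vec.values())
            if top > 0.0:
                for n in vec:
                    vec[n] /= top
        delta = max(abs(new_hub[n] - hub[n]) for n in nodes)
        delta = max(delta, max(abs(new_aut[n] - aut[n]) for n in nodes))
        hub, aut = new_hub, new_aut
        ranked = sorted(hub.values(), reverse=True)
        if len(ranked) > 1 and ranked[1] >= second_ratio * ranked[0] > 0.0:
            reason = "second_hub_ratio"
            break
        if delta < tol:
            reason = "converged"
            break
    return hub, aut, iterations, reason


def rank_addresses(hub, aut):
    """Step S13: HUB descending, ties broken by AUT descending, then by address."""
    return sorted(hub, key=lambda n: (-hub[n], -aut[n], n))


# Constructed sample: one external attacker hitting two hosts, one of which moves
# laterally, plus an aggregated DDoS and a stale low-severity scan.
SAMPLE_EVENTS = [
    Event("203.0.113.7", "10.0.0.5", threat_level=4, count=20, age_hours=1),
    Event("203.0.113.7", "10.0.0.6", threat_level=3, count=5, age_hours=2),
    Event("10.0.0.5", "10.0.0.9", threat_level=2, count=3, age_hours=5),
    Event(ANY_SOURCE, "10.0.0.8", threat_level=4, count=1000, age_hours=0.5),
    Event("198.51.100.2", "10.0.0.6", threat_level=1, count=1, age_hours=72),
]


def analyse(events):
    """Run the three steps and return (ranking, hub, aut, iterations, reason)."""
    hub, aut, iterations, reason = weighted_hits(build_graph(events))
    return rank_addresses(hub, aut), hub, aut, iterations, reason


if __name__ == "__main__":
    ranking, hub, aut, iterations, reason = analyse(SAMPLE_EVENTS)
    print(f"stopped after {iterations} iteration(s): {reason}")
    for addr in ranking:
        print(f"{addr:16} HUB={hub[addr]:.4f} AUT={aut[addr]:.4f}")
```

On the sample data the aggregated DDoS placeholder 0.0.0.0 dominates the HUB ranking, which is worth noticing: an analyst's queue built this way will put the aggregate pseudo-address first, so the placeholder entries should be mapped back to the underlying aggregate event before they are handed to operations staff. The 40% rule fires immediately on any graph with two comparable attackers (the second call in the test shows this), so in practice the iteration cap and the steady-state test are what bound the computation when one attacker clearly dominates.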
In one embodiment, the present disclosure also provides a security event analysis apparatus, shown in FIG. 2, applied to a network security device. The apparatus includes: an association module 21, configured to establish, for each security event that has occurred, an association between its source address, its destination address and the event, where the source address acts as the attacker and carries an attack value and the destination address acts as the victim and carries a victim value; a calculation module 22, configured to calculate the attack value of a target address, where the attack value depends on the victim values of the destination addresses of all security events having the target address as source address, and further configured to calculate the victim value of the target address, where the victim value depends on the attack values of the source addresses of all security events having the target address as destination address; and a sorting module 23, configured to set a checking order for the addresses according to the attack value of each address.
In one embodiment, addresses with the same attack value are given a checking order according to their associated victim values.
In one embodiment, calculating the attack value of a target address (which depends on the victim values of the destination addresses of all security events having the target address as source address) and calculating its victim value (which depends on the attack values of the source addresses of all security events having the target address as destination address) includes: in each iteration, recalculating the attack value from the updated associated victim values and recalculating the victim value from the updated associated attack values, and stopping the iteration once the number of iterations reaches a preset number.
In one embodiment, establishing the association between source address, destination address and event (where the source address is the attacker with an attack value and the destination address is the victim with a victim value) includes establishing, for each security event that has occurred, an association between the source address, the destination address and an event weight; calculating the attack value of the target address then means that the attack value depends on the victim values of the destination addresses of all security events having the target address as source address together with the weights of those events; and calculating the victim value of the target address means that the victim value depends on the attack values of the source addresses of all security events having the target address as destination address together with the weights of those events.
The device embodiments are the same or similar to the corresponding method embodiments and are not described herein again.
In one embodiment, the present disclosure provides an electronic device including a processor and a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions that the processor can execute, and the processor executes those instructions to implement the foregoing security event analysis method; at the hardware level, the hardware architecture may be as shown in FIG. 3.
In one embodiment, the present disclosure provides a machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to implement the aforementioned security event analysis method.
Here, a machine-readable storage medium may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk or DVD), a similar storage medium, or a combination thereof.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in practicing the disclosure.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (which may include, but is not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an embodiment of the present disclosure, and is not intended to limit the present disclosure. Various modifications and variations of this disclosure will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the scope of the claims of the present disclosure.
Claims (10)
1. A security event analysis method is applied to a network security device, and comprises the following steps:
establishing an association relation among a source address, a destination address and an event according to a security event that has occurred, wherein the source address acts as an attacker and has an attack value, and the destination address acts as a victim and has a victim value;
calculating an attack value of a target address, wherein the attack value of the target address is related to the victim value of the destination address of all security events taking the target address as a source address;
calculating a victim value of a target address, wherein the victim value of the target address is related to attack values of source addresses of all security events taking the target address as a destination address;
and setting a checking order for each address according to the attack value of that address.
2. The method of claim 1, wherein, for addresses with the same attack value, the checking order is set according to their associated victim values.
3. The method of claim 1, wherein calculating the attack value of the target address (related to the victim values of the destination addresses of all security events having the target address as a source address) and calculating the victim value of the target address (related to the attack values of the source addresses of all security events having the target address as a destination address) comprises:
in each iteration, recalculating the attack value according to the updated associated victim values and recalculating the victim value according to the updated associated attack values, and stopping the iteration when the number of iterations reaches a preset number.
4. The method of claim 1,
the establishing of the association relation among the source address, the destination address and the event according to the security event that has occurred, wherein the source address acts as an attacker with an attack value and the destination address acts as a victim with a victim value, comprises:
establishing an association relation among a source address, a destination address and an event weight according to a security event that has occurred;
the calculating of the attack value of the target address, which is associated with the victim value of the destination address of all security events with the target address as the source address, includes:
the attack value of the target address is related to the victim values of the destination addresses of all security events taking the target address as the source address and to the weights corresponding to those security events;
the calculating a victim value of the target address, which is associated with attack values of source addresses of all security events with the target address as a destination address, includes:
the victim value of the target address is related to the attack value of the source address of all the security events taking the target address as the destination address and the weight corresponding to the security events.
5. A security event analysis apparatus, applied to a network security device, the apparatus comprising:
an association module, used for establishing an association relation among a source address, a destination address and an event according to a security event that has occurred, wherein the source address acts as an attacker and has an attack value, and the destination address acts as a victim and has a victim value;
a calculation module, used for calculating an attack value of a target address, wherein the attack value of the target address is related to the victim values of the destination addresses of all security events taking the target address as a source address;
the calculation module is further used for calculating a victim value of the target address, wherein the victim value of the target address is related to attack values of source addresses of all security events taking the target address as a destination address;
and a sequencing module, used for setting a checking order for each address according to the attack value of that address.
6. The apparatus of claim 5, wherein a checking order is set for addresses with the same attack value according to the associated victim value.
7. The apparatus of claim 5, wherein calculating the attack value of the target address (related to the victim values of the destination addresses of all security events having the target address as a source address) and calculating the victim value of the target address (related to the attack values of the source addresses of all security events having the target address as a destination address) comprises:
in each iteration, recalculating the attack value according to the updated associated victim values and recalculating the victim value according to the updated associated attack values, and stopping the iteration when the number of iterations reaches a preset number.
8. The apparatus of claim 5,
the establishing of the association relation among the source address, the destination address and the event according to the security event that has occurred, wherein the source address acts as an attacker with an attack value and the destination address acts as a victim with a victim value, comprises:
establishing an association relation among a source address, a destination address and an event weight according to a security event that has occurred;
the calculating of the attack value of the target address, which is associated with the victim value of the destination address of all security events with the target address as the source address, includes:
the attack value of the target address is related to the victim values of the destination addresses of all security events taking the target address as the source address and to the weights corresponding to those security events;
the calculating a victim value of the target address, which is associated with attack values of source addresses of all security events with the target address as a destination address, includes:
the victim value of the target address is related to the attack value of the source address of all the security events taking the target address as the destination address and the weight corresponding to the security events.
9. An electronic device, comprising: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor to perform the method of any one of claims 1 to 4.
10. A machine-readable storage medium having stored thereon machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any of claims 1-4.
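As an added illustration (not code from the patent), the following Python sketch runs the iteration claims 1 to 4 describe over a small constructed event list: each address's attack value is the weighted sum of the victim values of the addresses it hit, its victim value is the weighted sum of the attack values of the addresses that hit it, and after a preset number of iterations addresses are ordered by attack value with victim value as the tiebreak. The initial value of 1.0 and the per-iteration max-normalization are assumptions of this example, since the claims only say the values are "related".

```python
from collections import defaultdict

# Constructed sample events (source, destination, weight); the addresses are
# made-up values for this illustration, not taken from the patent.
SAMPLE_EVENTS = [
    ("10.0.0.1", "10.0.0.2", 1.0),  # A attacks B
    ("10.0.0.1", "10.0.0.3", 1.0),  # A attacks C
    ("10.0.0.2", "10.0.0.3", 2.0),  # B attacks C with a heavier event
    ("10.0.0.4", "10.0.0.1", 1.0),  # D attacks A
    ("10.0.0.4", "10.0.0.5", 1.0),  # D attacks E
]


def _normalize(values):
    """Scale so the largest value is 1.0 (an assumption, to keep values bounded)."""
    top = max(values.values(), default=0.0)
    return {a: (v / top if top else v) for a, v in values.items()}


def score_addresses(events, iterations=10):
    """Iterate attack/victim values as the claims describe; return (attack, victim)."""
    out = defaultdict(list)  # source -> [(destination, weight)]
    inc = defaultdict(list)  # destination -> [(source, weight)]
    addrs = set()
    for src, dst, weight in events:
        out[src].append((dst, weight))
        inc[dst].append((src, weight))
        addrs.update((src, dst))
    attack = {a: 1.0 for a in addrs}  # assumed starting value
    victim = {a: 1.0 for a in addrs}
    for _ in range(iterations):  # preset number of iterations (claim 3)
        # Attack value: weighted sum of victim values of every address this one hit.
        attack = _normalize({a: sum(w * victim[d] for d, w in out[a]) for a in addrs})
        # Victim value: weighted sum of the updated attack values of every address that hit it.
        victim = _normalize({a: sum(w * attack[s] for s, w in inc[a]) for a in addrs})
    return attack, victim


def checking_order(events, iterations=10):
    """Addresses to check first: attack value descending, ties broken by victim value (claim 2)."""
    attack, victim = score_addresses(events, iterations)
    return sorted(attack, key=lambda a: (-attack[a], -victim[a], a))


if __name__ == "__main__":
    atk, vic = score_addresses(SAMPLE_EVENTS)
    for addr in checking_order(SAMPLE_EVENTS):
        print(f"{addr:10} attack={atk[addr]:.3f} victim={vic[addr]:.3f}")
```

On the constructed events, 10.0.0.2 ranks first even though it generated fewer events than 10.0.0.1, because its single heavy event targets the most-victimized address; the two pure victims tie at attack value 0 and are ordered by victim value.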
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111142145.1A CN113965356B (en) | 2021-09-28 | 2021-09-28 | Security event analysis method, device, equipment and machine-readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113965356A true CN113965356A (en) | 2022-01-21 |
CN113965356B CN113965356B (en) | 2023-12-26 |
Family
ID=79462648
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111142145.1A Active CN113965356B (en) | 2021-09-28 | 2021-09-28 | Security event analysis method, device, equipment and machine-readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113965356B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006071985A2 (en) * | 2004-12-29 | 2006-07-06 | Alert Logic, Inc. | Threat scoring system and method for intrusion detection security networks |
CN109861985A (en) * | 2019-01-02 | 2019-06-07 | 平安科技(深圳)有限公司 | IP risk control method, apparatus, equipment and storage medium based on risk class division |
CN110598404A (en) * | 2019-09-17 | 2019-12-20 | 腾讯科技(深圳)有限公司 | Security risk monitoring method, monitoring device, server and storage medium |
CN112532631A (en) * | 2020-11-30 | 2021-03-19 | 深信服科技股份有限公司 | Equipment safety risk assessment method, device, equipment and medium |
CN113055407A (en) * | 2021-04-21 | 2021-06-29 | 深信服科技股份有限公司 | Asset risk information determination method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN113965356B (en) | 2023-12-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||