Method and device for detecting security event

Abstract

The embodiment of the invention discloses a method and a device for detecting a security event. The method comprises the following steps: acquiring the occurrence probability of the current even; whenthe occurrence probability of the current event is smaller than a preset threshold value, carrying out rule matching on the current event according to an associated rule base; if the matching is successful, confirming that the current event is a known security event; and otherwise, confirming that the current event is an unknown security event. The device comprises an acquiring module and a matching module. The embodiment of the invention reduces the operation amount by just carrying out the rule matching on the event with the probability smaller than the preset threshold value, thereby ensuring the detecting instantaneity of the security event and improving the defecting efficiency.

Description

technical field [0001] The present invention relates to the communication field, in particular to a security event detection method and device. Background technique [0002] With the continuous development and popularization of information technology, the problem of information security is becoming more and more serious. In computer networks, the number of security incidents such as malicious attacks, illegal intrusions, virus Trojan horses, information leaks, sudden failures, and traffic anomalies is increasing exponentially. Security incidents pose a serious threat to computer network systems, and it is necessary to take effective measures to prevent, monitor, and deal with various security incidents to ensure the normal operation of the system. The detection of security incidents is an essential link, and the purpose of detecting security incidents is to carry out subsequent operations such as alarming and responding to security incidents. [0003] The existing security...

AI Technical Summary

Problems solved by technology

[0004] In the process of realizing the present invention, the inventors found that there are at least the following problems in the prior art: the rule association method based on security event modeling and the association method based on causality completely rely on pre-established association rules for matching, and can only Detecting known types of security events, the detection efficiency is not high, and the feature description library must be continuously updated. At the same time, because all the collected information needs to be matched with the pre-established association rules, the increasingly large association rules make the calculation amount The increase affects the real-time performance of security event detection; the clustering correlation method adopts statistical methods for processing, and the results often lack clear practical significance, and some events can only be classified into one category, but cannot be described The characteristics of this type of event make it impossible to perform subsequent response processing, and because all the collected information needs to be clustered, the amount of calculation is larger, which affects the real-time performance of security event detection

Images