Method and system for correlation analysis of security events

A security event correlation analysis technology, applied in the field of network security, that addresses problems such as the correlation analysis engine failing to trigger, timing inversion, and false or missed alarms, so as to avoid distortion, meet accuracy requirements and improve accuracy.

Active Publication Date: 2014-12-17
CHINA TELECOM CORP LTD
Cites: 4 · Cited by: 11

AI-Extracted Technical Summary

Problems solved by technology

In a complex network environment, because of network transmission delay and front-end processing delay, the order in which security events enter the engine may be reversed, causing the "state machine" to fail to trigger, and the correlat...

Method used

In the present embodiment, after receiving the security event records collected by the security operation center, the records are grouped by device to form an event sequence table for each device; the ordering of this table is the basis for event triggering, and the step size of the corresponding device's event sequence table is adjusted through the matching and timeout of the state machine in the trigger so that it is consistent with the real timing of the security events, avoiding causal distortion of security events caused by timing reversal. It solves the probl...

Abstract

The invention relates to a method and a system for correlation analysis of security events. The method comprises the following steps: security event records collected by a security operation center are received; the records are grouped by device to form, for each device, an event sequence table sorted by security event occurrence time, and a current analysis pointer points at the earliest security event record that has not yet entered the trigger; the security event record pointed to by the current analysis pointer is sent into the trigger for rule matching by a state machine, and the current analysis pointer moves to the security event record at the next position in time order; timer timing and state jumps are carried out according to how the security event records in the trigger match the rules, and the device corresponding to the security event records in the trigger is counted according to the timeout condition of the state machine; and when the counting result reaches a threshold, it is sent to a synchronization adjuster, which carries out a step size adjustment on the event sequence table according to the counting result. With the method and the system, the precision requirements of security event correlation analysis in a complex network environment can be met.

Application Domain

Data switching networks

Technology Topic

Current analysis · Timer · +11 more

Images: three drawings, each titled "Method and system for correlation analysis of security events"

Examples

  • Experimental program(1)

Example Embodiment

[0053] The technical solutions of the present invention will be described in further detail below with reference to the accompanying drawings and embodiments.
[0054] As shown in Figure 1, which is a schematic flowchart of an embodiment of the security event correlation analysis method of the present invention, the security event correlation analysis process in this embodiment includes:
[0055] Step 101: receive the security event records collected by the security operation center;
[0056] Step 102: group the security event records by their corresponding devices, form for each device an event sequence table sorted by the occurrence time of the security events, and point the current analysis pointer at the earliest security event record in each event sequence table that has not yet entered the trigger;
[0057] Step 103: send the security event record pointed to by the current analysis pointer into the trigger for matching against the preset rules of the state machine, and point the current analysis pointer at the next security event record in time order in each event sequence table;
[0058] Step 104: perform timer timing and state jumps according to how the security event record in the trigger matches the preset rules of the state machine, and count the device corresponding to the security event record in the trigger according to the timeout condition of the state machine;
[0059] Step 105: when the counting result reaches the preset statistical threshold, send the counting result to the synchronization adjuster, so that the synchronization adjuster makes a step adjustment to the event sequence table of the device corresponding to the security event record in the trigger according to the counting result.
[0060] In this embodiment, after the security event records collected by the security operation center are received, they are grouped by device to form an event sequence table for each device; the ordering of this table is the basis for event triggering. Based on the matching and timeout of the state machine in the trigger, the step size of the corresponding device's event sequence table is adjusted so that it is consistent with the real time sequence of the security events. This avoids the distortion of causal relationships between security events caused by sequence inversion and improves the accuracy of correlation analysis, so that the accuracy requirements of security event correlation analysis in a complex network environment are met.
[0061] In step 101, the security event records collected by the security operation center are log records containing detailed information such as the event occurrence time, the alarming device, the related device IPs (attack source, attack target, etc.) and the event type. The security operation center generally stores them in a database; for the specific content of security event records, refer to the standards and specifications of the Ministry of Industry and Information Technology.
[0062] In step 102, the security event records are grouped by device, each device forms a corresponding event sequence table, and the security event records in each table are sorted by the occurrence time of the security event; the concrete form can be any of various existing data structures such as a doubly linked list or a sequential list. Which security event record enters the trigger is determined by the current analysis pointer, which points at the earliest security event record in each event sequence table that has not yet entered the trigger.
[0063] In addition, when the event sequence tables are initially formed, the synchronization adjuster may pre-point the time pointer of each device's event sequence table at the earliest security event record in that table that has not yet entered the trigger.
[0064] In step 103, the security event record pointed to by the current analysis pointer is sent into the trigger for matching against the preset rules of the state machine; correspondingly, the current analysis pointer moves to the next security event record in time order in each event sequence table.
[0065] Regarding the matching of the preset rules of the state machine in step 104: besides judging whether the security event record in the trigger matches the preset rules of the state machine, the current state of the state machine must also be judged. If the rule is matched and the state machine is in the initial state, the state machine of the security event record in the trigger jumps to the alert state and the timer is started; the current analysis pointer then points at the next security event record in time order in the respective event sequence table, which is fed into the trigger for processing.
[0066] If the state machine is already in an alert state, the state machine of the security event record in the trigger jumps to the next alert state, and it is judged whether the state machine after the jump has reached the final alert state; if so, alarm information is sent out and the state machine returns to the initial state.
[0067] If the state machine has not reached the final alert state, it is judged whether the timer has timed out. If it has, the state machine returns to the initial state and the device corresponding to the security event record in the trigger is counted; otherwise, the current analysis pointer points at the next security event record in time order in each event sequence table, which is sent into the trigger for processing.
[0068] If the alarm is triggered normally, the timing of that device is relatively normal; if the timer times out, the security events did not trigger the alarm normally, which means there may be a timing reversal problem and synchronization adjustment is required.
[0069] Through the counting in step 104, when the counting result reaches the preset statistical threshold in step 105, the counting result is sent to the synchronization adjuster, which makes a step adjustment to the event sequence table of the device corresponding to the security event record in the trigger according to the counting result. This counting plus step adjustment is a feedback mechanism between the trigger and the synchronization adjuster. Through it, the synchronization adjuster can adjust the synchronization relationship between the event sequence tables of the different devices and improve the timing accuracy of security events; the stability of the system is also improved by the synchronization adjustment.
[0070] Specifically, the synchronization adjuster can determine the step value and the adjustment direction according to the sign and magnitude of the counting result, and adjust the pointing position of the time pointer of the event sequence table of the device corresponding to the counting result according to the determined step value and direction.
[0071] Further, when alarm information is sent out and the state machine returns to the initial state, a positive count can be made for the device corresponding to the security event record in the trigger, and when the state machine times out, a negative count is made for that device. With the counting results accumulated in this way, if the counting result sent to the synchronization adjuster is negative, the synchronization adjuster determines that the adjustment direction of the time pointer is toward the head of the event sequence table of the device corresponding to the counting result (that is, the time pointer is moved to point at an earlier security event record); if the counting result is positive, the time pointer is kept unchanged.
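The engine described in steps 101 to 105 and paragraphs [0061] to [0071], as an added Python example that is not part of the patent and not China Telecom's code. It assumes a three-step rule on one device (port_scan, then brute_force, then login_success), a timer measured in event time, a synchronization step of `step_unit` records per unit of negative count, and a constructed scenario in which one device's middle event arrives late; the names `CorrelationEngine`, `SecurityEvent`, the event types and the rule that a non-matching record while in an alert state only triggers the timeout check are all assumptions, since the text does not fix them.

```python
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    """One security event record (constructed form; only the fields the engine needs)."""
    time: float        # occurrence time in seconds; tables are sorted by this
    device: str        # alarming device; tables are grouped by this
    event_type: str    # event type matched against the rule


class CorrelationEngine:
    """Per-device event sequence tables, a current analysis pointer per table, a trigger
    (multi-step state machine with a timer), a counter and a synchronization adjuster."""

    def __init__(self, rule: List[str], window: float, threshold: int, step_unit: int):
        self.rule = rule            # ordered event types; state len(rule) is the final alert state
        self.window = window        # timer limit (event-time seconds) to complete the rule
        self.threshold = threshold  # |count| at which the result is sent to the adjuster
        self.step_unit = step_unit  # records stepped back per unit of negative count (assumption)
        self.tables: Dict[str, List[SecurityEvent]] = {}  # event sequence table per device
        self.pointer: Dict[str, int] = {}                 # current analysis pointer per device
        self.state: Dict[str, int] = {}                   # 0 = initial, 1.. = alert states
        self.timer_start: Dict[str, float] = {}
        self.count: Dict[str, int] = {}
        self.alarms: List[Tuple[str, float]] = []
        self.adjustments: List[Tuple[str, int, int, int]] = []  # (device, count, old, new)

    def receive(self, ev: SecurityEvent) -> None:
        """Steps 101/102: place the record in its device's time-sorted table."""
        table = self.tables.setdefault(ev.device, [])
        self.pointer.setdefault(ev.device, 0)
        pos = bisect_right([e.time for e in table], ev.time)
        table.insert(pos, ev)
        # A late record sorted before the pointer shifts the pointed-at record by one; keep
        # the pointer on that record, so the late one is only seen if the adjuster steps back.
        if pos < self.pointer[ev.device]:
            self.pointer[ev.device] += 1

    def run(self) -> None:
        """Steps 103-105: feed every not-yet-analysed record into the trigger."""
        for dev, table in self.tables.items():
            while self.pointer[dev] < len(table):
                rec = table[self.pointer[dev]]
                self.pointer[dev] += 1  # pointer advances to the next record in time order
                self._trigger(rec)

    def _trigger(self, rec: SecurityEvent) -> None:
        dev = rec.device
        st = self.state.get(dev, 0)
        matched = rec.event_type == self.rule[st]
        if st == 0:
            if matched:  # initial state: jump to the first alert state and start the timer
                self.state[dev] = 1
                self.timer_start[dev] = rec.time
            return
        if matched:      # alert state: jump to the next alert state
            st += 1
            self.state[dev] = st
            if st == len(self.rule):  # final alert state: alarm, back to initial, count +1
                self.alarms.append((dev, rec.time))
                self.state[dev] = 0
                self._count(dev, +1)
                return
        # Not final: check the timer against the record's event time (assumed time base).
        if rec.time - self.timer_start[dev] > self.window:
            self.state[dev] = 0  # timeout: back to initial, count -1
            self._count(dev, -1)

    def _count(self, dev: str, delta: int) -> None:
        self.count[dev] = self.count.get(dev, 0) + delta
        if abs(self.count[dev]) >= self.threshold:
            self._synchronize(dev, self.count[dev])
            self.count[dev] = 0

    def _synchronize(self, dev: str, result: int) -> None:
        """Adjuster: a negative result moves the pointer toward the head of the table
        (replaying records); a positive result leaves the pointer unchanged."""
        if result >= 0:
            return
        old = self.pointer[dev]
        new = max(0, old - abs(result) * self.step_unit)
        self.pointer[dev] = new
        self.adjustments.append((dev, result, old, new))


def demo():
    """Constructed scenario: srv-1 arrives in order; srv-2's brute_force arrives late,
    after the pointer has already passed the login_success that follows it."""
    eng = CorrelationEngine(rule=["port_scan", "brute_force", "login_success"],
                            window=60.0, threshold=2, step_unit=3)
    for ev in [SecurityEvent(0.0, "srv-1", "port_scan"), SecurityEvent(10.0, "srv-1", "brute_force"),
               SecurityEvent(20.0, "srv-1", "login_success"), SecurityEvent(100.0, "srv-2", "port_scan"),
               SecurityEvent(120.0, "srv-2", "login_success")]:
        eng.receive(ev)
    eng.run()
    first_pass = list(eng.alarms)  # only srv-1 has alarmed; srv-2 is stuck in alert state 1
    eng.receive(SecurityEvent(110.0, "srv-2", "brute_force"))  # delayed middle event
    for ev in [SecurityEvent(200.0, "srv-2", "noise"), SecurityEvent(250.0, "srv-2", "port_scan"),
               SecurityEvent(400.0, "srv-2", "noise")]:
        eng.receive(ev)
    eng.run()  # two timeouts -> count -2 -> pointer stepped back to the head -> replay alarms
    return first_pass, list(eng.alarms), list(eng.adjustments)
```

`demo()` returns `([("srv-1", 20.0)], [("srv-1", 20.0), ("srv-2", 120.0)], [("srv-2", -2, 6, 0)])`: the delayed record is only matched after the negative count drives the adjuster to move srv-2's pointer back toward the head. A replay can re-emit alarms that were already raised; a production engine would de-duplicate on (device, rule, final event time).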
[0072] As shown in Figure 2, which is a schematic flowchart of another embodiment of the security event correlation analysis method of the present invention, compared with the previous embodiment this embodiment also includes the following operations between step 101 and step 102:
[0073] Step 101a: parse the information carried in the security event records collected by the security operation center according to the standard attribute fields;
[0074] Step 101b: filter out events of low importance, and merge identical security events while accumulating their occurrence counts.
[0075] Steps 101a and 101b are the preprocessing of the security event records. Through preprocessing, some low-importance security events are filtered out and some repeated security event records are merged and counted, which reduces the number of security event records that need processing or do not need to be considered, and avoids the processing of these events occupying too many system resources.
[0076] Those of ordinary skill in the art can understand that all or part of the steps for realizing the above method embodiments can be completed by hardware directed by program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes ROM, RAM, magnetic disks, optical disks and other media that can store program code.
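The preprocessing of steps 101a and 101b, as an added Python example that is not part of the patent or China Telecom's code. The "key=value;key=value" line format, the field names, the severity threshold and the sample records are constructed assumptions; the MIIT attribute-field standard the text refers to is not reproduced. The merge key (device, source, destination, type) and the rule that a merged record keeps its earliest time are also my choices.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample records in an assumed "key=value;..." line format.
RAW_RECORDS = [
    "time=1000;device=fw-1;src=10.0.0.5;dst=10.0.1.7;type=port_scan;severity=3",
    "time=1001;device=fw-1;src=10.0.0.5;dst=10.0.1.7;type=port_scan;severity=3",
    "time=1002;device=fw-1;src=10.0.0.5;dst=10.0.1.7;type=port_scan;severity=3",
    "time=1005;device=fw-1;src=10.0.0.5;dst=10.0.1.7;type=brute_force;severity=4",
    "time=1006;device=fw-1;src=10.0.0.9;dst=10.0.1.7;type=icmp_echo;severity=1",
    "time=1007;device=fw-2;src=10.0.0.5;dst=10.0.2.3;type=port_scan",  # severity missing
]
REQUIRED = ("time", "device", "src", "dst", "type", "severity")


def parse_record(line: str) -> Dict[str, Any]:
    """Step 101a: split a record into its standard attribute fields; reject malformed ones."""
    fields = dict(item.split("=", 1) for item in line.split(";") if "=" in item)
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing attribute fields: {missing}")
    return {"time": float(fields["time"]), "device": fields["device"], "src": fields["src"],
            "dst": fields["dst"], "type": fields["type"], "severity": int(fields["severity"])}


def preprocess(lines: List[str], min_severity: int) -> Tuple[List[Dict[str, Any]], Dict[str, int]]:
    """Step 101b: drop low-importance events and merge identical ones, accumulating a count.
    The merged record keeps the earliest time so the per-device sequence table still sorts."""
    merged: Dict[tuple, Dict[str, Any]] = {}
    stats = {"malformed": 0, "dropped_low_importance": 0}
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            stats["malformed"] += 1  # unparsable records never reach the engine
            continue
        if rec["severity"] < min_severity:
            stats["dropped_low_importance"] += 1
            continue
        key = (rec["device"], rec["src"], rec["dst"], rec["type"])
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["time"] = min(merged[key]["time"], rec["time"])
        else:
            merged[key] = {**rec, "count": 1}
    return list(merged.values()), stats
```

With `min_severity=2`, the three port scans collapse into one record with `count` 3 at time 1000, the brute-force record passes unchanged, the ICMP echo is dropped as low importance, and the record without a severity field is counted as malformed.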
[0077] As shown in Figure 3, which is a schematic structural diagram of an embodiment of the security event correlation analysis system of the present invention, the security event correlation analysis system in this embodiment includes: an event record receiving module 1, a sequence table forming module 2, a current analysis pointer 3, a trigger 4, a counting module 5 and a synchronization adjuster 6.
[0078] The event record receiving module 1 receives the security event records collected by the security operation center. The sequence table forming module 2 groups the security event records by their corresponding devices and forms, for each device, an event sequence table sorted by security event occurrence time.
[0079] The current analysis pointer 3 points at the earliest security event record in each event sequence table that has not yet entered the trigger. The trigger 4 receives the security event record pointed to by the current analysis pointer 3, matches it against the preset rules of the state machine, performs timer timing and state jumps according to how the security event record in the trigger 4 matches the preset rules, and points the current analysis pointer 3 at the next security event record in time order in each event sequence table.
[0080] The counting module 5 counts the devices corresponding to the security event records in the trigger according to the timeout condition of the state machine, and sends the counting result to the synchronization adjuster 6 when it reaches the preset statistical threshold. The synchronization adjuster 6 adjusts the step size of the event sequence table of the device corresponding to the security event record in the trigger 4 according to the counting result. The synchronization adjuster may further, when the devices corresponding to the security event records are grouped and an event sequence table sorted by occurrence time is formed for each device, point the time pointer of each device's event sequence table at the earliest security event record in that table that has not yet entered the trigger.
[0081] As shown in Figure 4, which is a schematic structural diagram of another embodiment of the security event correlation analysis system of the present invention, compared with the previous embodiment this embodiment also includes a preprocessing module 7, which parses the information carried in the security event records collected by the security operation center according to the standard attribute fields, filters out events of low importance, and merges identical security events while accumulating their counts.
[0082] As shown in Figure 5, which is a schematic structural diagram of another embodiment of the security event correlation analysis system of the present invention, compared with the foregoing embodiments the trigger in this embodiment specifically includes: a rule matching unit 41, a state jump unit 42, an initial state return unit 43, an alarm unit 44 and a timeout judgment unit 45.
[0083] The rule matching unit 41 receives the security event record pointed to by the current analysis pointer 3 and matches it against the preset rules of the state machine. The state jump unit 42, when the security event record in the trigger 4 matches a preset rule of the state machine and the state machine is in the initial state, makes the state machine of that security event record jump to the alert state, starts the timer, and then points the current analysis pointer 3 at the next security event record in time order in the respective event sequence table and sends it into the trigger 4 for processing; if the state machine is already in an alert state, it makes the state machine of the security event record in the trigger 4 jump to the next alert state and judges whether the state machine after the jump has reached the final alert state.
[0084] The initial state return unit 43 restores the state machine to the initial state. The alarm unit 44 sends out alarm information and triggers the initial state return unit 43 when the state machine after the jump has reached the final alert state. The timeout judgment unit 45 judges, when the state machine has not reached the final alert state, whether the timer has timed out; if it has, it triggers the initial state return unit 43 and the counting module 5, otherwise the current analysis pointer 3 points at the next security event record in time order in each event sequence table and sends it into the trigger 4 for processing.
[0085] In another embodiment, the synchronization adjuster may further specifically include:
[0086] an adjustment parameter determination unit, configured to determine the step value and the adjustment direction according to the sign and magnitude of the counting result;
[0087] a time pointer adjustment unit, configured to adjust the pointing position of the time pointer of the event sequence table of the device corresponding to the counting result according to the determined step value and adjustment direction.
[0088] In another embodiment, when alarm information is sent out and the state machine returns to the initial state, the counting module can make a positive count for the device corresponding to the security event record in the trigger, and when the state machine times out, it makes a negative count for that device. Correspondingly, when the counting result is negative, the adjustment parameter determination unit determines that the adjustment direction of the time pointer is toward the head of the event sequence table of the device corresponding to the counting result, and when the counting result is positive, the time pointer is kept unchanged.
[0089] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that the specific implementations of the invention can still be modified, or some of their technical features replaced by equivalents, and that such modifications and replacements, insofar as they do not depart from the spirit of the technical solutions of the present invention, fall within the scope of the technical solutions claimed by the present invention.

