Complex event processing method based on parallel distributed architecture

Abstract

The invention discloses a complex event processing method based on a parallel distributed architecture and belongs to the network safety field. The correlation analysis inquire statement is divided into the operation sequence composed of the stateful operation and stateless operation, the operation sequence is divided according to the principle that each subquery at least has and only has one stateful query, the cluster is equally divided several sub clusters according to the dividing number and the subquery is deployed to the corresponding sub cluster. The different sub operation sequences deployed to the different sub clusters can be calculated in a parallel mode, the same operation deployed to different machines of the same sub cluster can be calculated in a parallel mode. Different queries are parallel (parallel mode between queries), the same query is also parallel (parallel mode in the query); the parallel mode in the query not only comprises the parallel mode between different operations and the same operation is parallel. Each operation is parallel for solving the node performance bottleneck problem during the query calculation process.

Description

technical field [0001] The invention belongs to the technical field of network security, in particular to a method for implementing a real-time correlation analysis engine of network security events based on a distributed parallel architecture. Background technique [0002] Security information and event management system technology provides an integrated view of security-related information. The security information and event management system is the final summary of security information and events, and it is analyzed in real time, and its location is at the core of the entire security defense system. The current security information and event management system has extensively expanded event monitoring capabilities, including active security incident monitoring and management, and passive log automatic collection and management. [0003] The correlation analysis engine of the current security information and event management system is a centralized solution. With the incre...

AI Technical Summary

Problems solved by technology

[0005] Adopt complex event processing technology to enhance the technical capabilities of the correlation analysis engine of the security information and event management system. Compared with the past, a certain correlation analysis computing capacity has been increased, but this increase cannot catch up with the increase in computing data and cannot be completely improved. The computing power of the correlation analysis engine;

[0006] Using caching technology can ensure that security information and events will not be discarded, and ensure the comprehensiveness of analysis, but it cannot meet the timeliness of security discovery, and the delayed analysis results are hardly useful for security disposal;

[0007] Adopting a QoS policy can ensure real-time correlation analysis of security information and events, and make immediate responses. However, the discarded event rules are formulated by humans based on existing knowledge, and key security events may be missed, resulting in incomplete analysis results.

Images