A Method of Complex Event Processing Based on Parallel Distributed Architecture
A technology of complex event processing and distributed architecture, applied in the field of network security, can solve the problems of not being able to meet the timeliness of security discovery, missing security events, and not being able to fully improve the computing power of the correlation analysis engine, etc.
Active Publication Date: 2017-12-12
706 INST SECOND RES INST OF CHINAAEROSPACE SCI & IND
View PDF4 Cites 0 Cited by
- Summary
- Abstract
- Description
- Claims
- Application Information
AI Technical Summary
Problems solved by technology
[0005] Adopt complex event processing technology to enhance the technical capabilities of the correlation analysis engine of the security information and event management system. Compared with the past, a certain correlation analysis computing capacity has been increased, but this increase cannot catch up with the increase in computing data and cannot be completely improved. The computing power of the correlation analysis engine;
[0006] Using caching technology can ensure that security information and events will not be discarded, and ensure the comprehensiveness of analysis, but it cannot meet the timeliness of security discovery, and the delayed analysis results are hardly useful for security disposal;
[0007] Adopting a QoS policy can ensure real-time correlation analysis of security information and events, and make immediate responses. However, the discarded event rules are formulated by humans based on existing knowledge, and key security events may be missed, resulting in incomplete analysis results.
Method used
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View moreImage
Smart Image Click on the blue labels to locate them in the text.
Smart ImageViewing Examples
Examples
Experimental program
Comparison scheme
Effect test
Embodiment Construction
[0021] The preferred embodiments will be described in detail below in conjunction with the flow charts. It should be emphasized that the following descriptions are only illustrative, not intended to limit the scope of the present invention and its application.
[0022] First, combine the event flow definition to define complex event flow element operations:
[0023] The mapping operation Map is defined as follows:
[0024]
[0025] Given an input event stream S, according to a user-defined set of ordered transformation expressions, such as Perform attribute conversion on input events and output conversion result events.
[0026] Filter operation Filter, which is defined as follows:
[0027] Filter{(P 1 ,O 1 ),...,(P m ,O m ),O m+1}(S)
[0028] Given an input event stream S, according to a user-defined set of ordered assertion sets {(P 1 ,O 1 ),...,(P m ,O m ),O m+1}, each input event is forwarded to the output corresponding to the first assertion that the even...
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More PUM
Login to View More Abstract
The invention discloses a complex event processing method based on a parallel distributed architecture and belongs to the network safety field. The correlation analysis inquire statement is divided into the operation sequence composed of the stateful operation and stateless operation, the operation sequence is divided according to the principle that each subquery at least has and only has one stateful query, the cluster is equally divided several sub clusters according to the dividing number and the subquery is deployed to the corresponding sub cluster. The different sub operation sequences deployed to the different sub clusters can be calculated in a parallel mode, the same operation deployed to different machines of the same sub cluster can be calculated in a parallel mode. Different queries are parallel (parallel mode between queries), the same query is also parallel (parallel mode in the query); the parallel mode in the query not only comprises the parallel mode between different operations and the same operation is parallel. Each operation is parallel for solving the node performance bottleneck problem during the query calculation process.
Description
technical field [0001] The invention belongs to the technical field of network security, in particular to a method for implementing a real-time correlation analysis engine of network security events based on a distributed parallel architecture. Background technique [0002] Security information and event management system technology provides an integrated view of security-related information. The security information and event management system is the final summary of security information and events, and it is analyzed in real time, and its location is at the core of the entire security defense system. The current security information and event management system has extensively expanded event monitoring capabilities, including active security incident monitoring and management, and passive log automatic collection and management. [0003] The correlation analysis engine of the current security information and event management system is a centralized solution. With the incre...
Claims
the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More Application Information
Patent Timeline
Login to View More Patent Type & Authority Patents(China)
IPC IPC(8): H04L29/06H04L29/08
CPCH04L67/10
Inventor 廉海明郭旭东谢小明胡佳胡大正郭江沈艳林石波沈德峰吴朝雄王红艳
Owner 706 INST SECOND RES INST OF CHINAAEROSPACE SCI & IND