A Redundancy Removal Method Based on Multi-source Alarm Log Security Event Characteristic Analysis

A security event feature analysis technology, applied in the field of redundancy removal, that can solve problems such as redundancy of security events, accidental deletion of alarms and dispersion of the compared attributes, with the effect of preserving the amount of data information, processing efficiently and improving judgment.

Active Publication Date: 2017-07-14
STATE GRID ZHEJIANG ELECTRIC POWER +1
AI Technical Summary

Problems solved by technology

While these security products have improved the security level of the system, they have also brought new problems: the multi-source, heterogeneous, massive security events generated by different security products contain a lot of redundancy, and the data is difficult to process and analyze efficiently.
[0004] 1. The attributes selected for comparison are too scattered, and some schemes do not consider the alarm time attribute, so they cannot aggregate alarms effectively;
[0005] 2. Different types of alarms carry type-specific information, yet the same algorithm and threshold are used to aggregate all of them, so alarms may be deleted by mistake;
[0006] 3. Specific types of alarms depend strongly on certain specific attributes, for example DOS alarms on the target IP and port. Existing solutions rarely consider adjusting the weight distribution of the similarity calculation according to this attribute dependence.


Examples


Embodiment 1

[0039] As shown in Figures 1 to 3, this is Embodiment 1 of the de-redundancy method based on multi-source alarm log security event feature analysis of the present invention; its steps are, in turn:

[0040] (1) Discretize the alarm log attributes; as shown in Figure 2, this specifically comprises the following steps:

[0041] (1.1) Attribute definition: define C as the conditional attribute, comprising src_ip, dst_ip, src_port, dst_port and sid, which are respectively recorded as the conditional attribute values C_i (i = 1, 2, 3, 4, 5); define D as the decision attribute, comprising the six categories Scan, Dos, U2R, R2L, Misc and UE;

[0042] (1.2) Sample space classification: divide the sample space into six categories according to Scan, Dos, U2R, R2L, Misc and UE, and record them as the decision attribute classes D_j (j = 1, 2, 3, 4, 5, 6);

[0043] (1.3) Interval construction: according to the conditional attribute values C_i (i = 1, 2, 3, 4, 5), taking C i1 as an example, for each class D...

Abstract

The invention discloses a redundancy removal method based on multi-source alarm log security incident feature analysis, belongs to the technical field of information security, and overcomes the technical problem in the prior art that a redundancy removal scheme cannot effectively cluster alarms, may delete alarms by mistake, or does not consider regulating the weight distribution of the similarity calculation according to attribute dependency. The redundancy removal method based on multi-source alarm log security incident feature analysis successively comprises the following steps: (1) discretizing the alarm log attributes; (2) dynamically assigning the alarm incident attribute weights; (3) calculating the alarm security incident similarity; and (4) judging whether the alarm security incident is redundant or not.
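The four steps of the abstract and the attribute definitions of Embodiment 1 (conditional attributes src_ip, dst_ip, src_port, dst_port, sid; six decision classes Scan, Dos, U2R, R2L, Misc, UE) can be worked through end to end. The block below is an added illustration written for this page, not the patent's own algorithm: the page names the steps and attributes but not its discretisation intervals, weight tables, similarity formula or thresholds, so the /24 and IANA port-range bucketing, the per-class weights (heavier on the target IP and port for Dos, as the background section motivates), the match-weighted similarity, the thresholds, the 300 s time window and the sample alarms are all constructed assumptions.

```python
"""Weighted alarm redundancy removal: an added illustration of the four steps
(discretise, weight per class, compute similarity, judge redundancy).
Every rule, weight, threshold and alarm below is a constructed assumption,
not taken from the patent."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple

COND_ATTRS = ("src_ip", "dst_ip", "src_port", "dst_port", "sid")   # C_1..C_5
DECISION_CLASSES = ("Scan", "Dos", "U2R", "R2L", "Misc", "UE")     # D_1..D_6


@dataclass(frozen=True)
class Alarm:
    ts: int            # alarm time, seconds since epoch
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    sid: int           # detection-rule signature id
    cls: str           # one of DECISION_CLASSES


# Step (1): discretisation (assumed rules). Ports collapse into IANA ranges and
# IPs into their /24, so alarms that differ only in trivial detail share a bucket.
def discretise_port(port: int) -> str:
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "ephemeral"


def discretise_ip(ip: str) -> str:
    return str(ip_network(f"{ip}/24", strict=False))


def discretise(a: Alarm) -> Dict[str, str]:
    return {"src_ip": discretise_ip(a.src_ip), "dst_ip": discretise_ip(a.dst_ip),
            "src_port": discretise_port(a.src_port), "dst_port": discretise_port(a.dst_port),
            "sid": str(a.sid)}


# Step (2): per-class attribute weights (assumed; each row sums to 1). Dos leans on
# the target IP/port; Scan leans on the scanning source, which hits many targets.
WEIGHTS = {
    "Scan": {"src_ip": 0.5, "dst_ip": 0.1, "src_port": 0.05, "dst_port": 0.05, "sid": 0.3},
    "Dos":  {"src_ip": 0.1, "dst_ip": 0.35, "src_port": 0.05, "dst_port": 0.3, "sid": 0.2},
}
DEFAULT_WEIGHTS = {k: 0.2 for k in COND_ATTRS}      # uniform for the other classes
THRESHOLDS = {"Scan": 0.8, "Dos": 0.8}              # assumed per-class thresholds
DEFAULT_THRESHOLD = 0.9
TIME_WINDOW = 300                                   # seconds; alarm time is compared too


# Step (3): similarity = total weight of the discretised attributes that match.
def similarity(a: Alarm, b: Alarm) -> float:
    if a.cls != b.cls:
        return 0.0
    da, db = discretise(a), discretise(b)
    w = WEIGHTS.get(a.cls, DEFAULT_WEIGHTS)
    return sum(w[k] for k in COND_ATTRS if da[k] == db[k])


# Step (4): an alarm is redundant if a kept alarm of the same class, inside the
# time window, is at least as similar as the class threshold.
def is_redundant(new: Alarm, kept: List[Alarm]) -> bool:
    limit = THRESHOLDS.get(new.cls, DEFAULT_THRESHOLD)
    return any(old.cls == new.cls and abs(new.ts - old.ts) <= TIME_WINDOW
               and similarity(new, old) >= limit for old in kept)


def deduplicate(alarms: List[Alarm]) -> Tuple[List[Alarm], List[Alarm]]:
    """Return (kept, dropped); alarms are processed in time order."""
    kept: List[Alarm] = []
    dropped: List[Alarm] = []
    for a in sorted(alarms, key=lambda x: x.ts):
        (dropped if is_redundant(a, kept) else kept).append(a)
    return kept, dropped


# Constructed sample alarms (not real log data).
SAMPLE = [
    Alarm(0,    "10.0.0.5", "192.168.1.10", 51000, 80,   1001, "Dos"),
    Alarm(5,    "10.0.0.5", "192.168.1.10", 51001, 80,   1001, "Dos"),   # repeat -> dropped
    Alarm(8,    "10.0.0.9", "192.168.2.20", 51002, 443,  1001, "Dos"),   # other target -> kept
    Alarm(100,  "10.0.0.5", "192.168.1.10", 50000, 22,   2001, "Scan"),
    Alarm(110,  "10.0.0.5", "192.168.1.77", 50001, 3389, 2001, "Scan"),  # same scanner -> dropped
    Alarm(1000, "10.0.0.5", "192.168.1.10", 51000, 80,   1001, "Dos"),   # outside window -> kept
]

if __name__ == "__main__":
    kept, dropped = deduplicate(SAMPLE)
    print(f"kept {len(kept)}, dropped {len(dropped)} as redundant")
```

Note that a dropped alarm is never used as a comparison base: each new alarm is judged only against the alarms already kept, which prevents a slowly drifting chain of near-duplicates from swallowing a genuinely new event.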

Description

Technical field

[0001] The invention relates to a redundancy removal method based on multi-source alarm log security event feature analysis, and belongs to the technical field of information security.

Background technique

[0002] With the diversification and complexity of network threats, a single-function network security product cannot guarantee the security of information systems. Therefore, security products such as firewalls, intrusion detection systems and identity authentication systems have been installed in the network. While these security products have improved the security level of the system, they have also brought new problems: there is a large amount of redundancy in the multi-source, heterogeneous, massive security events generated by different security products, and the data is difficult to process and analyze efficiently.

[0003] The method of alarm aggregation can effectively reduce the number of alarms, so that attack events can be presented mo...

Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F11/32, G06F11/34
Inventor: 姚一杨张彩友戴波叶伟静卢新岱梅峰黄慧邬秀玲高强张旭东
Owner: STATE GRID ZHEJIANG ELECTRIC POWER