Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Multi-step attack detection method based on multi-source abnormal event correlation analysis

An abnormal event and correlation analysis technology, applied in the field of network security, can solve problems such as manual dependence of detection methods, and achieve the effect of shortening discovery time, reducing system security risks, and improving overall security

Active Publication Date: 2017-05-31
THE PLA INFORMATION ENG UNIV
View PDF4 Cites 53 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

The long-term lag and manual dependence of existing detection methods bring great challenges to timely defense against network attacks

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Multi-step attack detection method based on multi-source abnormal event correlation analysis
  • Multi-step attack detection method based on multi-source abnormal event correlation analysis
  • Multi-step attack detection method based on multi-source abnormal event correlation analysis

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0038] Embodiment one, see figure 1 As shown, a multi-step attack detection method based on multi-source abnormal event correlation analysis includes the following steps:

[0039] Step 1. Generate signature-based detection data through feature detection, and generate abnormal events through abnormal scoring;

[0040] Step 2. Collect and aggregate multi-source data, identify abnormal hosts, aggregate events based on hosts, and obtain attack events and attack processes;

[0041] Step 3. Reorganize the attack process through intra-chain association, inter-chain association and feature clustering;

[0042] Step 4. Reconstruct the multi-step attack scenario and output the predicted attack event.

[0043]By correlating and aggregating scattered and isolated security events, a relatively complete multi-step attack scenario is generated, which improves the security analysis capabilities of security managers, expands security perspectives, helps effectively deal with scattered multi-...

Embodiment 2

[0044] Embodiment two, see Figure 1-7 As shown, a multi-step attack detection method based on multi-source abnormal event correlation analysis includes the following content:

[0045] 1) Generate signature-based detection data through feature detection, and generate abnormal events through abnormal scoring.

[0046] 2) Collect and aggregate multi-source data, identify abnormal hosts, aggregate events based on hosts, and obtain attack events and attack processes.

[0047] The attack chain scoring method is used to quantify the attack event and attack process to form an attack chain attack event. The attack event includes: source and destination host identification, event type, event mark, attack stage, start and end time, and security score; Event groups satisfying the logical characteristics of an attack chain form an attack process. Identify abnormal hosts, aggregate events based on victim hosts, and extract events involving the same host into the same collection.

[0048...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention relates to a multi-step attack detection method based on multi-source abnormal event correlation analysis. The multi-step attack detection method comprises the following steps: firstly, calculating a safety event score based on an attach chain through feature extraction and abnormal event definition and identification, identifying an abnormal host and clustering various types of events by taking an attacked host as a clue; secondly, carrying out correlated recombination on a suspected attack progress by utilizing means including intra-chain correlation, inter-chain correlation, feature clustering and the like; finally, reconstructing a multi-source attack scene and outputting a predicated attack event. According to the multi-step attack detection method provided by the invention, dispersed and isolated safety events are subjected to the correlation analysis to generate the relative complete multi-step attack scene; a safety analysis capability of safety managers can be improved and a safety view angle is expanded; distributed and scattered multi-step attack threats are effectively coped and the finding time of attack behaviors is shortened; an effective predication and defending solution is provided for high-grade attack means including APT (Advanced Persistent Threat) and the like; the safety risks of a system are reduced and the network information safety is effectively protected.

Description

technical field [0001] The invention belongs to the technical field of network security, in particular to a multi-step attack detection method based on correlation analysis of multi-source abnormal events. Background technique [0002] With the development of network technology, the ways of network security threats emerge in endlessly, and there are more and more network attack methods such as viruses, worms, backdoors, and Trojan horses. Network space security is gradually attracting people's attention. In response to various attack methods, a variety of detection and blocking defense methods have appeared correspondingly, and attack technologies are also constantly developing. It is difficult to use a single method to attack and penetrate the target, and multi-step attacks have become the mainstream attack style. , its main features are as follows: the attack behavior on a single host is multi-step, and the penetration process of multiple hosts in the target network is mul...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
CPCH04L63/1416
Inventor 郭渊博琚安康马骏朱泰铭张琦王宸东丁文博
Owner THE PLA INFORMATION ENG UNIV
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com