Multi-step attack detection method based on multi-source abnormal event correlation analysis

An abnormal event and correlation analysis technology, applied in the field of network security, can solve problems such as manual dependence of detection methods, and achieve the effect of shortening discovery time, reducing system security risks, and improving overall security

Active Publication Date: 2017-05-31
THE PLA INFORMATION ENG UNIV

AI Technical Summary

Problems solved by technology

The long-term lag and manual dependence of existing detection methods bring great challenges to timely defense against network attacks



Examples


Embodiment 1

[0038] Embodiment one, as shown in Figure 1: a multi-step attack detection method based on multi-source abnormal event correlation analysis includes the following steps:

[0039] Step 1. Generate signature-based detection data through feature detection, and generate abnormal events through abnormal scoring;

[0040] Step 2. Collect and aggregate multi-source data, identify abnormal hosts, aggregate events based on hosts, and obtain attack events and attack processes;

[0041] Step 3. Reorganize the attack process through intra-chain association, inter-chain association and feature clustering;

[0042] Step 4. Reconstruct the multi-step attack scenario and output the predicted attack event.

[0043] By correlating and aggregating scattered and isolated security events, a relatively complete multi-step attack scenario is generated, which improves the security analysis capabilities of security managers, expands security perspectives, helps effectively deal with scattered multi-...

Embodiment 2

[0044] Embodiment two, as shown in Figures 1-7: a multi-step attack detection method based on multi-source abnormal event correlation analysis includes the following content:

[0045] 1) Generate signature-based detection data through feature detection, and generate abnormal events through abnormal scoring.

[0046] 2) Collect and aggregate multi-source data, identify abnormal hosts, aggregate events based on hosts, and obtain attack events and attack processes.

[0047] The attack chain scoring method is used to quantify attack events and attack processes, forming attack-chain attack events. An attack event includes: source and destination host identifiers, event type, event mark, attack stage, start and end time, and security score; groups of events that satisfy the logical characteristics of an attack chain form an attack process. Abnormal hosts are identified, events are aggregated by victim host, and events involving the same host are extracted into the same collection.
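The host-based aggregation and attack-chain formation described in step 2 and paragraph [0047] (and summarised again in the Abstract below) can be illustrated in a few dozen lines. The following is an added example, not code from the patent or its inventors: the event record uses the fields the text lists, while the stage names, the chain rule (stages must not move backwards within one process) and the chain-score formula are assumptions of this example, since the text states that events must satisfy "the logical characteristics of an attack chain" without defining them.

```python
"""Host-based aggregation of abnormal events into attack chains.

Added illustration of step 2 / paragraph [0047]; not the patent's own code.
Field names follow the attack-event record described in the text. The stage
order, the chain rule and the scoring formula are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed stage order; the text mentions attack stages without listing them.
STAGE_ORDER = {"recon": 0, "exploit": 1, "install": 2, "c2": 3, "lateral": 4}


@dataclass(frozen=True)
class AttackEvent:
    src_host: str
    dst_host: str
    event_type: str
    event_mark: str   # e.g. "signature" or "anomaly", per step 1 of the method
    stage: str
    start: int        # seconds; constructed timestamps
    end: int
    score: float      # security score produced by abnormal scoring


def aggregate_by_victim(events):
    """Group events by the attacked (destination) host, ordered by start time."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.dst_host].append(ev)
    for host in by_host:
        by_host[host].sort(key=lambda e: (e.start, STAGE_ORDER[e.stage]))
    return dict(by_host)


def build_attack_processes(host_events):
    """Split one host's time-ordered events into attack processes.

    Assumed chain rule: an event extends the current process when its stage
    is at or after the stage of the previous event; a stage that moves
    backwards (e.g. a fresh recon after c2) starts a new process.
    """
    processes = []
    current = []
    for ev in host_events:
        if current and STAGE_ORDER[ev.stage] < STAGE_ORDER[current[-1].stage]:
            processes.append(current)
            current = []
        current.append(ev)
    if current:
        processes.append(current)
    return processes


def chain_score(process):
    """Assumed attack-chain score: summed event scores weighted by the number
    of distinct stages, so that a process covering more of the chain ranks higher."""
    distinct_stages = {e.stage for e in process}
    return round(sum(e.score for e in process) * len(distinct_stages), 2)


def detect(events):
    """Return {victim_host: [(chain_score, [stage, ...]), ...]} for each host."""
    result = {}
    for host, evs in aggregate_by_victim(events).items():
        result[host] = [
            (chain_score(p), [e.stage for e in p]) for p in build_attack_processes(evs)
        ]
    return result


# Constructed sample events (not from the patent).
SAMPLE_EVENTS = [
    AttackEvent("10.0.0.5", "10.0.0.20", "port_scan", "anomaly", "recon", 100, 160, 1.0),
    AttackEvent("10.0.0.5", "10.0.0.20", "exploit_sig", "signature", "exploit", 200, 201, 4.0),
    AttackEvent("10.0.0.20", "10.0.0.30", "lateral_smb", "anomaly", "lateral", 300, 320, 3.0),
    AttackEvent("10.0.0.5", "10.0.0.20", "beacon", "anomaly", "c2", 400, 900, 2.5),
    AttackEvent("10.0.0.7", "10.0.0.20", "port_scan", "anomaly", "recon", 950, 990, 1.0),
]

if __name__ == "__main__":
    for host, procs in detect(SAMPLE_EVENTS).items():
        for score, stages in procs:
            print(f"{host}: score={score} stages={stages}")
```

On the constructed sample, host 10.0.0.20 yields one three-stage process (recon, exploit, c2) scoring 22.5 and a separate low-scoring recon process started by a second source, while 10.0.0.30 yields a single lateral-movement event; the cross-host link from 10.0.0.20 to 10.0.0.30 is what the later inter-chain association step would pick up.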

[0048...


Abstract

The invention relates to a multi-step attack detection method based on multi-source abnormal event correlation analysis. The method comprises the following steps: first, calculating a security event score based on an attack chain through feature extraction and abnormal event definition and identification, identifying an abnormal host, and clustering the various types of events using the attacked host as the clue; second, carrying out correlated recombination of a suspected attack process by means including intra-chain correlation, inter-chain correlation and feature clustering; finally, reconstructing a multi-source attack scene and outputting a predicted attack event. According to the method provided by the invention, dispersed and isolated security events are subjected to correlation analysis to generate a relatively complete multi-step attack scene; the security analysis capability of security managers is improved and the security perspective is expanded; distributed and scattered multi-step attack threats are effectively countered and the time to discover attack behaviour is shortened; an effective prediction and defence solution is provided for advanced attack means such as APT (Advanced Persistent Threat); the security risks of a system are reduced and network information security is effectively protected.

Description

Technical field

[0001] The invention belongs to the technical field of network security, in particular to a multi-step attack detection method based on correlation analysis of multi-source abnormal events.

Background technique

[0002] With the development of network technology, network security threats emerge endlessly, and there are more and more network attack methods such as viruses, worms, backdoors, and Trojan horses. Cyberspace security is gradually attracting people's attention. In response to the various attack methods, a variety of detection and blocking defence methods have appeared correspondingly, and attack technologies are also constantly developing. It is difficult to use a single method to attack and penetrate a target, and multi-step attacks have become the mainstream attack style. Its main features are as follows: the attack behaviour on a single host is multi-step, and the penetration process across multiple hosts in the target network is mul...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/1416
Inventor: 郭渊博琚安康马骏朱泰铭张琦王宸东丁文博
Owner: THE PLA INFORMATION ENG UNIV