Real-time security early warning method based on complex event processing

A complex event processing and security early warning technology, applied in the fields of electrical digital data processing, computer security devices and special data processing applications. It addresses the problems of conservative event processing, missed event reporting and early warning methods that handle only a single security log, achieving real-time analysis and early warning and improving flexibility.

Active Publication Date: 2017-09-08
STATE GRID CORP OF CHINA +3
3 Cites, 91 Cited by

AI Technical Summary

Problems solved by technology

The traditional security early warning method defines specified threat analysis early warning rules for a single threat. The rules are fixed, single and separated. With the development of attack methods, the traditional method can no longer meet the requirements of joint, multi-step threat early warning. Moreover, most traditional security early warning methods are based on threshold analysis, which confines the analysis object to a fixed range, so event processing is relatively conservative and massive data cannot be processed and warned about comprehensively and in real time on the basis of complex events.
[0003] To sum up, for heterogeneous source data from different environments and different vendors, the traditional security early warning processing method only targets a single, definite and serious security log.
Moreover, the traditional security early warning processing method does not form a unified set of complex event processing rules covering data normalization, semantic conversion, rule analysis and early warning generation, which is not conducive to multi-step security event early warning and may easily lead to missed events. The ability to extend early warning types and analysis rules is also weak.

Embodiment Construction

[0051] In order to make the technical means, creative features, goals and effects achieved by the present invention easy to understand, the present invention will be further described below in conjunction with specific embodiments.

[0052] Referring to Figure 1 to Figure 3, a real-time security early warning method based on complex event processing according to the present invention comprises the following steps:

[0053] (1) The collected data enters the security warning framework in real time for deduplication and denoising, and dynamic data (real-time data) is associated with static data (asset data) for normalization;

[0054] (2) The normalized data is extracted according to the semantic context and mapped into complex event fields to prepare for early warning generation;

[0055] (3) Establish a model in combination with scene rules, analyze data, and generate real-time early warning events.

[0056] On the basis of using CEP, Kafka, Storm, Esper and other open source technology fram...

Abstract

The invention discloses a real-time security early warning method based on complex event processing. The method specifically comprises the following steps: step (1), using a formalized engine to perform log field segmentation on collected security data, performing normalization on fields according to field requirements, and associating knowledge base information according to the fields that are expected to be outputted; step (2), using a data flow semantic analysis engine to perform data context analysis according to a complex event instance to be modeled as a scene, and analyzing mapping stream data based on a standardized analysis field template; and step (3), using a security analysis model calculation engine, in an analysis rule calculation module, analyzing according to scenes based on a point event, an edge event and an interval event, and generating an early warning event. The real-time security early warning method based on the complex event processing provided by the invention realizes the multi-angle association analysis of original log data through a configurable normalization rule, a semantic recognition rule and a security analysis rule, and discovers unknown threats and carries out early warning timely.
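The three-step pipeline of the embodiment (steps (1) to (3) above) and of the abstract, as an added Python example that is not the patent's own implementation: the log format and regex, the sshd-style sample lines, the asset table, and the reading of point events as single records, interval events as windowed counts and edge events as a failure-to-success transition are all assumptions made here.

```python
import re
from datetime import datetime, timedelta
# Constructed sample input (not from the patent): raw sshd-style lines plus a static asset table.
RAW_LOGS = [
    "2017-09-08T10:00:01 10.0.0.5 sshd: Failed password for admin",
    "2017-09-08T10:00:05 10.0.0.5 sshd: Failed password for admin",
    "2017-09-08T10:00:05 10.0.0.5 sshd: Failed password for admin",  # exact duplicate
    "2017-09-08T10:00:09 10.0.0.5 sshd: Failed password for admin",
    "2017-09-08T10:00:15 10.0.0.5 sshd: Accepted password for admin",
    "2017-09-08T10:01:00 10.0.0.9 sshd: Failed password for root",
    "2017-09-08T10:20:00 10.0.0.9 sshd: Accepted password for root",
]
ASSETS = {"10.0.0.5": {"host": "scada-hmi-01", "criticality": "high"},
          "10.0.0.9": {"host": "dev-box-02", "criticality": "low"}}
LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+)$")

def normalize(lines):
    """Step (1): segment log fields, drop noise and duplicates, join real-time data with asset data."""
    seen, out = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m or line in seen:  # denoising (unparseable) and deduplication
            continue
        seen.add(line)
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec.update(ASSETS.get(rec["src"], {"host": "unknown", "criticality": "unknown"}))
        out.append(rec)
    return out

def to_events(records):
    """Step (2): map normalized fields onto the scene's event vocabulary (point events)."""
    return [dict(r, type="auth.fail" if r["result"] == "Failed" else "auth.ok") for r in records]

def analyze(events, threshold=3, window=timedelta(seconds=60)):
    """Step (3): an interval event (>= threshold auth.fail from one source inside window)
    closed by the edge event auth.fail -> auth.ok from the same source raises a warning."""
    warnings, fails = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        streak = [t for t in fails.get(ev["src"], []) if ev["ts"] - t <= window]
        if ev["type"] == "auth.fail":
            streak.append(ev["ts"])
        else:
            if len(streak) >= threshold:
                warnings.append({"src": ev["src"], "host": ev["host"], "user": ev["user"],
                                 "criticality": ev["criticality"], "failures": len(streak)})
            streak = []  # a success ends the interval whether or not it qualified
        fails[ev["src"]] = streak
    return warnings
```

Running `analyze(to_events(normalize(RAW_LOGS)))` yields one warning for 10.0.0.5 (three failures then a success inside 60 s, on a high-criticality asset) and none for 10.0.0.9, whose single failure falls outside the window.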

Description

Technical field

[0001] The invention relates to a real-time security early warning method based on complex event processing, and belongs to the technical field of big data information security monitoring and early warning.

Background technique

[0002] In the process of enterprise development, the network structure is constantly adjusted and changed, network security issues emerge in an endless stream, and, coupled with the improvement of security awareness of users in the enterprise, the preventive control decision-making analysis of internal information security in the enterprise has become an important topic. The traditional security early warning method defines specified threat analysis early warning rules for a single threat. The rules are fixed, single and separated. With the development of attack methods, the traditional method can no longer meet the joint multi-step threat early warning requirements. Moreover, most of the traditional security early warning methods are bas...

Application Information

Patent Type & Authority: Applications (China)
IPC (8): H04L29/06, G06F21/57, G06F21/55, G06F17/30
CPC: G06F16/2456, G06F16/24568, G06F16/90344, G06F21/552, G06F21/554, G06F21/577, H04L63/0263, H04L63/1416, H04L63/1425
Inventor: 姜帆于晓文刘莹金倩倩郭靓李炜键贾雪俞皓张路煜屠正伟张丹张骞刘强栾国强林苏蓉傅慧斌杨业平
Owner: STATE GRID CORP OF CHINA