Threat early warning and monitoring system and method based on big data analysis and deployment architecture

A technology for an early-warning monitoring and data acquisition system, applied to digital transmission systems, transmission systems, data exchange networks and similar fields, which can address problems such as the limited view analysts have of the operating status of the network.

Active Publication Date: 2017-09-22
ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID SHANDONG ELECTRIC POWER COMPANY +2

AI Technical Summary

Problems solved by technology

Especially as the volume, velocity and variety of security intelligence data expand rapidly, the fusion, storage, management and use of massive heterogeneous data pose a major challenge to traditional security analysis methods.

[0005] Because network attacks are usually launched from scattered locations and carried out in multiple steps of some complexity, the log information of a single network security device cannot fully reconstruct the attack. This seriously limits the ability of network security analysts to assess the whole network environment and user activity.


Embodiment Construction

[0053] The present invention will be further described below in conjunction with the accompanying drawings and embodiments.

[0054] As shown in figure 1, the threat early warning and monitoring system based on big data analysis technology includes a data acquisition system module, a data storage system module, a real-time threat intelligence analysis system module, a situational awareness display system module, and a background management system module.

[0055] The data collection system module is a server that collects data from front-end security devices such as the network full-traffic security analysis system (TSA), intrusion detection system (IDS), intrusion prevention system (IPS) and advanced persistent threat (APT) detection system. The data acquisition system collects and stores the original network traffic in real time, which provides the most authentic record of the communication, and uploads the data collected by front-end security devices such as TSA, IDS, IPS, an...


Abstract

The invention discloses a threat early warning and monitoring system and method based on big data analysis and a deployment architecture. The system comprises a data acquisition system module, which is used for real-time data acquisition of original network traffic; a data storage system module, which merges and cleans the data collected by the data acquisition system module and then stores and manages it; a real-time threat intelligent analysis system module, which performs deep analysis and mining of security data through data mining, text analysis, traffic analysis, a full-text search engine and real-time processing, and identifies unknown security threats in real time by combining an intrusion detection module, a network abnormal behavior module and a device abnormal behavior module; and a situation awareness display system module, which presents the security threat situation comprehensively, in real time and in a multi-dimensional view through a data visualization tool library. The threat early warning and monitoring system and method based on big data analysis and the deployment architecture are used for network security threat situation awareness and deep analysis under a plurality of service scenarios, and provide comprehensive capabilities from attack early warning and attack identification through to analysis and evidence collection.

Description

Technical field

[0001] The present invention relates to the technical field of network security threat early warning, in particular to a threat early warning monitoring system, method and deployment framework based on big data analysis.

Background technique

[0002] At present, government departments, enterprises and institutions in China have increased investment in network security and deployed various types of security equipment or systems, such as intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls and antivirus software. However, these traditional security devices, which rely on signature rules, can only detect known attacks and suffer from high false negative and false positive rates.

[0003] The security operation center (SOC) integrates a large number of logs from security systems, but it has only a single kind of data source and lacks the capability and means for accurate analysis. Security analysts analyze effective clue...

Claims


Application Information

Patent Type & Authority: Applications (China)
IPC (8): H04L29/06; H04L12/24; H04L12/26
Inventors: 刘冬兰, 刘新, 马雷, 常英贤, 于灏, 谭虎, 赵晓红, 王文婷, 井俊双
Owner ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID SHANDONG ELECTRIC POWER COMPANY