
An event correlation alarm method and device

An event correlation alarm technology, applied in the computer field, which solves problems such as the low efficiency of event correlation analysis and achieves the effect of improving that efficiency.

Active Publication Date: 2021-10-15
BEIJING QIYI CENTURY SCI & TECH CO LTD

AI Technical Summary

Problems solved by technology

[0004] The present invention provides an event correlation alarm method and device to solve the problem of low efficiency when a database is used for event correlation analysis.



Examples


Embodiment 1

[0062] Refer to Figure 1, which shows a flow chart of an event correlation alarm method in Embodiment 1 of the present invention; it may specifically include the following steps:

[0063] Step 101: receive an event stream transmitted through a sliding time window, where the event stream is composed of multiple sub-events.

[0064] When hackers attack a computer system, a large number of events, namely information security events, are generated. The event flow is a queue composed of this large number of events. Before the data flow processing engine receives the event flow and performs event correlation analysis on it, a sliding time window is set, and the event flow is transmitted to the data flow processing engine through the sliding time window. The sliding time window allows control over the flow of data. In this embodiment, each event has its own data size, and the sliding time window can determine how many events, by data size, in the event stream enter...

Embodiment 2

[0095] Refer to Figure 2, which shows a flow chart of an event correlation alarm method in Embodiment 2 of the present invention; it may specifically include the following steps:

[0096] Step 201: create and define multiple attack scenarios for the data stream processing engine.

[0097] When creating multiple attack scenarios, different attack scenarios can be set according to practical experience; which attack scenarios are set, and how many, is not limited in this embodiment of the present invention. Refer to the attached Figure 5: Figure a shows multiple different attack scenarios set in the data stream processing engine.

[0098] Step 202: based on the created attack scenarios, create a plurality of attack modes in each attack scenario, wherein the preceding and subsequent attack modes among the multiple attack modes have a logical relationship, and the preceding and subsequent attack modes are connected in series th...

Embodiment 3

[0130] Refer to Figure 3, which shows a block diagram of an event correlation alarm device according to Embodiment 3 of the present invention; it may specifically include the following modules:

[0131] The receiving module 301 is configured to receive the event flow transmitted through the sliding time window, the event flow being composed of multiple sub-events;

[0132] The event correlation analysis module 302 is configured to have the data flow processing engine perform event correlation analysis of the acquired event flow against each attack scenario and determine the attack scenario of the event flow; the attack scenario includes multiple attack modes;

[0133] The alarm module 303 is configured to perform alarm processing based on the attack scenario;

[0134] Wherein the event correlation analysis module 302 includes:

[0135] An attack pattern matching module 3021, configured to match the sub-events in the event flow with the attack patterns;

[01...


Abstract

The invention provides an event correlation alarm method and device. The method includes: when the data flow processing engine performs correlation analysis of the event flow against an attack scenario, it matches a sub-event in the event flow with an attack mode in the attack scenario; when the match succeeds, it outputs the sub-event and matches the next sub-event with the next attack mode of that attack scenario. The first matching results of all sub-events in the event flow together give the second matching result of the event flow against the attack scenario, and the second matching results of the event flow against each attack scenario determine the attack scenario of the event flow. In the present invention, for a successfully matched sub-event, the next sub-event does not need to return to the already matched attack mode for repeated matching, which improves the efficiency of event correlation analysis.

Description

Technical field

[0001] The invention relates to the field of computer technology, in particular to an event correlation alarm method and device.

Background technique

[0002] In network security, when a computer security incident such as a hacker attack occurs, the computer system generates various events, that is, information security events. The security management platform then performs event correlation analysis on the event flow, identifies the scenario in which the hacker attacked, and sends an alarm for the attacked location.

[0003] Traditional security management platforms usually use a database for event correlation analysis. Various attack scenarios are pre-stored in the database, and each attack scenario has several matching conditions. Matching the event flow against each attack scenario determines the attack scenario to which the hacker attack belongs. However, when matching sub-events in the event flow with attack scenarios, all sub-events ...
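The sequential matching that the abstract and Embodiment 2 describe (a sliding time window feeding the engine, each attack scenario as a series of attack patterns, a matched pattern never revisited), as an added Python example that is not code from the patent; the event kinds, scenario names, window parameters and event stream are all constructed for this example:

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Event:
    ts: float   # arrival time in seconds (constructed values below)
    kind: str   # sub-event type as normalised by the collector

# An attack scenario is a series of attack patterns, each a predicate on one
# sub-event. Scenario names and patterns are constructed for this example.
Pattern = Callable[[Event], bool]
SCENARIOS: Dict[str, List[Pattern]] = {
    "scan_then_login": [lambda e: e.kind == "port_scan",
                        lambda e: e.kind == "login_failed",
                        lambda e: e.kind == "login_success"],
    "config_tamper":   [lambda e: e.kind == "login_success",
                        lambda e: e.kind == "config_change"],
}

def sliding_window(stream: List[Event], now: float, width: float) -> List[Event]:
    """Sub-events handed to the engine: those with ts in [now - width, now]."""
    return [e for e in stream if now - width <= e.ts <= now]

def match_scenario(window: List[Event], patterns: List[Pattern]) -> List[bool]:
    """First matching result per sub-event. Each sub-event is compared only with
    the current pattern; after a success the next sub-event is compared with the
    next pattern, so a matched pattern is never revisited (no backtracking)."""
    idx, results = 0, []
    for e in window:
        hit = idx < len(patterns) and patterns[idx](e)
        results.append(hit)
        if hit:
            idx += 1
    return results

def analyze(window: List[Event], scenarios=SCENARIOS) -> Dict[str, bool]:
    """Second matching result per scenario: every pattern matched, in order."""
    return {name: sum(match_scenario(window, pats)) == len(pats)
            for name, pats in scenarios.items()}

def alarm(window: List[Event], scenarios=SCENARIOS) -> List[str]:
    """Scenario names whose second matching result succeeded; alarm on these."""
    return [n for n, hit in analyze(window, scenarios).items() if hit]

# Constructed event stream; the config change arrives well after the logins
STREAM = [Event(100.0, "port_scan"), Event(130.0, "login_failed"),
          Event(131.0, "login_failed"), Event(140.0, "login_success"),
          Event(900.0, "config_change")]
```

With a 120-second window ending at t=200 only `scan_then_login` completes; widening the window so the later config change is included also completes `config_tamper`, which shows how the window setting decides which sub-events the engine ever sees.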


Application Information

Patent Type & Authority Patents(China)
IPC(8): H04L12/24, H04L29/06
CPC: H04L41/0631, H04L63/1416, H04L63/205
Inventor 翁迟迟
Owner BEIJING QIYI CENTURY SCI & TECH CO LTD