Abnormal behavior recognition system

A technology for identifying systems and behaviors, applied in the field of information security, that can solve problems such as non-fixed rules, rigid fixed rules, and a high false alarm rate.

Active Publication Date: 2020-08-07
ZHEJIANG QIZHI TECH CO LTD

AI Technical Summary

Problems solved by technology

3. WWW deception: the webpage being visited has been tampered with by hackers, and the information on it is false. For example, the hacker rewrites the URL of the webpage the user wants to browse so that it points to the hacker's own server. When the user browses the target webpage, the request is actually sent to the hacker's server.
4. Node attack: after breaking into a device, the attacker often uses that device as a base to attack other devices.
The problems of this abnormal event alarm mechanism are: 1. The fixed rules are rigid and unable to keep pace with the times.
However, an account may need to enter the data center for a temporary work task that has been approved by the workflow engine, which makes it an allowed operation. Because that allowed operation is not a fixed rule, when the account logs in to the data center during the valid period specified by the non-fixed rule, a legally allowed operation still triggers an account abnormal event alarm from the account dimension.
2. Alarms are issued only from a single dimension, and an abnormal event in a single dimension cannot by itself constitute abnormal behavior or attack behavior.
The problems caused by these reasons mainly include: 1. A high false positive rate. 2. Single-dimension abnormal event alarms: an alarm carries no information from dimensions other than its own, so it is impossible to judge whether the abnormal event was caused by an attack, and the alarm has low reference value.
The high false alarm rate and the low reference value of alarms lead operation and maintenance personnel to habitually ignore abnormal event alarms, which renders the alarms useless.

Examples


Embodiment Construction

[0044] abnormal behavior

[0045] The abnormal behavior mentioned in the present invention refers to the operation behavior that does not match the content of the white list, including but not limited to abnormal behavior caused by hacker attacks, abnormal behavior caused by misoperation of internal operation and maintenance personnel, etc.

[0046] gateway

[0047] To walk from one room to another, one must pass through a door. Similarly, information sent from one network to another must pass through a "gateway". As the name suggests, a gateway is the gate that connects one network to another, that is, a network gate. The gateway mentioned in the present invention refers to the door for entering the data center.

[0048] workflow engine

[0049] The so-called workflow engine refers to workflow as a part of the application system, and it provides core solutions such as determining information transmission routing and co...


Abstract

The present invention provides an abnormal behavior recognition system. The system comprises a data collection layer and a behavior analysis engine. The data collection layer collects all authorized behavior data, and collects all server-side accounts of a data center, the asset data, and changes of the asset data. A white list is established according to the authorized behavior data. A change of the asset data is taken as an abnormal event. The data of the data collection layer is summarized to the behavior analysis engine, which compares each abnormal event with the white list and judges whether the content of the abnormal event belongs to the white list; if it does not, the abnormal event is treated as an abnormal behavior. The behavior analysis engine gives an alarm only for abnormal behaviors. The system has the advantages that the collection layer, the analysis layer and the application layer are horizontally extensible, the application modules of the application layer vertically integrate the collection layer and the analysis layer, and various security applications can be developed continuously and quickly according to user requirements.
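
The comparison step described in the abstract, as an added example that is not part of the patent text: each abnormal event is checked against a white list built from authorized operations, and only unmatched events raise an alarm. The field names, account names, host names and the modelling of an approval as a validity window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Authorization:
    """One white-list entry derived from authorized behavior data (assumed model)."""
    account: str
    asset: str
    action: str
    valid_from: datetime
    valid_until: datetime

@dataclass(frozen=True)
class Event:
    """One abnormal event: an observed change of account or asset data."""
    account: str
    asset: str
    action: str
    at: datetime

def is_whitelisted(event, whitelist):
    # Allowed only if account, asset and action match an entry AND the
    # event falls inside that entry's validity period.
    return any(
        (a.account, a.asset, a.action) == (event.account, event.asset, event.action)
        and a.valid_from <= event.at <= a.valid_until
        for a in whitelist
    )

def abnormal_behaviors(events, whitelist):
    """Return only the events the white list does not cover; these alone alarm."""
    return [e for e in events if not is_whitelisted(e, whitelist)]

# Constructed sample data (hypothetical accounts and hosts).
WHITELIST = [
    Authorization("ops_li", "db-01", "login",
                  datetime(2020, 8, 7, 9, 0), datetime(2020, 8, 7, 11, 0)),
]
EVENTS = [
    Event("ops_li", "db-01", "login", datetime(2020, 8, 7, 9, 30)),    # approved, in window
    Event("ops_li", "db-01", "login", datetime(2020, 8, 7, 23, 15)),   # approval expired
    Event("ops_li", "db-02", "login", datetime(2020, 8, 7, 9, 40)),    # asset not approved
    Event("svc_tmp", "db-01", "account_created", datetime(2020, 8, 7, 9, 45)),  # never approved
]

if __name__ == "__main__":
    for e in abnormal_behaviors(EVENTS, WHITELIST):
        print(f"ALARM {e.at:%Y-%m-%d %H:%M} {e.account} {e.action} on {e.asset}")
```

The approved temporary login inside its window produces no alarm, while the same login after the approval has lapsed does.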

Description

Technical field

[0001] The invention relates to the field of information security, in particular to an abnormal behavior identification system.

Background technique

[0002] This section is only for the convenience of understanding the content of the present invention, and should not be regarded as prior art.

[0003] According to its users, a network can be divided into the extranet (Internet) and the intranet (local area network). The intranet can be divided into the office network and the production network. Internet access from the office network is relatively open, so virus and network intrusion incidents are prone to occur there. If office users and production users are on the same network, viruses and intrusion events on the office network will quickly spread to the production network, posing a great threat to production security. Therefore, the office network and production network are also required to be isolated. The production network is al...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/0815, H04L63/10, H04L63/101, H04L63/108, H04L63/1416, H04L63/1425, H04L63/1441
Inventor 吴强
Owner ZHEJIANG QIZHI TECH CO LTD