A confidence-based network security alarm processing method

A processing method in the field of network security technology that addresses problems such as useless alarms and achieves the effect of reducing data volume and speeding up
CN111526053B · Active · Publication Date: 2021-05-14 · UNIV OF ELECTRONICS SCI & TECH OF CHINA

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: UNIV OF ELECTRONICS SCI & TECH OF CHINA
Publication Date: 2021-05-14


Abstract

The invention proposes a method for processing network security alarms based on confidence, which includes three steps of acquiring confidence, grading and eliminating alarms, and aggregating alarms. The step of obtaining the confidence degree adopts a machine learning method, and obtains the confidence degree of the original alarm through the machine learning model. Then use the confidence level to remove and classify the original alarms. After the grading is completed, the alarms confirmed as attacks are first aggregated to obtain high-level alarms. If the obtained high-level alarms are not enough to meet the analysis requirements, alarm aggregation is performed on highly suspected alarms to obtain more high-level alarms.
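The grading and tiered aggregation described in the abstract, as an added Python example that is not taken from the patent. The thresholds, the 60-second window, the `(src, sig)` aggregation key, the `min_high_level` reading of "not enough", and the sample alarms are all assumptions; the confidence scores are taken as already produced by the machine learning model.

```python
from collections import defaultdict

# Assumed values: the abstract gives no thresholds, window or aggregation key.
CONFIRMED_T = 0.9   # confidence >= this: confirmed attack
SUSPECTED_T = 0.6   # confidence >= this: highly suspected; below: eliminated
WINDOW = 60         # max seconds between alarms merged into one high-level alarm

def grade(alarm):
    c = alarm["confidence"]  # score assumed to come from the trained model
    if c >= CONFIRMED_T:
        return "confirmed"
    return "suspected" if c >= SUSPECTED_T else "eliminated"

def aggregate(alarms):
    """Merge alarms with the same (src, sig) arriving within WINDOW of the previous one."""
    groups = defaultdict(list)
    for a in sorted(alarms, key=lambda a: a["ts"]):
        bucket = groups[(a["src"], a["sig"])]
        if bucket and a["ts"] - bucket[-1]["last"] <= WINDOW:
            h = bucket[-1]
            h["last"], h["count"] = a["ts"], h["count"] + 1
            h["confidence"] = max(h["confidence"], a["confidence"])
        else:
            bucket.append({"src": a["src"], "sig": a["sig"], "first": a["ts"],
                           "last": a["ts"], "count": 1, "confidence": a["confidence"]})
    return [h for bucket in groups.values() for h in bucket]

def process(alarms, min_high_level):
    """Grade and eliminate, aggregate confirmed alarms, add suspected ones only if needed."""
    graded = defaultdict(list)
    for a in alarms:
        graded[grade(a)].append(a)
    high = aggregate(graded["confirmed"])
    if len(high) < min_high_level:  # assumed meaning of "not enough"
        high += aggregate(graded["suspected"])
    return high, {g: len(v) for g, v in graded.items()}

# Constructed sample alarms (documentation address ranges), not real data.
ALARMS = [
    {"ts": 0,   "src": "198.51.100.7", "sig": "sqli",      "confidence": 0.97},
    {"ts": 20,  "src": "198.51.100.7", "sig": "sqli",      "confidence": 0.93},
    {"ts": 30,  "src": "203.0.113.9",  "sig": "port-scan", "confidence": 0.05},
    {"ts": 40,  "src": "203.0.113.9",  "sig": "port-scan", "confidence": 0.08},
    {"ts": 50,  "src": "192.0.2.44",   "sig": "webshell",  "confidence": 0.72},
    {"ts": 90,  "src": "192.0.2.44",   "sig": "webshell",  "confidence": 0.68},
    {"ts": 500, "src": "198.51.100.7", "sig": "sqli",      "confidence": 0.95},
]

if __name__ == "__main__":
    for need in (2, 3):
        high, stats = process(ALARMS, need)
        print(need, stats, [(h["sig"], h["count"]) for h in high])
```

With `min_high_level=2` the confirmed alarms alone suffice and the suspected tier is never aggregated; raising it to 3 pulls in the merged webshell alarm.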

Description

Technical field

[0001] The invention proposes a method for processing network security alarms based on confidence, which is used to eliminate useless and redundant alarms from network security equipment and improve the analysis efficiency of network security intrusion events. It belongs to the field of network security.

Background technique

[0002] With the rapid development of computer information and communication technology, network security attacks occur from time to time. At this stage, enterprises and institutions basically rely on security devices and the logs generated by security devices for defense and re-analysis of security attack events. False positives and false negatives are common in current network security devices, and there are a large number of bots on the Internet. These bots are often used by criminals as scanners to scan the entire network. Therefore, the network security device also generates a large number of useless alarms.

Contents of the invention

[000...
