Security policy self-feedback method based on security log association analysis

Abstract

The invention provides a security policy self-feedback method based on security log association analysis. The security policy self-feedback method comprises the following steps: firstly, creating a security log information acquisition program, message queues and consumption services in one-to-one correspondence with the message queues; creating an event stream processing engine and various rules;associating the type of the event after registration of the security log information with a rule; packaging the original information of the security log into an event, inputting the event into an event stream processing engine, and matching a log analysis rule; inputting the analyzed log information into an event stream processing engine, matching a log association analysis rule, and generating association analysis log information; inputting the association analysis log information into an event flow processing engine, matching a security policy instruction generation rule, generating securitypolicy instruction information and outputting the security policy instruction information to a security policy issuing instruction message queue; and finally, issuing the security policy change instruction to the corresponding network security protection equipment to realize the change of the security protection policy. Compared with the prior art, the log analysis efficiency is higher, and automatic issuing of security policies is achieved.

Description

technical field [0001] The invention relates to the technical field of network information security, in particular to a security policy self-feedback method based on security log correlation analysis. Background technique [0002] In the enterprise network system, in order to ensure the safe operation of the system, a variety of security technology products are usually used for security protection, such as intrusion detection systems, anti-virus systems, firewall systems, etc. At the same time, the application service itself will also collect some security protection Relevant log information, because the log formats of various business protection systems are not uniform, and the amount of log information is very large, and the processing is not timely. This kind of information can usually only be used for post-event analysis, even if individual security protection systems achieve real-time security alarm notifications , but the alarm notification false alarm rate is high, an...

AI Technical Summary

Problems solved by technology

[0002] In the enterprise network system, in order to ensure the safe operation of the system, a variety of security technology products are usually used for security protection, such as intrusion detection systems, anti-virus systems, firewall systems, etc. At the same time, the application service itself will also collect some security protection Relevant log information, because the log formats of various business protection systems are not uniform, and the amount of log information is very large, and the processing is

Images