Security event associative analysis method and system

A security event correlation analysis technology, applied in the field of security event correlation analysis, which solves the problem that purely statistical results lack practical significance and achieves the effects of avoiding ambiguity, improving robustness, and improving detection and recognition capabilities.

Inactive Publication Date: 2006-12-13
HUAWEI TECH CO LTD
0 Cites, 36 Cited by

AI Technical Summary

Problems solved by technology

[0017] The disadvantage of this (statistical correlation) method is that it processes alarms purely statistically, so its results often lack clear practical significance.



Examples


Embodiment 1

[0042] Embodiment 1 is a security event correlation analysis method whose flow is shown in Figure 1 and includes:

[0043] A1. Collect original alarm events. Original alarm events come from various security devices or management programs, such as firewalls, IDS, antivirus software and system logs. Collection can be centralized or distributed. To ease later processing, the collected raw alarm events are preferably cached and filtered, which includes:

[0044] A11. Cache the collected original alarm events; usually, the original alarm events can be stored in the form of event queues in chronological order;

[0045] A12. Filter the original alarm events according to the preset filtering rules; this step performs simple processing on the original alarm events, such as removing errors and duplicate alarms, or using some simple rules to make the collection of alarm information have a certain purpose or tende...

Embodiment 2

[0073] Embodiment 2 is a security event correlation analysis method whose flow is shown in Figure 4 and includes:

[0074] B1. Collect original alarm events;

[0075] B21. Perform rule-based correlation analysis on the original alarm event;

[0076] B22. Perform statistical-based correlation analysis on the original alarm events;

[0077] B3. Arbitrate the security events generated by rule association and statistical association respectively to obtain a unique security event;

[0078] The specific execution of the above steps is the same as the corresponding steps in the first embodiment. The difference from the first embodiment is that after statistical correlation of the original alarm events is performed in step B22 and a security event is generated, that security event is also used as input to data mining, from which association rules applicable to the rule-based correlation analysis are obtained, and the following methods can ...

Embodiment 3

[0087] Embodiment 3 is a security event correlation analysis system, shown in Figure 5, which includes an event queue module 11, a rule association module 12, a statistics association module 13, a structure analysis module 14, and an event filtering module 15;

[0088] The event queue module 11 collects the original alarm events, and provides the original alarm events to the rule association module 12 and the statistics association module 13 respectively;

[0089] The event filtering module 15 filters the original alarm events collected by the event queue module 11 according to the preset filtering rules, and deletes the original alarm events that satisfy the filtering rules from the event queue;

[0090] The rule association module 12 performs pattern matching on the original alarm event according to a preset association rule, and generates a security event according to the matching result;

[0091] The statistical correlation module 13 counts the attribute-based distrib...
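The pipeline that Embodiments 1 to 3 describe (a chronological event queue, a filtering step, rule-based and statistical correlation run in parallel, and arbitration down to one security event), as an added example in Python that is not part of the patent and not Huawei's code. The alarm schema, the rule syntax (an ordered list of alarm types that must occur for one source/destination pair inside a time window), the burst threshold and the sample alarms are all assumptions made for illustration:

```python
"""Added example, not the patent's own code: a miniature event-correlation pipeline
with the structure the embodiments describe. Schema, rule syntax, thresholds and
sample alarms are assumptions."""
from collections import defaultdict

# Constructed sample raw alarms (assumed schema: ts in seconds, dev = reporting component).
# They are deliberately out of order and contain a duplicate and a noise record.
RAW_ALARMS = [
    {"ts": 100, "dev": "ids", "type": "port_scan", "src": "10.0.0.5", "dst": "10.0.1.7", "port": 0},
    {"ts": 100, "dev": "ids", "type": "port_scan", "src": "10.0.0.5", "dst": "10.0.1.7", "port": 0},
    {"ts": 101, "dev": "syslog", "type": "heartbeat", "src": "10.0.1.7", "dst": "10.0.1.7", "port": 0},
    {"ts": 140, "dev": "av", "type": "malware_found", "src": "10.0.0.5", "dst": "10.0.1.7", "port": 0},
    {"ts": 130, "dev": "ids", "type": "exploit_attempt", "src": "10.0.0.5", "dst": "10.0.1.7", "port": 445},
    {"ts": 150, "dev": "fw", "type": "deny", "src": "10.0.0.9", "dst": "10.0.1.1", "port": 21},
    {"ts": 151, "dev": "fw", "type": "deny", "src": "10.0.0.9", "dst": "10.0.1.1", "port": 22},
    {"ts": 152, "dev": "fw", "type": "deny", "src": "10.0.0.9", "dst": "10.0.1.1", "port": 23},
    {"ts": 153, "dev": "fw", "type": "deny", "src": "10.0.0.9", "dst": "10.0.1.1", "port": 25},
    {"ts": 154, "dev": "fw", "type": "deny", "src": "10.0.0.9", "dst": "10.0.1.1", "port": 80},
    {"ts": 160, "dev": "fw", "type": "deny", "src": "10.0.0.9", "dst": "10.0.1.1", "port": 443},
]

# Hypothetical preset filter rule and association rule; both are assumptions.
NOISE_TYPES = {"heartbeat"}
RULES = [
    {"name": "scan_then_exploit",
     "steps": ["port_scan", "exploit_attempt", "malware_found"],  # ordered, same (src, dst)
     "window": 60},                                               # seconds first..last step
]
BURST_THRESHOLD = 3  # alarms per (src, dst) that count as statistically anomalous


def build_queue(alarms):
    """Step A11: cache the raw alarms as a chronological event queue."""
    return sorted(alarms, key=lambda a: a["ts"])


def filter_queue(queue, noise_types=NOISE_TYPES):
    """Step A12: drop exact duplicates and alarm types the preset filter calls noise."""
    seen, kept = set(), []
    for a in queue:
        key = (a["ts"], a["dev"], a["type"], a["src"], a["dst"], a["port"])
        if a["type"] in noise_types or key in seen:
            continue
        seen.add(key)
        kept.append(a)
    return kept


def rule_correlation(queue, rules=RULES):
    """Rule-based correlation: pattern-match each association rule against the
    chronological alarms of every (src, dst) pair and emit a named security event."""
    by_pair = defaultdict(list)
    for a in queue:
        by_pair[(a["src"], a["dst"])].append(a)
    events = []
    for (src, dst), alarms in by_pair.items():
        for rule in rules:
            matched, idx = [], 0
            for a in alarms:  # greedy first match; a real matcher keeps several partial matches
                if a["type"] == rule["steps"][idx]:
                    matched.append(a)
                    idx += 1
                    if idx == len(rule["steps"]):
                        break
            if idx == len(rule["steps"]) and matched[-1]["ts"] - matched[0]["ts"] <= rule["window"]:
                events.append({"basis": "rule", "name": rule["name"], "src": src, "dst": dst,
                               "evidence": [a["ts"] for a in matched]})
    return events


def statistical_correlation(queue, threshold=BURST_THRESHOLD):
    """Statistical correlation: count alarms per (src, dst); an unusually large count
    becomes a security event even when no rule describes the attack."""
    counts, types = defaultdict(int), defaultdict(set)
    for a in queue:
        k = (a["src"], a["dst"])
        counts[k] += 1
        types[k].add(a["type"])
    return [{"basis": "statistical", "name": "alarm_burst", "src": s, "dst": d,
             "count": n, "types": sorted(types[(s, d)])}
            for (s, d), n in counts.items() if n >= threshold]


def arbitrate(rule_events, stat_events):
    """Arbitration: exactly one security event per (src, dst). A rule hit wins because it
    names the attack; a statistical hit is reported on its own only when no rule fired,
    and otherwise becomes supporting evidence that raises confidence."""
    candidates = defaultdict(list)
    for e in rule_events + stat_events:
        candidates[(e["src"], e["dst"])].append(e)
    unique = []
    for key in sorted(candidates):
        rules = [e for e in candidates[key] if e["basis"] == "rule"]
        stats = [e for e in candidates[key] if e["basis"] == "statistical"]
        if rules:
            ev = dict(rules[0])
            ev["supporting"] = [s["name"] for s in stats]
            ev["confidence"] = "high" if stats else "medium"
        else:
            ev = dict(max(stats, key=lambda s: s["count"]))
            ev["supporting"] = []
            ev["confidence"] = "low"
        unique.append(ev)
    return unique


def correlate(raw_alarms):
    """Whole pipeline: queue -> filter -> (rule || statistical) -> arbitration."""
    queue = filter_queue(build_queue(raw_alarms))
    return arbitrate(rule_correlation(queue), statistical_correlation(queue))


if __name__ == "__main__":
    for ev in correlate(RAW_ALARMS):
        print(ev["confidence"], ev["basis"], ev["name"], ev["src"], "->", ev["dst"], ev["supporting"])
```

On the constructed input the first source pair matches the association rule and also exceeds the burst threshold, so arbitration emits one rule-named event with the statistical hit attached as supporting evidence; the second pair triggers only the statistical branch, so it is still reported (an unknown attack pattern without a rule) but at lower confidence.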



Abstract

The invention discloses a security event correlation analysis method and system, characterized by: adopting a parallel mechanism of rule-based correlation and statistical correlation; obtaining a single security event through arbitration; and letting the two correlation modes complement each other's strengths and make up for each other's defects. The invention avoids the ambiguity of statistical correlation and gives rule-based correlation the ability to detect unknown attacks, which improves the self-learning capability of the whole detection system.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a security event correlation analysis method and system.

Background technique

[0002] With the development of computer technology and network technology, more and more attention has been paid to security issues. Common security devices include firewalls, intrusion detection systems (IDS: Intrusion Detection System), certificate authority (CA: Certificate Authority) systems, integrity check tools, and antivirus software. These security components generate alarm messages when abnormal conditions occur. In addition, some systems and applications also generate security-related logs. These alarm messages and logs are collectively referred to as raw alarm events. The original alarm events from different sources often overlap, correlate or depend on each other, and the huge amount of data makes security management more and more complicated. Security administrators need to dea...


Application Information

Patent Type & Authority Applications(China)
IPC(8): H04L12/24; H04L29/06; H04L12/26; G06F17/30
Inventors: 连一峰, 鲍旭华, 汪波, 徐君, 李闻, 冯萍慧, 吴强, 胡安平
Owner HUAWEI TECH CO LTD