Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Associative attack analysis and detection method and device based on the time sequence and event sequence

A technology of correlation analysis and time series, which is applied in the direction of secure communication devices, electrical components, digital transmission systems, etc., can solve the problem of not considering the attack time series characteristics and event sequence characteristics at the same time, the attribution relationship of attack events cannot be accurately distinguished, and the attack cannot be realized Comprehensive and accurate description of problems, to achieve the effect of accurate detection, accuracy assurance, and diversification of associations

Inactive Publication Date: 2007-09-12
BEIJING VENUS INFORMATION TECH
View PDF0 Cites 25 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0005] 1. The one-dimensional correlation is too simple, and the time series characteristics of the attack and the related event sequence characteristics are not considered at the same time, so it is still impossible to achieve a comprehensive and accurate description of complex attacks
[0006] 2. The simple event sequence-based detection method cannot accurately distinguish the attribution relationship between attack events. It can only simply correlate events at a coarse-grained level through IP pairs, and cannot locate the connection between events based on four-tuples. session level of

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Associative attack analysis and detection method and device based on the time sequence and event sequence
  • Associative attack analysis and detection method and device based on the time sequence and event sequence

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0051] First define the nouns used in this patent:

[0052] Single attack event——an attack event detected by feature matching.

[0053] Single Event Sequence—A sequence of attack events consisting of a single attack event.

[0054] Correlation Analysis—Analyzes the correlation of individual attack events in a single event sequence.

[0055] Basic event - a single attack event that exists in a single event sequence and requires correlation analysis.

[0056] Session quadruple - a group composed of four elements in a TCP connection, source IP, destination IP, source port, and destination port.

[0057] The correlation analysis attack detection method based on time series and event sequence described in this embodiment, the operating principle block diagram is shown in Fig. Detection, after detecting single-step attack behaviors, analyze these attack behaviors in two dimensions, namely the time dimension and the event sequence dimension. And based on this analysis, the detect...

Embodiment 2

[0109] The correlation analysis attack detection device based on time series and event sequence, the functional block diagram is shown in Figure 2, including:

[0110] A basic event definition unit, a correlation analysis rule definition unit, a first-level event detection engine, and a correlation analysis detection engine.

[0111] Basic event definition unit: This unit mainly completes the basic events required for correlation analysis events, that is, the definition of event fragments. Basic events can be defined on any protocol level, and basic events can be defined complexly using & and | operators .

[0112] Association analysis rule definition unit: This module mainly completes the definition of association analysis events and defines the relationship between basic events. This definition needs to take two factors into account: the order of occurrence time between basic events, fragmentation events The sequence of events that occurred in between (this time may not be ...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

This invention is based on the time and events sequence to analysis attacking detection methods and devices involved in exchange for the function of the network. It is a methods and devices to prevent removing data from the data transmission channel without permission .The method provides a complex text-based attack description language to make the user can amend the built-related characteristics, and add new features of related events. The present invention include: basic rules of the incident, the rules of the association, first level detection engine, correlation analysis engine. The whole process of attacking are described more comprehensive and reasonable taking into account the time factor and the order of events Such description and testing which distinct the basic incidents more carefully are more in line with the requirements of detecting attacks. The invention also describes the relation between alarm incident and not alarm incident.

Description

technical field [0001] The present invention is based on the association analysis attack detection method and device of time sequence and event sequence, which relates to the network characterized by the switching function, is a method for preventing data from being taken out from the data transmission channel without permission, and is a method for network intrusion detection system (NIDS: Network Intrusion Detection System) core key technical methods and devices. Background technique [0002] The network intrusion detection system (NIDS) is installed in the protected network segment. By setting its packet capture network card to promiscuous mode, it captures and analyzes the passing data packets, and then responds and alarms the behavior that violates the normal behavior rules. At present, NIDS generally adopts two types of technologies to detect security incidents: matching technology based on network data characteristics and abnormal detection technology based on network...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L9/00H04L12/56H04L12/26
Inventor 陈宇王洋李博王鸿鹏焦玉峰
Owner BEIJING VENUS INFORMATION TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products