Eureka AIR delivers breakthrough ideas for toughest innovation challenges, trusted by R&D personnel around the world.

Alarm correlation analysis method based on attack scene construction

A technology of correlation analysis and attack scenarios, which is applied in the field of alarm correlation analysis based on attack scenarios, and can solve the problems of difficulty in finding attack scenarios, failure to achieve better correlation efficiency, and single role.

Active Publication Date: 2021-09-21
GUILIN UNIV OF ELECTRONIC TECH
View PDF10 Cites 3 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0003] In recent years, scholars at home and abroad have done a lot of research on alarm correlation methods, and have achieved certain research results, but the current alarm correlation methods are still relatively single, and there are still many shortcomings: Both methods can effectively correlate alarm data, but they do not achieve good correlation efficiency; on the other hand, most of them rely on prior knowledge and rule bases, making it difficult to discover new attack scenarios and build comprehensive attack scenarios.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Alarm correlation analysis method based on attack scene construction
  • Alarm correlation analysis method based on attack scene construction
  • Alarm correlation analysis method based on attack scene construction

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0040] Embodiments of the present invention are described in detail below, examples of which are shown in the drawings, wherein the same or similar reference numerals designate the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the figures are exemplary and are intended to explain the present invention and should not be construed as limiting the present invention.

[0041] see Figure 1 to Figure 5 , the present invention provides an alarm correlation analysis method based on attack scenarios, including:

[0042] S1 fuses the alarm data to obtain a simplified data set;

[0043] The experiment uses the honeypot data set and the laboratory collects the alarm data as the original data set by building a real intrusion detection environment. Firstly, the raw alarm data is preprocessed.

[0044] Data processing flow:

[0045] Step 1: First, the alarm data attributes need to be extracted, and t...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention relates to the field of data processing, and discloses an alarm association analysis method based on attack scene construction, which comprises the following steps: fusing alarm data to obtain a simplified data set; performing scene division on the simplified data set based on a dynamic time window method; on the basis of the divided scenes, performing association analysis on the simplified data set by using an alarm association method of causality association and Granger causality test to obtain an association result; and carrying out visual expression on the association result. The hidden logic relation between attack events is found through correlation analysis, and then a complete attack process is constructed to identify the intention behind the attack, so that security management personnel can conveniently prevent the attack in time.

Description

technical field [0001] The invention relates to the field of data processing, in particular to an alarm correlation analysis method based on attack scene construction. Background technique [0002] In actual network attacks, most attacks are not completed in one step. Intruders usually use multiple complex attack steps to achieve the purpose of intrusion, and IDS only generates corresponding alarm data for a single attack event, which cannot satisfy A macroscopic and complete display of the overall picture of multi-step attacks is required. For network security managers, it is difficult to identify attack intentions and take corresponding defense measures without knowing the complete attack process. Therefore, the alarm correlation analysis method performs correlation analysis on the alarm logs generated by the intrusion detection system. The purpose is to correlate the relevant attack steps behind a complete attack, and reconstruct the attack scene to identify the intentio...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
CPCH04L63/20H04L63/1441
Inventor 陶晓玲欧阳逸夫赵峰顾涛贾飞符廉铕
Owner GUILIN UNIV OF ELECTRONIC TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Eureka Blog
Learn More
PatSnap group products