CN106446720A - IDS rule optimization system and optimization method - Google Patents
- Publication number: CN106446720A
- Authority: CN (China)
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
Abstract
The invention discloses an IDS rule optimization system and optimization method. The optimization system comprises: an alarm log processing module, which collects IDS alarm logs, generates unique identifiers and obtains the current date; a historical alarm database, which stores historical IDS alarm logs; a query module, which queries whether the collected IDS alarm logs are already stored in the historical alarm database and stores them if they are not; a rule statistics module, which compiles statistics on the historical alarm database for the past M days and generates M historical alarm lists; a scanning module, which scans each historical alarm list and performs a query; an extraction module, which extracts the historical alarm logs whose statistical count is higher than a first threshold and obtains the IDS rule name; an address statistics module, which counts the number of addresses according to the flow direction; a false alarm rule identification module, which identifies as a false alarm rule any IDS rule whose counted number of addresses is greater than a second threshold; and a processing module, which deletes the false alarm rule. The system and method reduce the number of alarms and thereby improve alarm accuracy.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to an IDS rule optimization system and optimization method.
Background
With the development of the Internet, network security is taken increasingly seriously. An IDS (Intrusion Detection System) is widely used by enterprises to monitor network operating conditions and to discover attack attempts and attack behavior as far as possible, thereby ensuring the security of the network system. However, IDS systems inherently produce a large number of false positives, which generate a large number of alarms; security engineers cannot pick out the real threats from the mass of alarm information, which greatly reduces the usability of the IDS system.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the defect in the prior art that an IDS inherently produces a large number of false positives and therefore a large number of alarms, by providing an IDS rule optimization system and optimization method.
The present invention solves the above technical problem through the following technical solutions:
The invention provides an IDS rule optimization system, characterized in that it comprises:
an alarm log processing module, configured to collect IDS alarm logs, each IDS alarm log including an IDS rule name, a source IP (Internet Protocol) address and a destination IP address, to generate the unique identifier of the IDS alarm log from the IDS rule name, source IP address and destination IP address, and to obtain the current date of the IDS alarm log;
a historical alarm database, configured to store the unique identifier and date of each historical IDS alarm log;
a query module, configured to query whether the unique identifier and current date of an IDS alarm log collected by the alarm log processing module are stored in the historical alarm database and, if not, to store the unique identifier and current date of that alarm log in the historical alarm database;
a rule statistics module, configured to compile statistics on the historical alarm database for the past M days and to generate one historical alarm list from each day's historical alarm database, each historical alarm list recording the unique identifiers and dates of all historical alarm logs in that day's historical alarm database, where M is a positive integer;
a scanning module, configured to scan each historical alarm list in turn and query by unique identifier: if a target unique identifier does not exist, the target unique identifier and its corresponding IDS rule name, source IP address, destination IP address and date are saved to a statistics list, and the count of the target unique identifier is set to 1; if the target unique identifier exists, the count of the target unique identifier in the statistics list is incremented by 1;
an extraction module, configured to extract, after the scanning module has completed scanning, the historical alarm logs whose count is greater than a first threshold and to obtain the corresponding IDS rule names;
an address statistics module, configured to count the number of addresses according to the flow direction of the IDS rule name;
a false alarm rule identification module, configured to identify as a false alarm rule any IDS rule whose counted number of addresses is greater than a second threshold;
a processing module, configured to delete the false alarm rule.
Preferably, the processing module is further configured to delete all historical alarm data corresponding to the false alarm rule.
Preferably, the unique identifier is an MD5 (Message Digest Algorithm 5) value.
Preferably, the address statistics module is configured to count the number of source IP addresses when the flow direction is forward, and to count the number of destination IP addresses when the flow direction is reverse.
Another object of the invention is to provide an IDS rule optimization method, characterized in that it is implemented using the above IDS rule optimization system and comprises the following steps:
S1. The alarm log processing module collects IDS alarm logs, each IDS alarm log including an IDS rule name, a source IP address and a destination IP address, generates the unique identifier of the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtains the current date of the IDS alarm log;
S2. The historical alarm database stores the unique identifier and date of each historical IDS alarm log;
S3. The query module queries whether the unique identifier and current date of the IDS alarm log collected by the alarm log processing module are stored in the historical alarm database and, if not, stores the unique identifier and current date of that alarm log in the historical alarm database;
S4. The rule statistics module compiles statistics on the historical alarm database for the past M days and generates one historical alarm list from each day's historical alarm database, each historical alarm list recording the unique identifiers and dates of all historical alarm logs in that day's historical alarm database, where M is a positive integer;
S5. The scanning module scans each historical alarm list in turn and queries by unique identifier: if a target unique identifier does not exist, the target unique identifier and its corresponding IDS rule name, source IP address, destination IP address and date are saved to a statistics list, and the count of the target unique identifier is set to 1; if the target unique identifier exists, the count of the target unique identifier in the statistics list is incremented by 1;
S6. After the scanning module has completed scanning, the extraction module extracts the historical alarm logs whose count is greater than a first threshold and obtains the corresponding IDS rule names;
S7. The address statistics module counts the number of addresses according to the flow direction of the IDS rule name;
S8. The false alarm rule identification module identifies as a false alarm rule any IDS rule whose counted number of addresses is greater than a second threshold;
S9. The processing module deletes the false alarm rule.
Preferably, step S9 further includes: the processing module also deletes all historical alarm data corresponding to the false alarm rule.
Preferably, the unique identifier is an MD5 value.
Preferably, in step S7 the address statistics module counts the number of source IP addresses when the flow direction is forward, and counts the number of destination IP addresses when the flow direction is reverse.
The positive effect of the present invention is as follows: the invention analyzes IDS rules by computing and compiling statistics over all IDS alarms, identifies false alarm IDS rules from the analysis results and, once a rule is confirmed to be a false alarm rule, automatically performs operations such as rule updates to eliminate the false alarm rule directly. This fundamentally reduces the number of alarms, improves alarm accuracy, optimizes the IDS rules, lowers the false positive rate of the IDS system and improves the usability of the IDS system.
Brief description of the drawings
Fig. 1 is a module diagram of the IDS rule optimization system of a preferred embodiment of the present invention.
Fig. 2 is a flowchart of the IDS rule optimization method of a preferred embodiment of the present invention.
Detailed description of the embodiments
The present invention is further illustrated below by way of embodiments, but is not thereby limited to the scope of those embodiments.
As shown in Fig. 1, the IDS rule optimization system of the present invention includes an alarm log processing module 1, a historical alarm database 2, a query module 3, a rule statistics module 4, a scanning module 5, an extraction module 6, an address statistics module 7, a false alarm rule identification module 8 and a processing module 9.
The alarm log processing module 1 first collects IDS alarm logs, each of which includes an IDS rule name, a source IP address and a destination IP address; it generates the unique identifier of the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtains the current date of the IDS alarm log;
The unique identifier may specifically be an MD5 value;
The historical alarm database 2 stores the unique identifier and date of each historical IDS alarm log;
The query module 3 queries whether the unique identifier and current date of the IDS alarm log collected by the alarm log processing module 1 are stored in the historical alarm database 2; if not, it stores the unique identifier and current date of that alarm log in the historical alarm database 2 (of course, the IDS rule, source IP address and destination IP address corresponding to the alarm log may also be stored); if so, no processing is performed;
The rule statistics module 4 compiles statistics on the historical alarm database for the past M days and generates one historical alarm list from each day's historical alarm database (i.e. M historical alarm lists are generated in total), each historical alarm list recording the unique identifiers and dates of all historical alarm logs in that day's historical alarm database, where M is a positive integer;
The rule statistics module 4 may preferably run once a day;
The scanning module 5 scans each historical alarm list in turn and queries by unique identifier: if a target unique identifier does not exist, the target unique identifier and its corresponding IDS rule name, source IP address, destination IP address and date are saved to a statistics list, and the count of the target unique identifier is set to 1; if the target unique identifier exists, the count of the target unique identifier in the statistics list is incremented by 1;
Preferably, after scanning is complete, the scanning module 5 may generate the final statistics list and may convert the count: converted count = count * 100 / M;
The extraction module 6 then, after the scanning module 5 has completed scanning, extracts the historical alarm logs whose count (or converted count) is greater than the first threshold and obtains the corresponding IDS rule names;
The address statistics module 7 counts the number of addresses according to the flow direction of the IDS rule name; specifically, it counts the number of source IP addresses when the flow direction is forward, and counts the number of destination IP addresses when the flow direction is reverse;
The false alarm rule identification module 8 identifies as a false alarm rule any IDS rule whose counted number of addresses is greater than the second threshold; the second threshold may be set according to the number of IP addresses of intranet hosts;
The processing module 9 deletes the false alarm rule, and deletes all historical alarm data corresponding to the false alarm rule.
As shown in Fig. 2, the present invention also provides an IDS rule optimization method, which is implemented using the above IDS rule optimization system and comprises the following steps:
Step 101: the alarm log processing module collects IDS alarm logs, each IDS alarm log including an IDS rule name, a source IP address and a destination IP address, generates the unique identifier of the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtains the current date of the IDS alarm log;
Step 102: the historical alarm database stores the unique identifier and date of each historical IDS alarm log;
Step 103: the query module queries whether the unique identifier and current date of the IDS alarm log collected by the alarm log processing module are stored in the historical alarm database and, if not, stores the unique identifier and current date of that alarm log in the historical alarm database;
Step 104: the rule statistics module compiles statistics on the historical alarm database for the past M days and generates one historical alarm list from each day's historical alarm database, each historical alarm list recording the unique identifiers and dates of all historical alarm logs in that day's historical alarm database, where M is a positive integer;
Step 105: the scanning module scans each historical alarm list in turn and queries by unique identifier: if a target unique identifier does not exist, the target unique identifier and its corresponding IDS rule name, source IP address, destination IP address and date are saved to a statistics list, and the count of the target unique identifier is set to 1; if the target unique identifier exists, the count of the target unique identifier in the statistics list is incremented by 1;
Step 106: after the scanning module has completed scanning, the extraction module extracts the historical alarm logs whose count is greater than the first threshold and obtains the corresponding IDS rule names;
Step 107: the address statistics module counts the number of addresses according to the flow direction of the IDS rule name;
Step 108: the false alarm rule identification module identifies as a false alarm rule any IDS rule whose counted number of addresses is greater than the second threshold;
Step 109: the processing module deletes the false alarm rule, and deletes all historical alarm data corresponding to the false alarm rule.
The unique identifier is preferably an MD5 value, and in step 107 the address statistics module specifically counts the number of source IP addresses when the flow direction is forward, and counts the number of destination IP addresses when the flow direction is reverse.
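Steps 101 to 109 as an in-memory Python example, added here for illustration and not code from the patent. The names `HistoryDB`, `find_false_alarm_rules`, `build_sample_db` and the `direction` map are hypothetical. It assumes a `|` separator inside the MD5 input, a window of M days ending on `today`, and distinct addresses counted over the extracted alarms only.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta


def alarm_id(rule, src_ip, dst_ip):
    """Unique identifier (step 101): MD5 over rule name, source IP, destination IP.
    MD5 serves only as a compact deduplication key here. The '|' separator is an
    assumption; the patent does not fix an encoding."""
    return hashlib.md5("|".join((rule, src_ip, dst_ip)).encode()).hexdigest()


class HistoryDB:
    """Historical alarm database: one row per (unique identifier, date)."""

    def __init__(self):
        self.rows = {}  # (uid, day) -> (rule, src_ip, dst_ip)

    def store_if_new(self, rule, src_ip, dst_ip, day):
        """Query module (step 103): store only if (uid, day) is not yet present."""
        key = (alarm_id(rule, src_ip, dst_ip), day)
        if key in self.rows:
            return False
        self.rows[key] = (rule, src_ip, dst_ip)
        return True

    def daily_lists(self, today, m):
        """Rule statistics module (step 104): M lists, one per day.
        Assumption: the 'past M days' window ends on `today`, inclusive."""
        days = [today - timedelta(days=i) for i in range(m)]
        return [[key for key in self.rows if key[1] == day] for day in days]

    def delete_rule(self, rule):
        """Processing module (step 109): drop all history rows of a rule."""
        self.rows = {k: v for k, v in self.rows.items() if v[0] != rule}


def find_false_alarm_rules(db, today, m, first_threshold, second_threshold, direction):
    """Return the rule names that steps 105 to 108 identify as false alarm rules.
    `direction` maps rule name -> "forward" or "reverse" (supplied by the caller)."""
    # Scanning module (step 105): count on how many of the M days each uid occurs.
    stats = {}  # uid -> [rule, src_ip, dst_ip, count]
    for daily in db.daily_lists(today, m):
        for uid, day in daily:
            if uid not in stats:
                stats[uid] = [*db.rows[(uid, day)], 1]
            else:
                stats[uid][3] += 1
    # Extraction module (step 106), using the converted count = count * 100 / M.
    addresses = defaultdict(set)
    for rule, src_ip, dst_ip, count in stats.values():
        if count * 100 / m > first_threshold:
            # Address statistics module (step 107): forward counts source
            # addresses, reverse counts destination addresses.
            addresses[rule].add(src_ip if direction[rule] == "forward" else dst_ip)
    # False alarm rule identification module (step 108).
    return sorted(r for r, addrs in addresses.items() if len(addrs) > second_threshold)


SAMPLE_TODAY = date(2016, 9, 8)
SAMPLE_DIRECTION = {"NOISY-RULE": "forward", "REV-RULE": "reverse",
                    "REAL-RULE": "forward", "RARE-RULE": "forward"}


def build_sample_db(today=SAMPLE_TODAY, m=5):
    """Constructed sample alarms (not real IDS output)."""
    db = HistoryDB()
    for i in range(m):
        day = today - timedelta(days=i)
        for host in range(1, 5):
            # Four sources trip NOISY-RULE every day; the same-day repeat is dropped.
            db.store_if_new("NOISY-RULE", f"10.0.0.{host}", "192.0.2.10", day)
            db.store_if_new("NOISY-RULE", f"10.0.0.{host}", "192.0.2.10", day)
            # One source trips REV-RULE against four destinations every day.
            db.store_if_new("REV-RULE", "192.0.2.20", f"10.0.1.{host}", day)
        # A single persistent source: recurring, but only one address.
        db.store_if_new("REAL-RULE", "10.0.0.9", "192.0.2.30", day)
        # A different source each day: each identifier is seen on one day only.
        db.store_if_new("RARE-RULE", f"10.0.2.{i + 1}", "192.0.2.40", day)
    return db


if __name__ == "__main__":
    sample = build_sample_db()
    flagged = find_false_alarm_rules(sample, SAMPLE_TODAY, 5, 60, 3, SAMPLE_DIRECTION)
    print("false alarm rule candidates:", flagged)
```

`find_false_alarm_rules` only returns rule names; deletion (step 109) is a separate call to `delete_rule`, so the list can be reviewed before any rule or history is removed.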
Although specific embodiments of the present invention have been described above, those skilled in the art will understand that these are merely illustrative, and that the scope of protection of the present invention is defined by the appended claims. Those skilled in the art may make various changes or modifications to these embodiments without departing from the principle and essence of the present invention, and all such changes and modifications fall within the scope of protection of the present invention.
Claims (8)
1. An IDS rule optimization system, characterized in that it comprises:
an alarm log processing module, configured to collect IDS alarm logs, each IDS alarm log including an IDS rule name, a source IP address and a destination IP address, to generate the unique identifier of the IDS alarm log from the IDS rule name, source IP address and destination IP address, and to obtain the current date of the IDS alarm log;
a historical alarm database, configured to store the unique identifier and date of each historical IDS alarm log;
a query module, configured to query whether the unique identifier and current date of an IDS alarm log collected by the alarm log processing module are stored in the historical alarm database and, if not, to store the unique identifier and current date of that alarm log in the historical alarm database;
a rule statistics module, configured to compile statistics on the historical alarm database for the past M days and to generate one historical alarm list from each day's historical alarm database, each historical alarm list recording the unique identifiers and dates of all historical alarm logs in that day's historical alarm database, where M is a positive integer;
a scanning module, configured to scan each historical alarm list in turn and query by unique identifier: if a target unique identifier does not exist, the target unique identifier and its corresponding IDS rule name, source IP address, destination IP address and date are saved to a statistics list, and the count of the target unique identifier is set to 1; if the target unique identifier exists, the count of the target unique identifier in the statistics list is incremented by 1;
an extraction module, configured to extract, after the scanning module has completed scanning, the historical alarm logs whose count is greater than a first threshold and to obtain the corresponding IDS rule names;
an address statistics module, configured to count the number of addresses according to the flow direction of the IDS rule name;
a false alarm rule identification module, configured to identify as a false alarm rule any IDS rule whose counted number of addresses is greater than a second threshold;
a processing module, configured to delete the false alarm rule.
2. The IDS rule optimization system of claim 1, characterized in that the processing module is further configured to delete all historical alarm data corresponding to the false alarm rule.
3. The IDS rule optimization system of claim 1, characterized in that the unique identifier is an MD5 value.
4. The IDS rule optimization system of claim 1, characterized in that the address statistics module is configured to count the number of source IP addresses when the flow direction is forward, and to count the number of destination IP addresses when the flow direction is reverse.
5. An IDS rule optimization method, characterized in that it is implemented using the IDS rule optimization system of claim 1 and comprises the following steps:
S1. The alarm log processing module collects IDS alarm logs, each IDS alarm log including an IDS rule name, a source IP address and a destination IP address, generates the unique identifier of the IDS alarm log from the IDS rule name, source IP address and destination IP address, and obtains the current date of the IDS alarm log;
S2. The historical alarm database stores the unique identifier and date of each historical IDS alarm log;
S3. The query module queries whether the unique identifier and current date of the IDS alarm log collected by the alarm log processing module are stored in the historical alarm database and, if not, stores the unique identifier and current date of that alarm log in the historical alarm database;
S4. The rule statistics module compiles statistics on the historical alarm database for the past M days and generates one historical alarm list from each day's historical alarm database, each historical alarm list recording the unique identifiers and dates of all historical alarm logs in that day's historical alarm database, where M is a positive integer;
S5. The scanning module scans each historical alarm list in turn and queries by unique identifier: if a target unique identifier does not exist, the target unique identifier and its corresponding IDS rule name, source IP address, destination IP address and date are saved to a statistics list, and the count of the target unique identifier is set to 1; if the target unique identifier exists, the count of the target unique identifier in the statistics list is incremented by 1;
S6. After the scanning module has completed scanning, the extraction module extracts the historical alarm logs whose count is greater than a first threshold and obtains the corresponding IDS rule names;
S7. The address statistics module counts the number of addresses according to the flow direction of the IDS rule name;
S8. The false alarm rule identification module identifies as a false alarm rule any IDS rule whose counted number of addresses is greater than a second threshold;
S9. The processing module deletes the false alarm rule.
6. The IDS rule optimization method of claim 5, characterized in that step S9 further includes: the processing module also deletes all historical alarm data corresponding to the false alarm rule.
7. The IDS rule optimization method of claim 5, characterized in that the unique identifier is an MD5 value.
8. The IDS rule optimization method of claim 5, characterized in that in step S7 the address statistics module counts the number of source IP addresses when the flow direction is forward, and counts the number of destination IP addresses when the flow direction is reverse.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610815708.1A (CN106446720B) | 2016-09-08 | 2016-09-08 | IDS rule optimization system and optimization method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106446720A (en) | 2017-02-22 |
CN106446720B (en) | 2019-02-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||