
CN115378793A - HIDS alarm tracing method based on system audit log - Google Patents

HIDS alarm tracing method based on system audit log

Info

Publication number
CN115378793A
Authority
CN
China
Prior art keywords
alarm
event
sequence
list
alarms
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210997131.6A
Other languages
Chinese (zh)
Other versions
CN115378793B (en)
Inventor
李云春
赵俊杰
李巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beihang University
Priority to CN202210997131.6A
Publication of CN115378793A
Application granted
Publication of CN115378793B
Legal status: Active
Anticipated expiration: (not listed)

Links

Images

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H04L41/0686 Additional information in the notification, e.g. enhancement of specific meta-data
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a HIDS alarm tracing method based on system audit logs. It comprises: collecting raw HIDS alarm logs and system audit logs from a host and preprocessing them; correlating the two kinds of logs by timestamp and by the system entities involved (processes, files, network connections or registry keys), and attaching alarm marks to the events in the system audit log that were correlated; performing causal tracing of all marked events in the global system audit log according to the causal relationships between events, to form event sequences; and scoring the event sequences, where sequences exceeding a given threshold are converted into the final alarm output. Compared with the raw HIDS alarms, the method provides contextual information around the alarm point, traces the alarm to its source, and reduces the manual analysis workload.

Figure 202210997131 (abstract figure)

Description

A HIDS alarm tracing method based on system audit logs

Technical field

The invention relates to the field of host intrusion behaviour analysis, and more specifically to a HIDS alarm tracing method based on system audit logs.

Background

Host intrusion detection systems (HIDS), of which OSSEC is representative, are commonly used to monitor host behaviour. Such HIDS can perform host log analysis, file integrity checking, rootkit detection and so on. In essence, a HIDS such as OSSEC matches the various input logs, or the results of checks the HIDS runs periodically, against predefined rules; when a rule matches the corresponding content, the corresponding alarm is generated. A rule can assign a risk level to its alarm: the higher the risk level, the more serious the intrusion behaviour, or the more likely it is that an intrusion has occurred.

However, alarms generated this way often represent isolated events that lack correlation with each other, so the alarm information provided to analysts is of limited value. Moreover, because the rules for low-level alarms are relatively loose and easier to trigger, an intrusion usually produces a large number of alarms, which both consumes system space and increases the analysts' workload; even without an intrusion, low trigger conditions can produce many low-risk false alarms.

To alleviate these problems, existing techniques mainly match the system audit log against preconfigured rules to find the intrusion point, trace that intrusion point back through the system audit log, and then apply a series of threat assessment methods to reduce false positives. However, the rules configured by many such methods are usually limited to matching the same system audit logs that are used to build the causal relationships, while alarms based on other log sources or generated by checks the HIDS runs periodically receive little attention.

Summary of the invention

Technical problem addressed by the invention: to overcome the deficiencies of the prior art, a HIDS alarm tracing method based on system audit logs is provided which raises the value of host intrusion detection alarms (value being understood as the amount of information an alarm can give security personnel about the events that triggered it; the more information provided, the more completely the personnel can understand the alarm event), gives them better interpretability (interpretability meaning how easily an alarm is understood by security personnel; the invention supplies the chain of events behind the alarm, so that personnel can more easily understand why the alarm fired and what consequences may have followed) and better accuracy, and effectively reduces the number of alarms while avoiding missed detections, thereby effectively reducing manual workload.

To achieve the above object, the invention comprises the following steps:

The HIDS alarm tracing method based on system audit logs of the invention is applied to host intrusion detection alarm analysis and comprises the following steps:

(1) Process the HIDS alarms and the system audit logs into a data format containing specified content, obtaining the processed global alarm set A and the global system audit log E. Here "system" refers to the operating system, such as Windows or Linux; this kind of log usually records process behaviour at the kernel layer, and the global system audit log E means the whole, i.e. the completely recorded system audit log;

(2) Correlate each alarm a in the global alarm set A with the system audit events e in the global system audit log E, obtaining an event list matched_list in which events carry alarm marks;

(3) Starting from the events in matched_list, trace forward and backward through the global system audit log E using causal relationships, obtaining the event sequences associated with the alarms, and save them in the sequence list seq_list;

(4) Combining the information of the alarms associated with the events in each sequence, score every sequence in seq_list according to the sequence scoring mechanism to obtain a sequence score; sequences whose score exceeds a set threshold are converted into the final alarm output;

In step (1), the data format comprises an alarm format and the corresponding system audit event format for the system audit log, where:

The alarm format contains {id, timestamp, data, rule}:

id is used to index and identify the alarm;

timestamp is the timestamp at which the alarm was generated;

data contains the specific content of the alarm and comprises at least two parts, data.entity and data.description:

data.entity is information about the system entity that triggered the alarm. System entities include files, network connections and processes; on Windows, the registry is also a kind of system entity. The content of data.entity differs with the type of system entity that triggered the alarm. Specifically, for an alarm triggered by a file entity, data.entity contains the file path; for an alarm triggered by a network connection entity, it contains the domain name or IP address and port of the connection; for an alarm triggered by a process entity, it contains the process ID and process name; and for an alarm generated by a registry entity on Windows, it contains the corresponding registry key and value.

data.description is descriptive information about the alarm content.

rule is the rule associated with the alarm, i.e. the rule whose triggering produced the alarm. It is a pattern predefined by the HIDS; when events occurring in the system match such a pattern, the alarm is triggered;

A rule contains at least the information {rule.id, rule.type, rule.level}. rule.id is the rule's unique identifier, used to locate the rule quickly. rule.type is the type of the rule that produced the alarm: real-time matching or periodic checking. A real-time matching rule matches the newest logs produced by the system as they arrive; alarms based on such rules are generated immediately when an intrusion event occurs, so the alarm time is synchronized with the time of the intrusion behaviour, and such alarms are called real-time alarms. A periodic checking rule matches the results of check programs that the HIDS runs periodically; alarms based on such rules are only generated when the HIDS runs its periodic checking task, so the alarm time is not synchronized with the time of the intrusion behaviour, and such alarms are called periodic check alarms. rule.level represents the risk level of the event that triggered the rule, the event risk representing both the likelihood that the event is an intrusion and the severity of the consequences it would cause.

The id, timestamp and the subfields of data and rule in an alarm are all attributes of the alarm;

The set of all processed HIDS alarms constitutes the global alarm set A;

The system audit event format contains {subject, object, timestamp, operation}:

subject is the subject of the event, i.e. the system entity that initiates the action in the event;

object is the object of the event, i.e. the system entity that receives the action;

timestamp is the timestamp at which the event occurred;

operation is the specific operation the subject performs on the object. This includes a process reading or writing a file, a process creating a child process, a process sending or receiving data over a remote network connection, a process reading or writing the registry on Windows, and other recorded operations between system entities.

The set of all system audit events is the global system audit log E.

Compared with existing methods, the method of the invention correlates general rather than specific HIDS alarms with system audit logs (steps 1 and 2). When tracing alarms on the basis of the system audit log, it relies on the causal relationships between system audit events, so the resulting event sequences can be followed to the root cause of a HIDS alarm and to the scope affected by it (step 3). Finally, the scoring mechanism aggregates multiple causally related raw HIDS alarms into the same sequence as one final alarm, reducing the number of alarms.

Step (2) specifically comprises the following steps:

(21) For an alarm a_i in the global alarm set A, first examine its rule.type field: if the alarm was produced by periodic checking, go to (23); if it is a real-time alarm, continue with (22);

(22) In the global system audit log E, find the system audit event whose timestamp is closest to a_i.timestamp and denote it e_j. If |e_j.timestamp - a_i.timestamp| > Threshold_TS, the match is considered to have failed, i.e. no system audit event associated with a_i can be found, and go to (25); otherwise go to (24). Threshold_TS is a timestamp correlation threshold: if the difference between the timestamps does not exceed it, the two are regarded as the same moment;

(23) For alarms produced by periodic checking, the same cause may trigger the alarm several times if processing is delayed, so these duplicate alarms must be merged: find the alarms in A that duplicate a_i, keep only one of them as a_i and delete the remaining duplicates; then take each event in the global system audit log E in turn as e_j and execute (24);

(24) Determine whether the system entity involved in e_j.subject or e_j.object is the same system entity as the one corresponding to a_i.data.entity. If so, e_j is considered related to a_i: join e_j and a_i to form e_j:a_i and add it to matched_list, which amounts to marking event e_j with alarm a_i; if not, e_j is considered unrelated to a_i.

(25) Repeat (21) to (24) until correlation has been attempted for every alarm in the global alarm set A, finally obtaining the event list matched_list of events carrying alarm marks.

matched_list retains every event correlated with an alarm together with the alarms it was correlated with, so it contains at least two columns of data: the system audit events (events) and the alarms (alerts). The events column is chosen as the index column. Because one system audit event may be correlated with several alarms, when an item e_j:a_i is added to matched_list the events column is first searched for e_j. If e_j already exists, a_i is simply appended to the end of the alerts column in the row for e_j, so the row changes from {e_j, {a_j1, a_j2, ...}} to {e_j, {a_j1, a_j2, ..., a_i}}, where a_j1, a_j2, ... are the other alarms e_j has already matched; if e_j does not exist, {e_j, {a_i}} is added directly as a new row.
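The following is an added worked example of the step (1) data formats and the step (2) correlation procedure (21) to (25); it is not code from the patent. The sample alarms and events, the Threshold_TS value of 2 seconds, the rule identifiers, the "realtime"/"periodic" labels for rule.type, and the decision that periodic alarms with the same rule.id and data.entity count as duplicates are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not the patent's own code. Illustrates the step (1) data
# formats and the step (2) correlation that builds matched_list.

Entity = Tuple[str, str]  # (entity type, identifier), e.g. ("file", "/etc/shadow")


@dataclass(frozen=True)
class Alarm:
    """Alarm format {id, timestamp, data, rule}; data/rule subfields flattened."""
    id: str
    timestamp: float        # seconds (constructed values below)
    entity: Entity          # data.entity
    description: str        # data.description
    rule_id: str            # rule.id
    rule_type: str          # rule.type: "realtime" or "periodic" (assumed labels)
    rule_level: int         # rule.level


@dataclass(frozen=True)
class Event:
    """System audit event format {subject, object, timestamp, operation}."""
    subject: Entity
    obj: Entity             # the event's "object" entity
    timestamp: float
    operation: str


THRESHOLD_TS = 2.0  # Threshold_TS in seconds; assumed value


def entity_matches(e: Event, a: Alarm) -> bool:
    """Step (24): the alarm's entity is the event's subject or object."""
    return a.entity in (e.subject, e.obj)


def merge_periodic_duplicates(alarms: List[Alarm]) -> List[Alarm]:
    """Step (23): keep one periodic alarm per (rule.id, data.entity).
    What counts as a duplicate is an assumption of this example."""
    seen, kept = set(), []
    for a in alarms:
        key = (a.rule_id, a.entity) if a.rule_type == "periodic" else a.id
        if key in seen:
            continue
        seen.add(key)
        kept.append(a)
    return kept


def correlate(alarms: List[Alarm], log: List[Event]) -> Dict[Event, List[Alarm]]:
    """Steps (21)-(25): matched_list as {event: [alarms marked on it]}."""
    matched: Dict[Event, List[Alarm]] = {}
    for a in merge_periodic_duplicates(alarms):
        if a.rule_type == "periodic":
            candidates = log                      # (23): every event is tried as e_j
        else:
            e_j = min(log, key=lambda e: abs(e.timestamp - a.timestamp))  # (22)
            if abs(e_j.timestamp - a.timestamp) > THRESHOLD_TS:
                continue                          # no event at "the same moment"
            candidates = [e_j]
        for e in candidates:
            if entity_matches(e, a):
                # one row per event; append to its alerts column
                matched.setdefault(e, []).append(a)
    return matched


# Constructed sample data (not from the patent).
SAMPLE_EVENTS = [
    Event(("process", "1234:bash"), ("file", "/etc/shadow"), 100.0, "write"),
    Event(("process", "1300:curl"), ("file", "/tmp/x"), 50.2, "write"),
    Event(("process", "1300:curl"), ("network", "203.0.113.5:443"), 49.9, "recv"),
    Event(("process", "2000:sshd"), ("file", "/var/log/wtmp"), 305.0, "write"),
]
SAMPLE_ALARMS = [
    Alarm("a1", 100.5, ("file", "/etc/shadow"), "integrity checksum changed",
          "rule_integrity", "realtime", 7),
    Alarm("a2", 500.0, ("file", "/tmp/x"), "periodic check: suspicious file",
          "rule_rootcheck", "periodic", 7),
    Alarm("a3", 800.0, ("file", "/tmp/x"), "periodic check: suspicious file",
          "rule_rootcheck", "periodic", 7),   # duplicate of a2, merged by (23)
    Alarm("a4", 300.0, ("file", "/var/log/wtmp"), "log file modified",
          "rule_logfile", "realtime", 3),      # nearest event is 5 s away: no match
]

if __name__ == "__main__":
    for e, marks in correlate(SAMPLE_ALARMS, SAMPLE_EVENTS).items():
        print(e.operation, e.obj, "<-", [a.id for a in marks])
```

Two rows come out of the sample: the write to /etc/shadow marked with a1 (the nearest event lies 0.5 s from the real-time alarm) and the write to /tmp/x marked with a2 (a periodic alarm is matched purely by entity, since its timestamp says nothing about when the behaviour happened). a3 is merged away as a duplicate of a2, and a4 fails the Threshold_TS check and is dropped. Note that a real-time alarm only ever marks the single nearest event, so a coarse audit-log clock or a long processing delay in the HIDS makes Threshold_TS the parameter to tune first.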

Compared with existing methods, the invention divides HIDS alarms, according to how they are generated, into alarms produced by real-time detection and alarms produced by periodically executed check programs, and designs a separate method of matching each kind against the system audit log according to its timing characteristics. The range of alarms the method applies to is therefore more comprehensive.

Step (3) specifically comprises the following steps:

(31) In the global system audit log E, trace one system audit event e from matched_list backward according to the causal relationships until a root cause event e_r with no cause event of its own is reached, obtaining a backward trace sequence {e_r, ..., e_b2, e_b1, e} that represents one chain of events which influenced the occurrence of e; the number of backward trace sequences finally found in E is denoted m;

(32) In E, trace event e forward until a terminal event e_l with no result event is reached, obtaining a forward trace sequence {e, e_f1, e_f2, ..., e_l} that represents a chain of events influenced by e; the number of forward trace sequences finally found in E is denoted n;

(33) Combine and join the m backward trace sequences with the n forward trace sequences, obtaining m×n sequences for event e, and save them in the sequence list seq_list;

(34) In matched_list, select as e the next event that has not yet appeared in seq_list;

(35) Repeat steps (31) to (34) until tracing has been completed for all events involved in matched_list; seq_list then holds all event sequences that may be associated with HIDS alarms;

Figure BDA0003806043540000051

The causal relationships in steps (31) and (32) are defined as follows:

Causal relationship: within a single system audit event there is a causal relationship between the subject and the object, but its direction depends on the type of operation and reflects the direction in which information flows in the event. If the information in the event passes from the subject, through the operation, to the object, the subject is the cause entity and the object the result entity; conversely, the object is the cause entity and the subject the result entity;

Two system audit events e_c and e_e are causally related when the result entity of e_c is the same system entity as the cause entity of e_e and e_c occurred earlier than e_e; e_c is then a cause event of e_e, and e_e a result event of e_c;

Forward tracing and backward tracing in these steps mean:

Forward tracing: starting from an event e, the operation of searching for the subsequent result events of e;

Backward tracing: starting from an event e, the operation of searching for the prior cause events of e.
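The causal relationship and the tracing of steps (31) to (35), as an added example that is not the patent's own code. The sample audit log is constructed, and the table deciding which operations move information from subject to object (and therefore which entity is the cause and which the result) is an assumption of the example; the patent only states that the direction depends on the operation type.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple

# Added example, not the patent's own code: the causal relationship between
# audit events and the backward/forward tracing of steps (31)-(35).

Entity = Tuple[str, str]


@dataclass(frozen=True)
class Event:
    subject: Entity
    obj: Entity          # the event's "object" entity
    timestamp: float
    operation: str


# Assumed direction table: for these operations information flows from the
# subject to the object; for every other operation (read, recv, ...) it flows
# from the object to the subject.
FLOWS_TO_OBJECT = {"write", "create", "send", "fork"}


def cause_entity(e: Event) -> Entity:
    return e.subject if e.operation in FLOWS_TO_OBJECT else e.obj


def result_entity(e: Event) -> Entity:
    return e.obj if e.operation in FLOWS_TO_OBJECT else e.subject


def is_cause_of(ec: Event, ee: Event) -> bool:
    """e_c is a cause event of e_e: its result entity is e_e's cause entity
    and it happened earlier."""
    return result_entity(ec) == cause_entity(ee) and ec.timestamp < ee.timestamp


def trace_backward(e: Event, log: List[Event]) -> List[List[Event]]:
    """Step (31): every chain {e_r, ..., e_b1, e} back to a root cause event."""
    causes = [c for c in log if is_cause_of(c, e)]
    if not causes:
        return [[e]]                      # e itself is a root cause e_r
    return [chain + [e] for c in causes for chain in trace_backward(c, log)]


def trace_forward(e: Event, log: List[Event]) -> List[List[Event]]:
    """Step (32): every chain {e, e_f1, ..., e_l} forward to a terminal event."""
    results = [r for r in log if is_cause_of(e, r)]
    if not results:
        return [[e]]                      # e itself is a terminal event e_l
    return [[e] + chain for r in results for chain in trace_forward(r, log)]


def build_seq_list(marked_events: List[Event], log: List[Event]) -> List[List[Event]]:
    """Steps (33)-(35): join m backward and n forward chains into m*n sequences,
    skipping marked events that already appear in some sequence."""
    seq_list, covered = [], set()
    for e in marked_events:
        if e in covered:
            continue                      # (34)
        for back, fwd in product(trace_backward(e, log), trace_forward(e, log)):
            seq = back + fwd[1:]          # e sits once at the join point
            seq_list.append(seq)
            covered.update(seq)
    return seq_list


# Constructed sample audit log (not from the patent), ordered by time.
LOG = [
    Event(("process", "2000:sshd"), ("file", "/var/log/wtmp"), 5.0, "write"),
    Event(("process", "1300:curl"), ("network", "203.0.113.5:443"), 10.0, "recv"),
    Event(("process", "1300:curl"), ("file", "/tmp/x"), 11.0, "write"),
    Event(("process", "1234:bash"), ("file", "/tmp/x"), 20.0, "read"),
    Event(("process", "1234:bash"), ("file", "/etc/shadow"), 21.0, "write"),
    Event(("process", "1234:bash"), ("process", "1400:python"), 22.0, "fork"),
    Event(("process", "1400:python"), ("network", "198.51.100.7:8080"), 23.0, "send"),
    Event(("process", "1500:backup"), ("file", "/etc/shadow"), 30.0, "read"),
    Event(("process", "1500:backup"), ("network", "198.51.100.7:8080"), 31.0, "send"),
    Event(("process", "1600:cron"), ("file", "/etc/shadow"), 40.0, "read"),
]
SHADOW_WRITE, TMP_WRITE = LOG[4], LOG[2]   # events carrying alarm marks

if __name__ == "__main__":
    for seq in build_seq_list([SHADOW_WRITE, TMP_WRITE], LOG):
        print(" -> ".join(f"{e.operation}:{e.obj[1]}" for e in seq))
```

For the marked write to /etc/shadow the backward trace yields one chain (network recv into curl, curl writes /tmp/x, bash reads /tmp/x, bash writes /etc/shadow; m = 1) and the forward trace two (a backup process reads the file and sends to the network; cron reads it; n = 2), so step (33) produces m×n = 2 sequences. The second marked event, the write to /tmp/x, already appears in those sequences and is skipped by (34). Because a cause event must be strictly earlier than its result event, the recursion always terminates, but on a long log the number of chains can grow combinatorially; an implementation on real audit data would index events by entity rather than scanning the whole log at each step.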

Compared with raw HIDS alarms, this step correlates alarms with the system audit events in the global system audit log and resolves the problem that raw HIDS alarms are isolated from and uncorrelated with each other.

Step (4) is specifically as follows:

(41) Compute the evaluation score of each sequence. The score S(seq) of a sequence seq = {e_1, e_2, ..., e_n} is the sum of the scores of all events in the sequence, i.e.:

Figure BDA0003806043540000052

The sequence seq contains n events; e_i is the i-th event in the sequence, and its score s(e_i) is computed as:

Figure BDA0003806043540000053

Here f(a_j) is the method of computing the contribution of alarm a_j to the score of event e_i, i.e. the alarm scoring method, which is set according to the contribution of each attribute attr of the alarm to the score. The contributions of the attributes attr of a_j are combined linearly to give the alarm scoring method:

Figure BDA0003806043540000061

attr represents the value of an attribute of the alarm, and w the weight of that attribute;

Figure BDA0003806043540000062
represents the k-th positively contributing attribute value, and
Figure BDA0003806043540000063
represents the l-th negatively contributing attribute value; M and N are respectively the numbers of positively and negatively contributing attributes of alarm a_j. Note that for non-numeric attributes,
Figure BDA0003806043540000064
and
Figure BDA0003806043540000065
represent the attribute value after quantization (quantization being the conversion of a non-numeric attribute into a numeric value; the specific quantization method is outside the scope of this patent); attributes that cannot be quantized are not considered. In different embodiments, f(a_j) is computed in different specific ways depending on the specific attributes of a_j.

g(e_i) is set as:

Figure BDA0003806043540000066

where c_1 and c_2 are constants whose values should be set according to the specific situation; events e_f and e_b are respectively the first alarm-matched events reached by tracing forward and backward from event e_i within seq; and d_f and d_b represent the distances from e_i to e_f and e_b in the sequence seq, i.e. the number of events traversed from e_i to reach e_f and e_b;

(42) Given a score threshold δ, when S(seq) ≥ δ the sequence seq is converted into one final alarm. The final alarm contains the computed S(seq), the event sequence {e_1, e_2, ..., e_n} of seq, the computed score {s(e_1), s(e_2), ..., s(e_n)} of each event, and the HIDS alarms contained in the sequence.
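A worked instance of the scoring of steps (41) and (42), added as an example and not taken from the patent. The patent's formulas for s(e_i), f(a_j) and g(e_i) survive on this page only as figure references, so their concrete shapes here are assumptions: s(e_i) is taken to be the sum of f(a_j) over the alarms marked on e_i when there are any and g(e_i) otherwise; f(a_j) is a weighted sum of positive attributes minus a weighted sum of negative attributes, with rule.level as the positive attribute and quantized rule.type (periodic = 1) as the negative one; g(e_i) decays as c_1/d_f + c_2/d_b, dropping a direction in which no marked event exists. The weights, constants, threshold δ and sample sequences are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not the patent's own code. The concrete forms of s(e_i),
# f(a_j) and g(e_i) below are assumptions of this example (see lead-in).


@dataclass(frozen=True)
class Alarm:
    id: str
    rule_level: int      # positively contributing numeric attribute
    rule_type: str       # "realtime" or "periodic"; quantized below


# Assumed weights, constants and threshold.
W_LEVEL = 1.0        # w for rule.level (positive contribution)
W_PERIODIC = 2.0     # w for quantized rule.type (negative contribution)
C1, C2 = 1.0, 1.0    # c_1, c_2 in g(e_i)
DELTA = 8.0          # score threshold δ


def quantize_rule_type(rule_type: str) -> float:
    """Quantization of the non-numeric attribute rule.type (assumed: periodic = 1)."""
    return 1.0 if rule_type == "periodic" else 0.0


def alarm_score(a: Alarm) -> float:
    """f(a_j): weighted positive attributes minus weighted negative attributes."""
    return W_LEVEL * a.rule_level - W_PERIODIC * quantize_rule_type(a.rule_type)


def distance_to_marked(marks: List[bool], i: int, step: int) -> Optional[int]:
    """d_f (step=+1) or d_b (step=-1): events traversed from e_i to the nearest
    alarm-marked event in that direction; None if there is none."""
    j, d = i + step, 1
    while 0 <= j < len(marks):
        if marks[j]:
            return d
        j, d = j + step, d + 1
    return None


def neighbour_score(marks: List[bool], i: int) -> float:
    """g(e_i): assumed decay c_1/d_f + c_2/d_b, omitting a missing direction."""
    g = 0.0
    d_f = distance_to_marked(marks, i, +1)
    d_b = distance_to_marked(marks, i, -1)
    if d_f is not None:
        g += C1 / d_f
    if d_b is not None:
        g += C2 / d_b
    return g


def event_scores(seq_alarms: List[List[Alarm]]) -> List[float]:
    """s(e_i) for every event; seq_alarms[i] is the alerts column of e_i."""
    marks = [bool(al) for al in seq_alarms]
    return [sum(alarm_score(a) for a in al) if al else neighbour_score(marks, i)
            for i, al in enumerate(seq_alarms)]


def sequence_score(seq_alarms: List[List[Alarm]]) -> float:
    """S(seq): sum of s(e_i) over the sequence, as step (41) states."""
    return sum(event_scores(seq_alarms))


def final_alarm(seq_events: List[str], seq_alarms: List[List[Alarm]],
                delta: float = DELTA) -> Optional[Dict]:
    """Step (42): emit a final alarm only when S(seq) >= δ."""
    s = sequence_score(seq_alarms)
    if s < delta:
        return None
    return {"score": s, "events": seq_events, "event_scores": event_scores(seq_alarms),
            "alarms": sorted({a.id for al in seq_alarms for a in al})}


# Constructed sequences: event labels plus each event's marked alarms.
SEQ_A_EVENTS = ["recv:net", "write:/tmp/x", "read:/tmp/x", "write:/etc/shadow", "send:net"]
SEQ_A_ALARMS = [[], [Alarm("a1", 7, "realtime")], [], [],
                [Alarm("a2", 5, "periodic"), Alarm("a3", 3, "realtime")]]
SEQ_B_EVENTS = ["read:/etc/hosts", "write:/tmp/y", "exit"]
SEQ_B_ALARMS = [[], [Alarm("a4", 2, "periodic")], []]

if __name__ == "__main__":
    print(final_alarm(SEQ_A_EVENTS, SEQ_A_ALARMS))   # one final alarm covering a1..a3
    print(final_alarm(SEQ_B_EVENTS, SEQ_B_ALARMS))   # None: below the threshold
```

Sequence A scores 17.0 and becomes a single final alarm covering three raw alarms, which is the aggregation effect the patent describes; sequence B, a lone low-level periodic alarm with no causal neighbours of note, scores 2.0 and is filtered out. The unmarked events are not worthless: through g(e_i) they earn a share of the score in proportion to how close they sit to marked events, so a long chain of audited steps between two alarms lowers the sequence score less than the same two alarms with nothing connecting them. In practice δ, the weights and c_1, c_2 have to be tuned against a labelled sample of the host's own alarms.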

In the scoring mechanism of the invention, the sequence score represents how strongly the events in the sequence are associated with alarm events, and the threshold filters out sequences that are weakly associated with alarms; the sequences finally selected usually cover more raw alarms. This reduces false alarms caused by incidental factors and also reduces the number of alarms compared with the raw alarm information.

The advantages of the invention over the prior art are as follows:

(1) The new alarms produced by the invention are richer in content: each alarm no longer corresponds only to an isolated system event but provides the causal event information of the alarm event, so the root cause event of the alarm point and the impact of the alarm event can be found quickly.

(2) The invention converts both HIDS alarms and system audit logs into a relatively unified data format before correlating them. Compared with existing tracing methods, it makes full use of the rule-matching capability of the HIDS, widens the detection surface, lowers the missed-detection rate, and avoids omitting the tracing of periodically generated alarms.

(3) By scoring causal event sequences, the invention can reduce alarms falsely triggered by incidental events and thus lower the false alarm rate; and because the sequence behind each final alarm may contain several raw alarms, it can also reduce the number of alarms.

Description of the drawings

Figure 1 is the overall flowchart of the invention;

Figure 2 is the workflow of each module in the invention;

Figure 3 is the data format after preprocessing;

Figure 4 is the flowchart of alarm log correlation in step 2;

Figure 5 is a schematic of the sequences produced by causal tracing of one event;

Figure 6 is the data format of the final generated alarms.

Detailed description

The technical solutions in the embodiments of the invention will be described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.

The invention is mainly carried out on the basis of a host intrusion detection system (HIDS). A host intrusion detection system uses predefined rules to match the various input logs or other information; when a rule matches the corresponding content, the corresponding alarm is generated. Generally, the generated alarm includes the time the rule was triggered, the data source that triggered the rule, a description of the alarm event, the alarm severity level, and so on. Usually one alarm corresponds to one or several consecutive records in the data source, so an alarm contains no more information than the corresponding records can provide, and alarms are therefore often as fragmentary as raw log entries.

本发明的溯源关系则是基于系统审计日志信息构建,所谓系统审计日志,是在操作系统中记录系统中各种实体之间交互信息的日志,系统实体包括文件、网络连接、进程,Windows系统下的注册表等内容,而交互信息则包括读、写、创建、删除等。具有代表性的系统审计日志有Windows事件跟踪(Event Tracing for Windows,ETW)和Linux下的Auditd所产生的日志。对于其他具有相似功能的程序产生的日志,在本申请中也称为系统审计日志。The traceability relationship of the present invention is constructed based on system audit log information. The so-called system audit log is a log that records interactive information between various entities in the system in the operating system. System entities include files, network connections, and processes. Registry and other content, while interactive information includes reading, writing, creating, deleting, etc. Representative system audit logs include Windows Event Tracking (Event Tracing for Windows, ETW) and logs generated by Auditd under Linux. The logs generated by other programs with similar functions are also referred to as system audit logs in this application.

需要说明的是,本发明中提到的系统审计日志也可能作为HIDS规则匹配的输入,只需要HIDS中配置用于匹配系统审计日志的规则即可,当这种情况发生时,由于告警和溯源信息同源,因此可以直接进行简单匹配进行关联。It should be noted that the system audit log mentioned in the present invention may also be used as an input for HIDS rule matching, and only the rules for matching the system audit log need to be configured in HIDS. When this happens, due to the alarm and traceability The information is from the same source, so simple matching can be directly performed for association.

As shown in Figure 1, the present invention comprises the following steps:

(1) Process the HIDS alarms and the system audit log into a data format with specified contents, obtaining the processed global alarm set A and the global system audit log E. "System" here means the operating system, for example Windows or Linux; this kind of log usually records process behaviour at the kernel level, and "global" means that E is the complete audit log rather than a sample of it.

(2) Associate each alarm a in the global alarm set A with the events e in the global system audit log E, obtaining an event list matched_list in which events are tagged with alarms.

(3) Starting from the events in matched_list, trace forward and backward through E along causal relations, obtaining the event sequences associated with the alarms, and save them in the sequence list seq_list.

(4) Using the alarm information attached to the events in each sequence, score every sequence in seq_list under the sequence scoring mechanism; sequences whose score exceeds a set threshold are converted into final alarms and output.

As shown in Figure 2, in the embodiment of the present invention the HIDS alarms and the system audit log are the raw input. They pass through four modules, preprocessing, association matching, tracing and threat scoring, and the high-level final alarms are the output. The four modules correspond to the four steps of Figure 1, as follows:

Step 1. Preprocessing of the HIDS alarms and the system audit log:

(11) Preprocess the raw alarm log collected from the rule-based HIDS. As shown in Figure 3 a), after preprocessing the global alarm set A consists of individual alarms a_i, each of which contains at least {id, timestamp, data, rule}, where:

id indexes and identifies the alarm;

timestamp is the time at which the alarm was generated;

data holds the content of the alarm and contains at least data.entity and data.description:

data.entity describes the system entity that triggered the alarm. System entities are files, network connections and processes; on Windows the registry is a further kind of system entity. What data.entity contains depends on the entity type: for an alarm triggered by a file it holds the file path; for a network connection it holds the domain name or IP address and the port; for a process it holds the process ID and process name; for a Windows registry entity it holds the key and value.

data.description is a textual description of the alarm.

rule holds the information about the rule that produced the alarm and contains at least {rule.id, rule.type, rule.level}. rule.id is the unique identifier of the rule, used to look it up quickly. rule.type is the type of the rule; this embodiment distinguishes two types. Real-time rules match the logs the system is producing right now, so an alarm from such a rule is raised the moment the intrusion event occurs and its timestamp coincides with the time of the intrusion; these are real-time alarms. Periodic-detection rules match the results of detection programs that the HIDS runs on a schedule, so their alarms are only raised when the scheduled detection task runs and their timestamp does not coincide with the time of the intrusion; these are periodic-detection alarms. rule.level is the risk level of the event that fires the rule, that is, how likely the event is to be an intrusion and how severe its consequences would be.

An alarm may carry fields beyond those listed above. In this embodiment the rule field additionally has a rule.firedtimes subfield, shown in Figure 3 a), which counts how many times the rule has fired; it is used later as a scoring parameter.

id, timestamp and the subfields of data and rule are all attributes of the alarm.

The set of all processed HIDS alarms constitutes the global alarm set A.

(12) Preprocess the collected system audit log, which is used to build the traceability relation. The system audit log records events between system entities on the host, such as files, processes and network connections. As shown in Figure 3 b), the preprocessed system audit log E consists of audit events e_i (1 ≤ i ≤ n, where n is the total number of audit events in the log), each of which contains at least {subject, object, timestamp, operation}, where:

subject is the subject of the event, that is, the system entity that initiates the action;

object is the object of the event, that is, the system entity that receives the action;

timestamp is the time at which the event occurred;

operation is the specific operation the subject performs on the object: a process reading or writing a file, a process creating a child process, a process sending to or receiving from a remote network connection, a process reading or writing the registry on Windows, and any other recorded operation between system entities.

Step 2. Associate each alarm a in the global alarm set A with the events e in the global system audit log E, obtaining the alarm-tagged event list matched_list. The flow is shown in Figure 4:

(21) For an alarm a_i in A, first inspect its rule.type field. If the alarm came from periodic detection, go to (23); if it is a real-time alarm, continue with (22).

(22) Find the audit event in E whose timestamp is closest to a_i.timestamp and call it e_j. If |e_j.timestamp - a_i.timestamp| > Threshold_TS, the match fails, that is, no audit event associated with a_i can be found, and go to (25); otherwise go to (24). Threshold_TS is the timestamp association threshold: two timestamps whose difference does not exceed it are treated as the same moment.

(23) For alarms produced by periodic detection, the same cause may trigger the alarm several times if it is not handled before the next detection run, so such duplicate alarms must be merged: find the alarms in A that duplicate a_i, keep only one of them as a_i and discard the rest. Then take each event of E in turn as e_j and execute (24).

(24) Decide whether the system entity referred to by e_j.subject or e_j.object is the same system entity as the one in a_i.data.entity. If it is, e_j is associated with a_i: join them into e_j:a_i and add that to matched_list, which amounts to tagging event e_j with alarm a_i. If it is not, e_j is unrelated to a_i.

(25) Repeat (21) to (24) until an association has been attempted for every alarm in A. The result is the alarm-tagged event list matched_list.

matched_list keeps every event that was associated with an alarm together with the alarms it was associated with, so it has at least two columns, the audit event (events) and its alarms (alerts). The events column is the index column. Because one audit event may be associated with several alarms, adding an item e_j:a_i to matched_list first checks whether e_j is already present in the events column: if it is, a_i is simply appended to the alerts column of that row, so the row changes from {e_j, {a_j1, a_j2, ...}} to {e_j, {a_j1, a_j2, ..., a_i}}, where a_j1, a_j2, ... are the alarms e_j had already matched; if e_j is not present, {e_j, {a_i}} is added as a new row.
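Step 2, written out as an added Python example; this is not code from the patent. The alarms and audit events are constructed inline in the preprocessed formats of step 1. Three things are assumptions of the example rather than statements of the page: the value of Threshold_TS, the encoding of a system entity as a (type, key) pair, and the notion of a "duplicate" periodic alarm (same rule.id and same entity).

```python
from bisect import bisect_left

THRESHOLD_TS = 1.0  # Threshold_TS in seconds; an assumed value for this example


def make_event(eid, subject, obj, ts, op):
    """One preprocessed audit event {subject, object, timestamp, operation} (step 12).
    Entities are (type, key) pairs such as ("file", "/tmp/x"); the encoding is assumed."""
    return {"id": eid, "subject": subject, "object": obj, "timestamp": ts, "operation": op}


def make_alert(aid, ts, entity, desc, rule_id, rule_type, level, firedtimes):
    """One preprocessed HIDS alarm {id, timestamp, data, rule} (step 11)."""
    return {"id": aid, "timestamp": ts,
            "data": {"entity": entity, "description": desc},
            "rule": {"id": rule_id, "type": rule_type, "level": level, "firedtimes": firedtimes}}


# Constructed sample input: a download-and-persist chain and four alarms about it.
EVENTS = [
    make_event("e1", ("process", "1001:bash"), ("process", "1002:curl"), 100.0, "fork"),
    make_event("e2", ("process", "1002:curl"), ("socket", "203.0.113.5:443"), 100.5, "recv"),
    make_event("e3", ("process", "1002:curl"), ("file", "/tmp/payload.sh"), 101.0, "write"),
    make_event("e4", ("process", "1003:sh"), ("file", "/tmp/payload.sh"), 102.0, "read"),
    make_event("e5", ("process", "1003:sh"), ("file", "/etc/cron.d/job"), 103.0, "write"),
]
ALERTS = [
    make_alert("a1", 101.2, ("file", "/tmp/payload.sh"), "file created in /tmp", "r554", "realtime", 7, 1),
    make_alert("a2", 200.0, ("file", "/etc/cron.d/job"), "unexpected cron entry", "r900", "periodic", 10, 3),
    make_alert("a3", 260.0, ("file", "/etc/cron.d/job"), "unexpected cron entry", "r900", "periodic", 10, 4),
    make_alert("a4", 150.0, ("process", "1001:bash"), "shell activity", "r100", "realtime", 3, 1),
]


def involves(event, entity):
    """(24): the alarm's entity is the subject or the object of the event."""
    return entity in (event["subject"], event["object"])


def nearest_event(events_by_ts, ts):
    """(22): the audit event whose timestamp is closest to ts (events_by_ts is sorted)."""
    stamps = [e["timestamp"] for e in events_by_ts]
    i = bisect_left(stamps, ts)
    candidates = [events_by_ts[j] for j in (i - 1, i) if 0 <= j < len(events_by_ts)]
    return min(candidates, key=lambda e: abs(e["timestamp"] - ts), default=None)


def merge_periodic_duplicates(alerts):
    """(23): keep one periodic alarm per (rule.id, entity); real-time alarms are untouched.
    Treating that pair as 'the same cause' is an assumption of this example."""
    seen, kept = set(), []
    for a in alerts:
        key = (a["rule"]["id"], a["data"]["entity"]) if a["rule"]["type"] == "periodic" else a["id"]
        if key not in seen:
            seen.add(key)
            kept.append(a)
    return kept


def associate(alerts, events, threshold_ts=THRESHOLD_TS):
    """Step 2: build matched_list as rows {"event": e_j, "alerts": [a_i, ...]}."""
    events_by_ts = sorted(events, key=lambda e: e["timestamp"])
    matched = {}  # the events column is the index; a dict keeps insertion order

    def tag(e, a):
        row = matched.setdefault(e["id"], {"event": e, "alerts": []})
        if all(x["id"] != a["id"] for x in row["alerts"]):
            row["alerts"].append(a)  # append to the alerts column of an existing row

    for a in merge_periodic_duplicates(alerts):
        entity = a["data"]["entity"]
        if a["rule"]["type"] == "periodic":       # (21) -> (23): scan every event of E
            for e in events_by_ts:
                if involves(e, entity):
                    tag(e, a)
        else:                                      # (21) -> (22): the nearest event only
            e = nearest_event(events_by_ts, a["timestamp"])
            if e is None or abs(e["timestamp"] - a["timestamp"]) > threshold_ts:
                continue                           # match failed -> (25)
            if involves(e, entity):
                tag(e, a)
    return list(matched.values())


if __name__ == "__main__":
    for row in associate(ALERTS, EVENTS):
        print(row["event"]["id"], [a["id"] for a in row["alerts"]])
```

On the constructed input a1 lands on e3 (0.2 s apart, same file), a2 is attached to e5 by the periodic scan, a3 is merged into a2, and a4 is dropped because the nearest event is 47 s away. Two properties of step (22) are worth keeping in mind when tuning Threshold_TS: a real-time alarm is compared with the single nearest event only, so an alarm whose nearest event concerns some other entity is lost even if an event about the right entity lies inside the window, and two events at equal distance are tie-broken arbitrarily by `min`. Scanning every event inside the window, as (23) does for the whole log, avoids both at the cost of a few more comparisons.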

Step 3. Starting from the events in matched_list, trace forward and backward through the system audit log E along causal relations, obtain the event sequences associated with the alarms and save them in the sequence list seq_list, as follows:

(31) In E, trace one audit event e from matched_list backward along causal relations until a root cause event e_r that has no cause event of its own is reached. This yields a backward sequence {e_r, ..., e_b2, e_b1, e} representing a chain of events that led to e. Let m be the number of backward sequences found in E.

(32) In E, trace e forward along causal relations until an end event e_l that has no result event of its own is reached. This yields a forward sequence {e, e_f1, e_f2, ..., e_l} representing a chain of events influenced by e. Let n be the number of forward sequences found in E.

(33) Join each of the m backward sequences with each of the n forward sequences, obtaining m×n sequences through e, and save them in seq_list. As shown in Figure 5, forward tracing from e finds n paths ending at n events beyond which no forward tracing is possible, the leaf events e_leaf, and backward tracing finds m paths ending at m events beyond which no backward tracing is possible, the root events e_root (the original shows the numbered leaf and root events as images). Note that the leaf events may contain repeats, because more than one path from e can reach the same event; the root events may likewise contain repeats.

(34) Select as the next e an event of matched_list that has not yet appeared in any sequence of seq_list.

(35) Repeat (31) to (34) until every event in matched_list has been traced; seq_list then holds every event sequence that may be associated with a HIDS alarm.

(An expression shown only as an image, with no recoverable text, follows here in the original.)

The causal relation used in steps (31) and (32) is defined as follows:

Causal relation: within a single audit event there is a causal relation between subject and object, but its direction depends on the type of operation and reflects the direction in which information flows in the event. If the information flows from the subject through the operation to the object, the subject is the cause entity and the object the result entity; otherwise the object is the cause entity and the subject the result entity.

Between two audit events e_c and e_e there is a causal relation if the result entity of e_c is the same system entity as the cause entity of e_e and e_c occurred earlier than e_e; e_c is then a cause event of e_e, and e_e a result event of e_c.

Forward tracing and backward tracing are then:

Forward tracing: starting from an event e, finding the result events that follow e;

Backward tracing: starting from an event e, finding the cause events that precede e.
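Step 3 and the causal-relation definition above, as an added Python example that is not the patent's code. The mapping from operation names to the direction of information flow, the (type, key) entity encoding and the depth limit are assumptions of the example; the audit events are constructed inline.

```python
# Operations through which information flows from subject to object, and the reverse
# (an assumed mapping; extend it to the operation vocabulary of your audit source).
SUBJECT_TO_OBJECT = {"write", "create", "delete", "fork", "exec", "send", "regwrite"}
OBJECT_TO_SUBJECT = {"read", "recv", "regread"}


def make_event(eid, subject, obj, ts, op):
    return {"id": eid, "subject": subject, "object": obj, "timestamp": ts, "operation": op}


# Constructed sample log: bash forks curl, curl receives from the network and writes
# /tmp/payload.sh, sh reads that file and installs a cron job.
EVENTS = [
    make_event("e1", ("process", "1001:bash"), ("process", "1002:curl"), 100.0, "fork"),
    make_event("e2", ("process", "1002:curl"), ("socket", "203.0.113.5:443"), 100.5, "recv"),
    make_event("e3", ("process", "1002:curl"), ("file", "/tmp/payload.sh"), 101.0, "write"),
    make_event("e4", ("process", "1003:sh"), ("file", "/tmp/payload.sh"), 102.0, "read"),
    make_event("e5", ("process", "1003:sh"), ("file", "/etc/cron.d/job"), 103.0, "write"),
]


def cause_and_result(e):
    """Causal relation inside one event: (cause entity, result entity)."""
    if e["operation"] in SUBJECT_TO_OBJECT:
        return e["subject"], e["object"]
    if e["operation"] in OBJECT_TO_SUBJECT:
        return e["object"], e["subject"]
    raise ValueError("unknown operation: %s" % e["operation"])


def cause_events(e, events):
    """Events e_c whose result entity is e's cause entity and that happened earlier."""
    cause, _ = cause_and_result(e)
    return [c for c in events
            if c["timestamp"] < e["timestamp"] and cause_and_result(c)[1] == cause]


def result_events(e, events):
    """Events e_e whose cause entity is e's result entity and that happened later."""
    _, result = cause_and_result(e)
    return [r for r in events
            if r["timestamp"] > e["timestamp"] and cause_and_result(r)[0] == result]


def trace_back(e, events, max_depth):
    """(31): every sequence {e_r, ..., e_b1, e} from a root cause event to e."""
    preds = cause_events(e, events) if max_depth > 0 else []
    if not preds:
        return [[e]]
    return [seq + [e] for p in preds for seq in trace_back(p, events, max_depth - 1)]


def trace_forward(e, events, max_depth):
    """(32): every sequence {e, e_f1, ..., e_l} from e to an end event."""
    succs = result_events(e, events) if max_depth > 0 else []
    if not succs:
        return [[e]]
    return [[e] + seq for s in succs for seq in trace_forward(s, events, max_depth - 1)]


def sequences_through(e, events, max_depth=16):
    """(33): join the m backward and n forward sequences into m*n sequences through e.
    max_depth is an assumed bound on the path explosion long-lived processes cause."""
    backward = trace_back(e, events, max_depth)
    forward = trace_forward(e, events, max_depth)
    return [b + f[1:] for b in backward for f in forward]


def build_seq_list(matched_events, events):
    """(34)-(35): trace each matched event that no earlier sequence already covers."""
    seq_list, covered = [], set()
    for e in matched_events:
        if e["id"] in covered:
            continue
        for seq in sequences_through(e, events):
            seq_list.append(seq)
            covered.update(x["id"] for x in seq)
    return seq_list


if __name__ == "__main__":
    for seq in build_seq_list([EVENTS[2], EVENTS[4]], EVENTS):
        print(" -> ".join(x["id"] for x in seq))
```

Tracing from e3 gives m = 2 (the fork from bash and the data received from the socket both feed curl) and n = 1 (the file is read by sh, which then writes the cron entry), hence two sequences; e5 is then skipped by (34) because both sequences already contain it. Two details matter on real audit data. The relation requires e_c to be strictly earlier than e_e, so two records with identical timestamps are never linked; auditd emits microsecond timestamps plus a serial number, and the serial is the natural tiebreaker. And because every backward path is paired with every forward path, a long-lived cause such as an interactive shell makes m×n grow quickly; the depth limit above is the simplest guard, a time window around the alarm is the usual production one.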

Step 4. Compute the scores and produce the final alarms. seq_list may contain a large number of event sequences; if all of them were output as alarms, the result would still be too many alarms and a high false-positive rate, so the sequences must be filtered. This is done by a scoring mechanism that scores each sequence, as follows:

(41) Compute the evaluation score S(seq) of each sequence seq = {e_1, e_2, ..., e_n}. The sequence score is the sum of the scores of its events:

S(seq) = s(e_1) + s(e_2) + ... + s(e_n)

where the sequence contains n events, e_i is the i-th event and s(e_i) is its score. s(e_i) is computed from the contributions f(a_j) of the alarms a_j matched to e_i and from a distance term g(e_i); the exact expression for s(e_i) is given only as an image in the original.

f(a_j) is the score contribution of alarm a_j to event e_i, that is, the alarm score. It is set according to how much each attribute attr of the alarm contributes to the score, as a linear combination of the contributions of the attributes of a_j:

f(a_j) = Σ_{k=1}^{M} w_k^+ · attr_k^+ − Σ_{l=1}^{N} w_l^- · attr_l^-

where attr is the value of an attribute of the alarm and w its weight, attr_k^+ is the k-th positive-contribution attribute value, attr_l^- is the l-th negative-contribution attribute value, and M and N are the numbers of positive- and negative-contribution attributes of a_j. For attributes that are not numeric, attr^+ and attr^- stand for the quantified value of the attribute; attributes that cannot be quantified are ignored. In this embodiment a.rule.firedtimes is taken as a negative-contribution attribute and a.rule.level as a positive-contribution attribute, which gives

f(a) = w_lv · a.rule.level − w_ft · a.rule.firedtimes

where w_lv and w_ft are the weights of the contributions of the attributes rule.level and rule.firedtimes.

g(e_i) is defined in terms of two constants c_1 and c_2, whose values should be set for the situation at hand, and two distances: e_f and e_b are the first alarm-matched events reached by tracing forward and backward from e_i within seq, and d_f and d_b are the distances within seq from e_i to e_f and to e_b respectively (the expression for g(e_i) is given only as an image in the original).

(42) Given the score threshold δ, a sequence seq with S(seq) ≥ δ is converted into a final alarm. The final alarm contains the computed S(seq), the event sequence {e_1, e_2, ..., e_n}, the score {s(e_1), s(e_2), ..., s(e_n)} of each event and the HIDS alarms contained in the sequence.

The format of the final alarm in this embodiment is shown in Figure 6. The final alarm set FA consists of individual alarms {fa_1, fa_2, ..., fa_i, ...}, each with four fields {id, seq, score, description}, where:

id uniquely identifies the alarm.

seq is the corresponding event sequence and has three parts:

events records all audit events of the sequence. In Figure 6 the sequence of fa_i runs, in causal order, from e_root through e to e_leaf; each event has the same record format as a single event in Figure 3;

alerts is the list of alarms matched by each event, empty for an event that matched none. In Figure 6 event e matched the alarms {a_1, a_2, ...}; each alarm has the same record format as a single alarm in Figure 3;

e_score is the event score computed with s(e_i) from (41). In Figure 6, s(e_root), s(e) and s(e_leaf) are obtained by substituting e_root, e and e_leaf for e_i in that formula, and likewise for the events omitted from the figure.

score is the score of the whole sequence. In Figure 6 the score of the sequence of fa_i is computed with S(seq) from (41) and equals s(e_root) + ... + s(e) + ... + s(e_leaf).

description is the textual description of the alarm.
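Step 4 and the Figure 6 output format, as an added Python example that is not the patent's code. It implements f(a) with rule.level as the positive term and rule.firedtimes as the negative term, S(seq) as the sum of the event scores, the threshold δ and the {id, seq, score, description} layout. Because the original gives s(e_i) and g(e_i) only as images, the example assumes s(e_i) = Σ_j f(a_j) + g(e_i) with g(e_i) = c_1/d_f + c_2/d_b, where a missing neighbour contributes 0; the weights, constants, threshold and the two sample sequences are constructed.

```python
W_LV, W_FT = 1.0, 0.5   # w_lv and w_ft: assumed weights
C1, C2 = 1.0, 1.0       # c_1 and c_2 of g(e_i): assumed values
DELTA = 15.0            # score threshold delta: assumed value


def alert_score(a):
    """f(a) = w_lv * rule.level - w_ft * rule.firedtimes (the embodiment's choice)."""
    return W_LV * a["rule"]["level"] - W_FT * a["rule"]["firedtimes"]


def proximity(i, seq):
    """g(e_i) under the ASSUMED form c1/d_f + c2/d_b: d_f and d_b are the distances in seq
    from e_i to the nearest alarm-matched event forward and backward; none -> 0."""
    fwd = next((j for j in range(i + 1, len(seq)) if seq[j]["alerts"]), None)
    bwd = next((j for j in range(i - 1, -1, -1) if seq[j]["alerts"]), None)
    score = 0.0
    if fwd is not None:
        score += C1 / (fwd - i)
    if bwd is not None:
        score += C2 / (i - bwd)
    return score


def event_score(i, seq):
    """s(e_i), ASSUMED to be the sum of f over e_i's alarms plus g(e_i)."""
    return sum(alert_score(a) for a in seq[i]["alerts"]) + proximity(i, seq)


def sequence_score(seq):
    """S(seq) = s(e_1) + ... + s(e_n)."""
    return sum(event_score(i, seq) for i in range(len(seq)))


def final_alerts(seq_list, delta=DELTA):
    """(42): every sequence with S(seq) >= delta becomes a final alarm in the Figure 6 layout."""
    out = []
    for k, seq in enumerate(seq_list, start=1):
        score = sequence_score(seq)
        if score < delta:
            continue
        hids_ids = [a["id"] for row in seq for a in row["alerts"]]
        out.append({
            "id": "fa%d" % k,
            "seq": {
                "events": [row["event"] for row in seq],
                "alerts": [list(row["alerts"]) for row in seq],
                "e_score": [event_score(i, seq) for i in range(len(seq))],
            },
            "score": score,
            "description": "%d-event chain from %s to %s covering HIDS alarms %s" % (
                len(seq), seq[0]["event"]["id"], seq[-1]["event"]["id"], ", ".join(hids_ids)),
        })
    return out


# Constructed input: each row of a sequence is {"event": e, "alerts": [...]} as in matched_list.
def ev(eid, subject, obj, ts, op):
    return {"id": eid, "subject": subject, "object": obj, "timestamp": ts, "operation": op}


def al(aid, level, firedtimes):
    return {"id": aid, "rule": {"id": "r_" + aid, "type": "realtime", "level": level, "firedtimes": firedtimes}}


SEQ_A = [  # the download-and-persist chain; two of its events carry alarms
    {"event": ev("e1", ("process", "1001:bash"), ("process", "1002:curl"), 100.0, "fork"), "alerts": []},
    {"event": ev("e3", ("process", "1002:curl"), ("file", "/tmp/payload.sh"), 101.0, "write"), "alerts": [al("a1", 7, 1)]},
    {"event": ev("e4", ("process", "1003:sh"), ("file", "/tmp/payload.sh"), 102.0, "read"), "alerts": []},
    {"event": ev("e5", ("process", "1003:sh"), ("file", "/etc/cron.d/job"), 103.0, "write"), "alerts": [al("a2", 10, 3)]},
]
SEQ_B = [  # a routine chain carrying one low-level alarm from a rule that fires constantly
    {"event": ev("e6", ("process", "2001:sshd"), ("file", "/var/log/wtmp"), 110.0, "write"), "alerts": []},
    {"event": ev("e7", ("process", "2002:last"), ("file", "/var/log/wtmp"), 111.0, "read"), "alerts": [al("a3", 3, 10)]},
]

if __name__ == "__main__":
    for fa in final_alerts([SEQ_A, SEQ_B]):
        print(fa["id"], fa["score"], fa["seq"]["e_score"], fa["description"])
```

SEQ_A scores 1.0 + 7.0 + 2.0 + 9.0 = 19.0 and becomes fa1; SEQ_B scores 1.0 − 2.0 = −1.0 and is dropped, because a rule that has already fired ten times at level 3 contributes less than nothing. That is the intended effect of the negative firedtimes term, but it cuts both ways: a high-level rule that an attacker's tool trips repeatedly is suppressed just as hard, so w_ft needs calibrating against the rule set's actual fire counts. Since S(seq) is a plain sum, long sequences also accumulate proximity score, so δ should be chosen with the typical sequence length in mind.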

The present invention proposes a HIDS alarm tracing method based on the system audit log. Starting from the alarms produced by the HIDS and the host's system audit log, it matches HIDS alarms of different types with audit events so as to locate the alarm points within the global traceability relation; starting from the alarm-point events, causal tracing builds the event sequences that contain those alarm points; and scoring those sequences yields high-level alarms that carry the sequence information. Compared with the raw HIDS alarms, alarms that share a root cause are kept within the sequence of one high-level alarm, which reduces the number of alarms and the manual workload. Compared with other intrusion-tracing methods, it makes full use of the alarms produced by the different kinds of HIDS rules, which widens the detection surface and reduces missed detections.

The preferred embodiments of the present invention have been described in detail above, but the invention is not limited to the specific details of those embodiments. Within the scope of the technical concept of the invention, many equivalent transformations can be made to its technical solution, and all of them fall within the scope of protection of the present invention.

Claims (4)

1. A HIDS alarm tracing method based on a system audit log, applied to host intrusion detection alarm analysis, characterised by comprising the following steps:
(1) processing the HIDS alarms and the system audit log into a data format containing specified contents to obtain a processed global alarm A and a processed global system audit log E;
(2) associating each alarm a in the global alarm A with the system audit events e in the global system audit log E to obtain an event list matched_list with alarm marks;
(3) proceeding from the events in the event list matched_list, performing forward tracking and backward tracing in the global system audit log E by using the causal relationship to obtain the event sequences associated with alarms, and storing the event sequences in a sequence list seq_list;
(4) scoring each sequence in the sequence list seq_list according to a sequence scoring mechanism by combining the alarm information associated with the events in the sequence to obtain a sequence score, and converting each sequence whose score exceeds a set threshold value into a final alarm to be output;
wherein the data format in step (1) comprises an alarm format and a corresponding system audit event format for the system audit log, wherein:
the alarm format comprises {id, timestamp, data, rule};
id is used to index and identify the alarm;
timestamp represents the timestamp of the alarm generation;
data comprises the specific content of the alarm and at least comprises the two parts data.entity and data.description:
data.entity is information about the system entity that triggered the alarm; the system entity comprises files, network connections and processes, and for a Windows system the registry is also a type of system entity; the data.entity of alarms triggered by different types of system entity contains different content: for an alarm triggered by a file-type system entity, data.entity contains the path of the file; for an alarm triggered by a network-connection-type system entity, data.entity contains the domain name or IP address and the port of the network connection; for an alarm triggered by a process-type system entity, data.entity contains the process ID and the process name; and for an alarm generated by a registry-type system entity on a Windows system, data.entity contains the key and value of the corresponding registry entry;
data.description is the description information of the alarm content;
rule represents the rule related to the alarm;
rule at least comprises the information {rule.id, rule.type, rule.level}, wherein rule.id represents the unique identifier of the rule and is used for quickly locating the rule; rule.type represents the type of the rule corresponding to the alarm, namely real-time matching or periodic detection; real-time matching means that the rule is used for matching the latest logs generated in the system in real time, the alarm generated by such a rule is generated immediately when an intrusion event occurs in the system, the alarm time is synchronous with the time of the intrusion behaviour, and the alarm generated by such a rule is a real-time alarm; a periodic detection rule is used for matching the detection results of the detection program periodically executed by the HIDS, the alarm generated by such a rule is generated only when the HIDS executes the periodic detection task, the alarm time is not synchronous with the time of the intrusion behaviour, and the alarm generated by such a rule is a periodic detection alarm; rule.level represents the level of risk of the event triggering the rule, the risk representing the possibility that the event is an intrusion behaviour and the severity of the consequences after it occurs;
id, timestamp and the subfields of data and rule in the alarm belong to the attributes of the alarm;
the set of all processed HIDS alarms forms the global alarm A;
the system audit event format comprises {subject, object, timestamp, operation};
subject represents the subject of the event, namely the system entity that initiates the action in the event;
object represents the object of the event, namely the system entity that receives the action;
timestamp represents the timestamp of the occurrence of the event;
operation represents the specific operation executed by the subject on the object, and comprises a process reading or writing a file, a process creating a subprocess, a process sending information to or receiving information from a remote network connection, a process reading or writing the registry under Windows, and other recorded operations between system entities;
and the set formed by all the system audit events is the global system audit log E.
2. The HIDS alarm tracing method based on system audit log according to claim 1, wherein step (2) specifically comprises the following steps:
(21) For an alarm a_i in the global alarm set A, first judge whether a_i was generated by periodic detection; if so, jump to (23); if it is a real-time alarm, continue with (22);
(22) Search the global system audit log E for the system audit event whose timestamp is closest to the timestamp of a_i and denote it e_j. If |e_j.timestamp - a_i.timestamp| > Threshold_TS, the match is considered to have failed, i.e. no system audit event associated with a_i can be found, and jump to (25); otherwise jump to (24). Threshold_TS is the timestamp association threshold: if the difference between two timestamps is not greater than the threshold, they are regarded as the same time;
(23) For alarms generated by periodic detection, untimely handling may cause the same alarm to be triggered several times for the same cause, so repeated alarms must be merged: find in the global alarm set A the alarms that repeat a_i, keep only one of them as a_i and delete the remaining repeated alarms; then take each event in the global system audit log E in turn as e_j and execute (24);
(24) Judge whether the system entity involved in the subject or the object of e_j is the same system entity as the one corresponding to a_i.data.entity. If so, e_j and a_i are considered associated: e_j and a_i are connected to obtain e_j:a_i, which is added to matched_list, i.e. alarm a_i is added to event e_j as a marker. If not, e_j and a_i are considered unrelated;
(25) Repeat (21) to (24) until the association attempt has been completed for all alarms in the global alarm set A, finally obtaining the event list matched_list with alarm marks;
matched_list keeps every event associated with an alarm together with the alarm information associated with that event, so matched_list has at least two columns, the system audit event and the alarm; the system audit event column is the index column. Because one system audit event may be associated with several alarms, when an item e_j:a_i is added to matched_list the event column is first searched for e_j. If e_j is already present, a_i is only appended to the end of the alarm column of that row, so that the row changes from {e_j, {a_j1, a_j2, ...}} to {e_j, {a_j1, a_j2, ..., a_i}}, where a_j1, a_j2, ... are the other alarms already matched to e_j. If e_j is not present, {e_j, {a_i}} is added directly as a new row.
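As an added worked example of steps (21) to (25), and not code from the patent or its authors, the following Python builds matched_list from a constructed audit log and alarm set. The record layout, the `reason` field used to recognise a periodic alarm repeated for the same cause, and the value of Threshold_TS are assumptions; the claim fixes only the procedure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """System audit event: subject performs operation on object (assumed layout)."""
    id: str
    timestamp: float
    subject: str
    operation: str
    object: str


@dataclass(frozen=True)
class Alarm:
    """HIDS alarm. `entity` plays the role of a_i.data.entity; `reason` is an assumed
    field used to recognise a periodic alarm that fired repeatedly for the same cause."""
    id: str
    timestamp: float
    periodic: bool
    entity: str
    reason: str


THRESHOLD_TS = 1.0  # Threshold_TS in seconds (assumed value)


def related(e, a):
    """Step (24): the alarm's entity is the subject or the object of the event."""
    return a.entity in (e.subject, e.object)


def build_matched_list(E, A, threshold=THRESHOLD_TS):
    """Steps (21) to (25): returns matched_list as {event id: [alarm ids]}."""
    matched = {}
    kept_periodic = set()           # reasons of periodic alarms already kept (step 23)

    def add(e, a):                  # row update of matched_list described in the claim
        row = matched.setdefault(e.id, [])
        if a.id not in row:
            row.append(a.id)

    for a in A:                     # step (21): branch on the alarm type
        if a.periodic:              # step (23): merge repeats, then scan every event
            if a.reason in kept_periodic:
                continue
            kept_periodic.add(a.reason)
            for e in E:
                if related(e, a):
                    add(e, a)
        else:                       # step (22): nearest event by timestamp
            e = min(E, key=lambda ev: abs(ev.timestamp - a.timestamp))
            if abs(e.timestamp - a.timestamp) > threshold:
                continue            # no associated event for this alarm
            if related(e, a):
                add(e, a)
    return matched                  # step (25)


# Constructed sample data (not from the patent).
EVENTS = [
    Event("e1", 100.0, "bash", "write", "/tmp/x.sh"),
    Event("e2", 100.5, "/tmp/x.sh", "connect", "203.0.113.7:4444"),
    Event("e3", 101.0, "/tmp/x.sh", "write", "/etc/cron.d/job"),
]
ALARMS = [
    Alarm("a1", 100.6, False, "/tmp/x.sh", "outbound-c2"),        # real-time, matches e2
    Alarm("a2", 150.0, False, "/tmp/x.sh", "outbound-c2"),        # real-time, too far from any event
    Alarm("a3", 200.0, True, "/etc/cron.d/job", "cron-persist"),  # periodic, matches e3
    Alarm("a4", 260.0, True, "/etc/cron.d/job", "cron-persist"),  # repeat of a3, merged away
    Alarm("a5", 101.1, False, "/etc/cron.d/job", "cron-write"),   # real-time, second alarm on e3
]

if __name__ == "__main__":
    for eid, alarm_ids in build_matched_list(EVENTS, ALARMS).items():
        print(eid, alarm_ids)
```

Running it prints two rows, e2 with a1 and e3 with a3 and a5: a2 is dropped by the timestamp threshold, a4 is merged into a3, and e3 shows the one-event-many-alarms row the claim describes.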
3. The HIDS alarm tracing method based on system audit log according to claim 1, wherein step (3) specifically comprises the following steps:
(31) Trace one event e of matched_list backward in the global system audit log E according to the causal relationship until a root-cause event e_r that has no cause event is found, obtaining a backward tracing sequence {e_r, ..., e_b2, e_b1, e}, which represents a sequence of events that influenced the occurrence of e; the number of backward tracing sequences finally found in E is denoted m;
(32) Track the event e forward in the global system audit log E until an end event e_l that has no result event is found, obtaining a forward tracking sequence {e, e_f1, e_f2, ..., e_l}, which represents a sequence of events influenced by e; the number of forward tracking sequences finally found in E is denoted n;
(33) Combine and join the m backward tracing sequences with the n forward tracking sequences to obtain m × n sequences related to event e, and store them in the sequence list seq_list;
(34) Select from matched_list the next event that does not yet appear in seq_list as the next e;
(35) Repeat steps (31) to (34) until tracing has been completed for all events in matched_list; seq_list then holds all event sequences that may be associated with HIDS alarms;
The causal relationship in steps (31) and (32) is defined as follows:
Causal relationship: within a single system audit event a causal relationship exists between the subject and the object, but its direction depends on the type of operation and reflects the direction in which information flows in the event. If the information in the event flows from the subject to the object through the operation, the subject is the cause entity and the object is the result entity; conversely, the object is the cause entity and the subject is the result entity;
A causal relationship exists between two system audit events e_c and e_e when the result entity of e_c and the cause entity of e_e are the same system entity and e_c occurs earlier than e_e; e_c is then a cause event of e_e, and e_e is a result event of e_c;
Forward tracking and backward tracing in these steps mean:
Forward tracking: starting from an event e, the operation of finding the subsequent result events of e;
Backward tracing: starting from an event e, the operation of finding the preceding cause events of e.
4. The HIDS alarm tracing method based on system audit log according to claim 1, wherein step (4) is as follows:
(41) Calculate an evaluation score for each sequence. For the sequence seq = {e_1, e_2, ..., e_n} the score is S(seq), obtained by adding the scores of all events in the sequence:

$$S(\mathrm{seq}) = \sum_{i=1}^{n} s(e_i)$$

The sequence seq contains n events; e_i denotes the i-th event in the sequence and its score is s(e_i), computed by the following formula:

[formula for s(e_i): image FDA0003806043530000042, not reproduced]

where f(a_j) computes the contribution of alarm a_j to the score of event e_i, that is, the alarm scoring method: a contribution to the score is set for each attribute attr of the alarm, and the contributions of the attributes of a_j are combined linearly, giving the alarm score formula:

[formula for f(a_j): image FDA0003806043530000043, not reproduced]

attr denotes the value of an attribute of the alarm and w the weight of that attribute. The attribute values are divided into positive-contribution attribute values (the k-th of which carries its own symbol in the original formula) and negative-contribution attribute values (likewise the l-th), and M and N are the numbers of positive- and negative-contribution attributes of alarm a_j. For a non-numeric attribute these symbols denote the value after quantization; attributes that cannot be quantized are not considered.

g(e_i) is set as follows:

[formula for g(e_i): image FDA0003806043530000051, not reproduced]

where c_1 and c_2 are constants whose values are set case by case; e_f and e_b are, respectively, the first alarm-matched events reached from e_i in seq by forward tracking and by backward tracing; and d_f and d_b are the distances in seq from e_i to e_f and to e_b, i.e. the number of events passed going from e_i to e_f and from e_i to e_b;
(42) Given the score threshold δ, when S(seq) ≥ δ the sequence seq is converted into a final alarm for output. The final alarm contains the computed S(seq), the event sequence {e_1, e_2, ..., e_n} of seq, the computed score s(e_1), s(e_2), ..., s(e_n) of each event, and the HIDS alarm information contained in the sequence.
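As an added worked example of steps (31) to (35) and (41) to (42), and not code from the patent or its authors, the following Python runs the backward and forward causal tracing over a constructed audit log and scores the resulting sequences. Everything the claims leave open is an assumption here: which operations carry information from object to subject, the exact form of s(e_i) (taken as the sum of f(a_j) over the alarms matched to e_i plus g(e_i)), the linear form of f(a_j) as weighted positive contributions minus weighted negative contributions, the form of g(e_i) as c_1/(1 + d_f) + c_2/(1 + d_b) with a term dropped when no alarm-matched event exists in that direction, the weights, the quantisation table, and all sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: str
    timestamp: float
    subject: str
    operation: str
    object: str


# Operations whose information flows from the object to the subject (assumed mapping);
# every other operation flows from the subject to the object.
FLOW_FROM_OBJECT = {"read", "exec", "recv"}


def cause_entity(e):
    return e.object if e.operation in FLOW_FROM_OBJECT else e.subject


def result_entity(e):
    return e.subject if e.operation in FLOW_FROM_OBJECT else e.object


def trace_back(e, E):
    """Step (31): every sequence {e_r, ..., e_b1, e} that ends at a root cause e_r."""
    causes = [c for c in E if c.timestamp < e.timestamp and result_entity(c) == cause_entity(e)]
    return [[e]] if not causes else [p + [e] for c in causes for p in trace_back(c, E)]


def trace_forward(e, E):
    """Step (32): every sequence {e, e_f1, ..., e_l} that ends at an end event e_l."""
    results = [r for r in E if r.timestamp > e.timestamp and cause_entity(r) == result_entity(e)]
    return [[e]] if not results else [[e] + p for r in results for p in trace_forward(r, E)]


def build_seq_list(E, matched):
    """Steps (33) to (35): m x n joined sequences for each matched event not yet covered."""
    by_id = {e.id: e for e in E}
    seq_list, covered = [], set()
    for eid in matched:                       # step (34)
        if eid in covered:
            continue
        e = by_id[eid]
        for b in trace_back(e, E):
            for f in trace_forward(e, E):
                seq = b + f[1:]               # step (33): join the two halves at e
                seq_list.append(seq)
                covered.update(x.id for x in seq)
    return seq_list


SEVERITY = {"low": 1, "medium": 2, "high": 3}    # quantisation of a non-numeric attribute
POS_W = {"severity": 1.0, "confidence": 2.0}      # positive-contribution attribute weights
NEG_W = {"false_positive_rate": 1.0}              # negative-contribution attribute weights


def quantize(name, value):
    return SEVERITY[value] if name == "severity" else float(value)


def alarm_score(attrs):
    """f(a_j): weighted positive contributions minus weighted negative contributions."""
    pos = sum(w * quantize(k, attrs[k]) for k, w in POS_W.items() if k in attrs)
    neg = sum(w * quantize(k, attrs[k]) for k, w in NEG_W.items() if k in attrs)
    return pos - neg


def proximity(seq, i, matched, c1=1.0, c2=1.0):
    """g(e_i): d_f and d_b are the distances to the nearest alarm-matched events ahead and behind."""
    def dist(indices):
        return next((abs(j - i) for j in indices if seq[j].id in matched), None)
    d_f, d_b = dist(range(i + 1, len(seq))), dist(range(i - 1, -1, -1))
    return (c1 / (1 + d_f) if d_f is not None else 0.0) + (c2 / (1 + d_b) if d_b is not None else 0.0)


def event_score(seq, i, matched, alarms):
    """s(e_i): sum of f(a_j) over the alarms matched to e_i, plus g(e_i)."""
    return sum(alarm_score(alarms[a]) for a in matched.get(seq[i].id, [])) + proximity(seq, i, matched)


def seq_score(seq, matched, alarms):
    """S(seq): sum of s(e_i) over the sequence."""
    return sum(event_score(seq, i, matched, alarms) for i in range(len(seq)))


def final_alarms(seq_list, matched, alarms, delta):
    """Step (42): sequences scoring at least delta become final alarms."""
    out = []
    for seq in seq_list:
        score = seq_score(seq, matched, alarms)
        if score >= delta:
            out.append({"score": score, "events": [e.id for e in seq],
                        "event_scores": [event_score(seq, i, matched, alarms) for i in range(len(seq))],
                        "alarms": sorted({a for e in seq for a in matched.get(e.id, [])})})
    return out


# Constructed sample data (not from the patent): an SSH session writes and runs a script
# that installs a cron job and opens an outbound connection.
EVENTS = [
    Event("e1", 1.0, "sshd", "recv", "198.51.100.9:52110"),
    Event("e2", 2.0, "sshd", "fork", "bash"),
    Event("e3", 3.0, "bash", "write", "/tmp/x.sh"),
    Event("e4", 4.0, "x.sh", "exec", "/tmp/x.sh"),
    Event("e5", 5.0, "x.sh", "write", "/etc/cron.d/job"),
    Event("e6", 6.0, "x.sh", "connect", "203.0.113.7:4444"),
    Event("e7", 7.0, "cron", "read", "/etc/cron.d/job"),
]
MATCHED = {"e4": ["a1"], "e5": ["a2"]}       # matched_list from step (2), assumed
ALARMS = {"a1": {"severity": "high", "confidence": 0.9, "false_positive_rate": 0.2},
          "a2": {"severity": "medium", "confidence": 0.8, "false_positive_rate": 0.5}}

if __name__ == "__main__":
    for fa in final_alarms(build_seq_list(EVENTS, MATCHED), MATCHED, ALARMS, delta=8.0):
        print(fa)
```

With this data, e4 has one backward tracing sequence (e1, e2, e3, e4) and two forward tracking sequences (e4, e5, e7) and (e4, e6), so m × n = 2 sequences are produced; e5 is already covered by the first of them and is not traced again. Only the sequence through the cron job reaches the threshold of 8, because it carries both alarms and its unmatched events sit close to them, which is the effect the g(e_i) term is meant to have.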
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210997131.6A CN115378793B (en) 2022-08-19 2022-08-19 HIDS alarm tracing method based on system audit log

Publications (2)

Publication Number Publication Date
CN115378793A true CN115378793A (en) 2022-11-22
CN115378793B CN115378793B (en) 2023-05-16

Family

ID=84064983

Country Status (1)

Country Link
CN (1) CN115378793B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116743556A (en) * 2023-06-06 2023-09-12 广州大学 Traceability graph construction and pruning methods, devices and media based on system audit logs

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040049693A1 (en) * 2002-09-11 2004-03-11 Enterasys Networks, Inc. Modular system for detecting, filtering and providing notice about attack events associated with network security
CN103428177A (en) * 2012-05-18 2013-12-04 中兴通讯股份有限公司 Configuration and generation method and device for cloud environment audit logs and/or security events
CN107682351A (en) * 2017-10-20 2018-02-09 携程旅游网络技术(上海)有限公司 Method, system, equipment and the storage medium of network security monitoring
CN111858482A (en) * 2020-07-15 2020-10-30 北京市燃气集团有限责任公司 Attack event tracing and tracing method, system, terminal and storage medium
CN114615063A (en) * 2022-03-14 2022-06-10 清华大学 Attack tracing method and device based on log correlation analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
冯瑞: "Design and Implementation of a Virtual Machine Security Event Tracing System Based on Log Analysis", 北京邮电大学 (Beijing University of Posts and Telecommunications) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant