CN101771582B - Safety monitoring correlation analysis method based on state machine - Google Patents


Info

Publication number: CN101771582B
Application number: CN200910243576XA
Authority: CN (China)
Other versions: CN101771582A (en)
Other languages: Chinese (zh)
Prior art keywords: security state, security event, target system, attack, alarm
Inventors: 王雪飞, 苏砫, 郭唤斌, 张志雄, 黄理, 方腾飞, 依鹏涛
Original assignee: Beijing Shenzhou Taiyue Software Co Ltd
Current assignee: Beijing Shenzhou Taiyue Software Co Ltd
Legal status: Active

Abstract

The invention discloses a state-machine-based security monitoring correlation analysis method comprising the following steps: determining the security state corresponding to each attack phase of an attack scenario of a target system, where an attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviours occur; classifying the security events detected by the target system's monitoring program that are relevant to the attack scenario, and building a lookup table that maps security events to security states; and checking and recording the security state of the target system according to that table. The method can retain the security state of assets for a longer period while keeping the system's running speed acceptable; it can detect distributed attacks on the system; it can determine the security state of the system even when no accurate attack scenario has been defined; and it can reconstruct the path by which the system was attacked, providing a basis for investigation and evidence collection.

Description

A state-machine-based security monitoring correlation analysis method and system
Technical field
The present invention relates to the field of network security technology, and in particular to a state-machine-based security monitoring correlation analysis method and system.
Background technology
Traditional approaches to reconstructing the attack scenario of a multi-step attack mainly rely on sequential (temporal) correlation.
The main implementation procedure of traditional attack scenario reconstruction is as follows:
(1) Define attack scenarios by hand, expressing the attack process to be detected as rules.
(2) Match the detected security events against the rules; if a rule is matched, raise an alarm.
Drawbacks of this prior art:
(1) It requires accurately defined attack scenarios.
(2) When too many attack scenarios are defined, every security event must be matched against every scenario, and the detection efficiency of the system drops noticeably.
(3) When attackers carry out a coordinated attack, too many security states must be maintained, which reduces the detection efficiency of the system.
Summary of the invention
(1) Object of the invention
The purpose of this invention is to provide a state-machine-based security monitoring correlation analysis method that solves the problems of multi-step event detection, of using multi-source data to judge the state of a system, and of cooperative network attacks.
(2) summary of the invention
A state-machine-based security monitoring correlation analysis method comprises the following steps:
S1: Determine the security state corresponding to each attack phase of an attack scenario of the target system, where an attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviours occur;
S2: Classify the security events detected by the target system's monitoring program that are relevant to the attack scenario, and build a lookup table of security states and security events;
S3: Check and record the security state of the target system according to the lookup table.
Step S3 comprises:
When the target system receives an alarm from the monitoring program, check whether the target system's security state in the lookup table is the predecessor of the security state corresponding to the security event in the alarm. If it is, change the target system's security state to the state corresponding to the event in the alarm. Otherwise, search whether the target system has a corresponding security event in the preceding phase; if one is found, change the target system's security state to the state corresponding to the event in the alarm; if not, still change the target system's security state to the state corresponding to the event in the alarm, but mark that state as uncertain.
The security states comprise: target system information collected, privileges obtained, backdoor planted, and logs cleared.
A state-machine-based security monitoring correlation analysis system comprises:
An attack scenario determination module, for determining the security state corresponding to each attack phase of an attack scenario of the target system, where an attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviours occur;
A lookup table construction module, for classifying the security events detected by the target system's monitoring program that are relevant to the attack scenario and building a lookup table of security states and security events;
A security state recording module, for checking and recording the security state of the target system according to the lookup table.
The security state recording module comprises:
A predecessor state judging module which, when the target system receives an alarm from the monitoring program, checks whether the target system's security state in the lookup table is the predecessor of the security state corresponding to the security event in the alarm; if so, the current security state setting module is invoked, otherwise the preceding phase search module is invoked;
A current security state setting module, for changing the target system's security state to the state corresponding to the security event in the alarm;
A preceding phase search module, for searching whether the target system has a corresponding security event in the preceding phase; if one is found, the current security state setting module is invoked, otherwise the uncertain security state setting module is invoked;
An uncertain security state setting module, for changing the target system's security state to the state corresponding to the security event in the alarm and marking that state as uncertain.
(3) beneficial effect
The state-machine-based security monitoring correlation analysis method of the present invention has the following beneficial effects:
(1) It can retain the security state of assets for a longer period while keeping the system's running speed acceptable;
(2) It can detect distributed attacks on the system;
(3) It can determine the security state of the system even when no accurate attack scenario has been defined;
(4) It can analyse the path by which the system was attacked, providing a basis for investigation and evidence collection.
Description of drawings
Fig. 1 is a flow chart of the state-machine-based security monitoring correlation analysis method of the present invention.
Embodiment
The state-machine-based security monitoring correlation analysis method proposed by the present invention is described below with reference to the accompanying drawing and embodiments.
As shown in Fig. 1, step S1 determines the security state corresponding to each attack phase of an attack scenario of the target system. An attack scenario is the set of security events produced when interdependent, time-ordered interactive behaviours occur; by composing attack scenarios from rules, genuine attacks can be recognised and the attacker's next action predicted. Security states generally include: target system information collected, privileges obtained, backdoor planted, logs cleared, and so on.
In step S2, the security events detected by each monitoring program that are relevant to the attack scenario are classified, and a lookup table of security states and security events is built, i.e. a table mapping each attack phase to its security events, as shown in Table 1:
Table 1: Correspondence between attack phases and security events
[Table 1 appears only as an image (figure GDA0000081134730000041) in the original publication; its cell contents are not available in the text.]
In the table, each attack phase corresponds to one security state, and the security events listed for it are the events observed when that security state is reached.
Step S3 checks and records the security state of the target system on which the asset resides, according to the lookup table above. Specifically, when the system receives an alarm Alert_new from the monitoring program, step S31 checks whether the target system's security state in the lookup table is the predecessor of the security state corresponding to the security event in Alert_new. If so, the target system's security state is changed to that state (step S32) and processing ends. For example: an alarm Alert_new is received whose security event (e.g. flooding) corresponds to the security state "privileges obtained"; the method checks whether the system's state in the lookup table is marked "system information collected", and if so changes the system's state to "privileges obtained". If the condition is not satisfied, step S33 searches whether the target system has a corresponding security event in the preceding phase; if one is found, the target system's security state is changed to the state corresponding to the security event in Alert_new and processing ends. Otherwise, the system's security state is still changed to the state corresponding to the security event in the alarm, but that state is marked as uncertain.
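The following is an added Python example, not code from the patent, implementing the per-host state machine of steps S1 to S3 as described in the summary and in the embodiment above (steps S31 to S33, including the "flooding" example). Because Table 1 is only an image in the original, every event name other than "flooding", the order of the four security states, and the "normal" starting state are assumptions; the sample alert stream is constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# S1: the ordered security states of the attack scenario. The four states are
# the ones the patent names; their order is assumed here. "normal" is an
# assumed starting state for a host that has not reached any phase yet.
INITIAL = "normal"
STATES = ["info_collected", "privileges_obtained", "backdoor_planted", "logs_cleared"]
PREDECESSOR: Dict[str, str] = {STATES[0]: INITIAL}
for _prev, _cur in zip(STATES, STATES[1:]):
    PREDECESSOR[_cur] = _prev

# S2: lookup table from security-event class to the security state it indicates.
# Only "flooding" -> privileges_obtained comes from the page; the other event
# names are constructed for this example (Table 1 is an image in the original).
EVENT_TO_STATE: Dict[str, str] = {
    "port_scan": "info_collected",
    "banner_grab": "info_collected",
    "flooding": "privileges_obtained",
    "privilege_escalation": "privileges_obtained",
    "new_startup_service": "backdoor_planted",
    "unknown_listener": "backdoor_planted",
    "log_file_truncated": "logs_cleared",
}


@dataclass
class Alert:
    """An alarm from the monitoring program (constructed shape)."""
    host: str
    event: str
    ts: int


@dataclass
class HostState:
    state: str = INITIAL
    uncertain: bool = False
    # events seen on this host, grouped by the state they map to (used by S33)
    seen: Dict[str, List[str]] = field(default_factory=dict)
    # (ts, event, resulting state, uncertain): the "attacked track" of the host
    trail: List[Tuple[int, str, str, bool]] = field(default_factory=list)


class Correlator:
    """S3: one state machine per target host, driven by the lookup table."""

    def __init__(self) -> None:
        self.hosts: Dict[str, HostState] = {}

    def handle(self, alert: Alert) -> Optional[Tuple[str, bool]]:
        target = EVENT_TO_STATE.get(alert.event)
        if target is None:
            return None  # not in the table: belongs to no tracked scenario
        hs = self.hosts.setdefault(alert.host, HostState())
        hs.seen.setdefault(target, []).append(alert.event)
        pred = PREDECESSOR[target]
        if hs.state == pred:
            # S31/S32: the current state is the predecessor of the alarm's state
            hs.state, hs.uncertain = target, False
        elif pred == INITIAL or hs.seen.get(pred):
            # S33: an event of the preceding phase was seen earlier (the first
            # phase has no preceding phase, so it is treated as satisfied)
            hs.state, hs.uncertain = target, False
        else:
            # no evidence of the preceding phase: take the state, mark uncertain
            hs.state, hs.uncertain = target, True
        hs.trail.append((alert.ts, alert.event, hs.state, hs.uncertain))
        return hs.state, hs.uncertain

    def trail_for(self, host: str) -> List[Tuple[int, str, str, bool]]:
        """The recorded attack path of a host, for investigation."""
        return list(self.hosts[host].trail) if host in self.hosts else []


# Constructed alert stream: one host moving through all four phases in order,
# another host whose backdoor alarm arrives with no earlier phase observed.
SAMPLE_ALERTS = [
    Alert("10.0.0.5", "port_scan", 100),
    Alert("10.0.0.5", "flooding", 160),
    Alert("10.0.0.5", "new_startup_service", 240),
    Alert("10.0.0.5", "log_file_truncated", 300),
    Alert("10.0.0.9", "new_startup_service", 120),
    Alert("10.0.0.9", "flooding", 200),
]


def run(alerts: List[Alert]) -> Dict[str, Tuple[str, bool]]:
    """Feed alerts through the correlator; return final (state, uncertain) per host."""
    c = Correlator()
    for a in alerts:
        c.handle(a)
    return {h: (s.state, s.uncertain) for h, s in c.hosts.items()}


if __name__ == "__main__":
    for host, (state, uncertain) in run(SAMPLE_ALERTS).items():
        print(f"{host}: {state}{' (uncertain)' if uncertain else ''}")
```

In this example the S33 search is answered from the per-host record of events already seen, so an alarm that arrives out of order (for instance a second privilege-phase event while the host is already past that phase) is still accepted as certain as long as an event of the preceding phase was recorded earlier; only a phase with no observed prerequisite is marked uncertain. Events absent from the lookup table are ignored rather than advancing any state, which is what keeps the per-host state small.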
A state-machine-based security monitoring correlation analysis system comprises:
An attack scenario determination module, for determining the security state corresponding to each attack phase of an attack scenario of the target system, where an attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviours occur; a lookup table construction module, for classifying the security events detected by the target system's monitoring program that are relevant to the attack scenario and building a lookup table of security states and security events; and a security state recording module, for checking and recording the security state of the target system according to the lookup table.
The security state recording module comprises:
A predecessor state judging module which, when the target system receives an alarm from the monitoring program, checks whether the target system's security state in the lookup table is the predecessor of the security state corresponding to the security event in the alarm; if so, the current security state setting module is invoked, otherwise the preceding phase search module is invoked; a current security state setting module, for changing the target system's security state to the state corresponding to the security event in the alarm; a preceding phase search module, for searching whether the target system has a corresponding security event in the preceding phase, invoking the current security state setting module if one is found and the uncertain security state setting module otherwise; and an uncertain security state setting module, for changing the target system's security state to the state corresponding to the security event in the alarm and marking that state as uncertain.
The above embodiments serve only to illustrate the present invention and do not limit it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention shall be defined by the claims.

Claims (3)

1. A state-machine-based security monitoring correlation analysis method, characterised in that it comprises the following steps:
S1: Determine the security state corresponding to each attack phase of an attack scenario of the target system, where an attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviours occur;
S2: Classify the security events detected by the target system's monitoring program that are relevant to the attack scenario, and build a lookup table of security states and security events;
S3: Check and record the security state of the target system according to the lookup table, which specifically comprises:
When the target system receives an alarm from the monitoring program, check whether the target system's security state in the lookup table is the predecessor of the security state corresponding to the security event in the alarm. If it is, change the target system's security state to the state corresponding to the event in the alarm. Otherwise, search whether the target system has a corresponding security event in the preceding phase; if one is found, change the target system's security state to the state corresponding to the event in the alarm; if not, still change the target system's security state to the state corresponding to the event in the alarm, but mark that state as uncertain.
2. The state-machine-based security monitoring correlation analysis method according to claim 1, characterised in that the security states comprise: target system information collected, privileges obtained, backdoor planted, and logs cleared.
3. A state-machine-based security monitoring correlation analysis system, characterised in that it comprises:
An attack scenario determination module, for determining the security state corresponding to each attack phase of an attack scenario of the target system, where an attack scenario is the set of security events generated when interdependent, time-ordered interactive behaviours occur;
A lookup table construction module, for classifying the security events detected by the target system's monitoring program that are relevant to the attack scenario and building a lookup table of security states and security events;
A security state recording module, for checking and recording the security state of the target system according to the lookup table, which specifically comprises:
A predecessor state judging module which, when the target system receives an alarm from the monitoring program, checks whether the target system's security state in the lookup table is the predecessor of the security state corresponding to the security event in the alarm; if so, the current security state setting module is invoked, otherwise the preceding phase search module is invoked;
A current security state setting module, for changing the target system's security state to the state corresponding to the security event in the alarm;
A preceding phase search module, for searching whether the target system has a corresponding security event in the preceding phase; if one is found, the current security state setting module is invoked, otherwise the uncertain security state setting module is invoked;
An uncertain security state setting module, for changing the target system's security state to the state corresponding to the security event in the alarm and marking that state as uncertain.

Application record

Application CN200910243576XA, filed 2009-12-28 (priority date 2009-12-28), title "Safety monitoring correlation analysis method based on state machine", status Active; family ID 42504198; country CN.
Publications: CN101771582A, published 2010-07-07; CN101771582B (granted patent), published 2011-12-14.


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of the request for substantive examination)
C14 / GR01: Grant of patent
CP02: Change in the address of the patent holder
Address before: Building 28, 5th floor, Wanliu New City, Wanquanzhuang Road, Haidian District, Beijing 100089
Address after: Room 818, 8/F, 34 Haidian Street, Haidian District, Beijing 100080
Patentee before and after: BEIJING ULTRAPOWER SOFTWARE Co.,Ltd.