Computer Engineering, 2008, Vol. 34, Issue (17): 173-175. doi: 10.3969/j.issn.1000-3428.2008.17.061

• Security Technology •

Framework and Key Technology for Security Event Synthetically Analysis System

LI Hong-jiang, ZHOU Bao-qun, ZHAO Bin

  1. (Institute of Electronic Technology, PLA Information Engineering University, Zhengzhou 450004)
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2008-09-05 Published: 2008-09-05

Abstract: Network security is commonly ensured by deploying security products such as intrusion detection systems (IDS), firewalls, antivirus software and integrity checking systems. In practice this causes problems of its own: IDS produce false and missed alerts, real alerts are mixed with false ones, and firewall logs grow too large to manage, so the security of the overall system is hard to guarantee. This paper proposes a comprehensive security event analysis and processing system consisting of event collection and preprocessing, alert suppression and aggregation, attack reconstruction, and analysis and handling of the correlation results. This process reduces, to some extent, the false and missed alerts of intrusion detection, and makes it easier for administrators to see the overall security status of the system. The two core techniques of the system, suppression/aggregation and attack reconstruction, are described.

Key words: log and alert, system framework, aggregation, attack reconstruction
