
CN116633695B - Security rule base management method, device, computer equipment and storage medium - Google Patents


Info

Publication number: CN116633695B
Authority: CN (China)
Prior art keywords: rule, security, event, group, liveness
Legal status: Active (status is Google's assumption, not a legal conclusion)
Application number: CN202310906721.8A
Other languages: Chinese (zh)
Other versions: CN116633695A
Inventors: 邓博仁, 汪来富, 刘东鑫, 谢泳, 吴波
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Events: application filed by China Telecom Corp Ltd; priority to CN202310906721.8A; publication of CN116633695A; application granted; publication of CN116633695B; priority to PCT/CN2023/140249 (WO2025020439A1)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: for managing network security; network security policies in general
    • H04L63/02: for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0263: Rule management
    • H04L63/14: for detecting or protecting against malicious traffic
    • H04L63/1408: by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection


Abstract

The application relates to a security rule base management method, a security rule base management device, computer equipment and a storage medium. The method comprises the following steps: acquiring a security event data set, the security event data set comprising event data of a plurality of security events detected by a network security system, based on a security rule base, in a preset history period; determining the liveness parameter of each security rule in the security rule base based on the security event data set; and controlling the opening or closing of each security rule in the security rule base according to the liveness parameter of each security rule. By adopting the method, the detection efficiency of the network security system can be improved.

Description

Security rule base management method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and apparatus for managing a security rule base, a computer device, and a storage medium.
Background
Network security systems for detecting or protecting against malicious attacks, such as IDS (Intrusion Detection Systems), WAF (Web Application Firewall), security gateways, etc., rely mainly on signature (feature) detection techniques to detect attacks, and signature-based attack detection in turn relies on a rule base.
To maintain the ability to detect attacks, the network security system must maintain a broad and comprehensive rule base. With the continual emergence of new vulnerabilities and the continuous expansion of the rule base, the detection efficiency gradually decreases.
Disclosure of Invention
The embodiment of the application provides a security rule base management method, a security rule base management device, computer equipment and a storage medium, which can improve the detection efficiency of a network security system.
In a first aspect, an embodiment of the present application provides a method for managing a security rule base, where the method includes:
acquiring a security event data set; the security event data set comprises event data of a plurality of security events detected by the network security system, based on the security rule base, in a preset history period;
determining the liveness parameter of each security rule in the security rule base based on the security event data set;
and controlling each security rule in the security rule base to be opened or closed according to the liveness parameter of each security rule.
In one embodiment, determining the liveness parameter of each security rule in the security rule base based on the security event data set includes:
determining a local activity set and a global maximum activity set based on the security event data set; the local liveness set comprises the local liveness of each security rule, and the global maximum liveness set comprises the global maximum liveness of each security rule;
And determining the liveness parameters of each security rule according to the pre-acquired historical liveness set, the local liveness set and the global maximum liveness set.
In one embodiment, the determining the local liveness set based on the security event data set includes:
determining a rule group set based on the security event data set and a preset time window size; the rule group set comprises a plurality of rule groups, each rule group comprising a plurality of security rules;
and determining the local liveness of each security rule according to the total event amount of the target rule groups to which the security rule belongs, the local liveness of the plurality of security rules forming a local liveness set.
In one embodiment, the event data includes event time, source address and rule identifier, and the determining the rule group set based on the security event data set and the preset time window size includes:
determining a plurality of time windows according to the event time and the time window size of each security event in the security event data set;
for each time window, extracting the security events in the time window from the security event data set, and dividing the extracted security events according to the source address and the rule identifier to obtain an initial event group set; the initial event group set comprises a plurality of initial event groups, wherein each initial event group comprises a plurality of security events with the same source address and the same rule identification;
filtering the initial event group set to obtain a target event group set corresponding to the time window; the target event group set comprises a plurality of target event groups, and each target event group comprises a plurality of rule groups divided according to source addresses;
and merging the target event group sets corresponding to the time windows according to the source address to obtain a rule group set.
In one embodiment, the filtering the initial event group set to obtain a target event group set corresponding to the time window includes:
normalizing each initial event group according to its number of events to obtain event group parameters of each initial event group;
and filtering the initial event group set according to the event group parameters of each initial event group and a preset event threshold value to obtain a target event group set.
In one embodiment, the normalizing of each initial event group according to its number of events to obtain event group parameters of each initial event group includes:
carrying out normalization processing according to the number of events of the initial event group and a preset constant to obtain a normalized event number;
carrying out normalization processing according to the number of events in the initial event group and the number of events whose request succeeded to obtain a normalized number of success events;
and determining the event group parameters of the initial event group according to the normalized event number and the normalized number of success events.
In one embodiment, the filtering the initial event group set according to the event group parameters of each initial event group and the preset event threshold to obtain a target event group set includes:
for each initial event group in the initial event group set, if the event group parameter is smaller than a preset event threshold value, filtering the initial event group;
and obtaining a target event group set according to unfiltered initial event groups in the initial event group set.
In one embodiment, determining a plurality of time windows according to the event time and the time window size of each security event in the security event data set includes:
determining the starting time of a first time window according to the event time of each security event in the security event data set;
a plurality of time windows are determined based on a start time of the first time window and a time window size.
In one embodiment, the determining the global maximum liveness set includes:
sending the local liveness set to a preset server, so that the preset server determines the global maximum liveness of each security rule according to the local liveness sets it receives, the global maximum liveness of the security rules forming the global maximum liveness set;
and receiving the global maximum liveness set fed back by the preset server.
In one embodiment, the controlling the opening or closing of each security rule in the security rule base according to the liveness parameter of each security rule includes:
determining the opening probability of each security rule according to the liveness parameter and the operating load data of the network security system;
and controlling the opening or closing of each security rule in the security rule base according to the opening probability of each security rule.
In one embodiment, determining the opening probability of each security rule according to the liveness parameter and the operating load data of the network security system includes:
determining, from a plurality of preset load intervals, the target load interval in which the operating load data lies;
for each security rule in the security rule base, determining the rule category of the security rule according to its liveness parameter;
and determining the opening probability of each security rule according to the operating load data, the category parameter corresponding to the rule category of the security rule, and the preset relational expression corresponding to the target load interval.
In one embodiment, the controlling the opening or closing of each security rule in the security rule base according to the opening probability of each security rule includes:
acquiring a random number corresponding to each security rule;
and controlling the opening or closing of each security rule according to its random number and its opening probability.
In a second aspect, an embodiment of the present application provides a security rule base management apparatus, including:
a data acquisition module, configured to acquire a security event data set; the security event data set comprises event data of a plurality of security events detected by the network security system, based on the security rule base, in a preset history period;
a liveness determining module, configured to determine the liveness parameter of each security rule in the security rule base based on the security event data set;
and a rule base management module, configured to control each security rule in the security rule base to be opened or closed according to the liveness parameter of each security rule.
In a third aspect, an embodiment of the present application provides a computer device comprising a memory storing a computer program and a processor implementing the steps of the method according to the first aspect when the processor executes the computer program.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method according to the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the steps of the method according to the first aspect.
The method, the device, the computer equipment and the storage medium for managing the security rule base acquire a security event data set; determine the liveness parameter of each security rule in the security rule base based on the security event data set; and control each security rule in the security rule base to be opened or closed according to the liveness parameter of each security rule. According to the embodiment of the application, the security rules with lower hit counts in the security rule base can be closed, so that the network security system does not need to traverse all the security rules in the security rule base when performing security detection, and the detection efficiency of the network security system can be improved.
Drawings
FIG. 1 is a diagram of an application environment for a security rule base management method in one embodiment;
FIG. 2 is a flow diagram of a method of security rule base management in one embodiment;
FIG. 3 is a flowchart illustrating steps for determining liveness parameters of security rules in one embodiment;
FIG. 4 is a flow diagram of a process for determining a local liveness set in one embodiment;
FIG. 5 is a flow diagram of a process for determining rule set aggregation in one embodiment;
FIG. 6 is a flow chart illustrating a step of determining a target event group set in one embodiment;
FIG. 7 is a flow chart illustrating steps for controlling security rules in a security rule base according to one embodiment;
FIG. 8 is a flow chart illustrating steps for determining the turn-on probability of each security rule in one embodiment;
FIG. 9 is a schematic diagram of an on probability curve in one embodiment;
FIG. 10 is a block diagram of a security rule base management apparatus in one embodiment;
FIG. 11 is an internal block diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
Fig. 1 is a schematic diagram of an application scenario of security rule base management according to an embodiment of the present application. As shown in fig. 1, the application scenario includes a management server 101 and a plurality of network servers 102 deployed in different networks. A network security management system runs on the management server 101, and a network security system runs on each network server 102; the network security system performs security detection on the network in which it is located, so as to detect actions such as intrusion and attack. The management server 101 communicates with the network servers 102 through a network: for example, a network server 102 sends the local liveness set it has determined to the management server 101, the management server 101 determines a global maximum liveness set from the local liveness sets it receives, and then returns the global maximum liveness set to the network server 102. A data storage system may store the data that the network server 102 needs to process, such as the security event data set and the security rule base. The data storage system may be integrated on the network server 102, or may be located in the cloud or on another server. The management server 101 and the network server 102 may each be implemented as a separate server or as a server cluster composed of a plurality of servers.
In the conventional technology, a network security system performs security detection according to a security rule base and needs to traverse each security rule in the security rule base. To maintain the ability to detect intrusion, attack, etc., network security systems must maintain a broad and comprehensive library of security rules. With the continual emergence of new vulnerabilities and the continuous expansion of the security rule base, more and more security rules need to be traversed, so that the detection efficiency gradually decreases.
Based on the above conventional technology, the embodiment of the present application provides a management scheme for a security rule base: a security event data set is obtained first; then, the liveness parameter of each security rule in the security rule base is determined based on the security event data set; and then each security rule in the security rule base is controlled to be opened or closed according to its liveness parameter. According to the embodiment of the application, security rules with lower hit counts in the security rule base can be closed, that is, the security rule base is adjusted adaptively, so that the network security system does not need to traverse all the security rules in the security rule base when performing security detection, and the detection efficiency can be improved.
It should be noted that the beneficial effects or the technical problems to be solved by the embodiments of the present application are not limited to this one, but may be other implicit or related problems, and particularly, reference may be made to the following description of embodiments.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
In one embodiment, as shown in fig. 2, a security rule base management method is provided, and the method is applied to the network server in fig. 1 for illustration, and may include the following steps:
step 201, a security event data set is obtained.
The security event data set comprises event data of a plurality of security events detected by the network security system, based on a security rule base, in a preset history period. The event data includes the event time, the source address of the security event, the rule identifier of the security rule hit by the security event, and the response code returned by the network security system for the request that produced the security event, etc., as shown in Table 1.
TABLE 1
The network security system carries out security detection based on a security rule base to obtain event data of a security event; thereafter, event data for the security event is stored. When the security rule base needs to be managed, acquiring event data in a preset history period from stored event data to obtain a security event data set.
The security rule base is managed according to a preset time or a preset period. For example, if the preset time is X years, X months and X days, the security rule base is managed at the preset time; or if the preset period is monthly, the security rule base is managed monthly. It should be noted that the trigger condition for managing the security rule base is not limited to the above description.
Step 202, determining the liveness parameter of each security rule in the security rule base based on the security event data set.
Wherein the liveness parameter characterizes the hit condition of the security rule. Optionally, the greater the liveness parameter, the greater the number of times the security rule is hit; the smaller the liveness parameter, the fewer the number of hits the security rule is indicated.
After the security event data set is obtained, the hit condition of each security rule in the security rule base can be determined according to the security event data set, and the liveness parameter is obtained.
For example, based on event data such as event time, source address, rule identification, and response code, it is determined that security rule 1 in the security rule base is frequently hit within a preset history period, and security rule 2 is not hit … … within the preset history period. And then, calculating parameters representing frequent hits of the safety rule 1 according to the event data to obtain the liveness parameters of the safety rule 1. And similarly, calculating the liveness parameters of other security rules.
Step 203, controlling each security rule in the security rule base to be opened or closed according to the liveness parameter of each security rule.
For each security rule in the security rule base, if the liveness parameter indicates that the security rule was hit frequently in the preset history period, the security rule is controlled to be opened; if the liveness parameter indicates that the security rule was hit a low number of times in the preset history period, the security rule is controlled to be closed.
For example, if the liveness parameter of security rule 1 is a and is greater than a preset parameter threshold x, security rule 1 is controlled to be opened; if the liveness parameter of security rule 2 is b and is smaller than the preset parameter threshold x, security rule 2 is controlled to be closed.
In the above embodiment, a security event data set is first acquired; then, the liveness parameter of each security rule in the security rule base is determined based on the security event data set; and then each security rule in the security rule base is controlled to be opened or closed according to its liveness parameter. According to the embodiment of the application, the security rules with lower hit counts in the security rule base can be closed, so that the network security system does not need to traverse all the security rules in the security rule base when performing security detection, and the detection efficiency of the network security system can be improved.
In one embodiment, as shown in fig. 3, referring to the above process of determining the liveness parameters of each security rule in the security rule base based on the security event data set, the embodiment of the present application may include the following steps:
step 301, a local activity set and a global maximum activity set are determined based on a security event data set.
The local liveness set comprises local liveness of each security rule, and the local liveness characterizes hit conditions of the security rules in a single network; the global maximum liveness set comprises global maximum liveness of each security rule, and the global maximum liveness characterizes the maximum value of hit conditions of the security rules in all networks.
After the security event data set is obtained, the hit condition of each security rule in the network can be determined according to the security event data set, so that the local liveness of each security rule is obtained, and the local liveness of a plurality of security rules forms a local liveness set.
After determining the local liveness of each security rule, the local liveness of each security rule in other networks can be obtained from other networks; then, for each security rule, determining the maximum value of the local liveness of each security rule in all networks to obtain the global maximum liveness of the security rule; finally, a global liveness set is composed of the global maximum liveness of the plurality of security rules.
Step 302, determining the activity parameters of each security rule according to a pre-acquired historical activity set, a local activity set and a global maximum activity set.
The historical liveness set comprises the historical liveness of a plurality of security rules, where the historical liveness of a rule is the local liveness that was determined for it at an earlier management time.
From the historical liveness set, the local liveness set and the global maximum liveness set, the historical liveness, the local liveness and the global maximum liveness of each security rule are determined; then a weighted combination of the historical liveness, the local liveness and the global maximum liveness is computed to obtain the liveness parameter of the security rule.
The liveness parameter for determining the security rule may be determined with reference to equation (1):
(1)
where W_i is the liveness parameter, w_i is the local liveness, history_w_i is the historical liveness, max_w is the global maximum liveness, σ is the weight corresponding to the historical liveness, and δ is the weight corresponding to the global maximum liveness.
As can be seen from equation (1), when the local liveness of the security rule is 0, the global maximum liveness is used to determine the liveness parameter; when the local liveness of the security rule is greater than 0, the global maximum liveness is not used to determine the liveness parameter. Optionally, when the local liveness of the security rule is 0, the weight δ corresponding to the global maximum liveness is 0.5, and when the local liveness of the security rule is greater than 0, the weight δ is 0. Optionally, the weight σ corresponding to the historical liveness is 0.5.
In the above embodiment, the local liveness set and the global maximum liveness set are determined based on the security event data set, and the liveness parameter of each security rule is then determined from the pre-acquired historical liveness set, the local liveness set and the global maximum liveness set. According to the embodiment of the application, the environmental differences between networks are taken into account by fusing the local liveness, the global maximum liveness and the historical liveness into the liveness parameter, which improves the validity and comprehensiveness of the liveness parameter.
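The combination described in steps 301 and 302, and the opening control of steps 203 and 7xx, as an added Python example (not code from the patent or from China Telecom). Equation (1) itself is not reproduced on this page, so the linear form W_i = w_i + σ·history_w_i + δ·max_w, with δ switched by whether w_i is 0, is an assumption consistent with the stated weights. The rule categories, load intervals, category parameters and the per-interval relational expressions are likewise assumptions standing in for the unspecified presets; the `pinned` set is an addition a practitioner would want, so that rare but high-severity rules are never closed by a hit-count heuristic.

```python
"""Liveness parameter (equation 1 semantics) and open/close control for a rule base.

Added example; the exact formula and the load/category presets are assumptions.
"""

SIGMA = 0.5            # page: weight of the historical liveness is 0.5
DELTA_IDLE = 0.5       # page: weight of the global maximum when local liveness == 0
DELTA_ACTIVE = 0.0     # page: global maximum ignored once the rule fired locally

# Assumed presets (the page leaves categories, intervals and expressions unspecified).
CATEGORY_PARAM = {"hot": 1.0, "warm": 0.6, "cold": 0.2}
LOAD_INTERVALS = ((0.0, 0.5), (0.5, 0.8), (0.8, 1.0))   # light / medium / heavy


def liveness_parameter(local, history, global_max, sigma=SIGMA):
    """W_i = w_i + sigma*history_w_i + delta*max_w  (assumed linear form)."""
    delta = DELTA_IDLE if local == 0 else DELTA_ACTIVE
    return local + sigma * history + delta * global_max


def liveness_parameters(local_set, history_set, global_max_set):
    """Combine the three per-rule sets; a rule missing from a set counts as 0."""
    rule_ids = set(local_set) | set(history_set) | set(global_max_set)
    return {
        rid: liveness_parameter(local_set.get(rid, 0.0),
                                history_set.get(rid, 0.0),
                                global_max_set.get(rid, 0.0))
        for rid in sorted(rule_ids)
    }


def rule_states_by_threshold(params, threshold):
    """Step 203 as described: open when W_i exceeds the preset threshold, else close."""
    return {rid: w > threshold for rid, w in params.items()}


def rule_category(w, hot=10.0, warm=1.0):
    """Assumed category boundaries on the liveness parameter."""
    if w >= hot:
        return "hot"
    if w >= warm:
        return "warm"
    return "cold"


def target_load_interval(load):
    """Pick the preset interval containing the normalised load (0.0 .. 1.0)."""
    for lo, hi in LOAD_INTERVALS:
        if lo <= load < hi or (hi == 1.0 and load == 1.0):
            return lo, hi
    raise ValueError("load must be normalised to [0, 1]")


def open_probability(w, load):
    """Assumed relational expressions: one per load interval, scaled by the category parameter."""
    c = CATEGORY_PARAM[rule_category(w)]
    lo, hi = target_load_interval(load)
    if hi <= 0.5:                      # light load: every rule stays open
        return 1.0
    frac = (hi - load) / (hi - lo)     # 1.0 at the interval start, 0.0 at its end
    if hi <= 0.8:                      # medium load: decay from 1.0 down to c
        return c + (1.0 - c) * frac
    return c * frac                    # heavy load: decay from c down to 0


def rule_states(params, load, randoms, pinned=frozenset()):
    """Open a rule when its random number falls below its opening probability.

    `randoms` maps rule id -> a uniform draw in [0, 1), supplied by the caller so the
    decision is reproducible; `pinned` rules are always open regardless of liveness.
    """
    return {
        rid: (rid in pinned) or (randoms[rid] < open_probability(w, load))
        for rid, w in params.items()
    }


if __name__ == "__main__":
    # Constructed sample: three rules, one of which never fired locally.
    params = liveness_parameters({"id1": 12.0, "id2": 0.0, "id3": 0.3},
                                 {"id1": 4.0, "id2": 2.0, "id3": 0.0},
                                 {"id1": 20.0, "id2": 6.0, "id3": 1.0})
    print(params)
    print(rule_states_by_threshold(params, 1.0))
    print(rule_states(params, 0.9, {"id1": 0.7, "id2": 0.95, "id3": 0.05}, pinned={"id2"}))
```

Note that id2 has zero local liveness, so half of its global maximum is folded in and it stays above the threshold; under heavy load the same rule would be closed by the probabilistic control unless it is pinned.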
In one embodiment, as shown in fig. 4, related to the above-mentioned process of determining a local activity set based on a security event data set, an embodiment of the present application may include the following steps:
step 401, determining a rule set based on the security event data set and a preset time window size.
Wherein the rule group set includes a plurality of rule groups, each rule group includes a plurality of security rules, and id is a rule identifier of the security rule with reference to table 2.
TABLE 2
A plurality of time windows are determined according to the preset time window size, and the event data of each time window is determined from the security event data set; the event data of each time window is processed to obtain the rule groups corresponding to that time window and the total event amount of each rule group; then the rule groups and total event amounts of all the time windows are processed together to obtain the rule group set.
Step 402, determining the local liveness of each security rule according to the total event amount of the target rule group to which each security rule belongs, and forming a local liveness set by the local liveness of a plurality of security rules.
For each security rule, the at least one target rule group to which the security rule belongs is determined, and the total event amounts of those target rule groups are summed to obtain the local liveness of the security rule, as shown in formula (2):
(2)
where w_i is the local liveness, i is the serial number of the security rule, and j is the serial number of the rule group.
Referring to Table 2, the target rule groups to which id3 belongs are rule_group1, rule_group2 and rule_group3; if the total number of events of rule_group1 is C1, that of rule_group2 is C2 and that of rule_group3 is C3, then the local liveness of id3 is w3 = C1 + C2 + C3.
In the above embodiment, the rule group set is determined based on the security event data set and a preset time window size; the local liveness of each security rule is then determined according to the total event amount of the target rule groups to which the security rule belongs, and the local liveness of the plurality of security rules forms a local liveness set. According to the embodiment of the application, analysing hits from the perspective of rule groups evaluates the hit condition of each security rule effectively and provides a basis for managing the security rule base.
In one embodiment, the event data includes event time, source address and rule identifier, and, as shown in fig. 5, the process of determining a rule group set based on the security event data set and a preset time window size may include the following steps:
step 501, determining a plurality of time windows according to the event time and the time window size of each security event in the security event data set.
Determining the starting time of a first time window according to the event time of each security event in the security event data set; a plurality of time windows are determined based on a start time of the first time window and a time window size.
For example, the event times of all the security events are sorted in chronological order, the earliest event time is taken as the start time time1 of the first time window, the end time time2 = time1 + time_window of the first time window is determined from the start time time1 and the time window size time_window, and the first time window is [time1, time2). The end time of the first time window is taken as the start time of the second time window, and the end time of the second time window is determined from its start time and the time window size. In the same way, a plurality of consecutive time windows can be determined.
Step 502, for each time window, extracting the security events in the time window from the security event data set, and dividing the extracted security events according to the source address and the rule identifier to obtain an initial event group set.
Wherein the initial event group set comprises a plurality of initial event groups, each initial event group comprises a plurality of security events with the same source address and the same rule identification.
For each time window, firstly extracting the security event in the time window from the security event data set according to the event time; then, dividing the extracted security event according to the source address and the rule identifier to obtain a plurality of initial event groups; and forming an initial event group set by a plurality of initial event groups. Referring to Table 3, an initial set of event groups for a first time window is shown.
Table 3
Step 503, filtering the initial event group set to obtain a target event group set corresponding to the time window.
The target event group set comprises a plurality of target event groups, and each target event group comprises a plurality of rule groups divided according to source addresses.
When the network security system performs security detection, a false alarm condition may occur, so after the initial event group set is determined, whether the false alarm condition exists or not can be determined according to the response code, then the initial event group set is filtered according to the false alarm condition, and a target event group set is determined according to the filtered initial event group set.
Referring to Table 4, the target event group set event_group = {event_group1, event_group2, event_group3, …} for the first time window is shown. Sliding the time window, the set of target event groups for other time windows may be determined in the same way.
Table 4
Step 504, merging the target event group sets corresponding to the time windows according to the source address to obtain a rule group set.
After the target event group set corresponding to each time window is determined, merging processing is carried out on the target event group sets corresponding to the time windows, so that a rule group set is obtained.
For example, if a source address in time window 1 also exists in time window 2, the target event groups of that source address in time window 1 and time window 2 are merged to obtain a rule group, and the total event amount after merging is the sum of the event amounts of the two target event groups. If a source address in time window 1 does not exist in time window 2, the target event group of time window 1 is treated directly as a rule group. In this way a plurality of rule groups are obtained, and the plurality of rule groups form the rule group set, as shown in Table 2 in the above embodiment.
In the above embodiment, a plurality of time windows are determined according to the event time of each security event in the security event data set and the time window size; for each time window, the security events in the time window are extracted from the security event data set and divided according to the source address and the rule identifier to obtain an initial event group set; the initial event group set is filtered to obtain the target event group set corresponding to the time window; and the target event group sets corresponding to the time windows are merged according to the source address to obtain the rule group set. The embodiment of the application groups the security events in a sliding window manner, so the amount of computation for each time window is small and the computation for a plurality of time windows can be performed in parallel, which improves the grouping speed and efficiency and therefore the efficiency of the self-adaptive adjustment of the security rule base.
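The following is an added worked example of steps 501 to 504 (time windows, grouping by source address and rule identifier, merging into rule groups) and of the local liveness derived from the merged rule groups; it is illustrative code written for this page, not code from the patent. The sample events, the half-open window boundaries, the `keep` callback standing in for the step-503 filter, and the choice to sum the totals of every rule group a rule belongs to are all assumptions made here.

```python
from collections import defaultdict

# Constructed sample events: (event_time in seconds, source_address, rule_id, response_code).
SAMPLE_EVENTS = [
    (0,   "10.0.0.1", "R1", 200),
    (5,   "10.0.0.1", "R1", 404),
    (12,  "10.0.0.2", "R2", 200),
    (20,  "10.0.0.2", "R2", 200),
    (61,  "10.0.0.1", "R3", 200),   # same source as in window 1, so it is merged later
    (75,  "10.0.0.3", "R2", 500),
    (130, "10.0.0.2", "R2", 200),
    (140, "10.0.0.2", "R2", 503),
]


def time_windows(events, window_size):
    """Step 501: windows start at the earliest event time and tile forward."""
    if not events:
        return []
    start = min(ev[0] for ev in events)
    end = max(ev[0] for ev in events)
    windows = []
    while start <= end:
        windows.append((start, start + window_size))
        start += window_size
    return windows


def initial_event_groups(events, window):
    """Step 502: events falling in the window, grouped by (source address, rule id)."""
    lo, hi = window
    groups = defaultdict(list)
    for ev in events:
        if lo <= ev[0] < hi:  # assumption: half-open window [lo, hi)
            groups[(ev[1], ev[2])].append(ev)
    return dict(groups)


def merge_rule_groups(target_group_sets):
    """Step 504: merge the per-window target event groups by source address.
    A rule group is keyed by source address and carries the rules that source
    triggered plus the summed event amount across all windows."""
    rule_groups = {}
    for groups in target_group_sets:
        for (src, rule_id), evs in groups.items():
            rg = rule_groups.setdefault(src, {"rules": set(), "total_events": 0})
            rg["rules"].add(rule_id)
            rg["total_events"] += len(evs)
    return rule_groups


def build_rule_groups(events, window_size, keep=lambda key, evs: True):
    """Steps 501-504 end to end; `keep` stands in for the step-503 filter."""
    per_window = []
    for w in time_windows(events, window_size):
        groups = initial_event_groups(events, w)
        per_window.append({k: v for k, v in groups.items() if keep(k, v)})
    return merge_rule_groups(per_window)


def local_liveness(rule_groups):
    """Local liveness of a rule = total event amount of the rule group(s) it belongs to.
    Assumption: a rule appearing in several rule groups sums their totals."""
    liveness = defaultdict(int)
    for rg in rule_groups.values():
        for rule_id in rg["rules"]:
            liveness[rule_id] += rg["total_events"]
    return dict(liveness)


if __name__ == "__main__":
    groups = build_rule_groups(SAMPLE_EVENTS, window_size=60)
    print(groups)
    print(local_liveness(groups))
```

With a 60-second window the sample yields three windows; source 10.0.0.1 appears in windows 1 and 2 and is merged into one rule group covering R1 and R3 with three events in total. Each window is processed independently, which is what allows the per-window work to run in parallel as the embodiment describes.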
In one embodiment, as shown in fig. 6, the process of filtering the initial event group to obtain the target event group set corresponding to the time window may include the following steps:
Step 601, carrying out normalization processing on each initial event group according to the number of events to obtain the event group parameter of each initial event group.
The event group parameter characterizes the proportion of successful-request events in the initial event group. It can be appreciated that the larger the event group parameter, the higher the proportion of successful-request events in the initial event group and the fewer false alarm events; the smaller the event group parameter, the lower the proportion of successful-request events in the initial event group and the more false alarm events.
When the initial event group is filtered, the event number of the request success event in the initial event group can be determined first, and then normalization processing is carried out according to the event number of the request success event and the event number of the initial event group, so as to obtain the event group parameters of the initial event group.
Alternatively, the normalization process may include the steps of:
Step 6011, carrying out normalization processing according to the event number of the initial event group and a preset constant to obtain the normalized event number, as shown in formula (3):
(3)
Wherein cnt_n is the normalized event number, cnt is the event number of the initial event group, and max_cnt is a preset constant. Optionally, the preset constant max_cnt is 20.
According to the above formula (3), a smaller value is selected from the number of the events of the initial event group and a preset constant, and then the ratio of the smaller value to the preset constant is calculated to obtain the normalized number of the events.
Step 6012, carrying out normalization processing according to the number of events in the initial event group and the number of successful-request events to obtain the normalized number of successful events.
The number of successful-request events in the initial event group is determined according to the response code, and then the ratio between the number of successful-request events and the number of events in the initial event group is calculated to obtain the normalized number of successful events. Optionally, the first digit of the response code of a successful-request event is 2, e.g. response codes 201, 202, 203, etc.
Considering that the number of events of the initial event group may be 0, the normalized number of success events may be determined using equation (4).
(4)
Wherein sreq_n is the number of successful events after normalization, sreq is the number of events requesting successful events, cnt is the number of events of the initial event group.
Step 6013, determining the event group parameters of the initial event group according to the normalized event number and the normalized success event number.
And calculating the ratio of the normalized number of successful events to the normalized number of events to obtain the event group parameters of the initial event group. As shown in formula (5):
(5)
where k is the event group parameter, cnt_n is the normalized number of events, sreq_n is the normalized number of successful events.
Step 602, filtering the initial event group set according to the event group parameters of each initial event group and a preset event threshold value to obtain a target event group set.
For each initial event group, comparing event group parameters of the initial event group with a preset event threshold value, and determining whether to filter the initial event group according to a comparison result; thereafter, a set of target event groups is composed of unfiltered initial event groups.
Alternatively, the filtering process may include: for each initial event group in the initial event group set, if the event group parameter is smaller than a preset event threshold value, filtering the initial event group; and obtaining a target event group set according to unfiltered initial event groups in the initial event group set.
For example, the preset event threshold is 3; if the event group parameter of an initial event group is less than 3, this indicates that the initial event group has few successful-request events and many false alarm events, so the initial event group is filtered out.
In the above embodiment, normalization processing is performed on each initial event group according to the number of events to obtain the event group parameter of each initial event group, and the initial event group set is filtered according to the event group parameter of each initial event group and a preset event threshold to obtain the target event group set. In the embodiment of the application, the event number is normalized in combination with the response code to obtain the event group parameter, so event groups with many false alarm events can be effectively filtered out, the influence of false alarm events on the liveness parameters is reduced, and the accuracy of the liveness parameters is improved.
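The following is an added worked example of steps 6011 to 6013 and step 602, implementing formulas (3) to (5) exactly as the text above describes them (min with the preset constant, success ratio, and the ratio of the two normalized values) together with the threshold filter; it is illustrative code written for this page, not code from the patent. The constants max_cnt = 20 and threshold 3 are the page's; the sample groups, the treatment of an empty group as parameter 0, and the 2xx check for a successful request are assumptions made here.

```python
MAX_CNT = 20          # preset constant max_cnt stated on the page
EVENT_THRESHOLD = 3   # preset event threshold stated on the page

# Constructed sample initial event groups: (source_address, rule_id) -> response codes of its events.
SAMPLE_GROUPS = {
    ("10.0.0.1", "R1"): [200, 201, 404],          # 2 of 3 requests succeeded
    ("10.0.0.2", "R2"): [404, 403, 404, 200],     # mostly blocked: likely false alarms
    ("10.0.0.3", "R3"): [],                       # empty group, the cnt == 0 edge case
}


def is_request_success(response_code):
    """A successful request has a response code whose first digit is 2 (201, 202, 203 ...)."""
    return 200 <= response_code <= 299


def normalized_event_count(cnt, max_cnt=MAX_CNT):
    """Formula (3) as described: cnt_n = min(cnt, max_cnt) / max_cnt."""
    return min(cnt, max_cnt) / max_cnt


def normalized_success_count(sreq, cnt):
    """Formula (4) as described: sreq_n = sreq / cnt, guarded for an empty group
    (assumption: sreq_n = 0 when cnt == 0)."""
    return sreq / cnt if cnt else 0.0


def event_group_parameter(cnt, sreq, max_cnt=MAX_CNT):
    """Formula (5) as described: k = sreq_n / cnt_n.
    cnt_n is 0 only for an empty group; that group gets k = 0 (assumption)."""
    cnt_n = normalized_event_count(cnt, max_cnt)
    if cnt_n == 0:
        return 0.0
    return normalized_success_count(sreq, cnt) / cnt_n


def filter_event_groups(groups, threshold=EVENT_THRESHOLD):
    """Step 602: keep only initial event groups whose parameter reaches the threshold."""
    kept = {}
    for key, codes in groups.items():
        cnt = len(codes)
        sreq = sum(1 for c in codes if is_request_success(c))
        if event_group_parameter(cnt, sreq) >= threshold:
            kept[key] = codes
    return kept


if __name__ == "__main__":
    for key, codes in SAMPLE_GROUPS.items():
        cnt = len(codes)
        sreq = sum(1 for c in codes if is_request_success(c))
        print(key, round(event_group_parameter(cnt, sreq), 3))
    print(filter_event_groups(SAMPLE_GROUPS))
```

One property worth checking when tuning these constants: with k defined as the ratio of the two normalized values, k equals sreq * max_cnt / cnt² for groups of at most max_cnt events and sreq / cnt for larger ones, so with max_cnt = 20 and a threshold of 3 no group of eight or more events can pass regardless of its success ratio. The threshold and the constant therefore have to be chosen together against the group sizes seen in practice.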
In one embodiment, the determining the global maximum activity set includes: the local activity sets are sent to a preset server, so that the preset server can determine the global maximum activity of each safety rule according to the local activity sets, and the global maximum activity of the safety rules forms the global maximum activity set; and receiving a global liveness set fed back by a preset server.
The preset server may be the management server in fig. 1.
After the network server of each network determines its local liveness set, it sends the local liveness set to the preset server. After the preset server obtains the local liveness sets of a plurality of networks, it determines the local liveness of each security rule in the plurality of networks and selects the largest local liveness as the global maximum liveness of that rule. Thereafter, the global maximum liveness set is composed of the global maximum liveness of the plurality of security rules.
The management server feeds the global liveness set back to the network server of each network respectively, so that the network server can determine liveness parameters of each security rule according to the global maximum liveness set.
In the above embodiment, the local liveness set is sent to the preset server, so that the preset server determines the global maximum liveness of each security rule according to a plurality of local liveness sets, and the global maximum liveness of each security rule forms the global maximum liveness set; and the global maximum liveness set fed back by the preset server is received. By acquiring the global maximum liveness set, the embodiment of the application can take into account the hit condition of a security rule in other networks even when the rule is not hit locally, thereby integrating the environmental differences of different networks and improving the validity and comprehensiveness of the liveness parameters of the security rules.
In one embodiment, as shown in fig. 7, the process of controlling the opening or closing of each security rule in the security rule base according to the activity parameter of each security rule may include the following steps:
step 701, determining the opening probability of each security rule according to the liveness parameter and the operation load data of the network security system.
The operation load data may include at least one of CPU utilization, memory utilization, and packet loss rate. The opening probability is used to characterize the probability of opening the security rules.
The operation load data influences the detection efficiency of the network security system, and in practical application, the opening probability of each security rule is calculated by combining the activity parameters of the security rule and the operation load data of the network security system. It can be appreciated that the smaller the operation load data, the more security rules in the security rule base are allowed to be opened, and the larger the calculated opening probability is; the larger the operating load data, the fewer security rules are opened in the security rule base, and the smaller the calculated opening probability.
Step 702, controlling each security rule in the security rule base to be opened or closed according to the opening probability of each security rule.
For each safety rule in the safety rule library, if the opening probability of the safety rule is greater than or equal to a preset probability threshold value, controlling the safety rule to be opened; and if the opening probability of the safety rule is smaller than the preset probability threshold, controlling the safety rule to be closed.
In one embodiment, a random number for each security rule is obtained; and controlling the opening or closing of each security rule according to the random number and the opening probability of each security rule. As shown in formula (6):
(6)
where v is the state of the security rule, v = 0 indicates that the security rule is controlled to be closed, and v = 1 indicates that the security rule is controlled to be opened; RAND(0, 1) is a random number between 0 and 1, and y is the opening probability of the security rule.
In the above embodiment, the opening probability of each security rule is determined according to the liveness parameter and the operation load data of the network security system; and controlling the opening or closing of each safety rule in the safety rule base according to the opening probability of each safety rule. The embodiment of the application sets the opening probability for each security rule by combining the operation load condition of the network security system, and can realize the self-adaptive adjustment of the security rule base under different allowable load conditions, thereby improving the detection efficiency of the network security system.
In one embodiment, as shown in fig. 8, related to the above process of determining the opening probability of each security rule according to the activity parameter and the operation load data of the network security system, the embodiment of the present application may include the following steps:
step 801, determining a target load interval where the operation load data is located from a plurality of preset load intervals.
A plurality of load sections are preset, and corresponding target load sections are determined according to the operation load data.
For example, an operation load threshold xa (0 < xa < 1) and a threshold xb (xa < xb < 1) are set, and three load intervals are divided according to these thresholds (load below xa, load between xa and xb, and load above xb). Optionally, xa = 0.5 and xb = 0.9. The load interval in which the operation load data x is located is determined as the target load interval.
The operation load data can be collected according to a preset collection period. Alternatively, the acquisition period is 10 minutes, i.e., the operational load data is acquired every 10 minutes.
Step 802, for each security rule in the security rule base, determining a rule category of the security rule according to the liveness parameter.
The rule category also characterizes the hit condition of the security rule. In practical application, the rule categories are arranged according to the number of hits from more to less and may include active rule, silent rule, sleep rule and dormant rule. It should be noted that the rule categories are not limited to the above and may include other categories.
For each security rule in the security rule base, after the liveness parameter of the security rule is determined, the rule category of the security rule can be determined according to a preset activity threshold, a preset sleep threshold and the liveness parameter.
For example, an activity threshold t1 and a sleep threshold t2 are set, where t1 > t2 > 1: 1) when the liveness parameter wi > t1, the rule category of the security rule is determined as an active rule; 2) when t1 > wi > t2, the rule category of the security rule is determined as a silent rule; 3) when t2 > wi > 0, the rule category of the security rule is determined as a sleep rule; 4) when wi = 0, the rule category of the security rule is determined as a dormant rule. Optionally, t1 = 100 and t2 = 10.
Step 803, determining the opening probability of each security rule according to the operation load data, the class parameter corresponding to the rule class of the security rule and the preset relation corresponding to the target load interval.
For different load intervals, different preset relational expressions can be adopted for determining the opening probability of the safety rule, as shown in a formula (7):
(7)
where f1(w) and f2(w) are the class parameters corresponding to the rule category of the security rule. For different rule categories, the values of f1(w) and f2(w) are different.
For example, for an active rule, i.e. when the liveness parameter wi of the security rule satisfies wi > t1, f1(w) = 1 and f2(w) = 0.8; for a silent rule, i.e. when t1 > wi > t2, f1(w) = 0.8 and f2(w) = 0.5; for a sleep rule, i.e. when t2 > wi > 0, f1(w) = 0.5 and f2(w) = 0; for a dormant rule, i.e. when wi = 0, f1(w) = 0 and f2(w) = 0.
The opening probability curve shown in fig. 9 can be obtained according to formula (7).
In practical applications, the preset relation for determining the turn-on probability is not limited to the linear relation of the above formula (7), and other nonlinear relations may be used.
In the above embodiment, the target load interval in which the operation load data is located is determined from a plurality of preset load intervals; for each security rule in the security rule base, the rule category of the security rule is determined according to the liveness parameter; and the opening probability of each security rule is determined according to the operation load data, the class parameters corresponding to the rule category of the security rule and the preset relational expression corresponding to the target load interval. The embodiment of the application combines the operation load condition of the network security system to set different opening probabilities for security rules of different categories, so the self-adaptive adjustment of different security rules under different operation load conditions can be realized, improving the application efficiency of the security rules and the detection efficiency of the network security system.
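The following is an added worked example covering steps 801 to 803 together with steps 701 and 702 (load interval, rule category, class parameters, opening probability, and the random open/close decision of formula (6)); it is illustrative code written for this page, not code from the patent. The thresholds t1 = 100, t2 = 10, xa = 0.5, xb = 0.9 and the f1(w)/f2(w) table are the page's. Because formula (7) itself is not reproduced on this page, the piecewise-linear relation used here (f1(w) below xa, a straight line from f1(w) at xa to f2(w) at xb, and from f2(w) at xb down to 0 at full load) is an assumption, as are the reading of formula (6) as "open when RAND(0, 1) < y", the assignment of liveness values exactly equal to a threshold to the lower category, and the reduction of the load data (CPU, memory, packet loss) to a single value x in [0, 1].

```python
import random

T1, T2 = 100, 10      # activity threshold t1 and sleep threshold t2 from the page
XA, XB = 0.5, 0.9     # load thresholds xa and xb from the page

CLASS_PARAMS = {      # (f1(w), f2(w)) per rule category, as listed on the page
    "active":  (1.0, 0.8),
    "silent":  (0.8, 0.5),
    "sleep":   (0.5, 0.0),
    "dormant": (0.0, 0.0),
}


def rule_category(w, t1=T1, t2=T2):
    """Step 802: rule category from the liveness parameter w.
    Assumption: a value exactly equal to t1 or t2 falls into the lower category."""
    if w > t1:
        return "active"
    if w > t2:
        return "silent"
    if w > 0:
        return "sleep"
    return "dormant"


def load_interval(x, xa=XA, xb=XB):
    """Step 801: index of the preset load interval containing the load value x in [0, 1]."""
    if x < xa:
        return 0
    if x < xb:
        return 1
    return 2


def opening_probability(w, x):
    """Step 803 with an assumed piecewise-linear relation per load interval:
    f1(w) under light load, f1(w) -> f2(w) across the middle interval,
    f2(w) -> 0 across the heavy-load interval."""
    f1, f2 = CLASS_PARAMS[rule_category(w)]
    i = load_interval(x)
    if i == 0:
        return f1
    if i == 1:
        return f1 + (f2 - f1) * (x - XA) / (XB - XA)
    return f2 * (1.0 - x) / (1.0 - XB)


def rule_state(y, rnd=None):
    """Formula (6) as read here: v = 1 (open) when the random number is below the
    opening probability y, otherwise v = 0 (closed). `rnd` lets a caller inject
    the random number for a deterministic check; by default a fresh one is drawn."""
    r = random.random() if rnd is None else rnd
    return 1 if r < y else 0


def adjust_rule_base(liveness, load, rnd=None):
    """Steps 701-702 over a whole rule base: {rule_id: liveness} -> {rule_id: 0/1}.
    With rnd=None every rule draws its own random number, as the page requires."""
    return {rid: rule_state(opening_probability(w, load), rnd)
            for rid, w in liveness.items()}


if __name__ == "__main__":
    # Constructed liveness parameters for four rules, one per category.
    sample = {"R1": 150, "R2": 50, "R3": 5, "R4": 0}
    for load in (0.2, 0.7, 0.95):
        probs = {rid: round(opening_probability(w, load), 2) for rid, w in sample.items()}
        print(load, probs, adjust_rule_base(sample, load))
```

Under light load every non-dormant rule keeps its f1(w) probability, so active rules are always on; as load crosses xb the probabilities of all categories decay towards zero, and a dormant rule (f1 = f2 = 0) is never opened because the strict comparison in rule_state cannot succeed for y = 0.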
In one embodiment, a method for managing a security rule base is provided, which is described by taking the application of the method to the network server in fig. 1 as an example, and may include the following steps:
Step 1, acquiring a security event data set.
The security event data set comprises event data of a plurality of security events detected by the network security system based on a security rule base in a preset history period. The event data includes at least one of event time, source address, rule identification, and response code.
Step 2, determining the starting time of a first time window according to the event time of each security event in the security event data set; a plurality of time windows are determined based on a start time of the first time window and a time window size.
Step 3, for each time window, extracting the security events in the time window from the security event data set, and dividing the extracted security events according to the source address and the rule identifier to obtain an initial event group set.
Wherein the initial event group set comprises a plurality of initial event groups, each initial event group comprises a plurality of security events with the same source address and the same rule identification.
Step 4, carrying out normalization processing according to the event number of the initial event group and a preset constant to obtain normalized event number; carrying out normalization processing according to the number of the events in the initial event group and the number of the events requesting the success events to obtain the normalized number of the success events; and determining event group parameters of the initial event group according to the normalized event number and the normalized success event number.
Step 5, for each initial event group in the initial event group set, if the event group parameter is smaller than a preset event threshold value, filtering the initial event group; and obtaining a target event group set according to unfiltered initial event groups in the initial event group set.
Step 6, merging the target event group sets corresponding to the time windows according to the source address to obtain a rule group set.
Step 7, determining the local liveness of each security rule according to the total event amount of the target rule group to which each security rule belongs, and forming a local liveness set by the local liveness of a plurality of security rules.
Step 8, the local activity sets are sent to a preset server, so that the preset server can determine the global maximum activity of each safety rule according to the local activity sets, and the global maximum activity of the safety rules forms a global maximum activity set; and receiving a global liveness set fed back by a preset server.
Step 9, determining the liveness parameters of each security rule according to a pre-acquired historical liveness set, the local liveness set and the global maximum liveness set.
Step 10, determining a target load interval in which the operation load data is located from a plurality of preset load intervals; for each security rule in the security rule base, determining the rule category of the security rule according to the liveness parameter; and determining the opening probability of each safety rule according to the operation load data, the class parameters corresponding to the rule classes of the safety rules and the preset relational expression corresponding to the target load interval.
Step 11, obtaining random numbers of all security rules; and controlling the opening or closing of each security rule according to the random number and the opening probability of each security rule.
It should be understood that, although the steps in the above-described flowcharts are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least some of the steps in the flowcharts described above may include a plurality of steps or stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of execution of the steps or stages is not necessarily sequential, but may be performed in turn or alternately with at least a part of other steps or stages.
In one embodiment, as shown in fig. 10, there is provided a security rule base management apparatus including:
a data acquisition module 901, configured to acquire a security event data set, the security event data set comprising event data of a plurality of security events detected by the network security system based on the security rule base in a preset history period;
a liveness determination module 902, configured to determine liveness parameters of each security rule in the security rule base based on the security event data set;
the rule base management module 903 is configured to control each security rule in the security rule base to be opened or closed according to the activity parameter of each security rule.
In one embodiment, the liveness determination module 902 is specifically configured to determine a local liveness set and a global maximum liveness set based on a security event data set; the local liveness set comprises the local liveness of each security rule, and the global maximum liveness set comprises the global maximum liveness of each security rule; and determining the liveness parameters of each security rule according to the pre-acquired historical liveness set, the local liveness set and the global maximum liveness set.
In one embodiment, the liveness determining module 902 is specifically configured to determine a rule set based on the security event data set and a preset time window size; the rule set comprises a plurality of rule sets, each rule set comprising a plurality of security rules; and determining the local liveness of each security rule according to the total event amount of the target rule group to which the security rule belongs, and forming a local liveness set by the local liveness of a plurality of security rules.
In one embodiment, the event data includes event time, source address and rule identifier, and the activity determining module 902 is specifically configured to determine a plurality of time windows according to the event time and the time window size of each security event in the security event data set; for each time window, extracting the security events in the time window from the security event data set, and dividing the extracted security events according to the source address and the rule identifier to obtain an initial event group set; the initial event group set comprises a plurality of initial event groups, wherein each initial event group comprises a plurality of security events with the same source address and the same rule identification; filtering the initial event group set to obtain a target event group set corresponding to the time window; the target event group set comprises a plurality of target event groups, and each target event group comprises a plurality of rule groups divided according to source addresses; and merging the target event group sets corresponding to the time windows according to the source address to obtain a rule group set.
In one embodiment, the liveness determining module 902 is specifically configured to normalize each initial event group according to the number of events to obtain an event group parameter of each initial event group; and filtering the initial event group set according to the event group parameters of each initial event group and a preset event threshold value to obtain a target event group set.
In one embodiment, the liveness determining module 902 is specifically configured to perform normalization processing according to the number of events of the initial event group and a preset constant, so as to obtain a normalized number of events; carrying out normalization processing according to the number of the events in the initial event group and the number of the events requesting the success events to obtain the normalized number of the success events; and determining event group parameters of the initial event group according to the normalized event number and the normalized success event number.
In one embodiment, the liveness determining module 902 is specifically configured to, for each initial event group in the initial event group set, filter the initial event group if the event group parameter is smaller than a preset event threshold; and obtaining a target event group set according to unfiltered initial event groups in the initial event group set.
In one embodiment, the liveness determination module 902 is specifically configured to determine a start time of a first time window according to an event time of each security event in the security event data set; a plurality of time windows are determined based on a start time of the first time window and a time window size.
In one embodiment, the liveness determining module 902 is specifically configured to send a local liveness set to a preset server, so that the preset server determines a global maximum liveness of each security rule according to a plurality of local liveness sets, and the global maximum liveness of each security rule forms a global maximum liveness set; and receiving a global liveness set fed back by a preset server.
In one embodiment, the rule base management module 903 is specifically configured to determine an opening probability of each security rule according to the activity parameter and the operation load data of the network security system; and controlling the opening or closing of each safety rule in the safety rule base according to the opening probability of each safety rule.
In one embodiment, the rule base management module 903 is specifically configured to determine, from a plurality of preset load intervals, a target load interval in which the operation load data is located; for each security rule in the security rule base, determining the rule category of the security rule according to the liveness parameter; and determining the opening probability of each safety rule according to the operation load data, the class parameters corresponding to the rule classes of the safety rules and the preset relational expression corresponding to the target load interval.
In one embodiment, the rule base management module 903 is specifically configured to obtain a random number corresponding to each security rule; and controlling the opening or closing of each security rule according to the random number and the opening probability of each security rule.
The specific definition of the security rule base management device can be referred to as the definition of the security rule base management method hereinabove, and will not be described herein. The above-described respective modules in the security rule base management apparatus may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 11. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is for storing security rule base management data. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program when executed by a processor implements a security rule base management method.
In one embodiment, there is also provided a computer readable storage medium having stored thereon a computer program executable by a processor of a server to perform the above method. The storage medium may be a non-transitory computer readable storage medium, which may be, for example, ROM, Random Access Memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
In an embodiment, a computer program product is also provided, which, when executed by a processor, can implement the above-mentioned method. The computer program product includes one or more computer instructions. When loaded and executed on a computer, these computer instructions may implement some or all of the methods described above, in whole or in part, in accordance with the processes or functions described in embodiments of the present disclosure.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any references to memory, storage, databases, or other media hit in various embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, or the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (DynamicRandom Access Memory, DRAM), and the like.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples illustrate only a few embodiments of the application, which are described in detail and are not to be construed as limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of protection of the present application is to be determined by the appended claims.

Claims (13)

1. A method of security rule base management, the method comprising:
acquiring a security event data set; the security event data set comprises event data of a plurality of security events detected by a network security system based on a security rule base in a preset history period;
determining a rule group set based on the security event data set and a preset time window size, by filtering according to the event time, the source address and the rule identifier of each security event; the rule group set includes a plurality of rule groups, each rule group including a plurality of security rules;
determining a liveness parameter of each security rule in the security rule base according to the total event amount of the target rule group to which each security rule belongs;
determining the opening probability of each security rule according to the liveness parameter and the operation load data of the network security system;
controlling the opening or closing of each security rule in the security rule base according to the opening probability of each security rule;
wherein, the determining the opening probability of each security rule according to the liveness parameter and the operation load data of the network security system includes:
determining a target load interval in which the operation load data are located from a plurality of preset load intervals;
for each security rule in the security rule base, determining the rule category of the security rule according to the liveness parameter; the rule category includes at least one of an active rule, a silent rule, a sleep rule, and a dormant rule;
and determining the opening probability of each security rule according to the operation load data, the class parameter corresponding to the rule category of the security rule, and the preset relation corresponding to the target load interval.
2. The method according to claim 1, wherein determining the liveness parameter of each security rule in the security rule base according to the total event amount of the target rule group to which each security rule belongs comprises:
determining a local liveness set and a global maximum liveness set according to the total event amount of the target rule group to which each security rule belongs; the local liveness set comprises the local liveness of each security rule, and the global maximum liveness set comprises the global maximum liveness of each security rule;
and determining the liveness parameter of each security rule according to a pre-acquired historical liveness set, the local liveness set and the global maximum liveness set.
3. The method of claim 2, wherein determining the local liveness set based on the total amount of events for the target rule group to which each of the security rules belongs comprises:
and determining the local liveness of each security rule according to the total event amount of the target rule group to which the security rule belongs, and forming the local liveness set by the local liveness of a plurality of security rules.
4. The method according to claim 3, wherein the determining a rule group set based on the security event data set and the preset time window size, by filtering according to the event time, the source address and the rule identifier of each security event, comprises:
determining a plurality of time windows according to the event time of each security event in the security event data set and the size of the time window;
for each time window, extracting the security events in the time window from the security event data set, and dividing the extracted security events according to the source address and the rule identifier to obtain an initial event group set; the initial event group set comprises a plurality of initial event groups, and each initial event group comprises a plurality of security events with the same source address and the same rule identification;
filtering the initial event group set to obtain a target event group set corresponding to the time window; the target event group set comprises a plurality of target event groups, and each target event group comprises a plurality of rule groups divided according to source addresses;
and merging the target event group sets corresponding to the time windows according to the source address to obtain the rule group set.
5. The method of claim 4, wherein filtering the initial event group set to obtain the target event group set corresponding to the time window includes:
normalizing each initial event group according to the number of the events to obtain event group parameters of each initial event group;
and filtering the initial event group set according to the event group parameters of the initial event groups and a preset event threshold value to obtain the target event group set.
6. The method of claim 5, wherein normalizing each of the initial event groups according to the number of events to obtain event group parameters for each of the initial event groups comprises:
normalizing according to the event number of the initial event group and a preset constant to obtain normalized event number;
normalizing according to the number of events in the initial event group and the number of those events whose request succeeded, to obtain a normalized number of success events;
and determining the event group parameters of the initial event group according to the normalized event number and the normalized success event number.
7. The method of claim 5, wherein filtering the initial event group set according to the event group parameters of each initial event group and a preset event threshold to obtain the target event group set comprises:
for each initial event group in the initial event group set, if the event group parameter is smaller than the preset event threshold value, filtering the initial event group;
and obtaining the target event group set according to unfiltered initial event groups in the initial event group set.
8. The method of claim 6, wherein determining a plurality of time windows based on the event time of each security event in the security event data set and the time window size comprises:
determining the starting time of a first time window according to the event time of each security event in the security event data set;
and determining the time windows according to the starting time of the first time window and the size of the time window.
9. The method of claim 2, wherein the determining of the global maximum liveness set comprises:
sending the local liveness set to a preset server, so that the preset server determines the global maximum liveness of each security rule according to a plurality of received local liveness sets and forms the global maximum liveness set from the global maximum liveness of the security rules;
and receiving the global maximum activity set fed back by the preset server.
10. The method of claim 1, wherein controlling opening or closing of each of the security rules in the security rule base according to the opening probability of each of the security rules comprises:
acquiring random numbers corresponding to the security rules;
and controlling the opening or closing of each security rule according to the random number and the opening probability of that security rule.
11. A security rule base management apparatus, the apparatus comprising:
the data acquisition module is used for acquiring a security event data set; the security event data set comprises event data of a plurality of security events detected by a network security system based on a security rule base in a preset history period;
the liveness determining module is used for determining a rule group set based on the security event data set and a preset time window size, by filtering according to the event time, the source address and the rule identifier of each security event, the rule group set including a plurality of rule groups and each rule group including a plurality of security rules; and for determining the liveness parameter of each security rule according to the total event amount of the target rule group to which the security rule belongs;
the rule base management module is used for determining the opening probability of each security rule according to the liveness parameter and the operation load data of the network security system, and for controlling the opening or closing of each security rule in the security rule base according to the opening probability of each security rule;
the rule base management module is specifically configured to determine a target load interval in which the operation load data is located from a plurality of preset load intervals; for each security rule in the security rule base, to determine the rule category of the security rule according to the liveness parameter, the rule category including at least one of an active rule, a silent rule, a sleep rule and a dormant rule; and to determine the opening probability of each security rule according to the operation load data, the class parameter corresponding to the rule category of the security rule, and the preset relation corresponding to the target load interval.
12. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 10 when the computer program is executed.
13. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 10.
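The method of claims 1 to 10 carried through end to end on constructed data, as an added Python example that is not part of the patent and not the applicant's code. The claims fix the sequence of steps (time windows, grouping by source address and rule identifier, normalisation, threshold filtering, merging into rule groups, local and global maximum liveness, rule category, load interval, random gating) but none of the arithmetic, so every formula, threshold and constant below, the function names (`event_group_param`, `build_rule_groups`, `local_liveness`, `global_max_liveness`, `liveness_params`, `rule_category`, `open_probabilities`, `gate_rules`), the load intervals, the class parameters, the sample events and the peer node's liveness set are assumptions made here to make the pipeline runnable:

```python
"""Liveness-based gating of a security rule base (claims 1-10), toy implementation.
Every formula, threshold and constant is an assumption; the claims name the steps only."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    time: int        # event time in seconds (constructed)
    src: str         # source address
    rule_id: str     # identifier of the security rule that fired
    success: bool    # whether the request the rule flagged succeeded


def _burst(t0, src, rule, n, successes):
    """Build n events for (src, rule) starting at t0; the first `successes` of them succeed."""
    return [Event(t0 + i, src, rule, i < successes) for i in range(n)]


# Constructed sample event data set (not from the patent): three sources over two 60 s windows.
EVENTS = (_burst(0, "10.0.0.1", "R1", 3, 1) + _burst(10, "10.0.0.1", "R2", 2, 2)
          + _burst(70, "10.0.0.1", "R1", 2, 0) + _burst(65, "10.0.0.2", "R2", 3, 2)
          + _burst(80, "10.0.0.2", "R3", 6, 1) + _burst(95, "10.0.0.9", "R4", 1, 0))

WINDOW = 60              # preset time window size in seconds (assumed)
NORM_CONST = 2.0         # preset constant for count normalisation, claim 6 (assumed)
EVENT_THRESHOLD = 0.4    # preset event threshold, claim 7 (assumed)
CLASS_PARAMS = {"active": 1.0, "silent": 0.7, "sleep": 0.4, "dormant": 0.1}  # assumed
# Preset load intervals as (low, high, relation(class_param, load)); all assumed.
LOAD_RELATIONS = [(0.0, 0.5, lambda cp, load: 1.0),               # light load: keep every rule on
                  (0.5, 0.8, lambda cp, load: cp),                # medium: the class parameter itself
                  (0.8, 1.01, lambda cp, load: cp * (1 - load))]  # heavy: scale the class parameter down


def event_group_param(events):
    """Claim 6: normalised event count and normalised success count, combined into one score."""
    n = len(events)
    n_norm = n / (n + NORM_CONST)                    # saturating map of the count into [0, 1)
    succ_norm = sum(e.success for e in events) / n   # share of events whose request succeeded
    return 0.5 * n_norm + 0.5 * succ_norm


def build_rule_groups(events, window=WINDOW, threshold=EVENT_THRESHOLD):
    """Claims 4, 5, 7, 8: cut windows, group by (src, rule), drop weak groups, merge by src.
    Returns {src: {rule_id: event_count}}; each inner dict is one rule group."""
    start = min(e.time for e in events)              # claim 8: first window starts at the earliest event
    windows = defaultdict(lambda: defaultdict(list))  # window index -> (src, rule) -> events
    for e in events:
        windows[(e.time - start) // window][(e.src, e.rule_id)].append(e)
    rule_groups = defaultdict(lambda: defaultdict(int))
    for groups in windows.values():
        for (src, rule), evs in groups.items():
            if event_group_param(evs) < threshold:   # claim 7: filter out the initial event group
                continue
            rule_groups[src][rule] += len(evs)       # claim 4: merge the windows by source address
    return {src: dict(g) for src, g in rule_groups.items()}


def local_liveness(rule_groups, all_rules):
    """Claim 3: local liveness is the total event amount of the rule's target rule group;
    a rule present in several groups takes the busiest one (assumption)."""
    return {r: max((sum(g.values()) for g in rule_groups.values() if r in g), default=0)
            for r in all_rules}


def global_max_liveness(local_sets):
    """Claim 9: the per-rule maximum the preset server computes over the local sets it receives."""
    return {r: max(s.get(r, 0) for s in local_sets) for r in set().union(*local_sets)}


def liveness_params(local, gmax, history, alpha=0.7):
    """Claim 2: blend the normalised local liveness with the historical liveness (assumed weighting)."""
    return {r: alpha * (local[r] / gmax[r] if gmax[r] else 0.0) + (1 - alpha) * history.get(r, 0.0)
            for r in local}


def rule_category(param):
    """Claim 1: assumed thresholds separating the four rule categories."""
    return ("active" if param >= 0.6 else "silent" if param >= 0.3
            else "sleep" if param >= 0.1 else "dormant")


def open_probabilities(params, load):
    """Claim 1: pick the target load interval, then apply its relation to each rule's class parameter."""
    load = min(max(load, 0.0), 1.0)
    relation = next(f for lo, hi, f in LOAD_RELATIONS if lo <= load < hi)
    return {r: min(1.0, relation(CLASS_PARAMS[rule_category(p)], load)) for r, p in params.items()}


def gate_rules(open_probs, randoms=None):
    """Claim 10: a rule stays open when its random number falls below its opening probability."""
    if randoms is None:
        randoms = {r: random.random() for r in open_probs}
    return {r: randoms[r] < p for r, p in open_probs.items()}


if __name__ == "__main__":
    groups = build_rule_groups(EVENTS)
    local = local_liveness(groups, ["R1", "R2", "R3", "R4"])
    peer = {"R1": 20, "R2": 4, "R3": 9, "R4": 2}     # constructed local set of a second node
    params = liveness_params(local, global_max_liveness([local, peer]),
                             history={"R1": 0.9, "R2": 0.5, "R3": 0.1})
    print(gate_rules(open_probabilities(params, load=0.7)))
```

On the constructed data the `10.0.0.1` and `10.0.0.2` rule groups survive the threshold, `R2` sits in both and takes the busier group's total as its local liveness, `R4` (one event, no success) is filtered out and ends up dormant, and at a load of 0.7 the medium-load relation leaves `R4` with an opening probability of only 0.1 while the active rules stay at 1.0. Two things a practitioner would check before deploying anything of this shape: the light-load interval keeps every rule open, so coverage is traded for throughput only while the engine is actually under pressure, and the per-rule random draw and the resulting open/closed state should be recorded, since a detection missed while a rule was closed is otherwise indistinguishable from a rule that never matched.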
CN202310906721.8A 2023-07-24 2023-07-24 Security rule base management method, device, computer equipment and storage medium Active CN116633695B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202310906721.8A CN116633695B (en) 2023-07-24 2023-07-24 Security rule base management method, device, computer equipment and storage medium
PCT/CN2023/140249 WO2025020439A1 (en) 2023-07-24 2023-12-20 Security rule base management method and apparatus, computer device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310906721.8A CN116633695B (en) 2023-07-24 2023-07-24 Security rule base management method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116633695A CN116633695A (en) 2023-08-22
CN116633695B true CN116633695B (en) 2023-11-03

Family

ID=87592458

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310906721.8A Active CN116633695B (en) 2023-07-24 2023-07-24 Security rule base management method, device, computer equipment and storage medium

Country Status (2)

Country Link
CN (1) CN116633695B (en)
WO (1) WO2025020439A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633695B (en) * 2023-07-24 2023-11-03 中国电信股份有限公司 Security rule base management method, device, computer equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108243060A (en) * 2017-01-19 2018-07-03 上海直真君智科技有限公司 A kind of network security alarm risk determination method presorted based on big data
CN112084036A (en) * 2020-09-21 2020-12-15 新华三信息安全技术有限公司 Control method and device for message detection rule, electronic equipment and storage medium
CN115955347A (en) * 2022-12-21 2023-04-11 北京天融信网络安全技术有限公司 Intrusion prevention rule processing method, device, equipment and medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012054868A2 (en) * 2010-10-21 2012-04-26 Visa International Service Association Software and methods for risk and fraud mitigation
US9225772B2 (en) * 2011-09-26 2015-12-29 Knoa Software, Inc. Method, system and program product for allocation and/or prioritization of electronic resources
CN105592061A (en) * 2015-10-27 2016-05-18 杭州华三通信技术有限公司 Attack rule closure method and device
CN113722573B (en) * 2020-05-26 2024-02-09 中国电信股份有限公司 Method, system and storage medium for generating network security threat data set
CN114598659B (en) * 2020-11-19 2024-07-05 华为技术有限公司 Rule base optimization method and device
US20220383321A1 (en) * 2021-05-25 2022-12-01 Affirm, Inc. System, Method and Apparatus for Creating, Testing and Disseminating Fraud Rules
CN116633695B (en) * 2023-07-24 2023-11-03 中国电信股份有限公司 Security rule base management method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN116633695A (en) 2023-08-22
WO2025020439A1 (en) 2025-01-30

Similar Documents

Publication Publication Date Title
Gogoi et al. MLH-IDS: a multi-level hybrid intrusion detection method
US9544321B2 (en) Anomaly detection using adaptive behavioral profiles
US11269995B2 (en) Chain of events representing an issue based on an enriched representation
WO2020201994A1 (en) System and method for improved anomaly detection using relationship graphs
US20180069883A1 (en) Detection of Known and Unknown Malicious Domains
WO2002014989A2 (en) Permission level generation based on adaptive learning
CN104601556A (en) Attack detection method and system for WEB
CN103916385A (en) WAF safety monitoring system based on intelligent algorithm
CN116633695B (en) Security rule base management method, device, computer equipment and storage medium
CN120498762A (en) Method, device, equipment, storage medium and program product for controlling network attack of digital power grid
Barsha et al. Anomaly detection in SCADA systems: A state transition modeling
US20210142424A1 (en) Importance sketching of influence dynamics in massive-scale networks
Liu et al. A membership inference and adversarial attack defense framework for network traffic classifiers
CN118869373B (en) Network attack early warning and tracing method, system and device based on logic knowledge graph
CN119449441A (en) Network security dynamic management method and related device based on IP verification
WO2025161307A1 (en) Attack source tracing method and apparatus, device, and medium
CN117764606A (en) A correlation analysis method, system and equipment for electric carbon blockchain transaction behavior based on graph method
CN117692188A (en) Power security event correlation analysis method and device for attack monitoring scenarios
CN114389830B (en) DDoS attack detection method, device, equipment and readable storage medium
US12149559B1 (en) Reputation and confidence scoring for network identifiers based on network telemetry
CN119094216B (en) An Internet of Things network intrusion detection method, device, medium and product
CN119477507B (en) Police finance communication integrated anti-fraud platform and method
CN117596049B (en) A DDoS attack detection method and device
CN113760664B (en) Two-stage threshold attack detection method, computer and storage medium
CN112261006B (en) Mining method, terminal and storage medium for discovering dependency relationship among threat behaviors

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20230822

Assignee: Tianyiyun Technology Co.,Ltd.

Assignor: CHINA TELECOM Corp.,Ltd.

Contract record no.: X2024110000040

Denomination of invention: Management method, device, computer equipment, and storage medium for security rule library

Granted publication date: 20231103

License type: Common License

Record date: 20240914
