Journal: 计算机科学 (Computer Science)

Research on Network Security Event Correlation Analysis Techniques and Tools

Abstract

At present, new types of network security attacks, represented by APT, occur frequently and cause great harm to enterprise information infrastructure. Their customization, concealment and persistence make it difficult for traditional detection methods to detect or predict these deeply hidden attacks in time. However, with the development of big data technology, information about security events and the system running environment can be correlated effectively, which makes it possible to identify such attacks and threats, and security event correlation analysis has emerged accordingly. This paper first explains the importance of security event correlation analysis and its goals and significance. It then surveys existing security event correlation analysis techniques, covering correlation based on attribute features, on logical reasoning, on probability and statistics, and on machine learning, and describes the mechanism, advantages and disadvantages of each. Finally, it surveys existing open-source security event correlation analysis software and compares it comprehensively in terms of application scenario, programming language, user interface and correlation method.
