Publication number: WO2018071625A1
Publication date: 2018-04-19
Application number: PCT/US2017/056270
Filing date: 2017-10-12
Applicant: NEC LABORATORIES AMERICA, INC.
Inventor: CHEN, Zhengzhang; TANG, LuAn; LIN, Ying; LI, Zhichun; CHEN, Haifeng; JIANG, Guofei
CPC classification number: H04L63/1425, G06F21/55, G06F21/57, G06N7/005, H04L63/20
Abstract: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies are determined (306) between the alerts based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined (308) based on a distance between alerts in a graph representation of the detected alerts. The alerts are ranked (310) based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action (614) is performed based on the ranked alerts.
Abstract translation: Methods and systems for detecting security intrusions include detecting alerts in monitored system data. Temporal dependencies between the alerts are determined (306) based on a prefix tree formed from the detected alerts. Content dependencies between the alerts are determined (308) based on the distance between alerts in a graph representation of the detected alerts. The alerts are ranked (310) based on an optimization problem that includes the temporal dependencies and the content dependencies. A security management action (614) is performed based on the ranked alerts.