ArcSight Correlation
Fabian Libeau
Translated by Superpan (hongliangpan, QQ: 28797575)

ArcSight ESM
ArcSight ESM (Enterprise Security Management) is an enterprise security management system for security risk, compliance requirements and insider threats. It gives a centralized view of every aspect of enterprise information security and provides real-time monitoring and event correlation, risk analysis, in-depth investigation, reporting, notification and other security management functions, so that security matters can be managed and audited across the whole enterprise.
2005 ArcSight Confidential

ArcSight ESM: strong event collection and cross-device event categorization
- ArcSight ESM normalizes data formats in real time, supports more than 260 devices out of the box, and categorizes every event in detail so that administrators understand what an event means and can analyse across devices.
- The most intelligent and flexible correlation analysis: real-time, in-memory correlation with 106 built-in correlation rules, a graphical rule editor, and correlation of asset categories and vulnerability status with enterprise policy and risk-management goals.
- Intuitive investigation and compliance reporting: 169 reusable graphical data monitors, user-defined dashboards (41 preset), flexible report formats, a graphical report editor and pre-packaged compliance solutions.

ArcSight ESM: complete automated security response
- Works with security devices to shut down threat traffic and stop attacks in progress; provides threat escalation and ticketing.
- Intelligent storage: integrates data monitoring, backup scripts, partition management and other database maintenance tools; provides a Security Lifecycle Information Management (SLIM) policy that uses automatic high-ratio compression, archiving and restore to cut the cost of storing security events long term.

Core technology of log correlation in a SOC
The core log-correlation technology of SIM/SEM/SIEM/SOC products concentrates on four areas: log collection, formatting, event mapping and correlation.
- Log collection: whether a SIM product has an edge depends on how many device log types its collection supports, how easily it can be extended, and whether it can automatically recognise logs from unknown devices. Protocols that must be supported include syslog, SNMP trap, Windows log, Check Point OPSEC, database, file, XML, SOAP and so on.
- Formatting: once logs are collected they must be formatted to a single standard to prepare for the later correlation and event mapping; if the format is not standard enough, the later stages are hard to do well.
- Event mapping: the logs must be mapped onto one standard that supports a unified solution. This is also difficult: every vendor's devices use different log names, types and meanings, so a unified mapping is a hard problem.
- Correlation analysis: this is the core of a SIM. ArcSight, for example, provides simple event correlation, context correlation, attack-scenario correlation, low-and-slow attack correlation, location correlation, identity correlation, role correlation and more. Correlation analysis also covers vulnerability-information correlation, causal correlation, inference correlation and so on.
The key question, and itself a hard problem, is how to use these technologies to give users a good SIM/SEM/SIEM/SOC system.

Agenda
- Architectural Overview
- ArcSight Risk Prioritization
- ArcSight's different ways of correlating information: rule-based correlation; statistical correlation; pattern discovery (advanced predictive data mining)
- ArcSight Key Concepts

Architectural Overview
- Components: Console, Database, ArcSight Manager, Asset Management, Vulnerability Assessment
- Data flows (XML) into the Manager from: Windows systems; Unix/Linux/AIX/Solaris; security devices; database management systems; Syslog concentrator; mainframe and applications

ArcSight SmartAgent Overview
- Largest number of supported devices (150+)
- 100% data capture
- Intelligent event capture: normalization (one format); categorization (grouping similar events); aggregation (removes event redundancy, 50-80% for firewalls and routers); filtering (transfer and store only what you need)
- Secure, configurable and governed
- FlexAgents: new SmartAgents in hours
- CounterAct Agents: automated remediation
- Flexible data collection: centralized or distributed (CounterAct, SmartAgent, FlexAgent)

ArcSight SmartAgent: Event Normalization and Categorization
Sample raw PIX events (the IP addresses were lost in transcription; only the trailing digits and ports remain):
Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:7/6346 dst outside:54/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:1/1967 to outside:54/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:7/80 (7/80) to isp:1/1967 (54/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 02/15605 to 6/443 flags FIN ACK on interface outside
The slide takes the last event through the two SmartAgent steps:
ArcSight Normalization:
ArcSight Categorization:

ArcSight SmartAgent: Guaranteed Delivery
Diagram labels: Analyst; ArcSight Manager (port 8443); Cache; Failover Manager (optional); ArcSight Event; Compressed Event; SSL; Content Updates. Events leave the SmartAgent as compressed ArcSight events over SSL to the Manager on port 8443, with a local cache and an optional failover Manager so that delivery is guaranteed, and content updates flow back from the Manager to the agent.
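The normalization and categorization step above turns a vendor-specific syslog line into a flat event with device-independent fields. The following is an added example of that step written for the PIX format shown on the slide; it is not ArcSight SmartAgent code. The field names, the category strings, the severity mapping and the sample lines are constructed (the sample lines copy the slide's layout with RFC 5737 documentation addresses in place of the IPs missing from the transcription).

```python
"""Normalize and categorize Cisco PIX syslog lines (added example, not ArcSight code)."""
import re
from datetime import datetime

SAMPLE_PIX_LINES = [  # constructed, same layout as the slide's raw PIX events
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.7/6346 dst outside:203.0.113.54/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.0.0.1/1967 to outside:203.0.113.54/62013",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 198.51.100.2/15605 to 203.0.113.6/443 flags FIN ACK on interface outside",
]

# "<Mon dd yyyy hh:mm:ss>: %PIX-<severity>-<message id>: <body>"
HEADER = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# Two address layouts occur in the samples: "src iface:ip/port dst iface:ip/port"
# and "from [iface:]ip/port to [iface:]ip/port".
ADDR = re.compile(r"(?:src |from )(?:\w+:)?(?P<sip>[\d.]+)/(?P<sport>\d+) (?:dst |to )(?:\w+:)?(?P<dip>[\d.]+)/(?P<dport>\d+)")
PROTO = re.compile(r"\b(tcp|udp|icmp)\b", re.IGNORECASE)

# Categorization keyed on the PIX message id. Constructed taxonomy: the deck only
# shows the "/Attack" and "/recon" prefixes of ArcSight's own categories.
CATEGORY = {
    "106011": ("/Firewall/Deny", "failure"),
    "106015": ("/Firewall/Deny", "failure"),
    "302013": ("/Firewall/Connection/Build", "success"),
    "305011": ("/Firewall/Translation/Build", "success"),
}

def agent_severity(pix_severity):
    """Map PIX syslog severity (0 = most severe, 7 = debug) onto the Low/Medium/
    High/Very High scale used later in the deck. The thresholds are an assumption."""
    if pix_severity <= 2:
        return "Very High"
    if pix_severity == 3:
        return "High"
    if pix_severity == 4:
        return "Medium"
    return "Low"

def normalize(line):
    """Parse one raw PIX line into a flat, device-independent event dict."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a PIX syslog line: %r" % line)
    body, msgid = m.group("body"), m.group("msgid")
    a, p = ADDR.search(body), PROTO.search(body)
    category, outcome = CATEGORY.get(msgid, ("/Unknown", "unknown"))
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "device_vendor": "Cisco", "device_product": "PIX",
        "device_severity": int(m.group("sev")),
        "agent_severity": agent_severity(int(m.group("sev"))),
        "message_id": msgid,
        "protocol": p.group(1).upper() if p else None,
        "source_address": a.group("sip") if a else None,
        "source_port": int(a.group("sport")) if a else None,
        "target_address": a.group("dip") if a else None,
        "target_port": int(a.group("dport")) if a else None,
        "category": category, "outcome": outcome,
        "raw": line,
    }

def normalize_all(lines):
    return [normalize(line) for line in lines]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_PIX_LINES):
        print(ev["timestamp"], ev["category"], ev["protocol"],
              ev["source_address"], "->", ev["target_address"], ev["target_port"])
```

The message-id table is where the cross-device value comes from: once a PIX deny and, say, a Check Point drop both map to /Firewall/Deny with the same source_address and target_port fields, a single rule can be written against the category instead of against each vendor's text.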
The ArcSight Manager - Overview
- Real-time, in-memory correlation
- Real-time dashboards
- Anomaly detection
- Correlation rules: known behaviours
- Pattern discovery: undiscovered patterns
- Flow rates: deviations from the norm (baseline deviation)
- Asset linkage
- Priority scoring: vulnerability, asset value, severity
- Alerts, among other configurable actions
- Scalability and high-availability options
- Intelligent processing
- Manager platforms: Linux, Windows, UNIX, Macintosh

Agenda (this section: ArcSight Risk Prioritization)

ArcSight Risk Correlation
- Inputs: Events (what's happening?), Scans (what's vulnerable?), Devices (what's targeted?)
- Correlation and Prioritization answer: what matters?
- A detected event, a confirmed vulnerability and a profiled asset are combined by weighting algorithms into either a false alarm or normal event, or a prioritized red alarm with a Dynamic Threat Severity Index.
- ArcSight fuses all key event sources and related inputs to rank event significance on multiple variables.

Asset Linkage and Priority Scoring - Overview
- SmartAgents collect ArcSight events from Windows systems, Unix/Linux/AIX/Solaris, security devices, and mainframe and applications; a vulnerability scanner feeds asset information (imported scanned assets) through a SmartAgent. The ArcSight Manager combines both into prioritized events.
- Model Confidence: has the asset been scanned for open ports and vulnerabilities?
- Relevance: are ports open on the asset? Is it vulnerable?
- Severity: is there a history with this attacker or target (active lists)?
- Asset Criticality: how important is this asset to the business?
- Agent Severity: mapping of the reporting device's severity to ArcSight severity

Asset Linkage and Priority Scoring - Information Flow
- Vulnerability assessment: three-dimensional correlation of assets, events and vulnerabilities
- Allows organizations to apply SIM to risk management
- Minimizes dead-end investigations
- Information is seamlessly linked within the ArcSight system
- ArcSight Manager model: Assets (compliance requirement, business role, application, operating system, data role, criticality); Vulnerabilities; Zones; ArcSight Event (event CVE, event severity); Priority Score; Relevance

Threat Priority Variables Considered
- Model Confidence: how well does ArcSight know this asset? Has it been scanned? Options: 0 = asset is not modeled; 4 = asset has not been scanned for open ports or vulnerabilities; 8 = asset has been scanned for open ports or vulnerabilities, but not for both; 10 = asset is scanned for both open ports and vulnerabilities.
- Relevance: is the port open, and has a vulnerability been exploited? Options: 5 = asset's target port is open; 5 = event will exploit a known asset vulnerability.
- Severity: is there a history with this attacker or target (Active Lists)? Options: 5 = Hostile list; 3 = Compromised; 3 = Suspicious list; 1 = Reconnaissance list.
- Asset Criticality: how critical have I rated this asset within my organization? Options: 10 = very high criticality; 8 = high; 6 = medium; 4 = low; 2 = very low; 0 = unknown.
- Agent Severity: mapping of reporting device severity to ArcSight severity.
The Priority of an event is the Agent Severity adjusted by Model Confidence, Relevance, Severity and Asset Criticality.

Threat Priority: The Formula
1. Relevance drags down the Agent Severity. Example: if Relevance = 0, the Priority = 0; if Relevance = 10, the Priority = Agent Severity.
2. Model Confidence tempers the effect of Relevance on Priority. Example: if Model Confidence = 0, Relevance has no effect on Priority; if Model Confidence = 10, Priority behaves as specified above.
3. Formula for the multiplication factor contributed by Model Confidence (M) and Relevance (R): R = (R + M - R * M / 10)
4. If Severity (S) = 10 it adds up to 30% to Agent Severity to provide Priority: (1 + S * 3 / 100)
5. Criticality applies a 20% boost to Agent Severity if Criticality = 10 (Very High); does nothing if Criticality = 8 (High); and applies a decrement/drag if Criticality is Medium/Low/Unknown (6/4/2): (1 + (Criticality - 8) / 10)

Heuristic: Formula-Based
- Threat level formula
- Prioritizes incident investigation and response
- Sums up complex information from the network model
- Location: C:\arcsight\Manager\config\server\ThreatLevelFormula.xml

Priority Calculation Exercise
Steps: Device Severity -> Agent Severity -> Calculation.
- Agent Severity = Low, Priority = 4.
- Asset Criticality is 0 = 20% decrease in priority. Priority = 3.2. (Priority is adjusted by Criticality.)
- Severity = 0, no effect on priority.
- Combined factor for model confidence and relevance, call it MCR. MCR is calculated using the formula MCR = (R + M - R * M / 10), where R (Relevance) = 5 and M (Model Confidence) = 4. MCR = 7 = a 30% drop in priority again. New Priority = 3.2 * 0.7 = 2.24, which rounded off gives 2.
- The Final Priority: because of low values for criticality and relevance, the final priority of the event came down from 4 to 2.
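The formula steps and the exercise above, carried through in code as an added example; this is not ArcSight's ThreatLevelFormula.xml and the function names, the clamp onto the 0..10 scale and the handling of Criticality 0 are mine. The MCR expression is implemented exactly as printed on the slide. Criticality 0 (Unknown) lies outside the printed (1 + (C - 8) / 10) rule, so the example reproduces the 20% drag the exercise applies to it and marks that as an assumption.

```python
"""Threat priority arithmetic as stated on the slides (added example, not ArcSight code)."""

def mcr_factor(relevance, model_confidence):
    """Combined Model Confidence / Relevance factor, exactly as printed:
    MCR = R + M - R*M/10 on the 0..10 scale, applied as the multiplier MCR/10."""
    mcr = relevance + model_confidence - relevance * model_confidence / 10
    return mcr / 10

def severity_factor(severity):
    """Active-list Severity S adds up to 30%: (1 + S*3/100)."""
    return 1 + severity * 3 / 100

def criticality_factor(criticality):
    """10 (Very High) -> +20%, 8 (High) -> unchanged, 6/4/2 -> (1 + (C-8)/10).
    Criticality 0 (Unknown) is outside the printed formula; the slide's exercise
    applies a 20% drag to it, reproduced here as an assumption."""
    if criticality == 0:
        return 0.8
    return 1 + (criticality - 8) / 10

def threat_priority(agent_severity, model_confidence, relevance, severity, criticality):
    """Agent Severity adjusted by the four factors; returns (raw value, rounded priority)."""
    raw = (agent_severity
           * criticality_factor(criticality)
           * mcr_factor(relevance, model_confidence)
           * severity_factor(severity))
    raw = max(0.0, min(10.0, raw))  # keep the result on the 0..10 scale (assumption)
    return raw, round(raw)

def explain(agent_severity, model_confidence, relevance, severity, criticality):
    """Step-by-step breakdown in the style of the slide's exercise."""
    steps = [("Agent Severity", float(agent_severity))]
    p = agent_severity * criticality_factor(criticality)
    steps.append(("after Criticality factor %.2f" % criticality_factor(criticality), p))
    p *= mcr_factor(relevance, model_confidence)
    steps.append(("after MCR factor %.2f" % mcr_factor(relevance, model_confidence), p))
    p *= severity_factor(severity)
    steps.append(("after Severity factor %.2f" % severity_factor(severity), p))
    return steps

if __name__ == "__main__":
    # The slide's exercise: Agent Severity 4 (Low), M = 4, R = 5, S = 0, Criticality 0.
    for label, value in explain(4, 4, 5, 0, 0):
        print("%-32s %.2f" % (label, value))
    print("final priority:", threat_priority(4, 4, 5, 0, 0))            # raw ~2.24, rounded 2
    # The same device alert against a fully modelled, Very High criticality asset
    # from a source already on the hostile list (S = 5) ranks much higher.
    print("hostile vs critical asset:", threat_priority(4, 10, 10, 5, 10))  # raw ~5.52, rounded 6
```

One caveat worth checking against a real deployment: with the MCR expression exactly as printed, Relevance 0 together with Model Confidence 10 gives MCR = 0 + 10 - 0 = 10, i.e. no drag, so the printed formula alone does not reproduce the slide's "Relevance = 0 gives Priority = 0" statement, although it does reproduce the exercise's figures (R = 5, M = 4 gives 7). The authoritative arithmetic is whatever ThreatLevelFormula.xml on the Manager specifies.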
Agenda (this section: Rule based correlation)

Rule based correlation
- Fast memory-based algorithm, based on RETE 2 (/rete2.htm)
- Incorporates in correlation: events; vulnerability information; Active Lists (dynamic lists with e.g. asset/user information); asset categories (see later slides); asset zones (IP ranges); asset networks (IP networks / groups of asset zones); results of earlier rule-based correlation; results of earlier statistical correlation

Rules Theory: rule types by complexity
1. Simple Aggregation
   - Single event type or category; basic conditions; de-duplication
   - Example: any source repetitively profiling targets. arcsight_category startsWith /recon; target_address inSubnet; groupBy source_address; 2 or more matching events in 1 minute
   - Approach: catch and accumulate events in real time in memory. Good for event bursts.
2. Complex Correlation: Multi-Event Join
   - Multiple event types or categories; boolean conditions; complete session or "round trip"
   - Example: any source successfully engaging a target. arcsight_category startsWith /attack; target_address inSubnet; groupBy source_address, target_address; 1+ matching events in 1 minute; join events across IDS, firewall and host
   - Approach: catch and correlate events in real time in memory until the rule chain is complete. Good for cross-event matching that occurs in a single session.
3. Complex Long Sequence
   - Multiple sessions: pre-attack probes, attack formation/progression, and attack conclusion; handles the long-term memory need using active lists
   - Example: a low-and-slow attack pattern across multiple rules. The /recon rule records source_address as suspicious; the /attack rule upgrades source_address to hostile and records target_address as compromised; the final rule looks for evidence of success (rule 1 -> active list -> rule 2 -> active list -> rule 3)
   - Approach: break up sequences into logical segments and maintain active lists in the database that tie together multiple rules. Good for long-elapsed-time attack sequences that start and stop across multiple sessions.
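The first rule type above, the in-memory simple aggregation, as an added example (not ArcSight rule-engine code). It implements the slide's conditions literally: category startsWith /recon, target_address inSubnet, groupBy source_address, 2 or more matching events in 1 minute, with de-duplication so that one burst yields one correlated event. The event dicts, field names and sample events (documentation addresses) are constructed.

```python
"""In-memory aggregation rule with a sliding window (added example, not ArcSight code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

class AggregationRule:
    def __init__(self, category_prefix, subnet, threshold=2, window=timedelta(minutes=1)):
        self.prefix = category_prefix
        self.subnet = ip_network(subnet)
        self.threshold, self.window = threshold, window
        # groupBy source_address: one deque of timestamps per source, kept inside the window
        self.buckets = defaultdict(deque)

    def matches(self, ev):
        return (ev["category"].startswith(self.prefix)
                and ip_address(ev["target_address"]) in self.subnet)

    def feed(self, ev):
        """Feed one normalized event (events arrive in time order).
        Returns a correlated event when the rule fires, otherwise None."""
        if not self.matches(ev):
            return None
        q = self.buckets[ev["source_address"]]
        q.append(ev["timestamp"])
        while q and ev["timestamp"] - q[0] > self.window:  # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold:
            fired = {"rule": "Repetitive target profiling", "source_address": ev["source_address"],
                     "matched": len(q), "first": q[0], "last": ev["timestamp"]}
            q.clear()  # de-duplicate: one correlated event per burst, then start counting again
            return fired
        return None

def run_rule(rule, events):
    return [c for c in (rule.feed(ev) for ev in events) if c]

T0 = datetime(2005, 6, 2, 12, 16, 0)

def ev(secs, src, dst, category):
    return {"timestamp": T0 + timedelta(seconds=secs), "source_address": src,
            "target_address": dst, "category": category}

SAMPLE_EVENTS = [  # constructed, time-ordered
    ev(3,   "198.51.100.9",  "10.1.2.5",  "/recon/port-scan"),
    ev(20,  "198.51.100.10", "10.1.2.5",  "/recon/port-scan"),
    ev(41,  "198.51.100.9",  "10.1.2.6",  "/recon/port-scan"),  # 2nd hit for .9 within 1 minute: fires
    ev(50,  "198.51.100.9",  "192.0.2.1", "/recon/port-scan"),  # target outside the watched subnet
    ev(60,  "198.51.100.9",  "10.1.2.7",  "/attack/web"),       # wrong category prefix
    ev(70,  "198.51.100.9",  "10.1.2.8",  "/recon/port-scan"),  # new burst, only one hit so far
    ev(140, "198.51.100.10", "10.1.2.5",  "/recon/port-scan"),  # .10's hit at +20 s has expired: no fire
]

if __name__ == "__main__":
    for correlated in run_rule(AggregationRule("/recon", "10.1.2.0/24"), SAMPLE_EVENTS):
        print(correlated)
```

The per-source deque is the "memory" the slide refers to: it grows only with distinct sources seen inside the window, which is what makes this rule type cheap enough to run on bursts, and it is also why it cannot span sessions hours apart; that is the job of the active-list rules.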
Simple Correlation: Event Aggregation
- Most basic correlation
- De-duplicates events (many-to-one)
- Single source, single target
- Flattens event bursts
- ArcSight SmartAgents do this too!
- Correlation: multiple events (same base event) -> single event
As above, plus:
- Distributed attack sources
- Multiple attack targets
- Any field or combination of event fields (types of event)
- Interrelates diverse events
- Correlation: multiple events (multiple event types, sources and/or targets) -> single event

Advanced Correlation: Multi-event Joins
- Inter-relates (joins) diverse events with any combination of common field values, e.g. source IP, target IP, port, protocol, username, domain, location, zone etc.
- Compares any event fields using flexible boolean logic (AND, OR, NOT)
- Good for cross-event matching of complete end-to-end sessions, e.g. correlating an attacker detected by NIDS, crossing the firewall, compromising a host, and creating a back connection to steal confidential data
- Correlation: multiple events with common event fields (different base events) -> single event

Complex Correlation: Attack State Monitoring
- Inter-relates events across sessions using Active Lists
- Any field or combination of event fields may be persisted from base events
- Long- and short-term state machines
- Good for tracking logical sequences of events, e.g. reconnaissance, attack formation, progression and conclusion
- Flow: Event Sequence 1 (multi-event joins) -> correlation -> record on Active List (state 1) -> Event Sequence 2 -> correlation -> record on Active List (state 2) -> Event Sequence 3 -> correlation -> single event

Rule based Cross-Correlation
Diagram: Hacker (19) -> N-IDS -> FW -> Host (48); the IP addresses survive only as their trailing digits in the transcription.

Scenario 1: the attacker is unsuccessful and the alarms are false positives
(1) N-IDS: the IDS reports WEB-IIS ISAPI .printer access to 48. ArcSight categorizes the signature as /Attack/ and recognizes that the target is hosting Mission Critical Applications. ArcSight correlates and fires the 1st rule, Yellow Alarm: / Attack Started / Perimeter Alarm / Mission Critical Asset (Warning_Display). The source IP address is quietly recorded as suspicious.
(2) FW: the firewall reports a "drop" from that source IP to that target IP address. ArcSight correlates and fires the 2nd and final rule, Green Status: / Attack Blocked / Dropped at Firewall / Mission Critical Asset (Information_Display). The target host is never touched. ArcSight records the event for an audit trail, alarms are suppressed and the source IP address remains on the suspicious list.

Scenario 2: the attacker is successful
(1) N-IDS: the IDS reports WEB-IIS ISAPI .printer access to 48. ArcSight categorizes the signature as /Attack/ and recognizes that the target is hosting Mission Critical Applications. ArcSight correlates and fires the 1st rule, Yellow Alarm: / Attack Started / Perimeter Alarm / Mission Critical Asset (Warning_Display). The source IP address is quietly recorded as suspicious.
(2) FW: the firewall reports an "accept" from that source IP to that target IP. ArcSight correlates and fires the 2nd rule, Red Alarm: / Attack Progressing / Crossed Firewall / Mission Critical Asset (Threat_Display). The source IP address is upgraded onto the hostile list.
(3) Host: the target gets "back doored", indicated when the firewall reports an FTP back out from the target to the attack source. ArcSight looks for FTP-out signatures across different devices. ArcSight correlates and fires the 3rd and final rule, Double Red Alarm: / Attack Succeeds / Compromised Target / Mission Critical Asset (Confirmation_Display). The target IP address is recorded as compromised, and an automated notification is sent.

ArcSight Rule Editor
- Join; Condition 1; Condition 2
- Include predefined filters/conditions
- Add asset information; add vulnerability information; add information from Active Lists
- Explanation: this rule looks for a correlation event that triggers from an attack against a system, after which the attacked system begins attacking other systems.

Agenda (this section: Statistical correlation)
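The two cross-correlation scenarios, run through the attack-state-monitoring rule chain they describe, as an added example (not ArcSight rule content). The three rules share state only through the suspicious, hostile and compromised active lists, which is what lets the chain span separate sessions. Device names, field names, the rule and display names as written here, and the sample events (documentation addresses in place of the slide's truncated 19 and 48) are constructed.

```python
"""Attack state monitoring with active lists (added example, not ArcSight code)."""
from datetime import datetime, timedelta

DISPLAY = {"Yellow": "Warning_Display", "Green": "Information_Display",
           "Red": "Threat_Display", "Double Red": "Confirmation_Display"}

class AttackStateMonitor:
    def __init__(self, mission_critical):
        self.critical = set(mission_critical)
        # Active lists: the long-term memory that ties the three rules together
        self.suspicious, self.hostile, self.compromised = set(), set(), set()
        self.audit = []  # every fired rule is kept for the audit trail, suppressed or not

    def _fire(self, colour, name, ev):
        alarm = {"alarm": colour, "rule": name, "display": DISPLAY[colour],
                 "time": ev["timestamp"], "source": ev["source_address"],
                 "target": ev["target_address"],
                 "notify": colour == "Double Red"}  # automated notification on confirmed compromise
        self.audit.append(alarm)
        return alarm

    def feed(self, ev):
        src, dst = ev["source_address"], ev["target_address"]
        # Rule 1: the IDS sees an /Attack signature against a mission-critical asset
        if ev["device"] == "IDS" and ev["category"].startswith("/Attack") and dst in self.critical:
            self.suspicious.add(src)
            return self._fire("Yellow", "/Attack Started/Perimeter Alarm/Mission Critical Asset", ev)
        # Rule 2: the firewall's verdict for a source already on the suspicious list
        if ev["device"] == "FW" and src in self.suspicious and dst in self.critical:
            if ev["action"] == "drop":
                return self._fire("Green", "/Attack Blocked/Dropped at Firewall/Mission Critical Asset", ev)
            if ev["action"] == "accept":
                self.hostile.add(src)
                return self._fire("Red", "/Attack Progressing/Crossed Firewall/Mission Critical Asset", ev)
        # Rule 3: FTP back out from the critical target to a hostile source, whichever device reports it
        if ev["category"].startswith("/Access/FTP") and src in self.critical and dst in self.hostile:
            self.compromised.add(src)
            return self._fire("Double Red", "/Attack Succeeds/Compromised Target/Mission Critical Asset", ev)
        return None

    def run(self, events):
        return [a for a in (self.feed(e) for e in events) if a]

T0 = datetime(2005, 6, 2, 12, 16, 0)

def ev(secs, device, src, dst, category, action=None):
    return {"timestamp": T0 + timedelta(seconds=secs), "device": device, "source_address": src,
            "target_address": dst, "category": category, "action": action}

HACKER, HOST = "198.51.100.19", "10.1.2.48"  # constructed stand-ins for the slide's 19 and 48
SCENARIO_1 = [  # attacker unsuccessful
    ev(0,  "FW",  "203.0.113.5", HOST, "/Access/HTTP", "accept"),   # unrelated traffic: no rule fires
    ev(3,  "IDS", HACKER, HOST, "/Attack/WEB-IIS ISAPI .printer access"),
    ev(4,  "FW",  HACKER, HOST, "/Access/HTTP", "drop"),
]
SCENARIO_2 = [  # attacker successful
    ev(3,  "IDS", HACKER, HOST, "/Attack/WEB-IIS ISAPI .printer access"),
    ev(4,  "FW",  HACKER, HOST, "/Access/HTTP", "accept"),
    ev(90, "FW",  HOST, HACKER, "/Access/FTP", "accept"),           # FTP back out from the target
]

if __name__ == "__main__":
    for name, scenario in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        m = AttackStateMonitor([HOST])
        print(name, [(a["alarm"], a["display"], a["notify"]) for a in m.run(scenario)])
        print("  suspicious", m.suspicious, "hostile", m.hostile, "compromised", m.compromised)
```

Note that the Green rule in Scenario 1 still produces an audit record and leaves the source on the suspicious list; the only thing "suppressed" is the display level, so a later accept from the same source is still escalated rather than treated as first contact.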
ArcSight Statistical Correlation
- ArcSight offers the following statistic types: moving average, average, identity, kurtosis, skew, standard deviation, variance
- Alarms from these can be used in rule-based correlations

Statistical Correlation: Event Rates
- Choice of statistical function: moving average, standard deviation, skew, variance or kurtosis
- Configurable sample period and interval
- Correlation: a steady stream of events (same base event) -> a change in the base event rate (statistical function) -> single event; the absence of events ("No Events") is also a signal
- Controllable event frequency
- Multiple attack dimensions: any field or combination of event fields (types of event)
- Much more sophisticated than simply considering the rate of all events directed at a single target
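An added example of the event-rate monitoring described above (not ArcSight's data monitor code): a stream of identical base events is bucketed into a sample period, each new bucket is compared against the moving average and standard deviation of the previous interval of buckets, and both a rate spike and a sudden silence are flagged. The bucket width, the window length, the k factor, the minimum absolute delta and the synthetic stream are constructed choices.

```python
"""Event-rate statistics over a bucketed stream (added example, not ArcSight code)."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2005, 6, 2, 12, 0, 0)
INTERVAL = timedelta(seconds=10)  # sample period

def synthetic_stream(per_bucket_counts, start=T0, interval=INTERVAL):
    """Constructed event timestamps: c events spread evenly inside bucket i."""
    stamps = []
    for i, c in enumerate(per_bucket_counts):
        for j in range(1, c + 1):
            stamps.append(start + i * interval + j * interval / (c + 1))
    return stamps

def bucket_counts(timestamps, n_buckets, start=T0, interval=INTERVAL):
    """Count events per sample period."""
    counts = [0] * n_buckets
    for t in timestamps:
        idx = int((t - start) / interval)
        if 0 <= idx < n_buckets:
            counts[idx] += 1
    return counts

def rate_anomalies(counts, window=6, k=3.0, min_delta=2):
    """Compare each bucket with the moving average and population std dev of the
    previous `window` buckets. 'spike': count above mean + max(k*sd, min_delta),
    the floor stopping a flat baseline (sd = 0) from firing on +1. 'silence': no
    events although the baseline averaged at least one per bucket (the slide's
    'No Events' case)."""
    found = []
    for i in range(window, len(counts)):
        base = counts[i - window:i]
        mu, sd = mean(base), pstdev(base)
        c = counts[i]
        if c > mu + max(k * sd, min_delta):
            found.append((i, "spike", c))
        elif c == 0 and mu >= 1:
            found.append((i, "silence", c))
    return found

COUNTS = [5, 4, 6, 5, 5, 4, 6, 5, 5, 40, 5, 4, 6, 0, 5]  # constructed per-bucket rates

if __name__ == "__main__":
    stream = synthetic_stream(COUNTS)
    observed = bucket_counts(stream, len(COUNTS))
    for idx, kind, c in rate_anomalies(observed):
        print(T0 + idx * INTERVAL, kind, c)
```

The 40-event bucket pollutes the baseline for the following six buckets, which is why the later 0-count bucket is caught by the silence branch rather than by a spike/dip threshold; a production monitor would normally exclude flagged buckets from the baseline or use a longer window, and would key the counts on a field combination (source, target, category) rather than on the total stream.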