Currently, the field of information security is confronted with various challenges. On the one hand, the security architectures of enterprises are becoming increasingly complicated, and more and more types of security devices and security data are emerging, which renders conventional analysis capacity clearly inadequate; on the other hand, with the rise of new threats such as APT (Advanced Persistent Threat), and with the further development of internal control and compliance, there is a growing need to store and analyze more security information and to make decisions and responses more quickly.
Conventionally, it may take several days or even several months to discover an inconspicuous security threat, because it is difficult to assemble a large amount of uncorrelated data into a concise and organized "puzzle" of the event. The greater the amount of data collected and analyzed, the more chaotic the data appears, and the longer it takes to reconstruct the event. In the case of a fast and ferocious attack (for example, a denial of service attack or a rapidly spreading worm), spending several days or even several months to diagnose the problem may have a significant impact on compliance and finance. Therefore, there is a need to improve this situation.