CN108319852B - Event discrimination strategy creating method and device - Google Patents


Info

Publication number
CN108319852B
Authority
CN
China
Prior art keywords
event
strategy
alarm information
accumulated
preset
Prior art date
Legal status
Active
Application number
CN201810127394.5A
Other languages
Chinese (zh)
Other versions
CN108319852A (en)
Inventor
翟建军
钟金鑫
齐志彬
陈青民
张涵茗
张鹏飞
Current Assignee
Beijing An Xin Tian Xing Technology Co ltd
Original Assignee
Beijing An Xin Tian Xing Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides an event discrimination strategy creating method and device. The method uses a Markov model, a preset machine learning algorithm and a selected target execution action to calculate the accumulated event alarm information number of the current event discrimination strategy, and uses the target execution action to continuously optimize the current event discrimination strategy while the preset strategy creating condition is met. The more feedback is accumulated in the Markov model, the more accurate the event discrimination strategy becomes; the current event discrimination strategy corresponding to the maximum accumulated event alarm information number is selected, so the optimal event discrimination strategy is obtained. The method thus continuously optimizes the event discrimination strategy, ensures that the created strategy is optimal, and greatly improves the accuracy of strategy creation.

Description

Event discrimination strategy creating method and device
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for creating an event discrimination policy.
Background
With the rapid development of computer and network technologies, the application of information systems is continuously expanding, and assets in a network environment face various security risks. In order to realize the prevention and control of asset security risks, it is necessary to develop a log analysis management system.
The core of a log analysis management system is its event discrimination strategy library: the system analyzes log codes according to the event discrimination strategies in the library and raises alarms for the event information obtained by the analysis. At present, event discrimination strategies are mainly written by senior information security analysts from their own experience, so their accuracy cannot be guaranteed.
Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for creating an event discrimination policy, so as to solve the problem that the accuracy of the event discrimination policy written by a high-level analyst by experience cannot be guaranteed. The technical scheme is as follows:
an event discrimination policy creation method includes:
acquiring a preset log code and an initial event judgment strategy, and taking the initial event judgment strategy as a current event judgment strategy;
selecting a target execution action corresponding to the current event judgment strategy from a preset creation action set;
calculating the number of accumulated event alarm information of the current event discrimination strategy under the log code according to a Markov model, a preset machine learning algorithm and the target execution action;
when a preset strategy creating condition is met, adjusting the current event discrimination strategy according to the target execution action, taking the adjusted strategy as the current event discrimination strategy, and returning to the step of selecting a target execution action corresponding to the current event discrimination strategy from the preset creation action set;
and under the condition that a preset strategy creating condition is not met, selecting the maximum accumulated event alarm information number from the accumulated event alarm information numbers, and creating a current event judgment strategy corresponding to the maximum accumulated event alarm information number.
Preferably, the selecting the target execution action corresponding to the current event discrimination policy from a preset creation action set includes:
judging whether the current event judgment strategy is the initial event judgment strategy or not;
if yes, selecting a target execution action from a preset creation action set according to a preset selection rule;
if not, calculating the execution probability of each execution action in the preset creation action set according to a greedy algorithm;
and selecting the execution action with the highest execution probability as the target execution action.
Preferably, the calculating the number of the accumulated event alert information of the current event discrimination policy under the log code according to a markov model, a preset machine learning algorithm and the target execution action includes:
defining an expected accumulated feedback function for representing the expected accumulated event alarm information number according to the Markov model and a preset machine learning algorithm;
acquiring the number of the last accumulated event alarm information, preset feedback parameters for representing the ratio of delay feedback to immediate feedback and the execution action transition probability of the current event judgment strategy under the target execution action;
substituting the number of the last accumulated event alarm information, the preset feedback parameter and the execution action transition probability into the expected accumulated feedback function, and calculating an expected accumulated feedback value of the current event judgment strategy under the log code;
and determining the expected accumulated feedback value as the number of the accumulated event alarm information.
Preferably, the creating of the current event discrimination policy corresponding to the maximum number of the accumulated event alarm information includes:
under the condition that the number of the selected maximum accumulated event alarm information is multiple, acquiring the number of target execution actions corresponding to the maximum accumulated event alarm information number;
selecting the maximum cumulative event alarm information number with the minimum target execution action number as the final cumulative event alarm information number;
and creating a current event judgment strategy corresponding to the final accumulated event alarm information number.
Preferably, the method further comprises the following steps:
and adding the created current event judgment strategy into an event judgment strategy library.
An event discrimination policy creation apparatus comprises an acquisition module, a selection module, a calculation module, an adjustment module and a selection creation module;
the acquisition module is used for acquiring a preset log code and an initial event judgment strategy, and taking the initial event judgment strategy as a current event judgment strategy;
the selection module is used for selecting a target execution action corresponding to the current event judgment strategy from a preset creation action set;
the calculation module is used for calculating the number of the accumulated event alarm information of the current event discrimination strategy under the log code according to a Markov model, a preset machine learning algorithm and the target execution action;
the adjusting module is used for adjusting the current event judgment strategy according to the target execution action under the condition that a preset strategy creating condition is met, taking the adjusted current event judgment strategy as a current event judgment strategy, and triggering the selecting module;
and the selecting and creating module is used for selecting the maximum accumulated event alarm information number from the accumulated event alarm information numbers under the condition that the preset strategy creating condition is not met, and creating the current event judgment strategy corresponding to the maximum accumulated event alarm information number.
Preferably, the selecting module is specifically configured to:
judging whether the current event judgment strategy is the initial event judgment strategy or not; if yes, selecting a target execution action from a preset creation action set according to a preset selection rule; if not, calculating the execution probability of each execution action in the preset creation action set according to a greedy algorithm; and selecting the execution action with the highest execution probability as the target execution action.
Preferably, the calculation module is specifically configured to:
defining an expected accumulated feedback function for representing the expected accumulated event alarm information number according to the Markov model and a preset machine learning algorithm; acquiring the number of the last accumulated event alarm information, preset feedback parameters for representing the ratio of delay feedback to immediate feedback and the execution action transition probability of the current event judgment strategy under the target execution action; substituting the number of the last accumulated event alarm information, the preset feedback parameter and the execution action transition probability into the expected accumulated feedback function, and calculating an expected accumulated feedback value of the current event judgment strategy under the log code; and determining the expected accumulated feedback value as the number of the accumulated event alarm information.
Preferably, the selection creation module, configured to create the current event judgment policy corresponding to the maximum number of the accumulated event alarm information, is specifically configured to:
under the condition that the number of the selected maximum accumulated event alarm information is multiple, acquiring the number of target execution actions corresponding to the maximum accumulated event alarm information number; selecting the maximum cumulative event alarm information number with the minimum target execution action number as the final cumulative event alarm information number; and creating a current event judgment strategy corresponding to the final accumulated event alarm information number.
Preferably, the apparatus further comprises an adding module;
and the adding module is used for adding the created current event discrimination strategy into the event discrimination strategy library.
Compared with the prior art, the invention has the following beneficial effects:
the method calculates the accumulated event alarm information number of the current event discrimination strategy by using a Markov model, a preset machine learning algorithm and a selected target execution action, and continuously optimizes the current event discrimination strategy by using the target execution action under the condition of meeting the preset strategy creation condition. The more the accumulated feedback is in the Markov model, the more accurate the event discrimination strategy is, and the current event discrimination strategy corresponding to the maximum accumulated event alarm information number is selected, so that the optimal event discrimination strategy is correspondingly obtained. Based on the method disclosed by the invention, the continuous optimization of the event discrimination strategy is realized, the created event discrimination strategy is ensured to be optimal, and the accuracy of strategy creation is greatly improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a method for creating an event discrimination policy according to an embodiment of the present invention;
fig. 2 is a flowchart of a part of a method for creating an event discrimination policy according to an embodiment of the present invention;
fig. 3 is a flowchart of another part of a method for creating an event discrimination policy according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an event discrimination policy creating apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Assets in the network environment: resources that are valuable to the system, here referring to the physical resources that can carry the actual traffic, such as operating systems, databases, middleware, security devices, and network devices.
Log code: this is referred to as the log data of the asset operation, which is the information that records the hardware, software and system problems in the system and can be used to monitor the events occurring in the system. Specifically, the code may include one or more of time, application, server action, file location, access status, source IP address, destination IP address, source port, and destination port.
Event discrimination strategy: an event discrimination strategy library is dynamically maintained in the log analysis management system. The event discrimination strategies in the library classify the various events in asset operation according to certain characteristics, analyze the collected log codes and judge which event each log code belongs to.
Event alarm information: the log codes are analyzed through the event judgment strategy to judge events to which the log codes belong, and the log analysis system can give an alarm aiming at the events to generate event alarm information.
Markov model: a statistical model of a system in which the transition from one state to another has a transition probability, and this transition probability can be derived from the immediately preceding state alone, regardless of the system's original state and of the Markov process that preceded the transition.
Machine learning: the study of how a computer simulates or realizes human learning behaviour so as to acquire new knowledge or skills and reorganize existing knowledge structures, continuously improving its own performance.
Reinforcement learning: learning, by an intelligent system, of a mapping from environment to behaviour such that the value of the reward signal function is maximized. In reinforcement learning, the reinforcement signal provided by the environment is the only evaluation of how good an action is.
The embodiment of the invention provides an event discrimination strategy creation method, the method flow chart of which is shown in figure 1, and the method comprises the following steps:
S10, acquiring a preset log code and an initial event discrimination strategy, and taking the initial event discrimination strategy as the current event discrimination strategy;
In this embodiment, the acquired log code serves as the sample for subsequent strategy optimization. Because the content of the log code is fixed, the number of event alarm information items covered by this segment of log code, that is, the theoretical event alarm information number, is also fixed. When the log analysis management system runs a given event discrimination strategy on the log code, it obtains the actual event alarm information number; the larger that number, the closer it is to the theoretical event alarm information number, and the better the event discrimination strategy.
S20, selecting a target execution action corresponding to the current event discrimination strategy from a preset creation action set;
in this embodiment, the preset creation action set includes execution actions for different creation situations, where the execution action specifically refers to a modification action of the event discrimination policy, that is, an action for generating a character string. The selection of the target execution action may be randomly selected, or may be selected according to a certain rule, and this embodiment is not particularly limited.
In the specific implementation process, in the step S20, "selecting the target execution action corresponding to the current event judgment policy from the preset created action set," the following steps may be specifically adopted, and the flowchart of the method is shown in fig. 2:
S201, judging whether the current event discrimination strategy is the initial event discrimination strategy; if yes, go to step S202; if not, go to step S203;
S202, selecting a target execution action from the preset creation action set according to a preset selection rule;
in this embodiment, the preset selection rule may be a random selection, or may select a designated execution action.
S203, calculating the execution probability of each execution action in the preset created action set according to a greedy algorithm;
A greedy algorithm is an improved hierarchical approach that always makes the choice that looks best at the moment when solving a problem; that is, it does not consider the global optimum but a locally optimal solution in some sense. When the execution probability of each execution action is calculated with a greedy algorithm, the execution probability is related to the target execution action selected last time.
And S204, selecting the execution action with the maximum execution probability as a target execution action.
S30, calculating the number of the accumulated event alarm information of the current event discrimination strategy under the log code according to the Markov model, the preset machine learning algorithm and the target execution action;
in this embodiment, because the creation of the event discrimination policy belongs to a dynamic behavior, the situation of the next execution cannot be known in advance, and when the decision is selected to be created, the number of the currently obtained event alarm information is irrelevant to the number of the last or next event alarm information, and depends only on the log code and the current event discrimination policy. Therefore, the number of accumulated event alert information is calculated using the markov model in the present embodiment.
In the specific implementation process, step S30, calculating the number of accumulated event alarm information of the current event discrimination policy under the log code according to the Markov model, the preset machine learning algorithm and the target execution action, may specifically adopt the following steps, the flowchart of which is shown in fig. 3:
S301, defining an expected accumulated feedback function for representing the expected number of accumulated event alarm information according to a Markov model and a preset machine learning algorithm;
In executing step S301, the Markov model is first used to define the creation process of the event discrimination strategy as a five-tuple $(s, a, r, \delta, \pi)$, where $s$ represents an input log code, $a$ represents a target execution action, $r$ represents the number of actual event alarm messages generated after the log code is filtered by the current event discrimination strategy, $\delta$ represents the difference between the theoretical and the actual number of event alarm messages, and $\pi$ represents the current event discrimination strategy.
Secondly, to obtain the most accurate event discrimination strategy $\pi$, the maximum number of accumulated event alarm messages needs to be generated. The accumulated event alarm information number $V^{\pi}(s)$ can therefore be expressed by the following formula (1):
Figure GDA0001617016610000071
where $\gamma$ is a constant in the interval $[0, 1)$ representing the relative weight of delayed feedback versus immediate feedback. When $\gamma = 0$, only immediate feedback is considered in the formula; as $\gamma$ approaches 1, future delayed feedback is given greater importance than immediate feedback.
In the process of creating and deciding the event discrimination strategy, the optimal event discrimination strategy is denoted $\pi^{*}$ and can be represented by the following formula (2):
Figure GDA0001617016610000072
To obtain the optimal event discrimination strategy $\pi^{*}$, the maximum accumulated event alarm information number $V^{\pi}(s)$ must be obtained, so attention should be paid to the pairs in which a log code $s$ and a target execution action $a$ occur together, that is, to which target execution action $a$ should be performed under log code $s$.
In this embodiment, the preset machine learning algorithm is Q-learning, one of the most commonly used reinforcement learning algorithms at present. $Q(s, a_t)$ is defined as the value of performing action $a_t$ under log code $s$; that is, $Q(s, a_t)$ is the expected cumulative feedback obtained by performing action $a_t$ under log code $s$ and thereafter following the optimal event discrimination strategy $\pi^{*}$. Its relationship to the accumulated event alarm information number $V^{\pi}(s)$ can be expressed by the following formula (3):
Figure GDA0001617016610000081
For each target execution action $a_{t+1}$ that may occur, the process transfers to $a_{t+1}$ with probability $p(a_{t+1} \mid a_t, s)$, and from there the expected accumulated feedback obtained by performing actions according to the optimal event discrimination strategy $\pi^{*}$ is $V^{*}(s)$. Therefore $Q(s, a_t)$ is:
Figure GDA0001617016610000082
S302, acquiring the last accumulated event alarm information number, the preset feedback parameter representing the ratio of delayed feedback to immediate feedback, and the execution action transition probability of the current event discrimination strategy under the target execution action;
S303, substituting the last accumulated event alarm information number, the preset feedback parameter and the execution action transition probability into the expected accumulated feedback function, and calculating the expected accumulated feedback value of the current event discrimination strategy under the log code;
S304, determining the expected accumulated feedback value as the accumulated event alarm information number.
S40, under the condition of meeting the preset strategy creating condition, adjusting the current event judgment strategy according to the target execution action, taking the adjusted current event judgment strategy as the current event judgment strategy, and returning to the step S20;
in this embodiment, the preset policy creating condition may be a preset time period or a preset number of cycles, and the like, and this embodiment is not particularly limited.
S50, under the condition that the preset strategy creating condition is not met, selecting the maximum number of the accumulated event alarm information from the number of the accumulated event alarm information, and creating a current event judgment strategy corresponding to the maximum number of the accumulated event alarm information;
in the process of executing step S50, if the selected maximum number of the accumulated event alert information is one, the current event discrimination policy corresponding to the maximum number of the accumulated event alert information is directly created. And otherwise, if the number of the alarm information is multiple, selecting the maximum accumulated event alarm information number with the minimum target execution action number as the final accumulated event alarm information number, and creating a current event judgment strategy corresponding to the final accumulated event alarm information number.
In some other embodiments, to ensure timely operation of the log analysis management system, on the basis of the event discrimination policy creation method shown in fig. 1, the method further includes the following steps:
and adding the created current event judgment strategy into an event judgment strategy library.
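The following is an added worked example and is not code from the patent or its assignee. It runs the whole creation loop of steps S10 to S50 on a constructed log code, including the action-selection sub-steps S201 to S204 (designated first action, then greedy choice) and the value computation of S301 to S304 (a Q-learning backup with the feedback parameter γ), and finishes with the S50 rule of taking the largest accumulated value and, on ties, the fewest actions. Everything concrete here is an assumption the page does not specify: a strategy is a tuple of tokens a log record must all contain, the creation action set is "add token" / "drop last token", the immediate feedback r is the alarm count of the adjusted strategy scored against labelled records (true alarms minus false alarms, so an over-broad strategy is not rewarded), and transitions are deterministic, so the transition probability is 1 and a full Q-learning backup (α = 1) is used.

```python
"""Toy event-discrimination-strategy creation loop (added example).

Assumed model, not taken from the patent: strategy = tuple of required
tokens; actions add or drop a token; r = true alarms - false alarms on a
constructed, labelled log code; deterministic transitions (p = 1).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log code: (record, is_true_event). The three failed
# logins are the events an ideal strategy should alarm on (theoretical count).
LOG_CODE: List[Tuple[str, bool]] = [
    ("2018-02-01T10:00:01 sshd login_failed src=10.0.0.5 dst=10.0.0.1 dport=22", True),
    ("2018-02-01T10:00:02 sshd login_failed src=10.0.0.5 dst=10.0.0.1 dport=22", True),
    ("2018-02-01T10:00:03 sshd login_ok src=10.0.0.7 dst=10.0.0.1 dport=22", False),
    ("2018-02-01T10:00:04 httpd get src=10.0.0.9 dst=10.0.0.2 dport=80", False),
    ("2018-02-01T10:00:05 sshd login_failed src=10.0.0.5 dst=10.0.0.1 dport=22", True),
]
THEORETICAL_ALARMS = sum(1 for _, is_event in LOG_CODE if is_event)  # 3

Strategy = Tuple[str, ...]
Action = Tuple[str, ...]

# Preset creation action set (assumed): string-building actions on the strategy.
TOKENS = ["sshd", "login_failed", "src=10.0.0.5", "httpd"]
ACTIONS: List[Action] = [("add", t) for t in TOKENS] + [("drop_last",)]
GAMMA = 0.9  # preset feedback parameter: weight of delayed vs immediate feedback, in [0, 1)


def matches(strategy: Strategy, record: str) -> bool:
    """A record is judged to be the event when it contains every required token."""
    return all(tok in record for tok in strategy)


def score(strategy: Strategy) -> int:
    """Immediate feedback r: alarms on true events minus false alarms (assumed)."""
    true_alarms = sum(1 for rec, ev in LOG_CODE if ev and matches(strategy, rec))
    false_alarms = sum(1 for rec, ev in LOG_CODE if not ev and matches(strategy, rec))
    return true_alarms - false_alarms


def valid_actions(strategy: Strategy) -> List[Action]:
    """Members of the action set that actually change the strategy string."""
    out = []
    for a in ACTIONS:
        if a[0] == "add" and a[1] not in strategy:
            out.append(a)
        elif a[0] == "drop_last" and strategy:
            out.append(a)
    return out


def apply_action(strategy: Strategy, action: Action) -> Strategy:
    """S40: adjust the current strategy according to the target execution action."""
    if action[0] == "add":
        return strategy + (action[1],)
    return strategy[:-1]


def select_action(strategy: Strategy, initial: Strategy, q) -> Action:
    """S201-S204: designated first action for the initial strategy (the preset
    selection rule), otherwise the greedy choice: highest Q value, first on ties."""
    acts = valid_actions(strategy)
    if strategy == initial:
        return acts[0]
    return max(acts, key=lambda a: q[(strategy, a)])


def create_strategy(cycles: int, initial: Strategy = ()) -> Tuple[Strategy, float, int]:
    """S10-S50 with a preset number of cycles as the strategy creating condition.
    Returns (created strategy, its accumulated feedback value, actions used)."""
    q: Dict[Tuple[Strategy, Action], float] = defaultdict(float)
    current = initial
    records = []  # (accumulated feedback value, adjusted strategy, actions so far)
    for step in range(1, cycles + 1):
        a_t = select_action(current, initial, q)   # S20
        adjusted = apply_action(current, a_t)       # S40
        r = score(adjusted)
        # S30: Q(s, a_t) = r + γ · max_a' Q(s', a'); transition probability is 1.
        q[(current, a_t)] = r + GAMMA * max(q[(adjusted, a2)] for a2 in valid_actions(adjusted))
        records.append((q[(current, a_t)], adjusted, step))
        current = adjusted
    # S50: largest accumulated value; among equal values, the fewest actions.
    best_value = max(v for v, _, _ in records)
    value, strategy, n = min((rec for rec in records if rec[0] == best_value), key=lambda rec: rec[2])
    return strategy, value, n


if __name__ == "__main__":
    created, value, n = create_strategy(cycles=10)
    print(created, round(value, 4), n, "alarms:", score(created), "of", THEORETICAL_ALARMS)
```

Running it with ten cycles creates the strategy `("sshd", "login_failed", "src=10.0.0.5")`, which alarms on exactly the three true events. The trace also shows a caveat a practitioner should keep in mind: the purely greedy choice of S203 and S204 never explores `("login_failed",)` on its own, and after the fourth cycle it oscillates between adding and dropping `httpd`, so the preset selection rule for the initial strategy and the number of cycles in the creating condition decide which strategies are ever evaluated. Before adding a created strategy to the library, compare its actual alarm count against the theoretical count (the δ of the five-tuple) rather than trusting the accumulated value alone, since that value also credits states from which a good strategy is merely reachable.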
The above steps S201 to S203 are only a preferred implementation manner of the process of "selecting the target execution action corresponding to the current event judgment policy from the preset created action set" in step S20 in this embodiment of the present application, and a specific implementation manner of this process may be arbitrarily set according to own requirements, which is not limited herein.
The above steps S301 to S304 are only one preferred implementation manner of the process of "calculating the number of accumulated event alarm messages of the current event discrimination policy under the log code according to the markov model, the preset machine learning algorithm, and the target execution action" in step S30 according to the embodiment of the present application, and the specific implementation manner of this process may be arbitrarily set according to the needs of the user, and is not limited herein.
The method for creating the event discrimination strategy provided by the embodiment of the invention calculates the number of accumulated event alarm messages of the current event discrimination strategy by using a Markov model, a preset machine learning algorithm and a selected target execution action, and continuously optimizes the current event discrimination strategy by using the target execution action under the condition of meeting the preset strategy creation condition. The more the accumulated feedback is in the Markov model, the more accurate the event discrimination strategy is, and the current event discrimination strategy corresponding to the maximum accumulated event alarm information number is selected, so that the optimal event discrimination strategy is correspondingly obtained. Based on the method disclosed by the invention, the continuous optimization of the event discrimination strategy is realized, the created event discrimination strategy is ensured to be optimal, and the accuracy of strategy creation is greatly improved.
Based on the event discrimination policy creation method provided in the foregoing embodiment, an embodiment of the present invention correspondingly provides an apparatus for executing the method. A schematic structural diagram of the apparatus is shown in fig. 4; the apparatus comprises an acquisition module 10, a selection module 20, a calculation module 30, an adjustment module 40 and a selection creation module 50, where:
the acquisition module 10 is configured to acquire a preset log code and an initial event discrimination policy, and to use the initial event discrimination policy as the current event discrimination policy;
the selection module 20 is configured to select a target execution action corresponding to the current event discrimination policy from a preset creation action set;
the calculation module 30 is configured to calculate the number of accumulated event alarm information of the current event discrimination policy under the log code according to the Markov model, the preset machine learning algorithm and the target execution action;
the adjustment module 40 is configured to, when the preset policy creation condition is met, adjust the current event discrimination policy according to the target execution action, use the adjusted policy as the current event discrimination policy, and trigger the selection module 20;
and the selection creation module 50 is configured to, when the preset policy creation condition is not met, select the maximum accumulated event alarm information number from the accumulated event alarm information numbers and create the current event discrimination policy corresponding to it.
In other embodiments, the selection module 20 is specifically configured to:
judge whether the current event discrimination policy is the initial event discrimination policy; if so, select a target execution action from the preset creation action set according to a preset selection rule; if not, calculate the execution probability of each execution action in the preset creation action set according to a greedy algorithm, and select the execution action with the highest execution probability as the target execution action.
In some other embodiments, the calculation module 30 is specifically configured to:
define, according to the Markov model and the preset machine learning algorithm, an expected accumulated feedback function representing the expected accumulated event alarm information number; acquire the last accumulated event alarm information number, a preset feedback parameter representing the ratio of delayed feedback to immediate feedback, and the execution action transition probability of the current event discrimination policy under the target execution action; substitute the last accumulated event alarm information number, the preset feedback parameter and the execution action transition probability into the expected accumulated feedback function to calculate the expected accumulated feedback value of the current event discrimination policy under the log code; and determine the expected accumulated feedback value as the accumulated event alarm information number.
In some other embodiments, the selection creation module 50, when creating the current event discrimination policy corresponding to the maximum accumulated event alarm information number, is specifically configured to:
when more than one maximum accumulated event alarm information number has been selected, acquire the number of target execution actions corresponding to each of them; take the maximum accumulated event alarm information number with the fewest target execution actions as the final accumulated event alarm information number; and create the current event discrimination policy corresponding to the final accumulated event alarm information number.
In some other embodiments, the event discrimination policy creation apparatus shown in fig. 4 further includes:
an adding module, configured to add the created current event discrimination policy to the event discrimination policy library.
The event discrimination policy creation apparatus provided by the embodiment of the invention realizes continuous optimization of the event discrimination policy, ensures that the created event discrimination policy is optimal, and greatly improves the accuracy of policy creation.
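The modules above implement one selection, calculation and adjustment loop. As an added illustration, not the patent's own code, the Python below runs that loop end to end on a constructed log corpus; the record fields, the action set (each action adds one match condition), the immediate-feedback definition (alarms raised on labelled events) and the discounted recurrence used as the expected accumulated feedback function are all assumptions, since the section does not spell them out.

```python
from dataclasses import dataclass

# Constructed sample "log code": one dict per parsed log line. The 'event' flag is
# an analyst label for genuine security events; it only scores alarms and is
# never read by the policy itself.
LOG_CODE = [
    {"proto": "ssh",  "result": "fail", "src": "ext", "event": True},
    {"proto": "ssh",  "result": "fail", "src": "ext", "event": True},
    {"proto": "ssh",  "result": "fail", "src": "int", "event": False},
    {"proto": "ssh",  "result": "ok",   "src": "ext", "event": False},
    {"proto": "http", "result": "fail", "src": "ext", "event": True},
    {"proto": "http", "result": "ok",   "src": "int", "event": False},
]
# Assumed shape of the preset creation action set: each action adds one match
# condition; a record raises an alarm when every condition of the policy holds.
ACTION_SET = [("result", "fail"), ("src", "ext"), ("proto", "ssh"), ("proto", "http")]
GAMMA = 0.8  # preset feedback parameter: weight of delayed vs. immediate feedback

@dataclass(frozen=True)
class Candidate:
    cumulative: float   # accumulated event alarm information number (Q)
    n_actions: int      # target execution actions applied so far
    policy: frozenset   # the current event discrimination policy

def raises_alarm(policy, record):
    return all(record.get(f) == v for f, v in policy)

def immediate_feedback(policy):
    """Assumed immediate feedback: alarms the policy raises on labelled events."""
    return sum(1 for r in LOG_CODE if r["event"] and raises_alarm(policy, r))

def select_action(policy, initial, remaining):
    """Preset rule for the initial policy, greedy choice afterwards; returns the
    target action with its execution (transition) probability."""
    if policy == initial:
        return remaining[0], 1.0          # preset selection rule: first action
    gains = [immediate_feedback(policy | {a}) for a in remaining]
    total = sum(gains)
    probs = [g / total if total else 1 / len(gains) for g in gains]
    best = max(range(len(remaining)), key=probs.__getitem__)
    return remaining[best], probs[best]

def expected_cumulative_feedback(policy, last_q, p):
    # Assumed discounted recurrence: immediate feedback + GAMMA * p * last number.
    return immediate_feedback(policy) + GAMMA * p * last_q

def pick_final(candidates):
    """Largest accumulated number; ties go to the candidate with the fewest actions."""
    best = max(c.cumulative for c in candidates)
    return min((c for c in candidates if c.cumulative == best), key=lambda c: c.n_actions)

def create_policy(initial=frozenset(), max_steps=10):
    """Select, calculate and adjust while the preset creation condition holds
    (actions left and steps remaining), then choose the best recorded candidate."""
    policy, remaining, last_q, candidates = initial, list(ACTION_SET), 0.0, []
    for step in range(max_steps):
        if not remaining:
            break
        action, p = select_action(policy, initial, remaining)
        remaining.remove(action)
        policy = policy | {action}        # adjust the current policy
        last_q = expected_cumulative_feedback(policy, last_q, p)
        candidates.append(Candidate(last_q, step + 1, policy))
    return pick_final(candidates)
```

On the constructed corpus the fourth action makes the policy unsatisfiable, its immediate feedback drops to zero and the discounted number decays, so the three-condition policy from the previous step is the one created.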
The event discrimination policy creation method and apparatus provided by the present invention have been described in detail above. A specific example has been used herein to explain the principle and implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method and its core idea; at the same time, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and their scope of application. In summary, the content of this specification should not be construed as limiting the present invention.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to one another. Since the apparatus disclosed in the embodiment corresponds to the method disclosed in the embodiment, its description is brief, and the relevant points can be found in the description of the method.
It is further noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another and do not necessarily require or imply any actual such relationship or order between those entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. An event discrimination policy creation method, comprising:
acquiring a preset log code and an initial event discrimination policy, and taking the initial event discrimination policy as a current event discrimination policy;
selecting a target execution action corresponding to the current event discrimination policy from a preset creation action set;
calculating the number of accumulated event alarm information of the current event discrimination policy under the log code according to a Markov model, a preset machine learning algorithm and the target execution action;
when a preset policy creation condition is met, adjusting the current event discrimination policy according to the target execution action, taking the adjusted current event discrimination policy as the current event discrimination policy, and returning to the step of selecting a target execution action corresponding to the current event discrimination policy from the preset creation action set;
when the preset policy creation condition is not met, selecting the maximum accumulated event alarm information number from the accumulated event alarm information numbers, and creating a current event discrimination policy corresponding to the maximum accumulated event alarm information number;
wherein the calculating the number of accumulated event alarm information of the current event discrimination policy under the log code according to the Markov model, the preset machine learning algorithm and the target execution action comprises:
defining, according to the Markov model and the preset machine learning algorithm, an expected accumulated feedback function representing the expected accumulated event alarm information number;
acquiring the last accumulated event alarm information number, a preset feedback parameter representing the ratio of delayed feedback to immediate feedback, and the execution action transition probability of the current event discrimination policy under the target execution action;
substituting the last accumulated event alarm information number, the preset feedback parameter and the execution action transition probability into the expected accumulated feedback function, and calculating an expected accumulated feedback value of the current event discrimination policy under the log code;
and determining the expected accumulated feedback value as the number of accumulated event alarm information.
2. The method according to claim 1, wherein the selecting the target execution action corresponding to the current event discrimination policy from the preset creation action set comprises:
judging whether the current event discrimination policy is the initial event discrimination policy;
if so, selecting a target execution action from the preset creation action set according to a preset selection rule;
if not, calculating the execution probability of each execution action in the preset creation action set according to a greedy algorithm;
and selecting the execution action with the highest execution probability as the target execution action.
3. The method according to claim 1, wherein the creating the current event discrimination policy corresponding to the maximum accumulated event alarm information number comprises:
when more than one maximum accumulated event alarm information number is selected, acquiring the number of target execution actions corresponding to each maximum accumulated event alarm information number;
selecting the maximum accumulated event alarm information number with the fewest target execution actions as the final accumulated event alarm information number;
and creating a current event discrimination policy corresponding to the final accumulated event alarm information number.
4. The method according to claim 1, further comprising:
adding the created current event discrimination policy to an event discrimination policy library.
5. An event discrimination policy creation apparatus, comprising an acquisition module, a selection module, a calculation module, an adjustment module and a selection creation module, wherein:
the acquisition module is configured to acquire a preset log code and an initial event discrimination policy, and to take the initial event discrimination policy as a current event discrimination policy;
the selection module is configured to select a target execution action corresponding to the current event discrimination policy from a preset creation action set;
the calculation module is configured to calculate the number of accumulated event alarm information of the current event discrimination policy under the log code according to a Markov model, a preset machine learning algorithm and the target execution action;
the adjustment module is configured to, when a preset policy creation condition is met, adjust the current event discrimination policy according to the target execution action, take the adjusted current event discrimination policy as the current event discrimination policy, and trigger the selection module;
the selection creation module is configured to, when the preset policy creation condition is not met, select the maximum accumulated event alarm information number from the accumulated event alarm information numbers, and create a current event discrimination policy corresponding to the maximum accumulated event alarm information number;
and the calculation module is specifically configured to:
define, according to the Markov model and the preset machine learning algorithm, an expected accumulated feedback function representing the expected accumulated event alarm information number; acquire the last accumulated event alarm information number, a preset feedback parameter representing the ratio of delayed feedback to immediate feedback, and the execution action transition probability of the current event discrimination policy under the target execution action; substitute the last accumulated event alarm information number, the preset feedback parameter and the execution action transition probability into the expected accumulated feedback function, and calculate an expected accumulated feedback value of the current event discrimination policy under the log code; and determine the expected accumulated feedback value as the number of accumulated event alarm information.
6. The apparatus according to claim 5, wherein the selection module is specifically configured to:
judge whether the current event discrimination policy is the initial event discrimination policy; if so, select a target execution action from the preset creation action set according to a preset selection rule; if not, calculate the execution probability of each execution action in the preset creation action set according to a greedy algorithm; and select the execution action with the highest execution probability as the target execution action.
7. The apparatus according to claim 5, wherein the selection creation module, when creating the current event discrimination policy corresponding to the maximum accumulated event alarm information number, is specifically configured to:
when more than one maximum accumulated event alarm information number is selected, acquire the number of target execution actions corresponding to each maximum accumulated event alarm information number; select the maximum accumulated event alarm information number with the fewest target execution actions as the final accumulated event alarm information number; and create a current event discrimination policy corresponding to the final accumulated event alarm information number.
8. The apparatus according to claim 5, further comprising an adding module, configured to add the created current event discrimination policy to an event discrimination policy library.
CN201810127394.5A 2018-02-08 2018-02-08 Event discrimination strategy creating method and device Active CN108319852B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810127394.5A CN108319852B (en) 2018-02-08 2018-02-08 Event discrimination strategy creating method and device

Publications (2)

Publication Number Publication Date
CN108319852A CN108319852A (en) 2018-07-24
CN108319852B true CN108319852B (en) 2022-05-06

Family

ID=62903199

Country Status (1)

Country Link
CN (1) CN108319852B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598588B (en) * 2022-03-14 2023-07-25 阿里巴巴(中国)有限公司 Server fault determination method and device and terminal equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105930944A (en) * 2016-07-12 2016-09-07 中国人民解放军空军装备研究院雷达与电子对抗研究所 DEC-POMDP-based collaborative optimization decision method and device
CN106850289A (en) * 2017-01-25 2017-06-13 东南大学 Service composition method combining Gaussian process and reinforcement learning
CN107133654A (en) * 2017-05-25 2017-09-05 大连理工大学 Method for abnormal event detection in surveillance video
CN107292344A (en) * 2017-06-26 2017-10-24 苏州大学 Robot real-time control method based on environment interaction

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant