CN109639648B - Acquisition strategy generation method and system based on acquired data abnormality - Google Patents

Info

Publication number: CN109639648B
Authority: CN (China)
Application number: CN201811376265.6A
Other languages: Chinese (zh)
Other versions: CN109639648A (en)
Prior art keywords: acquisition, collection, agent, target network, items
Legal status: Active
Inventors: 李凤华, 谢绒娜, 张玲翠, 金伟, 李莉
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
History: application filed by Institute of Information Engineering of CAS; priority to CN201811376265.6A; published as CN109639648A; application granted and published as CN109639648B.

Classifications (all under H04L63/00, network architectures or network communication protocols for network security)

    • H04L63/20 Managing network security; network security policies in general
    • H04L63/1416 Detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
Abstract

The embodiment of the invention provides a method and a system for generating an acquisition strategy based on abnormality of acquired data. The method comprises the following steps: if the acquired data reported by the acquisition agents in the target network are judged to be abnormal, determining an acquisition agent set that needs to be activated in the target network according to the acquisition items corresponding to the abnormal acquired data and a prestored information base, and generating an acquisition strategy in the target network according to the acquisition items, the acquisition frequency and the acquisition priority of the acquisition agents in the acquisition agent set. The method and the system provided by the embodiment of the invention formulate a cooperative acquisition strategy aimed at the abnormal acquired data, enable an acquisition agent to carry out differentiated data acquisition according to its acquisition capacity, ensure the effectiveness of the acquired data, greatly reduce the waste of resources such as computation, storage and bandwidth in the network, and at the same time ensure key monitoring of the network operation condition and effective detection of threats.

Description

Acquisition strategy generation method and system based on acquired data abnormality
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a system for generating a collection strategy based on abnormality of collected data.
Background
With the continuous development and wide popularization of communication, network and information technology, large-scale heterogeneous internets have been formed, such as the space-ground integrated network, the internet of things, private networks and the networks where various service systems (such as electronic certificate service systems, electronic commerce systems and electronic government systems) are located. The large-scale heterogeneous internet has the characteristics of heterogeneous interconnection, dynamic access, mobile communication, multi-domain coexistence and the like, and carries a large amount of applications and data with important business value and sensitive content. Meanwhile, network security events are no longer directed at a single device, but threaten a wide coverage area and present a continuous high-risk situation, and network attack means and methods emerge endlessly, which brings a serious threat to network security.
In order to analyze a network threat when the large-scale heterogeneous network is threatened, the operation state data of the devices and/or systems in the large-scale heterogeneous internet are generally collected through collection agents, where "collection agent" is a general term for collectors and collection components. In the prior art, the method for acquiring data such as the operating state is as follows: all the acquisition agents in the large-scale heterogeneous internet are activated directly, so that every acquisition agent acquires data such as the running state of its device or system within its own capacity range. This has the following disadvantages: the acquired data are excessive and redundant, so that resources such as computation, storage and bandwidth in the network are wasted; and because the association of abnormal system states across multiple devices is not considered, cooperative acquisition is not realized, the information redundant for threat analysis is excessive, and the performance and accuracy of the threat analysis are affected.
Disclosure of Invention
Aiming at the technical problems in the prior art, the embodiment of the invention provides a method and a system for generating a collection strategy based on abnormality of collected data.
In a first aspect, an embodiment of the present invention provides a method for generating an acquisition policy based on data acquisition anomalies, where the method includes:
if the acquired data reported by the acquisition agents in the target network are judged to be abnormal, determining an acquisition agent set needing to be activated in the target network, and the acquisition items, the acquisition frequency and the acquisition priority of the acquisition agents in the acquisition agent set according to the acquisition items corresponding to the abnormal acquired data and a prestored information base;
generating an acquisition strategy in the target network based on the acquisition agent set and any one or more of acquisition items, acquisition frequencies and acquisition priorities of the acquisition agents in the acquisition agent set;
the information base comprises an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base.
In a second aspect, an embodiment of the present invention provides a system for generating an acquisition policy based on abnormality of acquired data, including:
an acquisition information determining module, used for determining an acquisition agent set that needs to be activated in the target network, and the acquisition items, the acquisition frequency and the acquisition priority of the acquisition agents in the acquisition agent set, according to the acquisition items corresponding to the abnormal acquired data and a prestored information base, if the acquired data reported by the acquisition agents in the target network are judged to be abnormal;
an acquisition strategy generation module, used for generating an acquisition strategy in the target network based on the acquisition agent set and any one or more of the acquisition items, acquisition frequency and acquisition priority of the acquisition agents in the acquisition agent set;
the information base comprises an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the steps of the method provided in the first aspect when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
According to the acquisition strategy generation method and system based on abnormality of acquired data, the acquired data reported by the acquisition agent are judged for abnormality; when the acquired data are abnormal, a cooperative acquisition strategy for the abnormal data is formulated according to the acquisition items corresponding to the abnormal acquired data and the pre-stored information base, so that the acquisition agent can carry out differentiated data acquisition according to its acquisition capacity, the effectiveness of the acquired data is ensured, the waste of resources such as computation, storage and bandwidth in the network is greatly reduced, and effective detection of network threats and efficient, focused security monitoring of the overall operation condition of the network are ensured at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for generating an acquisition policy based on data acquisition anomalies according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of an acquisition policy generation system based on acquired data exception according to an embodiment of the present invention;
fig. 3 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart of a method for generating an acquisition policy based on abnormality of acquired data according to an embodiment of the present invention; as shown in fig. 1, the method includes:
Step 101, if it is determined that the acquired data reported by the acquisition agents in the target network are abnormal, determining an acquisition agent set to be activated in the target network, and the acquisition items, the acquisition frequency and the acquisition priority of the acquisition agents in the acquisition agent set, according to the acquisition items corresponding to the abnormal acquired data and a pre-stored information base.
Step 102, generating an acquisition strategy in the target network based on the acquisition agent set and any one or more of the acquisition items, acquisition frequencies and acquisition priorities of the acquisition agents in the acquisition agent set.
The information base comprises an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base.
Specifically, the method provided by the embodiment of the present invention is described as applied to a large-scale heterogeneous network, where the large-scale heterogeneous network may be a space-ground integrated network, a private network, or a network in which various service systems (e.g., an e-credential service system, an e-commerce system, or an e-government system) are located, and the target network in the embodiment of the present invention refers to any one or more of these networks.
First, the acquisition object in the target network is briefly explained:
In a space-ground integrated network, devices and systems include, but are not limited to: various satellites, high-speed spacecraft terminals, ground terminals of a space-based backbone network, Ka large-capacity broadband portable/fixed terminals, high-orbit satellite mobile military handheld/civil vehicle-mounted terminals, low-orbit constellation handheld/vehicle-mounted terminals, Ku (FDMA) portable/fixed terminals, Ku (TDMA) portable/fixed terminals and other security terminals; identity authentication management systems, access authentication systems, internetwork interconnection security control systems, password resource management systems, threat fusion analysis and situation early warning systems, whole-network security equipment unified management systems and other systems; and gateways such as a space-based backbone satellite security access gateway, a broadband satellite security access gateway, a satellite mobile security access gateway, a heterogeneous internetwork security interconnection gateway and a ground internetwork security interconnection gateway.
In the internet of things, devices and systems include, but are not limited to: equipment such as an internet of things firewall, an internet of things comprehensive security access gateway, an internetwork interconnection gateway, a heterogeneous data collection gateway and unidirectional/bidirectional data isolation equipment; and systems such as data exchange application agent software, a data flow monitoring system, a programmable application protection system, an internet of things topology mapping system, a security service demand and resource management system, a data storage scheduling management system, an internet of things security management and control center management system and an equipment discovery and identification system.
In a network where various service systems (e.g., e-credential service system, e-commerce system, e-government system) are located, devices and systems include, but are not limited to: electronic certificate high-speed approval service equipment, unified authentication service equipment and other equipment, an electronic certificate approval service management system, an electronic certificate state management and control system, a unified authentication service management system, an electronic certificate checking service system, a multi-business electronic certificate collaborative issuing system, a mass electronic certificate data storage system, an identity authentication system, a password service support system, a data storage system and other systems.
In private networks, the devices and systems also include some non-generic classes of devices, including but not limited to: industrial control gateways, flow filtering and monitoring devices, circulation control devices, storage systems, office systems, file exchange systems and supervision systems.
For convenience of description, the above-described apparatuses or systems are collectively referred to as objects.
For any object in the target network, one or more acquisition agents may be deployed thereon, and the object with the acquisition agent deployed in the target network is referred to as an acquisition object. For any acquisition object, the acquisition agent deployed on the acquisition object is used for acquiring data such as the running state of the acquisition object.
For ease of understanding, the operation state data are described here. The operation state data of an acquisition object are the specific values of its operation indicators. For example, if the operation state indicators of acquisition object A are CPU utilization, memory utilization, the number of packets received by the network interface, the available link bandwidth and the connection duration, then the running state of the acquisition object consists of the specific values of CPU utilization, memory utilization, number of packets received by the network interface, available link bandwidth and connection duration.
The execution subject of the method provided by the embodiment of the invention is called the acquisition management center. The acquisition management center may be located outside the target network or inside it; wherever it is located, it has the following functions: receiving the collected data reported by the collection agents in the target network, judging whether the collected data are abnormal, generating a new collection strategy when the collected data are judged to be abnormal, and distributing the collection strategy to the corresponding collection agents for execution, so that the collection agents are adjusted to collect the corresponding running state data and the like for subsequent analysis of network threats.
For ease of understanding, the collected data are described here. The collected data reported by a collection agent are the running state data of the collection object on which the collection agent is deployed. For example, if the collection items of collection agent a are CPU utilization, memory utilization and the number of packets received by the network interface, and the collection agent is deployed on collection object A, then the collected data of the collection agent are the specific value of the CPU utilization, the specific value of the memory utilization and the specific value of the number of packets received by the network interface.
For step 101, the acquisition management center first receives the acquired data reported by an acquisition agent; then it determines whether the acquired data are abnormal. The methods for determining whether the collected data are abnormal include, but are not limited to, a threshold judgement method and a collected-data change gradient monitoring method.
Threshold judgement method: a normal threshold is set for each acquisition item, and abnormality is found by monitoring the relation between the acquired data and the normal threshold. For example, the normal threshold of CPU utilization is set to 80%, the normal threshold of memory utilization is set to 65%, and the normal threshold of the number of TCP FIN_WAIT2 states in the network status information is set to 30; when the value of the collected data exceeds its threshold, the collected data are determined to be abnormal, and the collection item corresponding to the collected data is an abnormal collection item.
Collected-data change gradient monitoring method: the change gradient of the collected data is calculated to find abnormality. For example, CPU utilization is acquired once every 5 seconds and the last 10 acquired values are 30%, 35%, 32%, 29%, 36%, 39%, 36%, 34%, 80% and 82%; the 9th value shows an abrupt change, so the acquired data are determined to be abnormal and CPU utilization is an abnormal acquisition item.
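The two judging methods above, worked through on the description's own values, as an added example (not code from the patent). The thresholds (CPU 80%, memory 65%, TCP FIN_WAIT2 count 30) and the ten CPU samples are taken from the text; the concrete gradient rule used here, flagging a sample that differs from the previous one by more than `JUMP_LIMIT` percentage points, is an assumption, since the description only says that the change gradient is calculated.

```python
"""Judging whether reported acquisition data are abnormal (step 101).

Added example, not code from the patent. The normal thresholds (CPU 80 %,
memory 65 %, TCP FIN_WAIT2 count 30) and the ten CPU samples are the values
from the description; the gradient rule (a sample is abnormal when it differs
from the previous sample by more than JUMP_LIMIT percentage points) is an
assumption, since the description only says the change gradient is calculated.
"""
from collections import defaultdict, deque

# Normal thresholds per acquisition item (values from the description).
NORMAL_THRESHOLDS = {
    "cpu_utilization": 80.0,
    "memory_utilization": 65.0,
    "tcp_fin_wait2_count": 30.0,
}

JUMP_LIMIT = 20.0   # assumed: change between consecutive samples that counts as abnormal
WINDOW = 10         # samples retained per (agent, item); the description looks at the last 10


def threshold_check(report, thresholds=NORMAL_THRESHOLDS):
    """Threshold method: return the acquisition items whose value exceeds the normal threshold."""
    return sorted(item for item, value in report.items()
                  if item in thresholds and value > thresholds[item])


def first_abnormal_index(series, jump_limit=JUMP_LIMIT):
    """Gradient method over a whole series: 1-based index of the first sample whose
    change from the previous sample exceeds jump_limit, or None if the series is smooth."""
    for idx in range(1, len(series)):
        if abs(series[idx] - series[idx - 1]) > jump_limit:
            return idx + 1
    return None


class AnomalyJudge:
    """Acquisition management center side: keeps a sliding window per (agent, item)
    and applies both judging methods to every report as it arrives."""

    def __init__(self, thresholds=NORMAL_THRESHOLDS, jump_limit=JUMP_LIMIT, window=WINDOW):
        self.thresholds = thresholds
        self.jump_limit = jump_limit
        self.history = defaultdict(lambda: deque(maxlen=window))

    def ingest(self, agent_id, report):
        """Record one report {item: value}; return the abnormal items it reveals (sorted)."""
        abnormal = set(threshold_check(report, self.thresholds))
        for item, value in report.items():
            series = self.history[(agent_id, item)]
            series.append(value)
            # Only the newest step is tested here, so one jump is reported once.
            if len(series) >= 2 and abs(series[-1] - series[-2]) > self.jump_limit:
                abnormal.add(item)
        return sorted(abnormal)


# Constructed sample: the CPU series from the description (one sample every 5 s),
# reported by a single agent together with a steady memory value.
CPU_SERIES = [30, 35, 32, 29, 36, 39, 36, 34, 80, 82]


def demo():
    """Feed the series report by report; return {sample number: abnormal items}."""
    judge = AnomalyJudge()
    abnormal_at = {}
    for n, cpu in enumerate(CPU_SERIES, start=1):
        found = judge.ingest("agent-a", {"cpu_utilization": cpu, "memory_utilization": 40})
        if found:
            abnormal_at[n] = found
    return abnormal_at


if __name__ == "__main__":
    print(demo())   # sample 9 by the gradient method, sample 10 by the threshold method
```

Running `demo()` flags sample 9 through the gradient method (34% to 80% in one interval) and sample 10 through the threshold method (82% exceeds 80%); the value 80% itself is not above the threshold, which is exactly why the gradient method is useful as a second check.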
Then, whether to continue with the subsequent operations is decided according to whether the collected data are abnormal. Specifically, if the acquired data are abnormal, the acquisition agent set to be activated in the target network, and the acquisition items, acquisition frequency and acquisition priority of the acquisition agents in the acquisition agent set, are determined according to the acquisition items corresponding to the abnormal acquired data and a pre-stored information base.
It should be noted that the information base includes an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base. The acquisition agent information sub-base stores the basic attributes, acquisition capacity, working configuration information, deployment information and running state of each acquisition agent; the acquisition object information sub-base stores the basic information of the acquisition objects; the threat characteristic information sub-base stores, for each type of threat that the target network may be subjected to, the threat type and the data collection items whose data are required to analyze that type of threat.
Further, the acquisition agent set that needs to be activated in the target network, and the acquisition items, acquisition frequency and acquisition priority of the acquisition agents in that set, are determined according to the acquisition items corresponding to the abnormal acquired data and the pre-stored information base. The acquisition frequency of an acquisition agent is the number of times per second that the agent acquires running state data. The acquisition priority of an acquisition agent is the priority of the current acquisition; the acquisition agent uses it to detect and resolve conflicts with its existing acquisition strategy: if a conflict concerning acquisition items and/or acquisition frequency exists, it is resolved according to the priority relation.
For step 102, an acquisition strategy in the target network is generated based on the acquisition agent set and any one or more of acquisition items, acquisition frequencies and acquisition priorities of the acquisition agents in the acquisition agent set. Specifically, the collection agent may be associated with its own collection item, collection frequency, and collection priority to generate a corresponding collection policy, and then each collection policy in the collection agent set is encapsulated to generate a collection policy in the target network.
According to the method provided by the embodiment of the invention, the collected data reported by the collection agent are judged for abnormality, and when the collected data are abnormal, a cooperative collection strategy aimed at the abnormal data is formulated according to the collection items corresponding to the abnormal collected data and the prestored information base, so that the collection agent can carry out differentiated data collection according to its collection capacity, the effectiveness of the collected data is ensured, the waste of resources such as computation, storage and bandwidth in the network is greatly reduced, and effective detection of network threats and efficient, focused security monitoring of the overall operation condition of the network are ensured at the same time.
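Steps 101 and 102 worked through end to end, as an added example that is not the patent's code: the three sub-bases, the selection of the agent set to activate from the threat characteristic entries matching the abnormal items, the per-agent items, frequency and priority, the priority-based resolution of conflicts with an agent's existing strategy, and the encapsulation of the per-agent strategies into one target-network strategy. The data model (the dataclasses), the per-threat `frequency_hz` and `priority` fields, the choice of the highest matched frequency and priority, and the rule that an equal priority lets the new strategy win are all assumptions; the sample information base is constructed.

```python
"""Generating a cooperative acquisition strategy from abnormal acquisition items.

Added example, not the patent's code. The information base layout, the
per-threat frequency/priority fields and the tie-breaking rule are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AgentPolicy:
    items: frozenset           # acquisition items the agent must collect
    frequency_hz: float        # acquisitions per second
    priority: int              # higher priority wins a conflict


@dataclass
class AgentRecord:             # entry of the acquisition agent information sub-base
    agent_id: str
    object_id: str             # acquisition object the agent is deployed on
    capability: frozenset      # items the agent is able to collect
    current: Optional[AgentPolicy] = None   # strategy the agent is executing now


@dataclass(frozen=True)
class ThreatFeature:           # entry of the threat characteristic information sub-base
    threat_type: str
    required_items: frozenset  # items whose data are needed to analyze this threat
    frequency_hz: float        # assumed field
    priority: int              # assumed field


@dataclass
class InformationBase:
    agents: dict               # agent_id -> AgentRecord
    objects: dict              # object_id -> object type (acquisition object sub-base)
    threats: list              # ThreatFeature entries


def match_threats(abnormal_items, base):
    """Threat types whose required items include at least one abnormal item."""
    return [t for t in base.threats if t.required_items & abnormal_items]


def resolve_conflict(existing, proposed):
    """Conflict = the agent already runs a strategy with different items and/or
    frequency. The higher-priority strategy is kept; on a tie the new one wins (assumed)."""
    if existing is None:
        return proposed
    conflict = existing.items != proposed.items or existing.frequency_hz != proposed.frequency_hz
    if conflict and existing.priority > proposed.priority:
        return existing
    return proposed


def generate_strategy(abnormal_items, base):
    """Step 101: return {agent_id: AgentPolicy} for the agent set to activate."""
    threats = match_threats(frozenset(abnormal_items), base)
    if not threats:
        return {}
    required = frozenset().union(*(t.required_items for t in threats))
    frequency = max(t.frequency_hz for t in threats)   # assumed: most demanding threat wins
    priority = max(t.priority for t in threats)
    strategy = {}
    for agent in base.agents.values():
        items = agent.capability & required
        if not items:              # agent cannot contribute to this analysis: stays inactive
            continue
        proposed = AgentPolicy(items, frequency, priority)
        strategy[agent.agent_id] = resolve_conflict(agent.current, proposed)
    return strategy


def encapsulate(strategy, target_network):
    """Step 102: package the per-agent strategies as one target-network strategy."""
    return {
        "target_network": target_network,
        "policies": [
            {"agent_id": aid, "items": sorted(p.items),
             "frequency_hz": p.frequency_hz, "priority": p.priority}
            for aid, p in sorted(strategy.items())
        ],
    }


# Constructed sample information base (not from the patent).
SAMPLE_BASE = InformationBase(
    agents={
        "a1": AgentRecord("a1", "gateway-1",
                          frozenset({"cpu_utilization", "memory_utilization",
                                     "net_rx_packets", "tcp_fin_wait2_count"}),
                          current=AgentPolicy(frozenset({"cpu_utilization"}), 0.2, 9)),
        "a2": AgentRecord("a2", "gateway-1", frozenset({"connection_count", "link_bandwidth"})),
        "a3": AgentRecord("a3", "sat-terminal-1",
                          frozenset({"cpu_utilization", "memory_utilization"}),
                          current=AgentPolicy(frozenset({"cpu_utilization"}), 0.5, 3)),
        "a4": AgentRecord("a4", "sat-terminal-1", frozenset({"battery_temperature"})),
    },
    objects={"gateway-1": "IoT security access gateway", "sat-terminal-1": "satellite terminal"},
    threats=[
        ThreatFeature("resource_exhaustion",
                      frozenset({"cpu_utilization", "memory_utilization",
                                 "tcp_fin_wait2_count", "connection_count"}), 1.0, 5),
        ThreatFeature("link_flood", frozenset({"net_rx_packets", "link_bandwidth"}), 2.0, 7),
    ],
)

if __name__ == "__main__":
    import json
    print(json.dumps(encapsulate(generate_strategy({"cpu_utilization"}, SAMPLE_BASE), "net-A"), indent=2))
```

With `cpu_utilization` abnormal, only `resource_exhaustion` matches, so `a1`, `a2` and `a3` are activated with the items they can actually collect, while `a4` stays inactive; `a1` keeps its existing higher-priority strategy (a conflict resolved in favour of the running strategy), whereas `a3`'s lower-priority strategy is replaced.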
On the basis of the above embodiments, the present invention specifically describes the process of creating the information base. That is, before step 101 (determining, if the acquired data reported by the acquisition agents in the target network are judged to be abnormal, the acquisition agent set to be activated in the target network and the acquisition items, acquisition frequency and acquisition priority of the acquisition agents in that set according to the acquisition items corresponding to the abnormal acquired data and a pre-stored information base), the method further includes:
Step 001, storing the basic attributes, acquisition capacity, working configuration information, deployment information and running state of the acquisition agents in the target network to create an acquisition agent information sub-base; storing the basic information of the acquisition objects in the target network to create an acquisition object information sub-base; and storing, in associated form, the threat type of each type of threat the target network may suffer together with its associated collection items, to create a threat characteristic information sub-base. The acquisition agent information sub-base, the acquisition object information sub-base and the threat characteristic information sub-base together form the information base.
Note that the information library is stored in the acquisition management center in advance. The information base comprises an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base. The collection agent information sub-library stores basic attributes, collection capacity, working configuration information, deployment information and running state of collection agents. The collection object information sub-library stores collection object basic information. The threat characteristic information sub-repository stores threat characteristic information.
The following describes the creation of the collection agent information sub-base. Specifically, the creating of the collection agent information sub-library includes two ways of manual creation and automatic creation:
the manual creation means that when the acquisition agent accesses the network, any one or more of basic attributes, acquisition capacity, working configuration information and deployment information of the acquisition agent are stored in an acquisition management center in a manual entry mode. The manual entry mode includes but is not limited to: manual entry, optical disc import and two-dimensional code scanning entry.
The automatic creation means that any one or more of basic attributes, collection capability, work configuration information, deployment information and operation state of the collection agent stored in the collection agent are automatically read and stored in the collection management center. The automatic creation includes two ways of active creation and passive creation. The active creation means that the acquisition management center actively inquires and obtains any one or more of basic attributes, acquisition capability, work configuration information, deployment information and operation state information of the acquisition agents stored in the acquisition agents. Passive creation refers to the collection agent actively sending collection agent information (including, but not limited to, any one or more of the collection agent's basic attributes, collection capabilities, operational configuration information, deployment information, and operational status information) to the collection management center, either on a periodic or non-periodic basis.
The following describes the contents stored in the collection agent information sub-library:
The collection agent information stored in the collection agent information sub-base includes, but is not limited to, any one or more of: basic attributes, collection capabilities, working configuration information, deployment information and operating state information. The basic attributes of a collection agent include, but are not limited to, the supported hardware object types and supported operating system types, and optionally further include, but are not limited to, the agent name, agent abbreviation, manufacturer model number and agent version number. Collection agents are divided into two types, collectors and collection components. Optionally, if the collection agent is a collector, the basic attributes further include, but are not limited to, delivery time, hardware module description and contact information; if the collection agent is a collection component, the basic attributes further include, but are not limited to, the version update time of the collection component. The hardware module description includes, but is not limited to: CPU model, memory size, MAC address, module name, hardware module manufacturer, radio firmware version number, machine model number, hardware vendor version, hardware vendor name and hardware vendor code.
The collection capability of a collection agent describes which data items the agent is able to collect. It can be described in terms of the physical layer, network layer, kernel layer, application layer and so on, and its entry format includes, but is not limited to, JSON, XML and XLSX. In a large-scale heterogeneous internet in particular, the types and functions of devices and systems vary widely, the collection capabilities of collection agents deployed on different types of devices and systems differ greatly, and there is currently no scheme for describing these different collection capabilities uniformly, so the requirement of unified management of information collection across the whole network environment is difficult to meet. The embodiment of the invention provides a universal unified description language for collection capability: collection agents are profiled by abstracting the elements common to different collection agents, and the information collected from different collection objects is layered and classified by semantics, so that a semantically normalized description of collection capability is achieved. This realizes a differentiated capability description for any collection agent in hardware or software form, and provides the basis for unified management of collection agents, such as dynamic strategy adjustment and cooperative collection, when dealing with different types of threats, different types of collection objects and different running states.
The acquisition capabilities of the acquisition agent at the physical layer include, but are not limited to, the following:
the system comprises hardware equipment invariable information acquisition capacity, hardware module invariable information acquisition capacity, hardware equipment variable information acquisition capacity and hardware module variable information acquisition capacity. The hardware device non-variable information acquisition capability includes but is not limited to: in addition to the hardware device ID, the hardware device name, the hardware device manufacturer name, the hardware device vendor name, the hardware device model number, the hardware device version number, and the hardware device type, for each type of hardware device, information matching the type needs to be collected, for example, in a world-wide integrated network, optional collection items thereof include but are not limited to: satellite number, satellite type, satellite hardware module, number of satellite ports, satellite coverage (including, but not limited to, satellite application range start longitude, satellite application range end longitude, satellite application range start latitude, and satellite application range end latitude). Optional acquisition items for the internet of things device include, but are not limited to: electromagnetic coupling, electromagnetic echo, electromagnetic scattering, signal fading, multipath effects, signal scattering, signal frequency shifting. For mobile phones, the acquisition items include but are not limited to: mobile phone model version, IMEI.
Hardware module invariable information acquisition capability includes but is not limited to: hardware module ID, hardware module type, hardware module manufacturer, hardware module model and hardware module version number. Specific acquisition information needs to be set for each type of hardware module. For example, for a CPU the main frequency, external (bus) frequency, frequency multiplier, interface and cache can optionally be acquired; for a network card the bandwidth and interface type; for a storage device the storage capacity and medium type; for a sensor device the sensor power, supported data acquisition types and data acquisition ranges; and for a battery the battery classification, battery capacity, energy density, current, open-circuit voltage, memory effect and self-discharge rate.
The hardware device variable information acquisition capability differs according to the type of acquisition object. In a space-ground integrated network, the acquisition items include but are not limited to satellite orbit data, which in turn includes but is not limited to: the semi-major axis, eccentricity, inclination, true anomaly, argument of perigee and right ascension of the ascending node of the satellite orbit.
The hardware module variable information acquisition capability differs depending on the type of module. For batteries, acquisition items include but are not limited to: remaining capacity, state of charge, battery temperature, battery voltage and battery health information; for the CPU, the collection items include but are not limited to: percentage of CPU occupied by the operating system, percentage of CPU occupied by application programs, and CPU temperature.
The acquisition capabilities of the acquisition agent at the network layer include, but are not limited to, the following:
Network traffic information, such as raw network traffic and application-layer payload information obtained by deep packet inspection.
Network connection information, such as local port, local address, remote port, remote address, inode number, connection type, connection status, transmit queue, receive queue, etc.
Network interface configuration information, such as network card name, network type, hardware address, network mask, broadcast address, maximum transmission unit, distance, hop count, network card description information, etc.
Network interface status information, such as network card name, source/destination address, wireless transmit/receive signal strength (transmission rate, bandwidth), access point, access beam, frequency point, number of received packets, number of received bytes, number of received erroneous packets, number of dropped packets, FIFO buffer errors, number of frame errors, number of transmitted packets, number of transmitted bytes, number of transmitted erroneous packets, whether the network is available, whether WiFi is available, WiFi SSID, WiFi BSSID, connection speed, etc.
Communication protocols, such as 2G, 3G, 4G, WiFi/WiMAX, etc.
Network routing information, such as destination address, gateway, mask, number of lookups, distance, hop count, maximum transfer unit, window value, RTT value, network interface name, etc.
The network status information includes, for example, the number of TCP connections in each of the ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT1, FIN_WAIT2, TIME_WAIT, CLOSED, CLOSE_WAIT, LAST_ACK, LISTEN, CLOSING and IDLE states, the number of inbound TCP connections, the number of outbound TCP connections, and the like.
TCP connection information, e.g., number of TCP connections actively established, number of TCP connections passively established, number of failed attempts to establish a connection, number of reset connections, number of current connections, TCP segments entering the entity, TCP segments leaving the entity, number of retransmissions, number of reception errors, number of transmission retransmissions, etc.
Link state information such as link start, link end, link bandwidth, link utilization, link connectivity, link propagation delay, link retention time, etc.
Other acquisition capabilities vary depending on the type of device; for example, in a space-ground integrated network, acquisition items include but are not limited to: the number of satellite node ports, satellite node port information and management domain satellite node information.
The satellite node port information includes, for example, a satellite node port index, a satellite node port type, a maximum rate of the satellite node port, an antenna corresponding to the satellite node port, a number of bytes received by the satellite node port, a number of bytes sent by the satellite node port, a number of input bytes discarded by the satellite node port, a number of output bytes discarded by the satellite node port, and the like.
The management domain satellite node information includes, for example, a management domain satellite node number, a management domain satellite node index, a management domain link type, and the like.
The acquisition capabilities of the acquisition agent at the kernel layer include, but are not limited to, the following:
operating system layer acquisition capability and file system layer acquisition capability. Operating system layer acquisition items include, but are not limited to: operating system name, operating system version number, system supplier, patch upgrade time, patch number, number of system users, current number of system processes, system log, power-on time, process information and statistical information. The process information acquisition items include but are not limited to: process ID, process name, process state, parent process ID, process priority, process nice value, process CPU utilization, number of threads under the process, total number of file descriptors, process executable directory, process current working directory, process root directory, user ID, user group ID, effective user group ID, user name, user group name, resident memory size, process start time and CPU share. The statistical information collection items include but are not limited to: total number of processes, number of sleeping processes, number of running processes, number of zombie processes, number of stopped processes, number of idle processes and total number of threads. Other acquisition items differ depending on the operating system type; for example, for the Android system, acquisition items include but are not limited to: the Android revision version list, Android system code name, Android system version, device driver name, device board name, device bootloader version number, whether the Android system is out of service, Android device host address, Android build time, the system version string, the current system development code name, the system source code control value and the API level of the device's system.
Collection items at the file system level include, but are not limited to: file system name, file system device name, file system size, proportion of the file system used, number of inodes, number of available inodes, static file system information (hard disk device name, path, total space) and dynamic file system information (used space, available space, percentage used).
The acquisition capabilities of the acquisition agent at the application layer include, but are not limited to, the following: database information, application software information, OA system information, Mail systems, document flow systems, and various application service logs such as Mail service log, FTP service log, MySQL log, SSH log, HTTP log, Web log, DNS log.
The acquisition capability at the application layer differs according to the application field of the acquisition agent. In a space-ground integrated network, the acquisition agent can additionally acquire information on abnormal network access by satellite terminals, abnormal use of cryptographic resources, and feedback on the effect of linkage control. In an e-credential service system, the collection agent can additionally collect e-credential abnormal behaviour information, including but not limited to: issuance over limit or outside the permitted category, duplicate or false invoice reimbursement, false system connections, and multiple password attempts. In a private network, the collection agent can additionally collect illegal file operations, illegal circulation, illegal release, abnormal communication, illegal storage, illegal medium access operations and the audit logs of equipment and systems in an office system; on user terminals it can also collect log information, administrator audit logs and the like.
The working configuration information of the acquisition agent is the set of configuration required for the acquisition agent to be uniformly managed by, and to perform basic operation and maintenance under, the acquisition management center. The working configuration information includes, but is not limited to: configuration ID, configurator ID, configuration time, configuration validity period, and a list of configuration parameter names and parameter values. The configuration parameter names include, but are not limited to: collection agent IP address, communication port, digital certificate, and allowed configurators. The collection agent IP address and communication port are used for communicating with the collection management center; the digital certificate is the identity of the acquisition agent and supports the confidentiality and integrity of communication with the acquisition management center; the allowed configurators are used to verify the legitimacy of acquisition agent configuration and acquisition strategy configuration, preventing unauthorized users from configuring the acquisition agent and improving the security of acquisition agent management.
The deployment information of the acquisition agents describes the correspondence between acquisition agents and acquisition objects; each acquisition object can be provided with at least one acquisition agent. Deployment information includes, but is not limited to: acquisition object ID, deployment mode and acquisition object type, and optionally, but not limited to: the acquisition object operating system, logical position, physical position and constraints for executing collection. The acquisition object ID is unique across the whole network. The deployment modes include an embedded deployment mode and a bypass deployment mode: in the embedded mode the acquisition agent is connected in series into the network or embedded into the hardware equipment to perform acquisition (for example, an acquisition device in the form of a PCIe board embedded into a security gateway); in the bypass mode the acquisition agent hangs outside the security equipment/system and performs acquisition by means such as mirrored traffic. Acquisition object types include, but are not limited to: access gateway, interconnection gateway, firewall, IDS, IPS, server and terminal. The acquisition object operating system is the operating system type of the equipment/system to be acquired and needs to match a supported operating system type in the basic attributes of the acquisition agent. The logical position includes, but is not limited to: organizational structure, topology, object type, security level and management responsibility. The physical position includes, but is not limited to, one or more of network access identifier and longitude/latitude. Constraints for executing collection include, but are not limited to, one or more of acquisition agent resource constraints and time constraints, for example that the CPU utilization is below 90% and the time is between 8:00 and 17:00.
The operating state of the collection agent includes, but is not limited to: basic operating state and load size. The acquisition agent may report its operating state actively at regular intervals, or the acquisition management center may initiate an operating state request to the acquisition agent when it receives a threat early warning or detects a system abnormality; the specific triggering manner is not limited in the embodiments of the present invention. The basic operating states include, but are not limited to: closed, silent, abnormal and normal. The collection agent is preset to the silent state on initialization, that is, the agent is started but is not executing any collection task. The load size includes but is not limited to: CPU, storage and network bandwidth. The load size is one of the factors considered in generating and adjusting the acquisition strategy: whether the acquisition agent is running abnormally or is overloaded is judged from the load size, and if so, the acquisition items are reduced, the acquisition frequency is lowered, and the condition is reported to the acquisition management center. Through the load size, the acquisition strategy adapts to the operating state of the acquisition agent and to the network environment, reducing the computing, storage and network resources consumed by acquisition.
The acquisition items are matched to the acquisition capability of the acquisition agent, that is, the acquisition agent can only acquire items within its own acquisition capability set. Optionally, the acquisition agent is set at initialization to full acquisition at a uniform frequency, which serves as the data basis for subsequent threat analysis and discovery of system abnormalities.
The following describes contents stored in the acquisition object information sub library:
the sub-library of the collected object information stores basic information of the collected object and running state information, the basic information of the collected object refers to basic information required for describing equipment to be collected, and the basic information of the collected object includes but is not limited to: asset value, device type, device ID, device name (official name), device abbreviation (administrator assigned management name), vendor, device model, device factory time, device hardware module description (including but not limited to CPU model, memory size, MAC address, radio firmware version number, machine model, hardware vendor version, hardware vendor name, hardware vendor code, etc.), contact information. The acquisition object operating state information refers to information acquired by the acquisition agent and related to the operating state of the acquisition object, and includes but is not limited to: the CPU percentage occupied by the operating system, the CPU percentage occupied by the application program, the CPU temperature, the memory utilization rate, the disk utilization rate and the network state information.
The contents stored in the threat characteristic information sub-library are described as follows:
the threat characteristic information sub-repository stores threat types and associated acquisition terms for each type of threat suffered by the target network. For example, the threat type of a threat is a denial of service attack, and the associated collection items of the threat are CPU usage, memory usage, number of packets received by the network interface, available link bandwidth, connection duration, protocol type, target host network service type, connection normal or error status, number of data bytes from the source host to the target host, number of data bytes from the target host to the source host, number of error segments, and number of urgent packets.
Further, the present invention explains a process of creating the threat characteristic information sub-library in the above embodiment. That is, the threat types and associated collection items of each type of threat suffered by the target network are stored in association to create a threat characteristic information sub-library, further comprising:
The acquisition items associated with a threat are determined from a threat of known type that has occurred in the target network, by comparing the acquired data before and after the threat occurred. Threat types include, but are not limited to: denial of service attack, illegal access, traffic anomaly, FTP trojan, or the Blaster ("Shockwave") worm.
Specifically, taking the threat of denial of service attack as an example of the type of threat occurring in the target network, a description is given to a process of determining a collection item associated with the threat according to two collection data sets:
First, the acquisition data corresponding to the acquisition items of the acquisition agents are obtained from before the denial of service attack occurred in the target network, forming a first acquisition data set.
Then, the acquisition data corresponding to the acquisition items of the acquisition agents in the target network are obtained from after the denial of service attack occurred, forming a second acquisition data set.
Next, each acquired datum of the first acquisition data set is compared with the corresponding acquired datum in the second acquisition data set; the acquired data in the second set that show no obvious change before and after the threat are eliminated, and the remaining acquired data are combined into a candidate acquisition data set.
For example, the first collection data set is {CPU utilization 70%, memory utilization 60%, network interface received packets 1300, connection duration 3 s} and the second collection data set is {CPU utilization 90%, memory utilization 90%, network interface received packets 500, connection duration 3 s}. CPU utilization 70% is compared with CPU utilization 90%, memory utilization 60% with memory utilization 90%, network interface received packets 1300 with 500, and connection duration 3 s with 3 s. Therefore, in the second collected data set, the collected datum that is unchanged before and after the threat (connection duration 3 s) is removed, and the remaining collected data (CPU utilization 90%, memory utilization 90% and network interface received packets 500) are combined into the candidate collected data set. It should be noted that "no obvious change" in the embodiment of the present invention may mean no change at all, or a change within a preset interval, where the preset interval may be set according to the actual application scenario; the embodiment of the present invention does not specifically limit this.
Finally, based on principal component analysis, the first K acquisition items with the highest relevance to the threat are found in the candidate acquisition data set (CPU utilization 90%, memory utilization 90% and network interface received packets 500) and taken as the acquisition items associated with the threat. K may be set according to the actual application scenario and is not specifically limited in the embodiment of the present invention. For example, with K = 2, if principal component analysis determines that the two acquisition items most relevant to the threat are CPU utilization and memory utilization, then CPU utilization and memory utilization are taken as the acquisition items associated with the threat.
The threat type of the threat and the collection items associated with the threat are then stored in association, creating the threat type-collection item information in the threat characteristic information sub-library.
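The procedure above, carried through in code as an added example that is not part of the patent: the before/after comparison keeps the items whose mean changes by more than a tolerance (the "preset interval"), and the survivors are ranked by the absolute loading on the first principal component of the standardized before-plus-after readings, computed by power iteration on the correlation matrix. The sample readings, the 5% tolerance, the use of several readings per set rather than one, and the choice of PC1 loading as the relevance score are all assumptions; the patent fixes none of them.

```python
"""Derive the collection items associated with a threat from before/after
collection data sets: drop items with no obvious change, then rank the rest
with a minimal PCA (power iteration on the correlation matrix) and keep the
top K.  Standard library only; all readings are constructed sample data."""
import math

# Constructed sample: six readings of each collection item before the denial
# of service attack and six after it (assumption: several readings per set).
ITEMS = ["cpu_util", "mem_util", "rx_packets", "conn_duration"]
BEFORE = [
    (68, 58, 1600, 3.0), (72, 62, 1000, 3.1), (70, 60, 1800, 2.9),
    (69, 61,  800, 3.0), (71, 59, 1400, 3.0), (70, 60, 1200, 3.0),
]
AFTER = [
    (88, 88, 200, 3.0), (92, 92, 800, 3.1), (90, 90, 400, 2.9),
    (89, 91, 600, 3.0), (91, 89, 100, 3.0), (90, 90, 900, 3.0),
]


def column_means(rows):
    n = len(rows)
    return [sum(r[j] for r in rows) / n for j in range(len(rows[0]))]


def candidate_items(items, before, after, tolerance=0.05):
    """Step 1: keep the column indices whose mean moves by more than
    `tolerance` (relative); a move within it counts as 'no obvious change'."""
    mb, ma = column_means(before), column_means(after)
    keep = []
    for j, _name in enumerate(items):
        base = abs(mb[j]) if mb[j] != 0 else 1.0
        if abs(ma[j] - mb[j]) / base > tolerance:
            keep.append(j)
    return keep


def standardize(rows, cols):
    """Z-score the selected columns over all rows (before and after together)."""
    n = len(rows)
    stats = []
    for j in cols:
        vals = [r[j] for r in rows]
        mean = sum(vals) / n
        sd = math.sqrt(sum((v - mean) ** 2 for v in vals) / n) or 1.0  # guard constant columns
        stats.append((mean, sd))
    return [[(r[j] - m) / sd for j, (m, sd) in zip(cols, stats)] for r in rows]


def first_principal_component(z, iterations=200):
    """Loadings of PC1: power iteration on the correlation matrix of z."""
    n, p = len(z), len(z[0])
    corr = [[sum(row[a] * row[b] for row in z) / n for b in range(p)] for a in range(p)]
    v = [1.0 + 0.1 * i for i in range(p)]  # deterministic, non-degenerate start
    for _ in range(iterations):
        w = [sum(corr[a][b] * v[b] for b in range(p)) for a in range(p)]
        norm = math.sqrt(sum(x * x for x in w)) or 1.0
        v = [x / norm for x in w]
    return v


def associated_items(items, before, after, k=2, tolerance=0.05):
    """Steps 1 and 2 together: the K items most relevant to the threat."""
    cols = candidate_items(items, before, after, tolerance)
    if not cols:
        return []
    loadings = first_principal_component(standardize(before + after, cols))
    ranked = sorted(zip(cols, loadings), key=lambda t: abs(t[1]), reverse=True)
    return [items[j] for j, _ in ranked[:k]]


def threat_record(threat_type, items, before, after, k=2):
    """Threat type -> associated collection items, as stored in the sub-library."""
    return {threat_type: associated_items(items, before, after, k)}


if __name__ == "__main__":
    print(threat_record("denial of service attack", ITEMS, BEFORE, AFTER))
```

With these readings the connection duration is filtered out, and CPU and memory utilization outrank received packets because the packet count is noisy within each set, so its standardized before/after shift is smaller. Running PCA on a single pair of readings, as in the prose example, is not meaningful; the sub-library should be built from several readings on each side of the threat.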
Specifically, the threat type-collected item information of the threat characteristic information sub-library may store a plurality of tables, where each table may be a corresponding relationship table of the threat type and the associated collected item, for example, table 1 is a corresponding relationship table of the threat type and the collected item, as shown in table 1, a first column is a threat type, and a second column is a collected item.
TABLE 1 corresponding relationship table of threat types and collection items
On the basis of the above embodiments, the embodiments of the present invention specifically describe the acquisition agent set that needs to be activated in the target network and the acquisition items of the acquisition agents in the acquisition agent set. Namely, according to the acquisition items corresponding to the abnormal acquisition data and the pre-stored information base, determining an acquisition agent set which needs to be activated in the target network and acquisition items of acquisition agents in the acquisition agent set, further comprising:
According to the acquisition items corresponding to the abnormal acquisition data, the threats associated with those acquisition items are looked up in the threat characteristic information sub-library, and the acquisition items associated with those threats are taken as the associated acquisition item set.
It is explained with table 1, for example, if the acquisition item corresponding to the abnormal acquisition data is the CPU utilization, then the threat associated with the CPU utilization is found in the threat characteristic information sub-library, and if the threat is a denial of service attack, then the acquisition item associated with the denial of service attack is taken as an associated acquisition item set, that is, the combination of the CPU utilization, the memory utilization, the number of packets received by the network interface, the available link bandwidth, the connection duration, the protocol type, the network service type of the target host, the normal or error state of the connection, the number of bytes of data from the source host to the target host, the number of bytes of data from the target host to the source host, the number of error segments, and the number of urgent packets is taken as an associated acquisition item set.
According to the acquisition object corresponding to the abnormal acquisition data, searching the acquisition object associated with the acquisition object in an acquisition object information sub-library, and taking the acquisition object and the associated acquisition object as an associated acquisition object set.
It should be noted that the acquisition management center may obtain the acquisition object corresponding to each acquired data, and if the acquisition item corresponding to the abnormal acquired data is the CPU utilization and the acquisition object corresponding to the abnormal acquired data is a, then the acquisition object associated with a is searched in the acquisition object information sub-library, and the acquisition objects associated with a and a are combined to serve as an associated acquisition object set.
The collection agent set that needs to be activated in the target network, and the collection items of the collection agents in that set, are then determined from the associated collection item set and the associated collection object set.
On the basis of the foregoing embodiments, the present invention specifically describes a process of searching for a collection object associated with a collection object, that is, according to a collection object corresponding to abnormal collection data, searching for the collection object associated with the collection object in a collection object information sub-library, and further includes:
The acquisition objects in the acquisition object information sub-library are profiled.
For example, if the acquisition object corresponding to the abnormal acquisition data is a, the basic information of a is searched in the acquisition object information sub-library, one or more kinds of the basic information are selected as the portrait attributes, and all the acquisition objects in the acquisition object information sub-library are portrait. The selectable basic information may be a device type, an operating system type, a vulnerability list, a device model number, and the like.
Other acquisition objects whose profile association with the acquisition object exceeds a preset threshold are obtained from the acquisition object information sub-library and taken as the acquisition objects associated with it.
Searching the portrait attribute of each acquisition object in the network in the acquisition object information sub-library, calculating the portrait of each object, calculating the similarity between the portrait of each acquisition object and the portrait of A by using a similarity calculation algorithm, selecting all acquisition objects with the similarity larger than a threshold value, and taking A and all acquisition objects with the similarity larger than the threshold value as an acquisition object set.
The similarity calculation algorithm includes, but is not limited to: cosine similarity calculation algorithm, euclidean distance calculation algorithm, pearson correlation calculation algorithm, spearman rank correlation calculation algorithm, Mean Squared Difference (MSD), Jaccard distance calculation algorithm, manhattan distance calculation algorithm, and minkowski distance calculation algorithm.
On the basis of the foregoing embodiments, determining, according to the associated collection item set and the associated collection object set, a collection agent set to be activated in the target network, and collection items of collection agents in the collection agent set, further includes:
According to the associated acquisition object set, the acquisition agents deployed on the acquisition objects in that set are looked up in the acquisition agent information sub-library and taken as a first acquisition agent set.
For example, if the collection of associated collection objects is { A, B }, then in the collection agent information sub-base, the collection agents deployed on A are found, and the collection agents deployed on B are found. If the collection agent deployed on A is a and the collection agent deployed on B is B, then { a, B } is taken as the first collection agent set.
The acquisition capability of each acquisition agent in the first acquisition agent set is looked up in the acquisition agent information sub-library.
Specifically, in the collection agent information sub-library, the collection capability of each collection agent in { a, b } is searched, that is, the collection capability of a is searched, and the collection capability of b is searched.
Within the first acquisition agent set, the acquisition agent set to be activated in the target network, and the acquisition items of the acquisition agents in that set, are determined from the acquisition capability of each acquisition agent and the associated acquisition item set.
Specifically, in the first collection agent set { a, b }, a collection agent set to be activated in the target network and collection items of collection agents in the collection agent set are determined according to the collection capacity of a, the collection capacity of b and the associated collection item set.
On the basis of the foregoing embodiments, in the first collection agent set, according to the collection capability of the collection agent and the associated collection item set, determining a collection agent set to be activated in the target network and a collection item of the collection agent in the collection agent set, further including:
For any acquisition agent in the first acquisition agent set, the acquisition capability of the agent is intersected or fuzzily matched with the associated acquisition item set, and whether the agent needs to be activated is determined from the result of the intersection or fuzzy matching.
Fuzzy matching means: if the collection agent lacks the ability to collect some target collection item (say, item A) but is able to collect other items A1, …, An from which an approximation of A can be inferred, then A1, …, An are collected in order to obtain the data.
Specifically, a in the first collection agent set { a, b } is taken as an example, the collection capacity of a and the associated collection item set are intersected, and if the intersection is not an empty set, a is determined to be a collection agent to be activated.
The collection agents to be activated in the first collection agent set form the collection agent set to be activated, and for each collection agent in that set the intersection or fuzzy matching result is taken as its collection items.
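The strategy generation steps above (threat lookup, object profiling, agent lookup, intersection with fuzzy matching), carried through end to end as an added example; this is not the patent's code. The three sub-libraries are constructed in-line as dictionaries, the profile similarity is Jaccard similarity over attribute=value tokens with a threshold of 0.5 (the patent lists several candidate algorithms and fixes neither the algorithm nor the threshold), and the table of items that can be approximated from other items is an assumption used to illustrate fuzzy matching.

```python
"""Generate the collection agents to activate and their collection items from
one abnormal collection datum.  All sub-library contents are constructed."""

# Threat characteristic information sub-library: threat type -> associated items.
THREAT_ITEMS = {
    "denial of service attack": [
        "CPU utilization", "memory utilization", "network interface received packets",
        "available link bandwidth", "connection duration", "protocol type",
    ],
    "illegal access": ["SSH log", "login failures", "process information"],
}

# Collection object information sub-library: object -> portrait attributes.
OBJECTS = {
    "A": {"type": "server", "os": "linux", "model": "m1", "vulns": {"V-1", "V-2"}},
    "B": {"type": "server", "os": "linux", "model": "m1", "vulns": {"V-1", "V-3"}},
    "C": {"type": "firewall", "os": "rtos", "model": "f9", "vulns": set()},
    "D": {"type": "server", "os": "windows", "model": "m2", "vulns": {"V-2"}},
}

# Collection agent information sub-library: agent -> (object it is deployed on, capability set).
AGENTS = {
    "a": ("A", {"CPU utilization", "memory utilization",
                "network interface received packets", "connection duration"}),
    "b": ("B", {"CPU utilization", "link bandwidth", "link utilization", "protocol type"}),
    "c": ("C", {"network interface received packets", "original network traffic"}),
    "d": ("D", {"SSH log"}),
}

# Fuzzy matching table (assumed): an item that cannot be collected directly
# can be approximated from the items listed, if the agent can collect all of them.
DERIVABLE = {
    "available link bandwidth": {"link bandwidth", "link utilization"},
}


def threats_for_item(item):
    return [t for t, items in THREAT_ITEMS.items() if item in items]


def associated_item_set(abnormal_item):
    """Union of the item sets of every threat the abnormal item points to."""
    items = set()
    for t in threats_for_item(abnormal_item):
        items.update(THREAT_ITEMS[t])
    return items


def portrait(obj):
    """Flatten portrait attributes into a set of attribute=value tokens."""
    tokens = {f"type={obj['type']}", f"os={obj['os']}", f"model={obj['model']}"}
    tokens.update(f"vuln={v}" for v in obj["vulns"])
    return tokens


def jaccard(s, t):
    return len(s & t) / len(s | t) if (s | t) else 0.0


def associated_object_set(obj_id, threshold=0.5):
    """The object itself plus every object whose profile similarity exceeds the threshold."""
    ref = portrait(OBJECTS[obj_id])
    return {o for o, attrs in OBJECTS.items()
            if o == obj_id or jaccard(ref, portrait(attrs)) > threshold}


def match_agent(capability, wanted):
    """Intersection plus fuzzy matching.  Returns the items the agent should
    collect; an empty set means the agent need not be activated."""
    plan = capability & wanted
    for item in wanted - capability:
        parts = DERIVABLE.get(item, set())
        if parts and parts <= capability:
            plan |= parts  # collect the parts and infer the missing item from them
    return plan


def activation_plan(abnormal_item, abnormal_object, threshold=0.5):
    """Agent -> sorted collection items, for the agents that must be activated."""
    wanted = associated_item_set(abnormal_item)
    objects = associated_object_set(abnormal_object, threshold)
    plan = {}
    for agent, (obj, capability) in AGENTS.items():
        if obj not in objects:
            continue
        items = match_agent(capability, wanted)
        if items:
            plan[agent] = sorted(items)
    return plan


if __name__ == "__main__":
    print(activation_plan("CPU utilization", "A"))
```

For an abnormal CPU utilization reading on object A, the plan activates agent a (direct intersection) and agent b, which cannot collect "available link bandwidth" itself but is told to collect link bandwidth and link utilization so the management center can infer it; agents on the dissimilar objects C and D stay silent.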
On the basis of the above embodiments, determining an acquisition agent set to be activated in the target network and an acquisition frequency of an acquisition agent in the acquisition agent set according to an acquisition item corresponding to the abnormal acquisition data and a pre-stored information base, further comprising:
determining an acquisition object in which the acquisition agent is deployed;
and determining the acquisition frequency of the acquisition agent according to any one or more of the asset value of the acquisition object, the operating state of the acquisition agent and the link state.
On the basis of the foregoing embodiments, determining the collection frequency of the collection agent according to any one or more of the asset value of the collection object, the operation state of the collection agent, and the link state, further includes:
searching the asset value of the acquisition object in an acquisition object information sub-base, and digitizing the asset value to obtain a digitized asset value;
searching the operation state of the acquisition object in an acquisition object information sub-base, and digitizing the operation state to obtain a digitized acquisition object operation state;
searching the operation state of the acquisition agent in an acquisition agent information sub-base, and digitizing the operation state to obtain a digitized acquisition agent operation state;
searching deployment information of the acquisition agent in an acquisition agent information sub-base;
acquiring a link state based on the current acquisition item and the deployment information of the acquisition object, and digitizing the link state to obtain a digitized link state;
and determining the acquisition frequency of the acquisition agent according to the digitalized asset value, the digitalized acquisition object running state, the digitalized acquisition agent running state and the digitalized link state.
The acquisition frequency adjustment algorithm is exemplified as follows. For an acquisition item, let the upper limit of the acquisition frequency be hfreq and the lower limit be lfreq. The acquisition frequency may be calculated as a weighted average: let av, cos, cas and ls respectively denote the digitized asset value, acquisition object state, acquisition agent state and link state, satisfying av ∈ [0,1], cos ∈ [0,1], cas ∈ [0,1], ls ∈ [0,1]; let w1, w2, w3 and w4 respectively denote the calculation weights of the asset value, acquisition object state, acquisition agent state and link state, satisfying w1 ≥ 0, w2 ≥ 0, w3 ≥ 0, w4 ≥ 0 and w1 + w2 + w3 + w4 = 1. The acquisition frequency is then freq = lfreq + (hfreq - lfreq) × (w1 × av + w2 × cos + w3 × cas + w4 × ls).
Specifically, the asset value of the collection object is stored in the collection object information sub-library, so that the corresponding asset value can be searched in that sub-library for each collection object in the collection object set. The asset value of the collection object identifies its importance, can be determined by an administrator according to the type of the system or equipment and the importance of the service it runs, and is stored in the collection management center. The purpose of digitization is to facilitate numerical calculation; for example, the asset value can be defined on [0,1], with more important assets yielding larger values.
The operation state of the acquisition object is stored in the acquisition object information sub-base. It can be calculated from the resource level (utilization) on the acquisition object; the overall resource level can be calculated in a weighted average or similar manner, and the resources include but are not limited to at least one of the following: CPU, disk and network bandwidth.
The collection agent information sub-base stores the running states of the collection agents, including basic running states, load sizes and the like, and the running states of the collection agents can be calculated in a weighted average mode.
The collection agent information sub-base also stores collection agent deployment information of the collection object, acquires the link state based on the collection agent deployment information and the current (real-time) collection items of the collection object, and digitalizes the link state. Real-time acquisition items include, but are not limited to: available link bandwidth, number of packets received by the network interface, link utilization, link connectivity, link propagation delay, and link retention time.
And comprehensively calculating the acquisition frequency of the acquisition items according to the threat level, the asset value of the digitized acquisition object, the digitized acquisition agent state and the digitized link state.
On the basis of the foregoing embodiments, determining the collection priority of the collection agent according to any one or more of the asset value of the collection object, the operation state of the collection agent, and the link state, further includes:
determining an acquisition object in which the acquisition agent is deployed;
searching the asset value of the acquisition object in an acquisition object information sub-base;
determining a collection priority for the collection agent based on the asset value.
Specifically, the embodiment of the present invention may calculate the acquisition policy execution priority according to a monotonically increasing function, that is, the higher the asset value is, the better the current operating state of the acquisition object is, the better the current operating state of the acquisition agent is, and the better the link state is, the higher the acquisition priority is.
On the basis of the foregoing embodiments, if it is determined that the acquired data reported by the acquisition agent in the target network is abnormal, determining, according to an acquisition item corresponding to the abnormal acquired data and a pre-stored information base, an acquisition agent set that needs to be activated in the target network, and an acquisition item, an acquisition frequency, and an acquisition priority of the acquisition agent in the acquisition agent set, the method further includes:
for a collection object in a target network, determining a collection agent deployed in the collection object according to any one or more of the type and the degree of importance of the collection object, and deploying the collection agent in the collection object.
Specifically, the collection agent is deployed on demand: the collection agent is deployed according to the collection requirement and the collection capability. When on-demand deployment occurs as the collection agent is initialized and connected to the network, targeted, optimized deployment is performed according to actual requirements such as host type, threat type and equipment importance. For example, for a gateway at a network boundary, which is prone to denial-of-service attacks, a collection agent with a matching hardware type, operating system and collection capability is deployed and mainly collects traffic; for a host in the internal network, which is prone to threats such as scanning, probing and illegal access, a collection agent with a matching software type, operating system and collection capability is deployed and focuses on collecting operating-system-layer and application-layer data.
The acquisition agent is deployed as required, and may also occur during the operation of the acquisition agent, and the acquisition management center determines the acquisition demand according to the received external threat early warning, or the sensed internal abnormal state, or the acquisition target formulated by the user.
And the fuzzy matching of the acquisition requirement and the acquisition capacity can obtain acquisition items which need to be further acquired on an acquisition agent and serve as a basis for dynamically expanding the acquisition capacity on line.
Expanding the acquisition capability online and on demand reduces the computing and memory resources occupied by the acquisition agent during initial operation, and is suitable for data acquisition under resource-limited conditions in large-scale heterogeneous network environments such as a world-wide integrated network.
On the basis of the above embodiments, generating an acquisition policy in a target network, and then further includes:
and distributing the acquisition strategy to the acquisition agents in the acquisition agent set to be activated according to the acquisition agent set to be activated contained in the acquisition strategy, so that the acquisition agents in the acquisition agent set to be activated execute the acquisition strategy to realize multipoint cooperative acquisition.
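The following is an added worked example, not code from the patent, that runs the steps described above end to end: look up the associated acquisition items and objects in the sub-bases, form the first agent set, activate agents by intersecting capability with the associated items, compute the frequency with the weighted-average formula, rank by a monotonically increasing priority, and package the result for distribution. The three sub-bases, the agent, object and threat names, the weights and the link states are all constructed sample data.

```python
from dataclasses import dataclass

# --- Constructed sample sub-bases (not taken from the patent) ---------------

# Threat characteristic sub-base: threat type -> acquisition items associated with it.
THREAT_INFO = {
    "dos_flood": {"link_bandwidth", "packets_in", "syn_rate"},
    "port_scan": {"packets_in", "conn_attempts", "auth_failures"},
}

# Acquisition object sub-base: object -> digitized asset value, digitized
# running state (both in [0,1]) and the objects its profile associates with.
OBJECT_INFO = {
    "gw1":   {"asset_value": 0.9, "state": 0.8, "assoc": {"host1"}},
    "host1": {"asset_value": 0.5, "state": 0.6, "assoc": set()},
    "host2": {"asset_value": 0.3, "state": 0.9, "assoc": set()},
}

# Acquisition agent sub-base: agent -> deployment object, acquisition
# capability (items it is able to collect) and digitized running state.
AGENT_INFO = {
    "agentA": {"object": "gw1",   "capability": {"link_bandwidth", "packets_in", "cpu"}, "state": 0.7},
    "agentB": {"object": "host1", "capability": {"conn_attempts", "auth_failures", "syn_rate"}, "state": 0.9},
    "agentC": {"object": "host2", "capability": {"packets_in"}, "state": 0.5},
}


@dataclass
class Strategy:
    """One per-agent acquisition strategy: agent, items, frequency, priority."""
    agent: str
    items: frozenset
    frequency: float
    priority: float


def _check_unit(name, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be digitized into [0,1], got {value}")


def associated_items(item):
    """Union of the items associated with every threat the abnormal item indicates."""
    items = set()
    for threat_items in THREAT_INFO.values():
        if item in threat_items:
            items |= threat_items
    return items


def associated_objects(obj):
    """The abnormal object plus the objects its profile associates with."""
    return {obj} | OBJECT_INFO[obj]["assoc"]


def collection_frequency(av, cos, cas, ls, weights, lfreq, hfreq):
    """freq = lfreq + (hfreq - lfreq) * (w1*av + w2*cos + w3*cas + w4*ls)."""
    for name, v in (("av", av), ("cos", cos), ("cas", cas), ("ls", ls)):
        _check_unit(name, v)
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    if lfreq > hfreq:
        raise ValueError("lfreq must not exceed hfreq")
    w1, w2, w3, w4 = weights
    return lfreq + (hfreq - lfreq) * (w1 * av + w2 * cos + w3 * cas + w4 * ls)


def collection_priority(av, cos, cas, ls):
    """Monotonically increasing in all four inputs; the plain mean is a constructed choice."""
    return (av + cos + cas + ls) / 4.0


def generate_strategy(abnormal_item, abnormal_object, link_states, weights, lfreq, hfreq):
    """Strategies for the agents to activate, highest priority first.

    link_states maps agent -> digitized link state (constructed input here)."""
    items = associated_items(abnormal_item)
    objects = associated_objects(abnormal_object)
    # First agent set: agents deployed on the associated objects.
    first_set = [a for a, info in AGENT_INFO.items() if info["object"] in objects]
    strategies = []
    for agent in first_set:
        info = AGENT_INFO[agent]
        # Intersection of capability and associated items decides activation.
        agent_items = info["capability"] & items
        if not agent_items:
            continue
        obj = OBJECT_INFO[info["object"]]
        av, cos, cas, ls = obj["asset_value"], obj["state"], info["state"], link_states[agent]
        strategies.append(Strategy(
            agent=agent,
            items=frozenset(agent_items),
            frequency=collection_frequency(av, cos, cas, ls, weights, lfreq, hfreq),
            priority=collection_priority(av, cos, cas, ls),
        ))
    # Package the per-agent strategies, ready for distribution.
    return sorted(strategies, key=lambda s: s.priority, reverse=True)


if __name__ == "__main__":
    links = {"agentA": 0.5, "agentB": 1.0, "agentC": 0.9}
    for s in generate_strategy("packets_in", "gw1", links, (0.4, 0.2, 0.2, 0.2), 1.0, 10.0):
        print(s)
```

With the sample data, an abnormal `packets_in` reading on `gw1` activates agentA (traffic items on the gateway) and agentB (access items on the associated host), while agentC on the unrelated host2 stays idle.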
Fig. 2 is a schematic structural diagram of an acquisition policy generation system based on acquired data exception according to an embodiment of the present invention, and as shown in fig. 2, the system includes:
the acquisition information determining module 201 is configured to determine, if it is determined that acquisition data reported by an acquisition agent in the target network is abnormal, an acquisition agent set to be activated in the target network, and the acquisition items, acquisition frequency and acquisition priority of the acquisition agents in the acquisition agent set, according to the acquisition item corresponding to the abnormal acquisition data and a pre-stored information base; the acquisition strategy generation module 202 is configured to generate an acquisition strategy in the target network based on the acquisition agent set and any one or more of the acquisition items, acquisition frequency and acquisition priority of the acquisition agents in the acquisition agent set; the information base comprises an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base.
The system provided in the embodiment of the present invention specifically executes the flows of the above-mentioned methods, and for details, the contents of the above-mentioned methods are referred to, and are not described herein again. According to the system provided by the embodiment of the invention, the abnormality of the collected data reported by the collection agent is judged, and when the collected data is abnormal, a cooperative collection strategy aiming at the abnormal data is formulated according to the collection item corresponding to the abnormal collected data and the prestored information base, so that the collection agent can carry out differentiated data collection according to the collection capacity, the effectiveness of the collected data is ensured, the waste rate of resources such as calculation, storage and bandwidth in a network is greatly reduced, and the effective detection of the network threat and the efficiency and key monitoring capacity of the safety monitoring of the whole operation condition of the network can be ensured at the same time.
Fig. 3 is a schematic entity structure diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 3, the electronic device may include: a processor 301, a communication interface 302, a memory 303 and a communication bus 304, wherein the processor 301, the communication interface 302 and the memory 303 communicate with each other through the communication bus 304. The processor 301 may invoke a computer program stored in the memory 303 and executable on the processor 301 to perform the methods provided by the various embodiments described above, including, for example: if the acquired data reported by the acquisition agents in the target network are judged to be abnormal, determining an acquisition agent set needing to be activated in the target network, and the acquisition items, the acquisition frequency and the acquisition priority of the acquisition agents in the acquisition agent set according to the acquisition items corresponding to the abnormal acquired data and a prestored information base; and generating an acquisition strategy in the target network based on the acquisition agent set and any one or more of acquisition items, acquisition frequencies and acquisition priorities of the acquisition agents in the acquisition agent set.
In addition, the logic instructions in the memory 303 may be implemented in the form of software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or make a contribution to the prior art, or may be implemented in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Embodiments of the present invention further provide a non-transitory computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, performs the method provided in the foregoing embodiments, and the method includes: if the acquired data reported by the acquisition agents in the target network are judged to be abnormal, determining an acquisition agent set needing to be activated in the target network, and the acquisition items, the acquisition frequency and the acquisition priority of the acquisition agents in the acquisition agent set according to the acquisition items corresponding to the abnormal acquired data and a prestored information base; and generating an acquisition strategy in the target network based on the acquisition agent set and any one or more of acquisition items, acquisition frequencies and acquisition priorities of the acquisition agents in the acquisition agent set.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (13)

1. A collection strategy generation method based on collected data abnormity is characterized by comprising the following steps:
if the acquired data reported by the acquisition agents in the target network are judged to be abnormal, determining an acquisition agent set needing to be activated in the target network, and the acquisition items, the acquisition frequency and the acquisition priority of the acquisition agents in the acquisition agent set according to the acquisition items corresponding to the abnormal acquired data and a prestored information base;
generating an acquisition strategy in the target network based on the acquisition agent set and any one or more of acquisition items, acquisition frequencies and acquisition priorities of the acquisition agents in the acquisition agent set;
the information base comprises an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base;
according to the acquisition items corresponding to the abnormal acquisition data and a pre-stored information base, determining an acquisition agent set which needs to be activated in the target network and acquisition items of acquisition agents in the acquisition agent set, further comprising:
according to an acquisition item corresponding to abnormal acquisition data, searching a threat associated with the acquisition item in a threat characteristic information sub-library, and taking the acquisition item associated with the threat as an associated acquisition item set;
according to an acquisition object corresponding to abnormal acquisition data, searching an acquisition object associated with the acquisition object in an acquisition object information sub-library, and taking the acquisition object and the associated acquisition object as an associated acquisition object set;
according to the associated collection item set and the associated collection object set, determining a collection agent set which needs to be activated in a target network and collection items of collection agents in the collection agent set;
wherein, according to the associated collection item set and the associated collection object set, a collection agent set to be activated in the target network and collection items of collection agents in the collection agent set are determined, and the method further comprises the following steps:
according to the associated collection object set, searching a collection agent deployed on a collection object in the associated collection object set in a collection agent information sub-library to serve as a first collection agent set;
searching the acquisition capacity of the acquisition agent in the first acquisition agent set in an acquisition agent information sub-base;
in the first collection agent set, according to the collection capability of a collection agent and the associated collection item set, determining a collection agent set to be activated in a target network and collection items of the collection agent in the collection agent set;
wherein, based on the collection agent set and any one or more of the collection items, collection frequency and collection priority of the collection agents in the collection agent set, the collection strategy in the target network is generated, further comprising:
and associating the acquisition agent with the acquisition items, the acquisition frequency and the acquisition priority to generate corresponding acquisition strategies, and then packaging each acquisition strategy in the acquisition agent set to generate the acquisition strategies in the target network.
2. The method according to claim 1, wherein if it is determined that the collected data reported by the collection agent in the target network is abnormal, determining a collection agent set to be activated in the target network, and the collection item, the collection frequency, and the collection priority of the collection agent in the collection agent set according to a collection item corresponding to the abnormal collected data and a pre-stored information base, before further comprising:
storing basic attributes, acquisition capacity, working configuration information, deployment information and running state of an acquisition agent in a target network to create an acquisition agent information sub-library; storing basic information of an acquisition object in a target network to create an acquisition object information sub-library; storing the threat types of each type of threat suffered by the target network and the associated acquisition items in an associated manner so as to create a threat characteristic information sub-library; and taking the acquisition agent information sub-library, the acquisition object information sub-library and the threat characteristic information sub-library as information libraries.
3. The method of claim 2, wherein associating the threat types and associated acquisitions for each type of threat suffered in the target network to create a sub-library of threat signature information comprises:
acquiring acquisition data corresponding to acquisition items of an agent before a known type of threat occurs to a target network to form a first acquisition data set;
acquiring acquisition data corresponding to acquisition items of an acquisition agent after the threat of the target network occurs, and forming a second acquisition data set;
determining a collection item associated with the threat from the first collection of data and/or the second collection of data;
and storing the threat types of the threats and the associated acquisition items in an associated manner to create a threat characteristic information sub-library.
4. The method according to claim 1, wherein according to a collection object corresponding to abnormal collection data, a collection object associated with the collection object is searched in a collection object information sub-library, and further comprising:
profiling the acquisition objects in the acquisition object information sub-library;
and acquiring, from the acquisition object information sub-library, other acquisition objects whose profile association degree with the acquisition object is greater than a preset threshold value, and taking these other acquisition objects as the acquisition objects associated with the acquisition object.
5. The method of claim 1, wherein in the first collection agent set, the collection agent set to be activated in the target network and the collection items of the collection agents in the collection agent set are determined according to the collection capabilities of the collection agents and the associated collection item sets, and further comprising:
for the acquisition agents in the first acquisition agent set, performing intersection or fuzzy matching on the acquisition capacity of the acquisition agents and the associated acquisition item set, and determining whether the acquisition agents are the acquisition agents needing to be activated or not according to the intersection or fuzzy matching result;
and forming the acquisition agents to be activated in the first acquisition agent set into an acquisition agent set to be activated, and regarding the acquisition agents in the acquisition agent set, solving an intersection or fuzzy matching result between the acquisition capacity of the acquisition agents and the associated acquisition item set to serve as the acquisition items of the acquisition agents.
6. The method of claim 5, wherein the determining of the collection agent set to be activated in the target network and the collection frequency of the collection agents in the collection agent set according to the collection items corresponding to the abnormal collection data and the pre-stored information base further comprises:
determining an acquisition object in which the acquisition agent is deployed;
and determining the acquisition frequency of the acquisition agent according to any one or more of the asset value of the acquisition object, the operation state of the acquisition agent and the link state.
7. The method of claim 1, wherein determining the acquisition frequency of the acquisition agent according to any one or more of an asset value of the acquisition object, an operating state of the acquisition agent, and a link state, further comprises:
searching the asset value of the acquisition object in an acquisition object information sub-base, and digitizing the asset value to obtain a digitized asset value;
searching the operation state of the acquisition object in an acquisition object information sub-base, and digitizing the operation state to obtain a digitized acquisition object operation state;
searching the operation state of the acquisition agent in an acquisition agent information sub-base, and digitizing the operation state to obtain a digitized acquisition agent operation state;
searching deployment information of the acquisition agent in an acquisition agent information sub-base;
acquiring a link state based on the current acquisition item and the deployment information of the acquisition object, and digitizing the link state to obtain a digitized link state;
and determining the acquisition frequency of the acquisition agent according to the digitalized asset value, the digitalized acquisition object running state, the digitalized acquisition agent running state and the digitalized link state.
8. The method of claim 1, wherein determining the acquisition priority of the acquisition agent according to any one or more of an asset value of the acquisition object, an operating state of the acquisition agent, and a link state, further comprises:
determining an acquisition object in which the acquisition agent is deployed;
searching the asset value of the acquisition object in an acquisition object information sub-base;
determining a collection priority for the collection agent based on any one or more of the asset value, the operational status of the collection object, the operational status of the collection agent, and the link status.
9. The method according to claim 1, wherein if it is determined that the collected data reported by the collection agent in the target network is abnormal, determining a collection agent set to be activated in the target network, and the collection item, the collection frequency, and the collection priority of the collection agent in the collection agent set according to a collection item corresponding to the abnormal collected data and a pre-stored information base, before further comprising:
for a collection object in a target network, determining a collection agent deployed in the collection object according to any one or more of the type and the degree of importance of the collection object, and deploying the collection agent in the collection object.
10. The method of claim 1, wherein generating an acquisition policy in the target network further comprises:
and distributing the acquisition strategy to the acquisition agents in the acquisition agent set to be activated according to the acquisition agent set to be activated contained in the acquisition strategy, so that the acquisition agents in the acquisition agent set to be activated execute the acquisition strategy to realize multipoint cooperative acquisition.
11. An acquisition strategy generation system based on acquisition data anomaly, comprising:
the acquisition information determining module is used for determining an acquisition agent set which needs to be activated in the target network, and the acquisition items, the acquisition frequency and the acquisition priority of the acquisition agents in the acquisition agent set according to the acquisition items corresponding to the abnormal acquisition data and a prestored information base if the acquired data reported by the acquisition agents in the target network are judged to be abnormal;
the acquisition strategy generation module generates an acquisition strategy in the target network based on the acquisition agent set and any one or more of acquisition items, acquisition frequency and acquisition priority of the acquisition agents in the acquisition agent set;
the information base comprises an acquisition agent information sub-base, an acquisition object information sub-base and a threat characteristic information sub-base;
according to the acquisition items corresponding to the abnormal acquisition data and a pre-stored information base, determining an acquisition agent set which needs to be activated in the target network and acquisition items of acquisition agents in the acquisition agent set, further comprising:
according to an acquisition item corresponding to abnormal acquisition data, searching a threat associated with the acquisition item in a threat characteristic information sub-library, and taking the acquisition item associated with the threat as an associated acquisition item set;
according to an acquisition object corresponding to abnormal acquisition data, searching an acquisition object associated with the acquisition object in an acquisition object information sub-library, and taking the acquisition object and the associated acquisition object as an associated acquisition object set;
according to the associated collection item set and the associated collection object set, determining a collection agent set which needs to be activated in a target network and collection items of collection agents in the collection agent set;
wherein, according to the associated collection item set and the associated collection object set, a collection agent set to be activated in the target network and collection items of collection agents in the collection agent set are determined, and the method further comprises the following steps:
according to the associated collection object set, searching a collection agent deployed on a collection object in the associated collection object set in a collection agent information sub-library to serve as a first collection agent set;
searching the acquisition capacity of the acquisition agent in the first acquisition agent set in an acquisition agent information sub-base;
in the first collection agent set, according to the collection capability of a collection agent and the associated collection item set, determining a collection agent set to be activated in a target network and collection items of the collection agent in the collection agent set;
the acquisition strategy generation module is specifically used for:
and associating the acquisition agent with the acquisition items, the acquisition frequency and the acquisition priority to generate corresponding acquisition strategies, and then packaging each acquisition strategy in the acquisition agent set to generate the acquisition strategies in the target network.
12. An electronic device, comprising a memory and a processor, wherein the processor and the memory communicate with each other via a bus; the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 10.
13. A non-transitory computer-readable storage medium storing a computer program that causes a computer to perform the method according to any one of claims 1 to 10.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811376265.6A CN109639648B (en) 2018-11-19 2018-11-19 Acquisition strategy generation method and system based on acquired data abnormity


Publications (2)

Publication Number Publication Date
CN109639648A CN109639648A (en) 2019-04-16
CN109639648B true CN109639648B (en) 2020-07-07

Family

ID=66068382

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811376265.6A Active CN109639648B (en) 2018-11-19 2018-11-19 Acquisition strategy generation method and system based on acquired data abnormity

Country Status (1)

Country Link
CN (1) CN109639648B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110430158B (en) * 2019-06-13 2020-07-03 中国科学院信息工程研究所 Acquisition agent deployment method and device
CN111756691B (en) * 2020-05-19 2021-10-08 中国科学院信息工程研究所 Acquisition strategy conflict detection method and device, electronic equipment and storage medium
CN111865899B (en) * 2020-06-02 2021-07-13 中国科学院信息工程研究所 Threat-driven cooperative acquisition method and device
CN111817917B (en) * 2020-07-03 2021-12-24 中移(杭州)信息技术有限公司 Deep packet inspection method, device, server and storage medium
CN112461543B (en) * 2020-10-28 2022-09-13 山东科技大学 Rotary machine fault diagnosis method based on multi-classification support vector data description
CN114715139B (en) * 2020-12-18 2024-04-16 北京百度网讯科技有限公司 Automatic parking abnormal data acquisition method, device, storage medium and product
CN114760117A (en) * 2022-03-30 2022-07-15 深信服科技股份有限公司 Data acquisition method and device and electronic equipment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101867571A (en) * 2010-05-12 2010-10-20 上海电机学院 Intelligent network intrusion defensive system based on collaboration of a plurality of mobile agents
CN102447570A (en) * 2010-09-30 2012-05-09 中国移动通信集团福建有限公司 Monitoring device and method based on health degree analysis
CN103106277A (en) * 2013-02-18 2013-05-15 浪潮(北京)电子信息产业有限公司 Evidence obtaining method based on cloud computing
CN103442022A (en) * 2011-10-18 2013-12-11 华北电网有限公司 Method for managing multiple data acquisition nodes of electric power telecommunication network in centralized mode
CN105337983A (en) * 2015-11-20 2016-02-17 南京未来网络产业创新有限公司 DoS attack defending method
CN105868021A (en) * 2016-03-23 2016-08-17 浪潮通信信息系统有限公司 Task allocation method and apparatus
CN106059851A (en) * 2016-05-20 2016-10-26 天津海量信息技术股份有限公司 App data collection method based on cooperative work of mobile end and service end
CN106357673A (en) * 2016-10-19 2017-01-25 中国科学院信息工程研究所 DDoS attack detecting method and DDoS attack detecting system of multi-tenant cloud computing system
CN106993043A (en) * 2017-04-06 2017-07-28 上海木爷机器人技术有限公司 Data communication system and method based on agency

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040193923A1 (en) * 2003-01-16 2004-09-30 Hammond Frank J. Systems and methods for enterprise security with collaborative peer to peer architecture
US8171554B2 (en) * 2008-02-04 2012-05-01 Yuval Elovici System that provides early detection, alert, and response to electronic threats

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Cooperative Behavior Acquisition for Multi-agent System by Q-learning; Xie, Tachibana; Proceedings of the 2007 IEEE Symposium on Foundations of Computational Intelligence (FOCI 2007); 2007-12-31; full text *
A Multi-Agent-Based Exception Handling Model for Web Servers (基于多Agent的Web服务器异常处理模型); Zhao Hongxia; Computer Applications and Software (计算机应用与软件); 2010-04-06; full text *

Also Published As

Publication number Publication date
CN109639648A (en) 2019-04-16

Similar Documents

Publication Publication Date Title
CN109714312B (en) Acquisition strategy generation method and system based on external threats
CN109639648B (en) Acquisition strategy generation method and system based on acquired data abnormity
US11632392B1 (en) Distributed malware detection system and submission workflow thereof
CN106663169B (en) System and method for high speed threat intelligence management using unsupervised machine learning and priority algorithms
US10785255B1 (en) Cluster configuration within a scalable malware detection system
US8850565B2 (en) System and method for coordinating network incident response activities
EP2769571B1 (en) Mobile risk assessment
EP2836954B1 (en) Opportunistic system scanning
CN109688105B (en) Threat alarm information generation method and system
US8990938B2 (en) Analyzing response traffic to detect a malicious source
US8255985B2 (en) Methods, network services, and computer program products for recommending security policies to firewalls
US20050204151A1 (en) Systems and methods for updating content detection devices and systems
EP2387746B1 (en) Methods and systems for securing and protecting repositories and directories
US20210279332A1 (en) System and method for automatic generation of malware detection traps
US11956279B2 (en) Cyber-security in heterogeneous networks
CN109413088B (en) Method and system for decomposing threat handling strategy in network
Granjal et al. An intrusion detection and prevention framework for internet-integrated CoAP WSN
Yen Detecting stealthy malware using behavioral features in network traffic
CN108322454B (en) Network security detection method and device
RU108896U1 (en) SYSTEM TO ENSURE GENERAL SAFETY OF MOBILE DEVICES
Ramachandran et al. Impact of DoS attack in software defined network for virtual network
Roets et al. IoT-Penn: A Security Penetration Tester for MQTT in the IoT Environment
TWI761122B (en) Cyber security protection system and related proactive suspicious domain alert system
Hemmes et al. Trust Models and Risk in the Internet of Things
Chen et al. An Intelligent IoT Terminal Detection System Based on Data Sniffing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant