CN110535702A - Alarm information processing method and device - Google Patents
Alarm information processing method and device
- Publication number: CN110535702A
- Application number: CN201910817936.6A
- Authority: CN (China)
- Prior art keywords: address, source, threat, rating number, information
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0604—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
- H04L41/0609—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time based on severity or priority
- H04L41/0627—Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time by acting on the notification or alarm source
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
This application discloses an alarm information processing method and device. The method extracts the alarm type, source IP address and destination IP address of each alarm to be graded; within a preset time period it obtains an alarm-type rating number that reflects how often that alarm type occurs, a threat-source rating number that reflects whether the alarm's threat source is appearing for the first time, and an IP address information rating number that reflects the threat degree associated with the IP address information; it then computes a weighted sum of the alarm-type rating number, the threat-source rating number and the IP address information rating number to obtain an alarm threat level expressing the alarm's threat degree, and sorts the alarms by that threat level. The scheme provided by this application can improve the speed of response to threat events.
Description
Technical field
This application relates to the technical field of network security, and in particular to an alarm information processing method and device.
Background technique
As network traffic keeps growing, network attacks are becoming increasingly complex. In the prior art, to cope with these increasingly complex attacks, network security detection equipment such as intrusion detection devices, firewall devices, and endpoint detection and response devices monitors networks and endpoints in real time and reports abnormal conditions such as network attacks in the form of alarm information to network security operation and maintenance personnel. However, because of detection device false positives and differences between detection policies, the security detection equipment generates a large volume of alarm information, and within the limited time available the operation and maintenance personnel cannot quickly locate the real network threat events among a large number of alarms that include false positives, which lowers the efficiency of threat event response.
Summary of the invention
The embodiments of this application provide an alarm information processing method and device to solve the prior-art problem that, when a network generates a large volume of alarm information, network security operation and maintenance personnel and security researchers cannot quickly locate real network threat events on the basis of that large volume of alarms.
In a first aspect, an alarm information processing method is provided, comprising:
extracting the alarm type, source IP address and destination IP address of the alarm information to be graded;
obtaining an alarm-type rating number that reflects the frequency of occurrence of the alarm type, a threat-source rating number that reflects whether the threat source of the alarm information is appearing for the first time, and an IP address information rating number that reflects the threat degree associated with the IP address information; wherein the information pair formed by combining the alarm type with the source IP address is the threat source;
computing a weighted sum of the alarm-type rating number, the threat-source rating number and the IP address information rating number to determine an alarm threat level that indicates the threat degree of the alarm information, and sorting the alarm information on the basis of that alarm threat level.
With the alarm information processing method provided by this application, when a large volume of alarms is generated within a period of time, the alarms are sorted by the severity of the threat they represent. The ordered list of alarms shown after sorting lets security operation and maintenance personnel quickly locate the real threat events in the network, improves the working efficiency of operation and maintenance personnel and security researchers, and shortens the response cycle for threat events.
Optionally, obtaining the alarm-type rating number comprises:
looking up, on the basis of the extracted alarm type, a mapping table between alarm types and alarm-type rating numbers to determine the alarm-type rating number;
wherein the mapping table between alarm types and rating numbers is built by calculating, for each alarm type, a rating number that indicates the frequency of occurrence of that alarm type from the number of distinct source IP addresses in a history threat-source library and the number of source IP addresses associated with the alarm type;
wherein the history threat-source library is the threat-source information within a preset time period.
By counting the total number of distinct source IP addresses in the history threat-source library and the number of source IP addresses associated with a given alarm type, the frequency with which each alarm type occurs is determined, and from that frequency a rating number indicating the threat degree associated with the alarm information is derived.
Optionally, obtaining the IP address information rating number comprises:
determining a point set and a line set on the basis of the source IP address and destination IP address in the alarm information and the source and destination IP addresses within the preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the line set are the distinct (source IP address, destination IP address) pairs;
determining, on the basis of the point set and the line set, an association map that represents the correspondence between the source IP addresses and the destination IP addresses;
iteratively calculating the rank score values of all IP addresses on the basis of the association map and the initialised rank score values of all IP addresses, and taking the average of the rank score values of the source IP address and the destination IP address as the IP address information rating number; the IP address information rating number characterises the number of alarm events the IP address is involved in.
Optionally, obtaining the threat-source rating number comprises:
judging whether the threat source belongs to the history threat sources;
if the threat source belongs to the history threat sources, setting the threat-source rating number to a first value; if the threat source does not belong to the history threat sources, setting the threat-source rating number to a second value;
wherein the first value is greater than the second value.
In a second aspect, an alarm information processing device is provided, the device comprising:
an extraction module for extracting the alarm type, source IP address and destination IP address of the alarm information to be graded;
an acquisition module for obtaining an alarm-type rating number that reflects the frequency of occurrence of the alarm type, a threat-source rating number that reflects whether the threat source of the alarm information is appearing for the first time, and an IP address information rating number that reflects the threat degree associated with the IP address information; wherein the information pair formed by combining the alarm type with the source IP address is the threat source;
a sorting module for computing a weighted sum of the alarm-type rating number, the threat-source rating number and the IP address information rating number to determine an alarm threat level that indicates the threat degree of the alarm information, and sorting the alarm information on the basis of that alarm threat level.
Optionally, the acquisition module is specifically configured to:
look up, on the basis of the extracted alarm type, a mapping table between alarm types and alarm-type rating numbers to determine the alarm-type rating number;
wherein the mapping table between alarm types and rating numbers is built by calculating, for each alarm type, a rating number that indicates the frequency of occurrence of that alarm type from the number of distinct source IP addresses in a history threat-source library and the number of source IP addresses associated with the alarm type;
wherein the history threat-source library is the threat-source information within a preset time period.
Optionally, the acquisition module is specifically configured to:
determine a point set and a line set on the basis of the source IP address and destination IP address in the alarm information and the source and destination IP addresses within the preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the line set are the distinct (source IP address, destination IP address) pairs;
determine, on the basis of the point set and the line set, an association map that represents the correspondence between the source IP addresses and the destination IP addresses;
iteratively calculate the rank score values of all IP addresses on the basis of the association map and the initialised rank score values of all IP addresses, and take the average of the rank score values of the source IP address and the destination IP address as the IP address information rating number; the IP address information rating number characterises the number of alarm events the IP address is involved in.
Optionally, the acquisition module is specifically configured to: judge whether the threat source belongs to the history threat sources; if the threat source belongs to the history threat sources, set the threat-source rating number to a first value; if the threat source does not belong to the history threat sources, set the threat-source rating number to a second value; wherein the first value is greater than the second value.
In a third aspect, the embodiments of this application also provide a computer storage medium:
the computer-readable storage medium contains a computer program which, when run on a computer, causes the computer to execute the method described in the first aspect above.
In a fourth aspect, the embodiments of this application also provide a computer program product comprising instructions:
when the instructions are run on a computer, they cause the computer to execute the method described in the first aspect above.
Description of the drawings
Fig. 1 is a flow diagram of an alarm information processing method provided by an embodiment of this application;
Fig. 2 is a flow chart of obtaining the IP address information rating number of alarm information provided by an embodiment of this application;
Fig. 3 is a schematic diagram of an alarm information processing device provided by an embodiment of this application.
Specific embodiments
Given that prior-art detection devices are numerous and the volume of detection data is large, a large volume of alarm information is generated, and network security operation and maintenance personnel and security researchers cannot quickly locate real network threat events on the basis of that large volume of alarms. The embodiments of this application provide the following solution.
The general idea of the embodiments of the present invention for solving the above problem is as follows:
first, the alarm type, source IP address and destination IP address of every generated alarm are extracted; then the alarm type and the source IP address are combined into an information pair, which identifies the threat source; then the alarm-type rating number is determined by table lookup, the threat-source rating number is determined by a preset rule, and the IP address information rating number, which reflects the threat degree associated with the IP addresses, is determined; finally, the alarm threat level is determined from the three rating numbers related to the threat degree of the alarm, and the alarms are sorted according to the determined threat level.
With the alarm information processing method provided by this application, when a large volume of alarms is generated within a period of time, the alarms are sorted by the severity of the threat they represent; the ordered list of alarms shown after sorting lets security operation and maintenance personnel and security researchers quickly locate the real threat events in the network and improves the working efficiency of the operation and maintenance security officers.
As shown in Fig. 1, the specific implementation steps of the alarm information processing method provided by the embodiments of this application are as follows:
Step 101: extract the alarm type, source IP address and destination IP address of the alarm information to be graded.
When an anomaly or attack occurs in the network, the security detection equipment produces analysis results for the network traffic, namely alarm information. The security detection equipment here may be an intrusion detection device, a user and entity behaviour analytics device, a firewall device, an endpoint detection and response device, and so on. The generated alarm information may contain fields such as a timestamp, the source IP address and destination IP address of the network traffic, and the alarm type. When the alarms are sorted, the source IP address, destination IP address and alarm type of every alarm to be sorted are extracted first.
The alarm information to be sorted is the alarm information generated within a preset time period. The preset time period may be in units of minutes or of hours; specifically, the system operation and maintenance security officer can preset it according to business needs. Once the period has been determined, the alarm information collected within the specified period is used as the alarm information to be sorted.
After the alarm information to be sorted has been determined and the required information extracted, the following step 102 is carried out.
Step 102: obtain an alarm-type rating number that reflects the frequency of occurrence of the alarm type, a threat-source rating number that reflects whether the threat source of the alarm information is appearing for the first time, and an IP address information rating number that reflects the threat degree associated with the IP address information.
The alarm-type rating number is obtained as follows: the extracted alarm type is looked up in a mapping table between alarm types and alarm-type rating numbers, and the alarm-type rating number is determined from the correspondence in the table. In the embodiments of this application, the mapping table between alarm types and alarm-type rating numbers is determined in advance.
Further, before the mapping table between alarm types and alarm-type rating numbers is determined, the history threat sources must be determined. A threat source is defined as the information pair (source ip, message type) formed by the source IP address and the alarm type. If these two fields of two alarms are both identical, the two alarms belong to the same threat source; if at least one of the two fields differs, the two alarms are regarded as different threat sources. To obtain the history threat sources, the history alarm data are determined first: the alarm information generated within a preset time period is the history alarm information. If the preset time period is, for example, 7 days, then the alarm data of the previous 7 days form the history alarm library, and the required history threat sources are determined from that library.
After the history threat sources have been determined, the rating number of every alarm type is calculated with the Inverse IP Correlation Frequency (IICF) algorithm from the number of distinct source IP addresses in the history threat-source library and the number of source IP addresses associated with the extracted alarm type, and the mapping table between alarm types and rating numbers is built.
To determine the alarm-type rating number, first count the total number N_ip of distinct IP addresses in the history threat-source library; then, for each alarm type M, count the number of threat sources whose alarm type is M, that is, the number N_m of source IP addresses associated with that alarm type. When the frequency is calculated, the total number of distinct IPs N_ip is used as the numerator and the number of source IP addresses associated with the alarm type N_m as the denominator. Because N_m may be 0, 1 is added to the denominator. At the same time, to prevent the denominator from exceeding the numerator when N_m equals N_ip, 1 is also added to the numerator. The rating number of the alarm type is then:
IICF(M) = log((N_ip + 1) / (N_m + 1)) + 1
The rating number of every alarm type is determined with this calculation, and the mapping table is built. In the embodiments of this application, each alarm-type rating number reflects the frequency with which that alarm type occurs across all IPs: if an alarm type is associated with a larger number of source IP addresses, the alarm is more likely an informational alarm or a false positive, its threat degree is lower, and its rating number is correspondingly lower; if an alarm type is associated with fewer source IPs, the threat degree of the alarm is higher and its rating number is correspondingly higher.
Once the mapping table between alarm types and alarm-type rating numbers has been built with this method, the alarm-type rating number of an alarm is determined by extracting its alarm type and looking it up in the mapping table.
Further, as shown in Fig. 2, the steps for obtaining the IP address information rating number of each alarm among the alarms to be sorted are as follows:
Step 1: build the association map. First, a point set and a line set are determined from the source and destination IP addresses of the extracted alarm information and the source and destination IP addresses of the alarms within the preset time period. In the embodiments of this application, the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the line set are (source IP address, destination IP address) pairs: one source IP address and one destination IP address form one line, which is one element of the line set. Second, an association map representing the correspondence between each source IP address and destination IP address is determined from the point set and the line set; in the association map, each element of the line set is a line between the point of a source IP address and the point of its corresponding destination IP address, directed from the source IP address to the destination IP address.
On the basis of this IP association map, an IP address rank score value PRi is initialised for every IP address point, and the PageRank algorithm is iterated to compute and update the latest PR value of every IP address point. When the number of iteration rounds exceeds a preset number, or when the PageRank algorithm converges on its own, the PR value obtained for each node is recorded as its IP address information rating number, and finally the average of the rank score values of the source IP address and the destination IP address is taken as the IP address information rating number of the alarm.
Through the PageRank algorithm, a key score value for the threat degree associated with the IP addresses of the obtained alarm information is derived. The higher the score value, the more alarm events the IP addresses of that alarm have recently been associated with, that is, the more the alarm corresponding to that IP address needs the attention of operation and maintenance personnel.
Further, obtaining the threat-source rating number comprises the following specific steps:
judge whether the threat source belongs to the history threat sources, and determine the rating number of each threat source on the basis of the predetermined history threat-source library; that is, determine whether the threat source is a history threat source or a newly added threat source. A newly added threat source represents a threat event source that has newly appeared in the network environment and reflects dynamic events in the network, for example a newly infected network host that attempts to infect other hosts, or a newly compromised host that an attacker uses as a springboard to attempt attacks on other hosts or on the network infrastructure, causing large numbers of network failures. Newly added threat sources therefore allow the dynamic changes of network threat events to be located quickly.
Therefore, if the threat source belongs to the history threat sources, the threat-source rating number is set to a first value; if the threat source does not belong to the history threat sources, the threat-source rating number is set to a second value. Here, if the threat source of an alarm is a newly added threat source, the first value S1 is determined as its threat-source rating number, and if the threat source of an alarm is a history threat source, the second value S2 is determined as its threat-source rating number; in the embodiments of this application, S1 is greater than S2, for example S1 takes the value 2 while S2 takes the value 0.1.
After the alarm-type rating number, threat-source rating number and IP address information rating number have been obtained, the following step 103 is carried out.
Step 103: compute a weighted sum of the alarm-type rating number, threat-source rating number and IP address information rating number to determine an alarm threat level indicating the threat degree of the alarm information, and sort the alarm information on the basis of the determined alarm threat level.
Before the alarms are sorted on the basis of the alarm-type rating number, threat-source rating number and IP address information rating number, each type of score value is normalised to the range 0 to 1 with a preset algorithm, which may be min-max normalisation. Normalising all rating numbers prevents a single excessively large rating number from introducing a large deviation into the final level score and improves the accuracy of the level score calculation. After all rating numbers have been normalised, a level score value is determined from the normalised alarm-type rating number, threat-source rating number and IP address information rating number with a weighted-sum algorithm, and the threat level of the alarm is then determined from this level score. The sorting rule based on the level may arrange the alarms from high to low threat degree or from low to high; the embodiments of this application place no restriction on the sorting rule.
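To make steps 101 to 103 concrete, the following is an added Python example (not code from the patent or its applicant) that runs the whole procedure on constructed alert records: the IICF alarm-type table built from a history window, the new-versus-known threat-source score using the S1 = 2 and S2 = 0.1 values of the detailed description, PageRank over the source-to-destination association map averaged per alert, min-max normalisation and a weighted sum, then a sort by threat level. The natural logarithm, equal weights, a damping factor of 0.85 with dangling mass spread uniformly, and mapping a constant column to 0 are assumptions the page does not fix.

```python
"""Added example: the alert-ranking pipeline of CN110535702A on constructed data.
Assumptions (not fixed by the patent text): natural logarithm in IICF, equal
weights for the three scores, PageRank damping 0.85 with dangling mass spread
uniformly, and a constant score column normalising to 0."""
import math
from collections import defaultdict

# Constructed history window (e.g. the previous 7 days) of (src, dst, type)
# records; it yields the history threat-source library and the IICF table.
HISTORY_ALERTS = [
    ("10.0.0.1", "10.0.1.5", "port_scan"),
    ("10.0.0.2", "10.0.1.5", "port_scan"),
    ("10.0.0.3", "10.0.1.6", "port_scan"),
    ("10.0.0.4", "10.0.1.7", "port_scan"),
    ("10.0.0.1", "10.0.1.8", "webshell_upload"),
]
# Constructed alerts of the current window: the ones to be graded and sorted.
ALERTS = [
    ("10.0.0.1", "10.0.1.5", "port_scan"),         # known source, noisy type
    ("10.0.0.9", "10.0.1.5", "webshell_upload"),   # new source, rare type
    ("10.0.0.2", "10.0.1.9", "port_scan"),         # known source, noisy type
    ("10.0.1.5", "10.0.2.1", "lateral_movement"),  # earlier victim now a source
]
S1, S2 = 2.0, 0.1            # new threat source, known (history) threat source
WEIGHTS = (1.0, 1.0, 1.0)    # assumed weights for type, source and IP scores


def history_threat_sources(history):
    """A threat source is the (source IP, alarm type) pair, as the patent defines it."""
    return {(src, typ) for src, _dst, typ in history}


def iicf_table(history, types):
    """IICF(M) = log((N_ip + 1) / (N_m + 1)) + 1: N_ip distinct source IPs in the
    history library, N_m of them associated with alarm type M. The +1 on both
    sides keeps unseen types (N_m = 0) finite and the ratio at least 1."""
    n_ip = len({src for src, _dst, _typ in history})
    per_type = defaultdict(set)
    for src, _dst, typ in history:
        per_type[typ].add(src)
    return {m: math.log((n_ip + 1) / (len(per_type[m]) + 1)) + 1 for m in types}


def pagerank(edges, damping=0.85, max_iter=200, tol=1e-6):
    """PageRank over the src -> dst association map, stopping after max_iter
    rounds or when the L1 change between rounds drops below tol."""
    nodes = sorted({n for edge in edges for n in edge})
    out = defaultdict(set)
    for src, dst in edges:
        out[src].add(dst)
    n = len(nodes)
    pr = {v: 1.0 / n for v in nodes}            # initial PRi for every node
    for _ in range(max_iter):
        dangling = sum(pr[v] for v in nodes if not out[v])
        new = {}
        for v in nodes:
            inbound = sum(pr[u] / len(out[u]) for u in nodes if v in out[u])
            new[v] = (1 - damping) / n + damping * (inbound + dangling / n)
        delta = sum(abs(new[v] - pr[v]) for v in nodes)
        pr = new
        if delta < tol:
            break
    return pr


def min_max(values):
    """Min-max normalisation to [0, 1]; a constant column maps to 0."""
    lo, hi = min(values), max(values)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in values]


def rank_alerts(alerts, history, weights=WEIGHTS):
    """Return (alert, threat level) pairs sorted from highest to lowest level."""
    known = history_threat_sources(history)
    types = {t for _s, _d, t in history} | {t for _s, _d, t in alerts}
    table = iicf_table(history, types)
    pr = pagerank({(s, d) for s, d, _t in alerts})
    type_scores = [table[t] for _s, _d, t in alerts]
    source_scores = [S2 if (s, t) in known else S1 for s, _d, t in alerts]
    ip_scores = [(pr[s] + pr[d]) / 2 for s, d, _t in alerts]
    columns = [min_max(c) for c in (type_scores, source_scores, ip_scores)]
    levels = [sum(w * col[i] for w, col in zip(weights, columns))
              for i in range(len(alerts))]
    order = sorted(range(len(alerts)), key=lambda i: levels[i], reverse=True)
    return [(alerts[i], round(levels[i], 4)) for i in order]


if __name__ == "__main__":
    for alert, level in rank_alerts(ALERTS, HISTORY_ALERTS):
        print(f"{level:6.4f}  {alert[0]:>10} -> {alert[1]:<10} {alert[2]}")
```

On the constructed data the lateral-movement alert from the earlier victim ranks first, since it is new, rare and sits on the busiest nodes of the map, while the repeated port scans from known sources sink to the bottom.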
As shown in Fig. 3, on the basis of the above method the embodiments of this application also provide an alarm information processing device, the device comprising:
an extraction module 301 for extracting the alarm type, source IP address and destination IP address of the alarm information to be graded;
an acquisition module 302 for obtaining an alarm-type rating number that reflects the frequency of occurrence of the alarm type, a threat-source rating number that reflects whether the threat source of the alarm information is appearing for the first time, and an IP address information rating number that reflects the threat degree associated with the IP address information; wherein the information pair formed by combining the alarm type with the source IP address is the threat source;
a sorting module 303 for computing a weighted sum of the alarm-type rating number, the threat-source rating number and the IP address information rating number to determine an alarm threat level that indicates the threat degree of the alarm information, and sorting the alarm information on the basis of that alarm threat level.
Optionally, the acquisition module 302 is specifically configured to:
look up, on the basis of the extracted alarm type, a mapping table between alarm types and alarm-type rating numbers to determine the alarm-type rating number;
wherein the mapping table between alarm types and rating numbers is built by calculating, for each alarm type, a rating number that indicates the frequency of occurrence of that alarm type from the number of distinct source IP addresses in a history threat-source library and the number of source IP addresses associated with the alarm type;
wherein the history threat-source library is the threat-source information within a preset time period.
Optionally, the acquisition module 302 is specifically configured to:
determine a point set and a line set on the basis of the source IP address and destination IP address in the alarm information and the source and destination IP addresses within the preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the line set are the distinct (source IP address, destination IP address) pairs;
determine, on the basis of the point set and the line set, an association map that represents the correspondence between the source IP addresses and the destination IP addresses;
iteratively calculate the rank score values of all IP addresses on the basis of the association map and the initialised rank score values of all IP addresses, and take the average of the rank score values of the source IP address and the destination IP address as the IP address information rating number; the IP address information rating number characterises the number of alarm events the IP address is involved in.
Optionally, the acquisition module 302 is specifically configured to: judge whether the threat source belongs to the history threat sources; if the threat source belongs to the history threat sources, set the threat-source rating number to a first value; if the threat source does not belong to the history threat sources, set the threat-source rating number to a second value; wherein the first value is greater than the second value.
The embodiments of this application also provide a computer storage medium:
the computer-readable storage medium contains a computer program which, when run on a computer, causes the computer to execute the method described in Fig. 1.
The embodiments of this application also provide a computer program product comprising instructions:
when the instructions are run on a computer, they cause the computer to execute the method described in Fig. 1. Those skilled in the art will appreciate that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage and optical storage) that contain computer-usable program code.
This application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of this application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various modifications and variations to this application without departing from its spirit and scope. If these modifications and variations of this application fall within the scope of the claims of this application and their technical equivalents, this application is also intended to include them.
Claims (10)
1. An alarm information processing method, characterized in that the method comprises:
extracting the alarm type, source IP address and destination IP address of the alarm information to be graded;
obtaining an alarm type score (rating number) that reflects the frequency of occurrence of the alarm type, a threat source score that reflects whether the threat source of the alarm information appears for the first time, and an IP address information score that reflects the threat degree associated with the IP address information; wherein the threat source is the pair formed by the alarm type combined with the source IP address;
determining, by a weighted summation of the alarm type score, the threat source score and the IP address information score, an alarm information threat level that indicates the threat degree of the alarm information, and sorting the alarm information according to the alarm information threat level.
2. The method according to claim 1, characterized in that obtaining the alarm type score comprises:
determining the alarm type score by looking up, with the extracted alarm type, a mapping table from alarm type to alarm type score;
wherein the mapping table from alarm type to score is determined by calculating, from the number of distinct source IP addresses in a history threat source library and the number of source IP addresses associated with each alarm type, an alarm type score that indicates the frequency of occurrence of that alarm information type;
wherein the history threat source library is the threat source information within a preset time period.
3. The method according to claim 1, characterized in that obtaining the IP address information score comprises:
determining a point set and a line set from the source IP address and the destination IP address together with the source IP addresses and destination IP addresses of the alarm information within a preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the line set are the distinct (source IP address, destination IP address) pairs;
determining, from the point set and the line set, an association map that indicates the correspondence between source IP addresses and destination IP addresses;
calculating, in an iterative manner from the association map and the initialised grade scores of all IP addresses, the grade score of every IP address, and taking the average of the grade scores of the source IP address and the destination IP address as the IP address information score, wherein the IP address information score characterises the number of alarm events in which the IP address is involved.
4. The method according to claim 2, characterized in that obtaining the threat source score comprises:
judging whether the threat source belongs to the history threat source library;
if the threat source belongs to the history threat source library, setting the threat source score to a first value; if the threat source does not belong to the history threat source library, setting the threat source score to a second value;
wherein the first value is greater than the second value.
5. An alarm information processing device, characterized in that the device comprises:
an extraction module for extracting the alarm type, source IP address and destination IP address of the alarm information to be graded;
an obtaining module for obtaining an alarm type score that reflects the frequency of occurrence of the alarm type, a threat source score that reflects whether the threat source of the alarm information appears for the first time, and an IP address information score that reflects the threat degree associated with the IP address information; wherein the threat source is the pair formed by the alarm type combined with the source IP address;
a sorting module for determining, by a weighted summation of the alarm type score, the threat source score and the IP address information score, an alarm information threat level that indicates the threat degree of the alarm information, and for sorting the alarm information according to the alarm information threat level.
6. The device according to claim 5, characterized in that the obtaining module is specifically configured to:
determine the alarm type score by looking up, with the extracted alarm type, a mapping table from alarm type to alarm type score;
wherein the mapping table from alarm type to score is determined by calculating, from the number of distinct source IP addresses in a history threat source library and the number of source IP addresses associated with each alarm type, an alarm type score that indicates the frequency of occurrence of that alarm information type;
wherein the history threat source library is the threat source information within a preset time period.
7. The device according to claim 5, characterized in that the obtaining module is specifically configured to:
determine a point set and a line set from the source IP address and the destination IP address together with the source IP addresses and destination IP addresses of the alarm information within a preset time period, wherein the elements of the point set are the distinct source IP addresses and destination IP addresses, and the elements of the line set are the distinct (source IP address, destination IP address) pairs;
determine, from the point set and the line set, an association map that indicates the correspondence between source IP addresses and destination IP addresses;
calculate, in an iterative manner from the association map and the initialised grade scores of all IP addresses, the grade score of every IP address, and take the average of the grade scores of the source IP address and the destination IP address as the IP address information score, wherein the IP address information score characterises the number of alarm events in which the IP address is involved.
8. The device according to claim 6, characterized in that the obtaining module is specifically configured to: judge whether the threat source belongs to the history threat source library; if the threat source belongs to the history threat source library, set the threat source score to a first value; if the threat source does not belong to the history threat source library, set the threat source score to a second value; wherein the first value is greater than the second value.
9. A computer storage medium, characterized in that the computer-readable storage medium contains a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 4.
10. A computer program product comprising instructions, characterized in that when the instructions are run on a computer, they cause the computer to perform the method according to any one of claims 1 to 4.
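The scoring pipeline of claims 1 to 4, as an added Python example that is not the patent's own code. It assumes fixed weights for the weighted sum, the values 1.0 and 0.2 for a known and a first-seen threat source (the claims only require the first to exceed the second), and a PageRank-style iteration for the per-IP grade score of claim 3, which the claims leave unspecified; the alert data is constructed.

```python
from collections import defaultdict

# Added example modelled on claims 1-4 (not the patent's own code). Assumed:
# fixed weights, 1.0/0.2 for known/new threat source (claim 4 only needs
# first > second), and a PageRank-style iteration for claim 3's grade score.
W_TYPE, W_SOURCE, W_IP = 0.4, 0.3, 0.3
KNOWN_SOURCE_SCORE, NEW_SOURCE_SCORE = 1.0, 0.2


def alarm_type_table(history):
    """Claim 2: alarm type -> (#source IPs raising it) / (#distinct source IPs)."""
    per_type = defaultdict(set)
    for atype, src, _ in history:
        per_type[atype].add(src)
    n_distinct = len({src for _, src, _ in history}) or 1
    return {atype: len(srcs) / n_distinct for atype, srcs in per_type.items()}


def ip_grade_scores(alerts, damping=0.85, rounds=50):
    """Claim 3: point set / line set -> association map -> iterated grade score per IP."""
    edges = {(src, dst) for _, src, dst in alerts}            # line set
    nodes = sorted({ip for edge in edges for ip in edge})     # point set
    out_links = {}                                            # association map
    for src, dst in edges:
        out_links.setdefault(src, set()).add(dst)
    n = len(nodes)
    rank = {ip: 1.0 / n for ip in nodes}                      # initial grade scores
    for _ in range(rounds):
        # IPs that only receive traffic have no out-links; spread their mass evenly
        dangling = sum(rank[ip] for ip in nodes if ip not in out_links)
        new = {ip: (1 - damping) / n + damping * dangling / n for ip in nodes}
        for src, dsts in out_links.items():
            for dst in dsts:
                new[dst] += damping * rank[src] / len(dsts)
        rank = new
    return rank


def grade_alerts(to_grade, history):
    """Claim 1: three scores -> weighted sum -> threat level, sorted highest first."""
    type_table = alarm_type_table(history)
    known_sources = {(atype, src) for atype, src, _ in history}  # threat source = (type, src)
    ranks = ip_grade_scores(history + to_grade)
    graded = []
    for atype, src, dst in to_grade:
        type_score = type_table.get(atype, 0.0)   # unseen type: no source IP associated
        source_score = KNOWN_SOURCE_SCORE if (atype, src) in known_sources else NEW_SOURCE_SCORE
        ip_score = (ranks[src] + ranks[dst]) / 2  # mean of source and destination grade scores
        level = W_TYPE * type_score + W_SOURCE * source_score + W_IP * ip_score
        graded.append((round(level, 4), atype, src, dst))
    return sorted(graded, reverse=True)


# Constructed sample data: (alarm_type, source_ip, destination_ip).
HISTORY = [  # threat-source library for the preset time window
    ("port_scan", "10.0.0.5", "10.0.1.1"),
    ("port_scan", "10.0.0.6", "10.0.1.1"),
    ("brute_force", "10.0.0.5", "10.0.1.2"),
    ("port_scan", "10.0.0.7", "10.0.1.1"),
]
TO_GRADE = [
    ("brute_force", "10.0.0.9", "10.0.1.2"),  # new source, type seen once
    ("sqli", "10.0.0.9", "10.0.1.1"),         # new source, type never seen
    ("port_scan", "10.0.0.5", "10.0.1.1"),    # repeat offender hitting the most-targeted host
]
```

Calling `grade_alerts(TO_GRADE, HISTORY)` returns the alerts as `(threat_level, type, src, dst)` tuples, highest threat first; the repeat offender against the most-targeted host ranks above the first-seen sources.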
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910817936.6A CN110535702B (en) | 2019-08-30 | 2019-08-30 | Alarm information processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110535702A true CN110535702A (en) | 2019-12-03 |
CN110535702B CN110535702B (en) | 2022-07-12 |
Family
ID=68665672
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910817936.6A Active CN110535702B (en) | 2019-08-30 | 2019-08-30 | Alarm information processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110535702B (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111147300A (en) * | 2019-12-26 | 2020-05-12 | 北京神州绿盟信息安全科技股份有限公司 | Network security alarm confidence evaluation method and device |
CN111224988A (en) * | 2020-01-08 | 2020-06-02 | 国网陕西省电力公司信息通信公司 | Network security information filtering method |
CN111475804A (en) * | 2020-03-05 | 2020-07-31 | 浙江省北大信息技术高等研究院 | Alarm prediction method and system |
CN112019523A (en) * | 2020-08-07 | 2020-12-01 | 贵州黔源电力股份有限公司 | Network auditing method and device for industrial control system |
CN112615888A (en) * | 2020-12-30 | 2021-04-06 | 绿盟科技集团股份有限公司 | Threat assessment method and device for network attack behavior |
CN113515433A (en) * | 2021-07-28 | 2021-10-19 | 中移(杭州)信息技术有限公司 | Alarm log processing method, device, equipment and storage medium |
CN113542200A (en) * | 2020-04-20 | 2021-10-22 | 中国电信股份有限公司 | Risk control method, risk control device and storage medium |
CN113691498A (en) * | 2021-07-23 | 2021-11-23 | 全球能源互联网研究院有限公司 | Electric power internet of things terminal safety state evaluation method and device and storage medium |
CN113761535A (en) * | 2021-09-22 | 2021-12-07 | 杭州安恒信息技术股份有限公司 | Server alarm processing method, system and device |
CN113794727A (en) * | 2021-09-16 | 2021-12-14 | 山石网科通信技术股份有限公司 | Method and device for generating threat intelligence feature library, storage medium and processor |
CN114124552A (en) * | 2021-11-29 | 2022-03-01 | 恒安嘉新(北京)科技股份公司 | Network attack threat level obtaining method, device and storage medium |
CN115428398A (en) * | 2020-07-02 | 2022-12-02 | 深圳市欢太科技有限公司 | Server threat assessment method and related product |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104753862A (en) * | 2013-12-27 | 2015-07-01 | 华为技术有限公司 | Method and device for improving network security |
CN106713049A (en) * | 2017-02-04 | 2017-05-24 | 杭州迪普科技股份有限公司 | Alarm method and device of monitor |
US20170293614A1 (en) * | 2015-04-23 | 2017-10-12 | Tencent Technology (Shenzhen) Company Limited | Method and device for information processing |
CN108073611A (en) * | 2016-11-14 | 2018-05-25 | 国网江苏省电力公司镇江供电公司 | The filter method and device of a kind of warning information |
CN109922069A (en) * | 2019-03-13 | 2019-06-21 | 中国科学技术大学 | The multidimensional association analysis method and system that advanced duration threatens |
Timeline: 2019-08-30, application CN201910817936.6A filed in CN, granted as CN110535702B (status: active).
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111147300A (en) * | 2019-12-26 | 2020-05-12 | 北京神州绿盟信息安全科技股份有限公司 | Network security alarm confidence evaluation method and device |
CN111147300B (en) * | 2019-12-26 | 2022-04-29 | 绿盟科技集团股份有限公司 | Network security alarm confidence evaluation method and device |
CN111224988A (en) * | 2020-01-08 | 2020-06-02 | 国网陕西省电力公司信息通信公司 | Network security information filtering method |
CN111475804A (en) * | 2020-03-05 | 2020-07-31 | 浙江省北大信息技术高等研究院 | Alarm prediction method and system |
CN111475804B (en) * | 2020-03-05 | 2023-10-24 | 杭州未名信科科技有限公司 | Alarm prediction method and system |
CN113542200A (en) * | 2020-04-20 | 2021-10-22 | 中国电信股份有限公司 | Risk control method, risk control device and storage medium |
CN113542200B (en) * | 2020-04-20 | 2023-03-24 | 中国电信股份有限公司 | Risk control method, risk control device and storage medium |
CN115428398B (en) * | 2020-07-02 | 2024-08-20 | 深圳市欢太科技有限公司 | Server threat assessment method and related products |
CN115428398A (en) * | 2020-07-02 | 2022-12-02 | 深圳市欢太科技有限公司 | Server threat assessment method and related product |
CN112019523A (en) * | 2020-08-07 | 2020-12-01 | 贵州黔源电力股份有限公司 | Network auditing method and device for industrial control system |
CN112615888A (en) * | 2020-12-30 | 2021-04-06 | 绿盟科技集团股份有限公司 | Threat assessment method and device for network attack behavior |
CN112615888B (en) * | 2020-12-30 | 2022-08-12 | 绿盟科技集团股份有限公司 | Threat assessment method and device for network attack behavior |
CN113691498B (en) * | 2021-07-23 | 2023-03-14 | 全球能源互联网研究院有限公司 | Electric power internet of things terminal safety state evaluation method and device and storage medium |
CN113691498A (en) * | 2021-07-23 | 2021-11-23 | 全球能源互联网研究院有限公司 | Electric power internet of things terminal safety state evaluation method and device and storage medium |
CN113515433A (en) * | 2021-07-28 | 2021-10-19 | 中移(杭州)信息技术有限公司 | Alarm log processing method, device, equipment and storage medium |
CN113515433B (en) * | 2021-07-28 | 2023-08-15 | 中移(杭州)信息技术有限公司 | Alarm log processing method, device, equipment and storage medium |
CN113794727A (en) * | 2021-09-16 | 2021-12-14 | 山石网科通信技术股份有限公司 | Method and device for generating threat intelligence feature library, storage medium and processor |
CN113761535A (en) * | 2021-09-22 | 2021-12-07 | 杭州安恒信息技术股份有限公司 | Server alarm processing method, system and device |
CN114124552A (en) * | 2021-11-29 | 2022-03-01 | 恒安嘉新(北京)科技股份公司 | Network attack threat level obtaining method, device and storage medium |
CN114124552B (en) * | 2021-11-29 | 2024-06-11 | 恒安嘉新(北京)科技股份公司 | Threat level acquisition method, device and storage medium for network attack |
Also Published As
Publication number | Publication date |
---|---|
CN110535702B (en) | 2022-07-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110535702A (en) | A kind of alarm information processing method and device | |
US11194906B2 (en) | Automated threat alert triage via data provenance | |
CN107666410A (en) | Network Safety Analysis system | |
CN108494810A (en) | Network security situation prediction method, apparatus and system towards attack | |
US20240129327A1 (en) | Context informed abnormal endpoint behavior detection | |
CN113342564A (en) | Log auditing method and device, electronic equipment and medium | |
CN109840157A (en) | Method, apparatus, electronic equipment and the storage medium of fault diagnosis | |
CN105556526A (en) | Hierarchical threat intelligence | |
CN105637519A (en) | Cognitive information security using a behavior recognition system | |
CN112819336A (en) | Power monitoring system network threat-based quantification method and system | |
Botev et al. | Detecting non-technical energy losses through structural periodic patterns in AMI data | |
CN108092985B (en) | Network security situation analysis method, device, equipment and computer storage medium | |
CN114553596B (en) | Multi-dimensional security condition real-time display method and system suitable for network security | |
CN114978877B (en) | Abnormality processing method, abnormality processing device, electronic equipment and computer readable medium | |
CN110445766A (en) | Ddos attack method for situation assessment and device | |
CN110598959A (en) | Asset risk assessment method and device, electronic equipment and storage medium | |
CN105825130B (en) | A kind of information security method for early warning and device | |
CN115001934A (en) | Industrial control safety risk analysis system and method | |
CN111030972A (en) | Asset information management and visual display method, device and storage equipment | |
CN112988509A (en) | Alarm message filtering method and device, electronic equipment and storage medium | |
CN112671767A (en) | Security event early warning method and device based on alarm data analysis | |
CN117931589A (en) | Operation and maintenance fault identification method and device | |
CN110399261B (en) | System alarm clustering analysis method based on co-occurrence graph | |
CN111813872A (en) | Fault troubleshooting model generation method, device and equipment | |
CN107545355B (en) | Fault reason diagnosis method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Applicant after: NSFOCUS Technologies Group Co.,Ltd.; Applicant after: NSFOCUS TECHNOLOGIES Inc.; Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.; Applicant before: NSFOCUS TECHNOLOGIES Inc. |
| GR01 | Patent grant | |