CN113158234A - Method, device, equipment and medium for quantifying occurrence frequency of security event - Google Patents

Publication number
CN113158234A
Authority
CN
China
Prior art keywords
data
event
probability
probability parameter
counting
Legal status
Granted
Application number
CN202110335627.2A
Other languages
Chinese (zh)
Other versions
CN113158234B (en)
Inventor
汪浩
Current Assignee
Shanghai Wuqi Intelligent Technology Co ltd
Original Assignee
Shanghai Wuqi Intelligent Technology Co ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00 Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10 Complex mathematical operations
    • G06F17/18 Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses a method, a device, equipment and a storage medium for quantifying the occurrence frequency of a security event. The method comprises the following steps: acquiring raw data, wherein the raw data comprises input data and/or event data; performing a first calculation on the raw data to obtain target count data; performing a second calculation on the input data in the raw data to obtain a prior probability parameter; calculating a posterior probability parameter from the target count data and the prior probability parameter; and determining the event occurrence frequency distribution from the posterior probability parameter. The method describes the event occurrence frequency by a probability distribution, which provides a scientific basis for quantifying the occurrence probability of security events and, in turn, information security risk. Compared with the commonly used non-quantitative (or semi-quantitative) risk matrix method, the quantitative method used by the invention allows risk control decisions to be built on a clearer and more transparent basis.

Description

Method, device, equipment and medium for quantifying occurrence frequency of security event
Technical Field
The invention relates to the technical field of computer network information security, in particular to a method, a device, equipment and a medium for quantifying occurrence frequency of security events.
Background
The daily work of the information security department can be divided into responding to the security events that have occurred and preventing the security events that may occur, i.e. controlling the security risks, wherein it is more important to prevent the security events that may occur. However, the implementation of the risk control measures requires the support of various resources such as personnel and funds, but the resources are limited, so the information security department must analyze and evaluate the risk, and process the security events with high priority after determining the priority.
Currently, the mainstream information security risk analysis method is the "risk matrix". This method divides the likelihood of a risk occurring into several levels, and likewise divides its possible impact into several levels, each represented by an ordinal number from low to high. The risk level of a specific event is given by the product of the ordinal number for its likelihood and the ordinal number for its possible impact, and is likewise expressed as one of several levels (e.g. low, medium, high). The risk matrix has a number of problems: different people judge the degree of an event's impact differently and understand abstract levels such as low, medium and high differently, which impairs communication and the assessment of risk events; and ordinal values cannot, in theory, be subjected to arithmetic operations, so operating on them introduces errors in practice.
These problems make the risk matrix's analysis of risk unreliable, so the choice of risk control measures derived from it is not guaranteed to be rational. In addition, evaluating the effectiveness of risk control measures depends on comparing the risk analysis results before and after implementation. Since neither result can be quantified, the difference between them cannot be quantified either. As a result, the control effect cannot be clearly assessed, and improvements cannot be made on the basis of such an assessment.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, a device, and a medium for quantifying occurrence frequency of a security event, so as to clearly and accurately quantify a risk of the information security event.
According to an embodiment of the first aspect of the present invention, there is provided a method for quantifying occurrence frequency of security events, including:
acquiring raw data, wherein the raw data comprises input data and/or event data;
performing first calculation according to the original data to obtain target counting data; performing second calculation according to input data in the original data to obtain a prior probability parameter;
calculating posterior probability parameters according to the target counting data and the prior probability parameters;
and obtaining the event occurrence frequency distribution according to the posterior probability parameters.
According to some embodiments of the invention, the obtaining raw data comprises:
receiving data information of an event as event data in a sliding window mode;
determining input data of a target event according to the target event input by a user; the target event is an event of which the occurrence probability is to be determined.
According to some embodiments of the invention, the performing the first calculation according to the raw data to obtain target count data comprises:
and when the event data of the original data does not exist, reading an event counting database according to the input data of the original data, and obtaining the target counting data.
According to some embodiments of the invention, the performing the first calculation according to the raw data to obtain target count data comprises:
when the event data of the original data exist, event counting is carried out in a sliding window mode according to the event data of the original data, and event counting data are obtained;
writing the event counting data into an event counting database;
and reading an event counting database according to the input data of the original data, and obtaining the target counting data.
According to some embodiments of the invention, the performing the second calculation according to the input data in the raw data to obtain the prior probability parameter includes:
and when the input data of the original data is matched with the data of the probability parameter database, reading the prior probability parameters from the probability parameter database.
According to some embodiments of the invention, the performing the second calculation according to the input data in the raw data to obtain the prior probability parameter includes:
when the input data of the original data is not matched with the data of the probability parameter database, acquiring prior knowledge data related to the input data from a prior knowledge database;
and calculating to obtain the prior probability parameter according to the prior knowledge data, and writing the prior probability parameter into the probability parameter library, or updating the probability parameter according to the prior probability parameter.
In accordance with some embodiments of the present invention,
the calculation formula of the posterior probability parameter is as follows: $a = a_0 + a_1,\ b = b_0 + b_1$
where $a_0$, $b_0$ are the first and second parameters of the prior probability parameter, and $a_1$, $b_1$ are the number of days on which the event occurred and the number of days on which it did not occur within the recording period of the target count data;
the calculation formula of the posterior probability distribution is as follows:
Figure BDA0002997730960000031
where $P_{beta}(x; a, b)$ represents the probability that the probability of occurrence of an event is x, and a, b are the first and second parameters of the posterior probability parameter,
Figure BDA0002997730960000032
is the Gamma function; the formula is the probability distribution given by the beta distribution that the posterior probability parameter describes.
According to a second aspect of the present invention, there is provided a security event occurrence frequency quantization apparatus comprising:
an acquisition module, used for acquiring raw data, wherein the raw data comprises input data and/or event data;
the first calculation module is used for performing first calculation according to the original data to obtain target counting data; performing second calculation according to input data in the original data to obtain a prior probability parameter;
the second calculation module is used for calculating a posterior probability parameter according to the counting data and the prior probability parameter;
and the determining module is used for calculating the event occurrence frequency distribution according to the posterior probability parameters.
According to a third aspect of the invention, there is provided an electronic device comprising a processor and a memory;
the memory is used for storing programs;
the processor executes the program to implement the method of the first aspect.
According to a fourth aspect of the present invention there is provided a computer readable storage medium storing a program for execution by a processor to perform the method of the first aspect of the present invention.
The embodiment of the invention also discloses a computer program product or a computer program, which comprises computer instructions, and the computer instructions are stored in a computer readable storage medium. The computer instructions may be read by a processor of a computer device from a computer-readable storage medium, and the computer instructions executed by the processor cause the computer device to perform the foregoing method.
In embodiments of the present invention, raw data is acquired, the raw data including input data and/or event data; a first calculation is performed on the raw data to obtain count data; a second calculation is performed on the input data in the raw data to obtain a prior probability parameter; a posterior probability parameter is calculated from the count data and the prior probability parameter; and the event occurrence frequency distribution is obtained from the posterior probability parameter. Because the frequency follows a probability distribution, describing the event occurrence frequency by a probability distribution provides a scientific basis for quantifying the occurrence probability of security events and, in turn, information security risk. Compared with the commonly used non-quantitative (or semi-quantitative) risk matrix method, the quantitative method used by the invention allows risk control decisions to be built on a clearer and more transparent basis.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flowchart illustrating the overall steps provided by an embodiment of the present invention;
FIG. 2 is a flowchart of an embodiment of a sliding window recording event count data;
FIG. 3 is a flowchart of a prior probability parameter calculation process provided by an embodiment of the present invention;
FIG. 4 is a detailed flowchart of the overall steps provided by the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
To solve the problems in the prior art, an embodiment of the present invention provides a method for quantifying occurrence frequency of a security event, as shown in fig. 1, the method includes the following steps:
acquiring raw data, wherein the raw data comprises input data and/or event data;
performing first calculation according to the original data to obtain target counting data; performing second calculation according to input data in the original data to obtain a prior probability parameter;
calculating posterior probability parameters according to the target counting data and the prior probability parameters;
and obtaining the event occurrence frequency distribution according to the posterior probability parameters.
Specifically, the input data may be, for example, a rising screen lock resulting in data leakage, and the event data may be, for example, a computer log.
Further as a preferred embodiment, the acquiring raw data includes:
receiving data information of an event as event data in a sliding window mode;
determining input data of a target event according to the target event input by a user; the target event is an event of which the occurrence probability is to be determined.
In particular, sliding window counting, which refers to the translation of a counting window over time, is commonly used for real-time data statistics. For example, real-time data is counted using a sliding window with a step size of 1 minute and a width of 5 minutes. A new data point is obtained every one minute and a count of the last five minutes is recorded.
Further as a preferred embodiment, the performing the first calculation according to the raw data to obtain the target count data includes:
and when the event data of the original data does not exist, reading an event counting database according to the input data of the original data, and obtaining the target counting data.
It should be noted that the event count database in the embodiment of the present invention is used for storing event count data.
Further as a preferred embodiment, the performing the first calculation according to the raw data to obtain the target count data includes:
when the event data of the original data exist, event counting is carried out in a sliding window mode according to the event data of the original data, and event counting data are obtained;
writing the event counting data into an event counting database;
and reading an event counting database according to the input data of the original data, and obtaining the target counting data.
Referring to fig. 2, the sliding window records real-time event data and writes the real-time event data into an event count database, wherein the time window of the sliding window count is 1 day, the sliding step is also 1 day (24 hours), the sliding window counts the occurrence frequency of events, and the steps of writing the event data into the database are as follows:
the first step is as follows: at a fixed time every day, counting whether an event occurs in the past day (24 hours), if so, counting 1, and if not, counting 0;
the second step: store the event data counted by the sliding window in the event counting database. Table 1 shows sample records from the event counting database, where event_id is the event type number, time_window is the recording time, and has_happy indicates whether the event occurred.
TABLE 1
Figure BDA0002997730960000051
Figure BDA0002997730960000061
Further as a preferred embodiment, the performing a second calculation according to the input data in the raw data to obtain a prior probability parameter includes:
and when the input data of the original data is matched with the data of the probability parameter database, reading the prior probability parameters from the probability parameter database.
Further as a preferred embodiment, the performing a second calculation according to the input data in the raw data to obtain a prior probability parameter includes:
when the input data of the original data is not matched with the probability parameter database data, as shown in fig. 3, acquiring prior knowledge data related to the input data from a prior knowledge database;
and calculating to obtain the prior probability parameter according to the prior knowledge data, and writing the prior probability parameter into the probability parameter library, or updating the probability parameter according to the prior probability parameter.
In the description of the present invention, it is to be understood that the prior knowledge is data in the prior knowledge database, collected from the history of security events at other companies as reported within the industry or in the media, and there may be multiple data sources. It is stored as a 90% confidence interval of the number of days of occurrence; the minimum and maximum values of this interval may both be less than 1, indicating that the event occurs only once over a period of more than one year; for example, 0.5 indicates that such an event occurs on one day in a period of two years. Furthermore, the maximum does not exceed 365 (events of the same type that occur multiple times within the same day are usually highly correlated and should count as 1). When the same event corresponds to multiple data sources, the minimum and maximum values must be averaged separately. This gives the mean confidence interval $(m, M)$ of the number of days on which the event occurs within one year, where m is the averaged minimum and M is the averaged maximum.
The prior probability parameter calculation steps are as follows:
the first step: convert the annual occurrence confidence interval $(m, M)$ into a daily occurrence rate confidence interval, namely $(m/365, M/365)$;
the second step is that: calculating parameters a, b in the following probability density expression:
Figure BDA0002997730960000062
where $P_{beta}(x; a, b)$ represents the probability that the probability of occurrence of an event is x. The parameters are calculated as follows:
the probability that x falls within $(m/365, M/365)$ is known to be 90%, and the probabilities of $x < m/365$ and of $x > M/365$ are each known to be 5%:
Figure BDA0002997730960000071
Figure BDA0002997730960000072
the values of a and b can be solved from these two equations; denote the solution $(a_0, b_0)$.
The third step: store the prior probability parameters $(a_0, b_0)$ in the probability parameter library. Table 2 shows sample records from the probability parameter library, where event_id is the event type number, time_window is the recording time, alpha_prior is the first parameter of the prior probability, and beta_prior is the second parameter.
TABLE 2
event_id time_add alpha_prior beta_prior
2 2020/10/01 1.5 100.3
3 2020/10/01 3.1 50.1
4 2020/10/02 2.8 101.3
5 2020/10/01 10.2 308.5
Further as a preferred embodiment, the calculation formula of the posterior probability parameter is: $a = a_0 + a_1,\ b = b_0 + b_1$, where $a_0$, $b_0$ are the first and second parameters of the prior probability parameter, and $a_1$, $b_1$ are the number of days on which the event occurred and the number of days on which it did not occur within the recording period of the target count data. Specifically: over the past $T = \min(H, W)$ days (H is the time span of the historical data, W is the width of the time window, and $\min(H, W)$ takes the smaller of H and W; that is, if the historical data does not fill the time window, only the existing data is counted), the event occurred on $a_1$ days and did not occur on $b_1 = T - a_1$ days;
the calculation formula of the posterior probability distribution is as follows:
Figure BDA0002997730960000073
where $P_{beta}(x; a, b)$ represents the probability that the probability of occurrence of an event is x, and a, b are the first and second parameters of the posterior probability parameter,
Figure BDA0002997730960000074
is the Gamma function; the formula is the probability distribution given by the beta distribution that the posterior probability parameter describes;
the posterior probability parameter calculation principle provided by the embodiment of the invention is as follows:
Assume that whether the event occurs follows a binomial distribution; that is, for an event with occurrence probability x, the probability that, over T days of observation, the event occurs on a days and does not occur on b days is:
Figure BDA0002997730960000081
wherein
Figure BDA0002997730960000082
The observed results $(a_1, b_1)$ are used to update the distribution of x by Bayes' formula:
$$P(x \mid a_1, b_1; a_0, b_0) = \frac{L(a_1, b_1 \mid x)\, P(x; a_0, b_0)}{P(a_1, b_1)}$$
where $P(x \mid a_1, b_1; a_0, b_0)$ is the posterior distribution;
$L(a_1, b_1 \mid x)$ is the likelihood function, which follows a binomial distribution;
$P(x; a_0, b_0)$ is the prior distribution, which follows a beta distribution;
since the binomial distribution and the beta distribution are conjugate, the posterior distribution is also a beta distribution, so $P(x \mid a_1, b_1; a_0, b_0)$ can be calculated by the posterior probability distribution formula.
Referring to fig. 4, the following describes in detail the implementation process of the security event occurrence frequency quantifying method of the present invention with reference to the attached drawings, specifically, when the occurrence frequency of a specific event needs to be obtained, the program starts and executes the following steps:
the first step is as follows: acquiring input data when a user wants to acquire event occurrence frequency data, and checking a probability parameter library by a system to determine whether a record of the event exists;
the second step is that: if the probability parameter library does not have a record of the event or the data information is expired (the writing time and the current time are compared, if the difference exceeds the preset validity period, the data needs to be updated), entering a third step; if the record of the event exists in the probability parameter base and the record is not expired, entering a fourth step;
the third step: acquiring the prior knowledge corresponding to the event from a prior knowledge database, calculating a prior probability parameter, and storing the prior probability parameter in a probability parameter database (writing or updating a prior probability parameter part);
the fourth step: a sliding window counter (executed in parallel with the first to third steps) receives event information (such as a log), counts events in a sliding window manner, and writes the events into an event count database;
the fifth step: acquiring prior probability parameters from a probability parameter database, acquiring target counting data from an event counting database, and calculating the posterior probability parameters;
and a sixth step: and determining the occurrence frequency distribution of the events according to the posterior probability parameters.
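The steps above, from the 90% prior interval through the day counts to the posterior beta distribution, as an added Python example that is not code from the patent. The function names, the two prior-knowledge intervals and the event dates are constructed for illustration, and the nested bisection is an assumed way of solving the two 5%/95% equations, which the text does not specify.

```python
# Added illustration, not code from the patent. Standard library only.
from datetime import date, timedelta
from math import exp, lgamma, log, log1p, sqrt

def _betacf(x, a, b, max_iter=500, eps=1e-13, tiny=1e-300):
    """Continued fraction of the incomplete beta function (modified Lentz)."""
    c = 1.0
    d = 1.0 - (a + b) * x / (a + 1.0)
    d = 1.0 / (d if abs(d) > tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        even = m * (b - m) * x / ((a + 2 * m - 1) * (a + 2 * m))
        odd = -(a + m) * (a + b + m) * x / ((a + 2 * m) * (a + 2 * m + 1))
        for num in (even, odd):
            d = 1.0 + num * d
            c = 1.0 + num / c
            d = 1.0 / (d if abs(d) > tiny else tiny)
            c = c if abs(c) > tiny else tiny
            delta = d * c
            h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h

def beta_cdf(x, a, b):
    """P(X <= x) for X ~ Beta(a, b): the regularized incomplete beta function."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    front = exp(lgamma(a + b) - lgamma(a) - lgamma(b) + a * log(x) + b * log1p(-x))
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(x, a, b) / a
    return 1.0 - front * _betacf(1.0 - x, b, a) / b

def beta_quantile(p, a, b):
    """Invert beta_cdf by bisection on [0, 1]."""
    lo, hi = 0.0, 1.0
    for _ in range(80):
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if beta_cdf(mid, a, b) < p else (lo, mid)
    return (lo + hi) / 2.0

def fit_prior(days_lo, days_hi):
    """Solve CDF(m/365) = 0.05 and CDF(M/365) = 0.95 for the prior (a0, b0)."""
    lo, hi = days_lo / 365.0, days_hi / 365.0
    if not 0.0 < lo < hi < 1.0:
        raise ValueError("need 0 < min < max < 365 days per year")
    def b_for(a):  # b that pins the 95th percentile at hi for this a
        b_lo, b_hi = 1e-2, 1e6
        for _ in range(60):
            b = sqrt(b_lo * b_hi)
            b_lo, b_hi = (b, b_hi) if beta_cdf(hi, a, b) < 0.95 else (b_lo, b)
        return sqrt(b_lo * b_hi)
    a_lo, a_hi = 1e-2, 1e3
    for _ in range(60):  # larger a pulls the 5th percentile up towards hi
        a = sqrt(a_lo * a_hi)
        a_lo, a_hi = (a, a_hi) if beta_cdf(lo, a, b_for(a)) > 0.05 else (a_lo, a)
    a0 = sqrt(a_lo * a_hi)
    b0 = b_for(a0)
    if abs(beta_cdf(lo, a0, b0) - 0.05) > 1e-6 or abs(beta_cdf(hi, a0, b0) - 0.95) > 1e-6:
        raise ValueError("no beta prior in the search range matches this interval")
    return a0, b0

def count_days(event_days, first_day, last_day, window_days):
    """a1 = days with at least one event, b1 = T - a1, over T = min(H, W) days."""
    t = min((last_day - first_day).days + 1, window_days)
    start = last_day - timedelta(days=t - 1)
    a1 = len({d for d in event_days if start <= d <= last_day})  # same-day repeats count once
    return a1, t - a1

def quantify(sources, event_days, first_day, last_day, window_days=365):
    """Prior from averaged intervals, conjugate update, posterior summary."""
    m = sum(s[0] for s in sources) / len(sources)
    big_m = sum(s[1] for s in sources) / len(sources)
    a0, b0 = fit_prior(m, big_m)
    a1, b1 = count_days(event_days, first_day, last_day, window_days)
    a, b = a0 + a1, b0 + b1
    return {"prior": (a0, b0), "counts": (a1, b1), "posterior": (a, b),
            "mean_daily": a / (a + b),
            "ci90_daily": (beta_quantile(0.05, a, b), beta_quantile(0.95, a, b))}

# Constructed sample data: two prior-knowledge sources (min, max days per year)
# and a 90-day event history in which one day has two events.
SOURCES = [(2, 20), (4, 30)]
EVENT_DAYS = [date(2020, 7, 14), date(2020, 7, 14), date(2020, 8, 2), date(2020, 9, 20)]
FIRST_DAY, LAST_DAY = date(2020, 7, 1), date(2020, 9, 28)

if __name__ == "__main__":
    result = quantify(SOURCES, EVENT_DAYS, FIRST_DAY, LAST_DAY)
    for key, value in result.items():
        print(key, value)
```

Multiplying `mean_daily` and the `ci90_daily` bounds by 365 expresses the result as expected days of occurrence per year, the same unit as the prior-knowledge intervals.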
In summary, the method for quantifying the occurrence frequency of a security event provided by the embodiment of the present invention describes the event occurrence frequency by a probability distribution. Because the frequency follows a probability distribution, this provides a scientific basis for quantifying the occurrence probability of security events and, in turn, information security risk. Compared with the commonly used non-quantitative (or semi-quantitative) risk matrix method, the quantitative method used by the invention allows risk control decisions to be built on a clearer and more transparent basis.
The embodiment of the invention also provides a device for quantizing the occurrence frequency of the safety event, which comprises:
an acquisition module, used for acquiring raw data, wherein the raw data comprises input data and/or event data;
the first calculation module is used for performing first calculation according to the original data to obtain counting data; performing second calculation according to input data in the original data to obtain a prior probability parameter;
the second calculation module is used for calculating a posterior probability parameter according to the counting data and the prior probability parameter;
and the determining module is used for calculating the event occurrence frequency distribution according to the posterior probability parameters.
The embodiment of the invention also provides the electronic equipment, which comprises a processor and a memory;
the memory is used for storing programs;
the processor executes the program to implement the method as described above.
An embodiment of the present invention further provides a computer-readable storage medium, where the storage medium stores a program, and the program is executed by a processor to implement the method described above.
The embodiment of the invention also discloses a computer program product or a computer program, which comprises computer instructions, and the computer instructions are stored in a computer readable storage medium. The computer instructions may be read by a processor of a computer device from a computer-readable storage medium, and executed by the processor to cause the computer device to perform the method illustrated in fig. 1.
In alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flow charts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed and in which sub-operations described as part of larger operations are performed independently.
Furthermore, although the present invention is described in the context of functional modules, it should be understood that, unless otherwise stated to the contrary, one or more of the described functions and/or features may be integrated in a single physical device and/or software module, or one or more functions and/or features may be implemented in a separate physical device or software module. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary for an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be understood within the ordinary skill of an engineer, given the nature, function, and internal relationship of the modules. Accordingly, those skilled in the art can, using ordinary skill, practice the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative of and not intended to limit the scope of the invention, which is defined by the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and various other media capable of storing program code.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
In the description herein, reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, such uses of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the invention have been shown and described, it will be understood by those of ordinary skill in the art that: various changes, modifications, substitutions and alterations can be made to the embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A method for quantifying frequency of occurrence of security events, comprising:
acquiring raw data, wherein the raw data comprises input data and/or event data;
performing first calculation according to the original data to obtain target counting data; performing second calculation according to input data in the original data to obtain a prior probability parameter;
calculating posterior probability parameters according to the target counting data and the prior probability parameters;
and determining the occurrence frequency distribution of the events according to the posterior probability parameters.
2. The method of quantifying frequency of occurrence of security events according to claim 1, wherein said obtaining raw data comprises:
receiving data information of an event as event data in a sliding window mode;
determining input data of a target event according to the target event input by a user; the target event is an event of which the occurrence probability is to be determined.
3. The method for quantifying occurrence frequency of security events according to claim 1, wherein the performing a first calculation based on the raw data to obtain target count data comprises:
and when the event data of the original data does not exist, reading an event counting database according to the input data of the original data, and obtaining the target counting data.
4. The method for quantifying occurrence frequency of security events according to claim 1, wherein the performing a first calculation based on the raw data to obtain target count data comprises:
when the event data of the original data exist, event counting is carried out in a sliding window mode according to the event data of the original data, and event counting data are obtained;
writing the event count data to an event count database;
and reading an event counting database according to the input data of the original data, and obtaining the target counting data.
5. The method for quantifying occurrence frequency of security events according to claim 1, wherein the second calculation according to the input data in the raw data to obtain the prior probability parameter comprises:
and when the input data of the original data is matched with the data of the probability parameter database, reading the prior probability parameters from the probability parameter database.
6. The method for quantifying occurrence frequency of security events according to claim 1, wherein the second calculation according to the input data in the raw data to obtain the prior probability parameter comprises:
when the input data of the original data is not matched with the data of the probability parameter database, acquiring prior knowledge data related to the input data from a prior knowledge database;
and calculating to obtain the prior probability parameter according to the prior knowledge data, and writing the prior probability parameter into the probability parameter library, or updating the probability parameter according to the prior probability parameter.
7. The method of quantifying frequency of occurrence of security events according to claim 1,
the calculation formula of the posterior probability parameter is as follows: $a = a_0 + a_1,\ b = b_0 + b_1$
wherein $a_0$, $b_0$ are the first parameter and the second parameter of the prior probability parameter, and $a_1$, $b_1$ are, respectively, the number of days on which an event occurred and the number of days on which no event occurred within the recording period in the target count data;
the calculation formula of the posterior probability distribution is as follows:
Figure FDA0002997730950000021
wherein $P_{beta}(x; a, b)$ represents the probability that the probability of occurrence of an event is $x$; $a$, $b$ are the first and second parameters of said posterior probability parameter; and $\Gamma(a)$ is the Gamma function. The formula describes a probability distribution by means of the beta distribution described by said posterior probability parameter.
8. A security event occurrence frequency quantifying apparatus, comprising:
an acquisition module, used for acquiring original data, wherein the original data comprises input data and/or event data;
the first calculation module is used for performing first calculation according to the original data to obtain target counting data; performing second calculation according to input data in the original data to obtain a prior probability parameter;
the second calculation module is used for calculating a posterior probability parameter according to the counting data and the prior probability parameter;
and the determining module is used for calculating the event occurrence frequency distribution according to the posterior probability parameters.
9. An electronic device comprising a processor and a memory;
the memory is used for storing programs;
the processor executing the program realizes the method according to any one of claims 1-7.
10. A computer-readable storage medium, characterized in that the storage medium stores a program, which is executed by a processor to implement the method according to any one of claims 1 to 7.
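A worked version of the method in claims 1, 2 and 7, added here as an illustration and not the patent's own code: per-day sliding-window counts update a Beta prior to the posterior $a = a_0 + a_1$, $b = b_0 + b_1$, from which a mean and an upper bound on the daily event probability are read. The function names, the 30-day window, the prior (1, 9) and the sample dates are assumptions constructed for the example, and the density used is the standard Beta density, since the page's formula survives only as a figure reference.

```python
import math
from datetime import date, timedelta

def count_days(event_dates, window_end, window_days):
    """Return (a1, b1): days with >=1 event and days with none in the
    sliding window of window_days days that ends on window_end."""
    if window_days <= 0:
        raise ValueError("window_days must be positive")
    window_start = window_end - timedelta(days=window_days - 1)
    # A set collapses several events on one day into a single "event day".
    hit_days = {d for d in event_dates if window_start <= d <= window_end}
    return len(hit_days), window_days - len(hit_days)

def posterior_params(a0, b0, a1, b1):
    """Claim 7 update: a = a0 + a1, b = b0 + b1."""
    if a0 <= 0 or b0 <= 0 or a1 < 0 or b1 < 0:
        raise ValueError("need a0, b0 > 0 and a1, b1 >= 0")
    return a0 + a1, b0 + b1

def beta_pdf(x, a, b):
    """Beta(a, b) density at x, in log space so large counts do not
    overflow the Gamma function."""
    if not 0.0 < x < 1.0:
        return 0.0  # endpoints skipped: the density can be unbounded there
    log_norm = math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
    return math.exp(log_norm + (a - 1) * math.log(x) + (b - 1) * math.log1p(-x))

def beta_quantile(q, a, b, steps=20000):
    """Smallest grid point x with P(X <= x) >= q (midpoint-rule integration;
    adequate for a, b >= 1, where the density is bounded)."""
    h = 1.0 / steps
    total = 0.0
    for i in range(steps):
        total += beta_pdf((i + 0.5) * h, a, b) * h
        if total >= q:
            return (i + 1) * h
    return 1.0

def quantify(event_dates, window_end, window_days, a0, b0):
    """Full pipeline: counts -> posterior -> summary of the daily probability."""
    a1, b1 = count_days(event_dates, window_end, window_days)
    a, b = posterior_params(a0, b0, a1, b1)
    return {"a": a, "b": b, "mean": a / (a + b),
            "p95": beta_quantile(0.95, a, b)}

# Constructed sample: 7 alerts on 6 distinct days, plus one outside the window.
END = date(2021, 3, 29)
SAMPLE = [END - timedelta(days=n) for n in (0, 3, 3, 8, 15, 21, 29, 45)]
PRIOR = (1.0, 9.0)  # assumed prior: about one event day in ten

if __name__ == "__main__":
    print(quantify(SAMPLE, END, 30, *PRIOR))
```

With few observed days the prior dominates the result; as the window accumulates counts, the posterior mean moves toward the observed fraction of event days.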
CN202110335627.2A 2021-03-29 2021-03-29 Method, device, equipment and medium for quantifying occurrence frequency of security event Active CN113158234B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110335627.2A CN113158234B (en) 2021-03-29 2021-03-29 Method, device, equipment and medium for quantifying occurrence frequency of security event

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110335627.2A CN113158234B (en) 2021-03-29 2021-03-29 Method, device, equipment and medium for quantifying occurrence frequency of security event

Publications (2)

Publication Number Publication Date
CN113158234A true CN113158234A (en) 2021-07-23
CN113158234B CN113158234B (en) 2022-09-27

Family

ID=76885410

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110335627.2A Active CN113158234B (en) 2021-03-29 2021-03-29 Method, device, equipment and medium for quantifying occurrence frequency of security event

Country Status (1)

Country Link
CN (1) CN113158234B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004057503A2 (en) * 2002-12-20 2004-07-08 Accenture Global Services Gmbh Quantification of operational risks
JP2005327214A (en) * 2004-05-17 2005-11-24 Mitsui Sumitomo Insurance Co Ltd Disaster occurrence frequency estimation device, method, software and recording medium, and disaster event occurrence frequency estimation system
CN102854461A (en) * 2012-08-24 2013-01-02 中国电力科学研究院 Probability forecasting method and system of switch equipment faults
CN103957525A (en) * 2014-05-12 2014-07-30 江苏大学 Malicious node detection method based on clustering trust evaluation in internet of vehicles
US20150081431A1 (en) * 2013-09-18 2015-03-19 Yahoo Japan Corporation Posterior probability calculating apparatus, posterior probability calculating method, and non-transitory computer-readable recording medium
US20190005501A1 (en) * 2017-06-29 2019-01-03 Paypal, Inc. System and method for malware detection
CN110019290A (en) * 2017-08-31 2019-07-16 腾讯科技(深圳)有限公司 Recommended method and device based on statistics priori
WO2019234130A1 (en) * 2018-06-05 2019-12-12 Swiss Reinsurance Company Ltd. Event generator for a risk quantifying forecast system using a structured forward-looking simulation technique with global long-tail risk events causing casualty loss accumulation, and method thereof
CN111913887A (en) * 2020-08-19 2020-11-10 中国人民解放军军事科学院国防科技创新研究院 Software behavior prediction method based on beta distribution and Bayesian estimation
CN112052306A (en) * 2019-06-06 2020-12-08 北京京东振世信息技术有限公司 Method and device for identifying data
CN112162878A (en) * 2020-09-30 2021-01-01 深圳前海微众银行股份有限公司 Database fault discovery method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
梁喆: "公共安全领域中地下震动信号探测和识别的关键技术研究", 《中国优秀博硕士学位论文全文数据库(博士)基础科学辑》 *

Also Published As

Publication number Publication date
CN113158234B (en) 2022-09-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant