CN113472725B - Data processing method and device - Google Patents

Data processing method and device

Info

Publication number
CN113472725B
Authority
CN
China
Prior art keywords
event
request
user
node
abnormal
Prior art date
Legal status
Active
Application number
CN202010246584.6A
Other languages
Chinese (zh)
Other versions
CN113472725A (en)
Inventor
杨涛
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the application provides a data processing method and a data processing device, wherein the method comprises the following steps: acquiring log data for an abnormal event; performing anomaly analysis on the log data to obtain abnormal event information; generating an abnormal event graph for the abnormal event according to the abnormal event information; and sending the abnormal event graph to a client for visualization. By means of the method and the device, automatic analysis and visualization of abnormal events are achieved, response time is shortened, the efficiency and accuracy of locating the problem are improved, and the abnormal event can be reflected directly and completely.

Description

Data processing method and device
Technical Field
The present application relates to the field of security technologies, and in particular, to a method and an apparatus for data processing.
Background
In a public network environment, attack behaviors such as scanning, installing trojans and starting malicious processes frequently cause abnormal events on a cloud server. These form security threats and, in turn, lead to loss of user assets.
In the prior art, a worker usually locates the problem manually after receiving alarm information. Manual locating has the problems of long response time, low locating efficiency and low accuracy, and cannot reflect an abnormal event intuitively and completely.
Disclosure of Invention
In view of the above, a method and an apparatus for data processing are proposed that overcome or at least partially solve the above-mentioned problems, comprising:
a method of data processing, the method comprising:
acquiring log data for the abnormal event;
performing anomaly analysis on the log data to obtain abnormal event information;
generating an abnormal event graph for the abnormal event according to the abnormal event information;
and sending the abnormal event graph to a client for visualization.
Optionally, the step of generating an abnormal event graph for the abnormal event according to the abnormal event information includes:
establishing a plurality of event nodes by adopting the abnormal event information;
determining an association relation among the plurality of event nodes;
and combining the association relation and the event nodes to generate an abnormal event graph.
Optionally, the step of performing anomaly analysis on the log data to obtain the abnormal event information includes:
in the process of anomaly analysis, adopting the log data to carry out bidirectional traversal on the abnormal event to obtain event source information and event influence information;
and combining the event source information and the event influence information to obtain abnormal event information.
Optionally, the plurality of event nodes comprises at least the following:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
Optionally, the method further comprises:
when an establishment request is received, determining target data corresponding to the establishment request;
establishing a new event node in the abnormal event graph by adopting the target data;
and establishing an association relation between the new event node and other event nodes.
Optionally, the target data comprises any one of:
log data, user-defined data.
Optionally, the method further comprises:
and when an editing request is received, editing the event node corresponding to the editing request.
Optionally, the method further comprises:
and when a deletion request is received, deleting the event node corresponding to the deletion request.
Optionally, the step of acquiring log data for the abnormal event includes:
receiving a visualization request for the abnormal event sent by the client;
in response to the visualization request, acquiring log data for the abnormal event.
Optionally, before the step of receiving a visualization request for the abnormal event sent by the client, the method further includes:
generating alarm information for the abnormal event when the abnormal event is detected;
and sending the alarm information to the client.
Optionally, the method further comprises:
acquiring a user identifier, and determining a plurality of target devices corresponding to the user identifier;
and aggregating the abnormal event graphs corresponding to the target devices.
Optionally, the log data comprises any one or more of:
network log data, device log data.
A method of data processing, the method comprising:
acquiring log data for a user event;
analyzing the log data to obtain user event information;
generating a user event graph for the user event according to the user event information;
and sending the user event graph to a client for visualization.
A method of data processing, the method comprising:
generating a visualization request for an abnormal event in response to a visualization operation;
sending the visualization request to a server;
when an abnormal event graph for the abnormal event returned by the server is received, visualizing the abnormal event graph; the abnormal event graph is generated by the server by acquiring log data for the abnormal event, performing anomaly analysis on the log data to obtain abnormal event information, and generating the graph according to the abnormal event information.
Optionally, the abnormal event graph includes a plurality of event nodes and an association relation among the event nodes.
Optionally, the plurality of event nodes comprises at least the following:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
Optionally, the method further comprises:
responding to a node establishing operation, and acquiring target data corresponding to the node establishing operation;
generating an establishment request by adopting the target data;
sending the establishment request to the server; the server is used for determining target data corresponding to the establishment request when the establishment request is received, establishing a new event node in the abnormal event graph by adopting the target data, and establishing an association relation between the new event node and other event nodes.
Optionally, the target data comprises any one of:
log data, user-defined data.
Optionally, the method further comprises:
responding to a node editing operation, and generating an editing request;
sending the editing request to the server; the server is used for editing the event node corresponding to the editing request when the editing request is received.
Optionally, the method further comprises:
generating a deletion request in response to a node deletion operation;
sending the deletion request to the server; the server is used for deleting the event node corresponding to the deletion request when the deletion request is received.
Optionally, before the step of generating a visualization request for an abnormal event in response to a visualization operation, the method further includes:
receiving alarm information for the abnormal event sent by the server;
and visualizing the alarm information.
Optionally, the log data comprises any one or more of:
network log data, device log data.
A method of data processing, the method comprising:
generating a visualization request for a user event in response to a visualization operation;
sending the visualization request to a server;
when a user event graph for the user event returned by the server is received, visualizing the user event graph; the user event graph is generated by the server by acquiring log data for the user event, analyzing the log data to obtain user event information, and generating the graph according to the user event information.
An apparatus for data processing, the apparatus comprising:
the log data acquisition module is used for acquiring log data for the abnormal event;
the abnormal event information obtaining module is used for performing anomaly analysis on the log data to obtain abnormal event information;
the abnormal event graph generating module is used for generating an abnormal event graph for the abnormal event according to the abnormal event information;
and the abnormal event graph sending module is used for sending the abnormal event graph to a client for visualization.
Optionally, the abnormal event graph generating module includes:
the event node establishing submodule is used for establishing a plurality of event nodes by adopting the abnormal event information;
the association relation determining submodule is used for determining the association relation among the event nodes;
and the abnormal event graph generating submodule is used for generating an abnormal event graph by combining the association relation and the event nodes.
Optionally, the abnormal event information obtaining module includes:
the bidirectional traversal submodule is used for performing bidirectional traversal on the abnormal event by adopting the log data in the process of anomaly analysis, to obtain event source information and event influence information;
and the abnormal event information combining submodule is used for combining the event source information and the event influence information to obtain abnormal event information.
Optionally, the plurality of event nodes comprises at least the following:
a node for the attack source, a node for the attack behavior and a node for the attack target.
Optionally, the apparatus further comprises:
the target data determining module is used for determining target data corresponding to the establishment request when the establishment request is received;
the node establishing module is used for establishing a new event node in the abnormal event graph by adopting the target data;
and the association relation establishing module is used for establishing association relations between the new event node and other event nodes.
Optionally, the target data comprises any one of:
log data, user-defined data.
Optionally, the apparatus further comprises:
the node editing module is used for editing the event node corresponding to the editing request when the editing request is received.
Optionally, the apparatus further comprises:
the node deleting module is used for deleting the event node corresponding to the deletion request when the deletion request is received.
Optionally, the log data acquisition module includes:
the visualization request receiving submodule is used for receiving a visualization request for the abnormal event sent by the client;
and the visualization request response submodule is used for responding to the visualization request and acquiring log data for the abnormal event.
Optionally, the apparatus further comprises:
the alarm information generating module is used for generating alarm information for the abnormal event when the abnormal event is detected;
and the alarm information sending module is used for sending the alarm information to the client.
Optionally, the apparatus further comprises:
the target device determining module is used for acquiring a user identifier and determining a plurality of target devices corresponding to the user identifier;
and the abnormal event graph aggregation module is used for aggregating the abnormal event graphs corresponding to the target devices.
Optionally, the log data comprises any one or more of:
network log data, device log data.
An apparatus for data processing, the apparatus comprising:
the log data acquisition module is used for acquiring log data for the user event;
the user event information obtaining module is used for analyzing the log data to obtain user event information;
the user event graph generating module is used for generating a user event graph for the user event according to the user event information;
and the user event graph sending module is used for sending the user event graph to a client for visualization.
An apparatus for data processing, the apparatus comprising:
the visualization request generating module is used for responding to a visualization operation and generating a visualization request for an abnormal event;
the visualization request sending module is used for sending the visualization request to a server;
the abnormal event graph visualization module is used for visualizing the abnormal event graph when the abnormal event graph for the abnormal event returned by the server is received; the abnormal event graph is generated by the server according to abnormal event information, the server acquiring log data for the abnormal event and performing anomaly analysis on the log data to obtain the abnormal event information.
Optionally, the abnormal event graph includes a plurality of event nodes and an association relation among the event nodes.
Optionally, the plurality of event nodes comprises at least the following:
a node for the attack source, a node for the attack behavior and a node for the attack target.
Optionally, the apparatus further comprises:
the target data acquisition module is used for responding to a node establishing operation and acquiring target data corresponding to the node establishing operation;
the establishment request generating module is used for generating an establishment request by adopting the target data;
the establishment request sending module is used for sending the establishment request to the server; the server is used for determining target data corresponding to the establishment request when the establishment request is received, establishing a new event node in the abnormal event graph by adopting the target data, and establishing an association relation between the new event node and other event nodes.
Optionally, the target data comprises any one of:
log data, user-defined data.
Optionally, the apparatus further comprises:
the editing request generating module is used for responding to a node editing operation and generating an editing request;
the editing request sending module is used for sending the editing request to the server; the server is used for editing the event node corresponding to the editing request when the editing request is received.
Optionally, the apparatus further comprises:
the deletion request generating module is used for responding to a node deletion operation and generating a deletion request;
the deletion request sending module is used for sending the deletion request to the server; the server is used for deleting the event node corresponding to the deletion request when the deletion request is received.
Optionally, the apparatus further comprises:
the alarm information receiving module is used for receiving alarm information for the abnormal event sent by the server;
and the alarm information visualization module is used for visualizing the alarm information.
Optionally, the log data comprises any one or more of:
network log data, device log data.
An apparatus for data processing, the apparatus comprising:
the visualization request generating module is used for responding to a visualization operation and generating a visualization request for a user event;
the visualization request sending module is used for sending the visualization request to a server;
the user event graph visualization module is used for visualizing the user event graph when the user event graph for the user event returned by the server is received; the user event graph is generated by the server according to user event information, the server acquiring log data for the user event and analyzing the log data to obtain the user event information.
An electronic device comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing the steps of the method of data processing as described above.
A computer-readable storage medium, on which a computer program is stored which, when executed by a processor, carries out the steps of the method of data processing as set forth above.
The embodiment of the application has the following advantages:
in the embodiment of the application, log data for an abnormal event is acquired, anomaly analysis is performed on the log data to obtain abnormal event information, an abnormal event graph for the abnormal event is then generated according to the abnormal event information, and the abnormal event graph is sent to a client for visualization. Automatic analysis and visualization of the abnormal event are thereby realized, response time is reduced, the efficiency and accuracy of locating the problem are improved, and the abnormal event can be reflected directly and completely.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings needed to be used in the description of the present application will be briefly introduced below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive labor.
FIG. 1 is a flow chart illustrating steps of a method for data processing according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an abnormal event graph provided by an embodiment of the present application;
FIG. 3 is a flow chart of steps of another method of data processing provided by an embodiment of the present application;
FIG. 4 is a flow chart of steps of another method of data processing provided by an embodiment of the present application;
FIG. 5 is a flow chart of steps of another method of data processing provided by an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application;
FIG. 7 is a block diagram of another data processing apparatus according to an embodiment of the present application;
FIG. 8 is a schematic diagram of another data processing apparatus according to an embodiment of the present application;
FIG. 9 is a schematic structural diagram of another data processing apparatus according to an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, a flowchart illustrating steps of a data processing method according to an embodiment of the present application is shown, where the method may be applied to a server, such as a cloud security center.
The cloud security center provides security monitoring and diagnosis services, such as security event detection, vulnerability scanning and baseline configuration checking for assets on the cloud. Combining big data with machine learning algorithms and multi-engine scanning and removal, it helps a user comprehensively understand and effectively handle the potential security risks of a server in real time, and achieves centralized security management of the assets on the cloud.
Specifically, the method can comprise the following steps:
Step 101, acquiring log data for an abnormal event;
As an example, the log data may include any one or more of:
network log data, device log data (e.g., server log data).
In a public network environment, the cloud server may be subjected to various attacks, such as scanning, installing trojans and starting malicious processes. Once such an attack is received, the intrusion detection function can detect the abnormal event and output alarm data to raise an alarm for it.
In an embodiment of the present application, step 101 may include the following sub-steps:
receiving a visualization request for the abnormal event sent by the client; in response to the visualization request, acquiring log data for the abnormal event.
As an example, the client may be a Web client.
When a visualization operation by a user is detected, the client can generate a visualization request for the abnormal event and send it to the server. On receiving the visualization request, the server triggers its automatic intrusion chain restoration function and collects log data for the abnormal event.
In an embodiment of the present application, before the step of receiving the visualization request for the abnormal event sent by the client, the following steps may further be included:
generating alarm information for the abnormal event when the abnormal event is detected; and sending the alarm information to the client.
When an abnormal event is detected, that is, when alarm data generated by the intrusion detection function is received, alarm information for the abnormal event can be generated and sent to the client. The client then visualizes the alarm information to alert the user, and the user can take the alarm information as the entry point and open an investigation page for the abnormal event. In this way the complete intrusion process can be browsed through simple interaction, the vulnerability and the cause of the intrusion can be located quickly, and security operation costs are effectively reduced.
Step 102, performing anomaly analysis on the log data to obtain abnormal event information;
After the log data is obtained, anomaly analysis can be performed on it: each step of the attacker's movement is identified automatically using big data analysis methods, the intruder's behavior is drawn dynamically, and the abnormal event information is obtained. The attacker's suspicious behaviors and actions are thus presented in association with each other, the intrusion path and behavior are presented panoramically from the viewpoint of a single intrusion event, and the whole cause-and-effect context of the abnormal event is shown clearly on one graph.
In one example, relationship exploration can be performed on the behavior within a single asset: the logs of a single server are analyzed to find the relationships between its internal entities. For instance, after an attacker has compromised a file, if another file is accessed through that file, the attacker's behavior path can be depicted.
In an embodiment of the present application, step 102 may include the following sub-steps:
in the process of anomaly analysis, adopting the log data to carry out bidirectional traversal on the abnormal event to obtain event source information and event influence information; and combining the event source information and the event influence information to obtain abnormal event information.
During anomaly analysis, bidirectional traversal can be performed with the abnormal event as the starting point, that is, the associated data are traced in two directions and analyzed, yielding event source information and event influence information.
Specifically, one direction is the source of the abnormal event: all the causes that may have produced the abnormal event are associated and traced back until the ultimate attack source is found. The other direction is the influence of the abnormal event: the scope of its influence is determined, that is, which assets it may have affected, one by one.
Because the traversal runs in both directions, all relations can be gathered and the maximal connected subgraph can be found, so that all nodes in that graph, namely the maximal connected subgraph, can be displayed at once during visualization.
Step 103, generating an abnormal event graph for the abnormal event according to the abnormal event information;
After the abnormal event information is obtained, it can be aggregated and visualized in a graph structure to generate an abnormal event graph for the abnormal event. The graph reflects the attacker's behaviors and paths intuitively, so that machines that have suffered, or may have suffered, a security intrusion are finally discovered and handled; through investigation and handling, further intrusions are prevented and the security of the system is improved.
In an embodiment of the present application, step 103 may include the following sub-steps:
establishing a plurality of event nodes by adopting the abnormal event information; determining an association relation among the plurality of event nodes; and combining the association relation and the event nodes to generate an abnormal event graph.
Wherein the plurality of event nodes may include at least the following:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
In a specific implementation, attack source information, attack behavior information, attack target information and the like can be determined from the abnormal event information, and a plurality of event nodes can then be established from that information, each event node serving as one primitive in the abnormal event graph.
After the event nodes are established, the association relations among them, such as access relations and call relations, can be determined, and the event nodes are then connected according to these association relations to form an intrusion chain, giving the abnormal event graph.
In an example, in the investigation interface of the client, the abnormal state of the cloud assets and their association relations can be presented panoramically through the abnormal event graph.
For example, the presented information elements include: attack source (node for the attack source), asset (node for the attack target), security alarm (visualization of the alarm information), log data, and binary file (node for the attack mode, since the attacker carries out the attack behavior with a binary file).
For example, visualizing the association relations between the presented entity elements may include:
1. the relationship between the attack source and the asset (attack target);
2. the active path of the attack source inside the asset (attack target);
3. the active paths and attack relations of different attack sources among different assets (attack targets);
4. the reason for the generation of the single alarm and the affected relationship thereof.
In an example, a host panel, an alarm panel and a resource panel may also be displayed in the left-hand column of the client. The host panel lists all hosts under the user, and hosts with unconfirmed alarm information may be pinned to the top. The alarm panel lists all alarm information associated by automatic tracing, which may be sorted by time. In the resource panel, attack sources, malicious samples, malicious download sources and user-defined nodes are added, and remarks can be attached to these resources.
In an embodiment of the present application, the method may further include the following steps:
acquiring a user identifier, and determining a plurality of target devices corresponding to the user identifier; and aggregating the abnormal event graphs corresponding to the target devices.
When a user logs in, a user identifier, such as a UUID, can be obtained, and the plurality of target devices (assets on the cloud) corresponding to that user identifier can be determined. The abnormal event graphs corresponding to these target devices can then be aggregated: identical attack sources and identical attack targets in the graphs are overlapped, and the graphs are superimposed on them. In this way the problems related to the same user are aggregated, the relationship between a single abnormal behavior and other abnormal behaviors can be presented, the study and judgment of related security problems can be supported, and the multiple intrusion behaviors of a particular hacker/attack source can be presented.
Step 104, sending the abnormal event graph to a client for visualization.
After the abnormal event graph is obtained, the abnormal event graph can be sent to the client, and after the abnormal event graph is received, the client can render the abnormal event graph by adopting an online template and data, so that an intrusion link can be visually presented.
As shown in fig. 2, there are nodes 172.*.*.* and www.***.com for the attack source, nodes BizServer and BizServer001 for the attack target, and nodes for multiple attack behaviors; the intrusion process can be read from the abnormal event graph as follows:
1. 172.*.*.* → process PS (start-up process) → dash (start-up process) → access to the malicious download source → BizServer;
2. 172.*.*.* → process PS (start-up process) → dash (start-up process) → access to the malicious download source → BizServer001;
3. 172.*.*.* → BizServer001;
4. www.***.com → BizServer001.
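As an added example (not code from the patent or from Alibaba), the following Python builds the per-asset graphs behind fig. 2 from constructed log records, runs the bidirectional traversal that yields event source information (backward) and event influence information (forward) from an alerted node, and aggregates the graphs of the two target devices of one constructed user identifier so that identical attack sources and attack targets overlap. The node ids, relation names and the `uuid-constructed-0001` identifier are assumptions made for the example.

```python
"""Added example (not code from the patent or from Alibaba): per-asset abnormal event
graphs from constructed log records, the bidirectional traversal, and aggregation."""
from collections import deque

SOURCE, BEHAVIOR, TARGET = "attack_source", "attack_behavior", "attack_target"

# Constructed log records (subject, relation, object); addresses masked as in fig. 2.
CHAIN = [("172.*.*.*", "start", "PS"), ("PS", "start", "dash"),
         ("dash", "access", "malicious download source")]
LOGS_BY_HOST = {
    "BizServer": CHAIN + [("malicious download source", "affect", "BizServer")],
    "BizServer001": CHAIN + [("malicious download source", "affect", "BizServer001"),
                             ("172.*.*.*", "access", "BizServer001"),
                             ("www.***.com", "access", "BizServer001")],
}
# Constructed user identifier (UUID) -> the target devices that belong to that user.
DEVICES_OF_USER = {"uuid-constructed-0001": ["BizServer", "BizServer001"]}


def classify(name):
    """Asset name -> attack target; IP or domain -> attack source; else behaviour."""
    if name in LOGS_BY_HOST:
        return TARGET
    if name[0].isdigit() or name.startswith("www."):
        return SOURCE
    return BEHAVIOR


class EventGraph:
    def __init__(self):
        self.nodes = {}  # node id -> (type, label)
        self.out = {}    # node id -> {(relation, successor id)}
        self.inc = {}    # node id -> {(relation, predecessor id)}, reverse edges

    def add_node(self, host, name):
        kind = classify(name)
        # Sources/targets are global identities and overlap across assets; behaviours are host-scoped.
        nid = name if kind != BEHAVIOR else f"{host}/{name}"
        self.nodes[nid] = (kind, name)
        self.out.setdefault(nid, set())
        self.inc.setdefault(nid, set())
        return nid

    def add_edge(self, host, subject, relation, obj):
        a, b = self.add_node(host, subject), self.add_node(host, obj)
        self.out[a].add((relation, b))
        self.inc[b].add((relation, a))

    @classmethod
    def from_logs(cls, host, records):
        graph = cls()
        for subject, relation, obj in records:
            graph.add_edge(host, subject, relation, obj)
        return graph

    def merge(self, other):
        """Aggregate another graph into this one; identical node ids and edges overlap."""
        for nid, meta in other.nodes.items():
            self.nodes[nid] = meta
            self.out.setdefault(nid, set()).update(other.out[nid])
            self.inc.setdefault(nid, set()).update(other.inc[nid])
        return self

    def _reachable(self, start, adjacency):
        seen, queue = set(), deque([start])
        while queue:
            new = {n for _, n in adjacency[queue.popleft()]} - seen
            seen |= new
            queue.extend(new)
        return seen

    def bidirectional_traverse(self, alert_node):
        """Backward walk = event source info, forward walk = event influence info."""
        source_info = self._reachable(alert_node, self.inc)
        influence_info = self._reachable(alert_node, self.out)
        return {"source": source_info, "influence": influence_info,
                "event_info": source_info | influence_info | {alert_node}}

    def intrusion_paths(self):
        """Every attack-source -> attack-target path, rendered like the fig. 2 list."""
        paths = []

        def walk(nid, trail):
            trail = trail + [nid]
            if self.nodes[nid][0] == TARGET:
                paths.append(" -> ".join(self.nodes[n][1] for n in trail))
                return
            for _, nxt in sorted(self.out[nid]):
                if nxt not in trail:  # cycle guard
                    walk(nxt, trail)

        for nid, (kind, _) in sorted(self.nodes.items()):
            if kind == SOURCE:
                walk(nid, [])
        return sorted(paths)


def aggregate_for_user(user_id):
    """Determine the user's target devices and aggregate their graphs into one."""
    merged = EventGraph()
    for host in DEVICES_OF_USER[user_id]:
        merged.merge(EventGraph.from_logs(host, LOGS_BY_HOST[host]))
    return merged
```

Calling `aggregate_for_user("uuid-constructed-0001").intrusion_paths()` returns the four chains listed for fig. 2 above.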
In an example, the user may archive the abnormal event graph as an investigation result for the alarm information, for use in subsequent investigations.
In an embodiment of the present application, the method may further include the following steps:
when an establishment request is received, determining target data corresponding to the establishment request; establishing a new event node in the abnormal event graph by adopting the target data; and establishing the incidence relation between the new event node and other event nodes.
Wherein the target data may include any one of:
log data and user-defined data.
When the node establishment operation of the user is detected, the client can obtain target data corresponding to the node establishment operation, then an establishment request can be generated by adopting the target data, and the establishment request is sent to the server.
When the establishment request is received, the target data corresponding to the establishment request can be determined, and then a new event node can be established in the abnormal event graph by adopting the target data, and the incidence relation between the new event node and other event nodes, namely the edge relation can be established.
For example, original log data may be displayed in a log area at the bottom of the investigation interface of the client (the user's own log data may also be connected). The user may select one log record and drag it into the displayed abnormal event graph; in response to this node establishing operation, an event node is established for the selected log record, and the user manually creates an edge. File information (a log name) may also be configured for the event node of the log data to facilitate later viewing.
For another example, the user may connect user-defined data to the page and use it to create a data primitive (event node), such as "access a malicious download page", in the presented abnormal event graph, and then connect the data primitive with an existing hacker primitive (node for attack source) or asset primitive (node for attack target) to form a relationship.
In an embodiment of the present application, the method may further include the following steps:
and when an editing request is received, editing the event node corresponding to the editing request.
When the node editing operation of the user is detected, the client can generate an editing request and send the editing request to the server, and the server edits the event node corresponding to the editing request, so that the event node can be updated and displayed in the client.
In an embodiment of the present application, the following steps may be further included:
and when a deletion request is received, deleting the event node corresponding to the deletion request.
When detecting the node deletion operation of the user, the client can generate a deletion request and send the deletion request to the server, and the server deletes the event node corresponding to the deletion request, so that the update display can be performed in the client.
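As an added example (not the patent's or Alibaba's code), the following Python shows how a server might apply the establishment, editing and deletion requests described above to a minimal abnormal event graph: it rejects target data that is neither log data nor user-defined data, edges to nodes that do not exist, and edits or deletions of unknown nodes, and removes a node's incident edges when the node is deleted. The request field names, node ids and reply format are assumptions made for the example.

```python
"""Added example (not code from the patent): server-side handling of the node
establishment, editing and deletion requests on a minimal abnormal event graph
kept as a node dict plus a set of (from, to, relation) edge triples."""

LOG_DATA, USER_DEFINED = "log_data", "user_defined"  # the two permitted kinds of target data
EDITABLE = {"label", "file_info", "remark"}          # fields an editing request may change


class RequestError(ValueError):
    """A client request that cannot be applied to the graph."""


def new_graph():
    """Constructed starting state: an attack-source node already linked to an asset node."""
    return {
        "nodes": {
            "hacker-1": {"type": "attack_source", "label": "172.*.*.*"},
            "asset-1": {"type": "attack_target", "label": "BizServer001"},
        },
        "edges": {("hacker-1", "asset-1", "access")},
    }


def establish(graph, request):
    """Create a new event node from the target data and link it to existing nodes."""
    data = request["target_data"]
    if data.get("kind") not in (LOG_DATA, USER_DEFINED):
        raise RequestError("target data must be log data or user-defined data")
    node_id = request["node_id"]
    if node_id in graph["nodes"]:
        raise RequestError(f"node {node_id!r} already exists")
    edges = [tuple(e) for e in request.get("edges", [])]
    for src, dst, _ in edges:
        # Each requested edge must join the new node to a node already in the graph.
        if node_id not in (src, dst):
            raise RequestError("every edge must involve the new node")
        other = dst if src == node_id else src
        if other not in graph["nodes"]:
            raise RequestError(f"cannot link to unknown node {other!r}")
    graph["nodes"][node_id] = {"type": "attack_behavior", "kind": data["kind"],
                               "label": data["label"], "file_info": data.get("file_info")}
    graph["edges"].update(edges)
    return node_id


def edit(graph, request):
    """Update the label, file information or remark of an existing node."""
    node = graph["nodes"].get(request["node_id"])
    if node is None:
        raise RequestError(f"unknown node {request['node_id']!r}")
    unknown = set(request["changes"]) - EDITABLE
    if unknown:
        raise RequestError(f"fields not editable: {sorted(unknown)}")
    node.update(request["changes"])
    return request["node_id"]


def delete(graph, request):
    """Remove a node together with every edge incident to it."""
    node_id = request["node_id"]
    if node_id not in graph["nodes"]:
        raise RequestError(f"unknown node {node_id!r}")
    del graph["nodes"][node_id]
    graph["edges"] = {e for e in graph["edges"] if node_id not in e[:2]}
    return node_id


HANDLERS = {"establish": establish, "edit": edit, "delete": delete}


def respond(graph, request):
    """Apply one client request and build the reply from which the client redraws."""
    handler = HANDLERS.get(request.get("type"))
    if handler is None:
        return {"ok": False, "error": f"unsupported request type {request.get('type')!r}"}
    try:
        node_id = handler(graph, request)
    except (RequestError, KeyError) as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "node_id": node_id,
            "node_count": len(graph["nodes"]), "edge_count": len(graph["edges"])}
```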
In the embodiment of the application, log data aiming at an abnormal event are acquired, abnormal analysis is carried out on the log data to obtain abnormal event information, then an abnormal event graph aiming at the abnormal event is generated according to the abnormal event information, and the abnormal event graph is sent to a client side for visualization, so that automatic analysis and visualization of the abnormal event are realized, the response time is reduced, the positioning efficiency and accuracy are improved, and the abnormal event can be directly and completely reflected.
Referring to fig. 3, a flowchart illustrating steps of another data processing method provided in an embodiment of the present application, which may be applied to a client, such as a Web client, is shown.
Specifically, the method can comprise the following steps:
Step 301, responding to a visualization operation, generating a visualization request for an abnormal event;
When the visualization operation of the user is detected, for example, when the alarm information corresponding to the abnormal event is clicked, the client may generate a visualization request for the abnormal event.
In an embodiment of the present application, before step 301, the following steps may be further included:
receiving alarm information aiming at the abnormal event sent by the server; and visualizing the alarm information.
When an abnormal event is detected, for example when alarm data output by an intrusion detection function is received, alarm information for the abnormal event can be generated and sent to the client, and the client can visualize the alarm information to alert the user. Using the alarm information as the entrance and starting point, the user can open an investigation page for the abnormal event, browse the complete hacker intrusion process through simple interaction, and quickly locate the vulnerability and the cause of the intrusion, so that the cost of security operations is effectively reduced.
Step 302, sending the visualization request to a server;
after generating the visualization request, the client may send the visualization request to the server.
Step 303, when an abnormal event graph for the abnormal event returned by the server is received, visualizing the abnormal event graph; the abnormal event graph is generated by the server according to abnormal event information, where the server obtains log data for the abnormal event and performs anomaly analysis on the log data to obtain the abnormal event information.
The abnormal event graph may include a plurality of event nodes and an incidence relation between the plurality of event nodes, where the plurality of event nodes may include at least the following items:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
As an example, the log data may include any one or more of:
weblog data, device log data (e.g., server log data).
After the visualization request is received, an automatic intrusion link restoration function in the server can be triggered, automatic backtracking analysis can be performed on abnormal events, and required original logs are collected.
After the log data are obtained, anomaly analysis can be performed on the log data: every step of the hacker's behavior is automatically identified by means of big data analysis and the intruder's behavior is dynamically drawn, so that the abnormal event information can be obtained. In this way the suspicious behaviors and actions of the hacker are presented in correlation, the hacker's intrusion path and behavior can be presented panoramically from the perspective of a single intrusion event, and the whole course of the abnormal event is clearly displayed on one graph.
After obtaining the abnormal event information, the abnormal event information can be aggregated and visualized in a graph structure to generate an abnormal event graph aiming at the abnormal event, so that hacker attack behaviors and paths are reflected intuitively, machines suffering from security intrusion or possibly suffering from the security intrusion are finally discovered and processed, the occurrence of intrusion behaviors is avoided through investigation and processing, and the security degree of the system is improved.
After the abnormal event graph is obtained, the abnormal event graph can be sent to the client, and after the abnormal event graph is received, the client can render the abnormal event graph by adopting an online template and data, so that an intrusion link can be visually presented.
In an example, in a survey interface of a client, the abnormal state and the incidence relation of the cloud assets can be presented in a panoramic mode through an abnormal event graph.
For example, the presented information elements include: attack source (node for attack source), asset (node for attack target), security alarm (visualization of alarm information), log data, and binary file (node for attack behavior, since the hacker carries out the attack behavior with a binary file).
For example, visualizing the association relationships between the presented entities and the entity elements may include:
1. the relationship between the attack source and the asset (attack target);
2. the active path of the attack source inside the asset (attack target);
3. the active paths and attack relations of different attack sources among different assets (attack targets);
4. the generation reason and the affected relation of the single alarm.
In an example, a host panel, an alarm panel, and a resource panel may also be displayed in the left-side option column of the client. In the host panel, all hosts under the user are displayed, and hosts with unconfirmed alarm information may be pinned to the top. In the alarm panel, all alarm information associated by automatic tracing is displayed and may be sorted by time. In the resource panel, attack sources, malicious samples, malicious download sources and user-defined nodes are added, and remarks may be added to these resources.
In an embodiment of the present application, the following steps may be further included:
responding to a node establishment operation, and acquiring target data corresponding to the node establishment operation; generating an establishment request by adopting the target data; sending the establishment request to the server; the server is used for determining target data corresponding to the establishment request when the establishment request is received, establishing a new event node in the abnormal event graph by adopting the target data, and establishing an incidence relation between the new event node and other event nodes.
Wherein the target data may include any one of:
log data, user-defined data.
When the node establishment operation of the user is detected, the client can obtain target data corresponding to the node establishment operation, then an establishment request can be generated by adopting the target data, and the establishment request is sent to the server.
When the establishment request is received, the target data corresponding to the establishment request can be determined, and then a new event node can be established in the abnormal event graph by adopting the target data, and the incidence relation between the new event node and other event nodes, namely the edge relation can be established.
For example, original log data may be displayed in a log area at the bottom of the investigation interface of the client (the user's own log data may also be connected). The user may select one log record and drag it into the displayed abnormal event graph; in response to this node establishing operation, an event node is established for the selected log record, and the user manually creates an edge. File information (a log name) may also be configured for the event node of the log data to facilitate later viewing.
For another example, the user may connect user-defined data to the page and use it to create a data primitive (event node), such as "access a malicious download page", in the presented abnormal event graph, and then connect the data primitive with an existing hacker primitive (node for attack source) or asset primitive (node for attack target) to form a relationship.
In an embodiment of the present application, the following steps may be further included:
responding to the node editing operation, and generating an editing request; sending the editing request to the server; the server is used for editing the event node corresponding to the editing request when the editing request is received.
When the node editing operation of the user is detected, the client can generate an editing request and send the editing request to the server, and the server edits the event node corresponding to the editing request, so that the event node can be updated and displayed in the client.
In an embodiment of the present application, the following steps may be further included:
generating a deletion request in response to a node deletion operation; sending the deletion request to the server; the server is used for deleting the event node corresponding to the deletion request when the deletion request is received.
When detecting the node deletion operation of the user, the client can generate a deletion request and send the deletion request to the server, and the server deletes the event node corresponding to the deletion request, so that the update display can be performed in the client.
In the embodiment of the application, a visualization request for the abnormal event is generated in response to a visualization operation and sent to the server, and the abnormal event graph for the abnormal event is visualized when it is returned by the server; the server generates the abnormal event graph from abnormal event information that it obtains by acquiring log data for the abnormal event and performing anomaly analysis on the log data. Automatic analysis and visualization of the abnormal event are thereby realized, the response time is reduced, the efficiency and accuracy of locating the problem are improved, and the abnormal event can be reflected intuitively and completely.
Referring to fig. 4, a flowchart illustrating steps of a method for data processing according to an embodiment of the present application is shown, where the method may be applied to a server, such as a cloud security center.
Step 401, acquiring log data for a user event;
As an example, the log data may include any one or more of:
weblog data, device log data.
In an embodiment of the present application, step 401 may include the following steps:
receiving a visualization request for the user event sent by the client; in response to the visualization request, log data for the user event is obtained.
In an embodiment of the present application, before the step of receiving a visualization request for a user event sent by the client, the method further includes:
generating alarm information for the user event when the user event is detected; and sending the alarm information to a client.
Step 402, analyzing the log data to obtain user event information;
In an embodiment of the present application, step 402 may include the following sub-steps:
in the analysis process, the log data is adopted to carry out bidirectional traversal on the user event to obtain event source information and event influence information; and combining the event source information and the event influence information to obtain user event information.
Step 403, generating a user event graph for the user event according to the user event information;
In an embodiment of the present application, step 403 may include the following sub-steps:
establishing a plurality of event nodes by adopting the user event information; determining an incidence relation among the plurality of event nodes; and combining the incidence relation and the event nodes to generate a user event graph.
As an example, the plurality of event nodes may include at least the following:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
In an embodiment of the present application, the method further includes:
acquiring a user identifier, and determining a plurality of target devices corresponding to the user identifier; and aggregating the user event graphs corresponding to the target devices.
Step 404, sending the user event graph to a client for visualization.
In an embodiment of the present application, the method further includes:
when an establishment request is received, determining target data corresponding to the establishment request; establishing a new event node in the user event graph by adopting the target data; and establishing an incidence relation between the new event node and other event nodes.
In an embodiment of the application, the target data includes any one of:
log data and user-defined data.
In an embodiment of the present application, the method further includes:
and when an editing request is received, editing the event node corresponding to the editing request.
In an embodiment of the present application, the method further includes:
and when a deletion request is received, deleting the event node corresponding to the deletion request.
It should be noted that the user event may be an event that the user is interested in, which may include an abnormal event, and the method for processing data of the user event in the embodiment of the present application may refer to the specific process of the method for processing data of the abnormal event in fig. 1 and fig. 3 above.
Referring to fig. 5, a flowchart illustrating steps of another data processing method provided in an embodiment of the present application is shown, where the method may be applied to a client, such as a Web client.
Step 501, responding to a visualization operation, and generating a visualization request aiming at a user event;
In an embodiment of the present application, before step 501, the following steps may also be included:
receiving alarm information aiming at the user event sent by the server; and visualizing the alarm information.
Step 502, sending the visualization request to a server;
Step 503, when a user event graph for the user event returned by the server is received, visualizing the user event graph; the user event graph is generated by the server according to user event information, where the server acquires log data for the user event and analyzes the log data to obtain the user event information.
As an example, the log data may include any one or more of:
weblog data, device log data.
In an embodiment of the present application, the user event graph may include a plurality of event nodes and an association relationship between the plurality of event nodes.
In an embodiment of the present application, the event nodes include at least the following items:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
In an embodiment of the present application, the method further includes:
responding to a node establishing operation, and acquiring target data corresponding to the node establishing operation; generating an establishment request by adopting the target data; sending the establishment request to the server; the server is used for determining target data corresponding to the establishment request when the establishment request is received, establishing a new event node in the user event graph by adopting the target data, and establishing an association relation between the new event node and other event nodes.
In an embodiment of the application, the target data includes any one of:
log data, user-defined data.
In an embodiment of the present application, the method further includes:
responding to the node editing operation, and generating an editing request; sending the editing request to the server; the server is used for editing the event node corresponding to the editing request when the editing request is received.
In an embodiment of the present application, the method further includes:
generating a deletion request in response to a node deletion operation; sending the deletion request to the server; the server is used for deleting the event node corresponding to the deletion request when the deletion request is received.
It should be noted that the user event may be an event that the user pays attention to, which may include an abnormal event, and the method for processing data of the user event according to the embodiment of the present application may refer to the specific process of the method for processing data of an abnormal event in fig. 1 and fig. 3 above.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those of skill in the art will recognize that the embodiments described in this specification are presently preferred embodiments and that no particular act is required to implement the embodiments of the disclosure.
Referring to fig. 6, a schematic structural diagram of a data processing apparatus provided in an embodiment of the present application is shown, which may specifically include the following modules:
a log data obtaining module 601, configured to obtain log data for an abnormal event;
an abnormal event information obtaining module 602, configured to perform abnormal analysis on the log data to obtain abnormal event information;
an abnormal event graph generating module 603, configured to generate an abnormal event graph for the abnormal event according to the abnormal event information;
an abnormal event graph sending module 604, configured to send the abnormal event graph to the client for visualization.
In an embodiment of the present application, the abnormal event graph generating module 603 includes:
the event node establishing submodule is used for establishing a plurality of event nodes by adopting the abnormal event information;
an incidence relation determining submodule for determining incidence relations among the event nodes;
and the abnormal event graph generation sub-module is used for generating an abnormal event graph by combining the incidence relation and the event nodes.
In an embodiment of the present application, the abnormal event information obtaining module 602 includes:
the bidirectional traversal submodule is used for performing bidirectional traversal on the abnormal event by adopting the log data in the process of analyzing the abnormality to obtain event source information and event influence information;
and the abnormal event information combining submodule is used for combining the event source information and the event influence information to obtain abnormal event information.
In an embodiment of the present application, the event nodes include at least the following items:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
In an embodiment of the present application, the apparatus further includes:
the target data determining module is used for determining target data corresponding to the establishment request when the establishment request is received;
the node establishing module is used for establishing a new event node in the abnormal event graph by adopting the target data;
and the incidence relation establishing module is used for establishing incidence relations between the new event node and other event nodes.
In an embodiment of the application, the target data includes any one of:
log data and user-defined data.
In an embodiment of the present application, the apparatus further includes:
and the node editing module is used for editing the event node corresponding to the editing request when the editing request is received.
In an embodiment of the present application, the apparatus further includes:
and the node deleting module is used for deleting the event node corresponding to the deleting request when the deleting request is received.
In an embodiment of the present application, the log data obtaining module 601 includes:
a visualization request receiving submodule, configured to receive a visualization request for the abnormal event sent by the client;
and the visualization request response submodule is used for responding to the visualization request and acquiring log data aiming at the abnormal event.
In an embodiment of the present application, the apparatus further includes:
the warning information generating module is used for generating warning information aiming at the abnormal event when the abnormal event is detected;
and the alarm information sending module is used for sending the alarm information to the client.
In an embodiment of the present application, the apparatus further includes:
the target equipment determining module is used for acquiring a user identifier and determining a plurality of target equipment corresponding to the user identifier;
and the abnormal event graph aggregation module is used for aggregating the abnormal event graphs corresponding to the target devices.
In an embodiment of the application, the log data includes any one or more of:
weblog data, device log data.
Referring to fig. 7, a schematic structural diagram of a data processing apparatus according to an embodiment of the present application is shown, which may specifically include the following modules:
a visualization request generating module 701, configured to generate a visualization request for an abnormal event in response to a visualization operation;
a visualization request sending module 702, configured to send the visualization request to a server;
an abnormal event graph visualization module 703, configured to visualize an abnormal event graph for the abnormal event when the abnormal event graph returned by the server for the abnormal event is received; the abnormal event graph is generated by the server side according to the abnormal event information by acquiring the log data aiming at the abnormal event, performing abnormal analysis on the log data to obtain the abnormal event information.
In an embodiment of the present application, the abnormal event graph includes a plurality of event nodes and an association relationship between the event nodes.
In an embodiment of the present application, the event nodes include at least the following items:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
In an embodiment of the present application, the apparatus further includes:
the target data acquisition module is used for responding to the node establishment operation and acquiring target data corresponding to the node establishment operation;
the establishment request generating module is used for generating an establishment request by adopting the target data;
the establishment request sending module is used for sending the establishment request to the server; the server is used for determining target data corresponding to the establishment request when the establishment request is received, establishing a new event node in the abnormal event graph by adopting the target data, and establishing an incidence relation between the new event node and other event nodes.
In an embodiment of the application, the target data includes any one of:
log data and user-defined data.
In an embodiment of the present application, the apparatus further includes:
the editing request generating module is used for responding to the node editing operation and generating an editing request;
the editing request sending module is used for sending the editing request to the server; the server is used for editing the event node corresponding to the editing request when the editing request is received.
In an embodiment of the present application, the apparatus further includes:
a deletion request generation module, configured to generate a deletion request in response to a node deletion operation;
a deletion request sending module, configured to send the deletion request to the server; the server is used for deleting the event node corresponding to the deletion request when the deletion request is received.
In an embodiment of the present application, the apparatus further includes:
the alarm information receiving module is used for receiving the alarm information aiming at the abnormal event sent by the server side;
and the warning information visualization module is used for visualizing the warning information.
In an embodiment of the application, the log data includes any one or more of:
weblog data, device log data.
Referring to fig. 8, a schematic structural diagram of a data processing apparatus provided in an embodiment of the present application is shown, which may specifically include the following modules:
a log data acquiring module 801, configured to acquire log data for a user event;
a user event information obtaining module 802, configured to analyze the log data to obtain user event information;
a user event graph generating module 803, configured to generate a user event graph for the user event according to the user event information;
a user event graph sending module 804, configured to send the user event graph to a client for visualization.
Referring to fig. 9, a schematic structural diagram of a data processing apparatus provided in an embodiment of the present application is shown, which may specifically include the following modules:
a visualization request generating module 901, configured to generate a visualization request for a user event in response to a visualization operation;
a visualization request sending module 902, configured to send the visualization request to a server;
a user event graph visualization module 903, configured to visualize a user event graph for the user event when the user event graph returned by the server for the user event is received; the user event graph is generated by the server according to user event information, where the server acquires log data for the user event and analyzes the log data to obtain the user event information.
An embodiment of the present application also provides an electronic device, which may include a processor, a memory, and a computer program stored on the memory and capable of running on the processor, and when executed by the processor, the computer program implements the steps of the method for processing data as described above.
An embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the above data processing method.
Because the apparatus embodiments are substantially similar to the method embodiments, they are described briefly; for the relevant details, refer to the corresponding parts of the method embodiments.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and the parts that are the same or similar across embodiments may be referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the true scope of the embodiments of the present application.
Finally, it should also be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or action from another, and do not necessarily require or imply any actual relationship or order between such entities or actions. Likewise, the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or terminal device that comprises the element.
The data processing method and apparatus provided by the present application have been described in detail above. Specific examples are used herein to explain the principles and embodiments of the present application, and the description of the above embodiments is intended only to help understand the method and core ideas of the present application. At the same time, a person skilled in the art may, following the ideas of the present application, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (44)

1. A method of data processing, the method comprising:
acquiring log data for an abnormal event;
performing anomaly analysis on the log data to obtain abnormal event information;
generating an abnormal event graph for the abnormal event according to the abnormal event information;
sending the abnormal event graph to a client for visualization;
wherein acquiring the log data for the abnormal event comprises:
receiving a visualization request for the abnormal event sent by the client;
in response to the visualization request, triggering an automatic intrusion link restoration function and acquiring the log data for the abnormal event;
and wherein the method further comprises:
acquiring a user identifier, and determining a plurality of target devices corresponding to the user identifier;
aggregating the abnormal event graphs corresponding to the plurality of target devices, which comprises: merging the same attack source and the same attack target that appear in more than one of the plurality of abnormal event graphs.
2. The method of claim 1, wherein generating the abnormal event graph for the abnormal event according to the abnormal event information comprises:
establishing a plurality of event nodes using the abnormal event information;
determining association relations among the plurality of event nodes;
and generating the abnormal event graph by combining the association relations and the event nodes.
3. The method of claim 2, wherein performing anomaly analysis on the log data to obtain the abnormal event information comprises:
during the anomaly analysis, performing a bidirectional traversal from the abnormal event over the log data to obtain event source information and event influence information;
and combining the event source information and the event influence information to obtain the abnormal event information.
4. The method of claim 3, wherein the plurality of event nodes comprises at least the following:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
5. The method of claim 2, further comprising:
when an establishment request is received, determining target data corresponding to the establishment request;
establishing a new event node in the abnormal event graph using the target data;
and establishing an association relation between the new event node and the other event nodes.
6. The method of claim 5, wherein the target data comprises any one of:
log data, user-defined data.
7. The method of claim 2, further comprising:
when an editing request is received, editing the event node corresponding to the editing request.
8. The method of claim 2, further comprising:
when a deletion request is received, deleting the event node corresponding to the deletion request.
9. The method of claim 1, wherein, before receiving the visualization request for the abnormal event sent by the client, the method further comprises:
generating alarm information for the abnormal event when the abnormal event is detected;
and sending the alarm information to the client.
10. The method of claim 1, wherein the log data comprises any one or more of:
weblog data, device log data.
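The following Python sketch is an added example written for this page, not code from the patent or from Alibaba: it is the editor's own reconstruction of the server-side procedure in claims 1 to 10 (and of the server/client module descriptions above). It performs the bidirectional traversal of claim 3 over constructed per-device logs, builds the attack-source / attack-behavior / attack-target graph of claims 2 and 4, supports the node editing and deletion of claims 7 and 8, and aggregates one user's per-device graphs by merging identical source and target nodes as in the last step of claim 1. The log record schema (ts/src/action/dst), the alert rule, the user-to-device mapping and every host name and address are assumptions.

```python
"""Editor's illustrative reconstruction of claims 1-10; not the patent's code.
The log schema, alert rule and user-to-device mapping below are assumptions,
and the log records are constructed sample data."""
from dataclasses import dataclass, field

# Constructed sample device logs; fields ts/src/action/dst are assumed.
SAMPLE_LOGS = {
    "host-a": [
        {"ts": 1, "src": "203.0.113.7", "action": "brute_force_ssh", "dst": "host-a"},
        {"ts": 2, "src": "host-a", "action": "download_payload", "dst": "198.51.100.9"},
        {"ts": 3, "src": "host-a", "action": "lateral_smb", "dst": "host-b"},
    ],
    "host-b": [
        {"ts": 4, "src": "host-a", "action": "lateral_smb", "dst": "host-b"},
        {"ts": 5, "src": "host-b", "action": "exfil_https", "dst": "198.51.100.9"},
    ],
}
DEVICES_BY_USER = {"user-42": ["host-a", "host-b"]}  # assumed identifier mapping
ALERT_ACTIONS = {"brute_force_ssh", "lateral_smb"}   # assumed detection rule


@dataclass
class EventGraph:
    nodes: dict = field(default_factory=dict)  # node_id -> {"kind", "roles", ...}
    edges: set = field(default_factory=set)    # directed (from_id, to_id) pairs

    def add_node(self, node_id, kind, **attrs):
        node = self.nodes.setdefault(node_id, {"kind": kind, "roles": set()})
        node.update(attrs)
        return node

    def edit_node(self, node_id, **attrs):
        """Claim 7: apply an editing request to an existing node."""
        self.nodes[node_id].update(attrs)

    def delete_node(self, node_id):
        """Claim 8: drop the node together with every edge touching it."""
        del self.nodes[node_id]
        self.edges = {e for e in self.edges if node_id not in e}

    def add_record(self, rec):
        """One log record becomes attack source -> attack behavior -> attack target."""
        self.add_node(rec["src"], "entity")["roles"].add("attack_source")
        self.add_node(rec["dst"], "entity")["roles"].add("attack_target")
        beh = f'{rec["action"]}@{rec["src"]}->{rec["dst"]}'
        self.add_node(beh, "attack_behavior", action=rec["action"])
        self.edges |= {(rec["src"], beh), (beh, rec["dst"])}


def analyze(records, alert):
    """Claim 3: bidirectional traversal from the alerted record. Backwards it
    collects records that acted on the attacker entity before the alert (event
    source information); forwards, records issued by the victim entity after it
    (event influence information). Each hop is followed transitively."""
    def walk(start, match_key, next_key, in_window):
        found, frontier, seen = [], [start], set()
        while frontier:
            entity = frontier.pop()
            if entity in seen:
                continue
            seen.add(entity)
            for rec in records:
                if rec[match_key] == entity and in_window(rec["ts"]):
                    found.append(rec)
                    frontier.append(rec[next_key])
        return found

    source_info = walk(alert["src"], "dst", "src", lambda ts: ts < alert["ts"])
    influence_info = walk(alert["dst"], "src", "dst", lambda ts: ts > alert["ts"])
    return source_info + [alert] + influence_info


def aggregate(graphs):
    """Last step of claim 1: a node id present in several per-device graphs (the
    same attack source, target or behavior) becomes one node; roles are unioned."""
    merged = EventGraph()
    for g in graphs:
        for node_id, attrs in g.nodes.items():
            node = merged.nodes.setdefault(node_id, {**attrs, "roles": set()})
            node["roles"] |= attrs["roles"]
        merged.edges |= g.edges
    return merged


def user_event_graph(user_id, logs=SAMPLE_LOGS, devices=DEVICES_BY_USER):
    """Server side: one graph per device owned by the user, then the aggregate."""
    per_device = []
    for dev in devices[user_id]:
        records = logs[dev]
        alert = next(r for r in records if r["action"] in ALERT_ACTIONS)
        graph = EventGraph()                     # claim 2: nodes plus associations
        for rec in analyze(records, alert):
            graph.add_record(rec)
        per_device.append(graph)
    return aggregate(per_device)
```

Running `user_event_graph("user-42")` yields one graph in which `host-a` carries both the attack-target role (from the brute-force record seen on host-a) and the attack-source role (from the lateral movement seen on both devices), and the `lateral_smb@host-a->host-b` behavior node observed independently on both hosts is represented once. Node ids are the raw entity names so that the overlap in `aggregate` is exact; a production system would key on a normalised asset identity instead.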
11. A method of data processing, the method comprising:
acquiring log data for a user event;
analyzing the log data to obtain user event information;
generating a user event graph for the user event according to the user event information;
sending the user event graph to a client for visualization;
wherein acquiring the log data for the user event comprises:
receiving a visualization request for the user event sent by the client;
in response to the visualization request, triggering an automatic intrusion link restoration function and acquiring the log data for the user event;
and wherein the method further comprises:
acquiring a user identifier, and determining a plurality of target devices corresponding to the user identifier;
aggregating the user event graphs corresponding to the plurality of target devices, which comprises: merging the same attack source and the same attack target that appear in more than one of the plurality of user event graphs.
12. A method of data processing, the method comprising:
generating a visualization request for an exception event in response to a visualization operation;
sending the visualization request to a server;
when an abnormal event graph for the abnormal event returned by the server is received, visualizing the abnormal event graph; the abnormal event graph is generated by the server side according to abnormal event information, the server side having triggered an automatic intrusion link restoration function to acquire log data for the abnormal event and having performed anomaly analysis on the log data to obtain the abnormal event information;
wherein the server is further configured to: acquire a user identifier and determine a plurality of target devices corresponding to the user identifier; and aggregate the abnormal event graphs corresponding to the plurality of target devices, which comprises merging the same attack source and the same attack target that appear in more than one of the plurality of abnormal event graphs.
13. The method of claim 12, wherein the abnormal event graph comprises a plurality of event nodes and association relations among the plurality of event nodes.
14. The method of claim 13, wherein the plurality of event nodes comprises at least the following:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
15. The method of claim 13 or 14, further comprising:
in response to a node establishment operation, acquiring target data corresponding to the node establishment operation;
generating an establishment request using the target data;
and sending the establishment request to the server, the server being configured to, when the establishment request is received, determine the target data corresponding to the establishment request, establish a new event node in the abnormal event graph using the target data, and establish an association relation between the new event node and the other event nodes.
16. The method of claim 15, wherein the target data comprises any one of:
log data, user-defined data.
17. The method of claim 13 or 14, further comprising:
generating an editing request in response to a node editing operation;
and sending the editing request to the server, the server being configured to edit the event node corresponding to the editing request when the editing request is received.
18. The method of claim 13 or 14, further comprising:
generating a deletion request in response to a node deletion operation;
and sending the deletion request to the server, the server being configured to delete the event node corresponding to the deletion request when the deletion request is received.
19. The method of claim 12, further comprising, before generating the visualization request for the abnormal event in response to the visualization operation:
receiving alarm information aiming at the abnormal event sent by the server;
and visualizing the alarm information.
20. The method of claim 12, wherein the log data comprises any one or more of:
weblog data, device log data.
21. A method of data processing, the method comprising:
generating a visualization request for a user event in response to a visualization operation;
sending the visualization request to a server;
when a user event graph for the user event returned by the server is received, visualizing the user event graph; the user event graph is generated by the server side according to user event information, the server side having triggered an automatic intrusion link restoration function to acquire log data for the user event and having analyzed the log data to obtain the user event information;
wherein the server is further configured to: acquire a user identifier and determine a plurality of target devices corresponding to the user identifier; and aggregate the user event graphs corresponding to the plurality of target devices, which comprises merging the same attack source and the same attack target that appear in more than one of the plurality of user event graphs.
22. An apparatus for data processing, the apparatus comprising:
a log data acquisition module, configured to acquire log data for an abnormal event;
an abnormal event information obtaining module, configured to perform anomaly analysis on the log data to obtain abnormal event information;
an abnormal event graph generating module, configured to generate an abnormal event graph for the abnormal event according to the abnormal event information;
an abnormal event graph sending module, configured to send the abnormal event graph to a client for visualization;
wherein the log data acquisition module comprises:
a visualization request receiving submodule, configured to receive a visualization request for the abnormal event sent by the client;
a visualization request response submodule, configured to, in response to the visualization request, trigger an automatic intrusion link restoration function and acquire the log data for the abnormal event;
and wherein the apparatus further comprises:
a target device determining module, configured to acquire a user identifier and determine a plurality of target devices corresponding to the user identifier;
an abnormal event graph aggregation module, configured to aggregate the abnormal event graphs corresponding to the plurality of target devices, which comprises merging the same attack source and the same attack target that appear in more than one of the plurality of abnormal event graphs.
23. The apparatus of claim 22, wherein the abnormal event graph generating module comprises:
an event node establishing submodule, configured to establish a plurality of event nodes using the abnormal event information;
an association relation determining submodule, configured to determine association relations among the plurality of event nodes;
and an abnormal event graph generating submodule, configured to generate the abnormal event graph by combining the association relations and the event nodes.
24. The apparatus of claim 23, wherein the abnormal event information obtaining module comprises:
a bidirectional traversal submodule, configured to, during the anomaly analysis, perform a bidirectional traversal from the abnormal event over the log data to obtain event source information and event influence information;
and an abnormal event information combining submodule, configured to combine the event source information and the event influence information to obtain the abnormal event information.
25. The apparatus of claim 24, wherein the plurality of event nodes comprises at least the following:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
26. The apparatus of claim 23, further comprising:
a target data determining module, configured to determine target data corresponding to an establishment request when the establishment request is received;
a node establishing module, configured to establish a new event node in the abnormal event graph using the target data;
and an association relation establishing module, configured to establish an association relation between the new event node and the other event nodes.
27. The apparatus of claim 26, wherein the target data comprises any one of:
log data, user-defined data.
28. The apparatus of claim 23, further comprising:
a node editing module, configured to edit the event node corresponding to an editing request when the editing request is received.
29. The apparatus of claim 23, further comprising:
a node deleting module, configured to delete the event node corresponding to a deletion request when the deletion request is received.
30. The apparatus of claim 22, further comprising:
an alarm information generating module, configured to generate alarm information for the abnormal event when the abnormal event is detected;
and an alarm information sending module, configured to send the alarm information to the client.
31. The apparatus of claim 22, wherein the log data comprises any one or more of:
weblog data, device log data.
32. An apparatus for data processing, the apparatus comprising:
a log data acquisition module, configured to acquire log data for a user event;
a user event information obtaining module, configured to analyze the log data to obtain user event information;
a user event graph generating module, configured to generate a user event graph for the user event according to the user event information;
a user event graph sending module, configured to send the user event graph to a client for visualization;
wherein the log data acquisition module is specifically configured to: receive a visualization request for the user event sent by the client; and, in response to the visualization request, trigger an automatic intrusion link restoration function and acquire the log data for the user event;
and wherein the apparatus is further configured to: acquire a user identifier and determine a plurality of target devices corresponding to the user identifier; and aggregate the user event graphs corresponding to the plurality of target devices, which comprises merging the same attack source and the same attack target that appear in more than one of the plurality of user event graphs.
33. An apparatus for data processing, the apparatus comprising:
a visualization request generating module, configured to generate a visualization request for an abnormal event in response to a visualization operation;
a visualization request sending module, configured to send the visualization request to a server;
an abnormal event graph visualization module, configured to visualize an abnormal event graph for the abnormal event when the abnormal event graph returned by the server is received; the abnormal event graph is generated by the server side according to abnormal event information, the server side having triggered an automatic intrusion link restoration function to acquire log data for the abnormal event and having performed anomaly analysis on the log data to obtain the abnormal event information;
wherein the server is further configured to acquire a user identifier and determine a plurality of target devices corresponding to the user identifier, and to aggregate the abnormal event graphs corresponding to the plurality of target devices, which comprises merging the same attack source and the same attack target that appear in more than one of the plurality of abnormal event graphs.
34. The apparatus of claim 33, wherein the abnormal event graph comprises a plurality of event nodes and association relations among the plurality of event nodes.
35. The apparatus of claim 34, wherein the plurality of event nodes comprises at least the following:
a node for an attack source, a node for an attack behavior, and a node for an attack target.
36. The apparatus of claim 34 or 35, further comprising:
a target data acquiring module, configured to acquire, in response to a node establishment operation, target data corresponding to the node establishment operation;
an establishment request generating module, configured to generate an establishment request using the target data;
an establishment request sending module, configured to send the establishment request to the server, the server being configured to, when the establishment request is received, determine the target data corresponding to the establishment request, establish a new event node in the abnormal event graph using the target data, and establish an association relation between the new event node and the other event nodes.
37. The apparatus of claim 36, wherein the target data comprises any one of:
log data and user-defined data.
38. The apparatus of claim 34 or 35, further comprising:
an editing request generating module, configured to generate an editing request in response to a node editing operation;
an editing request sending module, configured to send the editing request to the server, the server being configured to edit the event node corresponding to the editing request when the editing request is received.
39. The apparatus of claim 34 or 35, further comprising:
a deletion request generating module, configured to generate a deletion request in response to a node deletion operation;
a deletion request sending module, configured to send the deletion request to the server, the server being configured to delete the event node corresponding to the deletion request when the deletion request is received.
40. The apparatus of claim 33, further comprising:
an alarm information receiving module, configured to receive alarm information for the abnormal event sent by the server;
and an alarm information visualization module, configured to visualize the alarm information.
41. The apparatus of claim 33, wherein the log data comprises any one or more of:
weblog data, device log data.
42. An apparatus for data processing, the apparatus comprising:
a visualization request generating module, configured to generate a visualization request for a user event in response to a visualization operation;
a visualization request sending module, configured to send the visualization request to a server;
a user event graph visualization module, configured to visualize a user event graph for the user event when the user event graph returned by the server is received; the user event graph is generated by the server side according to user event information, the server side having triggered an automatic intrusion link restoration function to acquire log data for the user event and having analyzed the log data to obtain the user event information;
wherein the server is further configured to: acquire a user identifier and determine a plurality of target devices corresponding to the user identifier; and aggregate the user event graphs corresponding to the plurality of target devices, which comprises merging the same attack source and the same attack target that appear in more than one of the plurality of user event graphs.
43. An electronic device, comprising a processor, a memory and a computer program stored on the memory and capable of running on the processor, the computer program, when executed by the processor, implementing the steps of the method of data processing according to any one of claims 1 to 21.
44. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of data processing according to any one of claims 1 to 21.
CN202010246584.6A 2020-03-31 2020-03-31 Data processing method and device Active CN113472725B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010246584.6A CN113472725B (en) 2020-03-31 2020-03-31 Data processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010246584.6A CN113472725B (en) 2020-03-31 2020-03-31 Data processing method and device

Publications (2)

Publication Number Publication Date
CN113472725A CN113472725A (en) 2021-10-01
CN113472725B true CN113472725B (en) 2023-04-07

Family

ID=77865685

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010246584.6A Active CN113472725B (en) 2020-03-31 2020-03-31 Data processing method and device

Country Status (1)

Country Link
CN (1) CN113472725B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701795A (en) * 2013-12-20 2014-04-02 北京奇虎科技有限公司 Identification method and device for attack source of denial of service attack
CN107911355A (en) * 2017-11-07 2018-04-13 杭州安恒信息技术有限公司 Attack-chain-based website backdoor exploitation event identification method
CN110519264A (en) * 2019-08-26 2019-11-29 奇安信科技集团股份有限公司 Attack tracking and tracing method, device and equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
CN106790023B (en) * 2016-12-14 2019-03-01 平安科技(深圳)有限公司 Network security Alliance Defense method and apparatus
CN108111342B (en) * 2017-12-15 2021-08-27 北京华创网安科技股份有限公司 Visualization-based threat alarm display method
CN110442498B (en) * 2019-06-28 2022-11-25 平安科技(深圳)有限公司 Abnormal data node positioning method and device, storage medium and computer equipment
CN110933101B (en) * 2019-12-10 2022-11-04 腾讯科技(深圳)有限公司 Security event log processing method, device and storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103701795A (en) * 2013-12-20 2014-04-02 北京奇虎科技有限公司 Identification method and device for attack source of denial of service attack
CN107911355A (en) * 2017-11-07 2018-04-13 杭州安恒信息技术有限公司 Attack-chain-based website backdoor exploitation event identification method
CN110519264A (en) * 2019-08-26 2019-11-29 奇安信科技集团股份有限公司 Attack tracking and tracing method, device and equipment

Also Published As

Publication number Publication date
CN113472725A (en) 2021-10-01

Similar Documents

Publication Publication Date Title
US11750659B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US10986120B2 (en) Selecting actions responsive to computing environment incidents based on action impact information
US20230164175A1 (en) Dynamic adaptive defense for cyber-security threats
CN108696473B (en) Attack path restoration method and device
US20220014560A1 (en) Correlating network event anomalies using active and passive external reconnaissance to identify attack information
JP7101272B2 (en) Automatic threat alert triage through data history
US11544374B2 (en) Machine learning-based security threat investigation guidance
US10795991B1 (en) Enterprise search
CN109962891A (en) Monitor method, apparatus, equipment and the computer storage medium of cloud security
CN114070629B (en) Security arrangement and automatic response method, device and system for APT attack
US20210360032A1 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
CN103078835A (en) System and method for restricting pathways to harmful hosts in computer networks
CN110636085A (en) Attack detection method and device based on flow and computer readable storage medium
CN111371623B (en) Service performance and safety monitoring method and device, storage medium and electronic equipment
WO2019084072A1 (en) A graph model for alert interpretation in enterprise security system
CN112131571B (en) Threat tracing method and related equipment
CN110971579A (en) Network attack display method and device
CN112668010A (en) Method, system and computing device for scanning industrial control system for bugs
CN113660115A (en) Network security data processing method, device and system based on alarm
Vernekar et al. MapReduce based log file analysis for system threats and problem identification
CN113726790A (en) Network attack source identification and blocking method, system, device and medium
CN114024773B (en) Webshell file detection method and system
CN113918938A (en) User entity behavior analysis method and system of continuous immune safety system
AU2014233889A1 (en) Online privacy management
Lavrova et al. Wavelet-analysis of network traffic time-series for detection of attacks on digital production infrastructure

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40060946; Country of ref document: HK)

GR01 Patent grant