CN113535458A - Abnormal false alarm processing method and device, storage medium and terminal - Google Patents


Info

Publication number
CN113535458A
Authority
CN
China
Prior art keywords
classification
requirement
information
theme
topic
Legal status
Granted
Application number
CN202111089557.3A
Other languages
Chinese (zh)
Other versions
CN113535458B (en)
Inventor
殷钱安
梁淑云
余贤喆
王启凡
陶景龙
刘胜
马影
周晓勇
魏国富
夏玉明
Current Assignee
Information and Data Security Solutions Co Ltd
Original Assignee
Information and Data Security Solutions Co Ltd
Application filed by Information and Data Security Solutions Co Ltd
Priority to CN202111089557.3A (CN113535458B)
Priority to PCT/CN2021/124046 (WO2023039973A1)
Publication of CN113535458A
Application granted
Publication of CN113535458B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0766 Error or fault reporting or storing
    • G06F11/0781 Error filtering or prioritizing based on a policy defined by the user or on a policy defined by a hardware/software module, e.g. according to a severity level
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0727 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in a storage system, e.g. in a DASD or network based storage system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/279 Recognition of textual entities
    • G06F40/289 Phrasal analysis, e.g. finite state techniques or chunking

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Quality & Reliability (AREA)
  • General Health & Medical Sciences (AREA)
  • Computational Linguistics (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and a device for processing abnormal false alarms, a storage medium and a terminal. It relates to the technical field of the internet and mainly aims to solve the problem that abnormal information cannot be processed effectively and accurately in the prior art. The method comprises the following steps: acquiring service requirement information and operation information of an operation object to be alarmed; determining an operation topic classification corresponding to a requirement topic classification keyword of the service requirement information based on a requirement-operation topic mapping relation, wherein the requirement-operation topic mapping relation represents the topic classification relations between different requirement topic classification keywords and different operation topic classifications; and, if a first similarity between the operation information and the operation topic classification keywords of the operation topic classification is greater than a first similarity threshold, determining that the alarm information generated based on the operation information is a false alarm event, and deleting the alarm information. The method is mainly used for processing abnormal false alarms.

Description

Abnormal false alarm processing method and device, storage medium and terminal
Technical Field
The invention relates to the technical field of internet, in particular to a method and a device for processing abnormal false alarm, a storage medium and a terminal.
Background
With the rapid development of internet technology, data security problems have become increasingly prominent, and data security protection has become increasingly important for preventing data leakage from a system or terminal device and the resulting property loss to users. In practice, system or device behavior is usually checked by a behavior security monitoring system in order to provide protection. When the working content changes, for example when a data processing person performs a large number of operations outside working hours because of a service change, behavior security detection can raise false alarms. To preserve the protection effect of the security monitoring system and reduce its false alarm rate, the abnormal information produced by security detection usually has to be checked for false alarms.
At present, false alarm judgment on anomalies found by security detection is usually done manually or by whitelist rule matching. However, the volume of abnormal information and the number of targets generating it are large, service requirements are complex, and the types of work that change data are varied. Whether whitelist matching or manual judgment is used, the rules must be maintained by hand and changed continuously in real time as service types and requirement content change. This consumes a large amount of labor, is prone to human judgment errors, and makes false alarm judgment slow and imprecise, so abnormal false alarms cannot be processed effectively and accurately.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for processing abnormal false alarms, a storage medium, and a terminal, and mainly aims to solve the problem that the existing methods cannot process abnormal information effectively and accurately.
According to an aspect of the present invention, a method for processing an abnormal false alarm is provided, which includes:
acquiring service demand information and operation information of an operation object to be alarmed;
determining an operation topic classification corresponding to a requirement topic classification keyword of the service requirement information based on a requirement-operation topic mapping relation, wherein the requirement-operation topic mapping relation represents the topic classification relation between different requirement topic classification keywords and different operation topic classifications, and the topic classification relation is determined by matching requirement topic classification keywords with operation topic classifications based on the combination relations among different requirement topic classifications, different requirement topic classification keywords, different operation topic classifications and different operation topic classification keywords;
and, if a first similarity between the operation information and the operation topic classification keywords of the operation topic classification is greater than a first similarity threshold, determining that the alarm information generated based on the operation information is a false alarm event, and deleting the alarm information.
Further, before the obtaining of the service requirement information and the operation information of the operation object to be alarmed, the method further includes:
performing topic classification keyword analysis on historical service requirement information and historical operation information respectively, and constructing the requirement-operation topic mapping relation based on the requirement topic classification keywords and the operation topic classification keywords obtained by the analysis.
Further, the respectively performing topic classification keyword analysis on the historical service requirement information and the historical operation information, and constructing a requirement operation topic mapping relation based on the analyzed requirement topic classification keyword and the operation topic classification keyword includes:
performing word segmentation on the historical service requirement information and the historical operation information respectively to obtain a requirement word segmentation sequence and an operation word segmentation sequence;
performing topic classification and topic classification keyword extraction on the requirement word segmentation sequence and the operation word segmentation sequence according to a topic classification model to obtain requirement topic classification keywords and operation topic classification keywords, wherein the topic classification comprises a requirement topic classification and an operation topic classification, and the number of the requirement topic classification keywords is the same as that of the operation topic classification keywords;
and establishing the requirement-operation topic mapping relation among the requirement topic classification, the requirement topic classification keywords, the operation topic classification and the operation topic classification keywords based on a requirement-operation matching library, wherein the requirement-operation matching library stores combination relations among different requirement topic classifications, different requirement topic classification keywords, different operation topic classifications and different operation topic classification keywords, which are received and updated at a preset time interval.
Further, the determining, based on the requirement operation topic mapping relationship, an operation topic classification corresponding to the requirement topic classification keyword of the service requirement information includes:
calculating a second similarity between the requirement word segmentation sequence of the service requirement information and each requirement topic classification keyword in the requirement operation topic mapping relation;
selecting a requirement subject classification matched with the requirement subject classification keyword corresponding to the largest second similarity in the second similarities;
and searching an operation subject classification corresponding to the requirement subject classification based on the requirement operation subject mapping relation.
Further, before determining the operation topic classification corresponding to the requirement topic classification keyword of the service requirement information based on the requirement operation topic mapping relationship, the method further includes:
performing text word segmentation on the service demand information by using a text word segmentation algorithm, and performing text word segmentation on the operation information based on a preset separator to respectively obtain a demand word segmentation sequence and an operation word segmentation sequence;
and performing topic division on the requirement word segmentation sequence and the operation word segmentation sequence by combining a topic classification model and an information measurement index, to obtain requirement topic classification keywords matched with the requirement topic classification and operation topic classification keywords matched with the operation topic classification.
Further, before the obtaining of the service requirement information and the operation information of the operation object to be alarmed, the method further includes:
if the number of requirement topic classification keywords that differ between the service requirement information and the historical service requirement information exceeds a preset difference threshold, updating the requirement-operation topic mapping relation based on the service requirement information.
Further, after determining that the alarm information generated based on the operation information is a false alarm event and deleting the alarm information, the method further includes:
collecting statistics on the identity information of the operation object to be alarmed that was determined to be a false alarm event, the false alarm time, the number of false alarms, and the service requirement information corresponding to the false alarm event, and generating and outputting abnormal false alarm information.
According to another aspect of the present invention, there is provided an abnormal false alarm processing apparatus, including:
the acquisition module is used for acquiring the service requirement information and the operation information of the operation object to be alarmed;
the determining module is used for determining an operation theme classification corresponding to a requirement theme classification keyword of the service requirement information based on a requirement operation theme mapping relation, the requirement operation theme mapping relation is used for representing a theme classification relation between different requirement theme classification keywords and different operation theme classifications, and the theme classification relation is determined by matching the requirement theme classification keyword and the operation theme classification based on a combination relation between different requirement theme classifications, different requirement theme classification keywords, different operation theme classifications and different operation theme classification keywords;
and the deleting module is used for determining that the alarm information generated based on the operation information is a false alarm event and deleting the alarm information if the first similarity between the operation information and the operation subject classification key words of the operation subject classification is greater than a first similarity threshold.
Further, the apparatus further comprises:
and the construction module is used for respectively carrying out theme classification keyword analysis on the historical service requirement information and the historical operation information and constructing a requirement operation theme mapping relation based on the analyzed requirement theme classification keyword and the operation theme classification keyword.
Further, the building module comprises:
the word segmentation unit is used for segmenting words of the historical service demand information and the historical operation information respectively to obtain a demand word segmentation sequence and an operation word segmentation sequence;
the extraction unit is used for performing topic classification and topic classification keyword extraction on the requirement word segmentation sequence and the operation word segmentation sequence according to a topic classification model to obtain requirement topic classification keywords and operation topic classification keywords, wherein the topic classification comprises a requirement topic classification and an operation topic classification, and the number of topic classifications of the requirement topic classification keywords is the same as that of the operation topic classification keywords;
the establishing unit is used for establishing a requirement operation theme mapping relation among the requirement theme classification, the requirement theme classification key words, the operation theme classification and the operation theme classification key words based on a requirement operation matching library, and the requirement operation matching library stores a combination relation among different requirement theme classifications, different requirement theme classification key words, different operation theme classifications and different operation theme classification key words which are received and updated according to preset time intervals.
Further, the determining module includes:
the calculation unit is used for calculating a second similarity between the requirement word segmentation sequence of the service requirement information and each requirement topic classification keyword in the requirement operation topic mapping relation;
the selecting unit is used for selecting the demand topic classification matched with the demand topic classification keyword corresponding to the largest second similarity in the second similarities;
and the searching unit is used for searching the operation theme classification corresponding to the requirement theme classification based on the requirement operation theme mapping relation.
Further, the apparatus further comprises:
the word segmentation module is used for performing text word segmentation on the service demand information by using a text word segmentation algorithm, performing text word segmentation on the operation information based on a preset separator, and respectively obtaining a demand word segmentation sequence and an operation word segmentation sequence;
and the dividing module is used for performing topic division on the requirement word segmentation sequence and the operation word segmentation sequence by combining a topic classification model and an information measurement index, to obtain requirement topic classification keywords matched with the requirement topic classification and operation topic classification keywords matched with the operation topic classification.
Further, the apparatus further comprises:
and the updating module is used for updating the requirement-operation topic mapping relation based on the service requirement information if the number of requirement topic classification keywords that differ between the service requirement information and the historical service requirement information exceeds a preset difference threshold.
Further, the apparatus further comprises:
and the statistics module is used for collecting statistics on the identity information of the operation object to be alarmed that was determined to be a false alarm event, the false alarm time, the number of false alarms, and the service requirement information corresponding to the false alarm event, and for generating and outputting abnormal false alarm information.
According to another aspect of the present invention, a storage medium is provided, where at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to execute an operation corresponding to the above processing method for abnormal false alarms.
According to still another aspect of the present invention, there is provided a terminal including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the processing method of the abnormal false alarm.
Through the above technical solutions, the technical solutions provided by the embodiments of the present invention have at least the following advantages:
The invention provides a method and a device for processing abnormal false alarms, a storage medium and a terminal. Compared with the prior art, the embodiments of the invention acquire service requirement information and operation information of an operation object to be alarmed; determine an operation topic classification corresponding to a requirement topic classification keyword of the service requirement information based on a requirement-operation topic mapping relation, wherein the requirement-operation topic mapping relation represents the topic classification relations between different requirement topic classification keywords and different operation topic classifications; and, if a first similarity between the operation information and the operation topic classification keywords of the operation topic classification is greater than a first similarity threshold, determine that the alarm information generated based on the operation information is a false alarm event and delete the alarm information. This greatly reduces labor cost, avoids false alarm handling errors caused by human judgment, greatly increases the accuracy of identifying abnormal false alarms, and improves the efficiency of processing them.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a method for processing an abnormal false alarm according to an embodiment of the present invention;
FIG. 2 is a flow chart of another abnormal false alarm processing method provided by the embodiment of the present invention;
FIG. 3 is a flow chart of another abnormal false alarm processing method provided by the embodiment of the present invention;
FIG. 4 is a block diagram illustrating an abnormal false alarm processing apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The embodiment of the invention provides a method for processing abnormal false alarm, as shown in figure 1, the method comprises the following steps:
101. Acquiring service requirement information and operation information of an operation object to be alarmed.
In the embodiment of the invention, for real-time network security detection, alarm information is generated from information about abnormal conditions found by different security detection modes, so that the abnormal conditions can be eliminated. The service requirement information is the content of the requirements for network security detection, including but not limited to behaviors, file objects, designated program code, and the like, and is acquired in the form of a service requirement document. The operation object to be alarmed is an operating entity that has already been determined to be abnormal, including but not limited to an operator ID, an IP address, a device number, and the like, and serves as the abnormal alarm target. The operation information is the operation content of the operation object that has been determined to be the abnormal alarm target, including but not limited to operation behaviors, operation content, and the like, and is acquired in the form of an operation log. The embodiment of the present invention does not specifically limit these.
It should be noted that the service requirement information in step 101 is recent service requirement information, that is, service requirement information obtained over a shorter time interval than the historical service information and close to the current time. When step 101 is executed, the historical service information and the recent service information may be compared, and service requirement information determined to be the same is used as the service requirement information in step 101.
102. Determining an operation topic classification corresponding to the requirement topic classification keywords of the service requirement information based on the requirement-operation topic mapping relation.
In the embodiment of the invention, the requirement topic classification keywords are keywords that classify the words representing the various requirement contents in the service requirement information. The service requirement information can be classified by requirement topic to obtain different requirement topic classifications, including but not limited to system file classification, behavior classification, and the like, and each classification is represented by keywords. Similarly, the operation information can be classified by operation topic to obtain different operation topic classifications, including but not limited to IP classification, ID classification, and the like, which is not specifically limited in the embodiment of the present invention. Because the requirement-operation topic mapping relation represents the topic classification relation between different requirement topic classification keywords and different operation topic classifications, the matching operation topic classification can be looked up in the mapping relation from the requirement topic classification keywords.
It should be noted that one classification can be represented by several keywords, so one requirement topic classification can correspond to several requirement topic classification keywords, and one operation topic classification can correspond to several operation topic classification keywords. The requirement-operation topic mapping relation therefore contains not only the correspondence between requirement topic classification keywords and requirement topic classifications, and between operation topic classification keywords and operation topic classifications, but also the correspondence between requirement topic classification keywords and operation topic classifications, and between operation topic classification keywords and requirement topic classifications. Once the requirement topic classification keyword is determined, the corresponding operation topic classification can be found from the mapping relation, and a requirement topic classification keyword can correspond to several operation topic classification keywords under one operation topic classification.
103. If a first similarity between the operation information and the operation topic classification keywords of the operation topic classification is greater than a first similarity threshold, determining that the alarm information generated based on the operation information is a false alarm event, and deleting the alarm information.
In the embodiment of the invention, once the operation topic classification matching the requirement topic classification keywords has been determined, and because one operation topic classification contains at least one operation topic classification keyword, whether a false alarm event has occurred is determined by calculating the first similarity between the operation information and the operation topic classification keywords and comparing it with the first similarity threshold. Because the operation information exists in the form of an operation log, word segmentation can be performed on the operation information before the first similarity is calculated. If the calculated first similarity is greater than the first similarity threshold, the operation information is similar to the operation topic classification keywords, and the abnormal alarm information generated from the operation information is a false alarm.
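The following Python sketch is an added example, not code from the patent: it walks steps 101 to 103 over a constructed mapping and constructed alerts, and produces the per-operator false alarm statistics the method describes. Jaccard set overlap as the similarity measure, the `|` log separator, the 0.6 threshold and all names are assumptions; a requirement document that matches no topic suppresses nothing.

```python
import re
from dataclasses import dataclass

# Constructed requirement-operation topic mapping (all values hypothetical).
MAPPING = {
    "data_migration": {
        "req_keywords": {"migrate", "export", "customer", "table", "archive"},
        "op_topic": "bulk_export",
        "op_keywords": {"select", "export", "customer", "dump", "archive"},
    },
    "account_cleanup": {
        "req_keywords": {"disable", "inactive", "account", "cleanup"},
        "op_topic": "account_admin",
        "op_keywords": {"update", "account", "disable", "status"},
    },
}


@dataclass(frozen=True)
class Alert:
    operator_id: str   # identity of the operation object to be alarmed
    timestamp: str
    operation: str     # operation log entry, fields joined by the separator


def tokenize_requirement(text):
    """Word segmentation of a requirement document (assumed: simple regex)."""
    return set(re.findall(r"[a-z0-9_]+", text.lower()))


def tokenize_operation(entry, sep="|"):
    """Word segmentation of an operation log entry on a preset separator."""
    return {field.strip().lower() for field in entry.split(sep) if field.strip()}


def jaccard(a, b):
    """Assumed similarity measure: |A & B| / |A | B|, 0.0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def match_requirement_topic(requirement_text):
    """Step 102: requirement topic with the largest second similarity, or None."""
    tokens = tokenize_requirement(requirement_text)
    best_topic, best_score = None, 0.0
    for topic, entry in MAPPING.items():
        score = jaccard(tokens, entry["req_keywords"])
        if score > best_score:
            best_topic, best_score = topic, score
    return best_topic


def triage(requirement_text, alerts, first_threshold=0.6):
    """Step 103: drop alerts whose first similarity exceeds the threshold.

    Returns (kept_alerts, report); report holds, per operator, the false alarm
    count, the false alarm times and the requirement that explained them.
    """
    topic = match_requirement_topic(requirement_text)
    kept, report = [], {}
    for alert in alerts:
        if topic is None:
            kept.append(alert)  # no matching requirement: never suppress
            continue
        entry = MAPPING[topic]
        sim = jaccard(tokenize_operation(alert.operation), entry["op_keywords"])
        if sim > first_threshold:
            rec = report.setdefault(alert.operator_id, {
                "count": 0, "times": [], "op_topic": entry["op_topic"],
                "requirement": requirement_text,
            })
            rec["count"] += 1
            rec["times"].append(alert.timestamp)
        else:
            kept.append(alert)
    return kept, report


# Constructed sample input.
REQUIREMENT_DOC = ("Migrate the customer table to the new archive cluster "
                   "and export nightly snapshots.")
ALERTS = [
    Alert("u1042", "2021-09-17T02:14:00", "select|export|customer|archive"),
    Alert("u1042", "2021-09-17T02:31:00", "select|customer|dump|archive"),
    Alert("u2001", "2021-09-17T03:05:00", "select|export|payroll|salary|usb"),
]

if __name__ == "__main__":
    kept, report = triage(REQUIREMENT_DOC, ALERTS)
    print("kept:", kept)
    print("false alarm report:", report)
```

Because suppressed alerts leave the analyst queue, the report returned by `triage` is the only remaining record of them and is worth retaining for later review.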
In the embodiment of the present invention, for further explanation and limitation, before the acquiring of the service requirement information and the operation information of the operation object to be alarmed, the method further includes: performing topic classification keyword analysis on historical service requirement information and historical operation information respectively, and constructing the requirement-operation topic mapping relation based on the requirement topic classification keywords and the operation topic classification keywords obtained by the analysis.
To make the false alarm judgment possible, topic classification keyword analysis is performed on the historical service requirements and the historical operation information. That is, the topic classifications, including the requirement topic classification and the operation topic classification, are determined from the historical service requirements and the historical operation information, the topic classification keywords corresponding to each topic classification are obtained, and the requirement-operation topic mapping relation is constructed. The requirement topic classification represents the topic classifications of the different requirements in the service requirement information, and the operation topic classification represents the topic classifications of the different operations in the operation information. Each topic classification can be determined through keywords, so the requirement-operation topic mapping relation is established based on the requirement topic classification keywords, the requirement topic classification, the operation topic classification keywords and the operation topic classification.
In the embodiment of the present invention, for further explanation and limitation, as shown in FIG. 2, the performing of topic classification keyword analysis on the historical service requirement information and the historical operation information respectively, and the constructing of the requirement-operation topic mapping relation based on the requirement topic classification keywords and the operation topic classification keywords obtained by the analysis, includes: 201. performing word segmentation on the historical service requirement information and the historical operation information respectively to obtain a requirement word segmentation sequence and an operation word segmentation sequence; 202. performing topic classification and topic classification keyword extraction on the requirement word segmentation sequence and the operation word segmentation sequence according to a topic classification model to obtain requirement topic classification keywords and operation topic classification keywords; 203. establishing the requirement-operation topic mapping relation among the requirement topic classification, the requirement topic classification keywords, the operation topic classification and the operation topic classification keywords based on a requirement-operation matching library.
Specifically, word segmentation is performed on the extracted historical service demand information and historical operation information to obtain a demand word segmentation sequence and an operation word segmentation sequence respectively. Since the information in the service demand document is text content and the information in the operation document consists of various character strings, the service demand information is segmented as text and the operation information is segmented on a space separator, so that in step 201 the demand word segmentation sequence list1 and the operation word segmentation sequence list2 are obtained respectively, which is not limited in the embodiment of the present invention. In addition, in step 202, in order to accurately determine the topic classifications and the keywords of the different topic classifications, topic classification is performed on the demand word segmentation sequence and the operation word segmentation sequence based on the topic classification model, and the keywords of the different topic classifications are extracted, wherein the topic classification includes the demand topic classification and the operation topic classification, and the number of the topic classification keywords of the demand topic classification is the same as that of the topic classification keywords of the operation topic classification.
The topic classification model is the unsupervised Bayesian model LDA (Latent Dirichlet Allocation). Topic classification is performed on the demand word segmentation sequence and the operation word segmentation sequence through the trained LDA model to obtain each topic classification and the keywords corresponding to each topic classification. Because the topic classification includes the demand topic classification and the operation topic classification, a keyword topword1 of the demand topic classification and a keyword topword2 of the operation topic classification are obtained respectively.
It should be noted that, in the embodiment of the present invention, since the requirement operation matching library stores the combination relationship between the different requirement topic classifications and the different requirement topic classification keywords which are received and updated according to the preset time interval and the different operation topic classifications and the different operation topic classification keywords respectively, after the requirement topic classification keyword, the operation topic classification keyword, the requirement topic classification and the operation topic classification are determined, the requirement operation topic mapping relationship is established based on the combination relationship between the different requirement topic classifications and the different requirement topic classification keywords and the different operation topic classifications and the different operation topic classification keywords in the requirement operation matching library. The combination relation stored in the demand operation matching library is a combination relation which is input or updated by a technician according to a preset time interval, and the range of the combination relation covered in the demand operation matching library is far larger than the range of the demand operation theme mapping relation established among historical service demand information, theme classifications extracted from the historical operation information and theme classification keywords.
In an embodiment of the present invention, for further explanation and limitation, the determining, based on the requirement operation topic mapping relationship, an operation topic classification corresponding to the requirement topic classification keyword of the service requirement information includes: calculating a second similarity between the requirement word segmentation sequence of the service requirement information and each requirement topic classification keyword in the requirement operation topic mapping relation; selecting a requirement subject classification matched with the requirement subject classification keyword corresponding to the largest second similarity in the second similarities; and searching an operation subject classification corresponding to the requirement subject classification based on the requirement operation subject mapping relation.
In order to improve the identification accuracy of abnormal false alarms, the similarity between the requirement word segmentation sequence of the business requirement information and each requirement topic classification keyword in the requirement operation topic mapping relation, namely the second similarity, is calculated. Because the similarity is calculated between the requirement word segmentation sequence and a plurality of requirement topic classification keywords, the second similarity consists of a plurality of similarity values; the requirement topic classification keyword corresponding to the largest of these values is determined, and the requirement topic classification matched with that keyword is selected. Because the requirement operation theme mapping relation comprises the relations between different requirement theme classifications and different operation theme classifications, after the requirement theme classification is determined based on the maximum similarity value, the operation theme classification corresponding to it is found from the requirement operation theme mapping relation, so that the similarity between the operation information and each operation theme classification keyword in that operation theme classification can be calculated and it can be determined whether the alarm is a false alarm event.
It should be noted that, in the embodiment of the present invention, the calculation of the similarity is performed through numerical data, and therefore, before the similarity is calculated between the requirement word segmentation sequence and the requirement topic classification keyword, words need to be converted into word vectors, for example, word vectors are converted through a word2vec model, so that the similarity is calculated on a numerical basis.
In an embodiment of the present invention, for further explanation and limitation, as shown in fig. 3, before determining an operation topic classification corresponding to a requirement topic classification keyword of the business requirement information based on a requirement operation topic mapping relationship, the method further includes: 301. performing text word segmentation on the service demand information by using a text word segmentation algorithm, and performing text word segmentation on the operation information based on a preset separator to respectively obtain a demand word segmentation sequence and an operation word segmentation sequence; 302. and performing theme division on the demand participle sequence and the operation participle sequence by combining a theme classification model and an information measurement index to obtain a demand theme classification keyword matched with the demand theme classification and an operation theme classification keyword matched with the operation theme classification.
In order to efficiently perform matching based on the requirement operation theme mapping relationship, specifically, because the service requirement information in the service requirement document is text content, text word segmentation is performed on the service requirement information through a text word segmentation algorithm, which can be the jieba (C++) tool from natural language processing technology, so that a requirement word segmentation sequence is obtained. Moreover, because the operation information in the operation document is content in the form of character strings, the operation information is segmented on the preset separator, so that the operation word segmentation sequence is obtained. In addition, since topic division needs to be performed on the demand word segmentation sequence and the operation word segmentation sequence after text word segmentation, on top of the topic classification performed by the topic classification model, an optimal number of topic classifications is selected in combination with the information measurement index, so that N demand topic classifications, M operation topic classifications, and the topic classification keywords of each topic classification, such as the demand topic classification keyword topword1 and the operation topic classification keyword topword2, are obtained. The information measurement index is a measurement index determined by the perplexity method. It measures how well a probability distribution or probability model predicts a sample, which in the embodiment of the invention is how well the topic classification model classifies, and it is determined based on a set index; the embodiment of the invention is not particularly limited in this respect.
In the embodiment of the present invention, for further explanation and limitation, before the obtaining of the service requirement information and the operation information of the operation object to be alarmed, the method further includes: and if the difference number of the classification key words of the demand subjects in the service demand information and the historical service demand information exceeds a preset difference threshold value, updating the mapping relation of the demand operation subjects based on the service demand information.
In order to better identify abnormal false alarms and improve the accuracy of false alarm identification, the number of differences between the demand topic classification keywords in the service demand information and those in the historical service demand information is counted; that is, the demand topic classification keywords in the service demand information are compared one by one with the demand topic classification keywords in the historical service demand information. If the number of differences exceeds a preset difference threshold value, the current service demand information differs considerably from the historical service information, and a demand operation topic mapping relation established according to the historical service information is not suitable for identifying the abnormal false alarms corresponding to the current service demand information, so the demand operation topic mapping relation is updated based on the service demand information. Specifically, the requirement theme classification and the requirement theme classification keywords in the service requirement information are prompted, and a requirement operation theme mapping relationship between the requirement operation theme classification and the operation theme classification keywords of the historical operation information is constructed by combining the combination relationship in the requirement operation matching library, which is not specifically limited in the embodiment of the present invention.
In the embodiment of the present invention, for further explanation and limitation, the method is characterized in that, after determining that the alarm information generated based on the operation information is a false alarm event and deleting the alarm information, the method further includes: and counting the identity information, the false alarm time, the false alarm times and the business requirement information corresponding to the false alarm event of the operation object to be alarmed which is determined to be the false alarm event, and generating and outputting abnormal false alarm information.
In order to improve the effectiveness of false alarm processing, after the alarm information generated based on the operation information is determined to be a false alarm event, the identity information of the operation object to be alarmed, the false alarm time, the number of false alarms and the business requirement information corresponding to the false alarm event are counted, and abnormal false alarm information is generated and output. The operation object to be alarmed is an operation subject which has been determined to be abnormal, so the identity information is identity information, such as a name, identified from information such as an operator id, an ip address and an equipment number. The false alarm time is the time at which the alarm information was generated, determined by the timer used for network security identification in the current execution end. The number of false alarms is the number of times a false alarm was generated, counted over a preset time interval, such as a week or 3 days. In order to display the abnormal false alarm, the abnormal false alarm information is generated in combination with the service demand information corresponding to the false alarm event and is output. The abnormal false alarm information is used for representing the state of the false alarm, so that technicians can judge the complete detection rule of the network to optimize the detection efficiency of network security.
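The matching flow described above (second similarity to pick the requirement topic, lookup of the mapped operation topic, first similarity against the threshold, then the false alarm statistics), as an added Python example that is not code from the patent. The mapping contents, field names, the 0.5 threshold and the zero-similarity guard are assumptions, and bag-of-words cosine similarity stands in for the word2vec vectors the text mentions.

```python
import math
from collections import Counter

# Constructed requirement-operation topic mapping; topic names and keywords
# are illustrative assumptions, not values from the patent.
MAPPING = {
    "data_export": {
        "requirement_keywords": ["export", "customer", "report", "monthly"],
        "operation_topic": "bulk_select",
        "operation_keywords": ["select", "from", "customer", "export", "csv"],
    },
    "account_maintenance": {
        "requirement_keywords": ["reset", "password", "account", "unlock"],
        "operation_topic": "user_update",
        "operation_keywords": ["update", "users", "set", "password", "where"],
    },
}


def cosine(a_tokens, b_tokens):
    """Bag-of-words cosine similarity (stand-in for word2vec vectors)."""
    a, b = Counter(a_tokens), Counter(b_tokens)
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * \
        math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def split_operation(log_line, sep=" "):
    """Operation logs are split on a preset separator, as the text describes."""
    return [t.lower() for t in log_line.split(sep) if t]


def match_requirement_topic(req_tokens, mapping):
    """Second similarity: score every requirement topic, keep the largest."""
    scores = {name: cosine(req_tokens, entry["requirement_keywords"])
              for name, entry in mapping.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


class FalseAlarmTriage:
    def __init__(self, mapping, first_threshold=0.5):
        self.mapping = mapping
        self.first_threshold = first_threshold
        self.report = []         # one record per suppressed alert
        self.counts = Counter()  # false alarms per operator

    def triage(self, alert, req_tokens):
        topic, second = match_requirement_topic(req_tokens, self.mapping)
        if second == 0.0:
            # Added guard (assumption, not in the patent text): a requirement
            # that matches no topic must never cause an alert to be dropped.
            return {"verdict": "keep", "reason": "no requirement topic matched"}
        entry = self.mapping[topic]
        first = cosine(split_operation(alert["operation"]),
                       entry["operation_keywords"])
        if first <= self.first_threshold:
            return {"verdict": "keep", "first_similarity": first,
                    "operation_topic": entry["operation_topic"]}
        # False alarm: record identity, time, count and requirement before
        # the alert leaves the queue, so the suppression stays auditable.
        self.counts[alert["operator_id"]] += 1
        self.report.append({
            "operator_id": alert["operator_id"],
            "source_ip": alert["source_ip"],
            "false_alarm_time": alert["time"],
            "false_alarm_count": self.counts[alert["operator_id"]],
            "requirement": " ".join(req_tokens),
        })
        return {"verdict": "false_alarm", "first_similarity": first,
                "operation_topic": entry["operation_topic"]}


if __name__ == "__main__":
    # Constructed sample input: a pre-segmented requirement and two alerts.
    requirement = ["export", "monthly", "customer", "report"]
    alerts = [
        {"operator_id": "op-1001", "source_ip": "192.0.2.10",
         "time": "2021-09-16T10:00:00", "operation": "SELECT name FROM customer"},
        {"operator_id": "op-1001", "source_ip": "192.0.2.10",
         "time": "2021-09-16T10:05:00", "operation": "DELETE FROM audit_log"},
    ]
    engine = FalseAlarmTriage(MAPPING)
    for alert in alerts:
        print(alert["operation"], "->", engine.triage(alert, requirement))
    print(engine.report)
```

The second constructed alert stays in the queue because its operation does not resemble the operation topic mapped from the business requirement, which is the case the threshold exists to protect.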
Compared with the prior art, the embodiment of the invention provides a method for processing abnormal false alarm, which comprises: acquiring service demand information and operation information of an operation object to be alarmed; determining an operation subject classification corresponding to a requirement subject classification keyword of the service requirement information based on a requirement operation subject mapping relation, wherein the requirement operation subject mapping relation is used for representing subject classification relations between different requirement subject classification keywords and different operation subject classifications; and, if the first similarity between the operation information and the operation subject classification key words of the operation subject classification is larger than a first similarity threshold, determining that the alarm information generated based on the operation information is a false alarm event and deleting the alarm information. This greatly reduces the labor cost, avoids the errors in abnormal false alarm handling caused by manual judgment, greatly increases the accuracy of identifying abnormal false alarms, and improves the efficiency of processing abnormal false alarms.
Further, as an implementation of the method shown in fig. 1, an embodiment of the present invention provides an apparatus for processing an abnormal false alarm, as shown in fig. 4, where the apparatus includes:
an obtaining module 41, configured to obtain service requirement information and operation information of an operation object to be alarmed;
a determining module 42, configured to determine, based on a requirement operation topic mapping relationship, an operation topic classification corresponding to a requirement topic classification keyword of the service requirement information, where the requirement operation topic mapping relationship is used to represent topic classification relationships between different requirement topic classification keywords and different operation topic classifications;
a deleting module 43, configured to determine that alarm information generated based on the operation information is a false alarm event if a first similarity between the operation information and an operation topic classification keyword of the operation topic classification is greater than a first similarity threshold, and delete the alarm information.
Further, the apparatus further comprises:
and the construction module is used for respectively carrying out theme classification keyword analysis on the historical service requirement information and the historical operation information and constructing a requirement operation theme mapping relation based on the analyzed requirement theme classification keyword and the operation theme classification keyword.
Further, the building module comprises:
the word segmentation unit is used for segmenting words of the historical service demand information and the historical operation information respectively to obtain a demand word segmentation sequence and an operation word segmentation sequence;
the extraction unit is used for carrying out theme classification and theme classification keyword extraction on the demand participle sequence and the operation participle sequence according to a theme classification model to obtain a demand theme classification keyword and an operation theme classification keyword, wherein the theme classification comprises a demand theme classification and an operation theme classification, and the number of the theme classification keywords of the demand theme classification is the same as that of the theme classification keywords of the operation theme classification;
the establishing unit is used for establishing a requirement operation theme mapping relation among the requirement theme classification, the requirement theme classification key words, the operation theme classification and the operation theme classification key words based on a requirement operation matching library, and the requirement operation matching library stores a combination relation among different requirement theme classifications, different requirement theme classification key words, different operation theme classifications and different operation theme classification key words which are received and updated according to preset time intervals.
Further, the determining module includes:
the calculation unit is used for calculating a second similarity between the requirement word segmentation sequence of the service requirement information and each requirement topic classification keyword in the requirement operation topic mapping relation;
the selecting unit is used for selecting the demand topic classification matched with the demand topic classification keyword corresponding to the largest second similarity in the second similarities;
and the searching unit is used for searching the operation theme classification corresponding to the requirement theme classification based on the requirement operation theme mapping relation.
Further, the apparatus further comprises:
the word segmentation module is used for performing text word segmentation on the service demand information by using a text word segmentation algorithm, performing text word segmentation on the operation information based on a preset separator, and respectively obtaining a demand word segmentation sequence and an operation word segmentation sequence;
and the dividing module is used for carrying out theme division on the demand participle sequence and the operation participle sequence by combining a theme classification model and an information measurement index to obtain a demand theme classification keyword matched with the demand theme classification and an operation theme classification keyword matched with the operation theme classification.
Further, the apparatus further comprises:
and the updating module is used for updating the mapping relation of the demand operation theme based on the service demand information if the difference number of the demand theme classification key words in the service demand information and the historical service demand information exceeds a preset difference threshold value.
Further, the apparatus further comprises:
and the counting module is used for counting the identity information, the false alarm time, the false alarm times and the service requirement information corresponding to the false alarm event of the operation object to be alarmed determined as the false alarm event, and generating and outputting abnormal false alarm information.
Compared with the prior art, the embodiment of the invention provides a processing device for abnormal false alarm, which obtains the service requirement information and the operation information of the operation object to be alarmed; determines an operation subject classification corresponding to a requirement subject classification keyword of the service requirement information based on a requirement operation subject mapping relation, wherein the requirement operation subject mapping relation is used for representing subject classification relations between different requirement subject classification keywords and different operation subject classifications; and, if the first similarity between the operation information and the operation subject classification key words of the operation subject classification is larger than a first similarity threshold, determines that the alarm information generated based on the operation information is a false alarm event and deletes the alarm information. This greatly reduces the labor cost, avoids the errors in abnormal false alarm handling caused by manual judgment, greatly increases the accuracy of identifying abnormal false alarms, and improves the efficiency of processing abnormal false alarms.
According to an embodiment of the present invention, a storage medium is provided, where the storage medium stores at least one executable instruction, and the computer executable instruction can execute the method for processing the abnormal false alarm in any of the above method embodiments.
Fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the terminal.
As shown in fig. 5, the terminal may include: a processor 502, a communications interface 504, a memory 506, and a communication bus 508.
Wherein: the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508.
A communication interface 504 for communicating with network elements of other devices, such as clients or other servers.
The processor 502 is configured to execute the program 510, and may specifically execute relevant steps in the above-described method for processing an abnormal false alarm.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), or an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The terminal comprises one or more processors, which can be the same type of processor, such as one or more CPUs; or may be different types of processors such as one or more CPUs and one or more ASICs.
And a memory 506 for storing a program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory, such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
acquiring service demand information and operation information of an operation object to be alarmed;
determining an operation subject classification corresponding to a requirement subject classification keyword of the service requirement information based on a requirement operation subject mapping relation, wherein the requirement operation subject mapping relation is used for representing a subject classification relation between different requirement subject classification keywords and different operation subject classifications, and the subject classification relation is determined by matching the requirement subject classification keyword and the operation subject classification based on different requirement subject classifications and combination relations between the different requirement subject classification keywords and the different operation subject classifications as well as the different operation subject classification keywords;
and if the first similarity between the operation information and the operation subject classification key words of the operation subject classification is larger than a first similarity threshold, determining that alarm information generated based on the operation information is a false alarm event, and deleting the alarm information.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A processing method for abnormal false alarm is characterized by comprising the following steps:
acquiring service demand information and operation information of an operation object to be alarmed;
determining an operation subject classification corresponding to a requirement subject classification keyword of the service requirement information based on a requirement operation subject mapping relation, wherein the requirement operation subject mapping relation is used for representing a subject classification relation between different requirement subject classification keywords and different operation subject classifications, and the subject classification relation is determined by matching the requirement subject classification keyword and the operation subject classification based on different requirement subject classifications and combination relations between the different requirement subject classification keywords and the different operation subject classifications as well as the different operation subject classification keywords;
and if the first similarity between the operation information and the operation subject classification key words of the operation subject classification is larger than a first similarity threshold, determining that alarm information generated based on the operation information is a false alarm event, and deleting the alarm information.
2. The method according to claim 1, wherein before the obtaining the service requirement information and the operation information of the operation object to be alarmed, the method further comprises:
and respectively analyzing the historical service requirement information and the historical operation information by using the topic classification key words, and constructing a requirement operation topic mapping relation based on the analyzed requirement topic classification key words and the operation topic classification key words.
3. The method of claim 2, wherein the step of performing topic classification keyword analysis on the historical service requirement information and the historical operation information, and the step of constructing a requirement operation topic mapping relationship based on the analyzed requirement topic classification keyword and the operation topic classification keyword comprises the steps of:
respectively segmenting words of historical service demand information and historical operation information to obtain a demand segmentation sequence and an operation segmentation sequence;
performing topic classification and topic classification keyword extraction on the demand participle sequence and the operation participle sequence according to a topic classification model to obtain a demand topic classification keyword and an operation topic classification keyword, wherein the topic classification comprises a demand topic classification and an operation topic classification, and the number of the demand topic classification keyword is the same as that of the operation topic classification keyword;
and establishing a demand operation theme mapping relation among the demand theme classification, the demand theme classification keywords, the operation theme classification and the operation theme classification keywords based on a demand operation matching library, wherein the demand operation matching library stores a combination relation among different demand theme classifications, different demand theme classification keywords, different operation theme classification keywords and different operation theme classifications keywords which are received and updated according to a preset time interval.
4. The method of claim 3, wherein the determining of the operation topic classification corresponding to the requirement topic classification keyword of the service requirement information based on the requirement operation topic mapping relationship comprises:
calculating a second similarity between the requirement word segmentation sequence of the service requirement information and each requirement topic classification keyword in the requirement operation topic mapping relationship;
selecting the requirement topic classification matched with the requirement topic classification keyword that corresponds to the largest of the second similarities;
and looking up the operation topic classification corresponding to that requirement topic classification based on the requirement operation topic mapping relationship.
5. The method according to claim 3, wherein before determining the operation topic classification corresponding to the requirement topic classification keyword of the service requirement information based on the requirement operation topic mapping relationship, the method further comprises:
performing text word segmentation on the service requirement information by using a text word segmentation algorithm, and performing text word segmentation on the operation information based on a preset separator, to obtain a requirement word segmentation sequence and an operation word segmentation sequence respectively;
and performing topic division on the requirement word segmentation sequence and the operation word segmentation sequence by combining a topic classification model and an information measurement index, to obtain requirement topic classification keywords matched with the requirement topic classification and operation topic classification keywords matched with the operation topic classification.
6. The method according to claim 1, wherein before the obtaining of the service requirement information and the operation information of the operation object to be alarmed, the method further comprises:
if the number of requirement topic classification keywords that differ between the service requirement information and the historical service requirement information exceeds a preset difference threshold, updating the requirement operation topic mapping relationship based on the service requirement information.
7. The method according to any one of claims 1-6, wherein, after determining that the alarm information generated based on the operation information is a false alarm event and deleting the alarm information, the method further comprises:
collecting statistics on the identity information, the false alarm time, the number of false alarms and the service requirement information corresponding to the false alarm event for the operation object to be alarmed that was determined to be a false alarm event, and generating and outputting abnormal false alarm information.
8. An apparatus for processing an abnormal false alarm, comprising:
an acquisition module, configured to acquire service requirement information and operation information of an operation object to be alarmed;
a determining module, configured to determine, based on a requirement operation topic mapping relationship, an operation topic classification corresponding to a requirement topic classification keyword of the service requirement information, wherein the requirement operation topic mapping relationship represents a topic classification relationship between different requirement topic classification keywords and different operation topic classifications, and the topic classification relationship is determined by matching the requirement topic classification keywords with the operation topic classifications based on a combination relationship among different requirement topic classifications, different requirement topic classification keywords, different operation topic classifications and different operation topic classification keywords;
and a deleting module, configured to determine that the alarm information generated based on the operation information is a false alarm event, and to delete the alarm information, if a first similarity between the operation information and the operation topic classification keywords of the operation topic classification is greater than a first similarity threshold.
9. A storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform the operations corresponding to the abnormal false alarm processing method according to any one of claims 1 to 7.
10. A terminal, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the abnormal false alarm processing method according to any one of claims 1-7.
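The matching flow of claims 4, 5, 7 and 8, as an added Python sketch that is not code from the patent. The Jaccard similarity, the threshold value, the `|` separator, the topic mapping, the sample alerts and the "no matching requirement topic" safeguard are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed requirement-operation topic mapping (claim 3); all entries are sample data.
MAPPING = {
    "data_export": {"req_kw": {"export", "report", "customer", "monthly"},
                    "op_topic": "bulk_read", "op_kw": {"select", "customer", "export", "csv"}},
    "account_maintenance": {"req_kw": {"reset", "password", "account", "unlock"},
                            "op_topic": "credential_change",
                            "op_kw": {"update", "users", "password", "reset"}},
}
FIRST_SIM_THRESHOLD = 0.5  # assumed; the claims only name "a first similarity threshold"
OP_SEPARATOR = "|"         # assumed "preset separator" for operation records (claim 5)

def jaccard(a, b):  # assumed stand-in for the similarity measure the claims leave open
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def segment_requirement(text):  # stand-in for the text word-segmentation algorithm
    return re.findall(r"[a-z0-9_]+", text.lower())

def segment_operation(record):
    return [t.strip().lower() for t in record.split(OP_SEPARATOR) if t.strip()]

def resolve_operation_topic(requirement):  # claim 4: largest second similarity wins
    tokens = segment_requirement(requirement)
    scores = {t: jaccard(tokens, m["req_kw"]) for t, m in MAPPING.items()}
    best = max(scores, key=scores.get)
    return MAPPING[best], scores[best]

def triage(alert, false_alarm_log):  # claims 1/8 suppress; claim 7 records the suppression
    entry, second_sim = resolve_operation_topic(alert["requirement"])
    first_sim = jaccard(segment_operation(alert["operation"]), entry["op_kw"])
    # Added safeguard, not in the claims: never suppress when no requirement topic matched.
    if second_sim > 0 and first_sim > FIRST_SIM_THRESHOLD:
        false_alarm_log.append({"user": alert["user"], "time": alert["time"],
                                "requirement": alert["requirement"],
                                "op_topic": entry["op_topic"]})
        return "suppressed", first_sim
    return "kept", first_sim

def false_alarm_counts(false_alarm_log):  # per-identity false alarm count (claim 7)
    return Counter(e["user"] for e in false_alarm_log)

# Constructed alerts: u2 declares a password reset but performs a bulk export.
SAMPLE_ALERTS = [
    {"user": "u1", "time": "2021-09-17T10:00",
     "requirement": "Export monthly customer report", "operation": "SELECT|customer|export|csv"},
    {"user": "u2", "time": "2021-09-17T10:05",
     "requirement": "Reset account password", "operation": "SELECT|customer|export|csv"},
]
```

Because suppression depends on the declared requirement text, the log kept under claim 7 is what lets a reviewer audit who had alerts removed and on what stated grounds.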
CN202111089557.3A 2021-09-17 2021-09-17 Abnormal false alarm processing method and device, storage medium and terminal Active CN113535458B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111089557.3A CN113535458B (en) 2021-09-17 2021-09-17 Abnormal false alarm processing method and device, storage medium and terminal
PCT/CN2021/124046 WO2023039973A1 (en) 2021-09-17 2021-10-15 Abnormal false alarm processing method and apparatus, and storage medium and terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111089557.3A CN113535458B (en) 2021-09-17 2021-09-17 Abnormal false alarm processing method and device, storage medium and terminal

Publications (2)

Publication Number Publication Date
CN113535458A true CN113535458A (en) 2021-10-22
CN113535458B CN113535458B (en) 2021-12-28

Family

ID=78092747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111089557.3A Active CN113535458B (en) 2021-09-17 2021-09-17 Abnormal false alarm processing method and device, storage medium and terminal

Country Status (2)

Country Link
CN (1) CN113535458B (en)
WO (1) WO2023039973A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114661515A (en) * 2022-05-23 2022-06-24 武汉四通信息服务有限公司 Alarm information convergence method and device, electronic equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108053041A (en) * 2017-12-13 2018-05-18 国网辽宁省电力有限公司电力科学研究院 Substation associates electrical secondary system anomalous identification and anti-error system and method under scene more
CN109815697A (en) * 2018-12-29 2019-05-28 360企业安全技术(珠海)有限公司 Wrong report behavior processing method and processing device
CN110191124A (en) * 2019-05-29 2019-08-30 哈尔滨安天科技集团股份有限公司 Website discrimination method, device and storage equipment based on web front-end exploitation data
CN110362545A (en) * 2019-05-27 2019-10-22 平安科技(深圳)有限公司 Log monitoring method, device, terminal and computer readable storage medium
CN110837874A (en) * 2019-11-18 2020-02-25 上海新炬网络信息技术股份有限公司 Service data abnormity detection method based on time series classification
CN111106959A (en) * 2019-12-20 2020-05-05 贵州黔岸科技有限公司 Abnormity monitoring and alarming system and method for transportation management system
CN111752811A (en) * 2020-06-29 2020-10-09 平安普惠企业管理有限公司 Abnormal alarm information processing method, electronic device and storage medium
CN113076410A (en) * 2021-04-22 2021-07-06 网银在线(北京)科技有限公司 Abnormal information processing method, device, equipment and storage medium
WO2021179574A1 (en) * 2020-03-12 2021-09-16 平安科技(深圳)有限公司 Root cause localization method, device, computer apparatus, and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109145609B (en) * 2018-09-06 2023-06-23 平安科技(深圳)有限公司 Data processing method and device
CN110086767A (en) * 2019-03-11 2019-08-02 中国电子科技集团公司电子科学研究院 A kind of hybrid intrusion detection system and method
US11539745B2 (en) * 2019-03-22 2022-12-27 Proofpoint, Inc. Identifying legitimate websites to remove false positives from domain discovery analysis
CN112612844B (en) * 2020-12-18 2024-02-09 深圳前海微众银行股份有限公司 Data processing method, device, equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
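胡阳雨: "Research on Key Technologies for Analyzing New Types of Fraud in the Mobile Application Ecosystem", China Doctoral Dissertations Full-text Database, Information Science and Technology *
马琳茹: "Research on Network Security Alarm Information Processing Technology", China Doctoral Dissertations Full-text Database *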

Also Published As

Publication number Publication date
CN113535458B (en) 2021-12-28
WO2023039973A1 (en) 2023-03-23

Similar Documents

Publication Publication Date Title
CN111639497B (en) Abnormal behavior discovery method based on big data machine learning
CN113282461B (en) Alarm identification method and device for transmission network
CN110928718A (en) Exception handling method, system, terminal and medium based on correlation analysis
CN109992484B (en) Network alarm correlation analysis method, device and medium
CN111160021A (en) Log template extraction method and device
CN113254255B (en) Cloud platform log analysis method, system, device and medium
CN112131249A (en) Attack intention identification method and device
CN113535458B (en) Abnormal false alarm processing method and device, storage medium and terminal
CN113282920B (en) Log abnormality detection method, device, computer equipment and storage medium
CN115686910A (en) Fault analysis method and device, electronic equipment and medium
CN114968959A (en) Log processing method, log processing device and storage medium
CN113947076A (en) Policy data detection method and device, computer equipment and storage medium
CN116383742B (en) Rule chain setting processing method, system and medium based on feature classification
CN112613176A (en) Slow SQL statement prediction method and system
CN112579781A (en) Text classification method and device, electronic equipment and medium
CN116126807A (en) Log analysis method and related device
CN115422028A (en) Credibility evaluation method and device for label portrait system, electronic equipment and medium
CN115168509A (en) Processing method and device of wind control data, storage medium and computer equipment
CN114881112A (en) System anomaly detection method, device, equipment and medium
CN112597498A (en) Webshell detection method, system and device and readable storage medium
CN112800061B (en) Data storage method, device, server and storage medium
CN115906170B (en) Security protection method and AI system applied to storage cluster
US20240104072A1 (en) Method, Apparatus And Electronic Device For Detecting Data Anomalies, And Readable Storage Medium
CN117194049B (en) Cloud host intelligent behavior analysis method and system based on machine learning algorithm
CN116841779A (en) Abnormality log detection method, abnormality log detection device, electronic device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant