CN113987492A - Method and device for determining alarm event - Google Patents

Info

Publication number
CN113987492A
Authority
CN
China
Prior art keywords
alarm
alarm data
sequence
sequences
rule
Legal status
Pending
Application number
CN202111267950.7A
Other languages
Chinese (zh)
Inventor
顾杜娟
章瑞康
袁军
周娟
李文瑾
叶晓虎
Current Assignee
Shenzhou Lvmeng Chengdu Technology Co ltd
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Shenzhou Lvmeng Chengdu Technology Co ltd
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/3006Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/32Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324Display of status information
    • G06F11/327Alarm or error message display
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Abstract

The application discloses a method and a device for determining an alarm event, which are used for solving the problem of low accuracy caused by lack of association relation among different alarms when the alarm event is determined. The method provided in the present application comprises: acquiring an alarm data stream; acquiring an alarm data sequence to be matched from the alarm data stream, wherein the alarm data sequence is obtained by arranging a plurality of alarm data according to a time sequence; acquiring a plurality of rule sequences from the constructed alarm event map; respectively matching the alarm data sequence with the plurality of rule sequences, and determining a first rule sequence with the highest matching degree with the alarm data sequence from the plurality of rule sequences; and determining that the alarm event corresponding to the alarm data sequence is the first alarm event corresponding to the first rule sequence.

Description

Method and device for determining alarm event
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for determining an alarm event.
Background
As network attack and defense have become routine, enterprises face countless network attacks every day. To keep business systems running properly, enterprises typically deploy a variety of security devices, such as network firewalls, intrusion detection systems and anti-virus systems. These security devices may receive a huge amount of alarm data each day, including a large number of repeated alarms or false alarms. Moreover, for the same attack event, different devices may generate different alarm names, so the alarms are relatively dispersed and lack relevance to one another. In the prior art, alarm correlation analysis is performed on the basis of a knowledge graph, but the object of that research is mainly the relationship between entities; the logical knowledge of events is not mined, and the accuracy with which alarm events are determined is not high.
Disclosure of Invention
The embodiment of the application provides a method and a device for determining an alarm event, wherein the alarm event corresponding to alarm data is determined through correlation analysis of the alarm data, so that the problem of low accuracy caused by lack of correlation among different alarms when the alarm event is determined is solved.
In a first aspect, an embodiment of the present application provides a method for determining an alarm event, including: acquiring an alarm data stream; acquiring an alarm data sequence to be matched from the alarm data stream, wherein the alarm data sequence is obtained by arranging a plurality of alarm data in time order; acquiring a plurality of rule sequences from the constructed alarm event map, wherein the alarm event map is obtained by analysing a plurality of traceability analysis reports written by security experts; the alarm event map consists of a plurality of nodes and directed edges between the nodes, wherein each node represents an alarm name and the directed edges represent event relations between the alarms identified by those alarm names; at least two nodes in the alarm event map form a rule sequence with a time-sequence relation, and each rule sequence corresponds to an alarm event; matching the alarm data sequence with each of the plurality of rule sequences, and determining, from the plurality of rule sequences, a first rule sequence with the highest matching degree with the alarm data sequence; and determining that the alarm event corresponding to the alarm data sequence is the first alarm event corresponding to the first rule sequence.
Based on the scheme, when the alarm event corresponding to the alarm data is determined, the alarm event corresponding to the alarm data sequence is determined by combining the alarm event map obtained according to the expert traceability analysis report. The alarm event map establishes the event relation among different alarms, and further determines the matching relation among the alarms in the alarm data sequence through the event relation, and further determines the alarm event corresponding to the alarm data sequence.
In a possible implementation manner, obtaining an alarm data sequence to be matched from the alarm data stream includes: carrying out format normalization on different alarm data in the alarm data stream; performing data grouping on alarm data included in the alarm data stream subjected to format normalization to obtain a plurality of alarm sequence sets; performing duplicate removal processing on the plurality of alarm sequence sets respectively; and acquiring the alarm data sequence to be matched from the multiple alarm sequence sets after the duplication removal processing.
Based on this scheme, the alarm data in the alarm data stream can be preprocessed so that the alarm data stream is converted into a non-repeating set of alarm data sequences; interference from repeated alarms, false alarms and the like with the determined alarm event is reduced, and the accuracy of the determined alarm event is improved.
In a possible implementation manner, performing deduplication processing on the multiple alarm sequence sets respectively includes: dividing the first alarm sequence set into a plurality of alarm data sequences according to a set time interval, wherein the occurrence time ranges of the alarm data included in any two alarm data sequences are not overlapped; the first set of alarm sequences is any one of the plurality of sets of alarm sequences; respectively carrying out duplicate removal processing on the plurality of alarm data sequences; wherein, the alarm data sequence to be matched is any one of the alarm data sequences after the deduplication processing.
Based on the scheme, the multiple alarm sequence sets are subjected to duplicate removal processing respectively, so that the calculation process can be reduced and simplified, and the calculation workload is reduced.
In one possible implementation manner, performing deduplication processing on the plurality of alarm data sequences respectively includes: performing deduplication processing on alarm data in the first alarm data sequence that are generated consecutively and identically in time, and/or performing deduplication processing on repeatedly generated sequences included in the first alarm data sequence.
In one possible implementation, the method further includes: traversing a historical alarm sequence set according to the first alarm data sequence, wherein the historical alarm sequence set comprises N alarm data sequences obtained by grouping and processing alarm data streams acquired within a set time length before the current alarm data stream was acquired, N being a positive integer; acquiring, from the historical alarm sequence set, M alarm data sequences that include the first alarm data sequence, M being a positive integer less than or equal to N, wherein the M alarm data sequences include, in addition to the first alarm data sequence, at least one target alarm data that occurs after the first alarm data sequence; determining, from the target alarm data included in the M alarm data sequences, first alarm data with the highest degree of association with the first alarm data sequence, and taking the first alarm data as the alarm data about to occur after the first alarm data sequence; and determining the degree of association between the first alarm data and the first alarm data sequence according to the number of occurrences of the first alarm data in the M alarm data sequences and the time interval between the occurrence of the first alarm data and the first alarm data sequence.
Based on this scheme, by calculating the relevance among different alarms, the next alarm or alarms that are about to occur after the first alarm sequence can be predicted and fed back to the security expert to form knowledge.
In a second aspect, an embodiment of the present application provides an apparatus for determining an alarm event, including:
the acquisition module is used for acquiring the alarm data stream;
the processing module is used for acquiring an alarm data sequence to be matched from the alarm data stream, wherein the alarm data sequence is obtained by arranging a plurality of alarm data in time order; and for acquiring a plurality of rule sequences from the constructed alarm event map, wherein the alarm event map is obtained by analysing a plurality of traceability analysis reports written by security experts; the alarm event map consists of a plurality of nodes and directed edges between the nodes, wherein each node represents an alarm name and the directed edges represent event relations between the alarms identified by those alarm names; at least two nodes in the alarm event map form a rule sequence with a time-sequence relation, and each rule sequence corresponds to an alarm event.
The processing module is further configured to match the alarm data sequence with the plurality of rule sequences, and determine a first rule sequence with a highest matching degree with the alarm data sequence from the plurality of rule sequences; and determining that the alarm event corresponding to the alarm data sequence is the first alarm event corresponding to the first rule sequence.
In a possible implementation manner, when the processing module obtains the alarm data sequence to be matched from the alarm data stream, the processing module is specifically configured to:
carrying out format normalization on different alarm data in the alarm data stream; performing data grouping on alarm data included in the alarm data stream subjected to format normalization to obtain a plurality of alarm sequence sets; performing duplicate removal processing on the plurality of alarm sequence sets respectively; and acquiring the alarm data sequence to be matched from the multiple alarm sequence sets after the duplication removal processing.
In a possible implementation manner, when performing deduplication processing on the multiple alarm sequence sets, the processing module is specifically configured to:
dividing the first alarm sequence set into a plurality of alarm data sequences according to a set time interval, wherein the occurrence time ranges of the alarm data included in any two alarm data sequences are not overlapped; the first set of alarm sequences is any one of the plurality of sets of alarm sequences; respectively carrying out duplicate removal processing on the plurality of alarm data sequences; wherein, the alarm data sequence to be matched is any one of the alarm data sequences after the deduplication processing.
In a possible implementation manner, when performing deduplication processing on the plurality of alarm data sequences, the processing module is specifically configured to: perform deduplication processing on alarm data in the first alarm data sequence that are generated consecutively and identically in time, and/or perform deduplication processing on repeatedly generated sequences included in the first alarm data sequence.
In one possible implementation manner, the processing module is further configured to:
traversing a historical alarm sequence set according to the first alarm data sequence;
the historical alarm sequence set comprises N alarm data sequences obtained by grouping and processing alarm data streams acquired within a set time length before the current alarm data stream was acquired, N being a positive integer; acquiring, from the historical alarm sequence set, M alarm data sequences that include the first alarm data sequence, M being a positive integer less than or equal to N, wherein the M alarm data sequences include, in addition to the first alarm data sequence, at least one target alarm data that occurs after the first alarm data sequence; determining, from the target alarm data included in the M alarm data sequences, first alarm data with the highest degree of association with the first alarm data sequence, and taking the first alarm data as the alarm data about to occur after the first alarm data sequence; and determining the degree of association between the first alarm data and the first alarm data sequence according to the number of occurrences of the first alarm data in the M alarm data sequences and the time interval between the occurrence of the first alarm data and the first alarm data sequence.
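The next-alarm prediction described under the first aspect and repeated here for the processing module, worked through as an added example (illustrative code, not the patent's or the assignee's). The patent states only that the association degree depends on how often a target alarm follows the first alarm data sequence in the M historical sequences and on the time interval between them; the concrete score used below (occurrence count divided by 1 plus the mean interval in minutes), the reading of "including the first alarm data sequence" as a contiguous in-order run, and the historical sequences themselves are all assumptions.

```python
"""Predicting the alarm about to occur after an alarm data sequence, using a
historical alarm sequence set (added example; history and scoring rule are
constructed assumptions, not the patent's)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Alarm = Tuple[str, int]  # (alarm name, occurrence time in seconds)

# Constructed historical alarm sequence set (N = 4); each sequence is assumed to
# be already grouped and deduplicated. Times are relative to the first alarm.
HISTORY: List[List[Alarm]] = [
    [("port_scan", 0), ("brute_force_login", 30), ("login_success", 60), ("privilege_escalation", 120)],
    [("port_scan", 0), ("brute_force_login", 20), ("login_success", 50), ("data_exfiltration", 600)],
    [("port_scan", 0), ("brute_force_login", 25), ("login_success", 40), ("privilege_escalation", 100),
     ("data_exfiltration", 900)],
    [("port_scan", 0), ("vuln_probe", 10), ("exploit_attempt", 30)],
]


def find_targets(history: List[List[Alarm]], seq: List[str]) -> Tuple[int, Dict[str, List[int]]]:
    """Traverse the history for the M sequences that contain `seq` as a
    contiguous in-order run (assumption) and collect, for every target alarm
    that occurs after the run, its time gap from the run's last alarm."""
    k = len(seq)
    m = 0
    gaps: Dict[str, List[int]] = defaultdict(list)
    for hist in history:
        names = [name for name, _ in hist]
        for i in range(len(names) - k + 1):
            if names[i:i + k] == list(seq):
                m += 1
                end_time = hist[i + k - 1][1]
                for name, t in hist[i + k:]:
                    gaps[name].append(t - end_time)
                break  # count each historical sequence once
    return m, dict(gaps)


def association_scores(gaps: Dict[str, List[int]], scale: float = 60.0) -> Dict[str, float]:
    """Assumed association degree: more occurrences raise it, a longer mean
    interval (measured in units of `scale` seconds) lowers it."""
    return {name: len(g) / (1 + (sum(g) / len(g)) / scale) for name, g in gaps.items()}


def predict_next(history: List[List[Alarm]], seq: List[str],
                 scale: float = 60.0) -> Tuple[Optional[str], int, Dict[str, float]]:
    """Return (predicted next alarm or None, M, per-alarm association scores)."""
    m, gaps = find_targets(history, seq)
    if not gaps:
        return None, m, {}
    scores = association_scores(gaps, scale)
    return max(scores, key=scores.get), m, scores


if __name__ == "__main__":
    observed = ["port_scan", "brute_force_login", "login_success"]
    print(predict_next(HISTORY, observed))
```

With the constructed history, the observed sequence is contained in three of the four historical sequences (M = 3); privilege_escalation follows it twice with a one-minute gap and data_exfiltration twice with a much longer gap, so privilege_escalation is the predicted next alarm. An analyst feeding this back into the alarm event map would review the prediction rather than accept it automatically, since the score is only as good as the history it was computed from.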
In a third aspect, an embodiment of the present application provides an apparatus for determining an alarm event, including: a memory and a processor;
a memory for storing program instructions;
a processor, configured to call the program instructions stored in the memory, and execute the method described in the first aspect or any possible implementation manner of the first aspect according to the obtained program.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, which stores computer instructions that, when executed on a computer, cause the computer to perform the method described in the first aspect and any one of the possible implementations of the first aspect.
In a fifth aspect, the present application provides a computer program product, where the computer program product includes a computer program or instructions, and when the computer program or instructions is executed by a computer, the method in any one of the foregoing first aspect and possible implementation manners of the first aspect is implemented.
In addition, for technical effects brought by any one implementation manner of the second aspect to the fifth aspect, reference may be made to technical effects brought by different implementation manners of the first aspect, and details are not described here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a schematic system architecture diagram of a method for determining an alarm event according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a method for determining an alarm event according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a method for processing an alarm data stream according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an apparatus for determining an alarm event according to an embodiment of the present application;
fig. 5 is a schematic diagram of another apparatus for determining an alarm event according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, as generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
The terms "first" and "second" in the description and claims of the present application and the accompanying drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the term "comprises" and any variations thereof, which are intended to cover non-exclusive protection. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus. The "plurality" in the present application may mean at least two, for example, two, three or more, and the embodiments of the present application are not limited.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in this document generally indicates that the preceding and following related objects are in an "or" relationship unless otherwise specified.
Security devices may receive a huge amount of alarm data each day, including a large number of repeated alarms or false alarms. Moreover, for the same attack event, different devices may generate different alarm names, so the alarms are relatively dispersed and lack relevance to one another. In fact, some temporal or causal relationship exists among most alarm events, so relatively dispersed alarms need to be aggregated, alarm association analysis performed on the aggregated alarms, and the association relationships among the alarm data mined, so that real alarm events are uncovered. The present application aims to establish the association relationships between alarm data, build an Event Graph (EG) based on the alarm data through analysis of the alarm data, determine the alarm event corresponding to the alarm data through the sequential, causal, conditional, hierarchical and other relations among the alarm data in the event graph, and predict alarm events, alarms about to be generated and the like through the association relationships among the alarm data.
Fig. 1 illustrates an exemplary system architecture used in embodiments of the present application, which may include one or more servers 100, where the servers 100 may be hosts or various electronic devices. The server 100 may be a security device or a device connected to security devices. For example, when the server 100 is a security device, it may receive alarm data generated by other devices. For another example, when the server 100 is a device connected to the security devices, it receives the alarm data collected by each security device and further processes the alarm data generated by the different security devices to determine the alarm event that produced the alarm data. Security devices include, but are not limited to, any one or combination of: firewall devices, intrusion detection systems, devices with a vulnerability database, devices with antivirus software, and host monitoring.
The server may include a processor 110, a communication interface 120, and a memory 130.
Taking the example of the server 100 being connected to a plurality of security devices, the communication interface 120 is used for communicating with different security devices and receiving alarm data streams collected by different security devices.
The processor 110 is a control center of the server 100, connects various parts of the entire server 100 using various interfaces and routes, performs various functions of the server 100 and processes data by operating or executing software programs and/or modules stored in the memory 130 and calling data stored in the memory 130. Alternatively, processor 110 may include one or more processing units.
The memory 130 may be used to store software programs and modules, and the processor 110 executes various functional applications and data processing by operating the software programs and modules stored in the memory 130. The memory 130 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to a business process, and the like. Further, the memory 130 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device.
It should be noted that the structure shown in fig. 1 is only an example, and the embodiment of the present invention is not limited thereto.
The present embodiment provides a method for determining an alarm event, and fig. 2 exemplarily shows a flow of the method for determining an alarm event, where the method may be performed by the server 100, and may also be performed by the processor 110 in the server. The following description is given by taking the server 100 as an example, and for convenience of description, the following description of the server 100 is not labeled.
201, the server obtains the alarm data stream.
For example, the server acts as a security device and receives alarm data streams generated by other devices. For another example, the server may be connected to a plurality of security devices and receive the alarm data stream from them.
Wherein, the alarm data stream comprises a plurality of alarm data. The alarm data includes, but is not limited to, the following attribute information: security device identification, alarm name (also referred to as alarm identification), alarm generation time, alarm type, source IP, source port, destination IP, destination port, etc.
202, the server obtains the alarm data sequence to be matched from the alarm data stream.
In some embodiments, the server may pre-process the alarm data stream to obtain a plurality of alarm data sequences. Each alarm data sequence of the plurality of alarm data sequences may be considered as one alarm data sequence to be matched.
For example, the preprocessing may include one or more of normalization, grouping, de-duplication filtering, compression, and the like.
Normalization can be understood as format normalization of alarm data that arrive in different formats. In some scenarios, different devices may generate alarm data for the same alarm in different formats. In the embodiment of the application, normalization processing unifies the formats of all alarm data included in the alarm data stream, which facilitates subsequent processing.
Grouping can be performed according to a set rule, for example, alarm data from the same attack source is divided into a group, and for example, alarm data attacking the same target device is divided into a group, and the like.
The deduplication filtering may be to perform deduplication processing on the same alarm data, or perform deduplication processing on the same alarm sequence, such as a recurring alarm sequence { a1, a2, a3 }.
Compression means dividing the alarm data stream according to time periods.
203, the server obtains a plurality of rule sequences from the constructed alarm event graph.
In some embodiments, the server may process the traceability analysis reports accumulated by security experts to obtain the alarm event map. Specifically, an alarm event composed of a plurality of alarm data may be extracted using natural language processing techniques and mapped into an event graph according to the time-sequence relationship in which the alarm data occur, thereby obtaining the alarm event map. The alarm event map may be composed of a plurality of nodes and directed edges between the nodes, where each node represents an alarm name and the directed edges represent event relationships between the alarms identified by those alarm names. For example, an event relationship may be a sequential, causal, conditional or hierarchical relationship. At least two nodes in the alarm event map form a rule sequence with a time-sequence relationship, and each rule sequence corresponds to an alarm event. Each rule sequence captures the logical sequence by which a security expert reasons about a certain alarm event. The alarm event map is a distributed structure to which nodes and relations can be flexibly added, so it is convenient to update or modify.
In some embodiments, the server may obtain a plurality of rule sequences in the constructed alarm event graph based on the alarm data sequences. For example, the server may traverse the alarm event graph according to the first alarm of the alarm data sequence to be matched to obtain a plurality of rule sequences. Wherein each rule sequence contains the first alarm in the alarm data sequence.
And 204, the server respectively matches the alarm data sequence with the plurality of rule sequences to determine an alarm event corresponding to the alarm data sequence.
In some embodiments, the alarm data sequence is matched with the plurality of rule sequences, a first rule sequence with the highest matching degree with the alarm data sequence is determined from the plurality of rule sequences, and an alarm event corresponding to the alarm data sequence is determined to be a first alarm event corresponding to the first rule sequence.
As an example, when determining the first rule sequence with the highest matching degree from among the plurality of rule sequences, if it is determined that the alarm data sequence completely matches a first rule sequence, the alarm event corresponding to the alarm data sequence is determined to be the first alarm event corresponding to that first rule sequence, and the alarm data sequence is not matched against the remaining rule sequences.
As another example, when there is no rule sequence that completely matches the alarm data sequence among the plurality of rule sequences, the rule sequence with the highest similarity to the alarm data sequence is obtained. For example, when the similarity of the alarm data sequence after matching with the first rule sequence is greater than or equal to the similarity threshold, it is determined that the alarm event corresponding to the alarm data sequence is the second alarm event corresponding to the first rule sequence.
As an example, the similarity may be determined from the number of alarm data in the alarm data sequence to be matched that are also included in the first rule sequence, relative to the total number of alarm data included in the alarm data sequence to be matched. For example, if the first rule sequence is <a_1 a_2 a_3> and the alarm data sequence to be matched is <a_1 a_4 a_2 a_3>, the similarity between the alarm data sequence and the first rule sequence is 75%. When the set similarity threshold is 60%, the similarity between the alarm data sequence and the first rule sequence is greater than the similarity threshold, and the alarm event corresponding to the alarm data sequence is determined to be the second alarm event corresponding to the first rule sequence.
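The matching of steps 203 and 204 worked through as an added example (illustrative code, not code from the patent or its assignee): rule sequences are selected by the first alarm of the sequence to be matched, a complete match wins outright and stops further matching, and otherwise the most similar rule sequence is accepted when its similarity reaches the 60% threshold. The alarm names, the event labels and the in-order counting of matched alarms are assumptions; the patent itself only fixes the 3-of-4 = 75% example.

```python
"""Rule-sequence matching for steps 203-204: exact match first, otherwise the
most similar rule sequence above a threshold. Added example; the rule
sequences and event labels below are constructed, not taken from the patent."""
from typing import Dict, List, Optional, Tuple

# Constructed alarm event map: each rule sequence (the alarm names along a
# directed path, in time order) maps to the alarm event it represents.
RULE_EVENTS: Dict[Tuple[str, ...], str] = {
    ("port_scan", "brute_force_login", "login_success", "privilege_escalation"):
        "credential_compromise",
    ("port_scan", "vuln_probe", "exploit_attempt"): "remote_exploitation",
    ("web_scan", "sql_injection", "webshell_upload"): "web_compromise",
}


def rule_sequences_for(first_alarm: str) -> List[Tuple[str, ...]]:
    """Step 203: select the rule sequences that contain the first alarm of the
    sequence to be matched (the patent traverses the graph from that alarm)."""
    return [rule for rule in RULE_EVENTS if first_alarm in rule]


def similarity(seq: List[str], rule: Tuple[str, ...]) -> float:
    """Fraction of alarms in seq that the rule accounts for, counted in time
    order with a two-pointer scan (in-order matching is an assumption)."""
    if not seq:
        return 0.0
    matched, j = 0, 0
    for alarm in seq:
        if j < len(rule) and alarm == rule[j]:
            matched += 1
            j += 1
    return matched / len(seq)


def determine_event(seq: List[str], threshold: float = 0.6) -> Optional[Tuple[str, float]]:
    """Step 204: return (alarm_event, similarity) for the best rule sequence.
    A complete match is returned immediately without matching the remaining
    rules; otherwise the highest similarity is used if it reaches the
    threshold (60% in the patent's example)."""
    best: Optional[Tuple[str, float]] = None
    for rule in (rule_sequences_for(seq[0]) if seq else []):
        if tuple(seq) == rule:
            return RULE_EVENTS[rule], 1.0
        score = similarity(seq, rule)
        if best is None or score > best[1]:
            best = (RULE_EVENTS[rule], score)
    if best is not None and best[1] >= threshold:
        return best
    return None


if __name__ == "__main__":
    noisy = ["port_scan", "dns_query", "vuln_probe", "exploit_attempt"]
    print(determine_event(noisy))  # ('remote_exploitation', 0.75)
```

The noisy sequence in the usage line contains one alarm (dns_query) that no rule accounts for, so no complete match exists; the remote_exploitation rule explains three of its four alarms, which clears the 60% threshold, while an unrelated sequence that only shares the leading port_scan scores 25% and yields no event. Keeping the threshold as a parameter lets an operator tune the trade-off between missed events and mislabelled ones.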
As follows, referring to fig. 3, a detailed description is given of a process in which a server performs preprocessing on an alarm data stream to obtain a plurality of alarm data sequences in the embodiment of the present application. Referring to fig. 3, the flow of the preprocessing may include:
301, carrying out format normalization on different alarm data in the alarm data stream.
It should be noted that the alarm names and data structures generated by devices from different manufacturers or of different versions may differ; that is, the same alarm may be represented in different alarm data formats. For example, "ssh login" and "ssh login authentication" are different alarm names but refer to the same alarm. Therefore, after receiving the alarm data stream, the server may perform format normalization on the different alarm data in the stream to obtain alarm data in a uniform format. For example, the similarity between the alarm names of different alarm data may be calculated with a distance calculation algorithm; when the similarity of the alarm names is greater than or equal to a set threshold, the alarm data with different alarm names are considered to belong to the same alarm, and the alarm names may be unified, for example by modifying the alarm name of one alarm datum based on the alarm name of the other. That is, the alarm name of the other alarm data is changed to the same name as the alarm name of one of the alarm data. The distance calculation algorithm may be, for example, the Levenshtein edit distance.
And 302, performing data grouping on alarm data included in the alarm data stream subjected to format normalization to obtain a plurality of alarm sequence sets.
In some embodiments, the alarm data stream may be grouped according to information that different alarm data have in common. The alarm data stores information such as the attack type, the source Internet Protocol (IP) address and the destination IP address. In some scenarios, an attacker may use multiple different source IP addresses to attack a certain destination IP address, so the alarm data stream may be grouped by the destination IP address in the alarm data to obtain multiple alarm sequence sets. In other scenarios, alarm data with the same attack type may be placed in one group. Of course, the grouping may also be performed in other manners, which is not particularly limited in this embodiment of the application.
In some embodiments, the alarm data stream contains a large number of repeated, out-of-order and false alarms, and when the repeated alarm data is directly used, a large number of calculations are required, the calculation speed is slow, and the out-of-order and false alarms can bring interference to the calculations. Therefore, before the alarm data is matched with the rule sequence in the alarm event map, the alarm data stream is preprocessed, so that the influence of data such as repetition and disorder can be removed, key information can be reserved, and the alarm data sequence to be matched can be obtained.
As an example, after the alarm data stream is obtained, when it is determined that the out-of-order alarm is included, reordering may be performed according to a time sequence relationship, or deleting may be performed directly. When it is determined that there is false alarm data in the alarm data stream, the false alarm data may be deleted to reduce the impact of the false alarm on the accuracy of determining the alarm event. The embodiments of the present application are not limited to the specific processing method for out-of-order alarms and false alarms.
In some scenarios, before deduplication is performed on the plurality of alarm sequence sets, each alarm sequence set may be divided into a plurality of alarm short sequences according to time intervals; the alarm short sequences may also be referred to as alarm data sequences. Taking the first alarm sequence set as an example, the first alarm sequence set may be divided into a plurality of alarm data sequences according to a set time interval, such that the occurrence time ranges of the alarm data included in any two alarm data sequences do not overlap. The time interval may be an hour, a day, a week, etc. The alarm sequence set may also be divided into alarm short sequences in other manners, which is not limited here. Further, deduplication of the first alarm sequence set may be understood as deduplication of each alarm data sequence in the first alarm sequence set, respectively. When an alarm data sequence is deduplicated, consecutive repeated alarms or a repeated alarm sequence may be removed. For example, taking the first alarm data sequence as an example, deduplication may be performed on alarm data in the first alarm data sequence that are consecutive in time and identical, and deduplication may be performed on a repeatedly generated sequence included in the first alarm data sequence. For convenience of description, a sequence included in the first alarm data sequence is referred to as a sub-sequence.
As an example, taking the first alarm data sequence as an example, if the first alarm data sequence is <a_1 a_1 a_2 a_2 a_3 a_3>, where <a_1 a_1>, <a_2 a_2> and <a_3 a_3> are consecutively repeated alarm data, the alarm data sequence to be matched, <a_1 a_2 a_3>, is obtained by removing the consecutive repeats of a_1, a_2 and a_3 in <a_1 a_1>, <a_2 a_2> and <a_3 a_3>.
As another example, if the first alarm data sequence is <a_1 a_2 a_3 a_1 a_2 a_3>, the alarm data sequence to be matched, <a_1 a_2 a_3>, is obtained by removing the consecutively repeated sub-sequence <a_1 a_2 a_3>.
In other scenarios, the alarm sequence set may not be subjected to alarm short sequence division. And directly carrying out deduplication processing on each alarm sequence set to obtain each alarm data sequence. It can be understood that the method for performing deduplication processing on each alarm sequence set is the same as the above method for performing deduplication processing on short sequences, and is not described here again.
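Steps 301 to 302 and the windowing and deduplication described above, carried through as one added example (not the patent's code): alarms are grouped by destination IP, sorted by time so that out-of-order alarms are repaired, cut into fixed non-overlapping windows counted from the group's first alarm, and reduced by removing immediately repeated blocks of any length, which covers both of the patent's cases (<a_1 a_1> and a repeated sub-sequence). The record fields (`ts` in epoch seconds, `dst_ip`, `name`), the one-hour window, the optional list of names to drop as false alarms and the sample stream are constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from typing import Any


def collapse_repeats(seq: list[str]) -> list[str]:
    """Remove immediately repeated blocks of any length.

    A block of length 1 is a run of identical consecutive alarms
    (<a_1 a_1> -> <a_1>); a longer block is a repeated sub-sequence
    (<a_1 a_2 a_3 a_1 a_2 a_3> -> <a_1 a_2 a_3>). Collapsing one block can
    expose another, so the scan is repeated until nothing changes.
    """
    seq = list(seq)
    changed = True
    while changed:
        changed = False
        i = 0
        while i < len(seq):
            for p in range(1, (len(seq) - i) // 2 + 1):
                if seq[i:i + p] == seq[i + p:i + 2 * p]:
                    del seq[i + p:i + 2 * p]   # drop the second copy, re-check at i
                    changed = True
                    break
            else:
                i += 1
    return seq


def preprocess(alarms: list[dict[str, Any]], window_seconds: int = 3600,
               false_alarms: frozenset[str] = frozenset()) -> list[dict[str, Any]]:
    """Group by destination IP, sort by time, cut into windows, deduplicate,
    and emit <IP, start time, end time, alarm sequence> records."""
    groups: dict[str, list[dict[str, Any]]] = defaultdict(list)
    for a in alarms:
        if a["name"] in false_alarms:         # drop known false positives up front
            continue
        groups[a["dst_ip"]].append(a)
    records: list[dict[str, Any]] = []
    for ip, group in groups.items():
        group.sort(key=lambda a: a["ts"])     # repairs out-of-order delivery
        base = group[0]["ts"]                 # windows are counted from the group's first alarm
        windows: dict[int, list[dict[str, Any]]] = defaultdict(list)
        for a in group:
            windows[(a["ts"] - base) // window_seconds].append(a)
        for _, win in sorted(windows.items()):
            records.append({
                "ip": ip,
                "start": win[0]["ts"],        # first alarm node in the window
                "end": win[-1]["ts"],         # last alarm node in the window
                "sequence": collapse_repeats([a["name"] for a in win]),
            })
    return records


# Constructed sample stream: two targets, one out-of-order alarm (ts 20 arrives
# before ts 10), a run of duplicates, a repeated sub-sequence in the next hour,
# and one alarm that an analyst has marked as a false positive.
SAMPLE_STREAM = [
    {"ts": 0,    "dst_ip": "10.0.0.5", "name": "a_1"},
    {"ts": 20,   "dst_ip": "10.0.0.5", "name": "a_2"},
    {"ts": 10,   "dst_ip": "10.0.0.5", "name": "a_1"},
    {"ts": 30,   "dst_ip": "10.0.0.5", "name": "a_2"},
    {"ts": 40,   "dst_ip": "10.0.0.5", "name": "a_3"},
    {"ts": 45,   "dst_ip": "10.0.0.5", "name": "noise"},
    {"ts": 50,   "dst_ip": "10.0.0.5", "name": "a_3"},
    {"ts": 4000, "dst_ip": "10.0.0.5", "name": "a_1"},
    {"ts": 4010, "dst_ip": "10.0.0.5", "name": "a_2"},
    {"ts": 4020, "dst_ip": "10.0.0.5", "name": "a_3"},
    {"ts": 4030, "dst_ip": "10.0.0.5", "name": "a_1"},
    {"ts": 4040, "dst_ip": "10.0.0.5", "name": "a_2"},
    {"ts": 4050, "dst_ip": "10.0.0.5", "name": "a_3"},
    {"ts": 5,    "dst_ip": "10.0.0.9", "name": "b_1"},
    {"ts": 15,   "dst_ip": "10.0.0.9", "name": "b_2"},
]


if __name__ == "__main__":
    for rec in preprocess(SAMPLE_STREAM, false_alarms=frozenset({"noise"})):
        print(rec)
```

Note the order of operations: the false-alarm filter runs before deduplication, because a stray alarm left inside a run (<a_3 noise a_3>) prevents the run from collapsing, which is exactly the interference the patent attributes to false alarms. Windows are cut from the first alarm of each destination rather than from wall-clock hour boundaries; either choice satisfies the non-overlap requirement, but cutting from the first alarm avoids splitting an attack that starts two minutes before the hour.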
After the above processing, the alarm data stream is converted into a non-repeating set of alarm data sequences, where each alarm data sequence has a destination IP address and timestamps and can be expressed as <IP, start time, end time, alarm sequence>. The start time is the occurrence time of the first alarm node in the alarm data sequence, and the end time is the occurrence time of the last alarm node. Matching is then performed between the alarm data sequence and the rule sequences generated from the alarm event graph. In some embodiments, a plurality of rule sequences may be generated by traversing the alarm event graph according to the alarm sequence in the alarm data sequence to be matched and the time interval between its start time and end time. For example, the maximum time interval between the plurality of alarm data included in a generated rule sequence is not greater than the time interval between the start time and the end time of the alarm sequence in the alarm data sequence to be matched.
As an example, a plurality of rule sequences with the first alarm as a starting point may be generated in the alarm event graph according to the first alarm in the alarm data sequence, and the alarm data sequence is then matched with these rule sequences; the rule sequence with the highest matching degree is referred to as a fourth rule sequence, and the alarm event corresponding to the alarm data is the alarm event corresponding to the fourth rule sequence. For example, if the alarm sequence in the alarm data sequence is <b_1 b_2 b_3>, then, using b_1 as a starting point, a plurality of rule sequences starting at b_1 are generated in the alarm event map, the rule sequence with the highest matching degree with the alarm sequence <b_1 b_2 b_3> is determined among them, and the alarm event corresponding to that rule sequence is the alarm event corresponding to the alarm data.
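The similarity-threshold matching and the generation of candidate rule sequences from the alarm event graph starting at the sequence's first alarm, as an added example that is not the patent's code. It assumes the graph is an adjacency dict of alarm names, that the labelled rule sequences are a dict from node tuple to event name, and that similarity is the length of the longest common in-order subsequence divided by the longer of the two lengths; that metric reproduces the 75% of the patent's <a_1 a_4 a_2 a_3> example, but the patent does not fix the metric. The graph, the event labels and the path-length bound of 6 are constructed.

```python
from __future__ import annotations

from typing import Optional


def lcs_length(a: list[str], b: tuple[str, ...]) -> int:
    """Length of the longest common subsequence (in order, not necessarily contiguous)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def sequence_similarity(seq, rule) -> float:
    """Assumed metric: LCS / max(len). <a_1 a_4 a_2 a_3> vs <a_1 a_2 a_3> gives 3/4."""
    if not seq or not rule:
        return 0.0
    return lcs_length(list(seq), tuple(rule)) / max(len(seq), len(rule))


def rule_sequences_from(graph: dict[str, list[str]], start: str,
                        max_len: int) -> list[tuple[str, ...]]:
    """Every directed simple path of 2..max_len nodes that starts at `start`."""
    paths: list[tuple[str, ...]] = []

    def dfs(path: list[str]) -> None:
        if len(path) >= 2:
            paths.append(tuple(path))
        if len(path) >= max_len:
            return
        for nxt in graph.get(path[-1], ()):
            if nxt not in path:            # the graph may contain cycles; keep paths simple
                dfs(path + [nxt])

    dfs([start])
    return paths


def match_event(seq: list[str], graph: dict[str, list[str]],
                events: dict[tuple[str, ...], str],
                threshold: float = 0.6, max_len: int = 6) -> Optional[tuple[str, tuple[str, ...], float]]:
    """Return (event, rule sequence, similarity) for the best labelled rule
    sequence reachable from the first alarm, or None if none reaches the threshold."""
    if not seq:
        return None
    best = None
    for rule in rule_sequences_from(graph, seq[0], max_len):
        event = events.get(rule)
        if event is None:                  # an unlabelled path is not a rule sequence
            continue
        sim = sequence_similarity(seq, rule)
        if best is None or sim > best[2]:
            best = (event, rule, sim)
    if best is None or best[2] < threshold:
        return None
    return best


# Constructed alarm event graph and rule labels; a_3 -> a_7 -> a_8 is a longer variant.
GRAPH = {
    "a_1": ["a_2", "a_4"],
    "a_2": ["a_3"],
    "a_3": ["a_7"],
    "a_4": ["a_2"],
    "a_7": ["a_8"],
}
EVENTS = {
    ("a_1", "a_2", "a_3"): "event E1",
    ("a_1", "a_4"): "event E2",
    ("a_1", "a_2", "a_3", "a_7", "a_8"): "event E3",
}


if __name__ == "__main__":
    print(match_event(["a_1", "a_4", "a_2", "a_3"], GRAPH, EVENTS))
```

Two things to watch when using this as a detection rule. The ratio gives the same 75% to a sequence that contains every rule alarm plus one extra and to one that is missing a rule alarm, so a production matcher should also report rule coverage (how many of the rule's alarms were actually present) before it declares the full event. And path enumeration grows with the graph's fan-out, so the bound on path length (the patent bounds it by the time span of the sequence) is what keeps the traversal cheap.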
Causal or sequential relations among alarms can be read directly from the alarm event graph; for example, a time sequence relation exists between 'webshell script uploading' and 'webshell backdoor access control'. However, the number of alarms and relations in the alarm event graph is relatively small and is not sufficient for counting the association relations between alarms. Therefore, the historical alarm data stream may be analyzed to obtain a plurality of historical alarm sequence sets, the degree of association between different alarms may be obtained from the historical alarm sequence sets, and a certain alarm, or the subsequent alarm of an alarm data sequence, may be predicted through the degree of association. The degree of association may be determined according to the number of times the different alarm data occur in the alarm data sequences and the occurrence time interval between those alarm data and the alarm data sequence.
In some embodiments, a historical alarm sequence set may be traversed according to a first alarm data sequence, where the historical alarm sequence set includes N alarm data sequences obtained by performing grouping processing on alarm data streams acquired within a set time period before the alarm data streams are acquired, where N is a positive integer. And then M alarm data sequences including the first alarm data sequence are obtained from the historical alarm sequence set, wherein M is a positive integer less than or equal to N. The M alarm data sequences include at least one target alarm data occurring after the first alarm data sequence in addition to the first alarm data. And determining first alarm data with the highest degree of association with the first alarm data sequence from target alarm data included in the M alarm data sequences, and taking the first alarm data as alarm data about to occur after the first alarm data sequence. And determining the association degree of the first alarm data and the first alarm data sequence according to the occurrence times of the first alarm data in the M alarm data sequences and the occurrence time interval between the first alarm data and the first alarm data sequence.
As an example, first, a historical alarm sequence set is obtained by grouping the alarm data streams within a set time period before the first alarm data sequence occurs, and the historical alarm sequence set is traversed according to the first alarm data sequence to obtain a plurality of alarm data sequences that include the first alarm data sequence. For example, the first alarm data sequence is <b_1 b_2 b_3>, and grouping the historical alarm data yields 200 alarm data sequences. The alarm data sequences in the historical alarm sequence set that include <b_1 b_2 b_3> within the specified time interval are then determined; assume that 100 alarm data sequences including the first alarm data sequence within the specified time interval are obtained. When the first alarm data is determined by the degree of association, an association score for the time interval between the target alarm data and the first alarm data sequence and a weight for the number of occurrences may be determined. The greater the interval between the target alarm data and the first alarm data sequence, the smaller the association score. For example, the 100 alarm data sequences including the first alarm data sequence consist of 30 occurrences of <b_1 b_2 b_3 b_4 b_5 b_6>, 10 of <b_1 b_2 b_3 b_7 b_4 b_3>, 15 of <b_1 b_2 b_3 b_4 b_7 b_6>, 20 of <b_1 b_2 b_3 b_4 b_7 b_5> and 25 of <b_1 b_2 b_3 b_5 b_4 b_6>. The degrees of association of b_4, b_5, b_6 and b_7 with <b_1 b_2 b_3> are calculated. Taking b_4 as an example: in <b_1 b_2 b_3 b_4 b_5 b_6>, b_4 is the alarm data immediately following <b_1 b_2 b_3>, so the association score between b_4 and <b_1 b_2 b_3> is 1, and the weight of the number of occurrences is the proportion of <b_1 b_2 b_3 b_4 b_5 b_6> among the 100 target alarm sequences (30 out of 100), i.e. the ratio
[formula image BDA0003327571900000141, not reproduced in the text]
In <b_1 b_2 b_3 b_7 b_4 b_3>, a b_7 lies between <b_1 b_2 b_3> and b_4, so the time interval between b_4 and <b_1 b_2 b_3> becomes larger and the corresponding association score becomes smaller. In this alarm data sequence, the association score between b_4 and <b_1 b_2 b_3> is
[formula image BDA0003327571900000142, not reproduced in the text]
and the weight (10 out of 100) is
[formula image BDA0003327571900000143, not reproduced in the text]
By analogy, the degree of association between b_4 and <b_1 b_2 b_3> is:
[formula image BDA0003327571900000144, not reproduced in the text]
Based on the same algorithm, the degree of association between b_5 and <b_1 b_2 b_3> is
[formula image BDA0003327571900000145, not reproduced in the text]
the degree of association between b_6 and <b_1 b_2 b_3> is
[formula image BDA0003327571900000146, not reproduced in the text]
and the degree of association between b_7 and <b_1 b_2 b_3> is
[formula image BDA0003327571900000147, not reproduced in the text]
Among b_4, b_5, b_6 and b_7, b_4 has the highest degree of association with <b_1 b_2 b_3>, so b_4 is taken as the next alarm data that will occur after the first alarm data sequence.
In some embodiments, the server may update the rule sequences of alarm events in the alarm event map. For example, after the alarm sequence set has been matched against the rule sequences, the association relationship between different alarms in the alarm sequence set may be calculated, a certain alarm or the subsequent alarm of the alarm sequence may be predicted through the association relationship, and the rule sequence of the alarm event may be updated in the event graph.
As an example, taking a first alarm sequence set as an example, a plurality of target alarm sequences included in the first alarm sequence set are obtained, where each target alarm sequence includes the first rule sequence; when a first target alarm sequence among the plurality of target alarm sequences is generated in the first alarm sequence set more times than any other target alarm sequence, the rule sequence corresponding to the first alarm event is updated according to the first target alarm sequence. For example, take the case that the first alarm sequence set includes M target alarm sequences. The number of times each different target alarm sequence is generated in the first alarm sequence set is determined, and the target alarm sequence generated the most times is then used as the updated rule sequence corresponding to the first alarm event.
For example, the first alarm sequence set includes four different alarm data sequences, <a_1 a_2 a_3 a_4>, <a_1 a_2 a_3 a_5>, <a_1 a_2 a_3 a_6> and <a_1 a_2 a_3 a_7>, and the rule sequence corresponding to the first alarm event is <a_1 a_2 a_3>. The number of occurrences of each of the four alarm data sequences in the first alarm sequence set is calculated: for example, <a_1 a_2 a_3 a_4> occurs 20 times, <a_1 a_2 a_3 a_5> 10 times, <a_1 a_2 a_3 a_6> 15 times and <a_1 a_2 a_3 a_7> 50 times. The alarm data sequence with the highest number of occurrences, <a_1 a_2 a_3 a_7>, may be used as the rule sequence corresponding to the first alarm event, and the rule sequence corresponding to the first alarm event is updated to <a_1 a_2 a_3 a_7> in the alarm event map. It can be understood that when the alarm data sequence <a_1 a_2 a_3> occurs, it can be predicted from the alarm event map that the next alarm data is likely to be a_7.
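The association-degree calculation worked above with b_1 to b_7, and the rule-update step with the <a_1 a_2 a_3> counts, as one added example that is not the patent's code. The patent's formula images are not reproduced in the text, so the scoring here is an assumption consistent with the prose: each historical sequence containing the prefix contributes 1/gap for the first occurrence of each later alarm (gap 1 for the alarm immediately after the prefix, 2 if one alarm lies between, and so on), and the contributions are divided by M, the number of sequences containing the prefix; alarms already in the prefix are not candidates. The history lists are constructed from the counts in the text, with 100 unrelated sequences standing in for the rest of the 200.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from collections.abc import Sequence


def find_sub(seq: Sequence[str], sub: Sequence[str]) -> int:
    """Index of the first contiguous occurrence of `sub` in `seq`, or -1."""
    n, k = len(seq), len(sub)
    for i in range(n - k + 1):
        if tuple(seq[i:i + k]) == tuple(sub):
            return i
    return -1


def association_scores(prefix: Sequence[str],
                       history: list[list[str]]) -> tuple[dict[str, float], int]:
    """Assumed degree of association between `prefix` and each alarm following it.

    Returns (scores, M). Each of the M sequences containing the prefix adds
    1/gap/M for the first occurrence of every candidate alarm after the prefix.
    """
    containing = [(s, i) for s, i in ((s, find_sub(s, prefix)) for s in history) if i >= 0]
    m = len(containing)
    scores: dict[str, float] = defaultdict(float)
    for s, i in containing:
        seen: set[str] = set()
        for gap, alarm in enumerate(s[i + len(prefix):], 1):
            if alarm in prefix or alarm in seen:   # b_3 at the tail of a sequence is not a candidate
                continue
            seen.add(alarm)
            scores[alarm] += 1.0 / gap / m
    return dict(scores), m


def predict_next(prefix: Sequence[str], history: list[list[str]]):
    """Alarm with the highest degree of association, or None if the prefix never occurred."""
    scores, _ = association_scores(prefix, history)
    return max(scores, key=scores.get) if scores else None


def update_rule(rule: Sequence[str], history: list[list[str]]) -> tuple[str, ...]:
    """Replace the rule sequence by the most frequent historical sequence containing it."""
    counts = Counter(tuple(s) for s in history if find_sub(s, rule) >= 0)
    return counts.most_common(1)[0][0] if counts else tuple(rule)


def add_rule_to_graph(graph: dict[str, list[str]], rule: Sequence[str]) -> None:
    """Insert the rule's consecutive pairs as directed edges of the alarm event graph (idempotent)."""
    for src, dst in zip(rule, rule[1:]):
        if dst not in graph.setdefault(src, []):
            graph[src].append(dst)


def expand(counted) -> list[list[str]]:
    """Turn [(sequence, count), ...] into a flat list of sequences."""
    return [list(seq) for seq, n in counted for _ in range(n)]


# Constructed history: the 100 sequences containing <b_1 b_2 b_3> from the
# patent's example plus 100 unrelated ones (N = 200, M = 100).
HISTORY_B = expand([
    (("b_1", "b_2", "b_3", "b_4", "b_5", "b_6"), 30),
    (("b_1", "b_2", "b_3", "b_7", "b_4", "b_3"), 10),
    (("b_1", "b_2", "b_3", "b_4", "b_7", "b_6"), 15),
    (("b_1", "b_2", "b_3", "b_4", "b_7", "b_5"), 20),
    (("b_1", "b_2", "b_3", "b_5", "b_4", "b_6"), 25),
    (("c_1", "c_2"), 100),
])

# Constructed history for the rule update: the <a_1 a_2 a_3> extension counts from the text.
HISTORY_A = expand([
    (("a_1", "a_2", "a_3", "a_4"), 20),
    (("a_1", "a_2", "a_3", "a_5"), 10),
    (("a_1", "a_2", "a_3", "a_6"), 15),
    (("a_1", "a_2", "a_3", "a_7"), 50),
])


if __name__ == "__main__":
    print(association_scores(("b_1", "b_2", "b_3"), HISTORY_B))
    print(predict_next(("b_1", "b_2", "b_3"), HISTORY_B))
    graph = {"a_1": ["a_2"], "a_2": ["a_3"]}
    add_rule_to_graph(graph, update_rule(("a_1", "a_2", "a_3"), HISTORY_A))
    print(graph)
```

With the assumed 1/gap scoring the four candidates come out at b_4 = 0.825, b_5 = 0.467, b_6 = 0.233 and b_7 = 0.275, so b_4 is predicted, matching the conclusion in the text. The update step is a plain majority vote over the extensions seen in one alarm sequence set; before letting it rewrite a rule in production, require a minimum support count, otherwise a single noisy destination with a few dozen sequences can overwrite an expert-authored rule.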
Through the scheme, the problems that the number of nodes and relations corresponding to the alarm names in the alarm event graph is relatively small, the number of the nodes and relations is small when the rule sequence is generated, the incidence relation among the alarms cannot be counted comprehensively and the like can be solved. By calculating the relevance between different alarms, the subsequent alarm data of the alarm sequence can be predicted, so that potential alarms are mined. By updating the rule sequence in the alarm event map in real time, the association relationship between different alarms in the alarm event map is more comprehensive, and the alarm event corresponding to the alarm data is more accurate when the alarm event corresponding to the alarm data is determined by the alarm event map.
Based on the same technical concept, fig. 4 exemplarily shows that the embodiment of the present application provides an alarm event determination apparatus 400, which may execute the method flows shown in fig. 2 or fig. 3.
Referring to fig. 4, the apparatus specifically includes: an acquisition module 401 and a processing module 402.
The obtaining module 401 is configured to obtain an alarm data stream;
the processing module 402 is configured to obtain an alarm data sequence to be matched from the alarm data stream, where the alarm data sequence is obtained by arranging a plurality of alarm data according to a time sequence; acquire a plurality of rule sequences from the constructed alarm event map; the alarm event map is obtained by analysis of a plurality of traceability analysis reports from security experts; the alarm event map consists of a plurality of nodes and directed edges among the nodes, where each node represents an alarm name, and the directed edges represent event relations among the alarms identified by the alarm names; at least two nodes in the alarm event graph form a rule sequence with a time sequence relation, and each rule sequence corresponds to an alarm event; respectively match the alarm data sequence with the plurality of rule sequences, and determine a first rule sequence with the highest matching degree with the alarm data sequence from the plurality of rule sequences; and determine that the alarm event corresponding to the alarm data sequence is the first alarm event corresponding to the first rule sequence.
In some embodiments, when the alarm data sequence to be matched is obtained from the alarm data stream, the processing module 402 is specifically configured to:
carrying out format normalization on different alarm data in the alarm data stream;
performing data grouping on alarm data included in the alarm data stream subjected to format normalization to obtain a plurality of alarm sequence sets;
performing duplicate removal processing on the plurality of alarm sequence sets respectively;
and acquiring the alarm data sequence to be matched from the multiple alarm sequence sets after the duplication removal processing.
In some embodiments, when performing deduplication processing on the multiple alarm sequence sets, the processing module 402 is specifically configured to:
dividing the first alarm sequence set into a plurality of alarm data sequences according to a set time interval, wherein the occurrence time ranges of the alarm data included in any two alarm data sequences are not overlapped; the first set of alarm sequences is any one of the plurality of sets of alarm sequences;
respectively carrying out duplicate removal processing on the plurality of alarm data sequences;
wherein, the alarm data sequence to be matched is any one of the alarm data sequences after the deduplication processing.
In some embodiments, when performing deduplication processing on a plurality of alarm data sequences, the processing module 402 is specifically configured to:
carrying out deduplication processing on alarm data which are continuously and identically generated in time and are included in the first alarm data sequence, and/or; and carrying out deduplication processing on the repeatedly generated sequence included in the first alarm data sequence.
In some embodiments, the processing module 402 is further configured to traverse the set of historical alarm sequences according to a first alarm data sequence; the historical alarm sequence set comprises N alarm data sequences obtained by grouping and processing alarm data streams acquired within a set time length before the alarm data streams are acquired, wherein N is a positive integer; acquiring M alarm data sequences including the first alarm data sequence from the historical alarm sequence set, wherein M is a positive integer less than or equal to N; the M alarm data sequences comprise at least one target alarm data which occurs after the first alarm data sequence besides the first alarm data; determining first alarm data with the highest degree of association with the first alarm data sequence from target alarm data included in M alarm data sequences, and taking the first alarm data as alarm data about to occur after the first alarm data sequence; and determining the association degree of the first alarm data and the first alarm data sequence according to the occurrence times of the first alarm data in the M alarm data sequences and the occurrence time interval between the first alarm data and the first alarm data sequence.
Based on the same technical concept, an embodiment of the present application further provides an apparatus 500 for determining an alarm event, as shown in fig. 5, including:
a memory 501 for storing program instructions;
the processor 502 is configured to call the program instructions stored in the memory, and execute the method for determining the alarm event according to the obtained program.
In the embodiments of the present application, the processor 502 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor.
The memory 501, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 501 may include at least one type of storage medium, for example a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory 501 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory 501 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function for storing program instructions and/or data.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method for determining an alarm event, comprising:
acquiring an alarm data stream;
acquiring an alarm data sequence to be matched from the alarm data stream, wherein the alarm data sequence is obtained by arranging a plurality of alarm data according to a time sequence;
acquiring a plurality of rule sequences from the constructed alarm event map;
the alarm event map is obtained by analysis of a plurality of traceability analysis reports from security experts; the alarm event map consists of a plurality of nodes and directed edges among the nodes, wherein each node represents an alarm name, and the directed edges represent event relations among the alarms identified by the alarm names; at least two nodes in the alarm event graph form a rule sequence with a time sequence relation, and each rule sequence corresponds to an alarm event;
respectively matching the alarm data sequence with the plurality of rule sequences, and determining a first rule sequence with the highest matching degree with the alarm data sequence from the plurality of rule sequences;
and determining that the alarm event corresponding to the alarm data sequence is the first alarm event corresponding to the first rule sequence.
2. The method of claim 1, wherein the obtaining the sequence of alarm data to be matched from the alarm data stream comprises:
carrying out format normalization on different alarm data in the alarm data stream;
performing data grouping on alarm data included in the alarm data stream subjected to format normalization to obtain a plurality of alarm sequence sets;
performing duplicate removal processing on the plurality of alarm sequence sets respectively;
and acquiring the alarm data sequence to be matched from the multiple alarm sequence sets after the duplication removal processing.
3. The method of claim 2, wherein the performing the de-duplication processing for the plurality of alarm sequence sets respectively comprises:
dividing the first alarm sequence set into a plurality of alarm data sequences according to a set time interval, wherein the occurrence time ranges of the alarm data included in any two alarm data sequences are not overlapped; the first set of alarm sequences is any one of the plurality of sets of alarm sequences;
respectively carrying out duplicate removal processing on the plurality of alarm data sequences;
wherein, the alarm data sequence to be matched is any one of the alarm data sequences after the deduplication processing.
4. The method of claim 3, wherein the performing deduplication processing for the plurality of alarm data sequences respectively comprises:
carrying out deduplication processing on alarm data which are continuously and identically generated in time and are included in the first alarm data sequence, and/or;
and carrying out deduplication processing on the repeatedly generated sequence included in the first alarm data sequence.
5. The method of any of claims 2-4, further comprising:
traversing a historical alarm sequence set according to the first alarm data sequence;
the historical alarm sequence set comprises N alarm data sequences obtained by grouping and processing alarm data streams acquired within a set time length before the alarm data streams are acquired, wherein N is a positive integer;
acquiring M alarm data sequences including the first alarm data sequence from the historical alarm sequence set, wherein M is a positive integer less than or equal to N; the M alarm data sequences comprise at least one target alarm data which occurs after the first alarm data sequence besides the first alarm data;
determining first alarm data with the highest degree of association with the first alarm data sequence from target alarm data included in M alarm data sequences, and taking the first alarm data as alarm data about to occur after the first alarm data sequence;
and determining the association degree of the first alarm data and the first alarm data sequence according to the occurrence times of the first alarm data in the M alarm data sequences and the occurrence time interval between the first alarm data and the first alarm data sequence.
6. An apparatus for determining an alarm event, comprising:
the acquisition module is used for acquiring the alarm data stream;
the processing module is used for acquiring an alarm data sequence to be matched from the alarm data stream, wherein the alarm data sequence is obtained by arranging a plurality of alarm data according to a time sequence; acquiring a plurality of rule sequences from the constructed alarm event map; the alarm event map is obtained by analysis of a plurality of traceability analysis reports from security experts; the alarm event map consists of a plurality of nodes and directed edges among the nodes, wherein each node represents an alarm name, and the directed edges represent event relations among the alarms identified by the alarm names; at least two nodes in the alarm event graph form a rule sequence with a time sequence relation, and each rule sequence corresponds to an alarm event;
the processing module is further configured to match the alarm data sequence against the plurality of rule sequences, determine from them a first rule sequence having the highest matching degree with the alarm data sequence, and determine that the alarm event corresponding to the alarm data sequence is the first alarm event corresponding to the first rule sequence.
7. The apparatus of claim 6, wherein, when obtaining the alarm data sequence to be matched from the alarm data stream, the processing module is specifically configured to:
perform format normalization on the different alarm data in the alarm data stream;
group the alarm data included in the format-normalized alarm data stream to obtain a plurality of alarm sequence sets;
perform deduplication on each of the plurality of alarm sequence sets;
and obtain the alarm data sequence to be matched from the plurality of deduplicated alarm sequence sets.
8. The apparatus of claim 7, wherein, when performing deduplication on each of the plurality of alarm sequence sets, the processing module is specifically configured to:
divide a first alarm sequence set into a plurality of alarm data sequences according to a set time interval, wherein the occurrence-time ranges of the alarm data included in any two of the alarm data sequences do not overlap, the first alarm sequence set being any one of the plurality of alarm sequence sets;
perform deduplication on each of the plurality of alarm data sequences;
wherein the alarm data sequence to be matched is any one of the deduplicated alarm data sequences.
9. An apparatus for determining an alarm event, comprising:
a memory and a processor;
the memory being configured to store program instructions;
the processor being configured to call the program instructions stored in the memory and to execute the method of any one of claims 1 to 5 according to the obtained program instructions.
10. A computer-readable storage medium having stored thereon computer instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1 to 5.
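The following is an added worked example of the processing chain in claims 6 to 8 (format normalization, grouping into alarm sequence sets, division by time interval into non-overlapping alarm data sequences, deduplication, and selection of the rule sequence with the highest matching degree). It is illustrative code written for this page, not the applicant's implementation. The claims leave several details open, and the example fills them with stated assumptions: the grouping key is the (source, destination) pair, the matching degree is the ratio from Python's difflib.SequenceMatcher, deduplication keeps the first occurrence of each alarm name, and the alarm records, the two producer schemas and the rule sequences are all constructed.

```python
"""Added example of the pipeline in claims 6 to 8 (illustrative, not the
patent's implementation). Assumed, since the claims leave them open: grouping
key (src, dst); matching degree = difflib SequenceMatcher ratio; dedup keeps
the first occurrence of each name; all records and rules are constructed."""
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Alarm:
    ts: int      # occurrence time, epoch seconds
    src: str
    dst: str
    name: str    # normalized alarm name

@dataclass
class Result:
    key: tuple            # grouping key (src, dst)
    names: list           # deduplicated alarm data sequence
    event: "str | None"   # matched alarm event, None when below threshold
    degree: float         # matching degree of the best rule sequence

def normalize(raw: dict) -> Alarm:
    """Format normalization: map two assumed producer schemas onto Alarm."""
    if "event_name" in raw:   # assumed 'vendor A' schema
        return Alarm(int(raw["time"]), raw["src_ip"], raw["dst_ip"],
                     raw["event_name"].lower())
    if "sig" in raw:          # assumed 'vendor B' schema
        return Alarm(int(raw["epoch"]), raw["attacker"], raw["victim"],
                     raw["sig"].lower())
    raise ValueError(f"unknown alarm format: {raw}")

def group_alarms(alarms) -> dict:
    """Data grouping: one alarm sequence set per (src, dst) pair."""
    sets: dict = {}
    for a in alarms:
        sets.setdefault((a.src, a.dst), []).append(a)
    return sets

def split_by_interval(alarm_set, interval: int) -> list:
    """Divide one set into alarm data sequences with non-overlapping time ranges."""
    windows, current, start = [], [], None
    for a in sorted(alarm_set, key=lambda x: x.ts):
        if start is None or a.ts - start >= interval:
            if current:
                windows.append(current)
            current, start = [], a.ts
        current.append(a)
    if current:
        windows.append(current)
    return windows

def dedup(seq) -> list:
    """Duplicate removal: keep the first occurrence of each alarm name, in order."""
    return list(dict.fromkeys(a.name for a in seq))

def best_rule(names, rules: dict, threshold: float = 0.5):
    """Return (event, degree) for the rule sequence with the highest degree."""
    best_event, best_degree = None, 0.0
    for event, rule_seq in rules.items():
        degree = SequenceMatcher(None, names, rule_seq).ratio()
        if degree > best_degree:
            best_event, best_degree = event, degree
    if best_degree < threshold:   # assumed cut-off: report unknown, not a guess
        return None, best_degree
    return best_event, best_degree

def run_pipeline(raw_records, rules: dict, interval: int) -> list:
    """Claims 6 to 8 end to end: normalize, group, window, dedup, match."""
    results = []
    groups = group_alarms(normalize(r) for r in raw_records)
    for key, alarm_set in groups.items():
        for window in split_by_interval(alarm_set, interval):
            names = dedup(window)
            event, degree = best_rule(names, rules)
            results.append(Result(key, names, event, degree))
    return results

# Constructed sample stream: two producer formats, two attacker/victim pairs,
# one alarm repeated in the other format, and one lone scan 4000 s later.
SAMPLE_RAW = [
    {"time": "1000", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "event_name": "Port_Scan"},
    {"epoch": "1010", "attacker": "10.0.0.5", "victim": "10.0.1.20", "sig": "port_scan"},
    {"time": "1030", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "event_name": "SQL_Injection"},
    {"epoch": "1050", "attacker": "10.0.0.5", "victim": "10.0.1.20", "sig": "Webshell_Upload"},
    {"time": "1070", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "event_name": "Cmd_Exec"},
    {"time": "1005", "src_ip": "10.0.0.9", "dst_ip": "10.0.1.30", "event_name": "Login_Failure"},
    {"time": "1006", "src_ip": "10.0.0.9", "dst_ip": "10.0.1.30", "event_name": "Login_Failure"},
    {"time": "1007", "src_ip": "10.0.0.9", "dst_ip": "10.0.1.30", "event_name": "Login_Success"},
    {"time": "5000", "src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "event_name": "Port_Scan"},
]
# Constructed rule sequences (already deduplicated), keyed by alarm event name.
RULES = {
    "webshell attack chain": ["port_scan", "sql_injection", "webshell_upload", "cmd_exec"],
    "password guessing": ["login_failure", "login_success"],
}

if __name__ == "__main__":
    for r in run_pipeline(SAMPLE_RAW, RULES, interval=300):
        print(r.key, r.names, "->", r.event, round(r.degree, 2))
```

Two caveats for anyone adapting this. First, the claims only say "highest matching degree"; without a cut-off, a lone port scan (the second window for 10.0.0.5 above, degree 0.4) would still be labelled with the closest rule, so the example adds an assumed threshold and reports no event below it. Second, first-occurrence deduplication discards counts, so a rule that depends on volume (many login failures before a success) needs the count carried alongside the name rather than dropped.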
CN202111267950.7A 2021-10-29 2021-10-29 Method and device for determining alarm event Pending CN113987492A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111267950.7A CN113987492A (en) 2021-10-29 2021-10-29 Method and device for determining alarm event

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111267950.7A CN113987492A (en) 2021-10-29 2021-10-29 Method and device for determining alarm event

Publications (1)

Publication Number Publication Date
CN113987492A true CN113987492A (en) 2022-01-28

Family

ID=79744025

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111267950.7A Pending CN113987492A (en) 2021-10-29 2021-10-29 Method and device for determining alarm event

Country Status (1)

Country Link
CN (1) CN113987492A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001753A (en) * 2022-05-11 2022-09-02 Nsfocus Technologies Group Co Ltd Method and device for analyzing associated alarm, electronic equipment and storage medium
CN115001753B (en) * 2022-05-11 2023-06-09 Nsfocus Technologies Group Co Ltd Method and device for analyzing associated alarms, electronic equipment and storage medium
CN114944956A (en) * 2022-05-27 2022-08-26 Sangfor Technologies Inc Attack link detection method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US11522882B2 (en) Detection of adversary lateral movement in multi-domain IIOT environments
Liu et al. Host-based intrusion detection system with system calls: Review and future trends
US9736173B2 (en) Differential dependency tracking for attack forensics
EP3107026B1 (en) Event anomaly analysis and prediction
US10409980B2 (en) Real-time representation of security-relevant system state
US20220263860A1 (en) Advanced cybersecurity threat hunting using behavioral and deep analytics
US10915626B2 (en) Graph model for alert interpretation in enterprise security system
US11449604B2 (en) Computer security
CN113987492A (en) Method and device for determining alarm event
CN104871171B (en) Distributed pattern discovery
Landauer et al. Time series analysis: unsupervised anomaly detection beyond outlier detection
CN112241439B (en) Attack organization discovery method, device, medium and equipment
CN111294233A (en) Network alarm statistical analysis method, system and computer readable storage medium
CN115001753A (en) Method and device for analyzing associated alarm, electronic equipment and storage medium
GB2583892A (en) Adaptive computer security
US20220335013A1 (en) Generating readable, compressed event trace logs from raw event trace logs
US11477225B2 (en) Pre-emptive computer security
CN108733543B (en) Log analysis method and device, electronic equipment and readable storage medium
CN112287339A (en) APT intrusion detection method and device and computer equipment
CN113746780B (en) Abnormal host detection method, device, medium and equipment based on host image
US11436320B2 (en) Adaptive computer security
CN114972827A (en) Asset identification method, device, equipment and computer readable storage medium
CN116361153A (en) Method and device for testing firmware codes, electronic equipment and storage medium
CN108351940B (en) System and method for high frequency heuristic data acquisition and analysis of information security events
Meenakshi et al. Literature survey on log-based anomaly detection framework in cloud

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination