CN114070623A - Method for distribution control and result synchronization of multi-stage linkage analysis model - Google Patents


Info

Publication number
CN114070623A
Authority
CN
China
Prior art keywords
analysis model
analysis
result
reported
alarm
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111357130.7A
Other languages
Chinese (zh)
Inventor
何海军
李子林
丁国益
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Zhihangyun Security Technology Co ltd
Original Assignee
Hangzhou Zhihangyun Security Technology Co ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis


Abstract

The invention provides a method for distribution control and result synchronization of a multi-stage linkage analysis model, relating to the technical field of network security, which comprises the following steps. S101: acquiring the superior-subordinate relation of the multi-level linkage system; S102: the upper-level system issues the analysis model to the lower-level system; S103: the lower-level system receives the analysis model issued by the upper-level system; S104: the lower-level system executes the analysis model issued by the upper-level system; S105: the lower-level system reports the analysis result of the analysis model; S106: the upper-level system acquires the reported analysis result. The invention solves the problems, present in existing network security big data analysis products, that the upper-level system cannot collect the data of the lower-level system and that the analysis models of the upper-level and lower-level systems are inconsistent, which causes security events to be missed or falsely reported.

Description

Method for distribution control and result synchronization of multi-stage linkage analysis model
Technical Field
The invention relates to the technical field of network security, in particular to a method for distribution control and result synchronization of a multi-stage linkage analysis model.
Background
For a network security big data analysis product, the volume of relevant logs is so large that a superior system cannot collect all the logs of its subordinate systems; each subordinate system stores its own logs. Because the subordinate system stores its log data itself, the superior system can only run model analysis on the logs of its own level and cannot extend the analysis range to the subordinate system, so a large number of security events in the subordinate system go undiscovered.
Disclosure of Invention
In view of the above drawbacks of the prior art, an object of the present invention is to provide a method for distribution control and result synchronization of a multi-level linkage analysis model, which is used to solve the problem in the prior art of security events being missed or falsely reported because the analysis models of the upper-level and lower-level systems are inconsistent.
The invention provides a method for distribution control and result synchronization of a multi-stage linkage analysis model, which comprises the following steps:
S101: acquiring the superior-subordinate relation of the multi-level linkage system;
S102: the upper-level system issues the analysis model to the lower-level system;
S103: the lower-level system receives the analysis model issued by the upper-level system;
S104: the lower-level system executes the analysis model issued by the upper-level system;
S105: the lower-level system reports the analysis result of the analysis model;
S106: the upper-level system acquires the reported analysis result.
In an embodiment of the present invention, step S101 specifically includes:
acquiring the superior-subordinate relation of the system at the current level, so as to determine whether the system at the current level needs to construct an analysis model, issue the analysis model, receive the analysis model, and report alarm information.
In an embodiment of the present invention, step S102 specifically includes:
reading all analysis models of the system at the current level, including the analysis models issued to the current-level system by a superior system; reading all subordinate system nodes, transmitting all analysis models of the current-level system to all subordinate system nodes through the model issuing interface, and continuously monitoring and recording whether each subordinate system feeds back that the analysis model was updated successfully.
In an embodiment of the present invention, step S103 specifically includes:
reading all superior system nodes, processing only the analysis models whose issuing source is a superior system node, comparing them with the currently stored analysis models, executing an add or update operation, and at the same time feeding back to the superior system node that the analysis model was updated successfully.
In an embodiment of the present invention, step S104 is as follows:
reading all the analysis models in the system at the current level, executing them according to their execution conditions, and outputting alarm results.
In an embodiment of the present invention, the alarm result is processed as follows:
for an alarm result calculated and output by an analysis model of a superior system, an additional field holding the number of the reported object is added to the alarm result and the alarm result is marked with an "unreported" label; an alarm result calculated and output by the current-level system's own analysis model is marked with a "no report needed" label.
In an embodiment of the present invention, step S105 specifically includes:
the system at the current level reads all unreported data and determines the alarm reporting interface address of the superior system node in order to report the alarm; when reporting an alarm, the number of the reported object, the number of the original reporting system, and the number of the system making this report are added.
In an embodiment of the present invention, step S106 specifically includes:
the system at the current level acquires the list of all subordinate nodes, processes only the reported data whose reporting system number is in the subordinate node list, and does not process data whose reporting system number is not in the list.
In an embodiment of the present invention, the reported data is processed as follows:
after the reported data is obtained, the number of the reported object in the data is checked; for data whose reported object number matches the system number of the current level, the reporting state is changed to "no report needed"; data whose reported object number does not match the system number of the current level is stored and reported again, with the reporting system number in the data changed to the number of the current reporting system.
As described above, the method for distribution control and result synchronization of a multi-stage linkage analysis model according to the present invention has the following beneficial effects:
the invention solves the problems, present in existing network security big data analysis products, that the upper-level system cannot collect the data of the lower-level system and that the analysis models of the upper-level and lower-level systems are inconsistent, which causes security events to be missed or falsely reported.
Drawings
FIG. 1 is a flow chart illustrating a method for analysis model distribution control and result synchronization as disclosed in an embodiment of the present invention.
FIG. 2 is a system level diagram illustrating a method for analysis model distribution control and result synchronization as disclosed in an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
Referring to FIG. 1, the present invention provides a method for distribution control and result synchronization of a multi-level linkage analysis model, comprising the following steps:
S101: acquiring the superior-subordinate relation of the multi-level linkage system;
The cascade module obtains the superior-subordinate relation of the current system, thereby determining whether the current system needs to construct an analysis model, issue the analysis model, receive the analysis model, report alarms, and so on.
S102: the upper-level system issues the analysis model to the lower-level system;
All analysis models in the current-level system are read, including any analysis models issued to it by a superior system (if present). All subordinate system nodes in the cascade module are read, all analysis models of the current-level system are transmitted to all subordinate system nodes through the model issuing interface, and whether each subordinate system feeds back a successful model update is continuously monitored and recorded.
S103: the lower-level system receives the analysis model issued by the upper-level system;
All upper-level system nodes in the cascade module are read; the model receiving module processes only analysis models whose issuing source is an upper-level system node, compares them with the analysis models in the current library, executes an add or update operation, and at the same time feeds back to the upper-level system node that the analysis model was updated successfully.
S104: the lower-level system executes the analysis model issued by the upper-level system;
All analysis models in the current-level system are read and executed according to their execution conditions, and the computed alarm results are output to the alarm library. For an alarm result computed by an analysis model of the superior system, a field holding the number of the reported object is added to the alarm result and it is marked with an "unreported" label; an alarm result computed by the current system's own analysis model is marked with a "no report needed" label.
S105: the lower-level system reports the analysis result of the analysis model;
The current-level system reads all unreported data from the alarm library and determines the alarm reporting interface address of the upper-level system node in order to report; when reporting, the number of the reported object, the number of the original reporting system, and the number of the system making this report are added.
S106: the upper-level system acquires the reported analysis result.
The current-level system obtains the list of all subordinate nodes through the cascade module; the alarm reporting module processes only data whose reporting system number is in the subordinate node list, and data not in the list is not processed. After the reported data is obtained, the number of the reported object in the data is checked. Data whose reported object number matches the current-level system number has its reporting state changed to "no report needed" and is then stored in the current-level alarm library. Data whose reported object number does not match the current-level system number is stored in the current-level alarm library, the alarm reporting module of the lower-level system is called again to report the data once more, and the reporting system number in the data is changed to the number of the current reporting system.
Referring to FIG. 2, which shows the method for distribution control and result synchronization based on the multi-cascade dynamic model according to the present invention, each system level is introduced as follows:
The first-level cascade module, which is also the topmost cascade module, is provided with a model building module, an analysis engine module, an alarm library and a model issuing module.
The user builds an analysis model through the model building module; the analysis model performs its calculation through the current-level security big data storage and extraction element, and an alarm result is generated. When the analysis model is set to be issued, the system obtains the list of all lower-level systems through the cascade registration module, sends the analysis model to the lower-level systems and requires execution or periodic execution; at the same time it continuously monitors the issuing status of the analysis model and the alarm reporting information.
The second-level and third-level cascade modules are intermediate-layer cascade modules and are provided with a model building module, a model receiving module, an analysis engine module, an alarm library, a model issuing module and an alarm reporting module. An intermediate-layer cascade module can build an analysis model through its model building module and can also obtain an analysis model issued by a higher level through its model receiving module; the analysis model is likewise calculated through the current-level security big data storage and extraction element, and an alarm result is generated. After an alarm result is generated, whether the alarm needs to be reported is judged according to the source of the model that generated it; the model issuing module obtains the list of all lower-level systems through the cascade module, sends all analysis models to be issued to the lower level and requires execution or periodic execution; at the same time it continuously monitors the issuing status of the analysis model and the alarm reporting information.
The lowest cascade module is the bottom-layer cascade module and is provided with a model building module, a model receiving module, an analysis engine module, an alarm library and an alarm reporting module. The bottom-layer cascade module can build an analysis model through its model building module and can also receive an analysis model issued by a higher level through its model receiving module; the analysis model is likewise calculated through the current-level security big data storage and extraction element, and an alarm result is generated. After an alarm is generated, whether it needs to be reported is judged according to the source of the model that generated it.
In conclusion, the invention solves the problem in the prior art that inconsistency between the analysis models of the upper-level and lower-level systems causes security events to be missed or falsely reported. The invention therefore effectively overcomes various defects of the prior art and has high industrial utilization value.
The foregoing embodiments are merely illustrative of the principles and utilities of the present invention and are not intended to limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical idea of the present invention be covered by the claims of the present invention.

Claims (9)

1. A method for distribution control and result synchronization of a multi-level linkage analysis model, characterized by comprising the following steps:
S101: acquiring the superior-subordinate relation of the multi-level linkage system;
S102: the upper-level system issues the analysis model to the lower-level system;
S103: the lower-level system receives the analysis model issued by the upper-level system;
S104: the lower-level system executes the analysis model issued by the upper-level system;
S105: the lower-level system reports the analysis result of the analysis model;
S106: the upper-level system acquires the reported analysis result.
2. The method for distribution control and result synchronization of a multi-stage linkage analysis model according to claim 1, wherein step S101 is specifically as follows:
acquiring the superior-subordinate relation of the system at the current level, so as to determine whether the system at the current level needs to construct an analysis model, issue the analysis model, receive the analysis model, and report alarm information.
3. The method for distribution control and result synchronization of a multi-stage linkage analysis model according to claim 1, wherein step S102 is specifically as follows:
reading all analysis models of the system at the current level, including the analysis models issued to the current-level system by a superior system; reading all subordinate system nodes, transmitting all analysis models of the current-level system to all subordinate system nodes through the model issuing interface, and continuously monitoring and recording whether each subordinate system feeds back that the analysis model was updated successfully.
4. The method for distribution control and result synchronization of a multi-stage linkage analysis model according to claim 1, wherein step S103 is specifically as follows:
reading all superior system nodes, processing only the analysis models whose issuing source is a superior system node, comparing them with the currently stored analysis models, executing an add or update operation, and at the same time feeding back to the superior system node that the analysis model was updated successfully.
5. The method for distribution control and result synchronization of a multi-stage linkage analysis model according to claim 1, wherein step S104 is specifically as follows:
reading all the analysis models in the system at the current level, executing them according to their execution conditions, and outputting alarm results.
6. The method for distribution control and result synchronization of a multi-level linkage analysis model according to claim 5, wherein the alarm result is processed in the following manner:
for an alarm result calculated and output by an analysis model of a superior system, an additional field holding the number of the reported object is added to the alarm result and the alarm result is marked with an "unreported" label; an alarm result calculated and output by the current-level system's own analysis model is marked with a "no report needed" label.
7. The method for distribution control and result synchronization of a multi-stage linkage analysis model according to claim 1, wherein step S105 is specifically as follows:
the system at the current level reads all unreported data and determines the alarm reporting interface address of the superior system node in order to report the alarm; when reporting an alarm, the number of the reported object, the number of the original reporting system, and the number of the system making this report are added.
8. The method for distribution control and result synchronization of a multi-stage linkage analysis model according to claim 1, wherein step S106 is specifically as follows:
the system at the current level acquires the list of all subordinate nodes, processes only the reported data whose reporting system number is in the subordinate node list, and does not process data whose reporting system number is not in the list.
9. The method for distribution control and result synchronization of a multi-stage linkage analysis model according to claim 8, wherein the reported data is processed in the following manner:
after the reported data is obtained, the number of the reported object in the data is checked; for data whose reported object number matches the system number of the current level, the reporting state is changed to "no report needed"; data whose reported object number does not match the system number of the current level is stored and reported again, with the reporting system number in the data changed to the number of the current reporting system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111357130.7A CN114070623A (en) 2021-11-16 2021-11-16 Method for distribution control and result synchronization of multi-stage linkage analysis model


Publications (1)

Publication Number Publication Date
CN114070623A true CN114070623A (en) 2022-02-18

Family

ID=80273107



Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022367A (en) * 2007-03-27 2007-08-22 杭州华为三康技术有限公司 Network management method and system
CN107276830A (en) * 2017-07-28 2017-10-20 郑州云海信息技术有限公司 A kind of cascade management system and method for secure network



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20220218