CN114422327B - Alarm handling suggestion generation method, device and system and computer readable storage medium - Google Patents


Info

Publication number
CN114422327B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210041231.1A
Other languages
Chinese (zh)
Other versions
CN114422327A (en)
Inventor
迟鹏飞
武方
苗维杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Zhongdian Anke Modern Technology Co ltd
Original Assignee
Hangzhou Zhongdian Anke Modern Technology Co ltd

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/06 Management of faults, events, alarms or notifications
              • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
          • G06N 3/00 Computing arrangements based on biological models
            • G06N 3/02 Neural networks
              • G06N 3/04 Architecture, e.g. interconnection topology
              • G06N 3/08 Learning methods
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
        • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
          • Y04S 10/00 Systems supporting electrical power generation, transmission or distribution
            • Y04S 10/50 Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications


Abstract

A method of generating alarm handling suggestions comprises: a security management system generates alarm information through association analysis; an alarm handling suggestion is determined according to the identification information of the alarm information; and the alarm handling suggestion is displayed according to a configurable display template. Because the handling suggestion is supplied together with the alarm information, the user obtains not only the detailed information about the alarm but also, promptly and accurately, the handling suggestion information such as the hazard range, the hazard degree and the countermeasures that can be taken in response to the hazard. The configurability of the knowledge base and of the display template further improves the operability and flexibility of the handling suggestion information, allows it to be updated and supplemented in time, and improves its accuracy.

Description

Alarm handling suggestion generation method, device and system and computer readable storage medium
Technical Field
The present disclosure relates to the field of automated industrial process safety, and more particularly, to a method, apparatus, system, and computer-readable storage medium for generating an alarm handling suggestion.
Background
With the continuous development of network technology and the growing dependence of people's lives and work on the network, information security has become particularly important, and the theory and technology of information security management are evolving continuously as well.
To keep up with new security challenges, security devices such as firewalls, UTM appliances, intrusion detection and prevention systems, vulnerability scanning systems, antivirus systems and terminal management systems have appeared in network information security management. These devices are isolated from one another and cannot correlate or share information, so each forms a separate "security defense island" and no synergy arises between them. Complex IT resources and their security equipment generate large amounts of security data, such as security logs and events, and to process this mass of mutually disconnected information an operator has to work through the console interfaces and alarm windows of each product in turn. On the one hand this makes security management inefficient and makes the real security hazards hard to find; on the other hand, such isolated security devices cannot meet the increasingly strict information system audit and internal control requirements, the level protection requirements, and the ever-growing business continuity requirements of network users. To address this, a security management (Security Operation Center, SOC) system provides a collaborative platform that lets the various isolated security devices work together.
In the prior art, the SOC system comprises a number of functional modules, such as an asset management module, a vulnerability management module, a traffic management module, an association analysis module and a risk calculation module, each responsible for collecting and managing part of the information of the whole network: for example, the asset management module collects and manages the asset information of the whole network, the vulnerability management module collects and manages the vulnerability information of all assets of the whole network, and the association analysis module and the risk calculation module process the security events of the whole network. In this way, every module takes part in the overall process of preventing and handling network security events.
In the prior art, when the alarm information generated by the SOC is displayed to the user, the user can only view the details of the alarm and cannot learn the hazard range, the hazard degree or the precautionary measures that can be taken in response to the hazard. A technical solution to these shortcomings of the prior art is therefore urgently needed.
Disclosure of Invention
In view of the foregoing technical problems, the present disclosure proposes an alert handling suggestion generation method, apparatus, system, and computer-readable storage medium.
In a first aspect, a method of generating an alert treatment recommendation includes:
the security management system generates alarm information through association analysis;
determining alarm treatment suggestions according to the identification information of the alarm information;
and according to a configurable display template, displaying the alarm handling suggestion.
Further, the identification information of the alarm information includes the type of the alarm information, and the corresponding alarm handling suggestion is determined according to the specific type of the alarm information once that type has been determined.
Further, the alarm handling suggestion includes the principle and hazard of the alarm, the handling suggestion and remarks for the alarm, and reference cases, or a combination of one or more of these three.
Further, the security management system comprises a knowledge base in which configurable system fields and custom fields are set, and the alarm handling suggestion is made configurable through these system fields and custom fields.
Further, an alarm handling suggestion generation model is included, which evaluates the alarm information in order to generate the alarm handling suggestion.
Further, the alarm treatment suggestion generation model is a neural network model, which is obtained by model training through sample data of a plurality of data sources; the sample data of the data source may include sample data accessible over a network, sample data provided by a variety of expert systems, and/or custom sample data.
Further, the configurable presentation template comprises built-in variables and/or custom variables, and rendering presentation of the alarm handling suggestion is achieved through assignment replacement of the built-in variables and/or custom variables.
In a second aspect, an alert treatment recommendation generation apparatus, the apparatus comprising:
the alarm information module is used for generating alarm information through association analysis by the security management system;
the alarm treatment suggestion module is used for determining alarm treatment suggestions according to the identification information of the alarm information;
and the display module is used for displaying the alarm treatment suggestion according to the configurable display template.
In a third aspect, an alarm handling suggestion generation system comprises a processor and a memory; the processor executes computer instructions stored in the memory to implement the method of any of the preceding first aspects.
In a fourth aspect, a computer readable storage medium stores computer instructions for causing a computer system to perform any of the methods of the first aspect.
The present disclosure discloses an alarm handling suggestion generation method, apparatus, system and computer-readable storage medium. The alarm handling suggestion generation method comprises the following steps: the security management system generates alarm information through association analysis; an alarm handling suggestion is determined according to the identification information of the alarm information; and the alarm handling suggestion is displayed according to a configurable display template. This scheme solves the technical problems of the prior art, namely insufficient alarm information, poor operability and insufficient flexibility. Because the handling suggestion information is supplied according to the alarm information, the user obtains not only the detailed information about the alarm but also, promptly and accurately, the handling suggestion information such as the hazard range, the hazard degree and the countermeasures that can be taken in response to the hazard. The configurability of the knowledge base and of the template further improves the operability and flexibility of the handling suggestion information, allows it to be updated and supplemented in time, and improves its accuracy.
The foregoing is only an overview of the technical solution of the present disclosure. So that the technical means of the disclosure can be understood more clearly and implemented in accordance with the specification, and so that the above and other objects, features and advantages of the disclosure can be more readily appreciated, the preferred embodiments are described in detail below with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, a brief description will be given below of the drawings required for the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1: flow chart of an alarm handling suggestion generation method of one embodiment of the present disclosure;
Fig. 2: flow chart of an alarm handling suggestion generation method of another embodiment of the present disclosure;
Fig. 3: an alarm handling suggestion generation apparatus of an embodiment of the present disclosure;
Fig. 4: block diagram of an alarm handling suggestion generation system of one embodiment of the present disclosure;
Fig. 5: structure diagram of a computer-readable storage medium for alarm handling suggestion generation of one embodiment of the present disclosure.
Detailed Description
Other advantages and effects of the present disclosure will become readily apparent to those skilled in the art from the following disclosure, which describes embodiments of the present disclosure by way of specific examples. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the disclosure by way of illustration, and only the components related to the disclosure are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
FIG. 1 is a flow chart of an alarm handling suggestion generation method provided by an embodiment of the present disclosure. The method may be performed by the alarm handling suggestion generation apparatus provided herein, which may be implemented as software or as a combination of software and hardware and may be integrated in an electronic device of a data processing system, such as a server or a terminal device. As shown in fig. 1, the alarm handling suggestion generation method includes the following steps:
Step 1: the security management system generates alarm information through association analysis.
A security management (Security Operation Center, SOC) system provides a collaborative platform that lets various isolated security devices work together. Through association analysis of the operating data of the various security devices, the SOC generates corresponding alarm information to warn of security events on those devices. In the prior art, however, the generated alarm information only states the alarm event, for example that a certain risk has occurred or that a certain type of intrusion alert has been raised; the scope of the hazard caused by the alarm, the degree of the hazard and the precautions that can be taken in response cannot be learned from the alarm information.
For this reason, the present disclosure optionally determines a corresponding alarm handling suggestion at the same time as the alarm information is generated.
Step 2: an alarm handling suggestion is determined according to the identification information of the alarm information.
Each item of alarm information corresponds to at least one distinct type of security event, and each security event has its own principle and hazard, its own handling suggestion, and one or more reference cases. This information is both urgently needed and valuable for managing security events, and it can constitute the alarm handling suggestion corresponding to the alarm information in the present application.
Principle and hazard: describes the principle of the risk associated with the alarm and the consequences it may bring about.
Handling suggestion: describes the handling advice provided for the alarm.
Reference case: describes previous analysis and handling cases.
In one embodiment, the various security event information, alarm information and corresponding alarm handling suggestions are organized and stored in a pre-set knowledge base.
In one embodiment, the SOC determines the alarm information through association analysis, and the alarm information includes identification information. The identification information may be a type that identifies the alarm information, which may be either a fuzzy type or a specific type. For example, for a database-access security event in which SQL is injected, the fuzzy type of the corresponding alarm information may be configured as a MYSQL type, and the specific type may be configured as an SQL injection type. The identification information may also be other information capable of identifying the alarm information, such as a unique code.
In one embodiment, configurable system fields and/or custom fields are set in the knowledge base, and through these fields the alarm handling suggestion is configurable; for example, the principle and hazard, the handling suggestion or the reference cases can be configured at will.
In one embodiment, as shown in fig. 2, after the SOC determines the alarm information through association analysis, it may query the pre-set knowledge base according to the configured identification information of the alarm information to determine the corresponding alarm handling suggestion. When the configured identification information is a specific type, the corresponding alarm handling suggestion can be queried and determined directly; when it is a fuzzy type, a matching query against the knowledge base can be carried out using keywords extracted from the security event information and the alarm information to determine the corresponding specific type, and the corresponding alarm handling suggestion is then determined from that type.
In one embodiment, a unique code may be used as the identification information of the alarm information, and the corresponding alarm handling suggestion is determined by looking up that unique code.
In one embodiment, the SOC provides an optional configuration for selecting whether to attach alarm handling suggestion information when alarm information is generated. Alternatively, a selectable trigger may be provided, such as a button, and the alarm handling suggestion corresponding to the alarm information is generated when it is triggered.
Step 3: the alarm handling suggestion is displayed according to a configurable display template.
In the SOC, a configurable display template is set for the alarm information and/or the alarm handling suggestion; the template uses built-in variables and/or custom variables so that the information, format and/or style can be configured.
In one embodiment, as shown in FIG. 5, an identifier of the alarm handling suggestion, such as a code of the suggestion, is appended to the alarm information. The template for the corresponding alarm handling suggestion is retrieved according to this identifier; the template contains built-in variables and/or custom variables. The specific information corresponding to the alarm handling suggestion is determined according to its code, and the suggestion is rendered and displayed by substituting values for the built-in variables and/or custom variables.
In one embodiment, as shown in fig. 2, the template and/or the specific information corresponding to the alarm handling suggestion may be held in a cache, for example a redis cache, and read directly from the cache during processing to improve processing efficiency.
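The three steps above (identification-based lookup in a knowledge base, keyword matching for fuzzy types, and template rendering by variable substitution with a cache in front), worked through as an added example; this is illustration written for this page, not the patent's or the assignee's code, and the knowledge-base records, alert shapes, keyword sets, field names and the use of `string.Template` are all assumptions.

```python
"""Knowledge-base lookup and template rendering for SOC alert handling
suggestions. Added illustration; all names, records and alerts below are
constructed assumptions, not an implementation from the patent."""
from dataclasses import dataclass, field
from string import Template
from typing import Optional


@dataclass
class Suggestion:
    """One knowledge-base record for a specific alert type (constructed)."""
    specific_type: str
    code: str                          # unique code, alternative identifier
    principle_and_hazard: str
    handling_advice: str
    reference_cases: list
    keywords: frozenset                 # used to resolve fuzzy-typed alerts
    custom_fields: dict = field(default_factory=dict)   # custom template vars


# Constructed sample knowledge base (assumption).
KNOWLEDGE_BASE = [
    Suggestion("SQL injection", "KB-0001",
               "Untrusted input is concatenated into SQL statements; data in "
               "the target database may be read or modified.",
               "Block the source address, review the affected query and move "
               "the application to parameterised statements.",
               ["Case 2021-17: injection against customer portal"],
               frozenset({"sql", "union", "select", "injection"}),
               {"hazard_degree": "high", "hazard_scope": "database tier"}),
    Suggestion("Weak database password", "KB-0002",
               "Dictionary passwords allow brute-force logins.",
               "Rotate the account password and enable lockout.",
               [], frozenset({"login", "brute", "password"}),
               {"hazard_degree": "medium", "hazard_scope": "single host"}),
]


@dataclass
class Alert:
    """Alarm information from association analysis (constructed shape)."""
    event_id: str
    asset: str
    fuzzy_type: Optional[str] = None      # e.g. "MYSQL"
    specific_type: Optional[str] = None   # e.g. "SQL injection"
    code: Optional[str] = None            # unique code alternative
    event_text: str = ""                  # raw security event description


def lookup(alert: Alert, kb=KNOWLEDGE_BASE) -> Optional[Suggestion]:
    """Resolve the alert's identification information to a KB record.

    Specific type or unique code: direct query. Fuzzy type only: keyword
    match over the event text; the best-scoring record wins, None if no
    keyword overlaps at all.
    """
    if alert.specific_type:
        return next((s for s in kb if s.specific_type == alert.specific_type), None)
    if alert.code:
        return next((s for s in kb if s.code == alert.code), None)
    if alert.fuzzy_type:
        tokens = {t.strip(".,;:()").lower() for t in alert.event_text.split()}
        best, best_score = None, 0
        for s in kb:
            score = len(tokens & s.keywords)
            if score > best_score:
                best, best_score = s, score
        return best
    return None


# Configurable display template: $event_id/$asset are "built-in" variables,
# $hazard_degree/$hazard_scope come from the record's custom fields.
DEFAULT_TEMPLATE = Template(
    "[$event_id] $asset: $specific_type (hazard $hazard_degree, scope $hazard_scope)\n"
    "Principle and hazard: $principle_and_hazard\n"
    "Handling advice: $handling_advice\n"
    "Reference cases: $reference_cases"
)

_render_cache = {}   # in-process stand-in for the redis cache in the text


def render(alert: Alert, template: Template = DEFAULT_TEMPLATE) -> str:
    """Render the suggestion by variable substitution, cached per event id."""
    if alert.event_id in _render_cache:
        return _render_cache[alert.event_id]
    s = lookup(alert)
    if s is None:
        return f"[{alert.event_id}] {alert.asset}: no handling suggestion configured"
    values = {
        "event_id": alert.event_id, "asset": alert.asset,
        "specific_type": s.specific_type,
        "principle_and_hazard": s.principle_and_hazard,
        "handling_advice": s.handling_advice,
        "reference_cases": "; ".join(s.reference_cases) or "none",
        **s.custom_fields,
    }
    # safe_substitute leaves an unset custom variable visible in the output
    # instead of raising, so a misconfigured template still renders.
    out = template.safe_substitute(values)
    _render_cache[alert.event_id] = out
    return out
```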
In one embodiment, an alarm handling suggestion generation model is provided in the SOC, which evaluates the alarm information in order to generate the alarm handling suggestion. The model is a machine learning model obtained by training on sample data acquired from one or more data sources.
In one embodiment, the alarm handling suggestion generation model is trained as a neural network model, such as a multi-layer feed-forward (BP) neural network, a convolutional neural network (CNN), a deep neural network (DNN), a long short-term memory network (LSTM) or a residual network (ResNet). Sample data sources include network data, data from various expert systems, and custom samples.
In one embodiment, a convolutional neural network (CNN) model is adopted. During training, a ResNet model extracts data features from the sample data, and the extracted features are input to the CNN model being trained; a training difference value is calculated with a multi-task loss function, the training parameters are corrected accordingly, and the CNN model is trained iteratively in this way. Training ends when the end condition is met, for example when the difference value falls below a certain threshold, and the resulting CNN model is the alarm handling suggestion generation model.
This alarm handling suggestion generation method solves the technical problems of the prior art, namely insufficient alarm information, poor operability and insufficient flexibility. Because the handling suggestion information is supplied according to the alarm information, the user obtains not only the detailed information about the alarm but also, promptly and accurately, the handling suggestion information such as the hazard range, the hazard degree and the countermeasures that can be taken in response to the hazard. The configurability of the knowledge base and of the template further improves the operability and flexibility of the handling suggestion information, allows it to be updated and supplemented in time, and improves its accuracy.
Fig. 3 is a schematic diagram of an apparatus for generating an alarm handling suggestion according to an embodiment of the present disclosure, the apparatus comprising:
the alarm information module is used for generating alarm information through association analysis by the security management system;
the alarm treatment suggestion module is used for determining alarm treatment suggestions according to the identification information of the alarm information;
and the display module is used for displaying the alarm treatment suggestion according to the configurable display template.
As shown in fig. 3, the functional modules of the alarm handling suggestion generation apparatus implement the following functions:
the security management system generates alarm information through association analysis;
Determining alarm treatment suggestions according to the identification information of the alarm information;
Step three: displaying the alarm handling suggestion according to a configurable display template.
In the security management system SOC, a configurable display template is set for the alarm information and/or the alarm handling suggestion; the template uses built-in variables and/or custom variables so that the information, format and/or style can be configured.
In one embodiment, as shown in FIG. 2, an identification of the alarm handling suggestion, such as the code of the alarm handling suggestion, is attached to the alarm information. The template of the corresponding alarm handling suggestion is retrieved according to that identification; the template contains built-in variables and/or custom variables. The specific information corresponding to the alarm handling suggestion is determined according to its code, and the suggestion is rendered and displayed by substituting values for the built-in variables and/or custom variables.
In one embodiment, as shown in fig. 2, the template and/or the specific information corresponding to the alarm handling suggestion may be kept in a cache, for example a redis cache, and read directly from the cache when the information is processed, so as to improve processing efficiency.
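The rendering step described above (retrieve the template by the suggestion code attached to the alarm, substitute built-in and custom variables, serve the template and suggestion content from a cache), as an added example that is not code from the patent or its assignee. The {{builtin.x}} / {{custom.x}} variable syntax, the HTML output, the sample template and the in-memory cache standing in for redis are assumptions. It also shows the check a practitioner wants here: built-in variables come from the alarm information, so an SQL injection alarm's payload is attacker-controlled text, and substituting it into a template shown in a web console without escaping would turn the alarm into a stored script injection against the analyst.

```python
"""Render an alarm handling suggestion from a configurable display template.

Added example for this page; it is not code from the patent or its assignee.
The {{builtin.x}} / {{custom.x}} variable syntax, the HTML output format, the
sample template and the in-memory cache standing in for redis are assumptions.
"""
import html
import re

# A variable reference is a dotted name inside double braces; nothing else is
# interpreted, so a template cannot evaluate expressions or call code.
_VAR_REF = re.compile(r"\{\{\s*((?:builtin|custom)\.[A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def render(template, builtin, custom):
    """Substitute built-in and custom variables into the template, HTML-escaped.

    builtin: values taken from the alarm information (attacker-influenced,
             e.g. the request that triggered an SQL injection alarm).
    custom:  values configured in the knowledge base for this suggestion.
    An unknown variable name raises instead of rendering empty text, so a
    mis-configured template is caught rather than shown as a blank field.
    """
    values = {f"builtin.{k}": v for k, v in builtin.items()}
    values.update({f"custom.{k}": v for k, v in custom.items()})

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"template references unknown variable {name!r}")
        # Escape every value: the alarm payload is untrusted. The substitution
        # is a single pass, so a value containing "{{...}}" is shown literally
        # and is never expanded again.
        return html.escape(str(values[name]), quote=True)

    return _VAR_REF.sub(substitute, template)


class SuggestionCache:
    """Cache keyed by suggestion code; stands in for the redis cache in the text."""

    def __init__(self, loader):
        self._loader = loader   # called only on a miss
        self._entries = {}
        self.misses = 0

    def get(self, code):
        if code not in self._entries:
            self.misses += 1
            self._entries[code] = self._loader(code)
        return self._entries[code]


# Constructed knowledge-base content (assumed): one suggestion with its display template.
_KB = {
    "KB-0001": {
        "template": (
            "<h3>{{builtin.alarm_name}} ({{builtin.specific_type}})</h3>"
            "<p>Source: {{builtin.src_ip}} Payload: <code>{{builtin.payload}}</code></p>"
            "<p>Principle and hazard: {{custom.principle_hazard}}</p>"
            "<p>Handling advice: {{custom.advice}}</p>"
        ),
        "custom": {
            "principle_hazard": "Unvalidated input reaches the SQL layer.",
            "advice": "Block the source, parameterise the statement, review the query log.",
        },
    },
}

CACHE = SuggestionCache(lambda code: _KB[code])


def render_alarm(alarm):
    """Render the suggestion whose code is attached to the alarm information."""
    entry = CACHE.get(alarm["suggestion_code"])
    return render(entry["template"], alarm["builtin"], entry["custom"])


# Constructed alarm (assumed content): the payload carries script and a variable reference.
SAMPLE_ALARM = {
    "suggestion_code": "KB-0001",
    "builtin": {
        "alarm_name": "SQL injection attempt",
        "specific_type": "SQL injection",
        "src_ip": "10.0.0.5",
        "payload": "1' UNION SELECT '<script>alert(1)</script>'--{{custom.advice}}",
    },
}

if __name__ == "__main__":
    print(render_alarm(SAMPLE_ALARM))
```

The rendered page shows the payload as `&lt;script&gt;...` and keeps the `{{custom.advice}}` it contains as literal text, so neither the browser nor the template engine acts on content that came from the attacker; only the template text itself, which is operator-configured, is interpreted.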
In an embodiment, an alarm handling suggestion generation model is provided in the security management system SOC for evaluating and generating the alarm handling suggestion from the alarm information. The model is a machine learning model obtained by training on sample data collected from one or more data sources.
In one embodiment, a neural network model is used to train the alarm handling suggestion generation model, such as a multi-layer feed-forward (BP) neural network, a convolutional neural network (CNN), a deep neural network (DNN), a long short-term memory network (LSTM), a residual network (ResNet), and the like. Sample data sources include network data, data from various expert systems, and custom samples.
In one embodiment, a CNN model is used. During training, a ResNet model extracts data features from the sample data, and the extracted features are input into the CNN model being trained; a training difference value is calculated with a multi-task loss function and used to correct the training parameters, the CNN model is trained iteratively in this way, and training ends when the end condition is met, for example when the training difference value falls below a set threshold, yielding the alarm handling suggestion generation model.
Fig. 4 is a system configuration diagram according to an embodiment of the present disclosure. As shown in fig. 4, the system 40 includes a processor and a memory; the processor executes computer instructions stored in the memory to implement all or part of the steps of the alarm handling suggestion generation method of the embodiments described above.
Fig. 5 is a schematic diagram of a computer-readable storage medium according to an embodiment of the present disclosure. As shown in fig. 5, the computer-readable storage medium 50 stores non-transitory computer-readable instructions 51. When the instructions 51 are executed by a processor, all or part of the steps of the alarm handling suggestion generation method of the embodiments described above are performed.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be contained in the electronic device; or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: constructing a basic page, wherein the page code of the basic page is used for constructing an environment required by the operation of the service page and/or realizing the same abstract workflow in the similar service scene; constructing one or more page templates, wherein the page templates are used for providing code templates for realizing service functions in service scenes; based on the corresponding page template, generating a final page code of each page of the service scene through code conversion of a specific function of each page of the service scene; and merging the generated final page code of each page into the page code of the basic page to generate the code of the service page.
Alternatively, the computer-readable medium carries one or more programs that, when executed by the electronic device, cause the electronic device to: constructing a basic page, wherein the page code of the basic page is used for constructing an environment required by the operation of the service page and/or realizing the same abstract workflow in the similar service scene; constructing one or more page templates, wherein the page templates are used for providing code templates for realizing service functions in service scenes; based on the corresponding page template, generating a final page code of each page of the service scene through code conversion of a specific function of each page of the service scene; and merging the generated final page code of each page into the page code of the basic page to generate the code of the service page.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software, or may be implemented by means of hardware. The name of the unit does not in any way constitute a limitation of the unit itself, for example the first acquisition unit may also be described as "unit acquiring at least two internet protocol addresses".
The foregoing description is only of the preferred embodiments of the present disclosure and an explanation of the technical principles employed. Those skilled in the art will appreciate that the scope of the disclosure is not limited to the specific combinations of features described above, but also covers other embodiments formed by any combination of the above features or their equivalents without departing from the spirit of the disclosure, for example embodiments formed by substituting the above features with technical features of similar function disclosed in the present disclosure (but not limited thereto).

Claims (4)

1. A method of generating an alert treatment recommendation, the method comprising:
step one, a security management system generates alarm information through association analysis;
step two, determining alarm treatment suggestions according to the identification information of the alarm information;
the identification information of the alarm information comprises the type of the alarm information, and corresponding alarm treatment suggestions are determined according to the determined specific type of the alarm information;
the alarm handling suggestion includes one or a combination of the following three: the principle and hazard of the alarm, the handling advice and opinion for the alarm, and a reference case; wherein the principle and hazard of the alarm describe the risk mechanism involved in the alarm and its possible consequences; the handling advice and opinion for the alarm describe the handling suggestions provided for the alarm; and the reference case describes a past analysis and handling case;
the security management system comprises a knowledge base, wherein configurable system fields and/or custom fields are set in the knowledge base, and the configurable alarm treatment suggestion is realized through the configurable system fields and/or custom fields;
step three, according to a configurable display template, displaying the alarm treatment suggestion;
an identification of an alarm treatment suggestion is attached to the alarm information;
extracting a template of the corresponding alarm treatment suggestion according to the identification of the alarm treatment suggestion, wherein the template comprises built-in variables;
determining specific information corresponding to the alarm treatment suggestion according to the code of the alarm treatment suggestion, and realizing rendering display of the alarm treatment suggestion through assignment replacement of the built-in variable and/or the custom variable;
the security management system comprises an alarm handling suggestion generation model, which is used for evaluating and generating the alarm handling suggestion according to the alarm information;
the alarm treatment suggestion generation model is a neural network model, and is obtained by model training through sample data of a plurality of data sources;
the sample data of the data source comprises sample data accessible on a network, sample data provided by a plurality of expert systems, and/or custom sample data;
adopting a convolutional neural network CNN model, extracting data features from the sample data by using a ResNet model in the training process, and inputting the extracted data features into the CNN model being trained; calculating a training difference value with a multi-task loss function, correcting the training parameters, continuing to train the CNN model iteratively, and ending the training of the CNN model when the training end condition is met, thereby obtaining the alarm handling suggestion generation model.
2. An alert treatment recommendation generating device, the device comprising:
the alarm information module is used for generating alarm information through association analysis by the security management system;
the alarm treatment suggestion module is used for determining alarm treatment suggestions according to the identification information of the alarm information;
the identification information of the alarm information comprises the type of the alarm information, and corresponding alarm treatment suggestions are determined according to the determined specific type of the alarm information;
the alarm handling suggestion includes one or a combination of the following three: the principle and hazard of the alarm, the handling advice and opinion for the alarm, and a reference case; wherein the principle and hazard of the alarm describe the risk mechanism involved in the alarm and its possible consequences; the handling advice and opinion for the alarm describe the handling suggestions provided for the alarm; and the reference case describes a past analysis and handling case;
the security management system comprises a knowledge base, wherein configurable system fields and/or custom fields are set in the knowledge base, and the configurable alarm treatment suggestion is realized through the configurable system fields and/or custom fields;
the display module is used for displaying the alarm treatment suggestion according to a configurable display template;
an identification of an alarm treatment suggestion is attached to the alarm information;
extracting a template of the corresponding alarm treatment suggestion according to the identification of the alarm treatment suggestion, wherein the template comprises built-in variables;
determining specific information corresponding to the alarm treatment suggestion according to the code of the alarm treatment suggestion, and realizing rendering display of the alarm treatment suggestion through assignment replacement of the built-in variable and/or the custom variable;
the security management system comprises an alarm handling suggestion generation model, which is used for evaluating and generating the alarm handling suggestion according to the alarm information;
the alarm treatment suggestion generation model is a neural network model, and is obtained by model training through sample data of a plurality of data sources;
the sample data of the data source comprises sample data accessible on a network, sample data provided by a plurality of expert systems, and/or custom sample data;
adopting a convolutional neural network CNN model, extracting data features from the sample data by using a ResNet model in the training process, and inputting the extracted data features into the CNN model being trained; calculating a training difference value with a multi-task loss function, correcting the training parameters, continuing to train the CNN model iteratively, and ending the training of the CNN model when the training end condition is met, thereby obtaining the alarm handling suggestion generation model.
3. An alarm handling advice generation system comprising a processor and a memory, the processor executing computer instructions stored in the memory, implementing the method of claim 1.
4. A computer-readable storage medium storing non-transitory computer-readable instructions that, when executed by a computer, cause the computer to perform the method of claim 1.
CN202210041231.1A 2022-01-14 2022-01-14 Alarm handling suggestion generation method, device and system and computer readable storage medium Active CN114422327B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210041231.1A CN114422327B (en) 2022-01-14 2022-01-14 Alarm handling suggestion generation method, device and system and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210041231.1A CN114422327B (en) 2022-01-14 2022-01-14 Alarm handling suggestion generation method, device and system and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114422327A CN114422327A (en) 2022-04-29
CN114422327B true CN114422327B (en) 2023-06-20

Family

ID=81273216

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210041231.1A Active CN114422327B (en) 2022-01-14 2022-01-14 Alarm handling suggestion generation method, device and system and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114422327B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117240554B (en) * 2023-09-19 2024-05-07 海通证券股份有限公司 Security event management method and electronic equipment
CN118012725B (en) * 2024-04-09 2024-07-09 西安热工研究院有限公司 Trusted management platform alarm management method, system, equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571407A (en) * 2010-12-30 2012-07-11 中国移动通信集团河北有限公司 Alarm correlation analysis method and device
CN112884177A (en) * 2021-03-09 2021-06-01 国网冀北电力有限公司信息通信分公司 Communication management system defect order assigning method and device
CN113516565B (en) * 2021-04-08 2024-07-30 国家电网有限公司 Knowledge base-based intelligent alarm processing method and device for power monitoring system
CN113495825A (en) * 2021-06-17 2021-10-12 中国工商银行股份有限公司 Line alarm processing method and device, electronic equipment and readable storage medium
CN113821408B (en) * 2021-09-23 2024-08-27 中国建设银行股份有限公司 Server alarm processing method and related equipment

Also Published As

Publication number Publication date
CN114422327A (en) 2022-04-29

Similar Documents

Publication Publication Date Title
CN114422327B (en) Alarm handling suggestion generation method, device and system and computer readable storage medium
US20190258747A1 (en) Interactive digital twin
US10365945B2 (en) Clustering based process deviation detection
CN112487208B (en) Network security data association analysis method, device, equipment and storage medium
CN105556517A (en) Smart search refinement
CN112527791A (en) Intelligent urban brain big data system
CN113886606B (en) Data annotation method, device, medium and equipment based on knowledge graph
CA2954448C (en) System and method for identifying relevant information for an enterprise
US20210326366A1 (en) Generation of lineage data subset based upon business role
CN115809302A (en) Metadata processing method, device, equipment and storage medium
CN112100239A (en) Portrait generation method and apparatus for vehicle detection device, server and readable storage medium
Happa et al. Assessing a decision support tool for SOC analysts
CN112330335A (en) Tracing method and device in agricultural production process, storage medium and electronic equipment
Bhargavi et al. Dynamic complex event processing—adaptive rule engine
US20240121274A1 (en) Methods and systems for processing cyber incidents in cyber incident management systems using dynamic processing hierarchies
CN117331779A (en) Storage visualization processing method and device based on three-dimensional digital twin
Blackwell et al. Computer says ‘don’t know’-interacting visually with incomplete AI models
US20220292426A1 (en) Systems and methods for creating, training, and evaluating models, scenarios, lexicons, and policies
CN114416673A (en) User behavior abnormity detection method and system embedded with tense
US10909242B2 (en) System and method for detecting security risks in a computer system
ur Rehman et al. Big data analysis and implementation in different areas using IoT
US9053422B1 (en) Computer system and method for planning a strategy from data and model ontologies to meet a challenge
TWI536289B (en) System and method for identifying relevant information for an enterprise
Computing DTSHPS’18
CN117435577A (en) Big data supervision method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 311215 Room 216, Floor 2, Building B, No. 858, Jianshe Second Road, Xiaoshan Economic and Technological Development Zone, Xiaoshan District, Hangzhou City, Zhejiang Province

Applicant after: Hangzhou Zhongdian Anke Modern Technology Co.,Ltd.

Address before: 310051 Building 3, No. 351, Changhe Road, Changhe Street, Binjiang District, Hangzhou City, Zhejiang Province

Applicant before: Hangzhou rischen Anke Technology Co.,Ltd.

GR01 Patent grant
GR01 Patent grant