CN114579809A - Event analysis method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114579809A
Authority
CN
China
Prior art keywords
link
event
matching
pattern
mode
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210088238.9A
Other languages
Chinese (zh)
Inventor
林皓
吴迪
杨泳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing VRV Software Corp Ltd
Original Assignee
Beijing VRV Software Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing VRV Software Corp Ltd
Priority to CN202210088238.9A
Publication of CN114579809A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G06F16/903 Querying

Landscapes

  • Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Software Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides an event analysis method, an event analysis device, an electronic device and a storage medium. The method comprises the following steps: acquiring pattern rules, associating the pattern rules and generating a pattern matching link; acquiring an input event stream, and matching the event sources in the input event stream with the pattern matching link; if the event sources are successfully matched with the pattern matching link, acquiring a pattern matching state link; and obtaining an event link analysis result of the input event stream based on the pattern matching state link. According to the method and the device, the pattern rules are acquired and associated to generate the pattern matching link, and the event sources in the input event stream to be analyzed are matched against the pattern matching link to obtain the pattern matching state link, so that the event can be traced back completely and accurately and analyzed precisely.

Description

Event analysis method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data analysis technologies, and in particular, to an event analysis method and apparatus, an electronic device, and a storage medium.
Background
As ubiquitous sensor networks and smart devices continue to collect more and more data, we face the challenge of analyzing the growing data stream in near real-time. Being able to quickly respond to changing trends or provide up-to-date business intelligence may be a determining factor in the success or failure of a company. A key issue in real-time processing is the detection of event patterns in the data stream.
At present, conventional data processing is mainly based on relational databases. Their processing capacity is limited when faced with massive data, and acquisition, analysis and processing suffer from high latency and low throughput when faced with heterogeneous and multidimensional data. A performance bottleneck therefore exists, and the requirements of customers for data analysis, correlation, processing and sorting in the new environment cannot be met.
At present, conventional data correlation analysis has the following defects:
1. The data sources are limited. Conventional data correlation analysis mainly takes statically stored data as its data source, but with the development of internet services, more and more demands require the rapid analysis and processing of real-time data.
2. Large-scale data processing capacity is lacking. Data acquisition, analysis, processing and storage face huge challenges in the case of massive, heterogeneous and multidimensional data.
3. Current correlation analysis capability is mainly based on a single event; the capability to perform time-sequence pattern matching on a plurality of different events transmitted in succession is lacking.
4. Conventional event analysis means are limited to conventional operations (filtering, conversion, aggregation, joining and the like); the capability to analyze a series of complex events is lacking.
Disclosure of Invention
The invention provides an event analysis method, an event analysis device, an electronic device and a storage medium, which are used to overcome the defects of a single data source and insufficient event analysis capability in the prior art and to achieve accurate analysis of various kinds of data.
The invention provides an event analysis method, which comprises the following steps:
acquiring pattern rules, associating the pattern rules and generating a pattern matching link;
acquiring an input event stream, and matching the event sources in the input event stream with the pattern matching link;
if the event sources are successfully matched with the pattern matching link, acquiring a pattern matching state link;
and obtaining an event link analysis result of the input event stream based on the pattern matching state link.
According to the event analysis method provided by the present invention, matching an event source in the input event stream with the pattern matching link includes:
acquiring the configuration conditions of the pattern rules;
matching an event source in the input event stream with the pattern matching link based on the configuration conditions.
According to the event analysis method provided by the present invention, matching an event source in the input event stream with the pattern matching link includes:
acquiring the configuration conditions and configuration quantifiers of the pattern rules;
matching an event source in the input event stream with the pattern matching link based on the configuration conditions and the configuration quantifiers.
According to the event analysis method provided by the present invention, associating the pattern rules to generate a pattern matching link includes:
creating a start node of the pattern matching link;
associating the pattern rules that have a business logic relationship to generate an initial pattern matching link;
generating the pattern matching link based on the start node and the initial pattern matching link.
According to the event analysis method provided by the present invention, associating the pattern rules that have a business logic relationship to generate an initial pattern matching link includes:
associating the pattern rules according to at least one of a first link triggering strategy, a second link triggering strategy and a third link triggering strategy, and generating the initial pattern matching link;
wherein the first link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a first corresponding event source, each pattern rule must match each corresponding event source in the input event stream in turn, with no other event source in between;
the second link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a second corresponding event source, non-corresponding event sources are ignored until another corresponding event source is successfully matched;
the third link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a third corresponding event source, non-corresponding event sources are ignored and all corresponding event sources that are successfully matched are acquired.
According to the event analysis method provided by the present invention, matching an event source in the input event stream with the pattern matching link includes:
performing state conversion on the pattern matching link according to a non-deterministic finite automaton object to generate an initial pattern matching state link;
matching the event sources in the input event stream with the initial pattern matching state link.
The present invention also provides an event analysis device, including:
a rule association module, configured to acquire pattern rules, associate the pattern rules and generate a pattern matching link;
a data input module, configured to acquire an input event stream and match the event sources in the input event stream with the pattern matching link;
an event matching module, configured to acquire a pattern matching state link if the event sources are successfully matched with the pattern matching link;
and a result output module, configured to obtain an event link output result of the input event stream based on the pattern matching state link.
The present invention also provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of the event analysis method as described in any one of the above when executing the computer program.
The invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the event analysis method as described in any one of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of the event analysis method as described in any one of the above.
According to the event analysis method, the event analysis device, the electronic equipment and the storage medium, the pattern rule is obtained, and then the obtained pattern rule is associated in time sequence to generate the pattern matching link; matching an event source in the input event stream to be analyzed with the pattern matching link, and acquiring a pattern matching state link when the event source in the input event stream is successfully matched with the pattern matching link; by analyzing the pattern matching state link, events can be traced back completely and accurately, and accurate analysis can be made.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow diagram of an event analysis method provided by the present invention;
FIG. 2 is a schematic structural diagram of a pattern rule of the event analysis method provided by the present invention;
FIG. 3 is a schematic diagram of a pattern matching state link provided by the present invention;
FIG. 4 is a schematic structural diagram of an event analysis device provided in the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," and the like in the description of the invention are used to distinguish between similar elements and do not necessarily describe a particular sequential or chronological order. It is to be understood that the data so used are interchangeable under appropriate circumstances, so that embodiments of the invention may be practiced in orders other than those specifically illustrated and described herein. In addition, "and/or" in the specification means at least one of the connected objects, and the character "/" generally means that the former and latter related objects are in an "or" relationship.
The following describes an event analysis method, an event analysis device, an electronic device, and a storage medium according to the present invention with reference to fig. 1 to 5.
FIG. 1 is a schematic flow chart of the event analysis method provided by the present invention. As shown in FIG. 1, the present invention provides an event analysis method whose execution subject may be a terminal or a server, the terminal being, for example, a computer or a vehicle-mounted terminal. The method includes the following steps:
step 101, obtaining a pattern rule, and associating the pattern rule to generate a pattern matching link.
It can be understood that the invention is based on a big-data real-time stream analysis engine (the Flink stream analysis engine), which has high-throughput, low-latency characteristics and is well suited to processing stream data.
Specifically, a given event is usually composed of a plurality of sub-events; that is, an event stream can be composed of a plurality of event sources in time order. Before an event is analyzed, target data are collected in advance according to the scenario of the event to be analyzed to obtain a target event stream, the target event sources that make up the target event stream are obtained, and the corresponding pattern rules are created according to the obtained target event sources.
In the present invention, a pattern rule refers to a rule for identifying an event source.
For example, when a company suffers a network compromise event, a related network security event stream may be collected in advance by means such as web logging according to the compromise scenario. In this network security event, a classified file belonging to an administrator is stolen, and three different event sources are involved: a login event on the administrator's classified host, a copy event of a classified file on that host, and a logout event from that host.
Three pattern rules may be created from the three different event sources: a login matching pattern, a classified file copy pattern and a logout matching pattern. The login matching pattern is used to detect whether the acquired event source contains the behavior of logging in to the classified host; the classified file copy pattern is used to detect whether the acquired event source contains an abnormal copy of a classified file; and the logout matching pattern is used to detect whether the acquired event source contains the behavior of logging out of the classified host.
Fig. 2 is a schematic structural diagram of the pattern rule of the event analysis method provided by the present invention, and as shown in fig. 2, after a plurality of pattern rules are created, the plurality of pattern rules may be associated and connected according to a relationship such as a chronological property and a logical property, so as to generate a pattern matching link.
For example, in the above network security event, after the three pattern rules (the login matching pattern, the classified file copy pattern and the logout matching pattern) are created, they are associated in sequence according to the order in which the events occur, so as to form a pattern matching link.
Step 102, acquiring an input event stream, and matching an event source in the input event stream with the pattern matching link.
It is to be understood that after the pattern matching link is generated, an input event stream to be analyzed is obtained, the input event stream including a plurality of event sources. Inputting the input event stream into the pattern matching link, and judging whether the event source in the input event stream accords with the pattern rule in the pattern matching link, namely whether the event source can be matched with the pattern rule in the pattern matching link.
Step 103, if the event source is successfully matched with the pattern matching link, acquiring a pattern matching state link.
It can be understood that a pattern matching state link is generated when the event sources in the input event stream to be analyzed can each be matched with the corresponding pattern rule in the pattern matching link. When the event sources in the input event stream cannot be matched with the pattern rules in the pattern matching link, the input event stream is considered not to satisfy the condition and is discarded.
Step 104, obtaining an event link analysis result of the input event stream based on the pattern matching state link.
It can be understood that once the pattern matching state link has been obtained, it contains the complete information of the input event stream, and trace-back and analysis can be performed on the basis of this complete information.
According to the event analysis method provided by the invention, the pattern rule is obtained, and then the obtained pattern rule is associated in a time sequence manner to generate a pattern matching link; matching an event source in the input event stream to be analyzed with the pattern matching link, and acquiring a pattern matching state link when the event source in the input event stream is successfully matched with the pattern matching link; by analyzing the pattern matching state link, events can be traced back completely and accurately, and accurate analysis can be made.
Further, the matching the event source in the input event stream with the pattern matching link includes:
acquiring the configuration conditions of the pattern rules;
matching an event source in the input event stream with the pattern matching link based on the configuration conditions.
It can be understood that in this embodiment a configuration condition is set for each pattern rule in the pattern matching link, and an input event source can be matched with a pattern rule only if the event source satisfies the requirement of the configuration condition. After an event source in the input event stream has been successfully matched with a pattern rule in the pattern matching link for the first time, the other event sources in the input event stream continue to be matched with the pattern matching link.
For example, the configuration conditions may include the following:
First, when an event source is acquired, matching is performed by judging whether the event source satisfies a specific condition.
Second, when an event source is acquired, matching is performed by judging whether the event source satisfies any one of a plurality of specific conditions.
Third, when an event source is acquired, a stop condition is specified; that is, once the given condition is met, no further corresponding event source is matched.
By acquiring the configuration conditions of the pattern rules and matching the event sources in the input event stream against them, the method and the device further improve the accuracy of event analysis.
Further, the matching the event source in the input event stream with the pattern matching link includes:
acquiring the configuration conditions and configuration quantifiers of the pattern rules;
matching an event source in the input event stream with the pattern matching link based on the configuration conditions and the configuration quantifiers.
It can be understood that in this embodiment a configuration condition and a configuration quantifier are set for each pattern rule in the pattern matching link, and an event source can be matched with a pattern rule only if the input event source satisfies the requirements of both the configuration condition and the configuration quantifier. After an event source in the input event stream has been successfully matched with a pattern rule in the pattern matching link for the first time, the other event sources of the input event stream continue to be matched with the pattern matching link.
For example, the configuration conditions may include the following:
First, when an event source is acquired, matching is performed by judging whether the event source satisfies a specific condition.
Second, when an event source is acquired, matching is performed by judging whether the event source satisfies any one of a plurality of specific conditions.
Third, when an event source is acquired, a stop condition is specified; that is, once the given condition is met, no further corresponding event source is matched.
As another example, the configuration quantifiers may include the following:
First, when event sources are acquired, the pattern rule must be matched exactly 4 times.
Second, when event sources are acquired, the pattern rule must be matched 4 or more times.
Third, when event sources are acquired, the pattern rule must be matched 2, 3 or 4 times.
Fourth, when event sources are acquired, a limit time is set, and event sources outside the limit time range are not matched.
For example, in the network security event, after the three pattern rules (the login matching pattern, the classified file copy pattern and the logout matching pattern) are created, the login matching pattern detects the administrator's login events on the classified host, and the event is considered to match the pattern rule when the administrator's login on the classified host is detected to be triggered four times within ten minutes.
By acquiring the configuration conditions and configuration quantifiers of the pattern rules and matching the event sources in the input event stream against them, the method and the device further improve the accuracy of event analysis.
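As an added worked example (not code from the patent or from Beijing VRV Software, and independent of Flink), the following Python snippet implements the configuration conditions and configuration quantifiers described above over a constructed login log: the condition is "administrator login on the classified host", the quantifier is "exactly 4 times" with a ten-minute limit time, and the stop condition of the third kind (`until`) and the "4 or more times" and "2, 3 or 4 times" quantifiers are exercised as well. The host name SEC-01, the user names, the log format and the timestamps are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log for the example (not taken from the patent): the
# administrator logs in to the classified host SEC-01 several times; one login
# by another user and one file copy are interleaved as non-corresponding events.
SAMPLE_LOG = """\
2024-03-01T09:00:00 host=SEC-01 user=admin action=login
2024-03-01T09:02:00 host=SEC-01 user=admin action=login
2024-03-01T09:03:00 host=SEC-01 user=alice action=login
2024-03-01T09:05:00 host=SEC-01 user=admin action=login
2024-03-01T09:07:00 host=SEC-01 user=admin action=copy file=plan.docx
2024-03-01T09:08:00 host=SEC-01 user=admin action=login
2024-03-01T09:40:00 host=SEC-01 user=admin action=login
"""

WINDOW = timedelta(minutes=10)  # the "limit time" of the fourth quantifier


def parse_log(text):
    """Turn the key=value log lines into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


EVENTS = parse_log(SAMPLE_LOG)


def admin_login(event):
    """Configuration condition of the login matching pattern (first kind:
    the event source must satisfy one specific condition)."""
    return (event["host"] == "SEC-01" and event["user"] == "admin"
            and event["action"] == "login")


def match_times_within(events, cond, min_times, max_times=None,
                       within=None, until=None):
    """Return every run of events satisfying cond that meets the quantifier.

    min_times == max_times  -> matched exactly n times
    max_times is None       -> matched min_times or more times
    within                  -> limit time, measured from the first event of the run
    until                   -> stop condition: once it fires, no further event is matched
    Non-corresponding events inside a run are skipped, not counted.
    """
    matches = []
    for start, first in enumerate(events):
        if not cond(first):
            continue
        run = []
        for event in events[start:]:
            if until is not None and until(event):
                break
            if within is not None and event["ts"] - first["ts"] > within:
                break
            if not cond(event):
                continue
            run.append(event)
            if max_times is not None and len(run) == max_times:
                break
        if len(run) >= min_times:
            matches.append(run)
    return matches


def detect_repeated_admin_login(events=EVENTS):
    """The patent's example: the login pattern fires when the administrator
    login on the classified host is triggered four times within ten minutes."""
    return match_times_within(events, admin_login, 4, 4, within=WINDOW)


if __name__ == "__main__":
    for run in detect_repeated_admin_login():
        print("four admin logins within 10 min, starting", run[0]["ts"])
```

The 09:40 login is excluded from the detected run by the limit time, and passing the file copy as `until` shows how a stop condition ends a run early, so that the same four logins no longer satisfy the quantifier.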
Further, the associating the pattern rule to generate a pattern matching link includes:
creating a start node of the pattern matching link;
associating the pattern rules that have a business logic relationship to generate an initial pattern matching link;
generating the pattern matching link based on the start node and the initial pattern matching link.
It can be understood that after the pattern rules corresponding to the event sources have been created and the matching action on the event sources is to be performed, a start node is created, and the pattern rules that have a business logic relationship are associated in sequence to generate an initial pattern matching link.
The business logic relationship is to be understood in terms of the particular business. For example, in the network security event, three pattern rules are created from three different event sources (a login event on the administrator's classified host, a copy event of a classified file on that host, and a logout event from that host): a login matching pattern, a classified file copy pattern and a logout matching pattern. In the order of the business logic relationship, the three pattern rules are the login matching pattern, then the classified file copy pattern, then the logout matching pattern. After the related pattern rules have been associated, a pattern matching link is composed.
By associating the pattern rules that have a business logic relationship, the invention associates a plurality of event sources and thereby further improves the accuracy of event analysis.
Further, the associating the pattern rule with the business logic relationship to generate an initial pattern matching link includes:
associating the pattern rules according to at least one of a first link triggering strategy, a second link triggering strategy and a third link triggering strategy, and generating an initial pattern matching link;
wherein the first link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a first corresponding event source, each pattern rule matches each corresponding event source in the input event stream in turn;
the second link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a second corresponding event source, non-corresponding event sources are ignored until another corresponding event source is successfully matched;
the third link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a third corresponding event source, non-corresponding event sources are ignored and all successfully matched corresponding event sources are acquired.
It can be understood that after the pattern rules corresponding to the event sources have been created, the pattern rules may be associated specifically through at least one of the first, second and third link triggering strategies.
The first link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a first corresponding event source, the following pattern rules in the initial pattern matching link must be matched by the immediately following event sources in the input event stream; the matching stops as soon as an event source does not match the pattern rule that is waiting for it.
For example, with the pattern rule preset as "A followed by Bn" (where Bn denotes any event source of type B), after the event source A has been matched successfully, the event stream [A, B1, B2] can be matched successfully, whereas the event stream [A, C, B1, B2] cannot, because C interrupts the link.
The second link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a second corresponding event source, non-corresponding event sources are ignored until another corresponding event source is matched.
For example, with the pattern rule preset as "A followed by Bn", after the event source A has been matched successfully, the event stream [A, C, B1, B2] can be matched successfully and yields the match [A, B1]; that is, the non-corresponding event source C is skipped until the next event source satisfying Bn is matched successfully.
The third link triggering strategy comprises: after a pattern rule in the initial pattern matching link is first matched to a third corresponding event source, non-corresponding event sources are ignored and all matched corresponding event sources are acquired.
For example, with the pattern rule preset to include A and Bn, after the event source A has been matched successfully, the event stream [A, C, B1, B2] can be matched: the non-corresponding event source C is ignored, every event source satisfying Bn (B1 and B2) is acquired, and the matches [A, B1] and [A, B2] are produced.
By associating the pattern rules through at least one of the first, second and third link triggering strategies to generate the initial pattern matching link, the method and the device can widen the range of event analysis and facilitate the analysis of complex events.
Further, the matching the event source in the input event stream with the pattern matching link includes:
according to the non-determined limited automatic object, performing state conversion on the mode matching link to generate an initial mode matching state link;
matching event sources in the input event stream with the initial pattern matching state link.
It should be understood that fig. 3 is a schematic diagram of the pattern matching state link provided by the present invention. As shown in fig. 3, in the operation process, the relationship between the upper and lower nodes of the upper link of the pattern matching link is completed through the non-deterministic finite automation object, and the expressions of each state and state transition among each pattern rule in the secondary pattern matching link are completed, so as to generate the initial pattern matching state link.
And then matching the event source in the input event stream with the initial pattern matching state link, and if the event source in the input event stream is successfully matched with the initial pattern matching state link, namely the event source in the input event stream can be successfully matched with the pattern rule in the initial pattern matching state link, generating the pattern matching state link. And if the event source in the input event stream is unsuccessfully matched with the initial pattern matching state link, namely the event source in the input event stream is unsuccessfully matched with the pattern rule in the initial pattern matching state link, abandoning the input event stream.
There are three ways of state transition:
first, the updating mode: and indicating that one event source in the event stream is successfully matched with the pattern rule, updating the state of the current pattern rule to a new state, and advancing to the next pattern rule for matching.
Second, direct propulsion: when the event source is matched with the pattern rule, the state of the current pattern rule is not changed, and the event source is directly advanced to be matched with the next pattern rule.
Third, the ignore mode: when the event source is matched with the pattern rule, if the matching is unsuccessful, the current event source is ignored, and the state of the current pattern rule is not changed.
For example, in a network security event, after a plurality of pattern rules are associated and state conversion is performed to generate an initial pattern matching state link, an initial pattern matching state link in the order of a login matching pattern, a secret-related file copy pattern, and a logout matching pattern is obtained.
And then inputting an event stream containing an administrator secret-related machine login event, an administrator secret-related machine secret-related file copy event and an administrator secret-related machine login event into the initial pattern matching state link, and identifying and matching pattern rules in the initial pattern matching state link to generate a pattern matching state link.
According to the invention, the event sources in the input event stream are matched against the initial pattern matching state link to obtain the pattern matching state link, so that the input events can be analyzed accurately and the higher-order features of the events can be obtained.
The event analysis device provided by the present invention is described below, and the event analysis device described below and the event analysis method described above may be referred to in correspondence with each other.
Fig. 4 is a schematic structural diagram of an event analysis apparatus provided by the present invention, and as shown in fig. 4, the present invention provides an event analysis apparatus, which includes a rule association module 401, a data input module 402, an event matching module 403, and a result output module 404, where:
a rule association module 401, configured to acquire pattern rules, associate the pattern rules and generate a pattern matching link; a data input module 402, configured to acquire an input event stream and match the event sources in the input event stream against the pattern matching link; an event matching module 403, configured to obtain a pattern matching state link if an event source is successfully matched with the pattern matching link; and a result output module 404, configured to obtain an event link output result for the input event stream based on the pattern matching state link.
The event analysis device provided by the invention generates a pattern matching link by acquiring pattern rules and associating them in time order; it matches the event sources in the input event stream to be analyzed against the pattern matching link, and obtains a pattern matching state link when an event source in the input event stream is successfully matched with the pattern matching link. By analyzing the pattern matching state link, events can be traced back completely and accurately, and an accurate analysis can be made.
Optionally, the event matching module is further configured to:
acquire the configuration conditions of the pattern rules;
and match the event sources in the input event stream against the pattern matching link based on the configuration conditions to obtain a pattern matching state link.
Optionally, the event matching module is further configured to:
acquire the configuration conditions and configuration quantifiers of the pattern rules;
and match the event sources in the input event stream against the pattern matching link based on the configuration conditions and configuration quantifiers to obtain a pattern matching state link.
Optionally, the rule association module is further configured to:
create a starting node of the pattern matching link;
associate the pattern rules that have a business logic relationship to generate an initial pattern matching link;
and generate the pattern matching link based on the starting node and the initial pattern matching link.
Optionally, the rule association module is further configured to:
associate the pattern rules according to at least one of a first link triggering policy, a second link triggering policy and a third link triggering policy, and generate the initial pattern matching link;
wherein the first link triggering policy comprises: once the pattern rules in the initial pattern matching link have first matched a corresponding event source, each pattern rule is matched against each subsequent event source in the input event stream in turn, none being skipped;
the second link triggering policy comprises: once the pattern rules in the initial pattern matching link have first matched a second corresponding event source, non-corresponding event sources are ignored until the next corresponding event source is successfully matched;
the third link triggering policy comprises: once the pattern rules in the initial pattern matching link have first matched a third corresponding event source, non-corresponding event sources are ignored and all successfully matched corresponding event sources are collected.
Optionally, the event matching module is further configured to:
perform state conversion on the pattern matching link according to a nondeterministic finite automaton (NFA) to generate an initial pattern matching state link;
and match the event sources in the input event stream against the initial pattern matching state link.
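As an added example that is not the patent's own code, the following Python models the login, classified-file-copy and logout link from the description as a small NFA over a pattern matching link: an ordered list of pattern rules, each with a configuration condition and a configuration quantifier. It implements the three state transitions (update, direct advance, ignore) explicitly and runs a constructed event stream through the link under each of the three link triggering policies. The event field layout, the rule conditions, the quantifier on the copy rule, the policy names and the sample events are all assumptions made for this example.

```python
"""Added example, not code from the patent or its assignee: an NFA-style matcher
for a "pattern matching link" made of pattern rules with configuration
conditions and quantifiers, run under the three link triggering policies.
Event layout, rule names, quantifiers and sample events are all constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
History = Tuple[Event, ...]

STRICT, SKIP_TILL_NEXT, SKIP_TILL_ANY = "strict", "skip_till_next", "skip_till_any"


@dataclass(frozen=True)
class PatternRule:
    name: str
    # configuration condition; it also sees the events the run has already
    # matched, so later rules can be correlated with earlier ones (same user)
    condition: Callable[[Event, History], bool]
    min_count: int = 1            # configuration quantifier, lower bound
    max_count: Optional[int] = 1  # upper bound; None means unbounded


@dataclass(frozen=True)
class Run:
    """One live state of the pattern matching state link (one NFA run)."""
    idx: int               # index of the pattern rule the run is currently on
    matched: History = ()  # event sources consumed so far
    count: int = 0         # how many events the current rule has consumed


def _successors(run: Run, ev: Event, rules: List[PatternRule], policy: str) -> List[Run]:
    rule = rules[run.idx]
    out: List[Run] = []
    consumed = False
    # update mode: the event satisfies the current rule; take it and refresh that rule's state
    if (rule.max_count is None or run.count < rule.max_count) and rule.condition(ev, run.matched):
        out.append(Run(run.idx, run.matched + (ev,), run.count + 1))
        consumed = True
    # direct advance: the current rule already met its quantifier, so the event is
    # tried against the next rule without changing the current rule's state
    if run.count >= rule.min_count and run.idx + 1 < len(rules):
        if rules[run.idx + 1].condition(ev, run.matched):
            out.append(Run(run.idx + 1, run.matched + (ev,), 1))
            consumed = True
    # ignore mode: under the skip policies a non-matching event leaves the run unchanged;
    # under strict contiguity the run is abandoned.  Skip-till-any also keeps the
    # un-advanced run when the event did match, enumerating every combination.
    keep = (not consumed and policy != STRICT) or (consumed and policy == SKIP_TILL_ANY)
    if keep and run.matched:
        out.append(run)
    return out


def match_link(rules: List[PatternRule], events: List[Event],
               policy: str = SKIP_TILL_NEXT) -> List[History]:
    """Feed the stream through the link; return every completed event link."""
    last = rules[-1]
    runs: List[Run] = []
    results: List[History] = []
    for ev in events:
        next_runs: List[Run] = []
        # the starting node is always live: any event may begin a new instance
        for run in runs + [Run(0)]:
            for succ in _successors(run, ev, rules, policy):
                if succ is not run and succ.idx == len(rules) - 1 and succ.count >= last.min_count:
                    results.append(succ.matched)
                    if last.max_count is not None and succ.count >= last.max_count:
                        continue  # final rule saturated, nothing more to take
                next_runs.append(succ)
        runs = next_runs
    return results


def _classified(ev: Event) -> bool:
    return str(ev["host"]).startswith("classified-")


def _same_user(ev: Event, hist: History) -> bool:
    return not hist or ev["user"] == hist[0]["user"]


# The login -> classified-file-copy -> logout link; the copy rule is quantified "one or more".
LINK = [
    PatternRule("login", lambda e, h: e["type"] == "login" and _classified(e)),
    PatternRule("copy", lambda e, h: e["type"] == "copy" and _classified(e) and _same_user(e, h), 1, None),
    PatternRule("logout", lambda e, h: e["type"] == "logout" and _classified(e) and _same_user(e, h)),
]

# Constructed stream: the administrator session from the description with an
# unrelated login interleaved, which is what separates the three policies.
EVENTS: List[Event] = [
    {"type": "login", "user": "admin", "host": "classified-01"},
    {"type": "login", "user": "alice", "host": "workstation-07"},
    {"type": "copy", "user": "admin", "host": "classified-01", "file": "/secret/plan.docx"},
    {"type": "copy", "user": "admin", "host": "classified-01", "file": "/secret/budget.xlsx"},
    {"type": "logout", "user": "admin", "host": "classified-01"},
]


def matches_per_policy(events: List[Event] = EVENTS) -> Dict[str, List[List[str]]]:
    """Summarize each completed link under each policy as the list of files it copied."""
    return {policy: [[str(e["file"]) for e in link if e["type"] == "copy"]
                     for link in match_link(LINK, events, policy)]
            for policy in (STRICT, SKIP_TILL_NEXT, SKIP_TILL_ANY)}


if __name__ == "__main__":
    for policy, links in matches_per_policy().items():
        print(policy, links)
```

On the constructed stream the strict policy yields no link, because the unrelated login by `alice` breaks contiguity right after the administrator's login; skip-till-next yields one link carrying both copies; skip-till-any yields three links (both copies, the first only, the second only), since every matching copy event is both taken and ignored. That last behaviour is the caveat a practitioner wants: under the third policy the number of live runs grows with every corresponding event, so an unbounded quantifier should be paired with a time window or an upper bound before the link is deployed against a real log feed.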
Fig. 5 is a schematic structural diagram of an electronic device provided by the present invention. As shown in Fig. 5, the electronic device may include a processor 501, a communication interface 502, a memory 503 and a communication bus 504, where the processor 501, the communication interface 502 and the memory 503 communicate with one another over the communication bus 504. The processor 501 may call logic instructions in the memory 503 to perform the event analysis method provided by the method embodiments above, which includes, for example: acquiring pattern rules, associating the pattern rules and generating a pattern matching link; acquiring an input event stream and matching the event sources in the input event stream against the pattern matching link; if an event source is successfully matched with the pattern matching link, obtaining a pattern matching state link; and obtaining an event link analysis result for the input event stream based on the pattern matching state link.
In addition, the logic instructions in the memory 503 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as an independent product. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk and other media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program, which may be stored on a non-transitory computer-readable storage medium. When the computer program is executed by a processor, the computer is able to execute the event analysis method provided by the method embodiments above, the method including, for example: acquiring pattern rules, associating the pattern rules and generating a pattern matching link; acquiring an input event stream and matching the event sources in the input event stream against the pattern matching link; if an event source is successfully matched with the pattern matching link, obtaining a pattern matching state link; and obtaining an event link analysis result for the input event stream based on the pattern matching state link.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the event analysis method provided by the method embodiments above, the method including, for example: acquiring pattern rules, associating the pattern rules and generating a pattern matching link; acquiring an input event stream and matching the event sources in the input event stream against the pattern matching link; if an event source is successfully matched with the pattern matching link, obtaining a pattern matching state link; and obtaining an event link analysis result for the input event stream based on the pattern matching state link.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An event analysis method, comprising:
acquiring a pattern rule, associating the pattern rule and generating a pattern matching link;
acquiring an input event stream, and matching an event source in the input event stream with the pattern matching link;
if the event source is successfully matched with the pattern matching link, acquiring a pattern matching state link;
and obtaining an event link analysis result of the input event stream based on the pattern matching state link.
2. The event analysis method of claim 1, wherein the matching the event source in the input event stream with the pattern matching link comprises:
acquiring a configuration condition of the pattern rule;
matching the event source in the input event stream with the pattern matching link based on the configuration condition.
3. The event analysis method of claim 1, wherein the matching the event source in the input event stream with the pattern matching link comprises:
acquiring a configuration condition and a configuration quantifier of the pattern rule;
matching the event source in the input event stream with the pattern matching link based on the configuration condition and the configuration quantifier.
4. The event analysis method according to claim 1, wherein the associating the pattern rule to generate a pattern matching link comprises:
creating a starting node of the pattern matching link;
associating the pattern rules that have a business logic relationship to generate an initial pattern matching link;
generating the pattern matching link based on the starting node and the initial pattern matching link.
5. The event analysis method according to claim 4, wherein the associating the pattern rules that have a business logic relationship to generate an initial pattern matching link comprises:
associating the pattern rules according to at least one of a first link triggering policy, a second link triggering policy and a third link triggering policy, and generating the initial pattern matching link;
wherein the first link triggering policy comprises: once the pattern rules in the initial pattern matching link have first matched a corresponding event source, each pattern rule is matched against each subsequent event source in the input event stream in turn, none being skipped;
the second link triggering policy comprises: once the pattern rules in the initial pattern matching link have first matched a second corresponding event source, non-corresponding event sources are ignored until the next corresponding event source is successfully matched;
the third link triggering policy comprises: once the initial pattern matching link has first matched a third corresponding event source, the pattern rules in the initial pattern matching link ignore non-corresponding event sources and collect all successfully matched corresponding event sources.
6. The event analysis method of claim 1, wherein the matching the event source in the input event stream with the pattern matching link comprises:
performing state conversion on the pattern matching link according to a nondeterministic finite automaton (NFA) to generate an initial pattern matching state link;
matching the event source in the input event stream with the initial pattern matching state link.
7. An event analysis device, comprising:
a rule association module, configured to acquire a pattern rule, associate the pattern rule and generate a pattern matching link;
a data input module, configured to acquire an input event stream and match an event source in the input event stream with the pattern matching link;
an event matching module, configured to acquire a pattern matching state link if the event source is successfully matched with the pattern matching link;
and a result output module, configured to obtain an event link output result of the input event stream based on the pattern matching state link.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the event analysis method according to any of claims 1 to 6 are implemented when the processor executes the program.
9. A non-transitory computer readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the event analysis method according to any one of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the event analysis method according to any one of claims 1 to 6 when executed by a processor.
CN202210088238.9A 2022-01-25 2022-01-25 Event analysis method and device, electronic equipment and storage medium Pending CN114579809A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210088238.9A CN114579809A (en) 2022-01-25 2022-01-25 Event analysis method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114579809A true CN114579809A (en) 2022-06-03

Family

ID=81771795

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210088238.9A Pending CN114579809A (en) 2022-01-25 2022-01-25 Event analysis method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114579809A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116974876A (en) * 2023-09-20 2023-10-31 云筑信息科技(成都)有限公司 Method for realizing millisecond-level monitoring alarm based on real-time flow frame
CN116974876B (en) * 2023-09-20 2024-02-23 云筑信息科技(成都)有限公司 Method for realizing millisecond-level monitoring alarm based on real-time flow frame

Similar Documents

Publication Publication Date Title
CN108881265B (en) Network attack detection method and system based on artificial intelligence
US20180307576A1 (en) Field content based pattern generation for heterogeneous logs
EP3534263A1 (en) Systems and methods for web analytics testing and web development
CN108881263B (en) Network attack result detection method and system
CN112579603B (en) CDC-based data model dynamic information perception monitoring method and device
CN113409555B (en) Real-time alarm linkage method and system based on Internet of things
CN111447224A (en) Web vulnerability scanning method and vulnerability scanner
CN113704328B (en) User behavior big data mining method and system based on artificial intelligence
CN113051308A (en) Alarm information processing method, equipment, storage medium and device
CN114528457A (en) Web fingerprint detection method and related equipment
EP3789882B1 (en) Automatic configuration of logging infrastructure for software deployments using source code
US9600644B2 (en) Method, a computer program and apparatus for analyzing symbols in a computer
CN114579809A (en) Event analysis method and device, electronic equipment and storage medium
CN114385668A (en) Cold data cleaning method, device, equipment and storage medium
US11539730B2 (en) Method, device, and computer program product for abnormality detection
CN113434855A (en) Security event processing method and device and readable storage medium
CN111917848A (en) Data processing method based on edge computing and cloud computing cooperation and cloud server
CN114465875B (en) Fault processing method and device
CN116248393A (en) Intranet data transmission loophole scanning device and system
CN112688947B (en) Internet-based network communication information intelligent monitoring method and system
CN114615036A (en) Abnormal behavior detection method, device, equipment and storage medium
CN114510717A (en) ELF file detection method and device and storage medium
Dik et al. Web attacks detection based on patterns of sessions
CN115544202A (en) Alarm processing method, device and storage medium
CN112579833A (en) Service association relation obtaining method and device based on user operation data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination