CN114745183A - Alarm method and device - Google Patents
Alarm method and device Download PDFInfo
- Publication number
- CN114745183A CN114745183A CN202210390455.3A CN202210390455A CN114745183A CN 114745183 A CN114745183 A CN 114745183A CN 202210390455 A CN202210390455 A CN 202210390455A CN 114745183 A CN114745183 A CN 114745183A
- Authority
- CN
- China
- Prior art keywords
- attack
- event
- alarm
- events
- preset
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 61
- 230000002776 aggregation Effects 0.000 claims abstract description 68
- 238000004220 aggregation Methods 0.000 claims abstract description 68
- 239000000523 sample Substances 0.000 claims description 66
- 238000010586 diagram Methods 0.000 description 26
- 238000004590 computer program Methods 0.000 description 11
- 230000007547 defect Effects 0.000 description 9
- 230000008569 process Effects 0.000 description 8
- 230000004927 fusion Effects 0.000 description 5
- 238000012545 processing Methods 0.000 description 5
- 238000004364 calculation method Methods 0.000 description 4
- 230000004044 response Effects 0.000 description 4
- 238000004458 analytical method Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 3
- 230000006378 damage Effects 0.000 description 3
- 238000011161 development Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000001960 triggered effect Effects 0.000 description 3
- 238000012800 visualization Methods 0.000 description 3
- 230000005856 abnormality Effects 0.000 description 2
- 238000009825 accumulation Methods 0.000 description 2
- 239000000969 carrier Substances 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000007257 malfunction Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000003058 natural language processing Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000004984 smart glass Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2455—Query execution
- G06F16/24553—Query execution of query operations
- G06F16/24554—Unary operations; Data partitioning operations
- G06F16/24556—Aggregation; Duplicate elimination
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/28—Databases characterised by their database models, e.g. relational or object models
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9024—Graphs; Linked lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Databases & Information Systems (AREA)
- Data Mining & Analysis (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Computational Linguistics (AREA)
- Software Systems (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the specification provides an alarm method and an alarm device, wherein the alarm method comprises the following steps: acquiring a plurality of attack events generating alarms, matching the plurality of attack events with a preset event relation map to obtain the incidence relation among the plurality of attack events, and carrying out alarm aggregation on the plurality of attack events according to the incidence relation. The relationship of each discrete event is established by presetting an event relationship map, the plurality of attack events are matched with the preset event relationship map to obtain the association relationship among the plurality of attack events, and the plurality of attack events are subjected to alarm aggregation according to the association relationship, so that the alarm aggregation efficiency and accuracy are improved.
Description
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to an alarm method.
Background
With the development of computer technology, links of information systems become more complex, and a large number of attack events are accompanied. Taking a network attack event as an example, the network attack event refers to an information security event that attacks the information system by using configuration defects, protocol defects, program defects or using brute force attacks of the information system through a network or other technical means, and causes an abnormality of the information system or potential harm to the current operation of the information system.
At present, a danger probe is generally arranged in a link, and the danger probe alarms the attack event which occurs in the link. However, as the access link becomes more and more complex, more and more alarm events are generated, so that it is difficult for people to determine the potential hazard of the current system directly through the alarm event, and therefore, an efficient and accurate alarm scheme is urgently needed.
Disclosure of Invention
In view of this, the embodiments of the present specification provide an alarm method. One or more embodiments of the present disclosure also relate to an alarm apparatus, a computing device, a computer-readable storage medium, and a computer program, so as to solve the technical problems in the prior art.
According to a first aspect of embodiments herein, there is provided an alarm method, including:
acquiring a plurality of attack events generating alarms;
matching the plurality of attack events with a preset event relation map to obtain an incidence relation between the plurality of attack events;
and performing alarm aggregation on the plurality of attack events according to the incidence relation.
Optionally, before the step of obtaining a plurality of attack events generating an alarm, the method further includes:
setting a plurality of node probes on a data link;
and responding to the node probe to identify the occurrence of the attack event, and alarming the attack event.
Optionally, the step of alerting the attack event includes:
acquiring an attack event occurring in at least one preset time period;
and alarming the attack events occurring in the preset time period in a preset alarm window.
Optionally, the step of alerting an attack event occurring within a preset time period in a preset alert window includes:
acquiring an event node corresponding to an attack event and an attack direction of the attack event;
and alarming the attack event in a preset alarm window according to the event node and the attack direction.
Optionally, the step of matching the multiple attack events with a preset event relationship graph to obtain an association relationship between the multiple attack events includes:
aiming at a plurality of attack events, searching a local relation graph corresponding to the attack events in a preset event relation graph;
and obtaining the incidence relation among a plurality of attack events according to the local relation graph.
Optionally, the step of performing alarm aggregation on multiple attack events according to the association relationship includes:
acquiring a plurality of event nodes corresponding to a plurality of attack events;
and connecting the event nodes according to the incidence relation to generate an aggregation alarm path of the attack events.
Optionally, after the step of generating an aggregated alarm path for a plurality of attack events, the method further includes:
and displaying the aggregation alarm path in a preset alarm window.
According to a second aspect of embodiments herein, there is provided an alarm device comprising:
an acquisition module configured to acquire a plurality of attack events that generate an alert;
the matching module is configured to match the plurality of attack events with a preset event relation map to obtain the incidence relation among the plurality of attack events;
and the aggregation module is configured to perform alarm aggregation on the plurality of attack events according to the incidence relation.
Optionally, the apparatus further comprises:
an alarm module configured to set a plurality of node probes on a data link; and responding to the node probe to identify the occurrence of the attack event, and alarming the attack event.
Optionally, the alarm module is further configured to obtain an attack event occurring within at least one preset time period; and alarming the attack events occurring in the preset time period in a preset alarm window.
Optionally, the alarm module is further configured to obtain an event node corresponding to the attack event and an attack direction of the attack event; and alarming the attack event in a preset alarm window according to the event node and the attack direction.
Optionally, the matching module is further configured to, for a plurality of attack events, search a local relationship graph corresponding to the attack event in a preset event relationship graph; and obtaining the incidence relation among a plurality of attack events according to the local relation graph.
Optionally, the aggregation module is further configured to obtain a plurality of event nodes corresponding to the plurality of attack events; and connecting the event nodes according to the incidence relation to generate an aggregation alarm path of the attack events.
Optionally, the apparatus further comprises:
and the display module is configured to display the aggregation alarm path in a preset alarm window.
According to a third aspect of embodiments herein, there is provided a computing device comprising:
a memory and a processor;
the memory is to store computer-executable instructions, and the processor is to execute the computer-executable instructions to:
acquiring a plurality of attack events generating alarms;
matching the plurality of attack events with a preset event relation graph to obtain an incidence relation among the plurality of attack events;
and performing alarm aggregation on the plurality of attack events according to the incidence relation.
According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the above-described alerting method.
According to a fifth aspect of embodiments herein, there is provided a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the steps of the above-mentioned alerting method.
In the alarm method provided in one embodiment of the present specification, a plurality of attack events that generate an alarm are acquired, the plurality of attack events are matched with a preset event relationship map, an association relationship between the plurality of attack events is acquired, and alarm aggregation is performed on the plurality of attack events according to the association relationship. The method comprises the steps of establishing a relationship for each discrete event through a preset event relationship map, matching a plurality of attack events with the preset event relationship map to obtain an incidence relationship among the plurality of attack events, and carrying out alarm aggregation on the plurality of attack events according to the incidence relationship, so that the alarm aggregation efficiency and accuracy are improved.
Drawings
FIG. 1 is a flow chart of an alert method provided by one embodiment of the present description;
FIG. 2 is a diagram illustrating a default alarm window according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of an event relationship graph provided in one embodiment of the present description;
FIG. 4a is a schematic diagram of a partial relationship diagram a provided by an embodiment of the present specification;
FIG. 4b is a diagram illustrating a partial relationship diagram b provided by an embodiment of the present disclosure;
FIG. 4c is a schematic diagram of a partial relationship diagram c provided by an embodiment of the present description;
FIG. 5 is a schematic diagram of an aggregated alarm path provided by one embodiment of the present description;
FIG. 6 is a flowchart illustrating a process of an alarm method according to an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of an alarm device provided in an embodiment of the present disclosure;
fig. 8 is a block diagram of a computing device according to an embodiment of the present disclosure.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. This description may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, as those skilled in the art will be able to make and use the present disclosure without departing from the spirit and scope of the present disclosure.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It will be understood that, although the terms first, second, etc. may be used herein in one or more embodiments to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first can also be referred to as a second and, similarly, a second can also be referred to as a first without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
First, the noun terms to which one or more embodiments of the present specification relate are explained.
Network attack events: the network attack event is an information security event which utilizes configuration defects, protocol defects and program defects of an information system or uses violent attack to attack the information system through a network or other technical means and causes abnormity of the information system or potential damage to the current operation of the information system.
Priori knowledge: the prior knowledge (pr ior i knowledge) is prior knowledge to experience. For example, the following steps are carried out: when a person sees a building, since the concept of "cottage" and some attributes about the cottage are known in advance, it can be judged that the building in front of the person is a cottage. The concept of "villa" is the prior knowledge of people about the buildings at hand.
And (4) alarming: in the field of network management, a failure is defined as the cause of a malfunction, which is the cause of an alarm event. An alarm is an event report formed by a notification issued when a specific event occurs, and is used for transmitting alarm information.
Alarm aggregation: alarm aggregation is the merging of multiple alarms into a single alarm.
Knowledge graph: knowledge map (Knowledge Graph) is a Knowledge domain visualization or Knowledge domain mapping map, is mainly used for describing objective relations among entities, concepts and events in the real world, is a series of different graphs for displaying Knowledge development process and structure relation, describes Knowledge resources and carriers thereof by using visualization technology, and excavates, analyzes, constructs, draws and displays Knowledge and mutual relations among the Knowledge resources and the carriers. The process of constructing the knowledge graph is to extract information from unstructured data (images and the like) or semi-structured data (web pages and the like) to construct structured data (triples, entity-attribute-relations).
Graph database: graph Database (Graph Database) is a type of NoSQL Database, also known as a Graph-oriented/Graph-based Database, that applies Graph theory to store relationship information between entities. The basic meaning of graph databases is to store and query data in a data structure such as a "graph" as a logical structure.
Entity: an entity refers to something that is distinguishable and exists independently. Such as a person, a city, a plant, a commodity, etc., the entity is the most basic element in the knowledge map, and different relationships exist among different entities.
Semantic class (concept): semantic classes (concepts) are collections of entities with the same properties, such as countries, books, computers, etc. Concepts refer primarily to collections, categories, types of objects, categories of things, such as people, geographies, and the like.
The content is as follows: content is typically expressed as names, descriptions, interpretations, etc. of entities and semantic classes, which may be expressed in text, images, audio-video, etc.
Attribute (value): an attribute value pointing to it from an entity. Different attribute types correspond to edges of different types of attributes. An attribute value primarily refers to the value of an object-specified attribute. Such as "area", "population", "capital" are several different attributes. The attribute value mainly refers to a value of an object-specified attribute, for example, 960 ten thousand square kilometers or the like.
The relationship is as follows: on a knowledge graph, a relationship is a function that maps nodes (entities, semantic classes, attribute values) to boolean values.
In the present specification, an alarm method is provided, and the present specification relates to an alarm apparatus, a computing device, and a computer-readable storage medium, which are described in detail in the following embodiments one by one.
With the development of computer technology, the links of information systems become more complex, which is accompanied by a large number of attack events. In a system with a complex link, alarms of multiple monitors in the link are often triggered by the same event, and if the alarms are not aggregated, an alarm storm is easily formed, so that operation and maintenance personnel miss important alarm events. Therefore, it is very necessary for the user to perform an aggregation process on the alarm events.
For example, in practical application, an alarm aggregation rule may be formulated in advance based on a priori knowledge, and alarm aggregation may be performed on attack events occurring in a link. However, as the access link becomes more and more complex, the alarm triggered by similar attacks will also rise rapidly, the accumulation of the priori knowledge cannot meet the increase speed of the alarm, and meanwhile, the priori knowledge cannot ensure the convergence of alarm aggregation, so that aggregation errors occur. Therefore, there is a need for an automated alarm aggregation scheme that does not require a priori knowledge.
In order to improve the efficiency of alarm aggregation and the accuracy of an alarm aggregation result, the specification provides an alarm method, a plurality of node probes are arranged on a data link, an attack event which occurs in at least one preset time period is acquired in response to the node probes identifying the occurrence of the attack event, event nodes corresponding to the attack event and the attack direction of the attack event are acquired, the attack event is alarmed in a preset alarm window according to the event nodes and the attack direction, a plurality of attack events which generate alarms are acquired, a local relation graph corresponding to the attack event is searched in a preset event relation graph aiming at the attack events, the incidence relation among the attack events is acquired according to the local relation graph, a plurality of event nodes corresponding to the attack events are acquired, the event nodes are connected according to the incidence relation, and an aggregation alarm path of the attack events is generated, and displaying the aggregation alarm path in a preset alarm window. According to the alarm scheme provided by the specification, the plurality of node probes are arranged on the data link, so that the occurrence of an attack event can be accurately identified, an alarm is generated on the attack event, the relationship between the event relationship map and each discrete event is preset, the plurality of attack events and the preset event relationship map are matched to obtain the incidence relationship among the plurality of attack events, the alarm aggregation is carried out on the plurality of attack events according to the incidence relationship, the alarm aggregation problem of an unknown link is solved, and the alarm aggregation efficiency and accuracy are improved.
Referring to fig. 1, fig. 1 shows a flowchart of an alarm method provided in an embodiment of the present specification, which specifically includes the following steps:
step 102: a plurality of attack events that generate an alert are obtained.
In the embodiment of the present description, in order to merge multiple alarms into a single alarm, a plurality of attack events that generate an alarm may be obtained first, then the obtained plurality of attack events are processed, and finally the processed plurality of attack events are aggregated to obtain an aggregated alarm path.
Specifically, the attack event refers to an information security event that attacks the information system by using configuration defects, protocol defects, program defects or using brute force attacks of the information system through a network or other technical means, and causes an abnormality of the information system or potential damage to the current operation of the information system.
It should be noted that the alarm method provided in the embodiment of the present specification may be applied not only to an internet scenario but also to other non-internet scenarios, and is specifically selected according to an actual situation, and the embodiment of the present specification is not limited to this.
In practical application, there are a plurality of acquired attack events generating an alarm, which are specifically selected according to actual situations, and this is not limited in this embodiment of the present specification.
In one possible implementation, multiple attack events being alerted may be directly obtained.
Illustratively, the occurring attack events are "application 1 scans the database 1 abnormally and logs in the application 2 forcibly", at this time, the system alarms the two occurring attack events, and by applying the scheme provided by the embodiment of the present specification, directly acquiring the multiple alarming attack events, that is, "application 1 scans the database 1 abnormally and logs in the application 2 forcibly".
In another possible implementation manner, at least one attack event that is being alerted and at least one attack event that has completed alerting may be obtained.
Illustratively, within a preset time, the completed attack event is "attacker unauthorized access to application 1", the occurring attack event is "application 1 abnormally scans database 1 and forcibly logs in application 2", the system has completed an alarm on the attack event "attacker unauthorized access to application 1", the attack event "application 1 abnormally scans database 1 and forcibly logs in application 2" for alarming, and by applying the scheme provided by the embodiment of the present specification, the multiple attack events which generate alarms are acquired as "attacker unauthorized access to application 1, application 1 abnormally scans database 1 and forcibly logs in application 2".
In yet another possible implementation, multiple attack events that have completed an alarm may be obtained.
Illustratively, the completed attack events are "application 1 scans the database 1 abnormally and logs in the application 2 forcibly", the system has alarmed the two attack events, and by applying the scheme provided by the embodiment of the present specification, directly acquiring the multiple attack events that have completed the alarm, that is, "application 1 scans the database 1 abnormally, and logs in the application 2 forcibly".
By applying the scheme of the embodiment of the specification, the method and the device can process the alarming attack event, can alarm the alarming completed attack event, can aggregate the alarming attack event and the alarming completed attack event, and can link a plurality of attack events, thereby facilitating the processing of related personnel and improving the efficiency and accuracy of alarm aggregation.
In practice, node probes may be inserted in different locations of the link. When an attack event occurs, a plurality of node probes on the link are triggered, and the node probes identify the occurrence of the attack event and alarm the attack event. That is, before the step of acquiring a plurality of attack events generating an alarm, the following steps may be included:
setting a plurality of node probes on a data link;
and responding to the node probe to identify the occurrence of the attack event, and alarming the attack event.
In the embodiment of the present specification, a node probe refers to a device that is arranged on a data link and used for identifying an attack event, and when an attack event occurs on the data link, the node probe on the data link can identify the occurrence of the attack event and alarm the attack event.
In the embodiments of the present disclosure, there are various setting manners of the node probe, which are specifically selected according to actual situations, and the embodiments of the present disclosure are not limited to this.
In a possible implementation manner, a node probe may be set for each node on the data link, and the node probe corresponding to each node may identify an attack event occurring at the node.
Illustratively, four nodes are included on the data link, which are node 1, node 2, node 3, and node 4, respectively. Accordingly, four node probes, which are node probe 1, node probe 2, node probe 3, and node probe 4, are provided on the data link. It should be noted that the nodes on the data link correspond to the node probes one to one, the node probe set at the node 1 is the node probe 1, the node probe set at the node 2 is the node probe 2, the node probe set at the node 3 is the node probe 3, and the node probe set at the node 4 is the node probe 4.
By applying the scheme of the embodiment of the specification, each node on the data link can be monitored by setting the node probe corresponding to the node at each node on the data link, so that each attack event occurring on the data link is alarmed, and the alarming accuracy is improved.
In another possible implementation manner, a node probe may be set at a key node on the data link, where the key node refers to a node at both ends of a key job in the data link.
Illustratively, four nodes are included on the data link, which are node 1, node 2, node 3 and node 4, respectively, wherein the key nodes are node 2 and node 4. Accordingly, two node probes, node probe 1 and node probe 2, are provided on the data link. It should be noted that the nodes on the data link correspond to the node probes one to one, the node probe set at the node 2 is the node probe 1, and the node probe set at the node 4 is the node probe 2.
By applying the scheme of the embodiment of the specification, the node probes are arranged at the key nodes on the data link, so that the arrangement of the node probes is reduced, and the working efficiency is further improved.
In practical applications, when the node probe on the data link identifies the occurrence of an attack event, there are various ways of alarming the attack event, which are specifically selected according to actual situations.
In one possible implementation, the attack event is alerted in response to the node probe identifying the occurrence of the attack event.
Illustratively, there are three nodes in the data link, which are node 1, node 2 and node 3, respectively, where node probe 1 is disposed at node 1, node probe 2 is disposed at node 2, and node probe 3 is disposed at node 3. When the node probe 1 identifies that the attack event 1 occurs, the node probe alarms the attack event 1, when the node probe 2 identifies that the attack event 2 occurs, the node probe alarms the attack event 2, and when the node probe 3 identifies that the attack event 3 occurs, the node probe alarms the attack event 3.
In another possible implementation manner, an alarm may be given for an attack event occurring within a preset time period, where the preset time period is specifically selected according to an actual situation, and this is not limited in this embodiment of the present specification. That is, the step of alarming the attack event may include the following steps:
acquiring an attack event occurring in at least one preset time period;
and alarming the attack events occurring in the preset time period in a preset alarm window.
Specifically, the preset alarm window refers to a preset window capable of displaying alarm information corresponding to an attack event, one or more preset alarm windows may be provided, and the number of the preset alarm windows is not limited by the scheme of the embodiment of the present specification, and is specifically selected according to an actual situation.
In a possible implementation manner, only one preset alarm window is provided, and after the attack event occurring within at least one preset time period is acquired, the attack event occurring within the preset time period is directly alarmed in the preset alarm window.
Illustratively, three attack events, namely an attack event 1, an attack event 2 and an attack event 3, are acquired within a first preset time period of 12:00-12:10 and a second preset time period of 12:30-12: 40; and the attack events occur together within a second preset time period, and the attack events are attack events 4. And alarming the attack event 1, the attack event 2, the attack event 3 and the attack event 4 in a preset alarm window.
In another possible implementation manner, there are multiple preset alarm windows, each preset alarm window corresponds to a preset time period, and after an attack event occurring within at least one preset time period is acquired, an alarm is given to the attack event occurring within the preset time period in the preset alarm window corresponding to the preset time period.
Exemplarily, a first preset time period of 12:00-12:10, a second preset time period of 12:30-12:40, a first preset time period corresponding to a preset alarm window 1, a second preset time period corresponding to a preset alarm window 2 are obtained, and three attack events, namely an attack event 1, an attack event 2 and an attack event 3, occur in the first preset time period; and the attack events occur together within a second preset time period, and the attack events are attack events 4. And alarming the attack event 1, the attack event 2 and the attack event 3 in the preset alarm window 1, and alarming the attack event 4 in the preset alarm window 2.
By applying the scheme of the embodiment of the specification, the attack event occurring in the preset time period is alarmed in the preset alarm window by acquiring the attack event occurring in at least one preset time period, so that the attack event generating the alarm is clear, and the subsequent processing of the attack event is facilitated.
In practical applications, when an alarm is given for an attack event occurring within a preset time period in a preset alarm window, an event node corresponding to the attack event and an attack direction of the attack event may be displayed in the preset alarm window, that is, the step of giving an alarm for the attack event occurring within the preset time period in the preset alarm window includes:
acquiring an event node corresponding to an attack event and an attack direction of the attack event;
and alarming the attack event in a preset alarm window according to the event node and the attack direction.
Specifically, the event node corresponding to the attack event refers to an attacker and an attacked party in the attack event, and the attack direction of the attack event refers to an attack direction in which the attacker attacks the attacked party.
Illustratively, an attack event 1 and an attack event 2 occurring within a preset time period are alarmed in a preset alarm window, the attack event 1 is 'application 1 abnormally scans a database 1', the attack event 2 is 'application 1 forcibly logs in an application 2', event nodes in the attack event 1 are obtained as the application 1 and the database 1, event nodes in the attack event 2 are obtained as the application 1 and the application 2, an attack direction in the attack event 1 is that the application 1 points to the database 1, and an attack direction in the attack event 2 is that the application 1 points to the application 2.
Specifically, as shown in fig. 2, fig. 2 shows a schematic diagram of a preset alarm window provided in an embodiment of the present specification, in fig. 2, an attack event 1 that occurs at a first preset time is acquired as an "attacker unauthorized access application 1", and the attack event 1 is alarmed in the preset alarm window according to an event node "attacker and gateway" of the attack event 1 and an attack direction "attacker points to the gateway"; acquiring an attack event 2 occurring at a second preset time as an 'application 1 abnormal scanning database 1', and alarming the attack event 2 in a preset alarm window according to an event node 'application 1 and database 1' of the attack event 2 and an attack direction 'application 1 points to the database 1'; and the attack event 3 occurring at the third preset time is 'application 1 forcibly logs in the application 2', and the attack event 3 is alarmed in a preset alarm window according to the event node 'application 1 and application 2' of the attack event 3 and the attack direction 'application 1 pointing to the application 2'.
By applying the scheme of the embodiment of the specification, the attack event is alarmed in the preset alarm window according to the event node and the attack direction by acquiring the event node corresponding to the attack event and the attack direction of the attack event, so that the alarm of the attack event is clear, and the subsequent processing of the attack event is facilitated.
Step 104: and matching the plurality of attack events with a preset event relation map to obtain the incidence relation among the plurality of attack events.
In the embodiment of the present specification, after a plurality of attack events which generate an alarm are acquired, the plurality of attack events may be matched with a preset event relationship map to obtain an association relationship between the plurality of attack events. In practical application, an event relation graph comprising events, relations, behaviors, assets and labels can be constructed based on a dynamic ontology and an attribute graph model, new contents can be continuously supplemented in the event relation graph along with the accumulation of time and experience, and the coverage range of the event relation graph is enlarged.
Specifically, the preset event relation map can be understood as a knowledge map. The knowledge graph aims to describe various entities or concepts existing in the real world and relations thereof, and forms a huge semantic network graph, wherein nodes represent the entities or concepts, and edges are formed by attributes or relations. The knowledge graph includes entities, semantic classes (concepts), content, attributes (values), and relationships. The knowledge graph can be logically divided into a mode layer and a data layer, wherein the data layer mainly comprises a series of facts, and the knowledge is stored by taking the facts as units. If facts are expressed in triplets of (entity 1, relationship, entity 2), (entity, attribute value), a graph database may be selected as the storage medium. The mode layer is built on the data layer and is the core of the knowledge graph, and the ontology base is generally adopted to manage the mode layer of the knowledge graph. The ontology is a concept template of the structured knowledge base, and the knowledge base formed by the ontology base has a strong hierarchical structure and a small redundancy degree.
It should be noted that, setting a knowledge graph includes: the method comprises five parts of knowledge modeling, knowledge acquisition, knowledge fusion, knowledge storage and knowledge application. A first part: knowledge modeling, constructing a multi-level knowledge system, defining, organizing and managing information such as abstract knowledge, attributes, incidence relations and the like, and converting the information into a real database. A second part: and acquiring knowledge, namely converting data of different sources and structures into map data, wherein the map data comprises structured data, semi-structured data (analysis), knowledge indexing, knowledge reasoning and the like, and the effectiveness and integrity of the data are guaranteed. And a third part: and the knowledge fusion is to fuse the repeated knowledge information from multiple sources, and comprises fusion calculation, a fusion calculation engine, manual operation fusion and the like. The fourth part: and the knowledge storage is realized, a reasonable knowledge storage scheme is provided according to project scenes, and the storage scheme has the characteristics of flexibility, diversification and expandability. The fifth part is that: knowledge application, which provides analysis and application capabilities of map retrieval, knowledge calculation, map visualization and the like for the constructed knowledge map, and provides SDKs of various knowledge calculations, including a map base application class, a map structure analysis class, a map semantic application class, a natural language processing class, a map data acquisition class, a map statistics class, a data set data acquisition class and a data set statistics class.
In practical application, after obtaining a plurality of attack events which generate an alarm, the method may search a preset event relationship map for a local relationship map corresponding to the plurality of attack events to obtain a plurality of local relationship maps, and analyze and obtain a relationship between the plurality of local relationship maps according to the obtained plurality of local relationship maps, so as to obtain an association relationship between the plurality of attack events, that is, the step of matching the plurality of attack events with the preset event relationship map to obtain an association relationship between the plurality of attack events may include the following steps:
aiming at a plurality of attack events, searching a local relation graph corresponding to the attack events in a preset event relation graph;
and obtaining the incidence relation among a plurality of attack events according to the local relation graph.
Exemplarily, as shown in fig. 3, fig. 3 is a schematic diagram illustrating an event relationship graph provided in an embodiment of the present specification, in the preset event relationship graph shown in fig. 3, a user may access an application 1 and an application 2 through a gateway; the application 1 can access the database 1 and the application 2; the application 2 can access the application 3 and the database 2; the application 3 has access to the database 2 and the database 3.
Referring to the embodiment in fig. 2, for an attack event 1 "an attacker gains access to an application 1 without right", a local relationship diagram corresponding to the attack event 1 is searched in a preset event relationship diagram, as shown in fig. 4a, and fig. 4a shows a schematic diagram of a local relationship diagram a provided by an embodiment of this specification; for an attack event 2, "application 1 exception scanning database 1", searching a local relationship graph corresponding to the attack event 2 in a preset event relationship graph is shown in fig. 4b, where fig. 4b shows a schematic diagram of a local relationship graph b provided in an embodiment of this specification; for an attack event 3, namely "application 1 forcibly logs in application 2", a local relationship graph corresponding to the attack event 3 is searched in a preset event relationship graph, as shown in fig. 4c, fig. 4c shows a schematic diagram of the local relationship graph c provided in an embodiment of the present specification, and the association relationships among the attack event 1, the attack event 2 and the attack event 3 are obtained as "gateway access application 1, application 1 access database 1 and application 1 access application 2" according to the local relationship graph a, the local relationship graph b and the local relationship graph c.
By applying the scheme of the embodiment of the description, the local relationship graph corresponding to the attack event is searched in the preset event relationship graph, so that the incidence relationship among a plurality of attack events obtained according to the local relationship graph is more accurate, and the alarm aggregation efficiency and accuracy are further improved.
Step 106: and performing alarm aggregation on the plurality of attack events according to the incidence relation.
In the embodiment of the present specification, after a plurality of attack events which generate an alarm are acquired, the plurality of attack events are matched with a preset event relationship map, and an incidence relation between the plurality of attack events is acquired, alarm aggregation may be performed on the plurality of attack events according to the incidence relation.
By applying the scheme of the embodiment of the specification, a plurality of attack events generating alarms are obtained, the plurality of attack events are matched with a preset event relation map, the incidence relation among the plurality of attack events is obtained, and the alarms of the plurality of attack events are aggregated according to the incidence relation. The relationship of each discrete event is established by presetting an event relationship map, the plurality of attack events are matched with the preset event relationship map to obtain the association relationship among the plurality of attack events, and the plurality of attack events are subjected to alarm aggregation according to the association relationship, so that the alarm aggregation efficiency and accuracy are improved.
In practical application, after obtaining a plurality of attack events for generating an alarm, matching the plurality of attack events with a preset event relationship map, and obtaining an incidence relation between the plurality of attack events, event nodes of the plurality of attack events may be obtained, and the event nodes of the plurality of attack events are connected according to the incidence relation to generate an aggregated alarm path of the plurality of attack events, that is, the step of performing alarm aggregation on the plurality of attack events according to the incidence relation may include the following steps:
acquiring a plurality of event nodes corresponding to a plurality of attack events;
and connecting the event nodes according to the incidence relation to generate an aggregation alarm path of the attack events.
Exemplarily, referring to the scheme of the above embodiment, the event node that obtains the attack event 1 is "attacker and gateway", the event node that obtains the attack event 2 is "application 1 and database 1", the event node that obtains the attack event 3 is "application 1 and application 2", and the association relationships among the attack event 1, the attack event 2, and the attack event 3 are "gateway access application 1, application 1 access database 1, and application 1 access application 2" according to the local relationship diagram a, the local relationship diagram b, and the local relationship diagram c. As shown in fig. 5, fig. 5 is a schematic diagram illustrating an aggregated alarm path provided in an embodiment of this specification, where a plurality of event nodes are connected according to an association relationship, and the aggregated alarm path for generating a plurality of attack events is "an attacker attacks a gateway, and accesses an application 1 without right, the application 1 scans a database 1 abnormally, and the application 1 logs in an application 2 forcibly".
By applying the scheme of the embodiment of the description, the plurality of event nodes corresponding to the plurality of attack events are obtained, the plurality of event nodes are connected according to the incidence relation, and the aggregated alarm path of the plurality of attack events is generated, so that the alarm aggregation efficiency and accuracy are improved.
It should be noted that after generating the aggregated alarm path for a plurality of attack events, the aggregated alarm path may be displayed in a preset alarm window, that is, after the step of generating the aggregated alarm path for a plurality of attack events, the method may further include the following steps:
and displaying the aggregation alarm path in a preset alarm window.
In the embodiment of the present description, the attack event that is alarmed in the preset alarm window may be updated to the obtained aggregated alarm path, so that the user can see the complete aggregated alarm path, and the user can process the attack event subsequently.
It should be noted that the alarm method provided in this specification is applied to an alarm process in various scenarios, such as a communication scenario and a transaction scenario, and may also be applied to other scenarios, and the application scenario of the alarm method in this specification is not limited.
Fig. 6, with reference to fig. 6 below, shows a flowchart of a processing procedure of an alarm method provided in an embodiment of the present specification, which specifically includes the following steps.
Step 602: a plurality of node probes are arranged on the data link.
Step 604: and responding to the node probe to identify the occurrence of the attack event, and acquiring the attack event occurring in at least one preset time period.
Step 606: and acquiring an event node corresponding to the attack event and the attack direction of the attack event.
Step 608: and alarming the attack event in a preset alarm window according to the event node and the attack direction.
Step 610: a plurality of attack events that generate an alert are obtained.
Step 612: aiming at a plurality of attack events, a local relation graph corresponding to the attack events is searched in a preset event relation graph.
Step 614: and obtaining the incidence relation among a plurality of attack events according to the local relation graph.
Step 616: and acquiring a plurality of event nodes corresponding to the plurality of attack events.
Step 618: and connecting the event nodes according to the incidence relation to generate an aggregation alarm path of the attack events.
Step 620: and displaying the aggregation alarm path in a preset alarm window.
By applying the scheme of the embodiment of the specification, a plurality of node probes are arranged on a data link, the node probes are responded to identify the occurrence of an attack event, the attack event occurring in at least one preset time period is obtained, the event node corresponding to the attack event and the attack direction of the attack event are obtained, alarming the attack event in a preset alarm window according to the event node and the attack direction, acquiring a plurality of attack events generating alarm, aiming at the plurality of attack events, searching a local relation graph corresponding to the attack events in a preset event relation graph, acquiring the incidence relation among a plurality of attack events according to the local relation graph, acquiring a plurality of event nodes corresponding to the attack events, and connecting a plurality of event nodes according to the incidence relation, generating an aggregated alarm path of a plurality of attack events, and displaying the aggregated alarm path in a preset alarm window. According to the alarm scheme provided by the specification, the relationship is established for each discrete event through the preset event relationship map, the multiple attack events are matched with the preset event relationship map, the incidence relationship among the multiple attack events is obtained, alarm aggregation is carried out on the multiple attack events according to the incidence relationship, the problem of alarm aggregation of an unknown link is solved, and the alarm aggregation efficiency and accuracy are improved.
The above is a schematic scheme of an alarm method according to this embodiment. It should be noted that the technical solution of the alarm method belongs to the same concept as the technical solution of the alarm method shown in fig. 1, and details that are not described in detail in the technical solution of the alarm method can be referred to the description of the technical solution of the alarm method.
Corresponding to the above method embodiment, the present specification further provides an alarm device embodiment, and fig. 7 shows a schematic structural diagram of an alarm device provided in an embodiment of the present specification. As shown in fig. 7, the apparatus includes:
an obtaining module 702 configured to obtain a plurality of attack events that generate an alert;
a matching module 704 configured to match the plurality of attack events with a preset event relationship graph to obtain an incidence relationship between the plurality of attack events;
and an aggregation module 706 configured to perform alarm aggregation on the plurality of attack events according to the association relationship.
Optionally, the apparatus further comprises:
an alarm module configured to set a plurality of node probes on a data link; and in response to the node probe identifying the occurrence of the attack event, alarming the attack event.
Optionally, the alarm module is further configured to obtain an attack event occurring within at least one preset time period; and alarming the attack events occurring in the preset time period in a preset alarm window.
Optionally, the alarm module is further configured to obtain an event node corresponding to the attack event and an attack direction of the attack event; and alarming the attack event in a preset alarm window according to the event node and the attack direction.
Optionally, the matching module 704 is further configured to, for a plurality of attack events, search a local relationship graph corresponding to the attack event in a preset event relationship graph; and obtaining the incidence relation among a plurality of attack events according to the local relation graph.
Optionally, the aggregation module 706 is further configured to obtain a plurality of event nodes corresponding to a plurality of attack events; and connecting the event nodes according to the incidence relation to generate an aggregation alarm path of the attack events.
Optionally, the apparatus further comprises:
and the display module is configured to display the aggregation alarm path in a preset alarm window.
By applying the scheme of the embodiment of the specification, the plurality of node probes are arranged on the data link, the node probes are responded to identify the occurrence of the attack event, the attack event occurring in at least one preset time period is acquired, the event node corresponding to the attack event and the attack direction of the attack event are acquired, alarming the attack event in a preset alarm window according to the event node and the attack direction, acquiring a plurality of attack events generating the alarm, aiming at the plurality of attack events, searching a local relation graph corresponding to the attack events in a preset event relation graph, acquiring the incidence relation among a plurality of attack events according to the local relation graph, acquiring a plurality of event nodes corresponding to the attack events, and connecting the event nodes according to the incidence relation, generating an aggregated alarm path of the attack events, and displaying the aggregated alarm path in a preset alarm window. According to the alarm scheme provided by the specification, the relationship is established for each discrete event through the preset event relationship map, the multiple attack events are matched with the preset event relationship map, the incidence relationship among the multiple attack events is obtained, alarm aggregation is carried out on the multiple attack events according to the incidence relationship, the problem of alarm aggregation of an unknown link is solved, and the alarm aggregation efficiency and accuracy are improved.
The above is a schematic scheme of an alarm device of the present embodiment. It should be noted that the technical solution of the alarm device and the technical solution of the alarm method belong to the same concept, and details of the technical solution of the alarm device, which are not described in detail, can be referred to the description of the technical solution of the alarm method.
FIG. 8 illustrates a block diagram of a computing device 800, according to one embodiment of the present description. The components of the computing device 800 include, but are not limited to, memory 810 and a processor 820. The processor 820 is coupled to the memory 810 via a bus 830, and the database 850 is used to store data.
Computing device 800 also includes access device 840, access device 840 enabling computing device 800 to communicate via one or more networks 860. Examples of such networks include a Public Switched Telephone Network (PSTN), a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the internet. The Access device 540 may include one or more of any type of Network Interface (e.g., a Network Interface Card (NIC)) whether wired or Wireless, such as an IEEE802.11 Wireless Local Area Network (WLAN) Wireless Interface, a worldwide Interoperability for Microwave Access (Wi-MAX) Interface, an ethernet Interface, a Universal Serial Bus (USB) Interface, a cellular Network Interface, a bluetooth Interface, a Near Field Communication (NFC) Interface, and so forth.
In one embodiment of the present description, the above-described components of computing device 800, as well as other components not shown in FIG. 8, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device architecture shown in FIG. 8 is for purposes of example only and is not limiting as to the scope of the description. Those skilled in the art may add or replace other components as desired.
Computing device 800 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), a mobile phone (e.g., smartphone), a wearable computing device (e.g., smartwatch, smartglasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC. Computing device 800 may also be a mobile or stationary server.
Wherein, the processor 820 is configured to execute the following computer-executable instructions:
acquiring a plurality of attack events generating alarms;
matching the plurality of attack events with a preset event relation map to obtain an incidence relation between the plurality of attack events;
and performing alarm aggregation on the plurality of attack events according to the incidence relation.
The above is an illustrative scheme of a computing device of the present embodiment. It should be noted that the technical solution of the computing device and the technical solution of the above-mentioned alarm method belong to the same concept, and details that are not described in detail in the technical solution of the computing device can be referred to the description of the technical solution of the above-mentioned alarm method.
By applying the scheme of the embodiment of the specification, a plurality of attack events generating alarms are obtained, the plurality of attack events are matched with a preset event relation map, the incidence relation among the plurality of attack events is obtained, and the alarms of the plurality of attack events are aggregated according to the incidence relation. The relationship of each discrete event is established by presetting an event relationship map, the plurality of attack events are matched with the preset event relationship map to obtain the association relationship among the plurality of attack events, and the plurality of attack events are subjected to alarm aggregation according to the association relationship, so that the alarm aggregation efficiency and accuracy are improved.
An embodiment of the present specification also provides a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement:
acquiring a plurality of attack events generating alarms;
matching the plurality of attack events with a preset event relation map to obtain an incidence relation between the plurality of attack events;
and performing alarm aggregation on the plurality of attack events according to the incidence relation.
The above is an illustrative scheme of a computer-readable storage medium of the present embodiment. It should be noted that the technical solution of the storage medium and the technical solution of the above-mentioned alarm method belong to the same concept, and details that are not described in detail in the technical solution of the storage medium can be referred to the description of the technical solution of the above-mentioned alarm method.
By applying the scheme of the embodiment of the specification, a plurality of attack events generating alarms are obtained, the plurality of attack events are matched with a preset event relation map, the incidence relation among the plurality of attack events is obtained, and the alarms of the plurality of attack events are aggregated according to the incidence relation. The method comprises the steps of establishing a relationship for each discrete event through a preset event relationship map, matching a plurality of attack events with the preset event relationship map to obtain an incidence relationship among the plurality of attack events, and carrying out alarm aggregation on the plurality of attack events according to the incidence relationship, so that the alarm aggregation efficiency and accuracy are improved.
An embodiment of the present specification also provides a computer program, wherein when the computer program is executed in a computer, the computer program causes the computer to execute:
acquiring a plurality of attack events generating alarms;
matching the plurality of attack events with a preset event relation map to obtain an incidence relation between the plurality of attack events;
and carrying out alarm aggregation on a plurality of attack events according to the association relation.
The above is an illustrative scheme of a computer program of the present embodiment. It should be noted that the technical solution of the computer program and the technical solution of the above-mentioned alarm method belong to the same concept, and details that are not described in detail in the technical solution of the computer program can be referred to the description of the technical solution of the above-mentioned alarm method.
By applying the scheme of the embodiment of the specification, a plurality of attack events generating alarms are obtained, the plurality of attack events are matched with a preset event relation map, the incidence relation among the plurality of attack events is obtained, and the alarms of the plurality of attack events are aggregated according to the incidence relation. The method comprises the steps of establishing a relationship for each discrete event through a preset event relationship map, matching a plurality of attack events with the preset event relationship map to obtain an incidence relationship among the plurality of attack events, and carrying out alarm aggregation on the plurality of attack events according to the incidence relationship, so that the alarm aggregation efficiency and accuracy are improved.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The computer instructions comprise computer program code which may be in the form of source code, object code, an executable file or some intermediate form, or the like. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts, but those skilled in the art should understand that the present embodiment is not limited by the described acts, because some steps may be performed in other sequences or simultaneously according to the present embodiment. Further, those skilled in the art should also appreciate that the embodiments described in this specification are preferred embodiments and that acts and modules referred to are not necessarily required for an embodiment of the specification.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are intended only to aid in the description of the specification. Alternative embodiments are not exhaustive and do not limit the invention to the precise embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the embodiments. The specification is limited only by the claims and their full scope and equivalents.
Claims (10)
1. An alarm method, comprising:
acquiring a plurality of attack events for generating an alarm;
matching the plurality of attack events with a preset event relation map to obtain an incidence relation among the plurality of attack events;
and carrying out alarm aggregation on the plurality of attack events according to the incidence relation.
2. The method of claim 1, further comprising, prior to the step of obtaining a plurality of attack events that generate an alert:
setting a plurality of node probes on a data link;
and responding to the node probe to identify the occurrence of the attack event, and alarming the attack event.
3. The method of claim 2, the step of alerting the attack event comprising:
acquiring an attack event occurring in at least one preset time period;
and alarming the attack event occurring in the preset time period in a preset alarm window.
4. The method of claim 3, wherein the step of alarming the attack event occurring within the preset time period in a preset alarm window comprises:
acquiring an event node corresponding to the attack event and an attack direction of the attack event;
and alarming the attack event in the preset alarm window according to the event node and the attack direction.
5. The method according to claim 1, wherein the step of matching the plurality of attack events with a preset event relationship graph to obtain the association relationship between the plurality of attack events comprises:
aiming at the plurality of attack events, searching a local relation graph corresponding to the attack events in the preset event relation graph;
and obtaining the incidence relation among the attack events according to the local relation graph.
6. The method of claim 1, wherein the step of alarm aggregation of the plurality of attack events according to the incidence relation comprises:
acquiring a plurality of event nodes corresponding to the plurality of attack events;
and connecting the event nodes according to the incidence relation to generate an aggregated alarm path of the attack events.
7. The method of claim 5, further comprising, after the step of generating the aggregated alarm path for the plurality of attack events:
and displaying the aggregation alarm path in a preset alarm window.
8. An alert device comprising:
an acquisition module configured to acquire a plurality of attack events that generate an alert;
the matching module is configured to match the plurality of attack events with a preset event relation graph to obtain the incidence relation among the plurality of attack events;
and the aggregation module is configured to perform alarm aggregation on the plurality of attack events according to the incidence relation.
9. A computing device, comprising:
a memory and a processor;
the memory is for storing computer-executable instructions and the processor is for executing the computer-executable instructions, which when executed by the processor implement the steps of the alerting method of any one of claims 1 to 7.
10. A computer readable storage medium storing computer executable instructions which, when executed by a processor, implement the steps of the alerting method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210390455.3A CN114745183B (en) | 2022-04-14 | 2022-04-14 | Alarm method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210390455.3A CN114745183B (en) | 2022-04-14 | 2022-04-14 | Alarm method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114745183A true CN114745183A (en) | 2022-07-12 |
| CN114745183B CN114745183B (en) | 2023-10-27 |
Family
ID=82281123
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210390455.3A Active CN114745183B (en) | 2022-04-14 | 2022-04-14 | Alarm method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114745183B (en) |
Citations (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100262688A1 (en) * | 2009-01-21 | 2010-10-14 | Daniar Hussain | Systems, methods, and devices for detecting security vulnerabilities in ip networks |
| US20110055924A1 (en) * | 2009-09-02 | 2011-03-03 | Q1 Labs Inc. | Graph structures for event matching |
| US20150074806A1 (en) * | 2013-09-10 | 2015-03-12 | Symantec Corporation | Systems and methods for using event-correlation graphs to detect attacks on computing systems |
| EP3079337A1 (en) * | 2015-04-09 | 2016-10-12 | Accenture Global Services Limited | Event correlation across heterogeneous operations |
| EP3079336A1 (en) * | 2015-04-09 | 2016-10-12 | Accenture Global Services Limited | Event correlation across heterogeneous operations |
| US20170063910A1 (en) * | 2015-08-31 | 2017-03-02 | Splunk Inc. | Enterprise security graph |
| US9811866B1 (en) * | 2013-07-20 | 2017-11-07 | Relationship Science LLC | News alerts based on user analytics |
| CN108696473A (en) * | 2017-04-05 | 2018-10-23 | 中国移动通信集团广东有限公司 | Attack path restoring method and device |
| CN109005069A (en) * | 2018-08-29 | 2018-12-14 | 中国人民解放军国防科技大学 | Network security knowledge graph association analysis method based on heaven-earth integrated network |
| CN109922075A (en) * | 2019-03-22 | 2019-06-21 | 中国南方电网有限责任公司 | Network security knowledge map construction method and apparatus, computer equipment |
| CN110519264A (en) * | 2019-08-26 | 2019-11-29 | 奇安信科技集团股份有限公司 | Method, device and equipment for tracing attack event |
| US20200028861A1 (en) * | 2018-07-17 | 2020-01-23 | Sap Se | Pattern creation based on an attack path |
| CN111159425A (en) * | 2019-12-30 | 2020-05-15 | 浙江大学 | Temporal knowledge graph representation method based on historical relationship and double-graph convolution network |
| CN111177417A (en) * | 2020-04-13 | 2020-05-19 | 中国人民解放军国防科技大学 | Security event correlation method, system and medium based on network security knowledge graph |
| CN111541661A (en) * | 2020-04-15 | 2020-08-14 | 全球能源互联网研究院有限公司 | Power information network attack scene reconstruction method and system based on causal knowledge |
| CN111858482A (en) * | 2020-07-15 | 2020-10-30 | 北京市燃气集团有限责任公司 | Attack event tracing and tracing method, system, terminal and storage medium |
| CN111935192A (en) * | 2020-10-12 | 2020-11-13 | 腾讯科技(深圳)有限公司 | Network attack event tracing processing method, device, equipment and storage medium |
| CN112202817A (en) * | 2020-11-30 | 2021-01-08 | 北京微智信业科技有限公司 | Attack behavior detection method based on multi-event association and machine learning |
| CN112600800A (en) * | 2020-12-03 | 2021-04-02 | 中国电子科技网络信息安全有限公司 | Network risk assessment method based on map |
-
2022
- 2022-04-14 CN CN202210390455.3A patent/CN114745183B/en active Active
Patent Citations (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20100262688A1 (en) * | 2009-01-21 | 2010-10-14 | Daniar Hussain | Systems, methods, and devices for detecting security vulnerabilities in ip networks |
| US20110055924A1 (en) * | 2009-09-02 | 2011-03-03 | Q1 Labs Inc. | Graph structures for event matching |
| US9811866B1 (en) * | 2013-07-20 | 2017-11-07 | Relationship Science LLC | News alerts based on user analytics |
| US20150074806A1 (en) * | 2013-09-10 | 2015-03-12 | Symantec Corporation | Systems and methods for using event-correlation graphs to detect attacks on computing systems |
| EP3079337A1 (en) * | 2015-04-09 | 2016-10-12 | Accenture Global Services Limited | Event correlation across heterogeneous operations |
| EP3079336A1 (en) * | 2015-04-09 | 2016-10-12 | Accenture Global Services Limited | Event correlation across heterogeneous operations |
| US20170063910A1 (en) * | 2015-08-31 | 2017-03-02 | Splunk Inc. | Enterprise security graph |
| CN108696473A (en) * | 2017-04-05 | 2018-10-23 | 中国移动通信集团广东有限公司 | Attack path restoring method and device |
| US20200028861A1 (en) * | 2018-07-17 | 2020-01-23 | Sap Se | Pattern creation based on an attack path |
| CN109005069A (en) * | 2018-08-29 | 2018-12-14 | 中国人民解放军国防科技大学 | Network security knowledge graph association analysis method based on heaven-earth integrated network |
| CN109922075A (en) * | 2019-03-22 | 2019-06-21 | 中国南方电网有限责任公司 | Network security knowledge map construction method and apparatus, computer equipment |
| CN110519264A (en) * | 2019-08-26 | 2019-11-29 | 奇安信科技集团股份有限公司 | Method, device and equipment for tracing attack event |
| CN111159425A (en) * | 2019-12-30 | 2020-05-15 | 浙江大学 | Temporal knowledge graph representation method based on historical relationship and double-graph convolution network |
| CN111177417A (en) * | 2020-04-13 | 2020-05-19 | 中国人民解放军国防科技大学 | Security event correlation method, system and medium based on network security knowledge graph |
| CN111541661A (en) * | 2020-04-15 | 2020-08-14 | 全球能源互联网研究院有限公司 | Power information network attack scene reconstruction method and system based on causal knowledge |
| CN111858482A (en) * | 2020-07-15 | 2020-10-30 | 北京市燃气集团有限责任公司 | Attack event tracing and tracing method, system, terminal and storage medium |
| CN111935192A (en) * | 2020-10-12 | 2020-11-13 | 腾讯科技(深圳)有限公司 | Network attack event tracing processing method, device, equipment and storage medium |
| CN112202817A (en) * | 2020-11-30 | 2021-01-08 | 北京微智信业科技有限公司 | Attack behavior detection method based on multi-event association and machine learning |
| CN112600800A (en) * | 2020-12-03 | 2021-04-02 | 中国电子科技网络信息安全有限公司 | Network risk assessment method based on map |
Non-Patent Citations (1)
| Title |
|---|
| 姜楠;崔耀辉;王健;吴晋超;: "基于上下文特征的IDS告警日志攻击场景重建方法", 信息网络安全, no. 07 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114745183B (en) | 2023-10-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11405301B1 (en) | Service analyzer interface with composite machine scores | |
| Böse et al. | Detecting insider threats using radish: A system for real-time anomaly detection in heterogeneous data streams | |
| US11201865B2 (en) | Change monitoring and detection for a cloud computing environment | |
| CN111885040A (en) | Distributed network situation perception method, system, server and node equipment | |
| Petrenko et al. | Problem of developing an early-warning cybersecurity system for critically important governmental information assets | |
| WO2021247752A1 (en) | Semantic map generation from natural-language-text documents | |
| CN111813960B (en) | Knowledge graph-based data security audit model device, method and terminal equipment | |
| CN110168523A (en) | Change monitoring to inquire across figure | |
| Raja et al. | Combined analysis of support vector machine and principle component analysis for IDS | |
| CN111316292B (en) | Multi-scale hierarchical clustering of customer observable objects using persistent geometric features of co-occurrence simplex complex | |
| CN112149135A (en) | Method and device for constructing security vulnerability knowledge graph | |
| US20190197432A9 (en) | Automated meta parameter search for invariant based anomaly detectors in log analytics | |
| CN114567538A (en) | Alarm information processing method and device | |
| JP2022126818A (en) | Method and apparatus of processing security information, electronic device, storage medium, and computer program | |
| Liu et al. | Multi-step attack scenarios mining based on neural network and Bayesian network attack graph | |
| Kannadhasan et al. | Intrusion detection techniques based secured data sharing system for cloud computing using msvm | |
| Stevens et al. | Foundations of network monitoring: Definitions and applications | |
| CA3211911A1 (en) | Systems and methods for creating, training, and evaluating models, scenarios, lexicons, and policies | |
| Khan et al. | Context-based irregular activity detection in event logs for forensic investigations: An itemset mining approach | |
| CN117240586A (en) | Internal threat detection method and system based on depth time map information maximization | |
| CN114745183B (en) | Alarm method and device | |
| US11763014B2 (en) | Production protection correlation engine | |
| Zamfira et al. | Developing an ontology of cyber-operations in networks of computers | |
| CN114880153A (en) | Data processing method and device, electronic equipment and computer readable storage medium | |
| CN114610787A (en) | Safety object knowledge graph big data mining method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |