CN114745183B - Alarm method and device - Google Patents

Alarm method and device

Publication number: CN114745183B
Authority: CN (China)
Prior art keywords: attack, event, relation, events, alarm
Legal status: Active
Application number: CN202210390455.3A
Other languages: Chinese (zh)
Other versions: CN114745183A (en)
Inventor: 陆奕言
Current assignee: Zhejiang eCommerce Bank Co Ltd
Original assignee: Zhejiang eCommerce Bank Co Ltd
Application filed by Zhejiang eCommerce Bank Co Ltd; priority to CN202210390455.3A; publication of CN114745183A; application granted; publication of CN114745183B; legal status: Active.


Classifications

    • H: Electricity
        • H04: Electric communication technique
            • H04L: Transmission of digital information, e.g. telegraphic communication
                • H04L63/00: Network architectures or network communication protocols for network security
                    • H04L63/14: Network security for detecting or protecting against malicious traffic
                        • H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416: Event detection, e.g. attack signature detection
                            • H04L63/1425: Traffic logging, e.g. anomaly detection
                        • H04L63/1441: Countermeasures against malicious traffic
    • G: Physics
        • G06: Computing; calculating or counting
            • G06F: Electric digital data processing
                • G06F16/00: Information retrieval; database structures therefor; file system structures therefor
                    • G06F16/20: Information retrieval of structured data, e.g. relational data
                        • G06F16/24: Querying
                            • G06F16/245: Query processing
                                • G06F16/2455: Query execution
                                    • G06F16/24553: Query execution of query operations
                                        • G06F16/24554: Unary operations; data partitioning operations
                                            • G06F16/24556: Aggregation; duplicate elimination
                        • G06F16/28: Databases characterised by their database models, e.g. relational or object models
                    • G06F16/90: Details of database functions independent of the retrieved data types
                        • G06F16/901: Indexing; data structures therefor; storage structures
                            • G06F16/9024: Graphs; linked lists
                        • G06F16/903: Querying
                            • G06F16/90335: Query processing

Abstract

The embodiment of the specification provides an alarm method and device. The alarm method comprises the following steps: acquiring a plurality of attack events that generate alarms; matching the plurality of attack events with a preset event relation graph to obtain the association relations among the attack events; and performing alarm aggregation on the attack events according to those association relations. Because the preset event relation graph creates a relation for each otherwise discrete event, matching the attack events against it yields their association relations, and aggregating the alarms according to those relations improves both the efficiency and the accuracy of alarm aggregation.

Description

Alarm method and device
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to an alarm method.
Background
With the development of computer technology, the links of information systems have become more and more complex, and a large number of attack events accompany this. Taking a network attack event as an example, a network attack event is an information security event in which an attacker exploits configuration defects, protocol defects or program defects of an information system, or uses brute-force attacks, through a network or other technical means to attack the information system, causing the information system to behave abnormally or creating a potential hazard to its current operation.
Currently, a hazard probe is typically arranged in the link, and the hazard probe alarms attack events occurring in the link. However, as the access link becomes more and more complex, the number of alarm events grows accordingly, so that it becomes difficult for people to determine the potential hazard to the current system directly from the alarm events; an efficient and accurate alarm scheme is therefore needed.
Disclosure of Invention
In view of this, the present embodiments provide an alert method. One or more embodiments of the present specification also relate to an alarm device, a computing apparatus, a computer-readable storage medium, and a computer program that solve the technical drawbacks of the prior art.
According to a first aspect of embodiments of the present disclosure, there is provided an alarm method, including:
acquiring a plurality of attack events generating alarms;
matching the plurality of attack events with a preset event relation map to obtain an association relation among the plurality of attack events;
and carrying out alarm aggregation on a plurality of attack events according to the association relation.
Optionally, before the step of acquiring the plurality of attack events generating the alarm, the method further comprises:
setting a plurality of node probes on a data link;
and, in response to a node probe identifying the occurrence of an attack event, alarming the attack event.
Optionally, the step of alerting the attack event comprises:
acquiring at least one attack event occurring in a preset time period;
and alarming the attack event occurring in a preset time period in a preset alarm window.
Optionally, the step of alarming the attack event occurring in the preset time period in the preset alarm window includes:
acquiring an event node corresponding to an attack event and an attack direction of the attack event;
and alarming the attack event in a preset alarm window according to the event node and the attack direction.
Optionally, the step of matching the plurality of attack events with a preset event relationship map to obtain an association relationship between the plurality of attack events includes:
for a plurality of attack events, searching a local relation diagram corresponding to the attack event in a preset event relation diagram;
and obtaining the association relation among a plurality of attack events according to the local relation graph.
Optionally, the step of performing alarm aggregation on the plurality of attack events according to the association relationship includes:
acquiring a plurality of event nodes corresponding to the plurality of attack events;
and connecting the plurality of event nodes according to the association relation to generate an aggregated alarm path of the plurality of attack events.
Optionally, after the step of generating the aggregated alarm path for the plurality of attack events, the method further comprises:
displaying the aggregated alarm path in a preset alarm window.
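As an added illustration (not code from the patent or its assignee), the following Python reproduces the matching and aggregation steps of the first aspect: each alarmed attack event is looked up in a preset event relation graph, its local relation graph is extracted, association relations between the alarmed events are read off that local graph, and the event nodes are connected along those relations into an aggregated alarm path. The relation graph, the event-node names, the alarm records and the text rendering are constructed assumptions; the patent specifies no particular graph content or encoding. Two failure modes the text leaves open are handled explicitly: an alarm whose event node is absent from the preset graph is kept as a single-event path rather than dropped, and a cycle in the relations (a badly built preset graph) still yields a path instead of an infinite loop.

```python
# Added example, not the patent's own code. Graph, event names and alarms are
# constructed for illustration.
from collections import defaultdict

# Preset event relation graph (constructed): a directed edge u -> v means that
# attack step u is known to be followed by attack step v.
EVENT_RELATION_GRAPH = {
    "override_access": ["abnormal_scan", "forced_login"],
    "abnormal_scan": ["forced_login"],
    "forced_login": ["data_exfil"],
    "data_exfil": [],
}

# Attack events that generated alarms (constructed). `node` is the event node in
# the relation graph, `direction` the attack direction (source, target).
ALARMS = [
    {"id": "e1", "node": "override_access", "direction": ("internet", "application 1")},
    {"id": "e2", "node": "abnormal_scan", "direction": ("application 1", "database 1")},
    {"id": "e3", "node": "forced_login", "direction": ("application 1", "application 2")},
    # event node unknown to the preset graph: must not be silently lost
    {"id": "e4", "node": "cert_expired", "direction": ("application 3", "application 3")},
]


def local_relation_graph(graph, node, hops=1):
    """Local relation graph around `node`: the nodes within `hops` of it
    (following edges in either direction) and the directed edges among them.
    A node absent from the preset graph has an empty local graph."""
    if node not in graph:
        return set(), set()
    reverse = defaultdict(list)
    for src, dsts in graph.items():
        for dst in dsts:
            reverse[dst].append(src)
    nodes, frontier = {node}, [node]
    for _ in range(hops):
        nxt = []
        for n in frontier:
            for m in graph.get(n, []) + reverse.get(n, []):
                if m not in nodes:
                    nodes.add(m)
                    nxt.append(m)
        frontier = nxt
    edges = {(s, d) for s in nodes for d in graph.get(s, []) if d in nodes}
    return nodes, edges


def association_relations(graph, alarms):
    """Match every alarm against the preset graph: alarm a is associated with
    alarm b when the edge a.node -> b.node lies in a's local relation graph."""
    relations = set()
    for a in alarms:
        _, edges = local_relation_graph(graph, a["node"])
        for b in alarms:
            if a["id"] != b["id"] and (a["node"], b["node"]) in edges:
                relations.add((a["id"], b["id"]))
    return relations


def aggregate_alarms(alarms, relations):
    """Connect event nodes into aggregated alarm paths: alarms linked by any
    chain of relations form one aggregated alarm, ordered along the attack
    direction (topological order). Unmatched alarms become single-event paths;
    alarms caught in a relation cycle are appended in their original order."""
    ids = [a["id"] for a in alarms]
    adj, succ = defaultdict(set), defaultdict(list)
    indegree = {i: 0 for i in ids}
    for s, d in sorted(relations):          # sorted: deterministic output
        adj[s].add(d)
        adj[d].add(s)
        succ[s].append(d)
        indegree[d] += 1
    seen, paths = set(), []
    for start in ids:
        if start in seen:
            continue
        comp, stack = set(), [start]        # weakly connected component
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n])
        seen |= comp
        deg = {i: indegree[i] for i in comp}
        ready = [i for i in ids if i in comp and deg[i] == 0]
        order = []
        while ready:                         # Kahn's algorithm on the component
            n = ready.pop(0)
            order.append(n)
            for m in succ[n]:
                deg[m] -= 1
                if deg[m] == 0:
                    ready.append(m)
        order += [i for i in ids if i in comp and i not in order]  # cycle leftovers
        paths.append(order)
    return paths


def render_path(path, alarms):
    """Text form of an aggregated alarm path for display in the alarm window."""
    by_id = {a["id"]: a for a in alarms}
    steps = []
    for i in path:
        src, dst = by_id[i]["direction"]
        steps.append(f'{by_id[i]["node"]}({src}->{dst})')
    return " => ".join(steps)


if __name__ == "__main__":
    rels = association_relations(EVENT_RELATION_GRAPH, ALARMS)
    for p in aggregate_alarms(ALARMS, rels):
        print(render_path(p, ALARMS))
```

Run as a script, it prints one line per aggregated alarm: the three related events collapse into a single path and the unknown event stays as its own line, which is the convergence the patent is after without losing an alarm the graph does not yet know.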
According to a second aspect of embodiments of the present specification, there is provided an alarm device comprising:
an acquisition module configured to acquire a plurality of attack events that generate alarms;
the matching module is configured to match the plurality of attack events with a preset event relation map to obtain an association relation among the plurality of attack events;
and the aggregation module is configured to aggregate the plurality of attack events according to the association relation.
Optionally, the apparatus further comprises:
an alarm module configured to set a plurality of node probes on a data link and, in response to a node probe identifying the occurrence of an attack event, to alarm the attack event.
Optionally, the alarm module is further configured to acquire an attack event occurring in at least one preset time period; and alarming the attack event occurring in a preset time period in a preset alarm window.
Optionally, the alarm module is further configured to acquire an event node corresponding to the attack event and an attack direction of the attack event; and alarming the attack event in a preset alarm window according to the event node and the attack direction.
Optionally, the matching module is further configured to search a local relationship graph corresponding to the attack event in a preset event relationship graph for a plurality of attack events; and obtaining the association relation among a plurality of attack events according to the local relation graph.
Optionally, the aggregation module is further configured to acquire a plurality of event nodes corresponding to the plurality of attack events; and connecting a plurality of event nodes according to the association relation to generate an aggregate alarm path of a plurality of attack events.
Optionally, the apparatus further comprises:
and the display module is configured to display the aggregation alarm path in a preset alarm window.
According to a third aspect of embodiments of the present specification, there is provided a computing device comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions, and the processor is configured to execute the computer-executable instructions to implement the following steps:
acquiring a plurality of attack events generating alarms;
matching the plurality of attack events with a preset event relation map to obtain an association relation among the plurality of attack events;
and carrying out alarm aggregation on a plurality of attack events according to the association relation.
According to a fourth aspect of embodiments of the present description, there is provided a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the steps of the alert method described above.
According to a fifth aspect of embodiments of the present specification, there is provided a computer program, wherein the computer program, when executed in a computer, causes the computer to perform the steps of the alert method described above.
According to the alarm method provided by the embodiment of the specification, a plurality of attack events that generate alarms are acquired, the attack events are matched with a preset event relation graph to obtain the association relations among them, and alarm aggregation is performed on the attack events according to those association relations. Because the preset event relation graph creates a relation for each otherwise discrete event, matching the attack events against it yields their association relations, and aggregating the alarms according to those relations improves both the efficiency and the accuracy of alarm aggregation.
Drawings
FIG. 1 is a flow chart of an alert method provided by one embodiment of the present description;
FIG. 2 is a schematic diagram of a preset alert window provided in one embodiment of the present disclosure;
FIG. 3 is a schematic illustration of an event relationship graph provided in one embodiment of the present disclosure;
FIG. 4a is a schematic diagram of a partial relationship diagram a provided by one embodiment of the present disclosure;
FIG. 4b is a schematic diagram of a partial relationship diagram b provided by one embodiment of the present disclosure;
FIG. 4c is a schematic diagram of a partial relationship graph c provided by one embodiment of the present disclosure;
FIG. 5 is a schematic diagram of an aggregate alert path provided by one embodiment of the present description;
FIG. 6 is a process flow diagram of an alert method provided in one embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of an alarm device according to an embodiment of the present disclosure;
FIG. 8 is a block diagram of a computing device provided in one embodiment of the present description.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. This description may be embodied in many other forms than described herein and similarly generalized by those skilled in the art to whom this disclosure pertains without departing from the spirit of the disclosure and, therefore, this disclosure is not limited by the specific implementations disclosed below.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that, although the terms first, second, etc. may be used in one or more embodiments of this specification to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first may also be referred to as a second, and similarly, a second may also be referred to as a first, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to determining", depending on the context.
First, terms related to one or more embodiments of the present specification will be explained.
Network attack event: an information security event in which an attacker exploits configuration defects, protocol defects or program defects of an information system, or uses brute-force attacks, through a network or other technical means to attack the information system, causing the information system to behave abnormally or creating a potential hazard to its current operation.
Prior knowledge: prior (a priori) knowledge is knowledge that precedes experience. For example: when a person sees a building, they can judge that the building in front of them is a villa because they already know the concept of "villa" and some of its attributes. The concept of a villa is the person's prior knowledge about the building in front of them.
Alarming: in the field of network management, a fault is defined as a cause of a malfunction, and is a cause of an alarm event. An alarm is an event report formed by a notification issued when a specific event occurs, for delivering alarm information.
Alarm aggregation: the alarm aggregation is to combine multiple alarms into a single alarm.
Knowledge graph: a knowledge graph is a visualization or mapping of a knowledge domain, used mainly to describe objective relationships among entities, concepts and events in the real world. It is a family of graphs that display the development process and structural relationships of knowledge: knowledge resources and their carriers are described with visualization techniques, and the knowledge and the correlations among those resources, concepts and events are mined, analysed, constructed, drawn and displayed. Constructing a knowledge graph is the process of extracting information from unstructured data (images and the like) or semi-structured data (web pages and the like) and building structured data from it (triples of entity, attribute and relation).
Graph database: a graph database is a type of NoSQL database, also called a graph-oriented or graph-based database, that applies graph theory to store relational information between entities. Its basic idea is to store and query data using a "graph" as the logical data structure.
Entity: an entity refers to something that is distinguishable and exists independently. Such as a person, a city, a plant, a commodity, etc., where entities are the most basic elements in the knowledge graph, and different relationships exist between different entities.
Semantic class (concept): semantic classes (concepts) are collections of entities with the same kind of properties, such as countries, books, computers, etc. Concepts refer primarily to collections, categories, object types, categories of things, such as people, geographies, and the like.
The content is as follows: content is typically expressed as names, descriptions, interpretations, etc. of entities and semantic classes, which can be expressed by text, images, audio-video, etc.
Attribute (value): an attribute leads from an entity to its attribute value, and different attribute types correspond to edges of different types. For example, "area", "population" and "capital" are different attributes. An attribute value is the value of a specified attribute of an object, for example 9.6 million square kilometers.
Relationship: on the knowledge graph, the relationship is a function that maps nodes (entities, semantic classes, attribute values) to boolean values.
In the present specification, an alarm method is provided, and the present specification relates to an alarm apparatus, a computing device, and a computer-readable storage medium, which are described in detail in the following embodiments one by one.
With the development of computer technology, the links of information systems have become more and more complex, and a large number of attack events accompany this. In a system with a complex link, the alarms of multiple monitors in the link are often triggered by the same event; if these alarms are not aggregated, an alarm storm easily forms and operation and maintenance personnel can miss important alarm events. It is therefore necessary to aggregate alarm events.
For example, in practical application an alarm aggregation rule may be formulated in advance on the basis of prior knowledge, so as to aggregate the attacks occurring in the link. However, as the access link becomes more and more complex, the alarms triggered by similar attacks also rise rapidly; the accumulation of prior knowledge cannot keep pace with the growth of alarms, and prior knowledge cannot guarantee the degree of convergence of the aggregation, so aggregation errors occur. An automated alarm aggregation scheme that does not depend on prior knowledge is therefore needed.
In order to improve the efficiency of alarm aggregation and the accuracy of its results, this specification provides an alarm method. A plurality of node probes are set on a data link. In response to a node probe identifying the occurrence of an attack event, the attack events occurring in at least one preset time period are acquired, the event node corresponding to each attack event and its attack direction are acquired, and the attack events are alarmed in a preset alarm window according to the event node and the attack direction. The plurality of attack events that generate alarms are then acquired; for each of them, the local relation graph corresponding to the attack event is searched in the preset event relation graph; the association relations among the attack events are obtained from the local relation graphs; the event nodes corresponding to the attack events are acquired and connected according to the association relations to generate an aggregated alarm path; and the aggregated alarm path is displayed in the preset alarm window. In this scheme, arranging a plurality of node probes on the data link allows the occurrence of an attack event to be identified accurately and alarmed; the preset event relation graph creates a relation for each otherwise discrete event, so that matching the attack events against it yields their association relations; and aggregating the alarms according to those relations solves the alarm aggregation problem for an unknown link and improves the efficiency and accuracy of alarm aggregation.
Referring to fig. 1, fig. 1 shows a flowchart of an alarm method according to an embodiment of the present disclosure, which specifically includes the following steps:
step 102: a plurality of attack events that generate alarms are acquired.
In the embodiment of the present disclosure, in order to combine multiple alarms into a single alarm, multiple attack events that generate the alarm may be first acquired, then the acquired multiple attack events are processed, and finally the processed multiple attack events are subjected to alarm aggregation, so as to obtain an aggregated alarm path.
Specifically, the attack event refers to an information security event that attacks the information system by using configuration defects, protocol defects, program defects or using brute force attacks of the information system through a network or other technical means, and causes abnormality of the information system or causes potential hazard to the current operation of the information system.
It should be noted that, the alarm method provided in the embodiment of the present disclosure may be applied not only in an internet scene, but also in other non-internet scenes, and specifically, the alarm method is selected according to the actual situation, which is not limited in any way in the embodiment of the present disclosure.
In practical application, there are various ways of acquiring the plurality of attack events that generate alarms; the way is selected according to the actual situation, and the embodiment of the present specification does not limit it in any way.
In one possible implementation, the plurality of attack events that are currently being alarmed may be acquired directly.
For example, the two attack events currently occurring are "application 1 is abnormally scanning database 1" and "forced login to application 2"; the system is alarming both, and the attack events being alarmed are acquired directly, namely "application 1 is abnormally scanning database 1, and forced login to application 2".
In another possible implementation, at least one attack event that is being alarmed and at least one attack event whose alarm has completed may be acquired.
For example, within the preset time the attack event that has ended is "attack override access application 1" and the attack events that are occurring are "application 1 abnormally scans database 1" and "forced login to application 2"; the system has completed alarming "attack override access application 1" and is alarming "application 1 abnormally scans database 1" and "forced login to application 2". Applying the scheme of the embodiment of the present specification, the plurality of attack events that generate alarms are acquired, namely "attack override access application 1, application 1 is abnormally scanning database 1, and forced login to application 2".
In yet another possible implementation, a plurality of attack events whose alarms have completed may be acquired.
For example, the attack events that have ended are "application 1 abnormally scans database 1" and "forced login to application 2", and the system has completed alarming both; applying the scheme of the embodiment of the present specification, the attack events whose alarms have completed are acquired directly, namely "application 1 is abnormally scanning database 1, and forced login to application 2".
By applying the scheme of the embodiment of the specification, not only attack events that are being alarmed but also attack events whose alarms have completed can be processed: the two kinds are aggregated together, so that the plurality of attack events are connected, which facilitates handling by the relevant personnel and improves the efficiency and accuracy of alarm aggregation.
In practice, the node probes may be inserted in different locations of the link. When an attack event occurs, a plurality of node probes on the link are triggered, the node probes recognize the occurrence of the attack event and alarm the attack event. That is, before the step of acquiring the plurality of attack events generating the alarm, the following steps may be included:
setting a plurality of node probes on a data link;
and, in response to a node probe identifying the occurrence of an attack event, alarming the attack event.
In this embodiment of the present disclosure, the node probe refers to a device that is disposed on a data link and is configured to identify an attack event, and when the attack event occurs on the data link, the node probe on the data link may identify the occurrence of the attack event and alarm the attack event.
In the embodiment of the present disclosure, the node probe is configured in various ways, and is specifically selected according to actual situations, which is not limited in any way.
In one possible implementation, a node probe may be set for each node on the data link, and the node probe corresponding to each node may identify an attack event occurring at that node.
Illustratively, the data link includes four nodes, node 1, node 2, node 3, and node 4, respectively. Accordingly, four node probes are provided on the data link, namely node probe 1, node probe 2, node probe 3 and node probe 4, respectively. It should be noted that, the nodes on the data link are in one-to-one correspondence with the node probes, the node probe set at the node 1 is the node probe 1, the node probe set at the node 2 is the node probe 2, the node probe set at the node 3 is the node probe 3, and the node probe set at the node 4 is the node probe 4.
By applying the scheme of the embodiment of the specification, each node on the data link can be monitored by arranging the node probe corresponding to the node at each node on the data link, so that each attack event on the data link is warned, and the accuracy of the warning is improved.
In another possible implementation, the node probes may be placed at critical nodes on the data link, where a critical node is a node at both ends of a critical job in the data link.
Illustratively, the data link includes four nodes, node 1, node 2, node 3, and node 4, respectively, wherein the critical nodes are node 2 and node 4. Accordingly, two node probes are provided on the data link, node probe 1 and node probe 2, respectively. It should be noted that, the nodes on the data link are in one-to-one correspondence with the node probes, the node probe set at the node 2 is the node probe 1, and the node probe set at the node 4 is the node probe 2.
By applying the scheme of the embodiment of the specification, the node probes are arranged at the key nodes on the data link, so that the arrangement of the node probes is reduced, and the working efficiency is further improved.
In practical applications, when the node probe on the data link identifies the occurrence of the attack event, there are various ways of alarming the attack event, specifically, selecting according to the actual situation, which is not limited in the embodiment of the present disclosure.
In one possible implementation, the node probe alarms the attack event as soon as it identifies the occurrence of that attack event.
Illustratively, there are three nodes in the data link, node 1, node 2 and node 3, respectively, node 1 being provided with node probe 1, node 2 being provided with node probe 2, node 3 being provided with node probe 3. When the node probe 1 recognizes that the attack event 1 occurs, the node probe 1 alarms the attack event 1, when the node probe 2 recognizes that the attack event 2 occurs, the node probe 2 alarms the attack event 2, and when the node probe 3 recognizes that the attack event 3 occurs, the node probe 3 alarms the attack event 3.
In another possible implementation manner, an alarm may be given to an attack event occurring within a preset period, where the preset period is specifically selected according to an actual situation, and the embodiment of the present disclosure does not limit this in any way. That is, the step of alerting the attack event may include the steps of:
acquiring at least one attack event occurring in a preset time period;
and alarming the attack events occurring in the preset time period in a preset alarm window.
Specifically, the preset alarm window is a preset window capable of displaying alarm information corresponding to an attack event, and the number of the preset alarm windows can be one or more, so that the number of the preset alarm windows is not limited, and the preset alarm windows are specifically selected according to actual situations.
In one possible implementation manner, only one preset alarm window is provided, and after at least one attack event occurring in a preset time period is acquired, the attack event occurring in the preset time period is directly alarmed in the preset alarm window.
The method includes the steps that a first preset time period is 12:00-12:10, a second preset time period is 12:30-12:40, and three attack events are respectively an attack event 1, an attack event 2 and an attack event 3 and occur in the first preset time period; a common attack event occurs within a second preset time period, which is attack event 4. And alarming the attack event 1, the attack event 2, the attack event 3 and the attack event 4 in a preset alarm window.
In another possible implementation manner, there are a plurality of preset alarm windows, each preset alarm window corresponds to a preset time period, and after an attack event occurring in at least one preset time period is acquired, an alarm is given to the attack event occurring in the preset time period in the preset alarm window corresponding to the preset time period.
The exemplary embodiment obtains a first preset time period from 12:00 to 12:10, and a second preset time period from 12:30 to 12:40, wherein the first preset time period corresponds to a preset alarm window 1, the second preset time period corresponds to a preset alarm window 2, and three attack events are respectively attack event 1, attack event 2 and attack event 3 in the first preset time period; a common attack event occurs within a second preset time period, which is attack event 4. The attack event 1, the attack event 2 and the attack event 3 are alarmed in a preset alarm window 1, and the attack event 4 is alarmed in the preset alarm window 2.
By applying the scheme of the embodiment of the specification, the attack event which occurs in the preset time period is alarmed in the preset alarm window by acquiring at least one attack event which occurs in the preset time period, so that the attack event which generates the alarm is clear, and the subsequent processing of the attack event is convenient.
In practical application, when the attack events occurring in a preset time period are alarmed in a preset alarm window, the event nodes corresponding to each attack event and the attack direction of the attack event can be displayed in the preset alarm window; that is, the step of alarming the attack event occurring in the preset time period in the preset alarm window includes:
acquiring the event nodes corresponding to the attack event and the attack direction of the attack event;
and alarming the attack event in the preset alarm window according to the event nodes and the attack direction.
Specifically, the event nodes corresponding to an attack event are the attacker and the attacked party in the attack event, and the attack direction of the attack event is the direction in which the attacker attacks the attacked party.
Illustratively, attack event 1 and attack event 2, which occur in a preset time period, are alarmed in a preset alarm window, where attack event 1 is "application 1 abnormally scans database 1" and attack event 2 is "application 1 forcibly logs in to application 2". The event nodes of attack event 1 are obtained as application 1 and database 1, the event nodes of attack event 2 as application 1 and application 2, the attack direction of attack event 1 as application 1 pointing to database 1, and the attack direction of attack event 2 as application 1 pointing to application 2.
Specifically, Fig. 2 is a schematic diagram of a preset alarm window provided by an embodiment of the present disclosure. In Fig. 2, attack event 1, occurring in a first preset time period, is acquired as "an attacker accesses application 1 without authorization", and is alarmed in the preset alarm window according to its event nodes "attacker and gateway" and its attack direction "attacker points to gateway"; attack event 2, occurring in a second preset time period, is acquired as "application 1 abnormally scans database 1", and is alarmed in the preset alarm window according to its event nodes "application 1 and database 1" and its attack direction "application 1 points to database 1"; and attack event 3, occurring in a third preset time period, is "application 1 forcibly logs in to application 2", and is alarmed in the preset alarm window according to its event nodes "application 1 and application 2" and its attack direction "application 1 points to application 2".
By applying the scheme of this embodiment, the event nodes and the attack direction corresponding to each attack event are acquired, and the attack event is alarmed in the preset alarm window according to them, so that the alarm on the attack event is unambiguous and its subsequent processing is facilitated.
Step 104: matching the plurality of attack events with a preset event relationship graph to obtain the association relationship among the plurality of attack events.
In the embodiment of the present disclosure, after a plurality of attack events that generated alarms are acquired, the plurality of attack events may be matched with a preset event relationship graph to obtain the association relationship among them. In practical application, an event relationship graph comprising "events", "relations", "behaviors", "assets" and "labels" can be constructed on the basis of a dynamic ontology and the property graph model; new content can be added to the event relationship graph continually as time passes and experience accumulates, so that its coverage keeps growing.
Specifically, the preset event relationship graph may be understood as a knowledge graph. A knowledge graph describes the entities or concepts existing in the real world and the relations among them, forming a large semantic network in which the nodes represent entities or concepts and the edges are formed by attributes or relations. A knowledge graph comprises entities, semantic classes (concepts), content, attributes (values) and relations. Logically, a knowledge graph can be divided into two layers, a schema layer and a data layer. The data layer consists mainly of a series of facts, and knowledge is stored in units of facts; if the facts are expressed as triples of the form (entity 1, relation, entity 2) or (entity, attribute, value), a graph database may be chosen as the storage medium. The schema layer is built on top of the data layer and is the core of the knowledge graph; it is usually managed by means of an ontology base. The ontology is the conceptual template of the structured knowledge base, and a knowledge base formed from an ontology base has a strong hierarchical structure and little redundancy.
It should be noted that setting up a knowledge graph includes five parts: knowledge modeling, knowledge acquisition, knowledge fusion, knowledge storage and knowledge application. First part, knowledge modeling: constructing a multi-level knowledge system that defines, organizes and manages abstract knowledge, attributes, association relations and other information, and converts them into an actual database. Second part, knowledge acquisition: converting data of different sources and different structures into graph data, including structured data, semi-structured data (parsing), knowledge indexing, knowledge reasoning and the like, while ensuring the validity and integrity of the data. Third part, knowledge fusion: fusing multi-source and duplicated knowledge, including fusion calculation, a fusion calculation engine, manual fusion and the like. Fourth part, knowledge storage: providing a reasonable knowledge storage scheme according to the project scenario, the storage scheme being flexible, diverse and extensible. Fifth part, knowledge application: providing analysis and application capabilities such as graph retrieval, knowledge calculation and graph visualization for the constructed knowledge graph, together with SDKs for various knowledge calculations, including a graph basic application class, a graph structure analysis class, a graph semantic application class, a natural language processing class, a graph data acquisition class, a graph statistics class, a data set data acquisition class and a data set statistics class.
In practical application, after a plurality of attack events that generated alarms are acquired, the local relationship graph corresponding to each attack event may be searched for in the preset event relationship graph, giving a plurality of local relationship graphs, and the relations among these local relationship graphs are then analyzed to obtain the association relationship among the plurality of attack events. That is, the step of matching the plurality of attack events with the preset event relationship graph to obtain the association relationship among them may include the following steps:
for each of the plurality of attack events, searching the preset event relationship graph for the local relationship graph corresponding to that attack event;
and obtaining the association relationship among the plurality of attack events according to the local relationship graphs.
Illustratively, Fig. 3 is a schematic diagram of an event relationship graph provided by an embodiment of the present specification. In the preset event relationship graph of Fig. 3, a user may access application 1 and application 2 through the gateway; application 1 can access database 1 and application 2; application 2 can access application 3 and database 2; and application 3 can access database 2 and database 3.
Referring to the embodiment of Fig. 2: for attack event 1, "an attacker accesses application 1 without authorization", the local relationship graph corresponding to attack event 1 is searched for in the preset event relationship graph, as shown in Fig. 4a, which is a schematic diagram of local relationship graph a provided by an embodiment of the present specification; for attack event 2, "application 1 abnormally scans database 1", the local relationship graph corresponding to attack event 2 is searched for in the preset event relationship graph, as shown in Fig. 4b, a schematic diagram of local relationship graph b provided by an embodiment of the present specification; and for attack event 3, "application 1 forcibly logs in to application 2", the local relationship graph corresponding to attack event 3 is searched for in the preset event relationship graph, as shown in Fig. 4c, a schematic diagram of local relationship graph c provided by an embodiment of the present specification. According to local relationship graph a, local relationship graph b and local relationship graph c, the association relationship among attack event 1, attack event 2 and attack event 3 is obtained as "gateway accesses application 1, application 1 accesses database 1, application 1 accesses application 2".
By applying the scheme of this embodiment, the local relationship graph corresponding to each attack event is searched for in the preset event relationship graph, so that the association relationship obtained among the plurality of attack events from the local relationship graphs is more accurate, which further improves the efficiency and accuracy of alarm aggregation.
Step 106: performing alarm aggregation on the plurality of attack events according to the association relationship.
In the embodiment of the present disclosure, after a plurality of attack events that generated alarms are acquired and matched with the preset event relationship graph to obtain the association relationship among them, the plurality of attack events may be alarm-aggregated according to that association relationship.
By applying the scheme of this embodiment, a plurality of attack events that generated alarms are acquired, matched with a preset event relationship graph to obtain the association relationship among them, and alarm-aggregated according to that association relationship. Because the preset event relationship graph creates a relation for each discrete event, matching the plurality of attack events against it yields their association relationship, and aggregating the alarms according to that relationship improves the efficiency and accuracy of alarm aggregation.
In practical application, after a plurality of attack events that generated alarms are acquired and matched with the preset event relationship graph to obtain the association relationship among them, the event nodes of the plurality of attack events are obtained and connected according to the association relationship, generating an aggregated alarm path for the plurality of attack events. That is, the step of performing alarm aggregation on the plurality of attack events according to the association relationship may include the following steps:
acquiring a plurality of event nodes corresponding to the plurality of attack events;
and connecting the plurality of event nodes according to the association relationship to generate an aggregated alarm path for the plurality of attack events.
Illustratively, referring to the foregoing embodiment, the event nodes of attack event 1 are obtained as "attacker and gateway", those of attack event 2 as "application 1 and database 1" and those of attack event 3 as "application 1 and application 2", and according to local relationship graph a, local relationship graph b and local relationship graph c the association relationship among attack event 1, attack event 2 and attack event 3 is "gateway accesses application 1, application 1 accesses database 1, application 1 accesses application 2". Fig. 5 is a schematic diagram of an aggregated alarm path provided by an embodiment of the present disclosure: the event nodes are connected according to the association relationship, and the aggregated alarm path generated for the attack events is "the attacker attacks the gateway and accesses application 1 without authorization, application 1 abnormally scans database 1, application 1 forcibly logs in to application 2".
By applying the scheme of this embodiment, the event nodes corresponding to the plurality of attack events are acquired and connected according to the association relationship to generate the aggregated alarm path of the attack events, which improves the efficiency and accuracy of alarm aggregation.
It should be noted that, after the aggregated alarm path of the plurality of attack events is generated, it may be displayed in the preset alarm window; that is, after the step of generating the aggregated alarm path of the plurality of attack events, the method may further include the following step:
displaying the aggregated alarm path in the preset alarm window.
In the embodiment of the specification, the attack events alarmed in the preset alarm window can be updated to the acquired aggregated alarm path, so that the user sees the complete aggregated alarm path, which facilitates the user's subsequent processing of the attack events.
It should be noted that the alarm method provided in the present specification applies to alarm processes in various scenarios, such as a communication scenario and a transaction scenario, and of course may also be applied to other scenarios; the application scenario of the alarm method is not limited in the present specification.
The following describes, with reference to Fig. 6, the processing procedure of an alarm method provided by an embodiment of the present disclosure, which specifically includes the following steps.
Step 602: arranging a plurality of node probes on the data link.
Step 604: in response to a node probe identifying the occurrence of an attack event, acquiring the attack events occurring in at least one preset time period.
Step 606: acquiring the event nodes corresponding to the attack event and the attack direction of the attack event.
Step 608: alarming the attack event in a preset alarm window according to the event nodes and the attack direction.
Step 610: acquiring a plurality of attack events that generated alarms.
Step 612: for each of the plurality of attack events, searching a preset event relationship graph for the local relationship graph corresponding to that attack event.
Step 614: obtaining the association relationship among the plurality of attack events according to the local relationship graphs.
Step 616: acquiring a plurality of event nodes corresponding to the plurality of attack events.
Step 618: connecting the plurality of event nodes according to the association relationship to generate an aggregated alarm path for the plurality of attack events.
Step 620: displaying the aggregated alarm path in the preset alarm window.
By applying the scheme of this embodiment, a plurality of node probes are arranged on the data link; when a node probe identifies the occurrence of an attack event, the attack events occurring in at least one preset time period are acquired, the event nodes and the attack direction of each attack event are acquired, and the attack event is alarmed in a preset alarm window according to them; the plurality of attack events that generated alarms are then acquired, the local relationship graph corresponding to each of them is searched for in the preset event relationship graph, the association relationship among them is obtained from the local relationship graphs, their event nodes are acquired and connected according to the association relationship to generate an aggregated alarm path, and the aggregated alarm path is displayed in the preset alarm window. In the alarm scheme provided by the specification, the preset event relationship graph creates a relation for each discrete event; matching a plurality of attack events against it yields the association relationship among them, and aggregating the alarms according to that relationship solves the problem of aggregating alarms along an unknown link and improves the efficiency and accuracy of alarm aggregation.
The foregoing is a schematic scheme of the alarm method of this embodiment. It should be noted that this technical solution and the technical solution of the alarm method shown in Fig. 1 belong to the same concept, and details not described here can be found in the description of the alarm method shown in Fig. 1.
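The processing procedure of Fig. 6 is illustrated below by a worked example written for this page; it is not code from the patent or from its assignee. It covers the windowing of alarms into preset time periods, the event nodes and attack direction of each alarm, the search for local relationship graphs and the generation of the aggregated alarm path. The preset event relationship graph is the one of Fig. 3, stored as (entity 1, relation, entity 2) triples as the description suggests for the data layer, and attack events 1 to 3 are those of the Fig. 2 example. Everything the description leaves open is an assumption of the example: the relation label "access", the node name "attacker" (which is not an entity of Fig. 3), the fourth attack event in the second preset time period, the timestamps, and the rule used to connect two local relationship graphs (the attacked party of the earlier event reaches the attacker of the later event along graph edges that touch either event's nodes).

```python
"""Added example of the Fig. 6 alarm flow; not code from the patent. The
relationship graph is the one of Fig. 3 and alarms 1-3 are the Fig. 2 example;
the "access" label, the "attacker" node, event 4 and all times are assumed."""
from collections import defaultdict, deque
from datetime import time
from typing import NamedTuple

# Preset event relationship graph of Fig. 3 as (entity 1, relation, entity 2)
# triples, the data-layer form described for the knowledge graph.
RELATION_GRAPH = {
    ("user", "access", "gateway"),
    ("gateway", "access", "application 1"),
    ("gateway", "access", "application 2"),
    ("application 1", "access", "database 1"),
    ("application 1", "access", "application 2"),
    ("application 2", "access", "application 3"),
    ("application 2", "access", "database 2"),
    ("application 3", "access", "database 2"),
    ("application 3", "access", "database 3"),
}
# The two preset time periods of the 12:00-12:10 / 12:30-12:40 example.
WINDOW_1 = (time(12, 0), time(12, 10))
WINDOW_2 = (time(12, 30), time(12, 40))

class AttackEvent(NamedTuple):
    """One probe alarm: event nodes are attacker and attacked party, the
    attack direction is attacker -> attacked, `at` is when it was raised."""
    name: str
    attacker: str
    attacked: str
    at: time

# Constructed alarms: the three of Fig. 2 plus an assumed fourth one in the
# second period. Event 1 hits the gateway; "attacker" is not a Fig. 3 entity.
EVENTS = [
    AttackEvent("unauthorized access to application 1", "attacker", "gateway", time(12, 1)),
    AttackEvent("abnormal scan of database 1", "application 1", "database 1", time(12, 4)),
    AttackEvent("forced login to application 2", "application 1", "application 2", time(12, 7)),
    AttackEvent("abnormal scan of database 3", "application 3", "database 3", time(12, 35)),
]

def events_in_window(events, start, end):
    """Step 604: the alarms raised inside the preset time period [start, end)."""
    return sorted((e for e in events if start <= e.at < end), key=lambda e: e.at)

def local_relation_graph(event):
    """Step 612: the part of the preset graph that touches the event's nodes."""
    nodes = {event.attacker, event.attacked}
    return {t for t in RELATION_GRAPH if t[0] in nodes or t[2] in nodes}

def _link_path(start, goal, triples):
    """Shortest chain of triples leading from start to goal (BFS), or None."""
    succ = defaultdict(list)
    for t in triples:
        succ[t[0]].append(t)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for t in succ[node]:
            if t[2] not in seen:
                seen.add(t[2])
                queue.append((t[2], path + [t]))
    return None

def association(events):
    """Step 614: (earlier, later) pairs whose local relationship graphs lead from
    the attacked party of the earlier event to the attacker of the later one."""
    events, links = sorted(events, key=lambda e: e.at), {}
    for j, later in enumerate(events):
        for earlier in events[:j]:
            triples = local_relation_graph(earlier) | local_relation_graph(later)
            path = _link_path(earlier.attacked, later.attacker, triples)
            if path is not None:
                links[(earlier, later)] = path
    return links

def association_relation(events):
    """The association relationship as graph triples: the linking triples
    plus each event's own edge where the preset graph contains it."""
    triples = {t for path in association(events).values() for t in path}
    own = {(e.attacker, e.attacked) for e in events}
    return triples | {t for t in RELATION_GRAPH if (t[0], t[2]) in own}

def aggregate_alarm_path(events):
    """Steps 616-618: hang each event off the latest earlier event it is
    associated with, then walk the tree from the alarms nothing precedes."""
    events, parent = sorted(events, key=lambda e: e.at), {}
    for earlier, later in association(events):
        if later not in parent or earlier.at > parent[later].at:
            parent[later] = earlier
    path = []
    def walk(e):
        path.append(f"{e.attacker} -> {e.attacked}: {e.name}")
        for child in sorted((c for c, p in parent.items() if p == e), key=lambda c: c.at):
            walk(child)
    for root in (e for e in events if e not in parent):
        walk(root)
    return path
```

For the three alarms of the first preset time period, aggregate_alarm_path returns the Fig. 5 chain (attacker -> gateway, application 1 -> database 1, application 1 -> application 2) and association_relation returns the "gateway accesses application 1, application 1 accesses database 1, application 1 accesses application 2" relationship of the text. Run over both time periods, the same rule also hangs the assumed fourth alarm (application 3 scanning database 3) off attack event 3, because the local relationship graph of attack event 3 contains the Fig. 3 edge from application 2 to application 3; that goes beyond the page's own example. Note that an alarm whose nodes are absent from the preset graph, such as the external attacker here, can only be linked through the node it attacked, so the accuracy of the aggregation is bounded by how current the preset event relationship graph is kept.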
Corresponding to the above method embodiments, the present disclosure further provides an embodiment of an alarm device; Fig. 7 is a schematic structural diagram of an alarm device provided by an embodiment of the present disclosure. As shown in Fig. 7, the device includes:
an acquisition module 702 configured to acquire a plurality of attack events that generated alarms;
a matching module 704 configured to match the plurality of attack events with a preset event relationship graph to obtain the association relationship among the plurality of attack events;
and an aggregation module 706 configured to perform alarm aggregation on the plurality of attack events according to the association relationship.
Optionally, the device further comprises:
an alarm module configured to arrange a plurality of node probes on the data link and, in response to a node probe identifying the occurrence of an attack event, to alarm the attack event.
Optionally, the alarm module is further configured to acquire the attack events occurring in at least one preset time period, and to alarm the attack events occurring in a preset time period in a preset alarm window.
Optionally, the alarm module is further configured to acquire the event nodes corresponding to the attack event and the attack direction of the attack event, and to alarm the attack event in the preset alarm window according to the event nodes and the attack direction.
Optionally, the matching module 704 is further configured to search, for each of the plurality of attack events, the preset event relationship graph for the local relationship graph corresponding to that attack event, and to obtain the association relationship among the plurality of attack events according to the local relationship graphs.
Optionally, the aggregation module 706 is further configured to acquire a plurality of event nodes corresponding to the plurality of attack events, and to connect the plurality of event nodes according to the association relationship to generate an aggregated alarm path for the plurality of attack events.
Optionally, the device further comprises:
a display module configured to display the aggregated alarm path in the preset alarm window.
The foregoing is a schematic solution of the alarm device of this embodiment. It should be noted that the technical solution of the alarm device and the technical solution of the alarm method belong to the same concept, and details of the alarm device not described here can be found in the description of the alarm method.
Fig. 8 is a block diagram of a computing device 800 provided according to an embodiment of the present description. The components of computing device 800 include, but are not limited to, memory 810 and processor 820. Processor 820 is coupled to memory 810 through bus 830, and database 850 is used to hold data.
Computing device 800 also includes an access device 840, which enables computing device 800 to communicate via one or more networks 860. Examples of such networks include the public switched telephone network (PSTN), local area networks (LAN), wide area networks (WAN), personal area networks (PAN), or combinations of communication networks such as the Internet. The access device 840 may include one or more network interfaces of any type, wired or wireless (e.g., a network interface card (NIC)), such as an IEEE 802.11 wireless local area network (WLAN) interface, a worldwide interoperability for microwave access (WiMAX) interface, an Ethernet interface, a universal serial bus (USB) interface, a cellular network interface, a Bluetooth interface, a near field communication (NFC) interface, and so forth.
In one embodiment of the present description, the above components of computing device 800, as well as other components not shown in Fig. 8, may also be connected to each other, for example by a bus. It should be understood that the block diagram of the computing device in Fig. 8 is for exemplary purposes only and is not intended to limit the scope of the present description; those skilled in the art may add or replace other components as desired.
Computing device 800 may be any type of stationary or mobile computing device including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smart phone), wearable computing device (e.g., smart watch, smart glasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC. Computing device 800 may also be a mobile or stationary server.
Processor 820 is configured to execute computer-executable instructions for:
acquiring a plurality of attack events that generated alarms;
matching the plurality of attack events with a preset event relationship graph to obtain the association relationship among the plurality of attack events;
and performing alarm aggregation on the plurality of attack events according to the association relationship.
The foregoing is a schematic illustration of a computing device of this embodiment. It should be noted that, the technical solution of the computing device and the technical solution of the foregoing alarm method belong to the same concept, and details of the technical solution of the computing device that are not described in detail may be referred to the description of the technical solution of the foregoing alarm method.
An embodiment of the present disclosure also provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement:
acquiring a plurality of attack events that generated alarms;
matching the plurality of attack events with a preset event relationship graph to obtain the association relationship among the plurality of attack events;
and performing alarm aggregation on the plurality of attack events according to the association relationship.
The above is an exemplary version of a computer-readable storage medium of the present embodiment. It should be noted that, the technical solution of the storage medium and the technical solution of the alarm method belong to the same concept, and details of the technical solution of the storage medium which are not described in detail can be referred to the description of the technical solution of the alarm method.
An embodiment of the present specification also provides a computer program which, when executed in a computer, causes the computer to perform:
acquiring a plurality of attack events that generated alarms;
matching the plurality of attack events with a preset event relationship graph to obtain the association relationship among the plurality of attack events;
and performing alarm aggregation on the plurality of attack events according to the association relationship.
The above is an exemplary version of a computer program of the present embodiment. It should be noted that, the technical solution of the computer program and the technical solution of the alarm method belong to the same concept, and details of the technical solution of the computer program, which are not described in detail, can be referred to the description of the technical solution of the alarm method.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The computer instructions include computer program code, which may be in source code form, object code form, an executable file, some intermediate form, or the like. The computer readable medium may include any entity or device capable of carrying the computer program code, such as a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so forth. It should be noted that the content a computer readable medium is taken to include may be extended or restricted as appropriate according to the requirements of legislation and patent practice in the relevant jurisdiction; for example, in some jurisdictions, a computer readable medium does not include electrical carrier signals and telecommunications signals under such legislation and patent practice.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combinations of actions, but it should be understood by those skilled in the art that the embodiments are not limited by the order of actions described, as some steps may be performed in other order or simultaneously according to the embodiments of the present disclosure. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily all required for the embodiments described in the specification.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are merely used to help clarify the present specification. Alternative embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the teaching of the embodiments. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. This specification is to be limited only by the claims and the full scope and equivalents thereof.

Claims (8)

1. An alarm method comprising:
acquiring a plurality of attack events that have generated alarms, wherein the attack events comprise attack events whose alarms are still active and attack events whose alarms have completed;
matching the plurality of attack events against a preset event relationship graph to obtain the association relationship among the plurality of attack events, wherein the event relationship graph is built from the relationships among discrete events, the association relationship among the attack events comprises the association relationship among event nodes, and the event nodes are the attacker and the attacked party in each attack event; wherein matching the plurality of attack events against the preset event relationship graph to obtain the association relationship among them comprises: searching the preset event relationship graph for the local relationship graphs corresponding to the plurality of attack events to obtain a plurality of local relationship graphs, analyzing the obtained local relationship graphs to obtain the relationships among them, and thereby obtaining the association relationship among the plurality of attack events;
performing alarm aggregation on the plurality of attack events according to the association relationship, wherein performing alarm aggregation on the plurality of attack events according to the association relationship comprises: connecting the attacker and the attacked party of the plurality of attack events according to the association relationship, and generating an aggregated alarm path for the plurality of attack events.
2. The method of claim 1, further comprising, before acquiring the plurality of attack events that have generated alarms:
deploying a plurality of node probes on a data link;
and in response to a node probe identifying that an attack event has occurred, raising an alarm for the attack event.
3. The method of claim 2, wherein raising an alarm for the attack event comprises:
acquiring at least one attack event occurring within a preset time period;
and raising alarms, in a preset alarm window, for the attack events occurring within the preset time period.
4. The method of claim 3, wherein raising alarms in a preset alarm window for the attack events occurring within the preset time period comprises:
acquiring the event nodes corresponding to the attack event and the attack direction of the attack event;
and raising the alarm for the attack event in the preset alarm window according to the event nodes and the attack direction.
5. The method of claim 1, further comprising, after generating the aggregated alarm path for the plurality of attack events:
displaying the aggregated alarm path in a preset alarm window.
6. An alarm device comprising:
an acquisition module configured to acquire a plurality of attack events that have generated alarms, wherein the attack events comprise attack events whose alarms are still active and attack events whose alarms have completed;
a matching module configured to match the plurality of attack events against a preset event relationship graph to obtain the association relationship among the plurality of attack events, wherein the event relationship graph is built from the relationships among discrete events, the association relationship among the attack events comprises the association relationship among event nodes, and the event nodes are the attacker and the attacked party in each attack event; the matching module is further configured to search the preset event relationship graph for the local relationship graphs corresponding to the plurality of attack events to obtain a plurality of local relationship graphs, to analyze the obtained local relationship graphs to obtain the relationships among them, and thereby to obtain the association relationship among the plurality of attack events;
an aggregation module configured to perform alarm aggregation on the plurality of attack events according to the association relationship, wherein the aggregation module is further configured to connect the attacker and the attacked party of the plurality of attack events according to the association relationship and to generate an aggregated alarm path for the plurality of attack events.
7. A computing device, comprising:
a memory and a processor;
the memory is configured to store computer executable instructions, and the processor is configured to execute the computer executable instructions, which, when executed by the processor, implement the steps of the alarm method of any one of claims 1 to 5.
8. A computer readable storage medium storing computer executable instructions which, when executed by a processor, implement the steps of the alarm method of any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210390455.3A CN114745183B (en) 2022-04-14 2022-04-14 Alarm method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210390455.3A CN114745183B (en) 2022-04-14 2022-04-14 Alarm method and device

Publications (2)

Publication Number Publication Date
CN114745183A CN114745183A (en) 2022-07-12
CN114745183B true CN114745183B (en) 2023-10-27

Family

ID=82281123

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210390455.3A Active CN114745183B (en) 2022-04-14 2022-04-14 Alarm method and device

Country Status (1)

Country Link
CN (1) CN114745183B (en)

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3079336A1 (en) * 2015-04-09 2016-10-12 Accenture Global Services Limited Event correlation across heterogeneous operations
EP3079337A1 (en) * 2015-04-09 2016-10-12 Accenture Global Services Limited Event correlation across heterogeneous operations
US9811866B1 (en) * 2013-07-20 2017-11-07 Relationship Science LLC News alerts based on user analytics
CN108696473A (en) * 2017-04-05 2018-10-23 中国移动通信集团广东有限公司 Attack path restoring method and device
CN109005069A (en) * 2018-08-29 2018-12-14 中国人民解放军国防科技大学 Network security knowledge graph association analysis method based on heaven-earth integrated network
CN109922075A (en) * 2019-03-22 2019-06-21 中国南方电网有限责任公司 Network security knowledge map construction method and apparatus, computer equipment
CN110519264A (en) * 2019-08-26 2019-11-29 奇安信科技集团股份有限公司 Tracking source tracing method, device and the equipment of attack
CN111159425A (en) * 2019-12-30 2020-05-15 浙江大学 Temporal knowledge graph representation method based on historical relationship and double-graph convolution network
CN111177417A (en) * 2020-04-13 2020-05-19 中国人民解放军国防科技大学 Security event correlation method, system and medium based on network security knowledge graph
CN111541661A (en) * 2020-04-15 2020-08-14 全球能源互联网研究院有限公司 Power information network attack scene reconstruction method and system based on causal knowledge
CN111858482A (en) * 2020-07-15 2020-10-30 北京市燃气集团有限责任公司 Attack event tracing and tracing method, system, terminal and storage medium
CN111935192A (en) * 2020-10-12 2020-11-13 腾讯科技(深圳)有限公司 Network attack event tracing processing method, device, equipment and storage medium
CN112202817A (en) * 2020-11-30 2021-01-08 北京微智信业科技有限公司 Attack behavior detection method based on multi-event association and machine learning
CN112600800A (en) * 2020-12-03 2021-04-02 中国电子科技网络信息安全有限公司 Network risk assessment method based on map

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100262688A1 (en) * 2009-01-21 2010-10-14 Daniar Hussain Systems, methods, and devices for detecting security vulnerabilities in ip networks
US9413598B2 (en) * 2009-09-02 2016-08-09 International Business Machines Corporation Graph structures for event matching
JP6101408B2 (en) * 2013-09-10 2017-03-22 シマンテック コーポレーションSymantec Corporation System and method for detecting attacks on computing systems using event correlation graphs
US9699205B2 (en) * 2015-08-31 2017-07-04 Splunk Inc. Network security system
US10826926B2 (en) * 2018-07-17 2020-11-03 Sap Se Pattern creation based on an attack path

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
IDS alarm log attack scenario reconstruction method based on context features; Jiang Nan; Cui Yaohui; Wang Jian; Wu Jinchao; Netinfo Security (07); full text *

Also Published As

Publication number Publication date
CN114745183A (en) 2022-07-12

Similar Documents

Publication Publication Date Title
US10977293B2 (en) Technology incident management platform
US10439922B2 (en) Service analyzer interface
US20200160230A1 (en) Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs
CN111885040A (en) Distributed network situation perception method, system, server and node equipment
CN111538842A (en) Intelligent sensing and predicting method and device for network space situation and computer equipment
CN111813960B (en) Knowledge graph-based data security audit model device, method and terminal equipment
EP3872637A1 (en) Application programming interface assessment
CN112149135A (en) Method and device for constructing security vulnerability knowledge graph
CN113642023A (en) Data security detection model training method, data security detection device and equipment
Raja et al. Combined analysis of support vector machine and principle component analysis for IDS
Shi et al. STenSr: Spatio-temporal tensor streams for anomaly detection and pattern discovery
CN115632839B (en) Intelligent campus environment network supervision method and system
US20180276566A1 (en) Automated meta parameter search for invariant based anomaly detectors in log analytics
Liu et al. Multi-step attack scenarios mining based on neural network and Bayesian network attack graph
CN109784525A (en) Method for early warning and device based on day vacant lot integration data
CN114745183B (en) Alarm method and device
CN114143015A (en) Abnormal access behavior detection method and electronic equipment
CN115619245A (en) Portrait construction and classification method and system based on data dimension reduction method
JP2022126818A (en) Method and apparatus of processing security information, electronic device, storage medium, and computer program
CN115408236A (en) Log data auditing system, method, equipment and medium
US20210406391A1 (en) Production Protection Correlation Engine
CN112989403B (en) Database damage detection method, device, equipment and storage medium
Kostadinov et al. Reducing the number of incidents in converged IT infrastructure using correlation approach
Dong et al. Security Situation Assessment Algorithm for Industrial Control Network Nodes Based on Improved Text SimHash
Zhao et al. Identifying Root-Cause Changes for User-Reported Incidents in Online Service Systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant