CN114760113A - Abnormal alarm detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114760113A
Application number: CN202210325016.4A
Authority: CN (China)
Prior art keywords: alarm, abnormal, graph, determining, target
Legal status: Granted (Active)
Other languages: Chinese (zh)
Other versions: CN114760113B (en)
Inventor: 雷昕
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Application filed by Sangfor Technologies Co Ltd
Priority to CN202210325016.4A
Publication of CN114760113A
Application granted
Publication of CN114760113B

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/06 Management of faults, events, alarms or notifications
              • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
              • H04L41/0677 Localisation of faults
              • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
            • H04L41/14 Network analysis or design
              • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
              • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
          • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
            • Y02P90/30 Computing systems specially adapted for manufacturing


Abstract

The application discloses an abnormal alarm detection method, an abnormal alarm detection device, an electronic device and a computer-readable storage medium. The method comprises: acquiring the alarm events corresponding to a target asset and determining the intersection features among different alarm events; constructing a graph based on the alarm events, in which each node is the alarm name of an alarm event and the edge between two nodes is the intersection feature between the alarm events corresponding to those two nodes; performing connected-branch cutting on the graph to obtain a plurality of subgraphs and extracting the statistical features of each subgraph; and inputting the statistical features of a subgraph into an anomaly detection model to obtain the abnormal value of that subgraph, and determining the target subgraphs according to the abnormal values. Because the subgraph features capture the relationships between alarms and not only the alarms themselves, the method improves the accuracy of abnormal alarm detection.

Description

Abnormal alarm detection method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an abnormal alarm detection method and apparatus, an electronic device, and a computer-readable storage medium.
Background
The internet is full of network attacks, and large and medium-sized enterprises with many network assets are often the first targets of attackers, so enterprises deploy a variety of security devices. As a result, the security devices in an enterprise generate a large volume of security alarms every day; security operators cannot analyze and investigate them one by one and therefore cannot locate the alarms that represent genuinely high threats.
In the related art, the security events of each IP are first aggregated into an event sequence, which serves as a sample for anomaly detection. Next, the statistical features of each event sequence are computed, converting the security events that occurred on each IP within a given period into a feature vector. The feature vectors are then input to an anomaly detection model, the top-k event sequences by anomaly score are output, and abnormal alarm segments are thereby screened out of a large number of original alarms. However, this scheme considers only the features of the individual alarm events and not the correlation between different alarm events, so the accuracy of abnormal alarm detection is low.
Therefore, how to improve the accuracy of abnormal alarm detection is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide an abnormal alarm detection method and device, an electronic device and a computer readable storage medium, and accuracy of abnormal alarm detection is improved.
In order to achieve the above object, the present application provides an abnormal alarm detection method, including:
acquiring alarm events corresponding to target assets, and determining intersection features among different alarm events;
Constructing a graph based on the alarm event; wherein, the nodes in the graph are the alarm names of the alarm events, and the edges between the two nodes are the intersection characteristics between the alarm events corresponding to the two nodes;
performing connected branch cutting on the graph to obtain a plurality of sub-graphs, and extracting statistical characteristics of the sub-graphs;
inputting the statistical characteristics of the subgraph into an anomaly detection model to obtain an abnormal value corresponding to the subgraph, and determining a target subgraph according to the abnormal value;
and determining the alarm event in the target subgraph as an abnormal alarm.
Wherein the determining of a target subgraph according to the abnormal values comprises:
sorting the subgraphs in descending order of abnormal value, and determining the top K subgraphs in the sorted result as target subgraphs.
The acquiring of the alarm event corresponding to the target asset and the determining of the intersection characteristics between different alarm events includes:
acquiring an alarm event and extracting the characteristics of the alarm event;
associating the alarm events corresponding to the same assets to determine the alarm event corresponding to the target asset;
and determining intersection characteristics among different alarm events corresponding to the target assets based on the characteristics of the alarm events corresponding to the target assets.
After the alarm event corresponding to the target asset is obtained, the method further includes:
determining an original log set of the alarm event; wherein the set of original logs includes an identification of an original log that generated the alarm event;
combining different alarm events with the similarity between corresponding original log sets larger than a preset value, and combining corresponding characteristics;
correspondingly, the determining the intersection characteristics between different alarm events includes:
determining intersection features among different alarm events after combination based on the combined features corresponding to the alarm events after combination;
correspondingly, the graph is constructed based on the alarm event, and the graph comprises the following steps:
constructing a graph based on the combined alarm events; the nodes in the graph are alarm names of the combined alarm events, and the edges between the two nodes are intersection features between the combined alarm events corresponding to the two nodes.
Performing connected-branch cutting on the graph to obtain a plurality of subgraphs and extracting the statistical features of the subgraphs comprises:
performing connected-branch cutting on the graph to obtain a plurality of candidate subgraphs;
determining the candidate subgraphs that meet a preset condition, the preset condition being that the subgraph contains more than one node or contains at least one node corresponding to an alarm event of a target level;
and extracting the statistical features of those subgraphs.
Inputting the statistical features of a subgraph into an anomaly detection model to obtain the abnormal value corresponding to the subgraph comprises:
inputting the statistical features of the subgraph into a plurality of anomaly detection models to obtain an intermediate abnormal value output by each anomaly detection model;
and voting on the intermediate abnormal values based on the weight of each anomaly detection model to obtain the abnormal value corresponding to the subgraph.
After determining the first K sub-graphs in the sorting result as target sub-graphs, the method further includes:
calculating deviation degree scores corresponding to the statistical characteristics of the target subgraph;
sequencing the statistical features of the target subgraphs in a sequence from large deviation degree scores to small deviation degree scores, and determining the first L statistical features in a sequencing result;
and carrying out abnormal positioning based on the first L statistical characteristics.
In order to achieve the above object, the present application provides an abnormal alarm detection apparatus, including:
the acquisition module is used for acquiring the alarm events corresponding to the target assets and determining intersection features among different alarm events;
the construction module is used for constructing a graph based on the alarm event; wherein, the nodes in the graph are the alarm names of the alarm events, and the edges between the two nodes are the intersection characteristics between the alarm events corresponding to the two nodes;
The cutting module is used for performing connected branch cutting on the graph to obtain a plurality of subgraphs and extracting the statistical characteristics of the subgraphs;
the detection module is used for inputting the statistical characteristics of the subgraph into an abnormal detection model to obtain abnormal values corresponding to the subgraph, sequencing the subgraph according to the sequence of the abnormal values from large to small, and determining the first K subgraphs in the sequencing result as target subgraphs;
and the first determining module is used for determining the alarm event in the target sub-graph as an abnormal alarm.
To achieve the above object, the present application provides an electronic device, comprising:
a memory for storing a computer program;
and the processor is used for realizing the steps of the abnormal alarm detection method when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the above-mentioned abnormal alert detection method.
In summary, the abnormal alarm detection method provided by the application comprises: acquiring the alarm events corresponding to a target asset and determining the intersection features among different alarm events; constructing a graph based on the alarm events, in which each node is the alarm name of an alarm event and the edge between two nodes is the intersection feature between the alarm events corresponding to those two nodes; performing connected-branch cutting on the graph to obtain a plurality of subgraphs and extracting the statistical features of the subgraphs; and inputting the statistical features of a subgraph into an anomaly detection model to obtain the abnormal value of that subgraph, and determining the target subgraphs according to the abnormal values.
The method constructs, for a target asset, a graph based on the alarm events corresponding to that asset, in which each node is the alarm name of an alarm event and the edge between two nodes is the intersection feature between the corresponding alarm events. The graph is then cut into subgraphs and the statistical features of the subgraphs are extracted. These features include not only the features of the alarm events themselves but also the intersection features between different alarm events, so they describe the relevance between alarm events; determining abnormal alarms from the subgraph features therefore improves the accuracy of abnormal alarm detection. The application also discloses an abnormal alarm detection device, an electronic device and a computer-readable storage medium that achieve the same technical effect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure, but do not constitute a limitation of the disclosure. In the drawings:
FIG. 1 is a flow diagram illustrating a method for abnormal alert detection in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram illustrating another abnormal alert detection method in accordance with an exemplary embodiment;
FIG. 3 is a block diagram illustrating an abnormal alert detection apparatus in accordance with one exemplary embodiment;
FIG. 4 is a block diagram illustrating an electronic device in accordance with an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. In addition, in the embodiments of the present application, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
The embodiment of the application discloses an abnormal alarm detection method, which improves the accuracy of abnormal alarm detection.
Referring to fig. 1, a flowchart of an abnormal alarm detection method according to an exemplary embodiment is shown, and as shown in fig. 1, the method includes:
S101: acquiring alarm events corresponding to target assets, and determining intersection features among different alarm events;
In a specific implementation, a large number of original alarm events are first obtained. Because the original alarm events arrive in inconsistent formats (for example, the alarm formats produced by threadtrace and by a WAF (Web Application Firewall) differ), the original alarm events are standardized. The standardized format may include any one or a combination of: alarm type (threat_type), level (level), kill chain step (kill_chain_phase), source IP TOP20 statistic (srcIp_list), destination IP TOP20 statistic (dstIp_list), source port TOP20 statistic (srcPort_list), destination port TOP20 statistic (dstPort_list), and the connection tuple srcIp:srcPort_dstIp:dstPort. For example, a standardized alarm event may read: alarm type Attack and Recon Tools, level 2-Interrupting Behavior, kill chain step {'name': 'user experience', 'tactics': 'execution'}, source IP TOP20 statistic ('10.1.77.12', 2), destination IP TOP20 statistic ('10.1.1.31', 2), source port TOP20 statistic (50118, 2), destination port TOP20 statistic (53, 2), and srcIp:srcPort_dstIp:dstPort ('10.1.77.12:50118_10.1.1.31:53', 2).
Next, the features of the alarm event are extracted, which can be understood as overlaying and deduplicating the content of the standardized format. The extracted features may include any one or a combination of: alarm type (threat_type), asset IP (host_ip), alarm level (level), DNS domain name (domain), DNS core domain name (core_domain), and domain name resolution result (domain_resolved_ip). For example, the features extracted from one alarm event may be: alarm type 1GB Outbound, asset IP 10.1.77.12, alarm level 1-Low Impact, and DNS domain name, core domain name and resolution result all empty, i.e. set().
Then the alarm events are associated by asset IP, that is, the alarm events corresponding to the same asset are associated together. For each asset IP, whether that IP is the attacker or the attacked party, the alarm events in which it appears are grouped together, producing the set of alarm events corresponding to each asset IP.
Further, for the alarm events corresponding to the target asset, the intersection features between different alarm events are determined based on the features of those events. An intersection feature can be understood as a feature that two different alarm events have in common, and may include any one or a combination of a domain name (domain) intersection, a core domain name (core_domain) intersection, and a resolved IP (domain_resolved_ip) intersection.
For example, the attacker IP can serve as an intersection feature between most alarm events; the IP address is a conspicuous feature, and an IP intersection can be pinned down from the respective features of two alarm events. As another example, for the alarm combination of scanning and brute-forcing, there may be an association on the destination port and the IPS (Internet Protocol Suite) features, that is, the destination port and IPS may form intersection features between the alarms of a scan-and-brute-force combination.
Preferably, the intersection features may also include a time feature: if the time interval between two different alarm events is smaller than a preset value, the two alarm events are deemed to share a time intersection feature.
S102: constructing a graph based on the alarm event; wherein, the nodes in the graph are the alarm names of the alarm events, and the edges between the two nodes are the intersection characteristics between the alarm events corresponding to the two nodes;
In this step a weighted graph is constructed, which may be an undirected homogeneous graph: each node is the alarm name of an alarm event, and the edge between two nodes is the intersection feature between the alarm events corresponding to those nodes. That is, if two different alarm events share an intersection feature, an edge exists between their two nodes, and the weight of the edge is not a scalar but a feature vector, namely the intersection feature itself.
S103: performing connected branch cutting on the graph to obtain a plurality of subgraphs, and extracting the statistical characteristics of the subgraphs;
In this step the graph is cut into connected branches, that is, into subgraphs according to whether a path exists between two nodes: if two nodes are connected by a path they are placed in the same subgraph, otherwise they belong to different subgraphs. After cutting, each subgraph contains one or more nodes and any two nodes of a subgraph are connected by a path; a subgraph with several nodes therefore contains no isolated node. Each subgraph is a set of alarms on the asset and represents one interconnected behavior.
Further, the statistical features of each subgraph are extracted, which may include any one or a combination of: whether a high-risk alarm is included (is_high_level), the number of occurrences of the included alarm combination in the global data (pattern_count), the number of assets associated with the subgraph (total_ip_info), and the proportion of overseas IPs included (ip_overrule_ratio). Here total_ip_info describes the number of associated IPs, and pattern_count describes how often the subgraph's alarm combination appears in the global data: the fewer the occurrences, the rarer the combination and the more attention it deserves.
As a preferred embodiment, this step comprises: performing connected-branch cutting on the graph to obtain a plurality of candidate subgraphs; determining the candidate subgraphs that meet a preset condition, the preset condition being that the subgraph contains more than one node or contains at least one node corresponding to an alarm event of a target level; and extracting the statistical features of those subgraphs. In a specific implementation, after the graph is cut into candidate subgraphs, the subgraphs are screened by the preset condition: a subgraph is kept if it contains more than one node, or if it contains at least one node corresponding to an alarm event of the target level, such as the 5-High Impact level.
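As an added illustration of steps S101 to S103 (this code is not part of the patent and is not Sangfor's implementation), the following Python builds the per-asset graph from a handful of constructed alarm events, cuts it into connected components with a breadth-first search, applies the preset screening condition and extracts the subgraph statistics. The alarm events, the 600-second time window, the target level 5, and the replacement of the page's overseas-IP ratio by an internal/external IP ratio (no geolocation data is available offline) are all assumptions of the example.

```python
import ipaddress
from collections import Counter, defaultdict, deque
from itertools import combinations

SET_FEATURES = ("domain", "core_domain", "domain_resolved_ip")
TIME_WINDOW = 600    # assumed preset value for the time intersection feature (seconds)
TARGET_LEVEL = 5     # assumed target level that keeps a single-node subgraph
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def mk(name, level, host_ip, ts, domain=(), core_domain=(), resolved=()):
    """Build one alarm event already in the standardized, feature-extracted form of S101."""
    return {"name": name, "level": level, "host_ip": host_ip, "ts": ts,
            "domain": set(domain), "core_domain": set(core_domain),
            "domain_resolved_ip": set(resolved)}

# Constructed sample alarm events (not taken from the patent).
SAMPLE_ALARMS = [
    mk("Port Scan", 2, "10.1.77.12", 1000, resolved=["203.0.113.9"]),
    mk("SSH Brute Force", 3, "10.1.77.12", 1100, resolved=["203.0.113.9"]),
    mk("Suspicious DNS", 5, "10.1.77.12", 5000, ["x.evil.example"], ["evil.example"]),
    mk("Rare EXE Download", 3, "10.1.77.12", 5030, ["cdn.evil.example"], ["evil.example"]),
    mk("Policy Violation", 1, "10.1.77.12", 9000),
    mk("Port Scan", 2, "10.1.1.31", 1500, resolved=["203.0.113.9"]),
    mk("SSH Brute Force", 3, "10.1.1.31", 1600, resolved=["203.0.113.9"]),
]

def intersection_features(a, b, window=TIME_WINDOW):
    """Features two alarm events of one asset have in common; {} means no edge."""
    shared = {f: a[f] & b[f] for f in SET_FEATURES if a[f] & b[f]}
    if abs(a["ts"] - b["ts"]) < window:
        shared["time"] = True
    return shared

def build_graph(asset_alarms):
    """S102: undirected graph of one asset; nodes are alarm names, edge weights are
    the intersection-feature dicts (a feature vector, not a scalar)."""
    nodes = {}
    for ev in asset_alarms:                  # same alarm name -> one node
        nodes.setdefault(ev["name"], []).append(ev)
    edges = {}
    for u, v in combinations(sorted(nodes), 2):
        feats = {}
        for a in nodes[u]:
            for b in nodes[v]:
                feats.update(intersection_features(a, b))
        if feats:
            edges[(u, v)] = feats
    return nodes, edges

def connected_components(nodes, edges):
    """S103: connected-branch cutting by BFS; every node ends up in exactly one subgraph."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    seen, comps = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            n = queue.popleft()
            if n not in comp:
                comp.add(n)
                queue.extend(adj[n] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps

def keep_subgraph(comp, nodes, target_level=TARGET_LEVEL):
    """Preset condition: more than one node, or at least one alarm of the target level."""
    return len(comp) > 1 or any(ev["level"] >= target_level for n in comp for ev in nodes[n])

def subgraph_features(comp, nodes, pattern_counts):
    """Statistical features of one subgraph. external_ip_ratio (share of IPs outside the
    RFC 1918 ranges) stands in for the page's overseas-IP ratio, which needs geolocation."""
    events = [ev for n in comp for ev in nodes[n]]
    ips = {ev["host_ip"] for ev in events}.union(*(ev["domain_resolved_ip"] for ev in events))
    external = [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)]
    return {"is_high_level": int(any(ev["level"] >= TARGET_LEVEL for ev in events)),
            "pattern_count": pattern_counts[comp],
            "total_ip_info": len(ips),
            "external_ip_ratio": round(len(external) / len(ips), 3) if ips else 0.0}

def detect_subgraphs(alarms):
    """S101-S103 end to end: associate by asset, build and cut each asset graph, screen the
    candidates, and return (asset_ip, subgraph, features) for every surviving subgraph."""
    by_asset = defaultdict(list)
    for ev in alarms:
        by_asset[ev["host_ip"]].append(ev)
    graphs = {ip: build_graph(evs) for ip, evs in by_asset.items()}
    comps = {ip: connected_components(n, e) for ip, (n, e) in graphs.items()}
    pattern_counts = Counter(c for cs in comps.values() for c in cs)   # the "global data"
    return [(ip, comp, subgraph_features(comp, graphs[ip][0], pattern_counts))
            for ip in graphs for comp in comps[ip] if keep_subgraph(comp, graphs[ip][0])]

if __name__ == "__main__":
    for ip, comp, feats in detect_subgraphs(SAMPLE_ALARMS):
        print(ip, sorted(comp), feats)
```

On the constructed input, the single-node Policy Violation subgraph on 10.1.77.12 is dropped by the preset condition (one node, level 1), while the scan-plus-brute-force pair survives on both assets and therefore gets pattern_count 2, and the DNS-plus-download pair survives once because it contains a level-5 alarm.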
S104: inputting the statistical characteristics of the subgraph into an anomaly detection model to obtain an abnormal value corresponding to the subgraph, and determining a target subgraph according to the abnormal value;
s105: and determining the alarm event in the target subgraph as an abnormal alarm.
In a specific implementation, the statistical features of each subgraph are input to the anomaly detection model to obtain an abnormal value; the subgraphs are sorted in descending order of abnormal value; the top K subgraphs in the sorted result are determined as target subgraphs; and the alarm events contained in the target subgraphs are output as abnormal alarms, where an abnormal alarm comprises one or more alarm events.
As a preferred embodiment, inputting the statistical features of a subgraph into an anomaly detection model to obtain its abnormal value comprises: inputting the statistical features of the subgraph into a plurality of anomaly detection models to obtain an intermediate abnormal value output by each model; and voting on the intermediate abnormal values based on the weight of each anomaly detection model to obtain the abnormal value of the subgraph. In a specific implementation, several unsupervised anomaly detection algorithms can be used to mine abnormal values from the subgraph features: the statistical features of the subgraphs are input to multiple anomaly detection models, and the intermediate abnormal values output by each model are combined by voting integration to obtain the final abnormal value. The anomaly detection models may include EllipticEnvelope, One-Class SVM, Isolation Forest, LOF (Local Outlier Factor) and the like, without limitation.
Further, the fields of each target subgraph, such as the abnormal value output by the anomaly detection model, is_high_level, pattern_count, total_ip_info and ip_overrule_ratio, can be output in order of importance, from most to least important.
As a preferred embodiment, after the top K subgraphs in the sorted result are determined as target subgraphs, the method further comprises: calculating a deviation degree score for each statistical feature of the target subgraph; sorting the statistical features of the target subgraph in descending order of deviation degree score and determining the top L statistical features in the sorted result; and performing anomaly localization based on those L statistical features. In a specific implementation, to improve the interpretability of the output abnormal alarms, the deviation degree score (z-score) of each statistical feature of each target subgraph is calculated, the statistical features are sorted in descending order of deviation degree score, and the top L features in the sorted result are determined and output, which facilitates locating and explaining the abnormal alarm, that is, determining where the anomaly lies.
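Added example for S104 and the deviation-degree explanation above (not the patent's code): the scikit-learn detectors the page names are replaced here by two small unsupervised scorers, a squared standardized distance standing in for a covariance-based detector such as EllipticEnvelope and a k-nearest-neighbour distance standing in for a density detector such as LOF, so that the rank-based weighted voting, the top-K selection and the z-score ranking of features can run offline. The feature rows, the planted anomaly G7 and the model weights are constructed for the example.

```python
import math
import statistics
from collections import Counter

FEATURES = ("is_high_level", "pattern_count", "total_ip_info", "external_ip_ratio")

# Constructed statistical-feature rows for eight subgraphs (not from the patent).
# G7 is a planted anomaly: rare alarm combination, many associated IPs, high-level alarm.
SUBGRAPHS = {
    "G0": (0, 40, 2, 0.0), "G1": (0, 38, 3, 0.0), "G2": (0, 41, 2, 0.5),
    "G3": (0, 35, 2, 0.0), "G4": (0, 42, 3, 0.5), "G5": (1, 12, 4, 0.5),
    "G6": (0, 39, 2, 0.0), "G7": (1, 1, 25, 0.9),
}
MODEL_WEIGHTS = {"z_distance": 0.6, "knn_distance": 0.4}   # assumed model weights

def zscores(rows):
    """Per-feature z-scores (deviation degree) over all rows; constant features map to 0."""
    cols = list(zip(*rows.values()))
    mu = [statistics.fmean(c) for c in cols]
    sd = [statistics.pstdev(c) or 1.0 for c in cols]
    return {k: [(x - m) / s for x, m, s in zip(v, mu, sd)] for k, v in rows.items()}

def z_distance_scores(z):
    """Stand-in for a covariance-based detector such as EllipticEnvelope:
    squared distance from the feature means in standardized units."""
    return {k: sum(x * x for x in v) for k, v in z.items()}

def knn_distance_scores(z, k=2):
    """Stand-in for a density detector such as LOF: mean distance to the k nearest rows."""
    def dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    out = {}
    for key, v in z.items():
        d = sorted(dist(v, w) for other, w in z.items() if other != key)
        out[key] = statistics.fmean(d[:k])
    return out

def weighted_vote(model_scores, weights):
    """Voting integration: each model's scores are rank-normalized to [0, 1] so that
    differently scaled outputs are comparable, then weighted and summed per subgraph."""
    final = Counter()
    for model, scores in model_scores.items():
        ordered = sorted(scores, key=scores.get)          # least anomalous first
        n = max(len(ordered) - 1, 1)
        for rank, key in enumerate(ordered):
            final[key] += weights[model] * rank / n
    return dict(final)

def top_k_subgraphs(rows, weights=MODEL_WEIGHTS, k=2):
    """S104: score every subgraph with all models, vote, return the K most anomalous."""
    z = zscores(rows)
    model_scores = {"z_distance": z_distance_scores(z), "knn_distance": knn_distance_scores(z)}
    final = weighted_vote(model_scores, weights)
    return sorted(final, key=final.get, reverse=True)[:k]

def explain(rows, key, top_l=2):
    """Deviation-degree ranking: the L features of one target subgraph with the
    largest |z-score|, used to localize what made it anomalous."""
    z = zscores(rows)[key]
    ranked = sorted(zip(FEATURES, z), key=lambda fz: abs(fz[1]), reverse=True)
    return [(f, round(s, 2)) for f, s in ranked[:top_l]]

if __name__ == "__main__":
    for key in top_k_subgraphs(SUBGRAPHS):
        print(key, dict(zip(FEATURES, SUBGRAPHS[key])), explain(SUBGRAPHS, key))
```

Rank normalization is the part worth copying: the raw outputs of EllipticEnvelope, One-Class SVM, Isolation Forest and LOF live on unrelated scales, so voting on raw values would let one model dominate regardless of its weight. Standardizing before the distance scorers matters for the same reason, otherwise pattern_count swamps the ratio features.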
The abnormal alarm detection method provided by this embodiment constructs, for a target asset, a graph based on the alarm events corresponding to that asset, in which each node is the alarm name of an alarm event and the edge between two nodes is the intersection feature between the corresponding alarm events. The graph is then cut into subgraphs and the statistical features of the subgraphs are extracted. These features include not only the features of the alarm events themselves but also the intersection features between different alarm events, so they describe the relevance between alarm events; determining abnormal alarms from the subgraph features therefore improves the accuracy of abnormal alarm detection.
The embodiment of the application discloses an abnormal alarm detection method, and compared with the previous embodiment, the embodiment further explains and optimizes the technical scheme. Specifically, the method comprises the following steps:
referring to fig. 2, a flowchart of another abnormal alarm detection method according to an exemplary embodiment is shown, and as shown in fig. 2, the method includes:
s201: acquiring an alarm event, carrying out standardization processing on the alarm event, and extracting the characteristics of the alarm event;
s202: associating the alarm events corresponding to the same assets to determine the alarm event corresponding to the target asset;
s203: determining an original log set of the alarm event; wherein the set of original logs includes an identification of an original log that generated the alarm event;
s204: combining different alarm events with the similarity between corresponding original log sets larger than a preset value, and combining corresponding characteristics;
In this embodiment, to reduce the complexity of the graph constructed later, similar alarm events are merged. In a specific implementation, the features of each alarm event store the set of original logs for that alarm event, in which the identifiers of the original logs that generated it are recorded. If the similarity between the original log sets of two different alarm events is high, the two alarm events are merged.
For example, Increase in SSL or HTTP Connections to New IP and Sustained SSL or HTTP Increase are highly similar; Multiple Connections to New External TCP Port and WLB # Multiple Connections to New External TCP Port (Not active) are highly similar; and EXE URL Content Not Dosexec and increasing EXE from random External Location are highly similar.
Note that after different alarm events are merged, their corresponding features also need to be merged; that is, the merged alarm event and its merged features replace the original two alarm events and their features.
S205: determining intersection features among different alarm events after combination based on the combined features corresponding to the alarm events after combination;
s206: constructing a graph based on the combined alarm events; wherein, the nodes in the graph are the alarm names of the combined alarm events, and the edges between the two nodes are the intersection characteristics between the combined alarm events corresponding to the two nodes;
s207: performing connected branch cutting on the graph to obtain a plurality of candidate subgraphs, determining subgraphs meeting preset conditions in the candidate subgraphs, and extracting statistical characteristics of the subgraphs; the preset condition is that the number of included nodes is greater than 1 or at least one node corresponding to the alarm event of the target level is included;
S208: inputting the statistical characteristics of the subgraph into a plurality of abnormal detection models to obtain a middle abnormal value output by each abnormal detection model;
s209: voting the intermediate abnormal value based on the weight of the abnormal detection model to obtain an abnormal value corresponding to the sub-graph;
s210: sequencing the sub-graphs according to the sequence of abnormal values from large to small, determining the first K sub-graphs in the sequencing result as target sub-graphs, and determining alarm events in the target sub-graphs as abnormal alarms;
s211: calculating deviation degree scores corresponding to the statistical features of the target sub-images, sorting the statistical features of the target sub-images according to the sequence of the deviation degree scores from large to small, determining the first L statistical features in the sorting result, and performing abnormal positioning based on the first L statistical features.
Therefore, the embodiment reduces the generation of similar edges during subsequent graph construction by combining similar alarm events, improves the graph composition efficiency, and further improves the abnormal alarm detection efficiency.
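The following is an added example, not code from the patent or from Sangfor, that runs the pipeline of steps S201 to S211 end to end on a constructed set of alarm events for one target asset. It merges events whose raw-log sets overlap (Jaccard similarity above a threshold), builds the graph whose edges are feature intersections, cuts it into connected components, keeps the components that satisfy the preset condition, scores each with two detectors combined by weighted voting, ranks the top K, and localizes the top L most deviating statistical features. The six statistical features, the 0.5 threshold, the two detector functions (mean absolute z-score and Euclidean distance from the per-feature median, each min-max normalized before voting) and their weights are illustrative assumptions; the patent names none of them. The alarm names partly borrow the examples given in the text, while the log identifiers, severity levels and feature values are constructed.

```python
"""Added example (not the patent's code): a runnable model of steps S201-S211
on constructed alarm events for one target asset. The Jaccard threshold, the
feature definitions, the two detector functions and their weights are
illustrative assumptions, not values taken from the patent."""
from itertools import combinations
import math
import statistics

LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}
FEATURE_NAMES = ["node_count", "edge_count", "shared_feature_count",
                 "raw_log_count", "high_level_node_count", "feature_count"]

# Constructed sample input: each alarm event records the identifiers of the raw
# logs that produced it, a severity level and its extracted feature set.
SAMPLE_ALARMS = [
    {"name": "Increase in SSL or HTTP Connections to New IP", "level": "medium",
     "logs": {"l1", "l2", "l3", "l4"}, "features": {"dst:203.0.113.10", "port:443"}},
    {"name": "Sustained SSL or HTTP Increase", "level": "medium",
     "logs": {"l1", "l2", "l3", "l5"},
     "features": {"dst:203.0.113.10", "port:443", "proto:tls"}},
    {"name": "Multiple Connections to New External TCP Port", "level": "high",
     "logs": {"l6", "l7"}, "features": {"dst:203.0.113.10", "port:8443"}},
    {"name": "EXE URL Content Not Dosexec", "level": "low",
     "logs": {"l8"}, "features": {"url:/update.bin"}},
    {"name": "Failed Login Burst", "level": "low",
     "logs": {"l9", "l10"}, "features": {"user:svc-backup"}},
    {"name": "Suspicious Scheduled Task", "level": "high",
     "logs": {"l11"}, "features": {"host:ws-17"}},
    {"name": "Unusual DNS Query Volume", "level": "low",
     "logs": {"l12", "l13"}, "features": {"dst:198.51.100.5", "port:53"}},
    {"name": "New Domain Lookup", "level": "low",
     "logs": {"l14"}, "features": {"dst:198.51.100.5"}},
]

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def merge_similar(alarms, threshold=0.5):
    """S203/S204: merge events whose raw-log sets overlap (Jaccard > threshold);
    the merged event, with the union of features, replaces the originals."""
    merged = []
    for ev in alarms:
        for grp in merged:
            if jaccard(ev["logs"], grp["logs"]) > threshold:
                grp["name"] += " + " + ev["name"]
                grp["logs"] |= ev["logs"]
                grp["features"] |= ev["features"]
                grp["level"] = max(grp["level"], ev["level"], key=LEVEL_RANK.get)
                break
        else:
            merged.append({"name": ev["name"], "level": ev["level"],
                           "logs": set(ev["logs"]), "features": set(ev["features"])})
    return merged

def build_graph(alarms):
    """S205/S206: nodes are alarm names; an edge carries the intersection of two
    events' feature sets and exists only when that intersection is non-empty."""
    nodes = {ev["name"]: ev for ev in alarms}
    edges = {}
    for a, b in combinations(alarms, 2):
        shared = a["features"] & b["features"]
        if shared:
            edges[frozenset((a["name"], b["name"]))] = shared
    return nodes, edges

def connected_components(nodes, edges):
    """S207: cut the graph into connected components (candidate subgraphs)."""
    adj = {n: set() for n in nodes}
    for u, v in map(tuple, edges):
        adj[u].add(v)
        adj[v].add(u)
    seen, comps = set(), []
    for start in nodes:
        if start not in seen:
            comp, stack = set(), [start]
            while stack:
                n = stack.pop()
                if n not in seen:
                    seen.add(n)
                    comp.add(n)
                    stack.extend(adj[n] - seen)
            comps.append(comp)
    return comps

def keep_subgraph(comp, nodes, target_level="high"):
    """S207 preset condition: more than one node, or a node of the target level."""
    return len(comp) > 1 or any(nodes[n]["level"] == target_level for n in comp)

def stat_features(comp, nodes, edges, target_level="high"):
    """Statistical features of a subgraph, in FEATURE_NAMES order (assumed set)."""
    comp_edges = [e for e in edges if e <= comp]
    return [float(len(comp)), float(len(comp_edges)),
            float(sum(len(edges[e]) for e in comp_edges)),
            float(len(set().union(*(nodes[n]["logs"] for n in comp)))),
            float(sum(nodes[n]["level"] == target_level for n in comp)),
            float(len(set().union(*(nodes[n]["features"] for n in comp))))]

def detector_zscore(matrix):
    """Detector 1 (assumed): mean absolute z-score of a row over all subgraphs."""
    cols = list(zip(*matrix))
    mu = [statistics.mean(c) for c in cols]
    sd = [statistics.pstdev(c) for c in cols]
    return [statistics.mean([abs(x - m) / s if s else 0.0 for x, m, s in zip(row, mu, sd)])
            for row in matrix]

def detector_median_distance(matrix):
    """Detector 2 (assumed): Euclidean distance of a row from the per-feature median."""
    med = [statistics.median(c) for c in zip(*matrix)]
    return [math.sqrt(sum((x - m) ** 2 for x, m in zip(row, med))) for row in matrix]

def weighted_vote(matrix, detectors):
    """S208/S209: min-max normalise each detector's intermediate values, then
    combine them with the detector weights into one abnormal value per subgraph."""
    total = [0.0] * len(matrix)
    for det, weight in detectors:
        vals = det(matrix)
        lo, hi = min(vals), max(vals)
        for i, v in enumerate(vals):
            total[i] += weight * ((v - lo) / (hi - lo) if hi > lo else 0.0)
    return total

def deviation_scores(row, matrix):
    """S211: per-feature deviation from the population median, scaled by the
    median absolute deviation (MAD; 1.0 when the MAD is zero)."""
    scores = {}
    for name, x, col in zip(FEATURE_NAMES, row, zip(*matrix)):
        med = statistics.median(col)
        mad = statistics.median([abs(c - med) for c in col])
        scores[name] = abs(x - med) / (mad if mad else 1.0)
    return scores

def detect(alarms, k=2, top_l=2,
           detectors=((detector_zscore, 0.4), (detector_median_distance, 0.6))):
    """Run S203-S211: return the top-K target subgraphs with their abnormal
    alarms, abnormal value and the L most deviating statistical features."""
    nodes, edges = build_graph(merge_similar(alarms))
    comps = [c for c in connected_components(nodes, edges) if keep_subgraph(c, nodes)]
    matrix = [stat_features(c, nodes, edges) for c in comps]
    scores = weighted_vote(matrix, detectors)
    ranked = sorted(range(len(comps)), key=lambda i: scores[i], reverse=True)[:k]
    results = []
    for i in ranked:
        dev = deviation_scores(matrix[i], matrix)
        results.append({"alarms": sorted(comps[i]), "score": scores[i],
                        "localised": sorted(dev, key=dev.get, reverse=True)[:top_l]})
    return results

if __name__ == "__main__":
    for r in detect(SAMPLE_ALARMS):
        print(f"{r['score']:.3f}  {r['alarms']}  deviating: {r['localised']}")
```

On the constructed input the two SSL/HTTP alarms share three of five raw logs and are merged; the merged event and the new-port alarm share a destination and form one subgraph, the scheduled-task alarm survives alone because of its level, and the two DNS alarms form a third subgraph, while the two single low-level alarms are dropped by the preset condition. The two detectors disagree on which subgraph is most abnormal, which is exactly the situation the weighted vote in S209 exists to resolve; the min-max step keeps a detector with a larger numeric range from dominating the vote. The localization step then reports the raw-log count and feature count as the features that most set the top subgraph apart.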
The abnormal alarm detection apparatus provided in the embodiments of the present application is introduced below; the apparatus described here and the method described above may be referred to in conjunction with each other.
Referring to fig. 3, a block diagram of an abnormal alarm detection apparatus according to an exemplary embodiment, the apparatus includes:
an acquisition module 301, configured to acquire the alarm events corresponding to a target asset and determine the intersection features between different alarm events;
a construction module 302, configured to construct a graph based on the alarm events, where the nodes of the graph are the alarm names of the alarm events and the edge between two nodes is the intersection feature between the alarm events corresponding to those two nodes;
a cutting module 303, configured to perform connected-component cutting on the graph to obtain a plurality of subgraphs and to extract the statistical features of the subgraphs;
a detection module 304, configured to input the statistical features of a subgraph into an anomaly detection model to obtain the abnormal value corresponding to the subgraph, and to determine target subgraphs according to the abnormal values;
a first determining module 305, configured to determine the alarm events in the target subgraphs as abnormal alarms.
The abnormal alarm detection apparatus provided by the embodiment of the application constructs a graph for a target asset from the alarm events corresponding to that asset, where each node is the alarm name of an alarm event and the edge between two nodes is the intersection feature between the alarm events corresponding to those two nodes. The graph is then cut into a plurality of subgraphs and the statistical features of each subgraph are extracted. Because these statistical features contain not only the features of the individual alarm events but also the intersection features of different alarm events, they describe the correlation between different alarm events; determining abnormal alarms from the statistical features of the subgraphs therefore improves the accuracy of abnormal alarm detection.
On the basis of the foregoing embodiment, as a preferred implementation manner, the detecting module 304 is specifically configured to: and inputting the statistical characteristics of the subgraphs into an anomaly detection model to obtain abnormal values corresponding to the subgraphs, sorting the subgraphs according to the sequence of the abnormal values from large to small, and determining the first K subgraphs in the sorting result as target subgraphs.
On the basis of the foregoing embodiment, as a preferred implementation, the obtaining module 301 includes:
the acquisition unit is used for acquiring the alarm event;
the first extraction unit is used for extracting the characteristics of the alarm event;
the correlation unit is used for correlating the alarm events corresponding to the same assets so as to determine the alarm event corresponding to the target asset;
and the first determination unit is used for determining intersection characteristics among different alarm events corresponding to the target asset based on the characteristics of the alarm events corresponding to the target asset.
On the basis of the foregoing embodiment, as a preferred implementation, the obtaining module 301 includes:
the acquisition unit is used for acquiring an alarm event;
the second determination unit is used for determining an original log set of the alarm event; wherein the set of original logs includes an identification of an original log that generated the alarm event;
The merging unit is used for merging different alarm events of which the similarity between corresponding original log sets is greater than a preset value and merging corresponding characteristics;
a third determining unit, configured to determine intersection features between different combined alarm events based on the combined features corresponding to the combined alarm events;
correspondingly, the building module 302 is specifically configured to: constructing a graph based on the combined alarm events; the nodes in the graph are alarm names of the combined alarm events, and the edges between the two nodes are intersection features between the combined alarm events corresponding to the two nodes.
On the basis of the above embodiment, as a preferred implementation, the cutting module 303 includes:
the cutting unit is used for performing connected branch cutting on the graph to obtain a plurality of candidate subgraphs;
a third determining unit, configured to determine, from the candidate subgraphs, a subgraph that satisfies a preset condition; the preset condition is that the number of included nodes is greater than 1 or at least one node corresponding to the alarm event of the target level is included;
and the second extraction unit is used for extracting the statistical characteristics of the subgraph.
On the basis of the foregoing embodiment, as a preferred implementation manner, the detection module 304 includes:
the input unit is used for inputting the statistical characteristics of the subgraph into a plurality of abnormality detection models to obtain a middle abnormal value output by each abnormality detection model;
and the voting unit is used for voting the intermediate abnormal value based on the weight of the abnormal detection model to obtain the abnormal value corresponding to the subgraph.
On the basis of the above embodiment, as a preferred implementation, the apparatus further includes:
a second determining module, configured to calculate a deviation degree score for each statistical feature of a target subgraph, sort the statistical features of the target subgraph in descending order of deviation degree score, determine the first L statistical features in the sorted result, and perform anomaly localization based on those L statistical features.
With regard to the apparatus in the above embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be described in detail here.
Based on the hardware implementation of the program module, and in order to implement the method according to the embodiment of the present application, an embodiment of the present application further provides an electronic device, and fig. 4 is a structural diagram of an electronic device according to an exemplary embodiment, where as shown in fig. 4, the electronic device includes:
A communication interface 1 capable of performing information interaction with other devices such as network devices and the like;
and the processor 2 is connected with the communication interface 1 to realize information interaction with other equipment, and is used for executing the abnormal alarm detection method provided by one or more technical schemes when running a computer program. And the computer program is stored on the memory 3.
In practice, of course, the various components in the electronic device are coupled together by means of the bus system 4. It will be appreciated that the bus system 4 is used to enable the communication of connections between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. For clarity of illustration, however, the various buses are labeled as bus system 4 in fig. 4.
The memory 3 in the embodiment of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be volatile memory or non-volatile memory, and may include both volatile and non-volatile memory. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be a magnetic disk memory or a magnetic tape memory. The volatile memory may be a Random Access Memory (RAM), which serves as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiment of the present application may be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present application are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present application further provides a storage medium, i.e. a computer storage medium, specifically a computer readable storage medium, for example, including a memory 3 storing a computer program, which can be executed by a processor 2 to implement the steps of the foregoing method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof that contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An abnormal alarm detection method is characterized by comprising the following steps:
acquiring alarm events corresponding to target assets, and determining intersection features among different alarm events;
constructing a graph based on the alarm event; wherein, the nodes in the graph are the alarm names of the alarm events, and the edges between the two nodes are the intersection characteristics between the alarm events corresponding to the two nodes;
performing connected branch cutting on the graph to obtain a plurality of subgraphs, and extracting the statistical characteristics of the subgraphs;
inputting the statistical characteristics of the subgraph into an abnormal detection model to obtain an abnormal value corresponding to the subgraph, and determining a target subgraph according to the abnormal value;
and determining the alarm event in the target sub-graph as an abnormal alarm.
2. The abnormal alarm detection method of claim 1, wherein said determining a target sub-graph based on the abnormal values comprises:
sorting the subgraphs in descending order of abnormal value, and determining the first K subgraphs in the sorted result as target subgraphs.
3. The abnormal alarm detection method of claim 1, wherein the obtaining of the alarm events corresponding to the target asset and the determining of the intersection characteristics between different alarm events comprises:
acquiring an alarm event and extracting the characteristics of the alarm event;
associating the alarm events corresponding to the same assets to determine the alarm event corresponding to the target asset;
and determining intersection characteristics among different alarm events corresponding to the target asset based on the characteristics of the alarm events corresponding to the target asset.
4. The abnormal alarm detection method according to claim 1, further comprising, after the obtaining the alarm event corresponding to the target asset:
determining an original log set of the alarm event; wherein the set of original logs includes an identification of an original log that generated the alarm event;
combining different alarm events with the similarity between corresponding original log sets larger than a preset value, and combining corresponding characteristics;
correspondingly, the determining the intersection characteristics between different alarm events includes:
determining intersection features between different merged alarm events based on the merged features corresponding to the merged alarm events;
correspondingly, the graph is constructed based on the alarm event, and the graph comprises the following steps:
constructing a graph based on the combined alarm events; the nodes in the graph are the alarm names of the combined alarm events, and the edges between the two nodes are the intersection characteristics of the combined alarm events corresponding to the two nodes.
5. The abnormal alarm detection method according to claim 1, wherein performing connected branch cutting on the graph to obtain a plurality of subgraphs, and extracting statistical features of the subgraphs, comprises:
performing connected branch cutting on the graph to obtain a plurality of candidate subgraphs;
determining, among the candidate subgraphs, the subgraphs that satisfy a preset condition; the preset condition is that the number of included nodes is greater than 1 or at least one node corresponding to an alarm event of the target level is included;
and extracting the statistical characteristics of the subgraph.
6. The abnormal alarm detection method of claim 1, wherein inputting the statistical features of the sub-graph into an abnormal detection model to obtain the abnormal values corresponding to the sub-graph comprises:
inputting the statistical characteristics of the subgraph into a plurality of abnormal detection models to obtain an intermediate abnormal value output by each abnormal detection model;
voting is carried out on the intermediate abnormal value based on the weight of the abnormal detection model, and an abnormal value corresponding to the subgraph is obtained.
7. The abnormal alarm detection method according to claim 1, wherein after determining the top K sub-graphs in the ranking result as the target sub-graphs, the method further comprises:
calculating a deviation degree score corresponding to the statistical characteristics of the target subgraph;
sequencing the statistical features of the target subgraphs in a sequence from large deviation degree scores to small deviation degree scores, and determining the first L statistical features in a sequencing result;
and carrying out abnormal positioning based on the first L statistical characteristics.
8. An abnormal alarm detection device, comprising:
the acquisition module is used for acquiring the alarm events corresponding to the target assets and determining intersection features among different alarm events;
the construction module is used for constructing a graph based on the alarm event; wherein, the nodes in the graph are the alarm names of the alarm events, and the edges between the two nodes are the intersection characteristics between the alarm events corresponding to the two nodes;
the cutting module is used for performing connected branch cutting on the graph to obtain a plurality of subgraphs and extracting the statistical characteristics of the subgraphs;
the detection module is used for inputting the statistical characteristics of the subgraph into an abnormal detection model to obtain an abnormal value corresponding to the subgraph and determining a target subgraph according to the abnormal value;
and the first determining module is used for determining the alarm event in the target sub-graph as an abnormal alarm.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the abnormal alert detection method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the abnormal alert detection method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210325016.4A CN114760113B (en) 2022-03-30 2022-03-30 Abnormality alarm detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114760113A true CN114760113A (en) 2022-07-15
CN114760113B CN114760113B (en) 2024-02-23

Family

ID=82329806

Country Status (1)

Country Link
CN (1) CN114760113B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116708036A (en) * 2023-08-07 2023-09-05 北京升鑫网络科技有限公司 Scoring method and scoring system for alarm data and electronic equipment



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant