CN114760113B - Abnormality alarm detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114760113B
Application number: CN202210325016.4A
Authority: CN (China)
Other versions: CN114760113A (application publication)
Other languages: Chinese (zh)
Inventor: 雷昕
Current and original assignee: Sangfor Technologies Co Ltd (assignee as listed by Google Patents; not legally verified)
Legal status: Active (status as listed by Google Patents; an assumption, not a legal conclusion)
Prior art keywords: alarm, determining, subgraph, nodes, subgraphs
Events: application filed by Sangfor Technologies Co Ltd with priority to CN202210325016.4A; published as CN114760113A; granted and published as CN114760113B

Classifications

All codes below except the Y02P tag fall under section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication).

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14, detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/0677 Localisation of faults
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • Y02P90/30 Computing systems specially adapted for manufacturing (under Y02P90/00, enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Abstract

The application discloses an anomaly alarm detection method, an anomaly alarm detection device, an electronic device and a computer-readable storage medium. The method comprises: acquiring the alarm events corresponding to a target asset and determining the intersection features between different alarm events; constructing a graph from the alarm events, in which each node is the alarm name of an alarm event and the edge between two nodes is the set of intersection features between the two corresponding alarm events; cutting the graph into its connected components to obtain a plurality of subgraphs and extracting the statistical features of each subgraph; inputting the statistical features of a subgraph into an anomaly detection model to obtain the anomaly value of the subgraph, and determining target subgraphs according to the anomaly values. Because the subgraph features capture the relations between alarms rather than each alarm in isolation, the method improves the accuracy of anomaly alarm detection.

Description

Abnormality alarm detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technology, and more particularly, to an abnormality alert detection method and apparatus, and an electronic device and a computer readable storage medium.
Background
The internet is full of network attacks, and large and medium-sized enterprises with many network assets are the primary targets of attackers, so they deploy a variety of security devices. As a result, the security devices inside an enterprise generate a large number of security alarms every day; security operators cannot analyse and investigate them one by one, and so cannot locate the alarms that are truly high-threat.
In the related art, security events are first aggregated per IP to generate an event sequence, which serves as the sample for anomaly detection. Second, the statistical features of each event sequence are computed, converting the security events that occurred on each IP within a given period into a feature vector. The feature vector is then fed into an anomaly detection model, the top-k event sequences by anomaly score are output, and anomalous alarm segments are thereby screened out of the large volume of original alarms. However, this scheme considers only the features of each alarm event in isolation and ignores the relations between different alarm events, so its detection accuracy is low.
How to improve the accuracy of anomaly alarm detection is therefore a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The invention aims to provide an anomaly alarm detection method and device, an electronic device and a computer-readable storage medium that improve the accuracy of anomaly alarm detection.
To achieve the above object, the present application provides an anomaly alarm detection method, comprising:
acquiring the alarm events corresponding to a target asset, and determining the intersection features between different alarm events;
constructing a graph from the alarm events, in which each node is the alarm name of an alarm event and the edge between two nodes is the set of intersection features between the two corresponding alarm events;
cutting the graph into its connected components to obtain a plurality of subgraphs, and extracting the statistical features of the subgraphs;
inputting the statistical features of a subgraph into an anomaly detection model to obtain the anomaly value of the subgraph, and determining target subgraphs according to the anomaly values;
and determining the alarm events in the target subgraphs to be anomalous alarms.
Wherein determining the target subgraphs according to the anomaly values comprises:
sorting the subgraphs by anomaly value in descending order, and taking the first K subgraphs of the sorted result as the target subgraphs.
Wherein acquiring the alarm events corresponding to the target asset and determining the intersection features between different alarm events comprises:
acquiring alarm events and extracting the features of each alarm event;
associating the alarm events that correspond to the same asset, so as to determine the alarm events corresponding to the target asset;
and determining the intersection features between different alarm events of the target asset from the features of those alarm events.
Wherein, after the alarm events corresponding to the target asset are acquired, the method further comprises:
determining the original log set of each alarm event, the original log set containing the identifiers of the original logs from which the alarm event was generated;
merging different alarm events whose original log sets have a similarity greater than a preset value, and merging their corresponding features;
accordingly, determining the intersection features between different alarm events comprises:
determining the intersection features between different merged alarm events from the merged features of the merged alarm events;
and correspondingly, constructing the graph from the alarm events comprises:
constructing the graph from the merged alarm events, in which each node is the alarm name of a merged alarm event and the edge between two nodes is the set of intersection features between the two corresponding merged alarm events.
Wherein cutting the graph into its connected components to obtain a plurality of subgraphs and extracting the statistical features of the subgraphs comprises:
cutting the graph into its connected components to obtain a plurality of candidate subgraphs;
selecting, from the candidate subgraphs, the subgraphs that satisfy a preset condition, the preset condition being that the subgraph contains more than one node or contains at least one node corresponding to an alarm event of a target level;
and extracting the statistical features of the selected subgraphs.
Wherein inputting the statistical features of a subgraph into an anomaly detection model to obtain the anomaly value of the subgraph comprises:
inputting the statistical features of the subgraph into a plurality of anomaly detection models to obtain an intermediate anomaly value from each model;
and combining the intermediate anomaly values by a vote weighted by each model's weight to obtain the anomaly value of the subgraph.
Wherein, after the first K subgraphs of the sorted result are determined to be the target subgraphs, the method further comprises:
computing a deviation score for each statistical feature of a target subgraph;
sorting the statistical features of the target subgraph by deviation score in descending order, and taking the first L statistical features of the sorted result;
and locating the anomaly on the basis of those first L statistical features.
To achieve the above object, the present application provides an anomaly alarm detection apparatus, comprising:
an acquisition module for acquiring the alarm events corresponding to a target asset and determining the intersection features between different alarm events;
a construction module for constructing a graph from the alarm events, in which each node is the alarm name of an alarm event and the edge between two nodes is the set of intersection features between the two corresponding alarm events;
a cutting module for cutting the graph into its connected components to obtain a plurality of subgraphs and extracting the statistical features of the subgraphs;
a detection module for inputting the statistical features of each subgraph into an anomaly detection model to obtain the anomaly value of the subgraph, sorting the subgraphs by anomaly value in descending order, and determining the first K subgraphs of the sorted result to be target subgraphs;
and a first determining module for determining the alarm events in the target subgraphs to be anomalous alarms.
To achieve the above object, the present application provides an electronic device, including:
a memory for storing a computer program;
and a processor for implementing the steps of the abnormal alarm detection method when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the abnormality alert detection method as described above.
According to the above scheme, the anomaly alarm detection method provided by the application comprises: acquiring the alarm events corresponding to a target asset, and determining the intersection features between different alarm events; constructing a graph from the alarm events, in which each node is the alarm name of an alarm event and the edge between two nodes is the set of intersection features between the two corresponding alarm events; cutting the graph into its connected components to obtain a plurality of subgraphs, and extracting the statistical features of the subgraphs; inputting the statistical features of a subgraph into an anomaly detection model to obtain the anomaly value of the subgraph, and determining target subgraphs according to the anomaly values.
In this method, a graph for the target asset is built from the alarm events of that asset, with the alarm names as nodes and the intersection features between two alarm events as the edge between their nodes. The graph is then cut into subgraphs and the statistical features of each subgraph are extracted. These subgraph features therefore capture not only the features of the individual alarm events but also the intersection features between different alarm events, that is, the relations between them; determining anomalous alarms from the subgraph features thus improves the accuracy of anomaly alarm detection. The application also discloses an anomaly alarm detection apparatus, an electronic device and a computer-readable storage medium that achieve the same technical effect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. The accompanying drawings are included to provide a further understanding of the disclosure, and are incorporated in and constitute a part of this specification, illustrate the disclosure and together with the description serve to explain, but do not limit the disclosure. In the drawings:
FIG. 1 is a flowchart illustrating an anomaly alert detection method according to an exemplary embodiment;
FIG. 2 is a flowchart illustrating another anomaly alert detection method according to an exemplary embodiment;
FIG. 3 is a block diagram of an anomaly alert detection apparatus according to an exemplary embodiment;
FIG. 4 is a block diagram of an electronic device according to an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application. In addition, in the embodiments of the present application, "first," "second," and the like are used to distinguish similar objects, and are not necessarily used to describe a particular order or sequence.
The embodiment of the application discloses an abnormal alarm detection method, which improves the accuracy of abnormal alarm detection.
Referring to fig. 1, a flowchart of an abnormality alert detection method according to an exemplary embodiment is shown, as shown in fig. 1, including:
S101: acquiring the alarm events corresponding to a target asset, and determining the intersection features between different alarm events;
In a specific implementation, a large number of original alarm events are first acquired. Because the original alarm events do not share a uniform format (for example, the alarm time formats produced by a threat-detection engine and by a WAF, Web Application Firewall, differ), the original alarm events are first standardized. The standardized format may include any one or any combination of: alarm type (thread_type), level (level), kill-chain phase (kill_chain_phase), source IP TOP20 statistics (srcip_list), destination IP TOP20 statistics (dstip_list), source port TOP20 statistics (srcport_list), destination port TOP20 statistics (dstport_list), and srcip:srcport_dstip:dstport statistics. For example, the standardized record of one alarm event includes: alarm type Attack and Recon Tools; level 2-Interesting Behavior; kill-chain phase {'name': 'user selection', 'tactics': 'Execution'}; source IP TOP20 statistic ('10.1.77.12', 2); destination IP TOP20 statistic ('10.1.1.31', 2); source port TOP20 statistic (50118, 2); destination port TOP20 statistic (53, 2); and srcIP:srcPort_dstIP:dstPort statistic ('10.1.77.12:50118_10.1.1.31:53', 2).
Second, features are extracted from each alarm event, which can be understood as merging and de-duplicating the contents of the standardized record. The extracted features may include any one or any combination of: alarm type (alarm_type), asset IP (host_ip), alarm level (level), DNS (Domain Name System) domain name (domain), core domain name (core_domain) and domain-name resolution result (domain_resolved_ip). For example, the features extracted from one alarm event are: alarm type 1GB Outbound, asset IP 10.1.77.12, alarm level 1-Low Impact, and DNS domain name, core domain name and resolution result all empty, i.e. set().
Then the alarm events are associated by asset IP, that is, all alarm events that correspond to the same asset are associated with each other. For each asset IP, the alarm events in which that asset IP appears, whether as the attacked party or as the party initiating the attack, are associated to form the alarm events corresponding to that asset.
Further, for the alarm events corresponding to the target asset, the intersection features between different alarm events are determined from the features of those alarm events. An intersection feature is a feature value shared by two different alarm events; the intersection features may include any one or any combination of a shared domain name (domain), a shared core domain name (core_domain) and a shared resolved IP (domain_resolved_ip).
For example, the attacker IP can serve as an intersection feature between most alarm events: an IP address is a distinctive feature, and a shared IP address can be pinned down from the respective features of the two alarm events. As another example, the combined alarms raised by scanning and by brute-forcing may be correlated through their destination port and IP features, that is, destination port and IP may be intersection features between the scanning and brute-force alarms.
Preferably, the intersection features may further include a time feature: when the time interval between two different alarm events is smaller than a preset value, a time intersection feature exists between them.
S102: constructing a graph from the alarm events, in which each node is the alarm name of an alarm event and the edge between two nodes is the set of intersection features between the two corresponding alarm events;
In this step a weighted graph is constructed, which may be an undirected homogeneous graph, whose nodes are the alarm names of the alarm events and whose edge between two nodes carries the intersection features between the two corresponding alarm events. That is, if two different alarm events have an intersection feature, an edge exists between their two nodes, and the weight of that edge is not a scalar but a feature vector, namely the intersection features.
S103: cutting the graph into its connected components to obtain a plurality of subgraphs, and extracting the statistical features of the subgraphs;
In this step the graph is cut into several subgraphs according to whether a path exists between two nodes: if a path connects two nodes they fall into the same subgraph, otherwise they belong to different subgraphs. After this connected-component cut, each subgraph contains one or more nodes and a path exists between any two nodes of a subgraph; in other words, a subgraph with several nodes contains no isolated node. Each subgraph is a set of alarms on one asset that characterizes one set of interrelated behaviours.
Further, the statistical features extracted from each subgraph may include any one or any combination of: whether a high-risk alarm is included (is_high_level), the number of times the included alarm combination occurs in the global data (pattern_count), the number of IPs associated with the subgraph (total_ip_info) and the ratio of overseas IPs included (ip_oversea_ratio). is_high_level describes whether the subgraph contains a high-risk alarm; pattern_count describes how often the subgraph's alarm combination occurs in the global data and thus how rare the combination is, the rarer the more interesting; total_ip_info describes how many IPs the subgraph is associated with, the fewer the more tightly coupled the alarms; and ip_oversea_ratio describes the proportion of overseas IPs in the subgraph, the higher the more interesting.
As a preferred embodiment, this step comprises: cutting the graph into its connected components to obtain a plurality of candidate subgraphs; selecting from the candidate subgraphs those that satisfy a preset condition, namely that the subgraph contains more than one node or contains at least one node corresponding to an alarm event of a target level; and extracting the statistical features of the selected subgraphs. In a specific implementation, after the graph is cut into candidate subgraphs, they are screened by the preset condition, so that a retained subgraph either contains more than one node or contains at least one node whose alarm event has the target level, for example 5-High Impact.
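Steps S101 to S103 carried through end to end, as an added example that is not the patent's code. The alarm events, their timestamps, the domains, the global pattern counts and the "overseas" IP list are all constructed for this example; the time window of 600 s and the target level 5-High Impact stand in for the page's "preset" values. Edges carry the shared feature values rather than a scalar weight, the components are found by depth-first search, and single-node components survive only if they contain a target-level alarm.

```python
from collections import defaultdict
from itertools import combinations

SET_FEATURES = ("domain", "core_domain", "domain_resolved_ip")
TIME_WINDOW = 600               # seconds; assumed value for the page's "preset" time threshold
TARGET_LEVEL = "5-High Impact"  # level that lets a single-node subgraph survive screening

# Constructed sample: standardized alarm events already associated to one asset
# (10.1.77.12). Field names follow the page; the values, timestamps (ts, epoch
# seconds) and domains are invented for this example.
ALARMS = [
    {"name": "Attack and Recon Tools", "host_ip": "10.1.77.12", "level": "2-Interesting Behavior",
     "domain": {"update.example-cdn.net"}, "core_domain": {"example-cdn.net"},
     "domain_resolved_ip": {"203.0.113.7"}, "ts": 1000},
    {"name": "1GB Outbound", "host_ip": "10.1.77.12", "level": "1-Low Impact",
     "domain": set(), "core_domain": set(), "domain_resolved_ip": {"203.0.113.7"}, "ts": 1300},
    {"name": "Sustained SSL or HTTP Increase", "host_ip": "10.1.77.12", "level": "5-High Impact",
     "domain": {"api.example-cdn.net"}, "core_domain": {"example-cdn.net"},
     "domain_resolved_ip": set(), "ts": 5000},
    {"name": "Multiple Connections to New External TCP Port", "host_ip": "10.1.77.12",
     "level": "1-Low Impact", "domain": set(), "core_domain": set(),
     "domain_resolved_ip": set(), "ts": 9000},
]

# Constructed stand-ins for the page's "global data": how often each alarm combination
# has been seen across all assets, and which IPs a (hypothetical) geo lookup calls overseas.
GLOBAL_PATTERN_COUNT = {
    frozenset({"Attack and Recon Tools", "1GB Outbound", "Sustained SSL or HTTP Increase"}): 2,
    frozenset({"Multiple Connections to New External TCP Port"}): 340,
}
OVERSEAS_IPS = {"203.0.113.7"}


def intersection_features(a, b, time_window=TIME_WINDOW):
    """Edge 'weight' between two alarm events: the feature values they share, plus a
    time flag when they are closer than time_window. An empty dict means no edge."""
    shared = {f: a[f] & b[f] for f in SET_FEATURES if a[f] & b[f]}
    if abs(a["ts"] - b["ts"]) < time_window:
        shared["time"] = True
    return shared


def build_graph(alarms):
    """Nodes are alarm names; edges are keyed by the unordered pair of names."""
    nodes = {a["name"]: a for a in alarms}
    edges = {}
    for a, b in combinations(alarms, 2):
        weight = intersection_features(a, b)
        if weight and a["name"] != b["name"]:
            edges[frozenset((a["name"], b["name"]))] = weight
    return nodes, edges


def connected_components(nodes, edges):
    """Iterative DFS; every node ends up in exactly one component, isolated nodes included."""
    adj = defaultdict(set)
    for u, v in map(tuple, edges):
        adj[u].add(v)
        adj[v].add(u)
    seen, components = set(), []
    for start in nodes:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            component.add(n)
            stack.extend(adj[n] - seen)
        components.append(component)
    return components


def is_candidate(component, nodes, target_level=TARGET_LEVEL):
    """The page's screening rule: more than one node, or a target-level alarm present."""
    return len(component) > 1 or any(nodes[n]["level"] == target_level for n in component)


def subgraph_features(component, nodes):
    """The four statistical features named on the page, computed for one subgraph."""
    ips = set().union(*(nodes[n]["domain_resolved_ip"] for n in component))
    return {
        "is_high_level": any(nodes[n]["level"] == TARGET_LEVEL for n in component),
        "pattern_count": GLOBAL_PATTERN_COUNT.get(frozenset(component), 0),
        "total_ip_info": len(ips),
        "ip_oversea_ratio": len(ips & OVERSEAS_IPS) / len(ips) if ips else 0.0,
    }


def detect_subgraphs(alarms):
    """S101-S103 end to end: (sorted alarm names, features) for each retained subgraph."""
    nodes, edges = build_graph(alarms)
    return [(tuple(sorted(c)), subgraph_features(c, nodes))
            for c in connected_components(nodes, edges) if is_candidate(c, nodes)]


if __name__ == "__main__":
    for names, feats in detect_subgraphs(ALARMS):
        print(names, feats)
```

On the sample, the recon, outbound and SSL alarms join one component (shared resolved IP plus proximity in time, and a shared core domain), while the isolated low-level TCP-port alarm is dropped by the screening rule; the surviving subgraph is rare globally (pattern_count 2), touches one IP and that IP is overseas, which is exactly the profile the later anomaly model is meant to rank highly.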
S104: inputting the statistical features of each subgraph into an anomaly detection model to obtain the anomaly value of the subgraph, and determining target subgraphs according to the anomaly values;
S105: determining the alarm events in the target subgraphs to be anomalous alarms.
In a specific implementation, the statistical features of the subgraphs are input into an anomaly detection model to obtain anomaly values, the subgraphs are sorted by anomaly value in descending order, the first K subgraphs of the sorted result are taken as target subgraphs, and the alarm events contained in the target subgraphs are output as anomalous alarms; one anomalous alarm therefore contains one or more alarm events.
As a preferred embodiment, inputting the statistical features of a subgraph into an anomaly detection model to obtain its anomaly value comprises: inputting the statistical features of the subgraph into a plurality of anomaly detection models to obtain an intermediate anomaly value from each model; and combining the intermediate anomaly values by a vote weighted by each model's weight to obtain the anomaly value of the subgraph. In a specific implementation, several unsupervised anomaly detection algorithms can be used to mine anomaly values from the subgraph features: the statistical features of the subgraph are input into a plurality of anomaly detection models, and the intermediate anomaly values output by each model are aggregated by voting to obtain the final anomaly value. The anomaly detection models may include Elliptic Envelope, One-Class SVM (a type of support vector machine), Isolation Forest, LOF (Local Outlier Factor) and so on, without particular limitation here.
Further, the features of the target subgraph may also be output in order of importance, for example: the anomaly value output by the anomaly detection model, is_high_level, pattern_count, total_ip_info and ip_oversea_ratio, listed from most to least important and output in that order.
As a preferred embodiment, after the first K subgraphs of the sorted result are determined to be the target subgraphs, the method further comprises: computing a deviation score for each statistical feature of a target subgraph; sorting the statistical features of the target subgraph by deviation score in descending order and taking the first L statistical features of the sorted result; and locating the anomaly on the basis of those first L statistical features. In a specific implementation, to make the output anomalous alarms interpretable, a deviation score (a z-score) is computed for each statistical feature of each target subgraph, the statistical features of the target subgraph are sorted by deviation score from high to low, and the first L statistical features of the sorted result are determined and output, which helps to locate and explain the anomalous alarm, that is, to determine where the anomaly lies.
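Steps S104 and S105 together with the z-score explanation step, as an added example that is not the patent's code. The six feature vectors, K=1, L=2 and the model weights are constructed. The page's models (Elliptic Envelope, One-Class SVM, Isolation Forest, LOF) are replaced here by two small standard-library scorers so that the block runs offline; in a real deployment the same `weighted_vote` can take scikit-learn's `EllipticEnvelope`, `OneClassSVM`, `IsolationForest` and `LocalOutlierFactor` score functions instead. The page does not say how the vote is fused, so rank-normalizing each model's scores and taking a weighted average is an assumption; it has the practical advantage that models with incomparable score scales cannot dominate the vote.

```python
import math

FEATURE_NAMES = ("is_high_level", "pattern_count", "total_ip_info", "ip_oversea_ratio")

# Constructed feature vectors for six candidate subgraphs of one asset, columns in the
# order of FEATURE_NAMES. Row 4 is the deliberately rare combination (high-risk alarm,
# seen twice globally, one IP, fully overseas). All values are invented for the example.
SUBGRAPH_FEATURES = [
    [0, 300, 12, 0.0],
    [0, 280,  5, 0.4],
    [0, 310, 18, 0.1],
    [0, 290,  9, 0.3],
    [1,   2,  1, 1.0],
    [0, 305, 15, 0.0],
]


def standardize(X):
    """Column-wise z-scores (population std); a constant column gets z = 0 everywhere."""
    n, d = len(X), len(X[0])
    means = [sum(row[j] for row in X) / n for j in range(d)]
    stds = [math.sqrt(sum((row[j] - means[j]) ** 2 for row in X) / n) for j in range(d)]
    return [[(row[j] - means[j]) / stds[j] if stds[j] else 0.0 for j in range(d)] for row in X]


def score_mean_abs_z(Z):
    """Toy stand-in for a covariance-based detector: mean |z| over the features."""
    return [sum(abs(v) for v in row) / len(row) for row in Z]


def score_knn_distance(Z, k=2):
    """Toy stand-in for a density detector such as LOF: mean distance to k nearest neighbours."""
    scores = []
    for i, a in enumerate(Z):
        dists = sorted(math.dist(a, b) for j, b in enumerate(Z) if j != i)
        scores.append(sum(dists[:k]) / k)
    return scores


def rank_normalize(scores):
    """Map scores to [0, 1] by rank (largest -> 1) so models on different scales can vote."""
    n = len(scores)
    order = sorted(range(n), key=scores.__getitem__)
    ranks = [0.0] * n
    for r, i in enumerate(order):
        ranks[i] = r / (n - 1) if n > 1 else 1.0
    return ranks


def weighted_vote(Z, models):
    """models: {name: (score_fn, weight)}. Returns the fused anomaly value per subgraph."""
    total_w = sum(w for _, w in models.values())
    fused = [0.0] * len(Z)
    for fn, w in models.values():
        for i, r in enumerate(rank_normalize(fn(Z))):
            fused[i] += w * r / total_w
    return fused


def top_k(values, k):
    return sorted(range(len(values)), key=values.__getitem__, reverse=True)[:k]


def explain(Z, idx, l=2, names=FEATURE_NAMES):
    """Top-L features of subgraph idx by |z-score|, returned with the signed deviation."""
    ranked = sorted(zip(names, Z[idx]), key=lambda p: abs(p[1]), reverse=True)
    return ranked[:l]


MODELS = {                      # weights are assumed; tune them per deployment
    "mean_abs_z": (score_mean_abs_z, 0.4),
    "knn_distance": (score_knn_distance, 0.6),
}


def detect(X=SUBGRAPH_FEATURES, k=1, l=2):
    """S104/S105 plus the explanation step: top-K subgraphs with their top-L deviating features."""
    Z = standardize(X)
    fused = weighted_vote(Z, MODELS)
    return {i: {"anomaly_value": fused[i], "top_features": explain(Z, i, l)} for i in top_k(fused, k)}


if __name__ == "__main__":
    for i, info in detect().items():
        print(f"subgraph {i}: anomaly value {info['anomaly_value']:.2f}")
        for name, z in info["top_features"]:
            print(f"  {name:18s} z = {z:+.2f}")
```

The signed z-score matters for the analyst: a large negative deviation on pattern_count or total_ip_info means "rarer" and "tighter" than the asset's other subgraphs, which is the direction the page calls interesting, whereas the same magnitude in the positive direction would be unremarkable.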
In the anomaly alarm detection method of this embodiment, a graph for the target asset is built from the alarm events of that asset, with the alarm names as nodes and the intersection features between two alarm events as the edge between their nodes. The graph is then cut into subgraphs and the statistical features of each subgraph are extracted, so that these features capture not only the features of the individual alarm events but also the intersection features between different alarm events, that is, the relations between them; determining anomalous alarms from the subgraph features thus improves the accuracy of anomaly alarm detection.
The embodiment of the application discloses another anomaly alarm detection method that further describes and optimizes the technical scheme of the previous embodiment. Specifically:
Referring to FIG. 2, a flowchart of another anomaly alarm detection method according to an exemplary embodiment is shown; as shown in FIG. 2, the method includes:
S201: acquiring alarm events, standardizing the alarm events, and extracting the features of the alarm events;
S202: associating the alarm events corresponding to the same asset, so as to determine the alarm events corresponding to the target asset;
S203: determining the original log set of each alarm event, the original log set containing the identifiers of the original logs from which the alarm event was generated;
S204: merging different alarm events whose original log sets have a similarity greater than a preset value, and merging their corresponding features;
In this embodiment, similar alarm events are merged in order to reduce the complexity of the graph constructed afterwards. In a specific implementation, the original log set of each alarm event is kept among the features of that alarm event and records the identifiers of the original logs that produced it. If the similarity between the original log sets of two different alarm events exceeds the preset value, the two alarm events are merged.
For example, Increase in SSL or HTTP connections to New IP and Sustained SSL or HTTP Increase are highly similar; Multiple Connections to New External TCP Port and wlb# Multiple Connections to New External TCP Port (non active) are highly similar; and EXE URL Content Not Dosexec and Incoming EXE from Rare External Location are highly similar.
It should be noted that after different alarm events are merged, their corresponding features must be merged accordingly; that is, the merged alarm event and its merged features replace the original two alarm events and their features.
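Steps S203 and S204, as an added example that is not the patent's code. The page does not name the similarity measure, so Jaccard similarity of the two log-identifier sets is an assumption, as are the threshold of 0.5 and the "A | B" naming of a merged node; the log identifiers and feature sets are constructed, while the alarm names come from the page's own examples of highly similar pairs. Merging is done with union-find so that it is transitive: if A is similar to B and B to C, all three collapse into one merged event even when A and C alone fall below the threshold, which is what a graph built from nodes named by alarm requires.

```python
from itertools import combinations

FEATURE_SETS = ("domain", "core_domain", "domain_resolved_ip")
SIMILARITY_THRESHOLD = 0.5   # assumed value for the page's "preset value"

# Constructed input: each alarm event carries the identifiers of the raw logs that
# produced it (the page's "original log set") plus its extracted feature sets.
# Alarm names are the page's examples of similar pairs; log IDs and features are invented.
EVENTS = {
    "Increase in SSL or HTTP connections to New IP": {
        "logs": {"log-101", "log-102", "log-103", "log-104"},
        "domain": {"a.example.net"}, "core_domain": {"example.net"}, "domain_resolved_ip": set()},
    "Sustained SSL or HTTP Increase": {
        "logs": {"log-101", "log-102", "log-103", "log-105"},
        "domain": set(), "core_domain": {"example.net"}, "domain_resolved_ip": {"198.51.100.9"}},
    "EXE URL Content Not Dosexec": {
        "logs": {"log-300", "log-301"},
        "domain": {"dl.example.org"}, "core_domain": {"example.org"}, "domain_resolved_ip": set()},
    "Incoming EXE from Rare External Location": {
        "logs": {"log-300", "log-301", "log-302"},
        "domain": set(), "core_domain": set(), "domain_resolved_ip": {"192.0.2.44"}},
    "1GB Outbound": {
        "logs": {"log-500"},
        "domain": set(), "core_domain": set(), "domain_resolved_ip": set()},
}


def jaccard(a, b):
    """Similarity of two original log sets; two empty sets count as 0, not as identical."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def merge_similar_events(events, threshold=SIMILARITY_THRESHOLD):
    """S203-S204: merge alarm events whose log sets are more similar than threshold and
    union their features. Union-find makes the merge transitive across chains A~B~C."""
    parent = {name: name for name in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps chains short
            x = parent[x]
        return x

    for a, b in combinations(events, 2):
        if jaccard(events[a]["logs"], events[b]["logs"]) > threshold:
            parent[find(a)] = find(b)

    groups = {}
    for name in events:
        groups.setdefault(find(name), []).append(name)

    merged = {}
    for members in groups.values():
        members.sort()
        merged_name = " | ".join(members)   # naming of the merged node is an assumption
        merged[merged_name] = {
            key: set().union(*(events[m][key] for m in members))
            for key in ("logs",) + FEATURE_SETS
        }
        merged[merged_name]["members"] = members
    return merged


if __name__ == "__main__":
    for name, ev in merge_similar_events(EVENTS).items():
        print(f"{name}: {len(ev['logs'])} logs, resolved IPs {sorted(ev['domain_resolved_ip'])}")
```

The threshold is the knob to watch: set it too low and alarms that merely share a noisy common log source collapse into one node, which hides exactly the cross-alarm relations the graph is meant to expose; set it too high and near-duplicate alarms stay separate and inflate the graph with redundant edges.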
S205: determining intersection characteristics between different combined alarm events based on the combined characteristics corresponding to the combined alarm events;
s206: constructing a graph based on the combined alarm events; the nodes in the graph are alarm names of the combined alarm events, and the edges between the two nodes are intersection features between the combined alarm events corresponding to the two nodes;
s207: carrying out communication branch cutting on the graph to obtain a plurality of candidate subgraphs, determining subgraphs meeting preset conditions in the candidate subgraphs, and extracting statistical features of the subgraphs; the preset condition is that the number of the included nodes is larger than 1 or at least the node corresponding to the alarm event of one target level is included;
s208: inputting the statistical characteristics of the subgraph into a plurality of anomaly detection models to obtain intermediate anomaly values output by each anomaly detection model;
s209: voting the intermediate abnormal value based on the weight of the abnormal detection model to obtain an abnormal value corresponding to the subgraph;
s210: sequencing the subgraphs according to the sequence of the abnormal values from large to small, determining the first K subgraphs in the sequencing result as a target subgraph, and determining the alarm event in the target subgraph as an abnormal alarm;
s211: calculating the deviation degree score corresponding to the statistical features of the target subgraph, sequencing the statistical features of the target subgraph according to the sequence from the big deviation degree score to the small deviation degree score, determining the first L statistical features in the sequencing result, and carrying out abnormal positioning based on the first L statistical features.
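The S201-S211 pipeline above, worked end to end on a handful of constructed alarm events, as an added example that is not the patent's code. The similarity measure (Jaccard over original-log identifiers), the concrete statistical features, the three z-score based anomaly detection models and their voting weights are all assumptions, since the page does not fix them.

```python
# Worked example of S203-S211 on constructed alarm events; added illustration, not the patent's
# code. Assumed: Jaccard similarity of log sets, z-score based models, weighted min-max vote.
from itertools import combinations
from statistics import mean, pstdev

ALARMS = [  # constructed alarm events already correlated to one target asset (S201-S202)
    {"name": "Connections to New IP", "features": {"dst:203.0.113.7", "proto:ssl"}, "logs": {1, 2, 3, 4}, "level": "medium"},
    {"name": "Sustained SSL Increase", "features": {"dst:203.0.113.7", "proto:ssl", "rate:high"}, "logs": {1, 2, 3, 5}, "level": "medium"},
    {"name": "New External TCP Port", "features": {"dst:203.0.113.7", "dport:4444"}, "logs": {6, 7}, "level": "high"},
    {"name": "Incoming EXE", "features": {"src:198.51.100.9", "mime:exe"}, "logs": {8}, "level": "high"},
    {"name": "Rare DNS Query", "features": {"domain:example.test"}, "logs": {9}, "level": "low"},
    {"name": "Beaconing", "features": {"dst:192.0.2.55", "proto:http"}, "logs": {10, 11}, "level": "medium"},
    {"name": "Large Upload", "features": {"dst:192.0.2.55", "bytes:high"}, "logs": {12}, "level": "high"},
]

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def merge_similar(alarms, threshold=0.5):
    """S203-S204: merge alarms whose original-log sets are similar and union their features."""
    merged = []
    for alarm in alarms:
        hit = next((m for m in merged if jaccard(m["logs"], alarm["logs"]) > threshold), None)
        if hit is None:
            merged.append({k: (set(v) if isinstance(v, set) else v) for k, v in alarm.items()})
            continue
        hit["name"] += " + " + alarm["name"]
        hit["features"] |= alarm["features"]
        hit["logs"] |= alarm["logs"]
        hit["level"] = max(hit["level"], alarm["level"], key=["low", "medium", "high"].index)
    return merged

def build_graph(alarms):
    """S205-S206: node = alarm name; an edge carries the two alarms' intersection features."""
    return {(i, j): alarms[i]["features"] & alarms[j]["features"]
            for i, j in combinations(range(len(alarms)), 2)
            if alarms[i]["features"] & alarms[j]["features"]}

def connected_components(n, edges):
    """S207: cut the graph into its connected components (union-find, no graph library)."""
    parent = list(range(n))
    def find(v):
        return v if parent[v] == v else find(parent[v])
    for i, j in edges:
        parent[find(i)] = find(j)
    roots = [find(v) for v in range(n)]
    return [[v for v in range(n) if roots[v] == r] for r in dict.fromkeys(roots)]

def subgraph_features(comp, alarms, edges, target_level):
    """S207: statistical features of one subgraph (this particular feature set is assumed)."""
    inner = [e for e in edges if e[0] in comp and e[1] in comp]
    return {"node_count": len(comp), "edge_count": len(inner),
            "shared_feature_count": sum(len(edges[e]) for e in inner),
            "distinct_feature_count": len(set().union(*(alarms[i]["features"] for i in comp))),
            "target_level_nodes": sum(alarms[i]["level"] == target_level for i in comp),
            "log_count": sum(len(alarms[i]["logs"]) for i in comp)}

def zscores(feats):
    """Per-feature z-score of each subgraph against all kept subgraphs (0 when constant)."""
    out = [{} for _ in feats]
    for key in (feats[0] if feats else ()):
        col = [f[key] for f in feats]
        mu, sd = mean(col), pstdev(col)
        for z, f in zip(out, feats):
            z[key] = (f[key] - mu) / sd if sd else 0.0
    return out

MODELS = [  # S208: a plurality of simple anomaly detection models, each with an assumed weight
    (lambda zs: [sum(z.values()) for z in zs], 0.6),                  # bigger/busier = more anomalous
    (lambda zs: [sum(abs(v) for v in z.values()) for z in zs], 0.2),  # distance from the population
    (lambda zs: [max(abs(v) for v in z.values()) for z in zs], 0.2),  # single most deviant feature
]

def vote(zs):
    """S209: min-max normalise each model's intermediate values, then weight-vote them."""
    scores = [0.0] * len(zs)
    for model, weight in MODELS:
        vals = model(zs)
        lo, hi = min(vals, default=0.0), max(vals, default=0.0)
        scores = [s + weight * ((v - lo) / (hi - lo) if hi > lo else 0.0) for s, v in zip(scores, vals)]
    return scores

def detect(alarms, k=2, top_l=2, target_level="high"):
    """S203-S211 end to end: the top-K subgraphs and, for each, its L most deviating features."""
    alarms = merge_similar(alarms)
    edges = build_graph(alarms)
    comps = [c for c in connected_components(len(alarms), edges)
             if len(c) > 1 or any(alarms[i]["level"] == target_level for i in c)]
    zs = zscores([subgraph_features(c, alarms, edges, target_level) for c in comps])
    scores = vote(zs)
    top_k = sorted(range(len(comps)), key=lambda i: scores[i], reverse=True)[:k]
    # S211: deviation degree score of a feature = |z|; the largest L localise the anomaly.
    return [{"alarms": [alarms[j]["name"] for j in comps[i]], "score": round(scores[i], 3),
             "deviating_features": sorted(zs[i], key=lambda f: abs(zs[i][f]), reverse=True)[:top_l]}
            for i in top_k]
```

On the constructed input the two SSL alarms merge (log-set Jaccard 0.6), the single low-level "Rare DNS Query" component is dropped by the preset condition, and the merged SSL/TCP-port subgraph ranks first with `log_count` and `distinct_feature_count` as its most deviating features.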
Therefore, by merging similar alarm events, this embodiment reduces the number of similar edges generated when the graph is subsequently constructed, which improves graph-construction efficiency and in turn the efficiency of abnormal alarm detection.
An abnormality alert detection apparatus according to an embodiment of the present application is described below; the abnormality alert detection apparatus described below and the abnormality alert detection method described above may be referred to one another.
Referring to fig. 3, a structural diagram of an abnormality alert detection apparatus according to an exemplary embodiment is shown, as shown in fig. 3, including:
the acquisition module 301 is configured to acquire alarm events corresponding to the target asset, and determine intersection characteristics between different alarm events;
a building module 302, configured to build a graph based on the alarm event; the nodes in the graph are alarm names of the alarm events, and edges between two nodes are intersection features between the alarm events corresponding to the two nodes;
a cutting module 303, configured to perform connected-component cutting on the graph to obtain a plurality of subgraphs, and to extract statistical features of the subgraphs;
the detection module 304 is configured to input the statistical feature of the subgraph into an anomaly detection model to obtain an anomaly value corresponding to the subgraph, and determine a target subgraph according to the anomaly value;
a first determining module 305 is configured to determine an alarm event in the target subgraph as an abnormal alarm.
According to the abnormal alarm detection device provided by the embodiment of the application, the graph corresponding to the target asset is constructed based on the alarm events corresponding to the target asset, where each node is the alarm name of an alarm event and the edge between two nodes is the intersection feature between the alarm events corresponding to those two nodes. Further, the graph is cut to obtain a plurality of subgraphs, and the statistical features of the subgraphs are extracted. Because the extracted statistical features of a subgraph comprise not only the features of its alarm events but also the intersection features among different alarm events, they can describe the relevance of different alarm events; abnormal alarms are therefore determined based on the statistical features of the subgraphs, which improves the accuracy of abnormal alarm detection.
Based on the above embodiment, as a preferred implementation manner, the detection module 304 is specifically configured to: input the statistical features of the subgraph into an anomaly detection model to obtain the anomaly value corresponding to the subgraph, sort the subgraphs in descending order of anomaly value, and determine the first K subgraphs in the sorted result as target subgraphs.
On the basis of the above embodiment, as a preferred implementation manner, the obtaining module 301 includes:
the acquisition unit is used for acquiring the alarm event;
the first extraction unit is used for extracting the characteristics of the alarm event;
the association unit is used for associating the alarm events corresponding to the same asset so as to determine the alarm event corresponding to the target asset;
and the first determining unit is used for determining intersection characteristics between different alarm events corresponding to the target asset based on the characteristics of the alarm events corresponding to the target asset.
On the basis of the above embodiment, as a preferred implementation manner, the obtaining module 301 includes:
the acquisition unit is used for acquiring the alarm event;
a second determining unit, configured to determine an original log set of the alarm event; wherein the original log set includes an identification of an original log that generated the alarm event;
the merging unit is used for merging different alarm events with the similarity between the corresponding original log sets being larger than a preset value and merging corresponding features;
a third determining unit, configured to determine intersection features between different alarm events after merging based on the merged features corresponding to the alarm events after merging;
accordingly, the construction module 302 is specifically configured to: constructing a graph based on the combined alarm events; the nodes in the graph are alarm names of the combined alarm events, and the edges between the two nodes are intersection features between the combined alarm events corresponding to the two nodes.
On the basis of the above embodiment, as a preferred implementation manner, the cutting module 303 includes:
the cutting unit is used for performing connected-component cutting on the graph to obtain a plurality of candidate subgraphs;
a third determining unit, configured to determine the subgraphs that meet a preset condition from the candidate subgraphs; the preset condition is that the subgraph contains more than one node, or contains at least one node corresponding to an alarm event of a target level;
and the second extraction unit is used for extracting the statistical characteristics of the subgraph.
Based on the above embodiment, as a preferred implementation manner, the detection module 304 includes:
the input unit is used for inputting the statistical characteristics of the subgraph into a plurality of anomaly detection models to obtain an intermediate anomaly value output by each anomaly detection model;
and the voting unit is used for voting the intermediate abnormal value based on the weight of the abnormal detection model to obtain the abnormal value corresponding to the subgraph.
On the basis of the above embodiment, as a preferred implementation manner, the method further includes:
and the second determining module is used for calculating the deviation degree score corresponding to each statistical feature of the target subgraph, sorting the statistical features of the target subgraph in descending order of deviation degree score, determining the first L statistical features in the sorted result, and performing anomaly localization based on the first L statistical features.
The specific manner in which the various modules of the apparatus in the above embodiments perform their operations has been described in detail in connection with the embodiments of the method and will not be repeated here.
Based on the hardware implementation of the program modules, and in order to implement the method of the embodiments of the present application, the embodiments of the present application further provide an electronic device, fig. 4 is a block diagram of an electronic device according to an exemplary embodiment, and as shown in fig. 4, the electronic device includes:
a communication interface 1 capable of information interaction with other devices such as network devices and the like;
and a processor 2, connected with the communication interface 1 to realize information interaction with other devices, and used, when running a computer program, for executing the abnormal alarm detection method provided by one or more of the technical solutions above; the computer program is stored in the memory 3.
Of course, in practice, the various components in the electronic device are coupled together by a bus system 4. It will be appreciated that the bus system 4 is used to enable connected communications between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. But for clarity of illustration the various buses are labeled as bus system 4 in fig. 4.
The memory 3 in the embodiment of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), magnetic random access memory (FRAM, ferromagnetic random access memory), flash memory, magnetic surface memory, optical disk, or Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk memory or tape memory. The volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiments of the present application may be applied to the processor 2 or implemented by the processor 2. The processor 2 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 2 or by instructions in the form of software. The processor 2 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly embodied in a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 3 and the processor 2 reads the program in the memory 3 to perform the steps of the method described above in connection with its hardware.
The processor 2 implements corresponding flows in the methods of the embodiments of the present application when executing the program, and for brevity, will not be described in detail herein.
In an exemplary embodiment, the present application also provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program executable by the processor 2 for performing the steps of the method described above. The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
Alternatively, the integrated units described above may be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially or partly contributing to the prior art, and the computer software product may be stored in a storage medium, and include several instructions to cause an electronic device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (9)

1. An anomaly alert detection method, comprising:
acquiring alarm events corresponding to the target asset, and determining intersection characteristics among different alarm events;
constructing a graph based on the alarm event; the nodes in the graph are alarm names of the alarm events, and edges between two nodes are intersection features between the alarm events corresponding to the two nodes;
performing connected-component cutting on the graph to obtain a plurality of subgraphs, and extracting statistical features of the subgraphs;
inputting the statistical characteristics of the subgraph into a plurality of anomaly detection models to obtain intermediate anomaly values output by each anomaly detection model, voting the intermediate anomaly values based on the weights of the anomaly detection models to obtain anomaly values corresponding to the subgraph, and determining a target subgraph according to the anomaly values;
and determining the alarm event in the target subgraph as an abnormal alarm.
2. The abnormality alert detection method according to claim 1, wherein said determining a target subgraph from said abnormal value includes:
and sorting the subgraphs in descending order of anomaly value, and determining the first K subgraphs in the sorted result as target subgraphs.
3. The abnormal alert detection method according to claim 1, wherein the acquiring alert events corresponding to the target asset and determining intersection characteristics between different alert events comprises:
acquiring an alarm event and extracting characteristics of the alarm event;
correlating the alarm events corresponding to the same asset to determine the alarm event corresponding to the target asset;
and determining intersection characteristics between different alarm events corresponding to the target asset based on the characteristics of the alarm events corresponding to the target asset.
4. The abnormal alert detection method according to claim 1, further comprising, after the obtaining the alert event corresponding to the target asset:
determining an original log set of the alarm event; wherein the original log set includes an identification of an original log that generated the alarm event;
combining different alarm events with the similarity between the corresponding original log sets being larger than a preset value, and combining corresponding features;
accordingly, the determining the intersection characteristic between different alarm events includes:
determining intersection characteristics between different combined alarm events based on the combined characteristics corresponding to the combined alarm events;
correspondingly, the constructing a graph based on the alarm event comprises:
constructing a graph based on the combined alarm events; the nodes in the graph are alarm names of the combined alarm events, and the edges between the two nodes are intersection features between the combined alarm events corresponding to the two nodes.
5. The abnormality alert detection method according to claim 1, wherein performing connected-component cutting on the graph to obtain a plurality of subgraphs and extracting statistical features of the subgraphs comprises:
performing connected-component cutting on the graph to obtain a plurality of candidate subgraphs;
determining the subgraphs meeting a preset condition from the candidate subgraphs; the preset condition is that the subgraph contains more than one node, or contains at least one node corresponding to an alarm event of a target level;
and extracting the statistical characteristics of the subgraph.
6. The abnormal alarm detection method according to claim 2, wherein after determining the first K sub-graphs in the ranking result as the target sub-graphs, the method further comprises:
calculating a deviation degree score corresponding to the statistical characteristics of the target subgraph;
sequencing the statistical features of the target subgraph according to the sequence of the deviation degree scores from large to small, and determining the first L statistical features in the sequencing result;
and performing abnormality positioning based on the first L statistical features.
7. An abnormality alert detection apparatus, characterized by comprising:
the acquisition module is used for acquiring alarm events corresponding to the target asset and determining intersection characteristics among different alarm events;
the construction module is used for constructing a graph based on the alarm event; the nodes in the graph are alarm names of the alarm events, and edges between two nodes are intersection features between the alarm events corresponding to the two nodes;
the cutting module is used for performing connected-component cutting on the graph to obtain a plurality of subgraphs and extracting statistical features of the subgraphs;
the detection module is used for inputting the statistical characteristics of the subgraph into a plurality of anomaly detection models to obtain intermediate anomaly values output by each anomaly detection model, voting the intermediate anomaly values based on the weights of the anomaly detection models to obtain anomaly values corresponding to the subgraph, and determining a target subgraph according to the anomaly values;
and the first determining module is used for determining the alarm event in the target subgraph as an abnormal alarm.
8. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the abnormality alert detection method according to any one of claims 1 to 6 when executing the computer program.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the abnormality alert detection method according to any one of claims 1 to 6.
CN202210325016.4A 2022-03-30 2022-03-30 Abnormality alarm detection method and device, electronic equipment and storage medium Active CN114760113B (en)

Publications (2)

Publication Number Publication Date
CN114760113A CN114760113A (en) 2022-07-15
CN114760113B true CN114760113B (en) 2024-02-23

Family

ID=82329806

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant