CN114826874A

CN114826874A - Automatic processing method, system and storage medium for safety alarm log

Info

Publication number: CN114826874A
Application number: CN202210456789.6A
Authority: CN
Inventors: 刘光磊
Original assignee: Shanghai Carbon Information Technology Co ltd
Current assignee: Shanghai Carbon Information Technology Co ltd
Priority date: 2022-04-24
Filing date: 2022-04-24
Publication date: 2022-07-29

Abstract

The application relates to an automatic processing method for a safety alarm log, which comprises the steps of firstly obtaining original alarm data by a receiver, converting the original alarm data into standard format alarm data, then carrying out data filtration, data normalization and data merging on the standard format alarm data, and then carrying out alarm processing on the merged alarm data by an actuator.

Description

Automatic processing method, system and storage medium for safety alarm log

Technical Field

The present application relates to the field of network security technologies, and in particular, to a method, a system, and a storage medium for automatically handling a security alarm log.

Background

With the increasing enlargement of information construction scale of enterprises and organizations, security architecture is becoming more and more complex, security data and alarm events generated by various security devices, operation and maintenance systems and business systems in the organizations are increasing, the security operation and maintenance pressure of the enterprises and the organizations is increasing, and the security operation and maintenance complexity is increasing. In today's enterprise security management systems, automation solutions have focused more on security event alarm monitoring and collection. A security event monitoring and analyzing system represented by solutions such as SOC (system on chip), SIEM (site information technology) and the like collects massive security event information every day and generates a large number of alarm logs, and most alarms belong to repeated or false alarm information. The alarm information needs the safety operation and maintenance personnel to manually judge the risk level and whether necessary measures need to be taken to handle the alarm. Usually, most alarms have corresponding emergency processing schemes, and the security operation and maintenance personnel find the alarms and manually perform corresponding operations according to the processing schemes, such as sealing and prohibiting illegal IP on a firewall, logging in a server with bugs, making security patches, deleting discovered risk programs and files, and the like.

With respect to the related art among the above, the inventors consider that the following drawbacks exist: daily safe operation and maintenance work faces the current situations of being scattered, repeated, tedious and easy to miss and make mistakes, and the time of safe operation and maintenance personnel is put into a large amount of simple, repeated and time-consuming manual alarm processing, so that the safety problems that the safe operation and maintenance experience is really needed and the time analysis is needed are covered.

Disclosure of Invention

The application provides a safety alarm log automatic processing method, a system and a storage medium, aiming at the problems that the daily safety operation and maintenance work faces the current situations of scattered, repeated, fussy and easy omission and error, and the time of safety operation and maintenance personnel is input into a large amount of simple, repeated and time-consuming manual alarm processing.

In a first aspect, the present application provides an automated handling method for a safety alarm log, including the following steps:

s1: acquiring original alarm data by using a receiver, and converting the original alarm data into alarm data in a standard format;

s2: and performing data preprocessing on the standard format alarm data, wherein the data preprocessing specifically comprises the following steps:

and (3) data filtering: constructing a filtering expression by using the value of the attribute in the alarm information of the alarm data in the standard format, and filtering the alarm data in the standard format by using the filtering expression to obtain filtered alarm data;

normalizing data: modifying the attributes in the filtered alarm data by using data operational characters to obtain normalized alarm data;

merging data: merging the repeated normalized alarm data in a specified time period into one piece of data to obtain merged alarm data;

s3: and performing alarm treatment on the merged alarm data by using an actuator.

By adopting the technical scheme, the original alarm data is obtained by the receiver, the original alarm data is converted into the alarm data in the standard format, then the data filtration, data normalization and data merging are carried out on the alarm data in the standard format for data preprocessing, then the alarm processing is carried out on the merged alarm data by the actuator, the three steps of receiving, standardization and processing are unified into a whole by the method, scattered and immediate work is brought into a standardized processing system, thus the high automation of alarm processing is realized, the problem of insufficient processing capacity of a security event analysis system is solved, a short automatic processing plate for security alarm is complemented, repeated alarms are processed quickly, the processing efficiency is improved, and the workload of security operation and maintenance personnel is reduced.

Preferably, in step S1, the acquiring, by the receiver, the original alarm data specifically includes: the receiver obtains data from the alert source interface based on a particular policy or frequency, the particular policy including a timed task policy and a Socket-based long connection policy. Therefore, the alarm data can be actively acquired.

Preferably, the alert source comprises a SoC and a SIEM. The alarm data storage performance of the SoC and the SIEM is strong.

Preferably, in step S1, the acquiring, by the receiver, the original alarm data specifically includes: the receiver is utilized to provide a standard API interface through which raw alert data is actively pushed into the receiver by a third party alert source. Thus realizing passive receiving of alarm data.

Preferably, in the step S2, the value of the attribute in the alarm information is obtained by using a variable $ alarm in the standard format alarm data.

Preferably, in step S2, the data operator includes Get, HashGet, HashSet, HashDel, or appendix.

Preferably, the step S3 specifically includes: and performing alarm processing on the merged alarm data by using an actuator, and executing corresponding processing actions, wherein the processing actions comprise executing a section of script, accessing a firewall to add a blocking strategy and calling a certain missed scanning device to initiate scanning.

Preferably, in step S3, the treatment action of each of the merged alarm data is packaged in an executor and is treated independently, so as to reduce the functional coupling degree of different treatment actions.

In a second aspect, the present application further provides an automated handling system for a safety alarm log, where the system includes:

the alarm data receiving module is configured to acquire original alarm data and convert the original alarm data into alarm data in a standard format;

the data preprocessing module is configured to perform data preprocessing on the standard format alarm data, and the data preprocessing specifically includes: and (3) data filtering: constructing a filtering expression by using the value of the attribute in the alarm information of the alarm data in the standard format, and filtering the alarm data in the standard format by using the filtering expression to form filtered alarm data; normalizing data: modifying the attributes in the filtered alarm data by using the data operational characters to form normalized alarm data; merging data: combining repeated normalized alarm data in a specified time period into one piece of data to obtain the combined alarm data;

and the alarm processing module is configured to perform alarm processing on the merged alarm data.

In a third aspect, the present application also proposes a computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the computing method according to the first aspect.

In summary, the present application at least includes the following beneficial technical effects:

1. firstly, acquiring original alarm data by using a receiver, converting the original alarm data into standard format alarm data, then carrying out data filtration, data normalization and data merging data preprocessing on the standard format alarm data, then carrying out alarm treatment on the merged alarm data by using an actuator, unifying the three steps of receiving, standardizing and treating into a whole by using the method, and bringing scattered and immediate work into a standardized processing system, thereby realizing high automation of alarm treatment;

2. the problem of insufficient handling capacity of a security event analysis system is solved, and a security alarm automatic handling short board is complemented;

3. repeated alarm is rapidly handled, handling efficiency is improved, and the workload of safe operation and maintenance personnel is reduced.

Drawings

The accompanying drawings are included to provide a further understanding of the embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and together with the description serve to explain the principles of the application. Other embodiments and many of the intended advantages of embodiments will be readily appreciated as they become better understood by reference to the following detailed description. The elements of the drawings are not necessarily to scale relative to each other. Like reference numerals designate corresponding similar parts.

Fig. 1 is a flowchart of a method for automatically handling a security alarm log in an embodiment of the present application.

FIG. 2 is a schematic diagram illustrating a specific embodiment of a method for automated handling of a security alarm log according to the present application.

Fig. 3 is a schematic diagram of a receiver structure in one embodiment of the present application.

FIG. 4 is a schematic diagram of data filtering in one embodiment of the present application.

FIG. 5 is a schematic illustration of data normalization in one embodiment of the present application.

FIG. 6 is a schematic illustration of data merging in one embodiment of the present application.

FIG. 7 is a diagram of a chain of data pre-processing rules in one embodiment of the present application.

FIG. 8 is a schematic view of an actuator action chain according to an embodiment of the present application.

FIG. 9 is a schematic illustration of actuator chain parameter delivery in one embodiment of the present application.

FIG. 10 is a block diagram of an automated processing system for a safety alarm log according to an embodiment of the present application.

FIG. 11 is a block diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.

Detailed Description

The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.

It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.

Fig. 1 shows a flowchart of an automated handling method based on a security alarm log, to which an embodiment of the present application may be applied, and fig. 2 shows a schematic diagram of a specific embodiment of the automated handling method based on a security alarm log according to the present application, which, with reference to fig. 1 and fig. 2, specifically includes the following steps:

wherein the receiver can be developed in any programming language that conforms to a set of standard input-output formats to enable unified call management and unified data processing.

Referring to fig. 3, the receiver is resident in the background and operates independently, and supports two modes of actively acquiring alarm data or passively receiving alarm data. The active acquisition mode is to pull the needed alarm data from the alarm source system (such as SoC or SIEM) interface through a certain strategy (such as timing task), while the passive reception mode is to provide an API interface externally, and the third party alarm source actively pushes the alarm log data into the interface to be acquired by the plug-in receiver.

When the operation mode of the receiver is a passive alarm data receiving mode, the receiver starts up in an HTTP service mode and provides a standard API interface, and the alarm data is actively pushed into the receiver by a third party alarm source through the interface. The mode is mainly aimed at warning sources with data push capability or the butt joint of a third-party platform and a current framework. Alert sources include, but are not limited to, SoC and SIEM, among others.

When the receiver operation mode is an active acquisition alarm data mode, the receiver acquires data from the alarm source interface based on a specific strategy or frequency, wherein the specific strategy comprises the following steps: timing tasks, such as accessing the alert source interface to obtain data every 1 hour; based on the Socket long connection, the alert source transmits incremental data to the receiver in real time; and the frequency is customized, so that a developer can develop and access a new receiver by himself according to the input and output standards of the receiver, and the data acquisition mode and strategy are customized through codes.

In a specific embodiment, the receiver has an input/output standard, which is to facilitate the framework to uniformly manage all available receiver life cycles, and includes the main contents of starting up the plug-in, monitoring the operation state, and generating result data by the receiver.

The standard input data structure standard of the receiver is as follows:

the standard input of the receiver is used for the entry of the receiver when starting up the receiver, i.e. what parameters need to be passed into the receiver when starting up the receiver process. These parameters are used for specific service parameters that need to be used in the receiver implementation. Taking a certain SIEM system requiring an authorization key to access an interface as an example, when a receiver is developed for the system, parameters such as an address (api url) and an authorization key (auth key) of the SIEM system need to be transmitted to the receiver based on standard input, and the receiver uses the parameters to successfully log in the SIEM system, so as to obtain data.

The receiver standard output format is as follows:

the parameters in the standard input data format are different for each receiver due to the different functions and data acquisition modes. However, through the service logic implemented in the receiver, the alarm data after being preliminarily processed and converted is output in the same standard output format so as to be provided for the subsequent preprocessing module for unified processing.

All data output by the receiver need to conform to the above data format standard, and for data and fields which cannot be converted in the alarm, the original data can be directly placed in the Raw attribute and left for the processing of the following modules. The process of converting the alarm original data into the standard output format by the receiver is the primary processing of the receiver data. The preliminary processing is to extract some key fields from the original alarm data, so as to facilitate the operations of filtering, merging, removing duplicate and the like of the subsequent preprocessing module. Fields existing in the original data but not defined in the standard alarm output are uniformly placed in the Raw attribute.

S2: and performing data preprocessing on the standard format alarm data, wherein the data preprocessing specifically comprises data filtering, data normalization and data merging.

And (3) data filtering:

constructing a filtering expression by using the value of the attribute in the alarm information of the alarm data in the standard format, and filtering the alarm data in the standard format by using the filtering expression to obtain filtered alarm data; wherein, the value of the attribute in the alarm information of the alarm data in the standard format is obtained by using a variable $ alarm.

The filtering rule is to reduce the number of alarms through customized filtering conditions, and for some alarm data meeting the conditions, we can choose to discard or continue execution, thereby reducing the number of alarms that need to be handled finally. Referring to fig. 4, in the definition process of the filtering rule, a special variable $ alarm may be used, and this variable represents that the alarm information output by the receiver in the standard output format receiveoutput is exactly, and the value of the attribute in the alarm information may be obtained by means of $ alarm. $ alarm may be used in all preprocessing rules.

The condition judgment in the preprocessing rule is completed by the basic expression grammar which comprises two main keywords AND AND OR, AND the complete expression is completed by stacking more AND OR OR conditions. For example:

($ align ═ 1.1.1.1 ' OR $ align.sip | = ' 2.2.2 ') AND $ align.

Meanwhile, in order to increase the diversity of data in the expression, besides the alarm data of the preprocessing is obtained through $ alarm, the historical data is inquired from the database for construction and judgment of the expression.

Normalizing data:

modifying the attributes in the filtered alarm data by using data operational characters to obtain normalized alarm data;

referring to fig. 5, the normalization rule is to normalize and standardize the data by modifying the attributes in the alarm data. The data operator comprises Get, HashGet, HashSet, HashDel or appendix.

Get: assigning a specified attribute value to a target attribute, for example, $ alarm.

HashGet: the operation object is data of a HashMap type, and indicates that a specified value is taken from the data of the HashMap type and assigned to a target attribute, for example, $ arm.

HashSet: the operation object is data of a HashMap type, and indicates that a new key-value pair is added to the data of the HashMap type, for example, $ arm.

HashDel: the operation object is data of a HashMap type and indicates that certain data is deleted from the data of the HashMap type.

Appendix: the operand is an Array type of data that indicates the addition of a new element to the Array.

Merging data:

merging the repeated normalized alarm data in a specified time period into one piece of data to obtain merged alarm data;

referring to fig. 6, the purpose of merging data is mainly to reduce the number of alarms, and the merging rule also supports syntax expressions like a filtering rule, and in addition, a time attribute is added, so that a user can set a time range for the merging.

When the merging rule is executed, the alarm data with the same condition can be inquired in the historical data according to the condition in the grammatical expression, and if the alarm data is not found, the alarm data is promoted to be the main alarm record; if the main alarm record exists, the current alarm is the repeated record of the alarm information, and the current alarm is taken as a sub alarm to be merged into the main alarm record.

In a particular embodiment, referring to FIG. 7, data pre-processing supports a rule chain that concatenates multiple pre-processing types together. The multiple preprocessing types are connected in series, the data processed by the former are used for subsequent processing by the latter, and the rule type is used as a processing unit, so that the flexibility of customizing the rule can be increased, and the subsequent addition of new processing logic is facilitated.

In a specific embodiment, the step S3 specifically includes: and performing alarm processing on the merged alarm data by using an actuator, and executing corresponding processing actions, wherein the processing actions comprise executing a section of script, accessing a firewall to add a blocking strategy and calling a certain missed scanning device to initiate scanning. And encapsulating the handling action of each merged alarm data in an actuator, and independently handling to reduce the functional coupling degree of different handling actions.

An executor is a set of code functions that are used to complete a particular treatment operation. Similar to the receiver, the executor complies with a specific input-output standard, and is convenient to be called and obtain an execution result. Referring to fig. 8, a plurality of actuators may be connected in series, and the latter may use the result data output from the former as input data to streamline the entire treatment process and realize functional linkage.

The executor has a standard input, wherein the standard input data structure standard of the executor is roughly as follows:

referring to fig. 9, the standard input of the actuator is used for the entry of the actuator when it is activated, i.e. what parameters need to be passed to the actuator when the actuator process is activated. These parameters are used for the specific service parameters needed in the execution process of the executor. For example, when the firewall adds the IP blocking policy, the executor marks the entry to require parameters such as a firewall IP address (IP), a firewall account password (username, password), and policy information (rule). The enforcer uses these parameters to access the specified firewall and write the policy.

The standard output of the executor is the data structure definition of the result of the executor completion, which indicates which parameters are returned by the executor after the execution is successful or failed, and the name and type of the parameters are what. Based on a standard output format, the output result can be used more conveniently, and linkage parameters among actuators can be configured in advance when an actuator chain is constructed.

With further reference to fig. 10, as an implementation of the method described above, the present application provides an embodiment of a system for automatically handling a security alarm log, where the embodiment of the system corresponds to the embodiment of the method shown in fig. 1, and the system may be specifically applied to various electronic devices.

Referring to fig. 10, a secure alarm log automated handling system, comprising:

an alarm data receiving module 101 configured to obtain original alarm data and convert the original alarm data into alarm data in a standard format;

the data preprocessing module 102 is configured to perform data preprocessing on the standard format alarm data, where the data preprocessing specifically includes: and (3) data filtering: constructing a filtering expression by using the value of the attribute in the alarm information of the alarm data in the standard format, and filtering the alarm data in the standard format by using the filtering expression to form filtered alarm data; normalizing data: modifying the attributes in the filtered alarm data by using the data operational characters to form normalized alarm data; merging data: combining repeated normalized alarm data in a specified time period into one piece of data to obtain the combined alarm data;

the alarm handling module 103 is configured to perform alarm handling on the merged alarm data.

Referring now to FIG. 11, shown is a block diagram of a computer system 500 suitable for use in implementing the electronic device of an embodiment of the present application. The electronic device shown in fig. 11 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.

As shown in fig. 11, the computer system 200 includes a Central Processing Unit (CPU)201 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)202 or a program loaded from a storage section 208 into a Random Access Memory (RAM) 203. In the RAM 203, various programs and data necessary for the operation of the system 200 are also stored. The CPU 201, ROM 202, and RAM 203 are connected to each other via a bus 204. An input/output (I/O) interface 205 is also connected to bus 204.

The following components are connected to the I/O interface 205: an input portion 206 including a keyboard, a mouse, and the like; an output section 207 including a display such as a Liquid Crystal Display (LCD) and a speaker; a storage section 208 including a hard disk and the like; and a communication section 209 including a network interface card such as a LAN card, a modem, or the like. The communication section 209 performs communication processing via a network such as the internet. A drive 210 is also connected to the I/O interface 205 as needed. A removable medium 211 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 210 as necessary, so that the computer program read out therefrom is mounted into the storage section 208 as necessary.

In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 209 and/or installed from the removable medium 211. The above-described functions defined in the method of the present application are performed when the computer program is executed by the Central Processing Unit (CPU) 201.

As another aspect, the present application also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable storage medium carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the method shown in fig. 1.

It should be noted that the computer readable storage medium described herein can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable storage medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.

Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C + + or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).

The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

While the present invention has been described with reference to the preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

In the description of the present application, it is to be understood that the terms "upper", "lower", "inner", "outer", and the like, indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, are only for convenience in describing the present application and simplifying the description, and do not indicate or imply that the referred devices or elements must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present application. The word 'comprising' does not exclude the presence of elements or steps not listed in a claim. The word 'a' or 'an' preceding an element does not exclude the presence of a plurality of such elements. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. Any reference signs in the claims shall not be construed as limiting the scope.

Claims

1. An automatic processing method for a safety alarm log is characterized by comprising the following steps:

2. The automated handling method of the safety alarm log according to claim 1, wherein: in step S1, the acquiring, by the receiver, the original alarm data specifically includes: the receiver obtains data from the alert source interface based on a particular policy or frequency, the particular policy including a timed task policy and a Socket-based long connection policy.

3. The automated handling method of the safety alarm log according to claim 2, wherein: the alert sources include SoC and SIEM.

4. The automated handling method of the safety alarm log according to claim 1, wherein: in step S1, the acquiring, by the receiver, the original alarm data specifically includes: the receiver is utilized to provide a standard API interface through which raw alert data is actively pushed into the receiver by a third party alert source.

5. The automated handling method of the safety alarm log according to claim 1, wherein: in step S2, the value of the attribute in the alarm information is obtained by using the variable $ alarm in the standard format alarm data.

6. The automated handling method of the safety alarm log according to claim 1, wherein: in the step S2, the data operator includes Get, HashGet, HashSet, HashDel, or appendix.

7. The method for automatically handling the safety alarm log according to any one of claims 1 to 6, wherein the step S3 specifically includes: and performing alarm processing on the merged alarm data by using an actuator, and executing corresponding processing actions, wherein the processing actions comprise executing a section of script, accessing a firewall to add a blocking strategy and calling a certain missed scanning device to initiate scanning.

8. The automated handling method of the safety alarm log according to claim 7, wherein: in step S3, the treatment action of each of the merged alarm data is packaged in an executor and is treated independently, so as to reduce the functional coupling degree of different treatment actions.

9. A system for automated handling of security alarm logs, the system comprising:

10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the calculation method according to any one of claims 1 to 8.