CN114826874A - Automatic processing method, system and storage medium for safety alarm log - Google Patents


Info

Publication number: CN114826874A
Application number: CN202210456789.6A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 刘光磊
Assignee (original and current): Shanghai Carbon Information Technology Co ltd
Prior art keywords: data, alarm, alarm data, receiver, standard format

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2228 Indexing structures
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2423 Interactive query statement specification based on a database schema


Abstract

The application relates to an automatic processing method for a security alarm log, comprising the steps of: first obtaining original alarm data with a receiver and converting the original alarm data into standard format alarm data; then carrying out data filtering, data normalization and data merging on the standard format alarm data; and then carrying out alarm handling on the merged alarm data with an executor.

Description

Automatic processing method, system and storage medium for safety alarm log
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, a system, and a storage medium for automatically handling a security alarm log.
Background
With the ever-growing scale of information systems in enterprises and organizations, security architectures are becoming more and more complex; the security data and alarm events generated by the various security devices, operation and maintenance systems and business systems in an organization keep increasing, and with them the pressure and complexity of security operations. In today's enterprise security management systems, automation has focused mainly on monitoring and collecting security event alarms. Security event monitoring and analysis systems, represented by solutions such as SOC and SIEM, collect massive amounts of security event information every day and generate a large number of alarm logs, most of which are repeated or false alarms. Security operation and maintenance personnel must manually judge the risk level of each alarm and whether measures need to be taken to handle it. Most alarms have a corresponding emergency handling procedure: the personnel find the alarm and manually carry out the corresponding operations according to that procedure, such as blocking an offending IP address on a firewall, logging in to a vulnerable server to apply security patches, or deleting risky programs and files that have been discovered.
With respect to the related art above, the inventors consider that the following drawback exists: daily security operation and maintenance work is scattered, repetitive, tedious and prone to omissions and mistakes, and the time of security operation and maintenance personnel is consumed by a large amount of simple, repetitive and time-consuming manual alarm handling, so that the security problems that genuinely require operational experience and analysis time are obscured.
Disclosure of Invention
The present application provides an automatic processing method, system and storage medium for a security alarm log, aimed at the problems that daily security operation and maintenance work is scattered, repetitive, tedious and prone to omissions and mistakes, and that the time of security operation and maintenance personnel is consumed by a large amount of simple, repetitive and time-consuming manual alarm handling.
In a first aspect, the present application provides an automated handling method for a security alarm log, including the following steps:
S1: acquiring original alarm data by using a receiver, and converting the original alarm data into alarm data in a standard format;
S2: performing data preprocessing on the standard format alarm data, wherein the data preprocessing specifically comprises the following steps:
data filtering: constructing a filtering expression from the values of attributes in the alarm information of the standard format alarm data, and filtering the standard format alarm data with the filtering expression to obtain filtered alarm data;
data normalization: modifying the attributes in the filtered alarm data by using data operators to obtain normalized alarm data;
data merging: merging repeated normalized alarm data within a specified time period into one piece of data to obtain merged alarm data;
S3: performing alarm handling on the merged alarm data by using an executor.
By adopting this technical scheme, the receiver obtains the original alarm data and converts it into standard format alarm data; the standard format alarm data is then preprocessed by data filtering, data normalization and data merging; and the executor finally performs alarm handling on the merged alarm data. The method unifies the three steps of receiving, standardization and handling into one whole and brings scattered, ad hoc work into a standardized processing system. In this way alarm handling is highly automated, the insufficient handling capacity of the security event analysis system is remedied, the weak point of automated security alarm handling is filled in, repeated alarms are handled quickly, handling efficiency is improved, and the workload of security operation and maintenance personnel is reduced.
Preferably, in step S1, acquiring the original alarm data by the receiver specifically includes: the receiver obtains data from the alarm source interface according to a particular policy or frequency, the particular policy including a timed-task policy and a Socket-based long-connection policy. In this way the alarm data is acquired actively.
Preferably, the alarm source comprises a SOC and a SIEM. The alarm data storage capability of the SOC and the SIEM is strong.
Preferably, in step S1, acquiring the original alarm data by the receiver specifically includes: the receiver provides a standard API interface through which a third-party alarm source actively pushes raw alarm data into the receiver. In this way the alarm data is received passively.
Preferably, in step S2, the values of the attributes in the alarm information are obtained through the variable $alarm, which refers to the standard format alarm data.
Preferably, in step S2, the data operators include Get, HashGet, HashSet, HashDel or appendix.
Preferably, step S3 specifically includes: performing alarm handling on the merged alarm data by using an executor, and executing the corresponding handling actions, wherein the handling actions include executing a script, accessing a firewall to add a blocking policy, and invoking a vulnerability scanning device to initiate a scan.
Preferably, in step S3, the handling action for each piece of merged alarm data is encapsulated in an executor and handled independently, so as to reduce the functional coupling between different handling actions.
In a second aspect, the present application further provides an automated handling system for a safety alarm log, where the system includes:
the alarm data receiving module is configured to acquire original alarm data and convert the original alarm data into alarm data in a standard format;
the data preprocessing module is configured to perform data preprocessing on the standard format alarm data, where the data preprocessing specifically includes: data filtering, constructing a filtering expression from the values of attributes in the alarm information of the standard format alarm data and filtering the standard format alarm data with the filtering expression to form filtered alarm data; data normalization, modifying the attributes in the filtered alarm data by using the data operators to form normalized alarm data; and data merging, combining repeated normalized alarm data within a specified time period into one piece of data to obtain the merged alarm data;
and the alarm processing module is configured to perform alarm processing on the merged alarm data.
In a third aspect, the present application also proposes a computer-readable storage medium on which a computer program is stored, which program, when executed by a processor, carries out the method according to the first aspect.
In summary, the present application at least includes the following beneficial technical effects:
1. The original alarm data is first acquired by a receiver and converted into standard format alarm data; the standard format alarm data is then preprocessed by data filtering, data normalization and data merging; and the merged alarm data is then handled by an executor. The method unifies the three steps of receiving, standardization and handling into one whole and brings scattered, ad hoc work into a standardized processing system, so that alarm handling is highly automated;
2. the insufficient handling capacity of a security event analysis system is remedied, and the weak point of automated security alarm handling is filled in;
3. repeated alarms are handled rapidly, handling efficiency is improved, and the workload of security operation and maintenance personnel is reduced.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and together with the description serve to explain the principles of the application. Other embodiments and many of the intended advantages of embodiments will be readily appreciated as they become better understood by reference to the following detailed description. The elements of the drawings are not necessarily to scale relative to each other. Like reference numerals designate corresponding similar parts.
Fig. 1 is a flowchart of a method for automatically handling a security alarm log in an embodiment of the present application.
FIG. 2 is a schematic diagram illustrating a specific embodiment of a method for automated handling of a security alarm log according to the present application.
Fig. 3 is a schematic diagram of a receiver structure in one embodiment of the present application.
FIG. 4 is a schematic diagram of data filtering in one embodiment of the present application.
FIG. 5 is a schematic illustration of data normalization in one embodiment of the present application.
FIG. 6 is a schematic illustration of data merging in one embodiment of the present application.
FIG. 7 is a diagram of a chain of data pre-processing rules in one embodiment of the present application.
FIG. 8 is a schematic view of an actuator action chain according to an embodiment of the present application.
FIG. 9 is a schematic illustration of actuator chain parameter delivery in one embodiment of the present application.
FIG. 10 is a block diagram of an automated processing system for a safety alarm log according to an embodiment of the present application.
FIG. 11 is a block diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
Fig. 1 shows a flowchart of an automated handling method based on a security alarm log, to which an embodiment of the present application may be applied, and fig. 2 shows a schematic diagram of a specific embodiment of the automated handling method based on a security alarm log according to the present application, which, with reference to fig. 1 and fig. 2, specifically includes the following steps:
s1: acquiring original alarm data by using a receiver, and converting the original alarm data into alarm data in a standard format;
The receiver can be developed in any programming language, provided that it conforms to a set of standard input and output formats, so that unified invocation management and unified data processing are possible.
Referring to fig. 3, the receiver resides in the background and operates independently, supporting two modes: actively acquiring alarm data or passively receiving it. In active acquisition mode, the needed alarm data is pulled from the alarm source system interface (such as a SOC or SIEM) according to a certain policy (such as a timed task); in passive reception mode, an API interface is exposed externally and the third-party alarm source actively pushes alarm log data into this interface, where it is picked up by the plug-in receiver.
When the receiver operates in passive reception mode, it starts as an HTTP service and provides a standard API interface through which a third-party alarm source actively pushes alarm data into the receiver. This mode is mainly intended for alarm sources with data push capability, or for integrating a third-party platform with the present framework. Alarm sources include, but are not limited to, SOC and SIEM.
When the receiver operates in active acquisition mode, it obtains data from the alarm source interface according to a specific policy or frequency. The specific policies include: timed tasks, such as accessing the alarm source interface every 1 hour to obtain data; Socket long connections, over which the alarm source transmits incremental data to the receiver in real time; and custom frequencies, where a developer writes and integrates a new receiver according to the receiver input and output standard and customizes the data acquisition mode and policy in code.
In a specific embodiment, the receiver has an input/output standard so that the framework can uniformly manage the life cycle of every available receiver; its main contents are starting the plug-in, monitoring the running state, and the result data produced by the receiver.
The standard input data structure standard of the receiver is as follows:
[Figure BDA0003619041920000071: receiver standard input data structure; the table is provided only as an image]
The standard input of the receiver is the receiver's entry when it is started, i.e. the parameters that must be passed to the receiver process at startup. These parameters carry the specific service parameters needed by the receiver implementation. Take, for example, a SIEM system that requires an authorization key to access its interface: when a receiver is developed for this system, parameters such as the SIEM system's address (api url) and authorization key (auth key) must be passed to the receiver through its standard input, and the receiver uses them to log in to the SIEM system and obtain data.
The receiver standard output format is as follows:
[Figure BDA0003619041920000081: receiver standard output format; the table is provided only as an image]
Because each receiver has different functions and data acquisition modes, the parameters in its standard input data format differ. However, through the service logic implemented in the receiver, the alarm data that has been preliminarily processed and converted is output in the same standard output format, so that it can be handed to the subsequent preprocessing module for unified processing.
All data output by the receiver must conform to the above data format standard; data and fields in the alarm that cannot be converted may be placed directly in the Raw attribute and left for later modules to process. The receiver's conversion of the original alarm data into the standard output format is the primary processing of receiver data: it extracts some key fields from the original alarm data so that the subsequent preprocessing module can filter, merge, deduplicate and so on. Fields that exist in the original data but are not defined in the standard alarm output are uniformly placed in the Raw attribute.
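The receiver contract described above, as an added example that is not part of the patent or of the assignee's code: a startup check against a standard input (the `api_url` and `auth_key` parameters are assumed, following the SIEM example in the text), and a primary-processing step that maps a constructed vendor event onto assumed standard fields and parks everything unmapped in the Raw attribute. The standard field names are assumptions, since the patent publishes its data structures only as images.

```python
# Added example (not the patent's own code): a receiver that follows a standard
# input contract (startup parameters) and a standard output format. The field
# names, the required parameters and the sample raw event are assumptions;
# the patent shows its actual data structures only as images.
from datetime import datetime, timezone

REQUIRED_PARAMS = ("api_url", "auth_key")                   # assumed standard input
STANDARD_FIELDS = ("sip", "dip", "name", "level", "time")   # assumed standard output

# Mapping from one assumed vendor's raw field names to the standard fields.
FIELD_MAP = {"src_ip": "sip", "dst_ip": "dip", "event_name": "name", "severity": "level"}


def validate_startup(params):
    """Standard input: refuse to start when a required service parameter is missing."""
    missing = [k for k in REQUIRED_PARAMS if not params.get(k)]
    if missing:
        raise ValueError("receiver cannot start, missing parameters: " + ", ".join(missing))
    return True


def to_standard(raw, source="demo-siem"):
    """Primary processing: extract the key fields, park everything else in Raw."""
    alarm = {field: None for field in STANDARD_FIELDS}
    alarm["source"] = source
    alarm["raw"] = {}
    for key, value in raw.items():
        std = FIELD_MAP.get(key)
        if std is not None:
            alarm[std] = value
        elif key == "timestamp":
            # the constructed raw event carries epoch seconds; standard time is ISO 8601 UTC
            alarm["time"] = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
        else:
            alarm["raw"][key] = value   # no standard counterpart: keep it for later modules
    return alarm


def receive_batch(raw_events, source="demo-siem"):
    """Passive-mode entry point: a batch pushed by a third-party source becomes standard alarms."""
    return [to_standard(event, source) for event in raw_events]


if __name__ == "__main__":
    validate_startup({"api_url": "https://siem.example.invalid/api", "auth_key": "PLACEHOLDER"})
    sample = [{"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "event_name": "Brute force login",
               "severity": 3, "timestamp": 1700000000, "vendor_rule_id": "R-42"}]   # constructed
    for alarm in receive_batch(sample):
        print(alarm)
```

The point of the Raw attribute is that a receiver never has to drop a field it does not understand; `vendor_rule_id` in the sample survives the conversion and remains available to a later normalization rule.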
S2: performing data preprocessing on the standard format alarm data, which specifically comprises data filtering, data normalization and data merging.
Data filtering:
constructing a filtering expression from the values of attributes in the alarm information of the standard format alarm data, and filtering the standard format alarm data with this expression to obtain filtered alarm data; the values of the attributes in the alarm information are obtained through the variable $alarm.
A filtering rule reduces the number of alarms through customized filtering conditions: for alarm data that meets a condition, one can choose to discard it or let it continue through the pipeline, thereby reducing the number of alarms that finally need to be handled. Referring to fig. 4, the special variable $alarm may be used when defining a filtering rule; it stands for exactly the alarm information output by the receiver in its standard output format, and the value of any attribute of the alarm can be read through $alarm. $alarm may be used in all preprocessing rules.
Condition judgement in a preprocessing rule is done with a basic expression grammar that has two main keywords, AND and OR; a complete expression is built by combining more AND or OR conditions. For example:
($alarm.sip == '1.1.1.1' OR $alarm.sip != '2.2.2') AND $alarm.
Meanwhile, to increase the variety of data available in an expression, historical data may also be queried from the database, in addition to the alarm under preprocessing obtained through $alarm, and used in constructing and evaluating the expression.
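An evaluator for the filtering expressions just described, added here as an example rather than taken from the patent: it tokenizes `$alarm.<attribute>` references, quoted strings, integers, `==`, `!=`, `AND`, `OR` and parentheses, evaluates them against a standard-format alarm dict, and applies the rule's discard-or-continue action. The patent does not publish its grammar, so the precedence (AND binds tighter than OR), the requirement that IP addresses be quoted, and the sample alarms are assumptions; the historical-database lookup the text mentions is not modelled.

```python
# Added example (not the patent's own code): evaluator for filtering expressions
# over $alarm with ==, !=, AND, OR and parentheses. Assumed grammar: AND binds
# tighter than OR; values are quoted strings or integers; unknown input is rejected.
import re

TOKEN_RE = re.compile(
    r"\s*(?:(\()|(\))|(==|!=)|(AND|OR)\b|(\$alarm(?:\.[A-Za-z_][A-Za-z0-9_]*)+)|'([^']*)'|(\d+))"
)


def tokenize(text):
    """Turn the expression into (kind, value) tokens; anything unrecognised is a syntax error."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError("unexpected input at %d: %r" % (pos, text[pos:pos + 10]))
        pos = m.end()
        lp, rp, op, kw, var, string, num = m.groups()
        if lp or rp:
            tokens.append(("PAREN", lp or rp))
        elif op:
            tokens.append(("OP", op))
        elif kw:
            tokens.append(("KW", kw))
        elif var:
            tokens.append(("VAR", var))
        elif string is not None:
            tokens.append(("STR", string))
        else:
            tokens.append(("NUM", int(num)))
    return tokens


def lookup(alarm, var):
    """Resolve $alarm.a.b against the alarm dict; a missing path evaluates to None."""
    node = alarm
    for part in var.split(".")[1:]:
        node = node.get(part) if isinstance(node, dict) else None
    return node


class Parser:
    """Recursive descent: or_expr := and_expr (OR and_expr)*; and_expr := term (AND term)*."""
    def __init__(self, tokens, alarm):
        self.toks, self.pos, self.alarm = tokens, 0, alarm

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else (None, None)

    def take(self, kind=None):
        tok = self.peek()
        if kind is not None and tok[0] != kind:
            raise SyntaxError("expected %s, got %r" % (kind, tok))
        self.pos += 1
        return tok

    def parse(self):
        value = self.or_expr()
        if self.pos != len(self.toks):
            raise SyntaxError("trailing tokens: %r" % self.toks[self.pos:])
        return value

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == ("KW", "OR"):
            self.take()
            value = self.and_expr() or value   # right side always parsed so tokens are consumed
        return value

    def and_expr(self):
        value = self.term()
        while self.peek() == ("KW", "AND"):
            self.take()
            value = self.term() and value
        return value

    def term(self):
        if self.peek() == ("PAREN", "("):
            self.take()
            value = self.or_expr()
            if self.take("PAREN")[1] != ")":
                raise SyntaxError("expected ')'")
            return value
        left = self.value()
        op = self.take("OP")[1]
        right = self.value()
        return left == right if op == "==" else left != right

    def value(self):
        kind, val = self.take()
        if kind == "VAR":
            return lookup(self.alarm, val)
        if kind in ("STR", "NUM"):
            return val
        raise SyntaxError("expected a value, got %r" % ((kind, val),))


def matches(expression, alarm):
    return Parser(tokenize(expression), alarm).parse()


def apply_filter(alarms, expression, discard_on_match=True):
    """Filtering rule: alarms that match are discarded (or kept, if the rule says continue)."""
    return [a for a in alarms if matches(expression, a) != discard_on_match]


if __name__ == "__main__":
    rule = "($alarm.sip == '1.1.1.1' OR $alarm.sip == '2.2.2.2') AND $alarm.level != 1"
    alarms = [{"sip": "1.1.1.1", "level": 3}, {"sip": "1.1.1.1", "level": 1}]   # constructed
    print(apply_filter(alarms, rule))   # only the level-1 alarm survives the discard rule
```

Rejecting unknown tokens rather than falling back to a general-purpose `eval` is the design choice worth copying: rule authors get exactly the comparison and boolean operators the grammar defines, and a typo in a rule fails loudly instead of silently letting every alarm through.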
Normalizing data:
modifying the attributes in the filtered alarm data by using data operators to obtain normalized alarm data;
Referring to fig. 5, a normalization rule normalizes and standardizes the data by modifying attributes in the alarm data. The data operators include Get, HashGet, HashSet, HashDel and appendix.
Get: assigns the value of a specified attribute to a target attribute, for example $alarm.
HashGet: the operand is data of HashMap type; a specified value is taken out of the HashMap and assigned to a target attribute, for example $alarm.
HashSet: the operand is data of HashMap type; a new key-value pair is added to the HashMap, for example $alarm.
HashDel: the operand is data of HashMap type; a specified entry is deleted from the HashMap.
Appendix: the operand is data of Array type; a new element is added to the array.
Merging data:
merging the repeated normalized alarm data in a specified time period into one piece of data to obtain merged alarm data;
Referring to fig. 6, the main purpose of merging data is to reduce the number of alarms. A merging rule supports the same syntax expressions as a filtering rule and additionally has a time attribute, so that the user can set the time range within which alarms are merged.
When a merging rule is executed, the historical data is queried for alarm data matching the condition in the expression. If none is found, the current alarm is promoted to a main alarm record; if a main alarm record already exists, the current alarm is a repeat of that alarm information and is merged into the main alarm record as a sub-alarm.
In a particular embodiment, referring to FIG. 7, data preprocessing supports a rule chain that concatenates multiple preprocessing types in series: the data processed by one rule is passed on to the next for further processing. Using the rule type as the processing unit increases the flexibility of rule customization and makes it easy to add new processing logic later.
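The normalization operators, the time-windowed merging rule and the rule chain of the three preceding passages, as one added example that is not the patent's own code: each operator is a small function on the alarm dict, the merge store stands in for the historical database and promotes the first alarm of its kind to a main record while folding repeats inside the window in as sub-alarms, and the chain runs filter, normalize and merge in series so that only promoted main records come out the end. The rule representation, the merge key and the sample alarms are assumptions; the filter step takes a Python callable instead of the patent's expression syntax, and `Append` stands for the operator the translation renders as "appendix".

```python
# Added example (not the patent's own code): data operators, a time-windowed
# merge and a filter -> normalize -> merge rule chain. Rule layout, merge key
# and sample alarms are assumptions; "Append" is the translation's "appendix".
import copy
from datetime import datetime, timedelta


def op_get(alarm, target, source):
    """Get: copy the value of attribute `source` into attribute `target`."""
    alarm[target] = alarm.get(source)


def op_hash_get(alarm, target, source, key):
    """HashGet: take `key` out of the HashMap attribute `source`, assign it to `target`."""
    alarm[target] = (alarm.get(source) or {}).get(key)


def op_hash_set(alarm, target, key, value):
    """HashSet: add a key-value pair to the HashMap attribute `target`."""
    alarm.setdefault(target, {})[key] = value


def op_hash_del(alarm, target, key):
    """HashDel: remove `key` from the HashMap attribute `target` (no error if absent)."""
    alarm.get(target, {}).pop(key, None)


def op_append(alarm, target, value):
    """Append: add an element to the Array attribute `target`."""
    alarm.setdefault(target, []).append(value)


OPERATORS = {"Get": op_get, "HashGet": op_hash_get, "HashSet": op_hash_set,
             "HashDel": op_hash_del, "Append": op_append}


def normalize(alarm, steps):
    """Apply {"op": name, ...arguments} steps in order, modifying the alarm in place."""
    for step in steps:
        args = dict(step)
        OPERATORS[args.pop("op")](alarm, **args)
    return alarm


class MergeStore:
    """Main alarm records seen so far; stands in for the historical alarm database."""
    def __init__(self, window):
        self.window = window    # timedelta within which repeats are merged
        self.mains = []         # list of (merge key, main record)

    def merge(self, alarm, key_fields):
        key = tuple(alarm.get(f) for f in key_fields)
        for main_key, record in self.mains:
            if main_key == key and alarm["time"] - record["time"] <= self.window:
                record["subs"].append(alarm)    # repeat inside the window: sub-alarm
                record["count"] += 1
                return None                     # nothing new to handle
        record = dict(alarm, subs=[], count=1)  # first of its kind: promoted to main alarm
        self.mains.append((key, record))
        return record


def run_chain(alarms, rules, store):
    """Rule chain: each rule consumes the previous rule's output; a dropped alarm stops early."""
    handled = []
    for alarm in alarms:
        alarm = copy.deepcopy(alarm)
        for rule in rules:
            if rule["type"] == "filter" and rule["discard"](alarm):
                alarm = None
            elif rule["type"] == "normalize":
                normalize(alarm, rule["steps"])
            elif rule["type"] == "merge":
                alarm = store.merge(alarm, rule["key"])
            if alarm is None:
                break
        if alarm is not None:
            handled.append(alarm)
    return handled


def demo():
    """Constructed run: two repeats inside the window, one low-level alarm, one late repeat."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)

    def alarm(name, sip, level, when, geo=None):
        return {"name": name, "sip": sip, "level": level, "time": when,
                "raw": {"geo": geo} if geo else {}}

    alarms = [alarm("Brute force", "10.0.0.5", 3, t0, "internal"),
              alarm("Brute force", "10.0.0.5", 3, t0 + timedelta(minutes=5), "internal"),
              alarm("Port scan", "10.0.0.7", 1, t0 + timedelta(minutes=6)),
              alarm("Brute force", "10.0.0.5", 3, t0 + timedelta(hours=2), "internal")]
    rules = [{"type": "filter", "discard": lambda a: a["level"] < 2},
             {"type": "normalize", "steps": [
                 {"op": "HashGet", "target": "geo", "source": "raw", "key": "geo"},
                 {"op": "HashDel", "target": "raw", "key": "geo"},
                 {"op": "Append", "target": "tags", "value": "auto"}]},
             {"type": "merge", "key": ("name", "sip")}]
    store = MergeStore(window=timedelta(hours=1))
    return run_chain(alarms, rules, store), store


if __name__ == "__main__":
    for record in demo()[0]:
        print(record["name"], record["sip"], "count =", record["count"])
```

Note the order matters: normalization runs before merging so that the merge key is computed on cleaned attributes, and a repeat that falls outside the window (the alarm two hours later) correctly starts a new main record instead of being buried under a stale one.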
S3: performing alarm handling on the merged alarm data by using an executor.
In a specific embodiment, step S3 specifically includes: performing alarm handling on the merged alarm data by using an executor and executing the corresponding handling actions, wherein the handling actions include executing a script, accessing a firewall to add a blocking policy, and invoking a vulnerability scanning device to initiate a scan. The handling action for each piece of merged alarm data is encapsulated in an executor and handled independently, so as to reduce the functional coupling between different handling actions.
An executor is a set of code functions used to complete a particular handling operation. Like the receiver, the executor follows a specific input/output standard so that it can be invoked conveniently and its execution result obtained. Referring to fig. 8, several executors may be connected in series, the later one taking the result data output by the earlier one as its input, so that the whole handling process is streamlined and the functions are linked.
The executor has a standard input, wherein the standard input data structure standard of the executor is roughly as follows:
[Figures BDA0003619041920000111 and BDA0003619041920000121: executor standard input data structure; the tables are provided only as images]
Referring to fig. 9, the standard input of the executor is its entry when it is started, i.e. the parameters that must be passed to the executor when its process is started. These parameters are the specific service parameters needed during execution. For example, when the executor adds an IP blocking policy on a firewall, its entry declares that it requires parameters such as the firewall IP address (ip), the firewall account and password (username, password) and the policy information (rule). The executor uses these parameters to access the specified firewall and write the policy.
The standard output of the executor is the data structure definition of its completion result: it states which parameters the executor returns after execution succeeds or fails, and the name and type of each parameter. With a standard output format, the output result can be used more conveniently, and the linkage parameters between executors can be configured in advance when an executor chain is constructed.
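The executor contract and chain parameter delivery of the two preceding passages, as an added example that is not the patent's own code: each executor declares its required entry parameters and its output names, `execute` returns a uniform success/failed result, and the chain maps the previous executor's outputs onto the next executor's inputs. The firewall step writes to an in-memory policy table rather than a real device, and a guard executor refuses to block addresses inside the organization's own (assumed) internal ranges, which is the check a practitioner wants in front of any automated blocking action. Executor names, parameter names, the internal ranges and the sample alarm are assumptions.

```python
# Added example (not the patent's own code): executors with a standard
# input/output contract and a chain that maps one executor's output into the
# next one's input. Executor names, parameter names, the protected ranges and
# the in-memory "firewall" are assumptions; no real device is contacted.
import ipaddress

# Assumed internal ranges that an automated playbook must never block.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class ExecutorError(Exception):
    """Raised by an executor's run() to report a failed handling action."""


class Executor:
    """Base contract: declared entry parameters, declared outputs, and a uniform result."""
    inputs = ()     # required entry parameters
    outputs = ()    # names returned on success

    def execute(self, params):
        missing = [p for p in self.inputs if params.get(p) is None]
        if missing:
            return {"status": "failed", "error": "missing params: " + ", ".join(missing), "data": {}}
        try:
            data = self.run(params)
        except ExecutorError as exc:
            return {"status": "failed", "error": str(exc), "data": {}}
        return {"status": "success", "error": None, "data": {k: data.get(k) for k in self.outputs}}


class ExtractSourceIp(Executor):
    """Take the source IP out of the merged alarm; refuse addresses in protected ranges."""
    inputs = ("alarm",)
    outputs = ("ip",)

    def run(self, params):
        ip = ipaddress.ip_address(params["alarm"]["sip"])
        if any(ip in net for net in PROTECTED_NETWORKS):
            raise ExecutorError("refusing to block internal address %s" % ip)
        return {"ip": str(ip)}


class FirewallBlock(Executor):
    """Write a deny policy to an in-memory policy table standing in for the firewall."""
    inputs = ("firewall_ip", "username", "password", "ip", "rule")
    outputs = ("policy_id",)

    def __init__(self, policy_table):
        self.policies = policy_table

    def run(self, params):
        policy_id = "deny-%03d" % (len(self.policies) + 1)
        self.policies.append({"id": policy_id, "src": params["ip"], "action": "deny",
                              "comment": params["rule"]})
        return {"policy_id": policy_id}


def run_chain(chain, alarm):
    """chain: list of (executor, fixed params, {input name: output name of previous step})."""
    previous, results = {}, []
    for executor, fixed, links in chain:
        params = dict(fixed)
        params.update({dst: previous.get(src) for dst, src in links.items()})
        params["alarm"] = alarm          # the merged alarm is always available at the entry
        result = executor.execute(params)
        results.append(result)
        if result["status"] != "success":
            break                        # a failed step stops the chain
        previous = result["data"]
    return results


def build_chain(policy_table):
    """Constructed chain: extract the IP from the alarm, then write the firewall policy with it."""
    fixed = {"firewall_ip": "192.0.2.1", "username": "PLACEHOLDER", "password": "PLACEHOLDER",
             "rule": "auto-block: repeated brute force"}   # assumed entry parameters
    return [(ExtractSourceIp(), {}, {}), (FirewallBlock(policy_table), fixed, {"ip": "ip"})]


if __name__ == "__main__":
    table = []
    print(run_chain(build_chain(table), {"sip": "203.0.113.9"}))   # constructed alarm
    print(run_chain(build_chain(table), {"sip": "10.0.0.5"}))      # stops at the guard
    print(table)
```

Because the linkage between steps is declared as a name mapping (`{"ip": "ip"}`) rather than hard-coded inside the executors, the same `FirewallBlock` can be chained behind any executor whose standard output carries an `ip` field, which is what the text means by configuring linkage parameters in advance when the chain is built.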
With further reference to fig. 10, as an implementation of the method described above, the present application provides an embodiment of a system for automatically handling a security alarm log, where the embodiment of the system corresponds to the embodiment of the method shown in fig. 1, and the system may be specifically applied to various electronic devices.
Referring to fig. 10, a secure alarm log automated handling system, comprising:
an alarm data receiving module 101 configured to obtain original alarm data and convert the original alarm data into alarm data in a standard format;
the data preprocessing module 102 is configured to perform data preprocessing on the standard format alarm data, where the data preprocessing specifically includes: data filtering, constructing a filtering expression from the values of attributes in the alarm information of the standard format alarm data and filtering the standard format alarm data with the filtering expression to form filtered alarm data; data normalization, modifying the attributes in the filtered alarm data by using the data operators to form normalized alarm data; and data merging, combining repeated normalized alarm data within a specified time period into one piece of data to obtain the merged alarm data;
the alarm handling module 103 is configured to perform alarm handling on the merged alarm data.
Referring now to FIG. 11, shown is a block diagram of a computer system 500 suitable for use in implementing the electronic device of an embodiment of the present application. The electronic device shown in fig. 11 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 11, the computer system 200 includes a Central Processing Unit (CPU)201 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)202 or a program loaded from a storage section 208 into a Random Access Memory (RAM) 203. In the RAM 203, various programs and data necessary for the operation of the system 200 are also stored. The CPU 201, ROM 202, and RAM 203 are connected to each other via a bus 204. An input/output (I/O) interface 205 is also connected to bus 204.
The following components are connected to the I/O interface 205: an input portion 206 including a keyboard, a mouse, and the like; an output section 207 including a display such as a Liquid Crystal Display (LCD) and a speaker; a storage section 208 including a hard disk and the like; and a communication section 209 including a network interface card such as a LAN card, a modem, or the like. The communication section 209 performs communication processing via a network such as the internet. A drive 210 is also connected to the I/O interface 205 as needed. A removable medium 211 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 210 as necessary, so that the computer program read out therefrom is mounted into the storage section 208 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 209 and/or installed from the removable medium 211. The above-described functions defined in the method of the present application are performed when the computer program is executed by the Central Processing Unit (CPU) 201.
As another aspect, the present application also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable storage medium carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the method shown in fig. 1.
It should be noted that the computer readable storage medium described herein can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable storage medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
While the present invention has been described with reference to the preferred embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
In the description of the present application, it is to be understood that the terms "upper", "lower", "inner", "outer", and the like, indicate orientations or positional relationships based on the orientations or positional relationships shown in the drawings, are only for convenience in describing the present application and simplifying the description, and do not indicate or imply that the referred devices or elements must have a specific orientation, be constructed in a specific orientation, and be operated, and thus, should not be construed as limiting the present application. The word 'comprising' does not exclude the presence of elements or steps not listed in a claim. The word 'a' or 'an' preceding an element does not exclude the presence of a plurality of such elements. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. Any reference signs in the claims shall not be construed as limiting the scope.

Claims (10)

1. A method for automatically processing a security alarm log, characterized by comprising the following steps:
S1: acquiring original alarm data with a receiver, and converting the original alarm data into alarm data in a standard format;
S2: performing data preprocessing on the standard-format alarm data, the data preprocessing specifically comprising the following steps:
data filtering: constructing a filter expression from the values of attributes in the alarm information of the standard-format alarm data, and filtering the standard-format alarm data with the filter expression to obtain filtered alarm data;
data normalization: modifying the attributes of the filtered alarm data with data operators to obtain normalized alarm data;
data merging: merging repeated normalized alarm data within a specified time period into one record to obtain merged alarm data;
S3: performing alarm handling on the merged alarm data with an executor.
2. The method for automatically processing a security alarm log according to claim 1, wherein in step S1, acquiring the original alarm data with the receiver specifically comprises: the receiver obtains data from an alarm source interface according to a specified policy or frequency, the specified policy comprising a timed-task policy and a persistent Socket connection policy.
3. The method for automatically processing a security alarm log according to claim 2, wherein the alarm sources comprise a SOC and a SIEM.
4. The method for automatically processing a security alarm log according to claim 1, wherein in step S1, acquiring the original alarm data with the receiver specifically comprises: the receiver provides a standard API interface through which a third-party alarm source actively pushes original alarm data into the receiver.
5. The method for automatically processing a security alarm log according to claim 1, wherein in step S2, the values of the attributes in the alarm information are obtained through the variable $alarm of the standard-format alarm data.
6. The method for automatically processing a security alarm log according to claim 1, wherein in step S2, the data operators comprise Get, HashGet, HashSet, HashDel or Append.
7. The method for automatically processing a security alarm log according to any one of claims 1 to 6, wherein step S3 specifically comprises: performing alarm handling on the merged alarm data with the executor and executing the corresponding handling actions, the handling actions comprising executing a script, accessing a firewall to add a blocking policy, and invoking a vulnerability scanner to initiate a scan.
8. The method for automatically processing a security alarm log according to claim 7, wherein in step S3, the handling action of each piece of merged alarm data is packaged in an executor and handled independently, so as to reduce the functional coupling between different handling actions.
9. A system for automatically processing a security alarm log, the system comprising:
an alarm data receiving module configured to acquire original alarm data and convert the original alarm data into alarm data in a standard format;
a data preprocessing module configured to perform data preprocessing on the standard-format alarm data, the data preprocessing specifically comprising: data filtering: constructing a filter expression from the values of attributes in the alarm information of the standard-format alarm data, and filtering the standard-format alarm data with the filter expression to form filtered alarm data; data normalization: modifying the attributes of the filtered alarm data with the data operators to form normalized alarm data; data merging: merging repeated normalized alarm data within a specified time period into one record to obtain the merged alarm data;
and an alarm handling module configured to perform alarm handling on the merged alarm data.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the method according to any one of claims 1 to 8.
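The pipeline of claims 1 to 8 (receiver, standard format, filter, normalize, merge, executor) as an added, runnable illustration; this is not code from the patent or from the applicant. Python is assumed. The two raw alarm records per source, their field names, the standard record layout, the concrete filter syntax built on the `$alarm.<attribute>` variable of claim 5, the reading of the claim 6 operators as Redis-style edits on the alarm record, the ten-minute merge window and the simulated handling actions are all assumptions made for this example:

```python
import ast
import re
from datetime import datetime, timedelta

# Constructed raw alarms from two hypothetical sources (a SIEM and a SOC platform);
# the raw field names are invented to show two schemas being unified.
RAW_ALARMS = [
    {"src": "siem", "ts": "2024-05-01T10:00:00", "rule": "ssh-bruteforce", "sev": 4,
     "sip": "203.0.113.7", "dip": "10.0.0.5", "raw": {"user": "root", "pw": "hunter2"}},
    {"src": "siem", "ts": "2024-05-01T10:02:00", "rule": "ssh-bruteforce", "sev": 4,
     "sip": "203.0.113.7", "dip": "10.0.0.5", "raw": {"user": "root", "pw": "letmein"}},
    {"src": "soc", "time": "2024-05-01 10:03:00", "name": "port-scan", "level": "low",
     "source_ip": "198.51.100.9", "dest_ip": "10.0.0.5"},
    {"src": "soc", "time": "2024-05-01 10:45:00", "name": "ssh-bruteforce", "level": "high",
     "source_ip": "203.0.113.7", "dest_ip": "10.0.0.5"},
]
LEVELS = {"low": 1, "medium": 2, "high": 4}

def to_standard(raw):
    """S1: the receiver maps each source's schema onto one standard alarm record."""
    if raw["src"] == "siem":
        return {"source": "siem", "time": datetime.fromisoformat(raw["ts"]), "rule": raw["rule"],
                "severity": raw["sev"], "src_ip": raw["sip"], "dst_ip": raw["dip"],
                "detail": dict(raw["raw"]), "tags": []}
    return {"source": "soc", "time": datetime.fromisoformat(raw["time"]), "rule": raw["name"],
            "severity": LEVELS[raw["level"]], "src_ip": raw["source_ip"], "dst_ip": raw["dest_ip"],
            "detail": {}, "tags": []}

# S2 filtering: the expression references attributes as $alarm.<name>. Its AST is checked
# against a whitelist (comparisons, and/or/not, literals) before evaluation, so an
# operator-supplied filter string cannot call functions, read attributes or import modules.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.Compare, ast.Eq,
            ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn, ast.Constant, ast.Name,
            ast.Load, ast.List, ast.Tuple)

def compile_filter(expr):
    tree = ast.parse(re.sub(r"\$alarm\.(\w+)", r"alarm_\1", expr), mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED) or (isinstance(node, ast.Name) and not node.id.startswith("alarm_")):
            raise ValueError("disallowed element in filter expression: " + type(node).__name__)
    code = compile(tree, "<filter>", "eval")
    return lambda alarm: bool(eval(code, {"__builtins__": {}}, {"alarm_" + k: v for k, v in alarm.items()}))

# S2 normalisation: the data operators of claim 6, interpreted here (an assumption) as
# Redis-style edits on the alarm record; HashDel is used below to drop a captured password.
OPERATORS = {
    "Get": lambda a, k: a.get(k),
    "HashGet": lambda a, k, f: a[k].get(f),
    "HashSet": lambda a, k, f, v: a[k].update({f: v}),
    "HashDel": lambda a, k, f: a[k].pop(f, None),
    "Append": lambda a, k, v: a[k].append(v),
}

def normalize(alarm, steps):
    for op, *args in steps:
        OPERATORS[op](alarm, *args)
    return alarm

def merge(alarms, window):
    """S2 merging: same (rule, src_ip, dst_ip) within `window` of the first hit becomes one record."""
    merged = []
    for a in sorted(alarms, key=lambda x: x["time"]):
        key = (a["rule"], a["src_ip"], a["dst_ip"])
        hit = next((m for m in merged if m["key"] == key and a["time"] - m["first"] <= window), None)
        if hit is None:
            merged.append({"key": key, "alarm": a, "first": a["time"], "last": a["time"],
                           "count": 1, "sources": {a["source"]}})
        else:
            hit.update(count=hit["count"] + 1, last=a["time"])
            hit["sources"].add(a["source"])
    return merged

def execute(record, actions, names):
    """S3 executor: each handling action runs in isolation, so a failing action
    (script host down) cannot stop the firewall block or the scan that follow it."""
    results = {}
    for name in names:
        try:
            results[name] = ("ok", actions[name](record))
        except Exception as exc:  # recorded per action, never propagated
            results[name] = ("failed", str(exc))
    return results

# Simulated actions (no real firewall or scanner is touched); run_script is made to fail.
def run_script(rec):
    raise RuntimeError("script host unreachable")

ACTIONS = {"run_script": run_script,
           "firewall_block": lambda rec: "deny from " + rec["key"][1],
           "vuln_scan": lambda rec: "scan " + rec["key"][2]}

def run_pipeline(raw_alarms=RAW_ALARMS):
    keep = compile_filter('$alarm.severity >= 3 and $alarm.rule in ["ssh-bruteforce", "rdp-bruteforce"]')
    steps = [("HashDel", "detail", "pw"), ("HashSet", "detail", "owner", "infra-team"), ("Append", "tags", "block")]
    filtered = [normalize(a, steps) for a in map(to_standard, raw_alarms) if keep(a)]
    merged = merge(filtered, timedelta(minutes=10))
    log = [(rec["key"], execute(rec, ACTIONS, ["run_script", "firewall_block", "vuln_scan"])) for rec in merged]
    return merged, log
```

run_pipeline() returns the merged records and the per-action results. With the constructed input, the two SIEM brute-force alarms two minutes apart collapse into one record, the low-severity port scan is filtered out, the SOC alarm 45 minutes later stays a separate record, and the failing script action is recorded without preventing the firewall and scanner actions. The AST whitelist in compile_filter is the part a practitioner should not skip: a filter expression is operator-supplied input, and feeding it to a bare eval would turn the alarm console into a code-execution path.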

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210456789.6A CN114826874A (en) 2022-04-24 2022-04-24 Automatic processing method, system and storage medium for safety alarm log

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210456789.6A CN114826874A (en) 2022-04-24 2022-04-24 Automatic processing method, system and storage medium for safety alarm log

Publications (1)

Publication Number Publication Date
CN114826874A (en) 2022-07-29

Family

ID=82509848

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210456789.6A Pending CN114826874A (en) 2022-04-24 2022-04-24 Automatic processing method, system and storage medium for safety alarm log

Country Status (1)

Country Link
CN (1) CN114826874A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116562627A (en) * 2023-05-19 2023-08-08 中国电信股份有限公司湖州分公司 (China Telecom Co., Ltd., Huzhou Branch) Security risk management method, system, equipment, medium and product

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7376969B1 (en) * 2002-12-02 2008-05-20 Arcsight, Inc. Real time monitoring and analysis of events from multiple network security devices
CN101360313A (en) * 2007-08-01 2009-02-04 中兴通讯股份有限公司 (ZTE Corporation) Method for uploading alarm quantity information to network management system by network element management system
CN101562826A (en) * 2008-04-15 2009-10-21 中兴通讯股份有限公司 (ZTE Corporation) Alarm merging method
CN104243236A (en) * 2014-09-17 2014-12-24 深圳供电局有限公司 (Shenzhen Power Supply Bureau Co., Ltd.) Method, system and server for analyzing operation and maintenance alarm data of monitoring system
CN105915381A (en) * 2016-04-21 2016-08-31 贵州电网有限责任公司信息中心 (Guizhou Power Grid Co., Ltd. Information Center) System for realizing monitoring system business logic online modification
CN110943851A (en) * 2018-09-25 2020-03-31 中国移动通信集团广东有限公司 (China Mobile Group Guangdong Co., Ltd.) Alarm processing method and device based on micro-service and electronic equipment
CN110620790A (en) * 2019-10-10 2019-12-27 国网山东省电力公司信息通信公司 (State Grid Shandong Electric Power Company, Information and Communication Company) Network security device linkage processing method and device
CN111885012A (en) * 2020-07-03 2020-11-03 安徽继远软件有限公司 (Anhui Jiyuan Software Co., Ltd.) Network situation perception method and system based on information acquisition of various network devices
CN112416714A (en) * 2020-11-23 2021-02-26 平安普惠企业管理有限公司 (Ping An Puhui Enterprise Management Co., Ltd.) Log processing method and device, electronic equipment and readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
周云静 (Zhou Yunjing): 《数据结构(C语言版)》 (Data Structures, C Language Edition), 30 June 2003, 北京:冶金出版社 (Beijing: Metallurgical Industry Press), page 49 *

Similar Documents

Publication Publication Date Title
US10025659B2 (en) System and method for batch monitoring of performance data
CN111581291B (en) Data processing method, device, electronic equipment and readable medium
CN107292117B (en) Processing method and device for quality guarantee of mass shared medical images
CN110489310B (en) Method and device for recording user operation, storage medium and computer equipment
WO2020257754A1 (en) Apparatuses, systems, and methods for providing healthcare integrations
CN111159520B (en) Sample identification method, device and safety emergency response system
CN110602043A (en) API gateway implementation system and method for mobile application
CN110069929B (en) Vulnerability disposal analysis method and construction method and device of analysis model thereof
CN113037744A (en) Interactive safety event script arranging and disposing method and device
CN113094269A (en) Application program test exception analysis method and device
CN111753169B (en) Data acquisition system based on internet
CN114826874A (en) Automatic processing method, system and storage medium for safety alarm log
CN113949534A (en) Resource access method and device for information system, electronic equipment and storage medium
CN113901476A (en) Vulnerability verification method, system, equipment and medium based on virtualization environment
US20240154993A1 (en) Scalable reporting system for security analytics
CN113032341A (en) Log processing method based on visual configuration
CN116719697A (en) System monitoring method, device, terminal equipment and storage medium
CN111552770A (en) Safety compliance item management system for power system
CN113779337B (en) Supervision data uploading method, device, equipment and storage medium
CN114579405A (en) Data processing method, data processing apparatus, electronic device, and storage medium
CN114817921A (en) Code rectification method and device
CN113485897A (en) Data processing method and device
CN113992491A (en) Application program server group operation and maintenance management system, method and device
CN112632546A (en) Automatic code analysis method for broadcasting and television industry
CN118227189B (en) Data processing method and abnormality prompting method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination