CN115481395A - Processing method and system of process chain and electronic equipment - Google Patents

Processing method and system of process chain and electronic equipment Download PDF

Info

Publication number
CN115481395A
CN115481395A CN202211026280.4A CN202211026280A CN115481395A CN 115481395 A CN115481395 A CN 115481395A CN 202211026280 A CN202211026280 A CN 202211026280A CN 115481395 A CN115481395 A CN 115481395A
Authority
CN
China
Prior art keywords
matching
rule
terminal
index
yield
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211026280.4A
Other languages
Chinese (zh)
Inventor
许祥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CLP Cloud Digital Intelligence Technology Co Ltd
Original Assignee
CLP Cloud Digital Intelligence Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CLP Cloud Digital Intelligence Technology Co Ltd filed Critical CLP Cloud Digital Intelligence Technology Co Ltd
Priority to CN202211026280.4A priority Critical patent/CN115481395A/en
Publication of CN115481395A publication Critical patent/CN115481395A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a processing method and a processing system of a process chain and electronic equipment, wherein the processing method comprises the following steps: acquiring events matched with the preset tail end rules and the tail ends of the process chains to obtain tail end rule matching counts; obtaining a terminal matching output index based on the terminal rule matching count by using a pre-configured index statistical strategy; and determining the response state of the terminal rule based on the terminal matching output index by using a pre-configured matching strategy. According to the invention, by acquiring the process chain matching state of the terminal rule in real time, when the current terminal rule compiling quality can not meet the requirement, the terminal rule can be triggered to be stopped, so that the problems that massive basic system calls are matched due to the fact that the terminal rule is too loose, faults are caused or the matching capability is seriously reduced and the like are avoided, and the problem that the overall detection performance of the process chain is influenced due to the fact that the rule is improperly compiled can be effectively solved.

Description

Processing method and system of process chain and electronic equipment
Technical Field
The invention relates to the technical field of host security detection, in particular to a processing method and system of a process chain and electronic equipment.
Background
In the field of host security detection, it is a very common method to detect a process behavior link, and there is a typical detection scenario, i.e., process chain detection, where, for example, if a parent process is Nginx, a child process executes lua, and a child process of lua executes an abnormal bash command, an alarm that Nginx executed the abnormal bash command is output, and such detection has multiple implementation manners, where lower resource occupancy and better comprehensiveness are client-side local process chain detection, i.e., configuration rules are as follows:
"child process name matches canonical whoami and parent process name matches canonical nginx"
At this time, the process chain rule engine generally performs matching from the end rule (in the above example, the sub-process rule), if the end rule is matched, an interface of the operating system is called in real time to obtain the upstream process data of the process, and the detection is performed through recursion on the network once, but there is an obvious problem in this scenario, if the number of matching times of the end rule is too many, a large number of internal calls of the operating system are walked into real-time process chain backtracking detection, so that the pressure of the detection engine and the system is rapidly increased, and the matching is abnormal, while the conventional method has no means to guarantee the quality of writing of the end rule, or a large number of matching of the originally normal end rule is caused in a special business scenario, and the like, so that a fault or serious reduction of matching capability is easily caused by factors such as environmental factors or improper writing of the custom rule and the like after the rule is finally brought online.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: when the number of matching times of the end rule is too many, internal calls of a large number of operating systems are moved to real-time process chain backtracking detection, so that the pressure of a detection engine and the system is rapidly increased, and the matching is abnormal, so that the writing quality of the end rule is necessary to be managed, controlled and processed. In view of this, the present invention provides a method and a system for processing a process chain, and an electronic device.
The technical scheme adopted by the invention is that the processing method of the process chain comprises the following steps: acquiring events of matching of a preset terminal rule and the terminals of a plurality of process chains to obtain a terminal rule matching count; utilizing a pre-configured index statistical strategy to obtain a terminal matching output index based on the terminal rule matching count; and determining the response state of the terminal rule based on the terminal matching output index by using a pre-configured matching strategy.
In one embodiment, the obtaining an end matching yield index based on the end rule matching count by using a pre-configured index statistical strategy includes: counting the matching hit times of the tail end rule per minute and the tail ends of the plurality of process chains to obtain a tail end matching output index; or counting the matching hit times of the terminal rule and the terminals of the process chains every day to obtain a terminal matching output index.
In one embodiment, the determining, using a pre-configured matching strategy, a response status of the end rule based on an end matching yield indicator includes; comparing the end matched yield indicator to a preconfigured first threshold; and determining the response state of the terminal rule corresponding to the terminal matching yield index according to the comparison condition of the terminal matching yield index and the first threshold value.
In one embodiment, the determining, according to the comparison between the end matching yield indicators and the first threshold, the response status of the end rule corresponding to the end matching yield indicator includes: and when the end matching output index is larger than the first threshold value, stopping the end rule corresponding to the end matching output index.
In one embodiment, the determining, by using a pre-configured matching strategy, a response status of the end rule based on an end matching yield indicator includes; comparing the end matched yield indicator with a first threshold value and a second threshold value which are configured in advance, wherein the second threshold value is larger than the first threshold value; and determining the response state of the terminal rule corresponding to the terminal matching yield index according to the comparison condition of the terminal matching yield index with the first threshold and the second threshold respectively.
In one embodiment, the determining the response status of the end rule corresponding to the end matching yield index according to the comparison between the end matching yield index and the first threshold and the second threshold respectively includes: when the end matching output index is larger than the second threshold value, stopping the end rule corresponding to the end matching output index; when the terminal matching yield index is smaller than the second threshold and larger than the first threshold, determining the terminal rule corresponding to the terminal matching yield index as a terminal rule to be observed; and when the end matching yield index is smaller than the first threshold value, determining the end rule corresponding to the end matching yield index as a normal operation end rule.
In one embodiment, the method further comprises: optimizing the terminal rule to be observed; and executing the matching of the upstream process chain of the normal operation terminal rule and the corresponding rule.
Another aspect of the present invention provides a processing system for a process chain, including: the counting module is configured to acquire an event that a preset terminal rule is matched with the terminals of the plurality of process chains to obtain a terminal rule matching count; the statistical module is configured to count to obtain a terminal matching output index based on the terminal matching rule by using a pre-configured index statistical strategy; a policy selection module configured to determine a response status of the end rule based on an end matching yield indicator using a pre-configured matching policy.
Another aspect of the present invention provides an electronic device, including: memory, processor and computer program stored on the memory and executable on the processor, which computer program, when executed by the processor, implements the steps of the processing method of the process chain as described in any one of the above.
Another aspect of the invention provides a computer storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of a method of processing a process chain as recited in any one of the above.
By adopting the technical scheme, the invention at least has the following advantages:
according to the processing method of the process chain, the process chain matching state of the terminal rule is collected in real time, when the compiling quality of the current terminal rule cannot meet the requirement, the terminal rule can be triggered to be stopped, and the problems that massive basic systems are matched due to the fact that the terminal rule is too loose, faults are caused or the matching capability is seriously reduced and the like are avoided.
Drawings
FIG. 1 is a flow diagram of a method for processing a process chain according to an embodiment of the invention;
FIG. 2 is a flowchart of an application example of a processing method of a process chain according to an embodiment of the present invention;
FIG. 3 is a block diagram of a processing system component of a process chain according to an embodiment of the invention;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
To further explain the technical means and effects of the present invention adopted to achieve the intended purpose, the present invention will be described in detail with reference to the accompanying drawings and preferred embodiments.
The description of the method flow in the present specification and the steps of the flow chart in the drawings of the present specification are not necessarily strictly performed by the step numbers, and the execution order of the method steps may be changed. Moreover, certain steps may be omitted, multiple steps combined into one step execution, and/or a step broken into multiple step executions.
A first embodiment of the present invention is a method for processing a process chain, as shown in fig. 1 and fig. 2, including the following specific steps:
step S1, acquiring events of matching of a preset terminal rule and the terminals of a plurality of process chains to obtain a terminal rule matching count.
And S2, obtaining a terminal matching output index based on the terminal rule matching count by using a pre-configured index statistical strategy.
And S3, determining the response state of the terminal rule based on the terminal matching output index by using a preset matching strategy.
Each step will be described in detail below based on the flow of this embodiment.
Step S1, acquiring a preset event that the end rule is matched with the ends of a plurality of process chains to obtain an end rule matching count.
In this embodiment, the end rule is pre-written and configured in the device, and multiple end rules may be pre-configured in the same device, and correspondingly, the number of process chains may also be multiple, and in general, the number of process chains may be thousands or tens of thousands. Specifically, this step is directed to an end rule, and when a match occurs with the ends of the process chains, the end rule is used as an "event matching with the ends of the process chains", and the event is sent to the next module in the form of a count for processing.
And S2, obtaining a terminal matching output index based on the terminal rule matching count by using a pre-configured index statistical strategy.
Referring to fig. 2, illustratively, the number of matching hits (index 1) of the end rule with the ends of a plurality of process chains per minute may be counted to obtain an end matching yield index; or the matching hit times (index 2) of the tail end rule and the tail ends of the process chains every day can be counted to obtain a tail end matching output index, and the corresponding tail end matching output index can be counted according to a user-defined index counting strategy.
That is, for an end rule, a certain time range may be divided, and the count of events matching the end of the process chains in the time range according to the end rule is used as the end matching output index.
And S3, determining the response state of the terminal rule based on the terminal matching output index by using a preset matching strategy.
In this embodiment, the preconfigured matching policy may be to compare the end matching output index with a preconfigured threshold, and perform corresponding different processing according to different comparison results.
For example, a threshold value may be set, and the threshold value is referred to as a first threshold value, the first threshold value may be compared with the end matching yield index, and when the end matching yield index exceeds the first threshold value, the end rule corresponding to the end matching yield index is deactivated, that is, the response status of the end rule is determined as a deactivated status. Obviously, the specific value of the first threshold may be adjusted according to an actual situation, and when the end matching yield index is equal to the first threshold, the response state of the end rule may be determined as the deactivated state, or the response state of the end rule is not determined as the deactivated state, and the specific policy may also be adjusted according to the actual situation.
For example, two thresholds, referred to as a first threshold and a second threshold, may be set, where the second threshold is greater than the first threshold, the end matching yield indicator is compared with the first threshold and the second threshold, respectively, and when the end matching yield indicator exceeds the second threshold, the end rule corresponding to the end matching yield indicator is deactivated, that is, the response status of the end rule is determined as a deactivated status; when the end matching output index exceeds a first threshold value and is smaller than a second threshold value, determining an end rule corresponding to the end matching output index as an end rule to be observed, namely determining the response state of the end rule as a state to be observed; when the end matching yield index is smaller than the first threshold, the end rule corresponding to the end matching yield index is determined as the end rule which runs normally, that is, the response state of the end rule is determined as the normal state.
Obviously, the specific values of the first threshold and the second threshold may be adjusted according to actual conditions, and when the end matching yield index is equal to the second threshold, the response state of the end rule may be determined as a disabled state, or the end rule may be determined as an end rule to be observed, that is, the response state of the end rule is determined as the state to be observed; when the end matching yield index is equal to the first threshold, determining the end rule as the end rule to be observed, that is, determining the response state of the end rule as the state to be observed; or determining the end rule as a normal operation end rule, namely determining the response state of the end rule as a normal state; the specific strategy can be adjusted according to actual conditions.
In this embodiment, for the response states of different end rules determined by the above processing, the normally-running end rule and the end rule to be observed may be further processed. Specifically, the writing optimization processing may be performed on the end rule to be observed, and the matching between the upstream process chain executing the normally running end rule and the corresponding rule may be performed.
In this embodiment, more response states and corresponding threshold conditions thereof may also be set according to actual needs, which is not limited herein.
A second embodiment of the present invention is a processing system of a process chain, which can be understood as an entity apparatus, as shown in fig. 3, the processing system includes:
the counting module is configured to acquire an event that a preset terminal rule is matched with the terminals of the plurality of process chains to obtain a terminal rule matching count;
the statistical module is configured to count to obtain a terminal matching output index based on the terminal matching rule by using a pre-configured index statistical strategy;
a policy selection module configured to determine a response status of the end rule based on an end matching yield indicator using a pre-configured matching policy.
In this embodiment, the statistics module is further configured to: counting the matching hit times of the tail end rule per minute and the tail ends of the plurality of process chains to obtain a tail end matching output index; or counting the matching hit times of the terminal rule and the terminals of the process chains every day to obtain a terminal matching output index.
In this embodiment, the policy selection module is further configured to: comparing the end-matched yield indicator to a preconfigured first threshold; and determining the response state of the terminal rule by the terminal matching yield index according to the comparison condition of the terminal matching yield index and the first threshold value.
In this embodiment, the policy selection module is further configured to: and when the end matching output index is larger than the first threshold value, stopping the end rule corresponding to the end matching output index.
In this embodiment, the policy selection module is further configured to: comparing the end-matched yield indicator with a preconfigured first threshold value and a second threshold value, wherein the second threshold value is greater than the first threshold value; and determining the response state of the terminal rule by the terminal matching yield index according to the comparison condition of the terminal matching yield index with the first threshold and the second threshold respectively.
In this embodiment, the policy selection module is further configured to: when the end matching output index is larger than the second threshold value, stopping the end rule corresponding to the end matching output index; when the terminal matching yield index is smaller than the second threshold and larger than the first threshold, determining the terminal rule corresponding to the terminal matching yield index as a terminal rule to be observed; and when the end matching yield index is smaller than the first threshold value, determining the end rule corresponding to the end matching yield index as a normal operation end rule.
In this embodiment, the policy selection module is further configured to: optimizing the terminal rule to be observed; and executing the matching of the upstream process chain of the normal operation terminal rule and the corresponding rule.
In a third embodiment of the present invention, an electronic device, as shown in fig. 4, includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when executed by the processor, the computer program performs the following operations:
step S1, acquiring a preset event that the end rule is matched with the ends of a plurality of process chains to obtain an end rule matching count.
And S2, obtaining a terminal matching output index based on the terminal rule matching count by using a pre-configured index statistical strategy.
And S3, determining the response state of the terminal rule based on the terminal matching output index by using a preset matching strategy.
The content of the processing method is based on the same idea as the embodiment of the processing method of the process chain, and will not be described herein again.
In a fourth embodiment of the present invention, the flow of the process chain processing method in this embodiment is the same as that in the first, second, or third embodiments, but the difference is that in terms of engineering implementation, this embodiment can be implemented by software plus a necessary general hardware platform, and certainly, the process chain processing method can also be implemented by hardware, but the former is a better implementation in many cases. With this understanding in mind, the method of the present invention may be embodied in the form of a computer software product stored on a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and including instructions for causing a device (e.g., a network device such as a base station) to perform the method of the present invention.
A fifth embodiment of the present invention is an application example of the present invention, which is described with reference to fig. 1 and fig. 2 on the basis of the above embodiments.
The specific flow is similar to the first embodiment, and is substantially as follows:
s1, acquiring events of matching of a preset terminal rule and the terminals of a plurality of process chains to obtain a terminal rule matching count.
Aiming at an end rule, the end rule is matched from the end of a process chain, and the synchronous acquisition process chain end is matched with the end rule and hits the condition: each time the end rule matches the end of the process chain, it is marked as an event and counted.
And S2, obtaining a terminal matching output index based on the terminal rule matching count by using a pre-configured index statistical strategy.
Two index statistical strategies are configured in advance: the first strategy is to count the matching hit frequency output index A of each terminal rule and the terminal of the process chain every minute, and the second strategy is to count the matching hit frequency output index B of each terminal rule and the terminal of the process chain every day. Meanwhile, other statistical strategies can be customized to output customized index data.
And S3, determining the response state of the terminal rule based on the terminal matching output index by using a pre-configured matching strategy.
Two default matching strategies are built in:
and determining the response state of the index A (counting the output index of the matching hit times per minute of each terminal rule) to be the terminal rule to be observed for more than 10 times, determining the response state to be the terminal rule to be observed for more than 100 times, and deactivating the corresponding terminal rule by triggering the observation mode three times in one day.
And B, stopping the corresponding end rule when the index B (the index for counting the number of matching hits per day of each end rule) exceeds 10000 times.
The rule ID determined as the terminal rule to be observed is recorded in the observation record table by the system, and related index data is recorded at the same time, so that the terminal rule is not processed, and the analysis and the optimization of the subsequent terminal rule can be guided.
The disabled end rule ID will be marked by the system as an end rule of poor quality and the cause noted until the end rule is optimized and then brought back on line. Illustratively, the user configures the loosely bound process chain rules as follows:
rule [ if the child process rule is the process name, configure any link upstream to satisfy the parent process name java ]
The rule can cause that all system call behaviors generated by java need to be traced back once, aiming at an application system mainly comprising java, the detection engine has high load so that other correct rules cannot be processed, the traditional rule engine cannot prevent the conditions, in the patent, the hit rate of the tail end rule process name which collects the rule in real time is extremely high within 1 minute, the rule is automatically triggered to be stopped and a user is prompted to stop the rule, the self-defined rule is too loose so that mass basic system calls are matched, the system is automatically stopped, and the system is required to be optimized and then is on line again. The problem is solved successfully.
Compared with the prior art, the embodiment of the invention has at least the following technical advantages:
by acquiring the process chain matching state of the terminal rule in real time, when the current terminal rule compiling quality cannot meet the requirement, the terminal rule can be triggered to be stopped, the problems that massive basic system calling is caused by too loose terminal rule, the fault is caused or the matching capability is seriously reduced and the like are avoided, and the problem that the overall detection performance of the process chain is influenced due to improper rule compiling can be effectively solved.
While the invention has been described in connection with specific embodiments thereof, it is to be understood that it is intended by the appended drawings and description that the invention may be embodied in other specific forms without departing from the spirit or scope of the invention.

Claims (10)

1. A method for processing a process chain, comprising:
acquiring events matched with the preset tail end rules and the tail ends of the process chains to obtain tail end rule matching counts;
obtaining a terminal matching output index based on the terminal rule matching count by using a pre-configured index statistical strategy;
and determining the response state of the terminal rule based on the terminal matching output index by using a pre-configured matching strategy.
2. The method as claimed in claim 1, wherein the obtaining the end matching yield index based on the end rule matching count by using a pre-configured index statistical strategy comprises:
counting the number of times of hits of the tail end rule per minute and the tail ends of the plurality of process chains to obtain a tail end matching output index; or
And counting the matching hit times of the terminal rule and the terminals of the plurality of process chains every day to obtain a terminal matching output index.
3. The method according to claim 1, wherein the determining the response status of the end rule based on the end matching yield indicator by using the pre-configured matching strategy comprises;
comparing the end matched yield indicator to a preconfigured first threshold;
and determining the response state of the terminal rule corresponding to the terminal matching yield index according to the comparison condition of the terminal matching yield index and the first threshold value.
4. The method as claimed in claim 3, wherein the determining the response status of the end rule corresponding to the end matching yield indicator according to the comparison between the end matching yield indicator and the first threshold comprises:
and when the end matching output index is larger than the first threshold value, stopping the end rule corresponding to the end matching output index.
5. The method according to claim 1, wherein the determining the response status of the end rule based on the end matching yield indicator by using the pre-configured matching strategy comprises;
comparing the end matched yield indicator with a first threshold value and a second threshold value which are configured in advance, wherein the second threshold value is larger than the first threshold value;
and determining the response state of the terminal rule corresponding to the terminal matching yield index according to the comparison condition of the terminal matching yield index with the first threshold and the second threshold respectively.
6. The method as claimed in claim 5, wherein the determining the response status of the end rule corresponding to the end matching yield indicator according to the comparison of the end matching yield indicator with the first threshold and the second threshold respectively comprises:
when the end matching output index is larger than the second threshold value, stopping the end rule corresponding to the end matching output index;
when the terminal matching yield index is smaller than the second threshold and larger than the first threshold, determining the terminal rule corresponding to the terminal matching yield index as a terminal rule to be observed;
and when the end matching yield index is smaller than the first threshold value, determining the end rule corresponding to the end matching yield index as a normal operation end rule.
7. The method for processing the process chain according to claim 6, wherein the method further comprises:
optimizing the terminal rule to be observed;
and executing the matching of the upstream process chain of the normal operation end rule and the corresponding rule.
8. A system for processing a chain of processes, comprising:
the counting module is configured to acquire a preset event that the terminal rule is matched with the terminals of the plurality of process chains to obtain a terminal rule matching count;
the statistical module is configured to count to obtain a terminal matching output index based on the terminal matching rule by using a pre-configured index statistical strategy;
a policy selection module configured to determine a response status of the end rule based on an end matching yield indicator using a pre-configured matching policy.
9. An electronic device, characterized in that the electronic device comprises: memory, processor and computer program stored on the memory and executable on the processor, which computer program, when being executed by the processor, carries out the steps of the processing method of a process chain according to any one of claims 1 to 7.
10. A computer storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method of processing a process chain according to any one of claims 1 to 7.
CN202211026280.4A 2022-08-25 2022-08-25 Processing method and system of process chain and electronic equipment Pending CN115481395A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211026280.4A CN115481395A (en) 2022-08-25 2022-08-25 Processing method and system of process chain and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211026280.4A CN115481395A (en) 2022-08-25 2022-08-25 Processing method and system of process chain and electronic equipment

Publications (1)

Publication Number Publication Date
CN115481395A true CN115481395A (en) 2022-12-16

Family

ID=84422751

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211026280.4A Pending CN115481395A (en) 2022-08-25 2022-08-25 Processing method and system of process chain and electronic equipment

Country Status (1)

Country Link
CN (1) CN115481395A (en)

Similar Documents

Publication Publication Date Title
CN101201786B (en) Method and device for monitoring fault log
CN107038107B (en) Method and device for acquiring application blocking information
US6598179B1 (en) Table-based error log analysis
US20130219053A1 (en) Method for improved handling of incidents in a network monitoring system
CN106780133A (en) Electrical power distribution automatization system appraisal procedure and device
CN110083575A (en) Fulfilling monitoring method, device, equipment and computer readable storage medium
CN110659147B (en) Self-repairing method and system based on module self-checking behavior
EP1785866A1 (en) Alarm consolidaton in IT infrastructures
CN115481395A (en) Processing method and system of process chain and electronic equipment
CN112596938A (en) Abnormity monitoring method and device
US20050154688A1 (en) Automated performance monitoring and adaptation system
CN113285824B (en) Method and device for monitoring security of network configuration command
US20030229803A1 (en) Communication systems automated security detection based on protocol cause codes
CN113595833B (en) CRC exception handling method and system
CN112256539B (en) PCIE link error statistical method, device, terminal and storage medium
CN113434747A (en) Abnormal behavior tracking device and method based on sequence mode
CN113259322B (en) Method, system and medium for preventing Web service abnormity
CN116938606B (en) Network traffic detection method and device
CN115499291B (en) Processing method and device for service zero-drop alarm information and storage medium
CN114564369B (en) Application program abnormity monitoring method and device, electronic equipment and storage medium
Kuhn et al. Ordered t-way combinations for testing state-based systems
US11862007B2 (en) Method for automatically analyzing and filtering out redundant alarms in the fault management system of radio transceiver stations
CN114338189B (en) Situation awareness defense method, device and system based on node topology relation chain
CN117633310A (en) Regular matching death polling processing method, device, computer equipment and storage medium
US8290889B2 (en) Identification of relevant metrics

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination