CN115499240A - Data processing method, device, equipment and medium - Google Patents


Info

Publication number
CN115499240A
Authority
CN
China
Prior art keywords
node
event
target
type
information
Prior art date
Legal status
Pending
Application number
CN202211209749.8A
Other languages
Chinese (zh)
Inventor
赖智全
肖岩军
黄楚文
王津
陈震杭
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Priority date
Filing date
Publication date
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202211209749.8A
Publication of CN115499240A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Embodiments of the present application provide a data processing method, apparatus, device and medium for solving two problems of the prior art: when a security incident occurs, security measures are implemented slowly because the process relies excessively on manual judgment, and the measures chosen are inaccurate because they are determined from manual experience. In the embodiments, after the electronic device determines that a target threat event is a preset event and that information carrying the target threat event has been received a preset number of times, it locates the node corresponding to the target threat event in an event processing map and acquires the security-measure-related nodes connected to that node. The security measure for a security event is therefore no longer determined from manual experience alone, which improves the accuracy of security measure determination and avoids the low implementation efficiency caused by excessive reliance on manual judgment.

Description

Data processing method, device, equipment and medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a data processing method, apparatus, device, and medium.
Background
Critical information infrastructure systems provide network information services to the public, support the operation of important industries such as energy, communications, finance, transportation and public utilities, and provide basic goods and services or form the basic platform of other critical infrastructure, so their security is particularly important. Disruption or destruction of critical information infrastructure severely affects important social functions. Once a network security incident occurs in such a system, the normal operation of important industries may be affected and serious losses caused.
In the prior art, to maintain a critical information infrastructure system, a detection device detects information about a security incident, and business personnel determine the corresponding security measures from that information and their own experience, so that the system can be maintained by applying those measures. However, security measures determined from personal experience are inaccurate, and the process wastes human resources.
Disclosure of Invention
Embodiments of the present application provide a data processing method, apparatus, device, and medium, so as to solve the problems in the prior art that when a security event occurs, the efficiency of implementing security measures is low due to excessive dependence on manual judgment, and the accuracy of determining security measures is low due to determining security measures according to manual experience.
In a first aspect, an embodiment of the present application provides a data processing method, where the method includes:
receiving information carrying a target threat event;
if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches a preset number of times, searching a pre-generated event processing map for the node corresponding to the target threat event, and acquiring the security-measure-related nodes connected to that node;
and acquiring and sending the information recorded in the security-measure-related nodes.
In a second aspect, an embodiment of the present application further provides a data processing apparatus, where the apparatus includes:
a receiving module, configured to receive information carrying a target threat event;
a processing module, configured to search a pre-generated event processing map for the node corresponding to the target threat event and acquire the security-measure-related nodes connected to that node if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches a preset number of times;
and an acquisition and sending module, configured to acquire and send the information recorded in the security-measure-related nodes.
In a third aspect, an embodiment of the present application further provides an electronic device, where the electronic device at least includes a processor and a memory, and the processor is configured to execute the steps of any of the data processing methods when executing a computer program stored in the memory.
In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program performs the steps of any of the data processing methods described above.
In the embodiments of the present application, the electronic device receives information carrying a target threat event; if the target threat event is a preset event and information carrying it has been received a preset number of times, the electronic device searches a pre-generated event processing map for the node corresponding to the target threat event, acquires the security-measure-related nodes connected to that node, and acquires and transmits the information recorded in those nodes. Because the electronic device determines the node for the target threat event in the event processing map, and then the security-measure-related nodes connected to it, only after establishing that the event is a preset event received the preset number of times, the corresponding security measure can be determined when the target threat event affects the critical information infrastructure system, that is, when a security event occurs, and the accuracy of security measure determination is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of a data processing process according to an embodiment of the present application;
Fig. 2 is a schematic diagram of a graph template structure provided in an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an event processing map provided in an embodiment of the present application;
Fig. 4 is a schematic diagram of some of the nodes included in a graph template provided in an embodiment of the present application;
Fig. 5 is a schematic diagram illustrating a detailed process for acquiring security measures according to an embodiment of the present application;
Fig. 6 is a schematic diagram of a data processing process according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of another data processing apparatus according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will now be described in further detail with reference to the accompanying drawings, wherein like reference numerals refer to like elements throughout. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the embodiment of the application, the electronic device receives information carrying a target threat event, if the target threat event is a preset event and the number of times of receiving the information carrying the target threat event reaches a preset number of times, the electronic device searches a node corresponding to the target threat event in a pre-generated event processing map, acquires a node related to a security measure connected with the node, and acquires and transmits information recorded in the node related to the security measure.
In order to improve the accuracy of security measure determination, embodiments of the present application provide a data processing method, apparatus, device, and medium.
Example 1:
Fig. 1 is a schematic diagram of a data processing process provided in an embodiment of the present application, where the process includes the following steps:
S101: receiving information carrying a target threat event.
The data processing method provided by the embodiments of the present application is applied to an electronic device, which may be a personal computer (PC), a server, or similar equipment.
In the embodiments, when a detection device detects that a security event against the critical information infrastructure system is currently occurring, it detects the target threat event causing the security event, which may be, for example, an "EternalBlue vulnerability attack". The detection device sends information carrying the target threat event to the electronic device, and the electronic device receives it.
S102: if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches the preset number of times, searching a pre-generated event processing map for the node corresponding to the target threat event, and acquiring the security-measure-related nodes connected to that node.
In order to determine the security measures corresponding to the target threat event accurately, in the embodiments of the present application the electronic device stores a pre-generated event processing map. The electronic device searches this map for the node corresponding to the target threat event and, once that node is found, acquires the security-measure-related nodes connected to it. A security-measure-related node is a node whose type is one of the security-measure-related types.
In the embodiments, a baseline set by service personnel is pre-stored in the electronic device. The baseline comprises the preset events that can cause loss to the critical information infrastructure system, and a corresponding preset number of times is stored for each preset event. After receiving information carrying a target threat event, the electronic device judges whether the target threat event is a preset event; if it is not, the target threat event is not expected to cause loss to the critical information infrastructure system, and no corresponding security measure needs to be determined.
If the target threat event carried in the received information is a preset event, the electronic device determines whether the number of times information carrying that event has been received reaches the preset number of times. Specifically, each time such information is received, the electronic device updates the count of receptions for the target threat event and checks whether the updated count has reached the preset number of times, where the preset number of times is the value stored for the target threat event and may be any nonzero number, such as 2 times or 10 times. In the embodiments, the preset number of times may differ between threat events, so the electronic device may store the correspondence between each threat event and its number of times.
If the count of received information carrying the target threat event has not reached the preset number of times, the influence of the target threat event on the critical information infrastructure system is small and no corresponding security measure needs to be determined. If the count has reached the preset number of times, the target threat event has a certain influence on the critical information infrastructure system at this moment, so the electronic device searches the pre-generated event processing map for the node corresponding to the target threat event, specifically the node recording the target threat event, and once that node is found acquires the security-measure-related nodes connected to it. The electronic device then clears the count of received information carrying the target threat event.
For example, suppose the preset events include "EternalBlue vulnerability attack" and the preset number of times stored for it is 10. If the information received by the electronic device carries "EternalBlue vulnerability attack" and the number of receptions of such information reaches 10, the electronic device obtains the node recording "EternalBlue vulnerability attack" and the security-measure-related nodes connected to it.
In the embodiments of the present application, there may be one or several security-measure-related nodes; for example, they may be a node recording a specific security technology and a node recording a specific security device. A security technology is a specific operational method, for example "access control device", and a security device is a specific protected object, for example "network boundary"; both the security technology and the security device are security measures.
S103: acquiring and sending the information recorded in the security-measure-related nodes.
In this embodiment, after obtaining the security-measure-related nodes, the electronic device may obtain the information recorded in them, which is the specific security measure. The acquired information may be, for example, "access control device" or "target asset". The target asset is the asset that exposes (opens) the object attacked by the target threat event, where that object is a service port or a device in the critical information infrastructure system.
After acquiring the information recorded in the security-measure-related nodes, the electronic device sends it, for example to a device used by service personnel, so that they can maintain the critical information infrastructure system according to that information. If the information sent is the specific security technology "access control device", the service personnel can maintain the system by applying the "access control device" security technology. How the service personnel maintain the critical information infrastructure system according to the information sent by the electronic device is not limited here.
In the embodiments, the electronic device determines the security measure for the security event according to the event processing map without depending on manual judgment, and once the security measure is determined the business side can maintain the critical information infrastructure system directly according to it without judging whether the measure is accurate. This improves the efficiency of implementing security measures and effectively solves the prior-art problem of low implementation efficiency caused by excessive reliance on manual judgment.
In the embodiments, after determining that the target threat event is a preset event and that information carrying it has been received the preset number of times, the electronic device determines the node corresponding to the target threat event in the event processing map and the security-measure-related nodes connected to it, so that when the target threat event affects the critical information infrastructure system, that is, when a security event occurs, the corresponding security measure can be determined and the accuracy of security measure determination is improved.
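The S101 to S103 procedure, worked through as an added Python example (not the patent's own code): a baseline of preset events with their preset counts gates the lookup, and the lookup walks from the threat-event node to the connected security-measure-typed nodes. The map is a constructed slice that borrows the Fig. 3 node names; the node types, the relation labels, and the "mitigates" edge from "access control device" to the threat event are assumptions made for this example.

```python
from collections import defaultdict

# Node types the description counts as "security measure related" (assumed split
# of that type into the security technology / security device cases of S102).
SECURITY_MEASURE_TYPES = {"security technology", "security device"}

# Constructed event processing map: node -> type.  Names follow Fig. 3.
NODES = {
    "unit A intrusion event": "security event",
    "attack source A": "object",
    "EternalBlue vulnerability attack": "threat event",
    "CVE-2017-0144": "vulnerability event",
    "SMB service (445 port)": "object",
    "target asset": "object",
    "access control device": "security technology",
    "network boundary": "security device",
    "firewall": "security technology",
}

# (source, relation, destination) triples.  The "mitigates" and "protects" edges
# are assumptions following the Fig. 2 template, not edges the page lists.
EDGES = [
    ("unit A intrusion event", "attack means", "EternalBlue vulnerability attack"),
    ("unit A intrusion event", "attack source", "attack source A"),
    ("unit A intrusion event", "target", "target asset"),
    ("attack source A", "initiates", "EternalBlue vulnerability attack"),
    ("EternalBlue vulnerability attack", "targets", "CVE-2017-0144"),
    ("CVE-2017-0144", "exists on", "SMB service (445 port)"),
    ("target asset", "opens", "SMB service (445 port)"),
    ("access control device", "mitigates", "EternalBlue vulnerability attack"),
    ("network boundary", "deployment", "access control device"),
    ("firewall", "protects", "target asset"),
]


def build_adjacency(edges):
    """Undirected adjacency: node -> {neighbour: relation}.  Traversal ignores
    edge direction because a measure may be drawn as pointing at the event."""
    adj = defaultdict(dict)
    for src, rel, dst in edges:
        adj[src][dst] = rel
        adj[dst][src] = rel
    return adj


ADJ = build_adjacency(EDGES)


def security_measures_for(event, nodes=NODES, adj=ADJ):
    """S102/S103 lookup: find the node recording the threat event and return the
    information recorded in the connected security-measure-typed nodes."""
    if event not in nodes:
        return []
    return sorted(n for n in adj[event] if nodes[n] in SECURITY_MEASURE_TYPES)


class ThreatEventProcessor:
    """S101-S103 with a baseline of preset events and their preset counts."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)   # preset event -> preset number of times
        self.counts = defaultdict(int)   # per-event reception counter

    def receive(self, event):
        """Return the security measures once the preset count is reached,
        otherwise None.  Non-preset events are not counted at all."""
        if event not in self.baseline:
            return None                  # not expected to cause loss
        self.counts[event] += 1
        if self.counts[event] < self.baseline[event]:
            return None                  # influence still small
        self.counts[event] = 0           # clear the count, as at the end of S102
        return security_measures_for(event)


if __name__ == "__main__":
    proc = ThreatEventProcessor({"EternalBlue vulnerability attack": 3})
    for _ in range(3):
        print(proc.receive("EternalBlue vulnerability attack"))
```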
Example 2:
To generate the event processing map, on the basis of the above embodiment, in the embodiments of the present application the event processing map is generated as follows:
receiving each text used for generating the event processing map;
for each text, extracting each keyword contained in the text; for each keyword, if the graph template does not contain a node recording the keyword, creating a target node in the graph template and recording the keyword in it; acquiring the type stored for the keyword and storing the correspondence between the target node and that type; determining, from the connection relationships between nodes in the graph template, the target types of the other nodes connected to nodes of that type; determining the other nodes that record other keywords of the target types in the same text; and connecting the target node to those other nodes.
In order to generate the event processing map accurately, in the embodiments of the present application the electronic device receives each text used for generating the map, each of which contains various keywords. The texts may be sent to the electronic device from the device used by the service personnel to operate it, and the service personnel may obtain them from files such as compliance standards, management systems, personnel records, asset lists, operation flows, security event logs, sandbox analyses, vulnerability scans and configuration checks.
The electronic device extracts each keyword contained in each received text; such text may be called unstructured data. The keywords are extracted by an entity extraction technique: specifically, a keyword library containing a plurality of keywords is pre-stored in the electronic device, and if a keyword identical to any keyword in the library is present in the text, the electronic device extracts it, thereby obtaining every keyword in the text. For example, from "the unneeded system services, the default shared port and the high-risk ports should be turned off", the electronic device extracts the keywords "unneeded system services", "default shared port" and "high-risk ports".
After acquiring each keyword contained in the text, the electronic device judges whether the graph template already contains a node recording the keyword. If not, it creates a target node in the graph template and records the keyword in it; if so, no target node needs to be created. In this way the graph template comes to contain a node recording each keyword of the text. In the embodiments, the graph template may be referred to as a security compliance knowledge graph ontology.
After the electronic device has created a node for each keyword in the text, it determines for each keyword the type stored in advance for it; for example, the type stored for the keyword "EternalBlue vulnerability attack" is "threat event". Having obtained the type of the keyword, the electronic device stores the correspondence between the target node and that type, obtains the target types of the other nodes that nodes of that type are connected to in the graph template, and connects the target node recording the keyword to the other nodes of those target types. For example, the target types of the nodes connected to a node of type "threat event" include "object". In the embodiments, the node types included in the graph template comprise threat event, vulnerability event, object, critical information infrastructure system, inspection item, compliance standard, standard regulation, organization personnel, security event, and the security-measure-related types.
Nodes of type threat event record specific threat events, namely specific attack methods; nodes of type vulnerability event record specific vulnerability events; nodes of type object record the open ports or devices attacked by threat events; nodes of type inspection item record specific inspection methods; nodes of type compliance standard record the standards to be followed in maintaining the critical information infrastructure system; nodes of type standard regulation record the specific regulations under a compliance standard; nodes of type organization personnel record the specific service personnel responsible; nodes of type security event record the specific security events to which threat events belong; and nodes of the security-measure-related types record information related to security measures.
In this embodiment, a module of the electronic device having a management and adjustment function may be responsible for generating the event processing map.
Specifically, in the embodiments of the present application several keywords may share the same type, and not every node of a target type is related to a given keyword. Therefore, when connecting the target node to the other nodes of the target types, the electronic device acquires only those nodes whose type is a target type and whose recorded keyword also appears in the same text, and connects the target node to the nodes so acquired.
For example, suppose a keyword is "EternalBlue vulnerability attack", the type stored for it is "threat event", the target type connected to that type in the graph template is "object", the graph template contains two nodes of type "object" recording "SMB service 445 port" and "SMB service 442 port" respectively, and the text contains only "SMB service 445 port". The electronic device then connects the node recording the keyword only to the node recording "SMB service 445 port".
In this embodiment, for each keyword, after connecting the target node recording it to the other nodes, the electronic device may obtain the relationship that the graph template stores between the type of the keyword and the types of the other nodes, and record that relationship between the target node and each other node.
For example, from the text "an access control device should be deployed at the network boundary and the access control function enabled", the electronic device extracts the keywords "network boundary", "access control device" and "access control function". From the connection relationships stored in the graph template between nodes of different types it determines that a node of the type of "network boundary" is connected to a node of the type of "access control device", so it connects the node recording "network boundary" to the node recording "access control device"; since the relationship stored in the graph template between those two types is "deployment", the connection between "network boundary" and "access control device" is recorded as "deployment".
Fig. 2 is a schematic diagram of a graph template structure provided in the embodiments of the present application.
Fig. 2 shows part of a graph template in which the information recorded in each node is the type corresponding to that node. As can be seen from Fig. 2, the node types include "critical information infrastructure system", "compliance standard", "standard regulation", "inspection item", "organization personnel", "object", "security measure", "vulnerability event", "threat event" and "security event", where "security measure" is a security-measure-related type.
As can be seen from Fig. 2, the typed nodes are connected as follows, with a relation recorded on each connection:
a "security event" node is connected to a "threat event" node, the security event including the threat event;
a "threat event" node is connected to a "security measure" node and to a "vulnerability event" node; the relation between the threat event and the security measure is "mitigates", and the relation between the threat event and the vulnerability event is "utilizes";
a "vulnerability event" node is connected to an "object" node and to a "security measure" node; the relation between the vulnerability event and the security measure is "mitigates", and the relation between the vulnerability event and the object is "exists";
an "object" node is connected to a "security measure" node, an "inspection item" node and a "critical information infrastructure system" node; the security measure and the inspection item protect the object, and the critical information infrastructure system owns the object;
a "security measure" node is connected to an "organization personnel" node and an "inspection item" node; the relation between the security measure and the organization personnel is "execution", and the relation between the security measure and the inspection item is "use";
an "inspection item" node is connected to an "organization personnel" node and a "standard regulation" node; the relation between the inspection item and the organization personnel is "required and responsible", and the standard regulation guides the implementation of the inspection item;
an "organization personnel" node is connected to a "critical information infrastructure system" node, which owns the organization personnel;
a "critical information infrastructure system" node is connected to a "compliance standard" node, which the system follows;
a "compliance standard" node is connected to a "standard regulation" node.
In this embodiment of the present application, the keywords that different texts use to express the same content may differ; for example, "attack A" in text A and "attack B" in text B may both denote "persistent blue vulnerability attack". The electronic device therefore stores in advance the relationship between different keywords and the standard keyword they express. After obtaining each keyword in a text, the electronic device canonicalizes each obtained keyword so that keywords expressing the same content are standardized. Specifically, canonicalization is performed mainly by field mapping: for each keyword, the electronic device determines the standard keyword stored in advance for that keyword, and performs the subsequent specific steps of generating the event processing map on the standard keyword. In this embodiment, keywords of the following types generally need to be normalized: attack source, attack target, attack technique, fragile event, and the like.
Fig. 3 is a schematic structural diagram of an event processing map provided in the embodiment of the present application.
As can be seen from fig. 3, the event processing map includes a plurality of nodes, which respectively record "four-level equal protection", "network security", "access control", "access control device should be deployed at the network boundary and the access control function enabled", "access control device", "network boundary", "access control function", "intrusion detection system", "firewall", "target asset", "SMB service (445 port)", "CVE-2017-0144", "persistent blue vulnerability attack", "attack source A" and "A unit intrusion event".
As can be seen from fig. 3, the node recording "A unit intrusion event" is connected to the node recording "persistent blue vulnerability attack", the node recording "attack source A" and the node recording "target asset"; specifically, the relation between "A unit intrusion event" and "target asset" is "target", the relation between "A unit intrusion event" and "persistent blue vulnerability attack" is "attack means", and the relation between "A unit intrusion event" and "attack source A" is "attack source". The node recording "attack source A" is connected to the node recording "persistent blue vulnerability attack", and the relation between them is "initiates". The node recording "persistent blue vulnerability attack" is connected to the node recording "CVE-2017-0144", and the relation between them is "points to". The node recording "CVE-2017-0144" is connected to the node recording "SMB service (445 port)", and the relation between them is "exists on". The node recording "SMB service (445 port)" is connected to the node recording "target asset", the node recording "access control function" and the node recording "network boundary" respectively; specifically, the relation between "target asset" and "SMB service (445 port)" is "opens", the relation between "access control function" and "SMB service (445 port)" is "opens", and the relation between "network boundary" and "SMB service (445 port)" is likewise "opens".
As can be seen from fig. 3, the node recording "target asset" is connected to the node recording "intrusion detection system" and the node recording "firewall", and the relation of the "intrusion detection system" and the "firewall" to the "target asset" is "protects". The node recording "intrusion detection system" and the node recording "firewall" are each connected to the node recording "access control device", and the relation of the "intrusion detection system" and the "firewall" to the "access control device" is "belongs to". The node recording "access control function" is connected to the node recording "access control device", and the relation between the "access control device" and the "access control function" is "function composition". The node recording "access control device should be deployed at the network boundary and the access control function enabled" is connected to the node recording "access control device" and the node recording "network boundary"; specifically, the relation between this check item and the "access control device" is "security measure", and the relation between this check item and the "network boundary" is "protection object". The node recording "access control" is connected to the node recording "access control device should be deployed at the network boundary and the access control function enabled", and the relation between them is "check requirement". The node recording "network security" is connected to the node recording "access control". The node recording "four-level equal protection" is connected to the node recording "network security".
In the embodiment of the application, the electronic device can associate the information related to the security measures for a specific threat event through the connection relations between nodes of different types in the map template. For example, the node recording "target asset" is connected to the node recording "SMB service (445 port)", and the node recording "persistent blue vulnerability attack" is connected to the node recording "SMB service (445 port)" through the node recording "CVE-2017-0144"; that is, there is a connection relation between the node recording "persistent blue vulnerability attack" and the node recording "target asset", and the node recording "target asset" is a node related to security measures. Therefore, when the security-measure-related nodes connected to the node recording "persistent blue vulnerability attack" are obtained, the connected "target asset" is obtained, and thus a specific security measure can be obtained.
In the embodiment of the present application, the keywords extracted from a text by the electronic device include threat keywords, fragile keywords and management keywords. Threat keywords refer to specific threat events, fragile keywords refer to specific fragile events, and management keywords refer to keywords relevant to the management of the key information infrastructure system, including specific security measures. In this embodiment, management keywords are mainly recorded in texts such as compliance standards, management systems and operation flows; threat keywords are mainly recorded in texts such as security event logs and sandbox analyses; and fragile keywords are mainly recorded in texts such as vulnerability scanning and configuration check results.
Table 1 describes some of the types to which keywords correspond in the embodiments of the present application.

Type                    Description
Compliance standard     Management documents belonging to management knowledge
Standard regulation     The security classification it belongs to
Check item              Operational requirements for security implementation
Object                  Security implementation objects, including devices, systems, services and components
Security measure        Management and technical means used for protection
Organization personnel  Executing or responsible organization or post personnel
Fragile event           Vulnerabilities that can be attacked, etc.
TABLE 1
The first column in table 1 is the type to which a keyword corresponds, and the second column is the description of each type. As can be seen from table 1, the type "compliance standard" refers to management documents belonging to management knowledge; the type "standard regulation" refers to the security classification it belongs to; the type "check item" refers to operational requirements for security implementation; the type "object" refers to security implementation objects, including devices, systems, services and components; the type "security measure" refers to the management and technical means used for protection; the type "organization personnel" refers to the executing or responsible organization or post personnel; and the type "fragile event" refers to vulnerabilities that can be attacked, and the like.
As can be seen from fig. 2 and fig. 3, the event processing map generated in the embodiment of the present application includes the four-level equal protection requirements, the specific standard regulations under them, and the check item information under each standard regulation; that is, it includes a top-level standard policy, and the event processing map uses this top-level standard policy as security management guidance. When the map template is generated in advance, service personnel construct the connections between the top-level standard and the other nodes through research and design on the structure of the standard. Secondly, the other nodes include connection relations between monitoring-layer nodes and management-layer nodes, so that deficiencies in the management layer can be reflected, and adjustments guided, through threat events.
Example 3:
in order to accurately determine the security measure, on the basis of the foregoing embodiments, in an embodiment of the present application, the searching for the node corresponding to the target threat event in the pre-generated event processing map includes:
if the information also carries a target fragile event, searching the pre-generated event processing map for a first node whose recorded keyword is the target threat event and for a second node whose recorded keyword is the target fragile event;
and if the information does not carry a target fragile event, searching the pre-generated event processing map for the node whose recorded keyword is the target threat event.
In an actual application scenario, the detection device may further detect a target fragile event, which may be the vulnerability exploited by the target threat event, for example "CVE-2017-0144". If the detection device detects a target fragile event, the information it sends carries both the target threat event and the detected target fragile event. When the information also carries the target fragile event, the electronic device searches the pre-generated event processing map for the first node whose recorded keyword is the target threat event and for the second node whose recorded keyword is the target fragile event.
If the information received by the electronic device carries only a target threat event and no target fragile event, the electronic device searches the pre-generated event processing map for the node whose recorded keyword is the target threat event when determining the security measure.
In this embodiment of the application, in order to further determine the security measure, if the received information carrying the target threat event does not include a target fragile event, the electronic device may supplement the target fragile event according to the connection relation between nodes of type "threat event" and nodes of type "fragile event" in the event processing map; that is, it determines the node recording the target threat event and then determines the node of type "fragile event" connected to that node.
In the embodiment of the application, the target fragile event describes the hidden dangers and related business information of the attack target. Besides the vulnerability exploited by the target threat event, the target fragile event may specifically be a target type, version information, network information, an improper configuration, and the like.
Table 2 describes the target fragile event in detail in the embodiment of the present application.

Type                    Description
Target type             Host, network device, application, software system, platform, etc.
Version information     Version number
Network information     Network address, domain name
Vulnerability           Exploitable defect, with a CVE number, CNNVD number, etc.
Improper configuration  Insufficient password strength, etc.
TABLE 2
The first column in table 2 is the type to which the target fragile event belongs, and the second column is the description of that type. As can be seen from table 2, the target fragile event may be a target type, which indicates a host, network device, application, software system, platform or the like, that is, the specific target type to which the attack target belongs; it may be version information, which refers to the specific version number of the attack target; it may be network information, which refers to the specific network address, domain name or the like of the attack target; it may be a vulnerability, which refers to an exploitable defect with a CVE number, CNNVD number or the like, that is, the vulnerability exploited by the target threat event; or it may be an improper configuration, such as insufficient password strength, that is, a hidden danger of the attack target.
In order to accurately determine the security measure, on the basis of the foregoing embodiments, in an embodiment of the present application, if the information further carries a target fragile event, the acquiring the security-measure-related node connected to the node includes:
acquiring the nodes of a security-measure-related type connected to the first node, and acquiring the nodes of a security-measure-related type connected to the second node.
In this embodiment of the application, if the information received by the electronic device also carries a target fragile event, then after finding the first node recording the target threat event and the second node recording the target fragile event, the electronic device obtains the nodes of a security-measure-related type connected to the first node and the nodes of a security-measure-related type connected to the second node.
In the embodiment of the application, a node of type "object" is connected to a node of type "fragile event", a node of type "threat event" is connected to a node of type "fragile event", and a node of type "security measure" is connected to nodes of type "fragile event" and "threat event". The electronic device can therefore determine the security-measure-related nodes connected to the first node recording the target threat event and the security-measure-related nodes connected to the second node recording the target fragile event, and determine the security measure according to both sets of nodes.
In this embodiment of the present application, the security-measure-related nodes connected to the first node and those connected to the second node may include the same node. Therefore, after acquiring the security-measure-related nodes, the electronic device determines whether any of the acquired nodes record the same keyword, and if so, retains only one of the nodes recording that keyword.
In order to accurately maintain the key information infrastructure system, on the basis of the foregoing embodiments, in the embodiment of the present application, the security-measure-related types include: asset, object, security resource, security technology, security device and security measure.
In the embodiment of the present application, the acquired security-measure-related types are thus asset, object, security resource, security technology, security device and security measure.
Taking the received target threat event "persistent blue vulnerability attack" as an example, the electronic device obtains the connected nodes in the event processing map shown in fig. 3. As can be seen from fig. 3, the node recording "SMB service (445 port)" is obtained, whose type is "object"; the electronic device then obtains the node recording "target asset" connected to the node recording "SMB service (445 port)", whose type is "asset". The electronic device can send "target asset" and "SMB service (445 port)" so that service personnel can protect the target asset; specifically, the service personnel can close the SMB service (445 port) on the target asset.
In one possible implementation, the electronic device may acquire the node of type "asset" connected to the node recording the target threat event, determine whether that node of type "asset" is connected to a node of type "security resource", and if so, send the information recorded in the node of type "security resource". Taking fig. 3 as an example, the electronic device may obtain "intrusion detection system" and "firewall", so that service personnel can adjust the intrusion detection system and the firewall and thereby protect the "SMB service (445 port)".
Specifically, in the embodiment of the present application, when determining the security measure, the electronic device generally uses the connection relation between the node recording the target fragile event and the node of type "object". In one possible implementation, service personnel can maintain the key information infrastructure system by cutting off the logical association between the information recorded in the node of type "object" and the information recorded in the node of type "attack technique".
In this embodiment of the application, when the electronic device acquires the security-measure-type nodes connected to the node recording the target threat event, it may first determine the node of type "object" connected to that node, and after acquiring the node of type "object", determine the nodes connected to it through relations such as "protection", "patch" and "upgrade", and treat those nodes as being of the security measure type. After receiving the information sent by the electronic device, service personnel can retain the information recorded in the node of type "object" by providing an external protection means, or remove the information recorded in the node of type "object" from the logical association.
Taking fig. 3 as an example, for the target threat event "persistent blue vulnerability attack", the connected node of type "object" records "SMB service (445 port)", and the nodes connected to it through the relations "protection", "patch" and "upgrade" acquired by the electronic device include "access control device". Service personnel can therefore, on the one hand, use the "access control device" as the security measure and, on the other hand, close the SMB service (445 port) so that the object entity is removed from the logical association. Service personnel select a suitable handling method according to business requirements.
In the embodiment of the present application, the key to obtaining the information recorded in the security-measure-related nodes is the node of type "object". When determining the security-measure-related nodes, from the attacker's perspective the object is the carrier of the fragile event, so the node of type "object" is connected to the node of type "fragile event", and the object is the target of the threat event, so the node of type "object" is connected to the node of type "threat event"; from the defender's perspective the object is the protection object of the check item and the target on which the security measure is implemented, so the node of type "object" is connected to the node of type "check item" and the node of type "security measure" respectively. The electronic device can therefore determine the security measure through the connection relations between the node of type "object" and the other nodes.
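The keyword canonicalization described after fig. 2 and the lookup of security-measure-related nodes of Example 3 (including supplementing a missing target fragile event and dropping duplicate nodes), worked through in Python as an added example; this is not code from the patent or from any NSFOCUS product. It transcribes the event processing map of fig. 3; the node types the page states ("SMB service (445 port)" as "object", "target asset" as "asset") are used as given, while the remaining node types, the alias table, and the traversal rule (start at the "object" node connected to the first or second node and walk only through nodes of security-measure-related types) are assumptions of this example. An empty result produces the preset reminding information of Example 5.

```python
from collections import deque

# Constructed field-mapping table (keyword -> pre-stored standard keyword). The
# aliases follow the page's "attack A"/"attack B" example; the target is the
# page's own node label for the EternalBlue attack (CVE-2017-0144).
STANDARD_KEYWORDS = {
    "attack a": "persistent blue vulnerability attack",
    "attack b": "persistent blue vulnerability attack",
    "permanent blue loophole attack": "persistent blue vulnerability attack",
}

def canonicalize(keyword):
    """Field mapping: return the standard keyword, or the keyword itself."""
    key = keyword.strip()
    return STANDARD_KEYWORDS.get(key.lower(), key)

CHECK_ITEM = ("access control device should be deployed at the network boundary "
              "and the access control function enabled")

# Node types: "object" and "asset" are stated on the page; the others are
# assumptions of this example, chosen to fit the fig. 2 template.
NODE_TYPES = {
    "A unit intrusion event": "security event", "attack source A": "attack source",
    "persistent blue vulnerability attack": "threat event",
    "CVE-2017-0144": "fragile event", "SMB service (445 port)": "object",
    "target asset": "asset", "network boundary": "object",
    "intrusion detection system": "security resource", "firewall": "security resource",
    "access control device": "security device",
    "access control function": "security technology", CHECK_ITEM: "check item",
    "access control": "standard regulation", "network security": "standard regulation",
    "four-level equal protection": "compliance standard",
}

# (node, relation, node) triples transcribed from the fig. 3 description.
EDGES = [
    ("A unit intrusion event", "target", "target asset"),
    ("A unit intrusion event", "attack means", "persistent blue vulnerability attack"),
    ("A unit intrusion event", "attack source", "attack source A"),
    ("attack source A", "initiates", "persistent blue vulnerability attack"),
    ("persistent blue vulnerability attack", "points to", "CVE-2017-0144"),
    ("CVE-2017-0144", "exists on", "SMB service (445 port)"),
    ("target asset", "opens", "SMB service (445 port)"),
    ("access control function", "opens", "SMB service (445 port)"),
    ("network boundary", "opens", "SMB service (445 port)"),
    ("intrusion detection system", "protects", "target asset"),
    ("firewall", "protects", "target asset"),
    ("intrusion detection system", "belongs to", "access control device"),
    ("firewall", "belongs to", "access control device"),
    ("access control device", "function composition", "access control function"),
    (CHECK_ITEM, "security measure", "access control device"),
    (CHECK_ITEM, "protection object", "network boundary"),
    ("access control", "check requirement", CHECK_ITEM),
    ("network security", "contains", "access control"),
    ("four-level equal protection", "contains", "network security"),
]

SECURITY_MEASURE_TYPES = {"asset", "object", "security resource",
                          "security technology", "security device", "security measure"}
REMINDER = "preset reminding information: no security-measure-related node found"

def build_map(node_types=NODE_TYPES, edges=EDGES):
    """Undirected adjacency (connection relations), keeping the relation label."""
    adj = {node: {} for node in node_types}
    for src, rel, dst in edges:
        adj[src][dst] = rel
        adj[dst][src] = rel
    return adj

def determine_security_measures(adj, threat_event, fragile_event=None,
                                node_types=NODE_TYPES):
    """Find the first (threat) and second (fragile) node, then collect the
    security-measure-related nodes reachable from the connected "object" node."""
    first = canonicalize(threat_event)
    if first not in adj:
        return {"threat_node": None, "fragile_node": None, "measures": [],
                "reminder": REMINDER}
    second = canonicalize(fragile_event) if fragile_event else None
    if second not in adj:
        # Supplement a missing target fragile event from the threat node's
        # neighbours of type "fragile event".
        fragile = [n for n in adj[first] if node_types[n] == "fragile event"]
        second = fragile[0] if fragile else None
    start = [first] + ([second] if second else [])
    # The "object" nodes connected to the first/second node are the pivot.
    objects = [o for s in start for o in adj[s] if node_types[o] == "object"]
    seen, queue = set(objects), deque(objects)
    # Walk only through security-measure-related nodes; the visited set also
    # removes nodes shared by the first and second node (same recorded keyword).
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen and node_types[nxt] in SECURITY_MEASURE_TYPES:
                seen.add(nxt)
                queue.append(nxt)
    measures = sorted((n, node_types[n]) for n in seen)
    result = {"threat_node": first, "fragile_node": second, "measures": measures}
    if not measures:
        result["reminder"] = REMINDER   # nothing found: send the reminder
    return result

if __name__ == "__main__":
    for name, kind in determine_security_measures(build_map(), "Attack A")["measures"]:
        print(f"{kind:20s} {name}")
```

Passing "Attack A" exercises the field mapping first; the result lists "SMB service (445 port)" and "target asset" (the pair the page says is sent to service personnel), the "intrusion detection system" and "firewall" security resources, and the "access control device", so the same walk yields the "object", "asset" and "security resource" information described in the three preceding paragraphs. Passing "CVE-2017-0144" explicitly as the target fragile event yields the same set, because the visited set merges what is reachable from the first and the second node.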
Example 4:
in order to ensure the security of the key information infrastructure system, on the basis of the foregoing embodiments, in an embodiment of the present application, the method further includes:
if the target threat event is a preset event and the number of times information carrying the target threat event has been received is less than a preset number of times, searching the pre-generated event processing map for the node corresponding to the target threat event, and acquiring the node of type "check item" connected to that node;
and acquiring the check item information recorded in the node of type "check item"; if the number of times the check item information has been acquired exceeds a target number of times, sending the check item information and clearing the number of times the check item information has been acquired.
In this embodiment of the application, if the target threat event carried in the information received by the electronic device is a preset event and the number of times information carrying this target threat event has been received is less than the preset number of times, the electronic device searches the pre-generated event processing map for the node whose recorded keyword is the target threat event and, after finding it, acquires the node of type "check item" connected to that node.
Taking as an example the target threat event "persistent blue vulnerability attack", which is a preset event and for which the number of times information carrying it has been received does not reach the preset number of times: as can be seen from fig. 3, when searching for check item information, the electronic device determines that the node recording "persistent blue vulnerability attack" is connected to the node recording "CVE-2017-0144", the node recording "CVE-2017-0144" is connected to the node recording "SMB service (445 port)", the node recording "access control device" and the node recording "network boundary" are each connected to the node recording "SMB service (445 port)", and the node of type "check item" recording "access control device should be deployed at the network boundary and the access control function enabled" is connected to the node recording "access control device" and the node recording "network boundary". Thus the node of type "check item" determined by the electronic device records "access control device should be deployed at the network boundary and the access control function enabled". Therefore, after the information carrying "persistent blue vulnerability attack" is received, the node of type "check item" connected to the node recording the target threat event can be obtained, and it records "access control device should be deployed at the network boundary and the access control function enabled".
In this embodiment, after acquiring the node of type "check item" connected to the node, the electronic device acquires the check item information recorded in that node, which may be "access control device should be deployed at the network boundary and the access control function enabled". After acquiring the check item information, the electronic device determines the number of times this check item information has been acquired; if that number exceeds a target number of times, which may indicate that the check item has not been implemented, the electronic device sends the check item information. The target number of times may be any number, such as 10 or 15. The check item information may be sent to a device used by service personnel, so that they can check the check item and thereby maintain the key information infrastructure system. In this embodiment of the application, when the electronic device sends the check item information, it clears the acquired count of that check item information.
In this embodiment of the application, when determining whether to send check item information, the electronic device may locally store a score for each piece of check item information. After obtaining a piece of check item information, it obtains the score stored for it, subtracts a preset value from the score to obtain a target score, and updates the locally stored score of the check item information with the target score. The electronic device then determines whether the target score is lower than a threshold score, and if so, sends the check item information.
Fig. 4 is a schematic diagram of a part of nodes included in a graph template provided in an embodiment of the present application.
As can be seen from fig. 4, the map template includes a node recording "four-level equal protection", under which there are ten requirements, namely "network security", "host security", "application security", … …, and "data security and backup recovery". "Network security" includes seven specific requirements, namely "access control", … …, and "security audit". The check item information corresponding to "access control" is "access control device should be deployed at the network boundary and the access control function enabled", … …, and "data carrying common protocols should not be allowed to pass through"; the check item information corresponding to "security audit" is "the operating status of network devices, network traffic, user behavior, etc. should be logged", … …, and "analysis should be performed according to the recorded data and an audit report generated".
In this embodiment of the present application, taking the check item information "access control device should be deployed at the network boundary and the access control function enabled" as an example, the preset score corresponding to the check item information is determined as follows. As can be seen from fig. 4, this check item information is one of five pieces of check item information under "access control", "access control" is one of seven requirements under "network security", and "network security" is one of ten requirements under "four-level equal protection". Therefore, when determining the preset score corresponding to the check item information, the corresponding numerical values are 5, 7 and 10 respectively; the electronic device determines the product of these values and then the ratio of the preset total score to the product, which is the preset score corresponding to the check item information. If the total score is 100, the preset score corresponding to the check item information is 100/(5 × 7 × 10) ≈ 0.29.
As can be seen from fig. 4, the map template includes nodes recording a compliance standard in a tree hierarchy. In this embodiment of the application, when determining the preset score corresponding to each piece of check item information, the electronic device may store a weight value for each piece of check item information and for each requirement, where the weight value may be any numerical value, and may determine the preset score corresponding to each piece of check item information according to the weight values corresponding to the check item information and to each requirement to which it belongs. Specifically, for each piece of check item information, the electronic device determines the preset score in the manner described above, determines the product of that preset score and the weight values corresponding to the check item information and to each requirement to which it belongs, and updates the preset score with the product. When the score falls below the threshold score, the check item information is sent, so that service personnel can maintain the key information infrastructure system according to it. When the check item information is sent, the electronic device resets the score saved for the check item information to a preset highest score.
For example, if the detection device finds that boundary device A of the unit is subjected to a persistent blue vulnerability attack, the electronic device receives information carrying "persistent blue vulnerability attack". Since the target threat event is a preset event and the number of times it has been received does not reach the preset number, the electronic device obtains the corresponding check item information, namely "access control device should be deployed at the network boundary and the access control function enabled", which indicates that this check item does not meet the standard, and the corresponding deduction is made. When the score after the deduction reaches the first threshold score, the check item information is sent, so that service personnel can maintain the key information infrastructure system according to it.
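The check item scoring of Example 4, carried through in Python as an added example that is not code from the patent or from any NSFOCUS product. It computes the preset score from the fig. 4 hierarchy counts (5, 7 and 10 under a total score of 100), applies the optional weight values, deducts the preset score each time the check item information is obtained for a preset threat event, and sends the information either when the acquisition count exceeds the target number of times or when the score drops below the threshold score, then clears the count and resets the score to the highest score. Treating the count-based and score-based triggers as one combined rule, and the values of the threshold score, highest score and receive limit, are assumptions of this example; the page leaves them unspecified.

```python
from collections import defaultdict
from math import prod

CHECK_ITEM = ("access control device should be deployed at the network boundary "
              "and the access control function enabled")
# Counts from fig. 4: 5 check items under "access control", 7 requirements under
# "network security", 10 requirements under "four-level equal protection".
FIG4_LEVEL_COUNTS = (5, 7, 10)

def preset_score(level_counts, total_score=100.0, weights=()):
    """Preset score = total score / product of the per-level counts, multiplied
    by any weight values stored for the check item and its parent requirements."""
    score = total_score / prod(level_counts)
    for weight in weights:
        score *= weight
    return score

class CheckItemMonitor:
    """Tracks, per check item, how often it was obtained and its remaining score."""

    def __init__(self, preset_events, receive_limit=1000, target_count=10,
                 threshold_score=99.0, highest_score=100.0):
        # receive_limit, threshold_score and highest_score are assumed values.
        self.preset_events = set(preset_events)
        self.receive_limit = receive_limit
        self.target_count = target_count
        self.threshold_score = threshold_score
        self.highest_score = highest_score
        self.received = defaultdict(int)   # threat event -> times received
        self.acquired = defaultdict(int)   # check item -> times acquired
        self.deduction = {}                # check item -> preset score
        self.scores = {}                   # check item -> current score

    def register(self, check_item, level_counts, weights=()):
        """Store the preset score for a check item and start it at the highest score."""
        self.deduction[check_item] = preset_score(level_counts, weights=weights)
        self.scores[check_item] = self.highest_score

    def on_threat_event(self, threat_event, check_items):
        """Process one received event; return the check item information to send."""
        self.received[threat_event] += 1
        if (threat_event not in self.preset_events
                or self.received[threat_event] >= self.receive_limit):
            return []
        to_send = []
        for item in check_items:
            self.acquired[item] += 1
            self.scores[item] -= self.deduction[item]
            # Either trigger from the page: count above the target number of
            # times, or score below the threshold score.
            if (self.acquired[item] > self.target_count
                    or self.scores[item] < self.threshold_score):
                to_send.append(item)
                self.acquired[item] = 0                  # clear the count
                self.scores[item] = self.highest_score   # reset to highest score
        return to_send

if __name__ == "__main__":
    monitor = CheckItemMonitor({"persistent blue vulnerability attack"})
    monitor.register(CHECK_ITEM, FIG4_LEVEL_COUNTS)
    for i in range(1, 5):
        sent = monitor.on_threat_event("persistent blue vulnerability attack", [CHECK_ITEM])
        print(i, round(monitor.scores[CHECK_ITEM], 2), sent)
```

With the fig. 4 counts the deduction per occurrence is about 0.29, so with a threshold of 99 the fourth "persistent blue vulnerability attack" that maps to this check item pushes the score below the threshold and the check item information is sent; with a threshold of 0 only the count rule fires, after the acquisition count exceeds the target number of times.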
In the traditional scheme for determining security measures, security measures are determined mainly from the experience of service personnel, without the guidance of top-level regulations and standards, resulting in low accuracy; the determined security measures are not comprehensive enough and cannot meet the requirements of a key information infrastructure system.
In the embodiment of the application, when a service person pre-constructs a graph template, tree-structure hierarchical division is performed on a compliance standard to be followed by a key information basic system, that is, the graph template is divided into structures shown in fig. 4, and information of an inspection item at the bottommost layer in the compliance standard is disassembled into nodes of security measure related types such as an inspection item and an object, so that when a security measure corresponding to a target threat event is determined, the security measure can be accurately determined under the condition of meeting the compliance standard.
Example 5:
In order to accurately maintain the critical information infrastructure, on the basis of the foregoing embodiments, in an embodiment of the present application, the method further includes:
if no security-measure-related node connected to the node is acquired, sending preset reminder information.
In the embodiment of the application, after the node corresponding to the target threat event is acquired, if no security-measure-related node connected to that node is acquired, preset reminder information is sent.
Specifically, if the received information carries only a target threat event, the electronic device acquires the node in which the target threat event is recorded and then the nodes of security-measure-related types connected to it; if no node of a security-measure-related type connected to that node is acquired, it sends the preset reminder information.
If the received information carries both a target threat event and a target vulnerability event, the electronic device acquires a first node in which the target threat event is recorded and a second node in which the target vulnerability event is recorded, and then the nodes of security-measure-related types connected to the first node and to the second node; if no node of a security-measure-related type connected to either the first node or the second node is acquired, the electronic device outputs the preset reminder information.
Fig. 5 is a schematic diagram of a detailed process for acquiring a security measure according to an embodiment of the present application; the process includes the following steps:
S501: Receive information carrying a target threat event.
S502: Judge whether the received information also carries a target vulnerability event; if so, execute S503, otherwise execute S505.
S503: Search the event processing graph for a first node recording the target threat event and a second node recording the target vulnerability event, and execute S504.
S504: Search for the nodes of security-measure-related types connected to the first node and the nodes of security-measure-related types connected to the second node, and execute S507.
S505: Search the event processing graph for the node recording the target threat event, and execute S506.
S506: Search for the nodes of security-measure-related types connected to that node, and execute S507.
S507: Judge whether a security-measure-related node was found; if so, execute S508, otherwise execute S509.
S508: Acquire the information recorded in the found node(s), send it, and execute S510.
S509: Send the preset reminder information, and execute S510.
S510: End.
Fig. 6 is a schematic diagram of a data processing process according to an embodiment of the present application.
As can be seen from fig. 6, the electronic device takes in texts containing keywords such as management systems, personnel records, asset lists, vulnerability scans, configuration checks, security logs and sandbox logs, and extracts the keywords from those texts; the extracted keywords include management keywords, vulnerability keywords and threat keywords. According to the connection relations between nodes of different types in the graph template, the electronic device connects the nodes recording these keywords and so generates the event processing graph. After receiving a target threat event, and according to a preconfigured baseline, namely a preconfigured preset event and preset number of times, if the target threat event is a preset event and the number of times information carrying it has been received reaches the preset number, the electronic device acquires the node recording the target threat event, acquires the security-measure-related nodes connected to it, and acquires and transmits the information recorded in those security-measure-related nodes.
The event processing graph in the embodiment of the application initially establishes a security protection system, which service personnel can complete in the course of daily security operation and maintenance. Compared with the traditional security measure determination method, the method has the capability of real-time dynamic adjustment: after receiving information carrying a target threat event it can quickly trace the risk and respond, determining the information in the nodes of the corresponding security measures. It is mainly intended to solve the problem of security measure determination for critical information infrastructure with high requirements on service security and continuity.
For example, if an event "SMB remote code execution vulnerability attack" occurs and the event uses an EternalBlue vulnerability attack, the electronic device receives information carrying "EternalBlue vulnerability attack". From the event processing graph shown in fig. 3 it can be seen that unit A must comply with the requirements of level 4 of the classified protection standard, and the basic requirements of classified protection are divided in a tree structure into "network security, access control, an access control device should be deployed at the network boundary and the access control function enabled". The check item uses a port access control function, and the protected object is the network boundary. Attackers use the "EternalBlue vulnerability attack" technique, which is directed at the network boundary on which the SMB service is exposed.
Therefore, a relation between management knowledge and monitoring event knowledge can be established by associating the SMB service with the network boundary and the security measures, as shown in fig. 4. When an event related to the "EternalBlue vulnerability attack" occurs, the event processing graph can feed back that the management implementation of access control is missing.
Because a critical information infrastructure has high requirements on service continuity, data integrity and confidentiality, the traditional long-period risk assessment mode cannot ensure that the critical information infrastructure effectively discovers long-latent potential safety hazards and responds to sudden network security events in time. Secondly, because of industry differences, critical information infrastructure must meet the requirements of different national network security compliance standards; the current security assessment process lacks top-level standard guidance for implementation, so the assessment is incomplete. Meanwhile, implementation of the compliance standards relies mainly on on-site manual investigation and interviews for data collection, the system cannot effectively process management data, and standard conformity is decoupled from actual threat monitoring. The scheme of the application can quickly and accurately determine security measures.
The embodiment of the application mainly solves the problems of comprehensiveness and timeliness in evaluating the security condition of critical information infrastructure; at the same time, an association between compliance standard regulations and actual monitoring data is established, so that automatic compliance evaluation is realised and the implementation of compliance standards is guided.
Example 6:
Fig. 7 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application; on the basis of the foregoing embodiments, the data processing apparatus according to an embodiment of the present application includes:
a receiving module 701, configured to receive information carrying a target threat event;
a processing module 702, configured to, if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches a preset number of times, search a pre-generated event processing graph for the node corresponding to the target threat event and acquire a security-measure-related node connected to that node;
an acquisition and sending module 703, configured to acquire and send the information recorded in the security-measure-related node.
Further, the processing module 702 is further configured to receive each text used for generating the event processing graph; for each text, extract each keyword contained in the text; for each keyword, if the graph template does not contain a node recording the keyword, create a target node in the graph template, record the keyword in the target node, acquire the type stored for the keyword, store the correspondence between the target node and the type, determine, according to the connection relations between nodes in the graph template, the target type of each other node connected to a node of that type, determine the other nodes of other keywords of the target type in the text, and connect the target node with those other nodes.
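The graph generation step just described, as an added example that is not code from the patent; the keyword dictionary with the type stored for each keyword, the template's connection relations between node types and the sample texts are constructed, and extracting keywords by dictionary matching is an assumption, since the text does not say how keywords are extracted:

```python
"""Generating an event processing graph from texts and a graph template.

Added example, not code from the patent. The keyword dictionary with the type
stored for each keyword, the template's connection relations between node types
and the sample texts are constructed; extracting keywords by dictionary matching
is an assumption, since the text does not say how keywords are extracted.
"""
from collections import defaultdict

# constructed: the type stored for each keyword
KEYWORD_TYPES = {
    "EternalBlue vulnerability attack": "threat",
    "SMB remote code execution vulnerability": "vulnerability",
    "SMB service": "object",
    "network boundary": "object",
    "access control device": "security_device",
    "port access control": "security_technology",
    "deploy an access control device at the network boundary": "check_item",
}

# constructed graph template: which node types are connected to which
TEMPLATE_LINKS = {
    "threat": {"vulnerability", "object"},
    "vulnerability": {"object", "security_technology"},
    "check_item": {"object", "security_device", "security_technology"},
    "security_device": {"object"},
}


def symmetric_links(links):
    """Connection relations are undirected: make the template lookup symmetric."""
    out = defaultdict(set)
    for node_type, targets in links.items():
        for target in targets:
            out[node_type].add(target)
            out[target].add(node_type)
    return out


def extract_keywords(text, keyword_types):
    """Dictionary matching (assumption); returns keywords in order of appearance."""
    hits = [(text.find(kw), kw) for kw in keyword_types if kw in text]
    return [kw for _, kw in sorted(hits)]


class EventGraphBuilder:
    def __init__(self, keyword_types=KEYWORD_TYPES, template_links=TEMPLATE_LINKS):
        self.keyword_types = keyword_types
        self.links = symmetric_links(template_links)
        self.nodes = {}                 # keyword -> type (the node records the keyword)
        self.edges = defaultdict(set)   # keyword -> connected keywords

    def add_text(self, text):
        keywords = extract_keywords(text, self.keyword_types)
        for kw in keywords:
            if kw not in self.nodes:                      # create the target node
                self.nodes[kw] = self.keyword_types[kw]   # and store its type
            # target types: the types the template connects to this node's type
            target_types = self.links[self.nodes[kw]]
            # other keywords of a target type in the same text become neighbours
            # (also for a node that already existed from an earlier text)
            for other in keywords:
                if other != kw and self.keyword_types[other] in target_types:
                    self.edges[kw].add(other)
                    self.edges[other].add(kw)
        return self

    def build(self, texts):
        for text in texts:
            self.add_text(text)
        return self


# constructed sample texts: a sandbox log line and a configuration check line
SAMPLE_TEXTS = [
    "Sandbox log: EternalBlue vulnerability attack exploiting the SMB remote code "
    "execution vulnerability against the SMB service at the network boundary.",
    "Configuration check: deploy an access control device at the network boundary "
    "and enable port access control on the access control device.",
]
```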
Further, the processing module 702 is specifically configured to, if the information also carries a target vulnerability event, search the pre-generated event processing graph for a first node whose recorded keyword is the target threat event and for a second node whose recorded keyword is the target vulnerability event; and, if the information does not carry a target vulnerability event, search the pre-generated event processing graph for the node whose recorded keyword is the target threat event.
Further, the processing module 702 is specifically configured to, if the information also carries a target vulnerability event, acquire the nodes of security-measure-related types connected to the first node and the nodes of security-measure-related types connected to the second node.
Further, the processing module 702 is further configured to, if the target threat event is a preset event and the number of times information carrying the target threat event has been received is smaller than the preset number of times, search the pre-generated event processing graph for the node corresponding to the target threat event and acquire a node connected to it whose type is check item; and to acquire the check item information recorded in that node, and, if the number of times the check item information has been acquired exceeds a target number of times, send the check item information and clear its acquired count.
Fig. 8 is a schematic structural diagram of another data processing apparatus provided in this embodiment of the present application. As shown in fig. 8:
the apparatus includes a data acquisition module 801, a management monitoring association module 802 and a security management module 803.
The management monitoring association module 802 and the security management module 803 are configured to receive information carrying a target threat event, and, if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches the preset number of times, to search the pre-generated event processing graph for the node corresponding to the target threat event and acquire a security-measure-related node connected to that node; this part of the functionality corresponds to that of the receiving module 701 and the processing module 702 in fig. 7.
The security management module 803 is configured to acquire the information recorded in the security-measure-related node and send it. This part of the functionality corresponds to that of the acquisition and sending module 703 in fig. 7.
Further, the data acquisition module 801 and the management monitoring association module 802 are configured to receive each text used for generating the event processing graph; for each text, extract each keyword contained in the text; for each keyword, if the graph template does not contain a node recording the keyword, create a target node in the graph template, record the keyword in the target node, acquire the type stored for the keyword, store the correspondence between the target node and the type, determine, according to the connection relations between nodes in the graph template, the target type of each other node connected to a node of that type, determine the other nodes of other keywords of the target type in the text, and connect the target node with those other nodes. This part of the functionality corresponds to that of the processing module 702 in fig. 7.
Further, the management monitoring association module 802 is configured to, if the information also carries a target vulnerability event, search the pre-generated event processing graph for a first node whose recorded keyword is the target threat event and for a second node whose recorded keyword is the target vulnerability event; and, if the information does not carry a target vulnerability event, search the pre-generated event processing graph for the node whose recorded keyword is the target threat event. This part of the functionality corresponds to that of the processing module 702 in fig. 7.
Further, the management monitoring association module 802 is configured to, if the information also carries a target vulnerability event, acquire the nodes of security-measure-related types connected to the first node and the nodes of security-measure-related types connected to the second node. This part of the functionality corresponds to that of the processing module 702 in fig. 7.
Further, the security management module 803 is configured to, if the target threat event is a preset event and the number of times information carrying the target threat event has been received is smaller than the preset number of times, search the pre-generated event processing graph for the node corresponding to the target threat event and acquire a node connected to it whose type is check item; and to acquire the check item information recorded in that node, and, if the number of times the check item information has been acquired exceeds a target number of times, send the check item information and clear its acquired count. This part of the functionality corresponds to that of the processing module 702 in fig. 7.
Further, the management monitoring association module 802 is configured to send preset reminder information if no security-measure-related node connected to the node is acquired. This part of the functionality corresponds to that of the processing module 702 in fig. 7.
Example 7:
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 9, it includes a processor 901, a communication interface 902, a memory 903 and a communication bus 904, where the processor 901, the communication interface 902 and the memory 903 communicate with each other through the communication bus 904.
The memory 903 stores a computer program which, when executed by the processor 901, causes the processor 901 to perform the following steps:
receiving information carrying a target threat event;
if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches a preset number of times, searching a pre-generated event processing graph for the node corresponding to the target threat event, and acquiring a security-measure-related node connected to that node;
acquiring and sending the information recorded in the security-measure-related node.
Further, the processor 901 is further configured to receive each text used for generating the event processing graph;
for each text, extract each keyword contained in the text; for each keyword, if the graph template does not contain a node recording the keyword, create a target node in the graph template, record the keyword in the target node, acquire the type stored for the keyword, store the correspondence between the target node and the type, determine, according to the connection relations between nodes in the graph template, the target type of each other node connected to a node of that type, determine the other nodes of other keywords of the target type in the text, and connect the target node with those other nodes.
Further, the processor 901 is specifically configured to, if the information also carries a target vulnerability event, search the pre-generated event processing graph for a first node whose recorded keyword is the target threat event and for a second node whose recorded keyword is the target vulnerability event;
and, if the information does not carry a target vulnerability event, search the pre-generated event processing graph for the node whose recorded keyword is the target threat event.
Further, the processor 901 is specifically configured to, if the information also carries a target vulnerability event, acquire the nodes of security-measure-related types connected to the first node and the nodes of security-measure-related types connected to the second node.
Further, the processor 901 is further configured to, if the target threat event is a preset event and the number of times information carrying the target threat event has been received is smaller than the preset number of times, search the pre-generated event processing graph for the node corresponding to the target threat event and acquire a node connected to it whose type is check item;
and to acquire the check item information recorded in that node, and, if the number of times the check item information has been acquired exceeds a target number of times, send the check item information and clear its acquired count.
Further, the processor 901 is further configured to send preset reminder information if no security-measure-related node connected to the node is acquired.
The communication bus mentioned above may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is shown, but this does not mean that there is only one bus or only one type of bus.
The communication interface 902 is used for communication between the electronic device and other devices.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Alternatively, the memory may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit, a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like.
Example 8:
On the basis of the foregoing embodiments, an embodiment of the present application further provides a computer-readable storage medium in which a computer program executable by an electronic device is stored; when the program is run on the electronic device, the electronic device is caused to perform the following steps:
receiving information carrying a target threat event;
if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches a preset number of times, searching a pre-generated event processing graph for the node corresponding to the target threat event, and acquiring a security-measure-related node connected to that node;
acquiring and sending the information recorded in the security-measure-related node.
In one possible embodiment, the event processing graph is generated by:
receiving each text used for generating the event processing graph;
for each text, extracting each keyword contained in the text; for each keyword, if the graph template does not contain a node recording the keyword, creating a target node in the graph template, recording the keyword in the target node, acquiring the type stored for the keyword, storing the correspondence between the target node and the type, determining, according to the connection relations between nodes in the graph template, the target type of each other node connected to a node of that type, determining the other nodes of other keywords of the target type in the text, and connecting the target node with those other nodes.
In a possible implementation, searching the pre-generated event processing graph for the node corresponding to the target threat event includes:
if the information also carries a target vulnerability event, searching the pre-generated event processing graph for a first node whose recorded keyword is the target threat event and for a second node whose recorded keyword is the target vulnerability event;
and, if the information does not carry a target vulnerability event, searching the pre-generated event processing graph for the node whose recorded keyword is the target threat event.
In a possible implementation, if the information also carries a target vulnerability event, acquiring the security-measure-related node connected to the node includes:
acquiring the nodes of security-measure-related types connected to the first node, and acquiring the nodes of security-measure-related types connected to the second node.
In one possible embodiment, the method further comprises:
if the target threat event is a preset event and the number of times information carrying the target threat event has been received is smaller than the preset number of times, searching the pre-generated event processing graph for the node corresponding to the target threat event, and acquiring a node connected to it whose type is check item;
and acquiring the check item information recorded in that node; if the number of times the check item information has been acquired exceeds a target number of times, sending the check item information and clearing its acquired count.
In one possible embodiment, the method further comprises:
if no security-measure-related node connected to the node is acquired, sending preset reminder information.
In one possible embodiment, the security-measure-related types include: assets, objects, security resources, security technologies, security devices and security measures.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A data processing method, the method comprising:
receiving information carrying a target threat event;
if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches a preset number of times, searching a pre-generated event processing graph for the node corresponding to the target threat event, and acquiring a security-measure-related node connected to that node;
acquiring and sending the information recorded in the security-measure-related node.
2. The method of claim 1, wherein the event processing graph is generated by:
receiving each text used for generating the event processing graph;
for each text, extracting each keyword contained in the text; for each keyword, if the graph template does not contain a node recording the keyword, creating a target node in the graph template, recording the keyword in the target node, acquiring the type stored for the keyword, storing the correspondence between the target node and the type, determining, according to the connection relations between nodes in the graph template, the target type of each other node connected to a node of that type, determining the other nodes of other keywords of the target type in the text, and connecting the target node with those other nodes.
3. The method of claim 1, wherein searching the pre-generated event processing graph for the node corresponding to the target threat event comprises:
if the information also carries a target vulnerability event, searching the pre-generated event processing graph for a first node whose recorded keyword is the target threat event and for a second node whose recorded keyword is the target vulnerability event;
and, if the information does not carry a target vulnerability event, searching the pre-generated event processing graph for the node whose recorded keyword is the target threat event.
4. The method of claim 3, wherein, if the information also carries a target vulnerability event, acquiring the security-measure-related node connected to the node comprises:
acquiring the nodes of security-measure-related types connected to the first node, and acquiring the nodes of security-measure-related types connected to the second node.
5. The method of claim 1, further comprising:
if the target threat event is a preset event and the number of times information carrying the target threat event has been received is smaller than the preset number of times, searching the pre-generated event processing graph for the node corresponding to the target threat event, and acquiring a node connected to it whose type is check item;
and acquiring the check item information recorded in that node; if the number of times the check item information has been acquired exceeds a target number of times, sending the check item information and clearing its acquired count.
6. The method of claim 1, further comprising:
if no security-measure-related node connected to the node is acquired, sending preset reminder information.
7. The method of claim 2, wherein the security-measure-related types comprise: assets, objects, security resources, security technologies, security devices and security measures.
8. A data processing apparatus, characterized in that the apparatus comprises:
a receiving module, configured to receive information carrying a target threat event;
a processing module, configured to, if the target threat event is a preset event and the number of times information carrying the target threat event has been received reaches a preset number of times, search a pre-generated event processing graph for the node corresponding to the target threat event and acquire a security-measure-related node connected to that node;
an acquisition and sending module, configured to acquire and send the information recorded in the security-measure-related node.
9. An electronic device, characterized in that it comprises at least a processor and a memory, the processor being adapted to perform the steps of the data processing method of any one of claims 1 to 7 when executing a computer program stored in the memory.
10. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a processor, carries out the steps of the data processing method of any one of claims 1 to 7.
Application CN202211209749.8A, priority date 2022-09-30, filing date 2022-09-30: Data processing method, device, equipment and medium (pending).
Publication CN115499240A (en), publication date 2022-12-20.
Family ID 84472513; country: CN.
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115664860A (en) * 2022-12-26 2023-01-31 广东财经大学 Network security threat assessment method and system
CN115664860B (en) * 2022-12-26 2023-03-31 广东财经大学 Network security threat assessment method and system

Similar Documents

Publication Publication Date Title
US11012472B2 (en) Security rule generation based on cognitive and industry analysis
CN107577939B (en) Data leakage prevention method based on keyword technology
CN112003838B (en) Network threat detection method, device, electronic device and storage medium
CN110598411A (en) Sensitive information detection method and device, storage medium and computer equipment
CN106411578A (en) Website monitoring system and method applicable to power industry
CN113660224B (en) Situation awareness defense method, device and system based on network vulnerability scanning
CN106355092B (en) System and method for optimizing anti-virus measurement
US10482240B2 (en) Anti-malware device, anti-malware system, anti-malware method, and recording medium in which anti-malware program is stored
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
US20200327224A1 (en) Attack Kill Chain Generation and Utilization for Threat Analysis
Zhang et al. An empirical study of web resource manipulation in real-world mobile applications
CN115499240A (en) Data processing method, device, equipment and medium
KR101464736B1 (en) Security Assurance Management System and Web Page Monitoring Method
Yermalovich et al. Formalization of attack prediction problem
US11321453B2 (en) Method and system for detecting and classifying malware based on families
CN114866532B (en) Method, device, equipment and medium for uploading security check result information of endpoint file
CN117010013A (en) Risk management method and device and computer equipment
CN116226865A (en) Security detection method, device, server, medium and product of cloud native application
Escoses et al. Phisherman: Phishing link scanner
Payet et al. Ears in the wild: large-scale analysis of execution after redirect vulnerabilities
Tan et al. Penetration Testing Process: A Preliminary Study
Bo et al. Tom: A threat operating model for early warning of cyber security threats
Lestari et al. Factors Affecting Security Information Systems: Information Security, Threats and Cyber Attack, Physical Security, and Information Technology
Chen et al. Attack intent analysis method based on attack path graph
Haidar et al. E-banking Information Security Risks Analysis Based on Ontology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination