CN115712646A - Alarm strategy generation method, device and storage medium - Google Patents


Info

Publication number
CN115712646A
Authority
CN
China
Prior art keywords
event
alarm
target
configuration rule
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110947247.4A
Other languages
Chinese (zh)
Inventor
梁广鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202110947247.4A
Publication of CN115712646A

Abstract

The present application provides an alarm policy generation method, an alarm policy generation apparatus and a storage medium, which relate to the technical field of the Internet. The method comprises: acquiring event description information of a plurality of security events, the event description information comprising event object information, event attribute information and event time information of the security events; acquiring an alarm configuration rule from a configuration rule base, the alarm configuration rule comprising filtering field information and an event aggregation condition; matching the alarm configuration rules in the configuration rule base against the plurality of security events according to the filtering field information and the event attribute information, to obtain a target configuration rule and its corresponding security events; matching the corresponding security events against the event aggregation condition of the target configuration rule according to the event object information and the event time information; and if target security events satisfying the event aggregation condition are matched, generating a corresponding alarm policy based on the target configuration rule. The method and apparatus can effectively improve both the generation efficiency and the quality of alarm policies.

Description

Alarm strategy generation method, device and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to a method and an apparatus for generating an alarm policy, and a storage medium.
Background
A security event is an original security problem that a security product (software or hardware) has discovered within its detection range (for example, traffic, a terminal or a log). By monitoring and analyzing security event data, alarm results can be generated in time and corresponding alarm handling can be carried out to avoid security risks.
With the spread of network technology, the number of security events has multiplied and the data is messy and voluminous, so alarm analysis of security event data involves a large number of alarm policies. In existing monitoring and alarming, alarm policies are configured manually according to the software or hardware system, the service it carries and the category of the alarm platform; the labor cost of policy configuration and maintenance is extremely high and generation efficiency is low. There is therefore a need for an improved alarm policy generation scheme that solves these problems.
Disclosure of Invention
The present application provides an alarm policy generation method and apparatus, which can effectively improve the generation efficiency of alarm policies and reduce labor cost.
In one aspect, the present application provides an alarm policy generation method, where the method includes:
acquiring event description information of a plurality of security events, the event description information comprising event object information, event attribute information and event time information of the security events;
acquiring an alarm configuration rule from a configuration rule base, the alarm configuration rule comprising filtering field information and an event aggregation condition;
matching the alarm configuration rules in the configuration rule base against the plurality of security events according to the filtering field information and the event attribute information, to obtain a target configuration rule and its corresponding security events;
matching the corresponding security events against the event aggregation condition of the target configuration rule according to the event object information and the event time information;
and if target security events satisfying the event aggregation condition are matched, generating a corresponding alarm policy based on the target configuration rule, for use in alarm analysis of security events.
In another aspect, an alarm policy generation apparatus is provided, where the apparatus includes:
an event information acquisition module, configured to acquire event description information of a plurality of security events, the event description information comprising event object information, event attribute information and event time information of the security events;
a configuration rule acquisition module, configured to acquire an alarm configuration rule from a configuration rule base, the alarm configuration rule comprising filtering field information and an event aggregation condition;
a first matching module, configured to match the alarm configuration rules in the configuration rule base against the plurality of security events according to the filtering field information and the event attribute information, to obtain a target configuration rule and its corresponding security events;
a second matching module, configured to match the corresponding security events against the event aggregation condition of the target configuration rule according to the event object information and the event time information;
an alarm policy generation module, configured to generate, if target security events satisfying the event aggregation condition are matched, a corresponding alarm policy based on the target configuration rule, for use in alarm analysis of security events.
Another aspect provides an alarm policy generation device, the device comprising a processor and a memory, the memory having stored therein at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by the processor to implement the alarm policy generation method as described above.
Another aspect provides a computer-readable storage medium, in which at least one instruction or at least one program is stored, and the at least one instruction or the at least one program is loaded and executed by a processor to implement the alarm policy generation method as described above.
Another aspect provides a server, the server comprising a processor and a memory, the memory storing at least one instruction or at least one program, and the at least one instruction or the at least one program being loaded and executed by the processor to implement the alarm policy generation method described above.
In another aspect, a computer program product or computer program is provided, the computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions, so that the computer device executes the alarm policy generation method.
The method, apparatus, device, storage medium, server and program product for generating an alarm policy have the following technical effects:
event description information of a plurality of security events is acquired, the event description information comprising event object information, event attribute information and event time information of the security events; alarm configuration rules comprising filtering field information and event aggregation conditions are acquired from a configuration rule base; the alarm configuration rules in the configuration rule base are then matched against the plurality of security events according to the filtering field information and the event attribute information, to obtain a target configuration rule and its corresponding security events; the corresponding security events are matched against the event aggregation condition of the target configuration rule according to the event object information and the event time information; and if target security events satisfying the event aggregation condition are matched, a corresponding alarm policy is generated based on the target configuration rule. In this scheme, alarm policies are generated automatically by matching the configuration rule base against security data, so alarm policies need not be configured manually, and the method can be applied to different security platforms and service systems; the repetitive labor of alarm policy configuration is greatly reduced and the generation efficiency of alarm policies is effectively improved. In addition, because the matching alarm configuration rule is selected from the configuration rule base based on the security event data before an alarm policy is generated, the correlation between the alarm policy and the security events to be analyzed is improved, the number of invalid alarm policies is reduced, and alarm analysis efficiency is improved.
Drawings
In order to illustrate the technical solutions and advantages of the embodiments of the present application or of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly described below. The drawings in the following description show only some embodiments of the present application, and other drawings can be obtained from them by those skilled in the art without creative effort.
FIG. 1 is a schematic diagram of an application environment provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of an alarm policy generation method according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating an alarm policy generation method according to an embodiment of the present application;
FIG. 4 is a flowchart illustrating an alarm policy generation method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a set of associated security events according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of an alarm policy generation apparatus according to an embodiment of the present application;
FIG. 7 is a block diagram of the hardware structure of a server for an alarm policy generation method according to an embodiment of the present application.
Detailed Description
Cloud computing refers to a delivery and usage mode of IT infrastructure in which required resources are obtained over a network in an on-demand, easily extensible manner; in the broad sense, cloud computing refers to a delivery and usage mode of services in which required services are obtained over a network in an on-demand, easily extensible manner. Such services may be IT and software services, Internet-related services, or other services. Cloud computing is the product of the development and fusion of traditional computing and network technologies such as grid computing, distributed computing, parallel computing, utility computing, network storage technologies, virtualization and load balancing.
In the technical scheme of the embodiments of the present application, resource data services, such as the pattern data generated for alarm policies, can be provided using cloud computing and cloud storage technologies. A distributed cloud storage system (hereinafter, storage system) is a storage system that, through application software or application interfaces, uses functions such as cluster application, grid technology and a distributed storage file system to integrate a large number of storage devices (also called storage nodes) of different types in a network so that they work cooperatively, and that provides data storage and service access functions to the outside.
At present, a storage system stores data as follows. Logical volumes are created, and each logical volume is allocated physical storage space when created, which may consist of the disks of one storage device or of several storage devices. A client stores data on a certain logical volume, that is, the data is stored on a file system; the file system divides the data into a number of parts, each of which is an object, and an object contains not only the data but also additional information such as a data identifier (ID). The file system writes each object into the physical storage space of the logical volume and records the storage location information of each object, so that when the client requests access to the data, the file system can let the client access the data according to the storage location information of each object.
The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making creative efforts shall fall within the protection scope of the present application.
It should be noted that the terms "first", "second" and the like in the description and claims of this application and in the drawings described above are used to distinguish similar elements, and not necessarily to describe a particular sequential or chronological order. It is to be understood that the data so used are interchangeable under appropriate circumstances, such that the embodiments of the application described herein are capable of operating in sequences other than those illustrated or described herein. Furthermore, the terms "comprises", "comprising" and "having", and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article or apparatus.
Before the embodiments of the present application are described in further detail, the terms and expressions used in them are explained; these explanations apply throughout the embodiments.
SOC (Security Operations Center): a centralized management mode that uniformly manages related security products, collects security information on assets across all networks, and analyzes, counts and correlates the collected security events in depth, so as to reflect the security state of the managed assets in time, locate security risks, discover and locate security events promptly, provide handling methods and suggestions in time, and assist the administrator with event analysis, risk analysis, early-warning management and emergency response.
SIEM (Security Information and Event Management): a combination of software and services that fuses SIM (Security Information Management) and SEM (Security Event Management). A SIEM performs unified real-time monitoring and historical analysis of the security information (including logs, alarms and the like) generated by all IT resources (networks, systems and applications) in an enterprise or organization, monitors external intrusion and internal violations and misoperation, performs audit analysis and investigation and evidence collection, and provides various reports, thereby achieving compliance management of IT resources while improving the enterprise's or organization's security operation, threat management and emergency response capabilities.
Security alarm: a warning of higher analytical value generated by further processing the security events or operation logs collected from different security products or device logs in a security operations platform such as a SOC or SIEM. A security alarm is obtained by performing alarm analysis on security events according to an alarm policy, and security alarms and alarm policies are usually in a one-to-one relationship.
Alarm policy: the generation policy used in a security operations center such as a SOC or SIEM to convert security events, device logs and the like into security alarms.
Referring to fig. 1, fig. 1 is a schematic diagram of an application environment according to an embodiment of the present disclosure, and as shown in fig. 1, the application environment may include at least a server 01 and a terminal 02. In practical applications, the server 01 and the terminal 02 may be directly or indirectly connected through a wired or wireless communication manner to realize interaction between the terminal 02 and the server 01, which is not limited herein.
In this embodiment of the application, the server 01 may be an independent physical server, may also be a server cluster or a distributed system formed by a plurality of physical servers, and may also be a cloud server that provides basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a Network service, cloud communication, a middleware service, a domain name service, a security service, a CDN (Content Delivery Network), a big data and artificial intelligence platform, and the like. Specifically, the server may include a physical device, may specifically include a network communication unit, a processor, a memory, and the like, may also include software running in the physical device, may specifically include an application program, and the like. In the embodiment of the present application, the server 01 may be configured to obtain event description information of a plurality of security events, store a configuration rule base, and provide a generation service of an alarm policy and an alarm analysis service of a security event.
In this embodiment, the terminal 02 may include a smart phone, a desktop computer, a tablet computer, a notebook computer, a digital assistant, an Augmented Reality (AR)/Virtual Reality (VR) device, a smart television, a smart speaker, a smart wearable device, and a vehicle-mounted terminal device, and may also include software running in the physical device, such as an application program. Specifically, the terminal 02 may be configured to generate a security event and transmit data of the security event, such as event records and device log data, to the server 01.
In addition, it should be noted that fig. 1 illustrates only an application environment of the alarm policy generation method, and the application environment may include more or fewer nodes, which is not limited herein.
An alarm policy generation method of the present application is introduced below based on the above application environment; it is applied on the server side. The technical scheme of the application can be applied to common security platforms such as a SOC or SIEM, and is suited to scenarios with few personnel or a large volume of security events, such as small and medium-sized enterprises with a small security budget, enterprises with a large number of assets exposed to the public network, or situations that severely challenge enterprise security, such as security drills. FIG. 2 is a schematic flowchart of an alarm policy generation method provided in an embodiment of the present application. This specification presents the operation steps of the method as in the embodiment or the flowchart, but more or fewer steps may be included based on conventional or non-creative labor. The order of steps recited in the embodiments is merely one of many possible orders and does not represent a unique order of execution. In practice, the system or server product may execute the steps of the embodiments or the methods shown in the figures sequentially or in parallel (for example, in a parallel-processor or multi-threaded environment). As shown in FIG. 2, the method may include the following.
S201: Event description information of a plurality of security events is acquired, the event description information comprising event object information, event attribute information and event time information of the security events.
In the embodiments of the present application, a security event is an original security problem found by a security product (software or hardware) within its detection range (such as traffic, a terminal or a log). The plurality of security events may originate from the same service system or from different service systems. The event description information may be acquired from security event data such as the device log data of the plurality of security events.
In some embodiments, the plurality of security events are historical security events; the corresponding event description information is obtained from the security event records of the historical security events and the corresponding device log data, so that the alarm configuration rules corresponding to the plurality of security events can be determined from the configuration rule base in order to generate alarm policies for alarm analysis of real-time security events. In some cases, event description information of the security events of a preset period (for example, the previous day) is obtained, and the generated alarm policies are used for alarm analysis of the security events of the current day. The preset period may be set according to actual requirements and is not limited to the above; the application places no limit on it.
In other embodiments, the plurality of security events are quasi-real-time security events; the corresponding event description information is obtained from the security event records of the quasi-real-time security events and the corresponding device log data, so that the corresponding alarm configuration rules can be determined from the configuration rule base and the corresponding alarm policies and alarm results generated. When a preset condition is met, for example when the number of generated alarm policies reaches a first preset value, or when the number of alarm policies added within a certain period is less than or equal to a second preset value, alarm analysis of subsequent security events is performed based on the generated alarm policies. The preset condition may be set according to actual requirements and is not limited to the above; the application places no limit on it.
In practical applications, the event object information is identification information characterizing the objects related to a security event, and may include, but is not limited to, the source IP and/or destination IP of the security event or the device identification information of the related object. Event attribute information characterizes the attributes of a security event and may include, but is not limited to, event name information and event category information (including a general category and a subcategory). Event time information may include, but is not limited to, the occurrence time, end time and/or duration of a security event.
Because the subsequent event screening and rule matching read only the event description information of the plurality of security events, the whole body of security event data (security event records, device log data and the like) does not need to be read; the volume of data handled in reading, event screening and rule matching is reduced and data processing efficiency is improved.
S203: An alarm configuration rule is acquired from a configuration rule base, the alarm configuration rule comprising filtering field information and an event aggregation condition.
In the embodiments of the application, the alarm configuration rule indicates a rule for aggregating security events. The alarm configuration rule is written in a general format so that it can be applied on different security platforms, such as a SOC or SIEM. The configuration rule base contains a plurality of preset alarm configuration rules, which may correspond to the same service system or to different service systems.
In practical applications, an alarm configuration rule includes a plurality of configuration items, specifically a filtering configuration item and an event aggregation condition item: the filtering configuration item contains the filtering field information used to filter the security events, and the event aggregation condition item indicates the condition for aggregating the security events obtained by filtering on the filtering configuration item (that is, on the filtering field information).
S205: The alarm configuration rules in the configuration rule base are matched against the plurality of security events according to the filtering field information and the event attribute information, to obtain a target configuration rule and its corresponding security events.
In the embodiments of the application, an alarm configuration rule is matched to a security event based on the result of matching the filtering field information against the event attribute information. The matching may be complete or fuzzy. In complete matching, the field of the event attribute information is identical to the field of the filtering field information, that is, the field values are exactly equal; in fuzzy matching, the filtering field information specifies some or all of the fields contained in the event attribute information. For example, the event attribute information consists of an event name, an event category and an event subcategory, for instance "xss attack/NAI/VAI", where "xss attack" is the event name, NAI (Network Attacks) is the event category, and VAI (Vulnerability Attacks) is the event subcategory. In some cases the filtering field information is "xss attack/NAI/VAI", and it is matched against the event attribute information by complete matching, so that the security events corresponding to the target configuration rule are those whose event attribute information is "xss attack/NAI/VAI". In other cases the filtering field information is a field specified within "xss attack/NAI/VAI", for example "xss attack", and it is matched against the event attribute information by fuzzy matching, so that the security events corresponding to the target configuration rule are those whose event attribute information contains "xss attack".
In practical applications, the security events corresponding to a target configuration rule number at least two. Accordingly, if an alarm configuration rule in the configuration rule base matches at least two of the plurality of security events according to the filtering field information and the event attribute information, the alarm configuration rule is taken as a target configuration rule; if it does not match at least two security events, the following step S207 is not triggered.
In practical applications, the filtering field information of each alarm configuration rule in the configuration rule base is matched against the event attribute information of the plurality of security events; an alarm configuration rule that matches security events is taken as a target configuration rule, and the security events that match the filtering field information of the target configuration rule are its corresponding security events.
In some cases, the alarm configuration rules are read from the configuration rule base one at a time, and the event attribute information of the plurality of security events is traversed and matched against the filtering field information of the rule just read, so as to obtain the target configuration rule and its corresponding security events.
In other cases, all or some of the alarm configuration rules in the configuration rule base are read at once, and the rules so read are traversed and matched against the event attribute information of the security event currently being input, so as to obtain the target configuration rule and its corresponding security events. For example, the alarm policy generation engine may read the required alarm configuration rules from the configuration rule base and mount them; the plurality of security events is input as a time-ordered security event queue, and the engine acquires the event description information of the security events in time order and traverses the mounted alarm configuration rules, matching each rule's filtering field information against the event attribute information of each security event.
S207: The corresponding security events are matched against the event aggregation condition of the target configuration rule according to the event object information and the event time information.
S209: If target security events satisfying the event aggregation condition are matched, a corresponding alarm policy is generated based on the target configuration rule, for use in alarm analysis of security events.
In the embodiments of the application, if target security events satisfying the event aggregation condition of a target configuration rule are matched from its corresponding security events based on the event object information and the event time information, that is, if target security events that trigger the target configuration rule exist, a corresponding alarm policy is generated based on the target configuration rule; the alarm policy aggregates at least two security events into a single alarm result. The generated alarm policy is stored in an alarm policy library for alarm analysis of subsequent security events. The target security events number at least two.
The method comprises the steps of obtaining event description information of a plurality of security events, wherein the event description information comprises event object information, event attribute information and event time information of the security events; acquiring alarm configuration rules including filtering field information and event aggregation conditions from a configuration rule base; then, according to the filtering field information and the event attribute information, matching the alarm configuration rules in the configuration rule base with the plurality of security events to obtain a target configuration rule and corresponding security events; matching the security events in the corresponding security events with the event aggregation condition of the target configuration rule according to the event object information and the event time information; and if target security events meeting the event aggregation condition are matched, generating a corresponding alarm strategy based on the target configuration rule. According to the technical scheme, the alarm strategy is generated automatically by matching the configuration rule base against the security data, the alarm strategy does not need to be configured manually, and the method can be applied to different security platforms and service systems, so that the repetitive labor of alarm strategy configuration is greatly reduced and the generation efficiency of the alarm strategy is effectively improved. In addition, the matched alarm configuration rule is determined from the configuration rule base based on the security event data before the alarm strategy is generated, so that the correlation between the alarm strategy and the security events to be analyzed is improved, the number of invalid alarm strategies is reduced, and the alarm analysis efficiency is improved.
In practical applications, generating a corresponding target alarm policy based on the target configuration rule may include: and calling a strategy generation interface to perform format conversion on the configuration data of the target configuration rule to obtain a corresponding alarm strategy.
It can be understood that, the alarm policies of different security platforms have different formats, and therefore when the target configuration rule is applied to different target security platforms, the policy generation interface needs to be invoked, format conversion is performed on the configuration data of the target configuration rule based on the policy format corresponding to the target security platform, and the configuration data is stored in the corresponding platform, for example, the configuration data is converted and stored as the alarm policy of the SOC or SIEM platform.
In some cases, before performing format conversion, the method further includes a step of detecting a configuration rule, which may specifically include: calling a preset parsing grammar to parse the target configuration rule, and if the target configuration rule can be normally parsed, triggering a strategy generation interface to convert the format of the configuration data of the target configuration rule; and if the configuration rule cannot be analyzed normally, generating analysis error information to prompt a user to check the configuration rule.
Based on some or all of the above embodiments, in the embodiments of the present application, the alarm policy includes a merge policy and an association policy, the merge policy is applied to a scenario in which security events that occur multiple times under the same condition are aggregated uniformly and then a single alarm is generated, and the association policy is applied to a scenario in which associated security events are aggregated uniformly and then a single alarm is generated. Correspondingly, the alarm configuration rule comprises a merging configuration rule and an association configuration rule, wherein the merging configuration rule is a configuration rule corresponding to an alarm strategy for aggregating security events occurring under the same condition into a single alarm result; the association type configuration rule is a configuration rule corresponding to an alarm policy which aggregates the associated security events into a single alarm result.
In practical application, when the alarm configuration rule is a merge-type configuration rule, the event aggregation condition includes a merge sub-condition, a lower limit of the merge number, and an aggregation duration, where the merge sub-condition denotes that the event objects of the security events are the same, and the aggregation duration denotes that security events within a time range are aggregated, the time range being, for example, 1h or 3h. Accordingly, step S207 may include the following steps.
S2071: and determining a first security event with the same event object from the corresponding security events according to the event object information and the merging sub-conditions to obtain a first security event set.
Specifically, the event object information may include a source IP and a destination IP, or a device identifier; correspondingly, two security events have the same event object when their source IP and destination IP are both the same, or when their device identifiers are the same.
It can be understood that, in the merging scenario, the filtering field information includes field information of a security event, and the filtered corresponding security events are the security events carrying the filtering field information, such as security events of the same category, of the same sub-category, or with the same name. The first security events obtained from the corresponding security events are therefore those that carry the filtering field information and whose event objects are identical to each other.
S2072: and determining, according to the event time information, the target event number of the first security events in the first security event set that occur within the aggregation duration.
Specifically, the event occurrence time of each first security event in the first security event set can be determined from the event time information, and the first target time period is then determined from the event occurrence time of each first security event and the aggregation duration. In some cases, the first target time period is a time period of the aggregation duration that starts at the event occurrence time of a first security event. For example, the first security event set includes 10 first security events, with event occurrence times of 1.
S2073: and if the number of the target events is greater than or equal to the preset number lower limit, determining that the target security events meeting the event aggregation condition are matched.
Specifically, the event merging number of the merging alarm strategy is limited based on the preset number lower limit, so that the alarm number and the false alarm rate can be reduced.
For example, in a merge-type alarm policy scenario, if host A continuously performs the same type of Web attack on host B (assume the behavior persists within one hour), a security event is generated each time host A performs that type of Web attack on host B. In this scenario, the multiple security events can be aggregated into one security alarm by a merge-type alarm policy (for example, "host A continuously performs a Web attack on host B within a certain period of time"), so that a large number of security events is converted into a controllable number of security alarms. For example, a merge-type configuration rule may take the form "subject:srcip,dstip filter:name->xss attack time:1-10". Here "filter:name->xss attack" is the filtering configuration item, the filtering field information is "xss attack", and the item denotes security events whose event name contains the field "xss attack"; "subject:srcip,dstip" and "time:1-10" are the event aggregation conditions, where "subject:srcip,dstip" is the merge sub-condition item, meaning that event objects are identical when the source IP and destination IP are identical, and "time:1-10" means that the aggregation duration is 1h (the merging time range is 1h) and the lower limit of the merge number is 10. The alarm policy corresponding to this merge-type configuration rule is: merge security events whose event name contains the field "xss attack", whose source IP and destination IP are the same, and which occur more than 10 times within 1h.
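As an added example (not the patent's own code), the following Python parses a merge-type rule of the form shown above and applies steps S2071 to S2073 to constructed sample events; the event field names srcip, dstip, name and ts are assumptions, and a rule that does not fit the grammar raises an error, corresponding to the parse-check branch described above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample security events (not from the patent); ts is epoch seconds.
SAMPLE_EVENTS = (
    [{"name": "xss attack", "srcip": "10.0.0.1", "dstip": "10.0.0.2", "ts": 300 * k}
     for k in range(11)]                                  # 11 events inside one hour
    + [{"name": "xss attack", "srcip": "10.0.0.3", "dstip": "10.0.0.2", "ts": 100 + 900 * k}
       for k in range(2)]                                 # too few to reach the lower limit
    + [{"name": "sql injection", "srcip": "10.0.0.1", "dstip": "10.0.0.2", "ts": 50 * k}
       for k in range(3)]                                 # removed by the filter item
)

@dataclass(frozen=True)
class MergeRule:
    subject: tuple             # event object fields that must be identical (merge sub-condition)
    filter_field: str          # event attribute field the filter item applies to
    filter_value: str          # value that field must contain, e.g. "xss attack"
    window_hours: int          # aggregation duration, "time:1" -> 1h
    min_count: int             # lower limit of merge number, "time:1-10" -> 10
    max_count: Optional[int]   # optional upper limit, "time:1-10-30" -> 30

_MERGE_RE = re.compile(
    r"^subject:(?P<subject>\w+(?:,\w+)*)\s+"
    r"filter:(?P<field>\w+)->(?P<value>.+?)\s+"
    r"time:(?P<hours>\d+)-(?P<min>\d+)(?:-(?P<max>\d+))?$"
)

def parse_merge_rule(text: str) -> MergeRule:
    """Parse a merge-type configuration rule; raise ValueError when it does not
    follow the grammar (the parse-error branch of the rule check)."""
    m = _MERGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"configuration rule cannot be parsed: {text!r}")
    return MergeRule(
        subject=tuple(m["subject"].split(",")),
        filter_field=m["field"],
        filter_value=m["value"].strip(),
        window_hours=int(m["hours"]),
        min_count=int(m["min"]),
        max_count=int(m["max"]) if m["max"] else None,
    )

def is_parseable(text: str) -> bool:
    """Rule check performed before policy generation: True when the rule parses."""
    try:
        parse_merge_rule(text)
        return True
    except ValueError:
        return False

def match_merge_rule(rule: MergeRule, events: list) -> list:
    """S2071-S2073: keep events carrying the filter value, group them by identical
    event object, count the events in a window of the aggregation duration that
    starts at each event, and emit one aggregated alarm per group that reaches
    the lower limit."""
    window = rule.window_hours * 3600
    corresponding = [e for e in events
                     if rule.filter_value in str(e.get(rule.filter_field, ""))]
    groups = defaultdict(list)                       # S2071: same event object
    for e in corresponding:
        groups[tuple(e[f] for f in rule.subject)].append(e)
    alarms = []
    for key, group in groups.items():
        times = sorted(e["ts"] for e in group)
        j = 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] < start + window:
                j += 1                               # S2072: events in [start, start+window)
            if j - i >= rule.min_count:              # S2073: compare with the lower limit
                alarms.append({"subject": dict(zip(rule.subject, key)),
                               "count": j - i, "window_start": start,
                               "window_end": start + window})
                break                                # one alarm result per event object
    return alarms
```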
In practical application, when the alarm configuration rule is an association-type configuration rule, the event aggregation condition includes an association sub-condition, an associated event timing and an aggregation duration, where the association sub-condition includes an association relation item and a preset event timing and indicates the target association relation that must hold between the event objects of the associated security events, and the aggregation duration denotes aggregation of the security events within a time range, which may be the same as or different from that of the merge type. Accordingly, step S207 may include the following steps.
S2074: and determining a second security event which occurs within the aggregation time length and has a target association relation among the event objects from the corresponding security events according to the event object information, the event time information and the association sub-conditions to obtain a second security event set.
Specifically, the event object information may include a source IP and a destination IP, or a device identifier; correspondingly, the target association relation between event objects may be a target association relation between the source IP and destination IP of the security events, or between their device identifiers. The target association relation may be determined based on prior knowledge of event associations.
Specifically, the event object information of each security event in the corresponding security events is matched with the association sub-conditions, so that the security events with the target association relationship between the event objects can be obtained. And determining the event occurrence time of each second security event in the second security event set according to the event time information. And then, according to the event occurrence time, a second security event which occurs in the aggregation duration and has a target incidence relation among the event objects can be determined. In some cases, similar to the first target time period, the second target time period may be determined according to the event occurrence time and the aggregation duration of each second security event, which is not described herein again.
It can be understood that, in the association scenario, the filtered field information includes respective field information of each security event that satisfies the target association relationship, and the filtered corresponding security event includes a security event related to the target association relationship and having the filtered field information. A second security event, i.e. event objects having filter field information and having a target association relationship with each other, is obtained from the corresponding security event.
For example, if the host a is lost after being attacked, and then the attacker manipulates the host B through the host a, two types of attack events are generated under this scenario, that is, the event a is an event that the host a is attacked and the event B is an event that the host a attacks the host B, and the corresponding filtering field information may be a field corresponding to the attack event. And because the attacker attacks the host a and handles the attack initiated by the host a, the two types of attack events can be associated through the IP of the host a, and thus the target association relationship can be that the destination IP of the event a is the same as the source IP of the event b. Based on the association type configuration rule, a plurality of events of different types in a plurality of security events can be associated, and the workload of searching events with association relations from a large number of events is greatly reduced.
S2075: a timing of a second security event in the second set of security events is determined based on the event time information.
S2076: and if the time sequence of the second security events is consistent with the associated event time sequence, determining that the target security event meeting the event aggregation condition is matched.
It is understood that there is usually a causal relationship between related class security events, so there is a sequential relationship between security events that satisfy the target relationship. Therefore, it is necessary to determine whether the timing of the second security event in the second security event set is consistent with the preset timing of the associated event. In some cases, the time sequences of the second security events in the second target time periods may be determined, and if the time sequence of the second security event in any second target time period is consistent with the time sequence of the associated event, the target security event that meets the event aggregation condition is determined.
In some cases, the event aggregation condition may further include a lower limit of the association number of each second security event in which the target association relationship exists, and the lower limit of the association number of each second security event is 1 in a default state.
Illustratively, the event aggregation condition in a specific association-type configuration rule may take the form "subject:srcip1,dstip1,srcip2,dstip2,srcip3,dstip3 relationship:dstip1=srcip2,dstip2=srcip3,dstip3=srcip1 time:1 order:1>2>3". The "relationship" item characterizes the target association relation among the three security events: the destination IP of event 1 is the same as the source IP of event 2, the destination IP of event 2 is the same as the source IP of event 3, and the destination IP of event 3 is the same as the source IP of event 1; "time:1" is the aggregation duration, corresponding to a time range of 1h; "order:1>2>3" is the associated event timing, meaning that the timing of the three security events from early to late is event 1 → event 2 → event 3. Referring to fig. 5, this example can be applied to the security event scenario shown in the figure, where event 1 is host A attacking host B, event 2 is host B attacking host C, and event 3 is host A manipulating host B so that host B communicates with host A.
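As an added example (not the patent's own code), the following Python parses the association-type rule above and implements S2074 to S2076 as a chain search over constructed events; it assumes each event already carries, in a field `no`, the event number (1, 2 or 3) assigned by the filtering stage, and it models the association number lower limit only at its default of 1.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the patent). "no" is the event number the
# filtering stage assigned; the IPs are chosen so that exactly one chain satisfies
# the rule; ts is epoch seconds.
A, B, C, D = "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"
SAMPLE_EVENTS = [
    {"no": 3, "srcip": C, "dstip": A, "ts": 50},   # relation holds but precedes event 1
    {"no": 1, "srcip": A, "dstip": B, "ts": 100},
    {"no": 2, "srcip": B, "dstip": C, "ts": 400},
    {"no": 2, "srcip": B, "dstip": D, "ts": 500},  # no event 3 continues this one
    {"no": 3, "srcip": C, "dstip": A, "ts": 900},
]
ASSOC_RULE = ("subject:srcip1,dstip1,srcip2,dstip2,srcip3,dstip3 "
              "relationship:dstip1=srcip2,dstip2=srcip3,dstip3=srcip1 time:1 order:1>2>3")

_FIELD_RE = re.compile(r"^([a-z]+)(\d+)$")

def _field(token):
    """'dstip1' -> ('dstip', 1): the event object field and the event number."""
    m = _FIELD_RE.match(token)
    if not m:
        raise ValueError(f"bad subject field: {token!r}")
    return m.group(1), int(m.group(2))

def parse_association_rule(text):
    """Parse the association-type rule items subject / relationship / time / order."""
    items = dict(tok.split(":", 1) for tok in text.split())
    relations = [tuple(_field(side) for side in rel.split("="))
                 for rel in items["relationship"].split(",")]
    return {
        "subject": [_field(f) for f in items["subject"].split(",")],
        "relations": relations,                               # ((field, n1), (field, n2))
        "window": int(items["time"]) * 3600,                  # aggregation duration, seconds
        "order": [int(n) for n in items["order"].split(">")],  # associated event timing
    }

def match_association_rule(rule, events):
    """S2074-S2076: find every chain with one event per event number that satisfies
    the target association relations, lies within one aggregation duration counted
    from the first event, and follows the associated event timing."""
    by_no = defaultdict(list)
    for e in events:
        by_no[e["no"]].append(e)
    order, chains = rule["order"], []

    def relations_hold(bound):
        # check only relations whose two events are both bound so far
        return all(bound[n1][f1] == bound[n2][f2]
                   for (f1, n1), (f2, n2) in rule["relations"]
                   if n1 in bound and n2 in bound)

    def extend(bound, depth):
        if depth == len(order):
            chains.append(dict(bound))
            return
        first_ts = bound[order[0]]["ts"] if depth else None
        prev_ts = bound[order[depth - 1]]["ts"] if depth else None
        for e in by_no[order[depth]]:
            if depth and (e["ts"] <= prev_ts or e["ts"] >= first_ts + rule["window"]):
                continue  # violates the timing (S2076) or the aggregation duration (S2074)
            bound[order[depth]] = e
            if relations_hold(bound):
                extend(bound, depth + 1)
            del bound[order[depth]]

    extend({}, 0)
    return chains
```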
Based on some or all of the above embodiments, in the embodiment of the present application, please refer to fig. 3, after step S209, the method may further include the following steps.
S211: and acquiring a target alarm result corresponding to the target alarm strategy.
S213: and performing result verification on the target alarm result based on the target configuration rule to obtain a target verification result.
In practical application, the alarm data in the security platform may be periodically obtained, and whether a target alarm result corresponding to the target alarm policy exists in the current alarm data is detected, where the period time may be 10min as an example. And if so, verifying the target alarm result based on each item in the corresponding target configuration rule. For example, in the case that the target configuration rule is a merging type configuration rule, it is verified whether the merged event object satisfies a merging sub-condition, whether the number of merged events satisfies a lower limit of the merging number, and the like. And if the target configuration rule is the association type configuration rule, verifying whether the event time sequence of the associated safety event is consistent with the associated event time sequence, whether the association relation between the event objects meets the target association relation and the like.
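As an added example (not the patent's own code), the following Python performs the result verification of S213 for both rule types against constructed alarm results and returns the list of violated configuration items; the structure of an alarm result (a list of merged events, or a chain keyed by event number) is an assumption.

```python
# Constructed rules and alarm results (not from the patent); ts is epoch seconds.
MERGE_RULE = {"subject": ("srcip", "dstip"), "min_count": 10, "window": 3600}
GOOD_MERGE_ALARM = {"events": [
    {"srcip": "10.0.0.1", "dstip": "10.0.0.2", "ts": 300 * k} for k in range(11)]}
BAD_MERGE_ALARM = {"events": [
    {"srcip": "10.0.0.1", "dstip": "10.0.0.2", "ts": 600 * k} for k in range(7)]
    + [{"srcip": "10.0.0.9", "dstip": "10.0.0.2", "ts": 100}]}   # foreign event object

ASSOC_RULE = {
    "relations": [(("dstip", 1), ("srcip", 2)), (("dstip", 2), ("srcip", 3)),
                  (("dstip", 3), ("srcip", 1))],
    "order": [1, 2, 3],
    "window": 3600,
}
GOOD_ASSOC_ALARM = {"chain": {
    1: {"srcip": "10.0.0.1", "dstip": "10.0.0.2", "ts": 100},
    2: {"srcip": "10.0.0.2", "dstip": "10.0.0.3", "ts": 400},
    3: {"srcip": "10.0.0.3", "dstip": "10.0.0.1", "ts": 900}}}

def verify_merge_alarm(alarm, rule):
    """S213 for a merge-type rule: return the violated items (empty list = verified)."""
    events = alarm["events"]
    problems = []
    objects = {tuple(e[f] for f in rule["subject"]) for e in events}
    if len(objects) != 1:                       # merge sub-condition
        problems.append("merge sub-condition: merged events do not share one event object")
    if len(events) < rule["min_count"]:         # lower limit of merge number
        problems.append(f"merge number: {len(events)} below lower limit {rule['min_count']}")
    ts = [e["ts"] for e in events]
    if max(ts) - min(ts) >= rule["window"]:     # aggregation duration
        problems.append("aggregation duration: merged events span more than the window")
    return problems

def verify_association_alarm(alarm, rule):
    """S213 for an association-type rule: check relations, timing and duration."""
    chain = alarm["chain"]                      # event number -> associated event
    problems = []
    for (f1, n1), (f2, n2) in rule["relations"]:
        if chain[n1][f1] != chain[n2][f2]:      # target association relation
            problems.append(f"target association: {f1}{n1} != {f2}{n2}")
    ts = [chain[n]["ts"] for n in rule["order"]]
    if any(a >= b for a, b in zip(ts, ts[1:])): # associated event timing
        problems.append("associated event timing: events are not in the configured order")
    if ts[-1] - ts[0] >= rule["window"]:        # aggregation duration
        problems.append("aggregation duration: chain spans more than the window")
    return problems
```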
Based on some or all of the above embodiments, in the embodiments of the present application, please refer to fig. 4, after step S209, the method may further include the following steps.
S215: and acquiring statistical information of a target alarm result corresponding to the target alarm strategy within a preset time length.
S217: and optimizing the target configuration rule based on the statistical information to obtain an updated target configuration rule.
Specifically, the preset time duration may be set based on actual requirements, and the preset time duration may be the same as the aggregation time duration or different from the aggregation time duration.
Specifically, steps S215 and S217 may be performed periodically to iteratively optimize the target configuration rule.
In practical application, if the target configuration rule is a merging configuration rule, the statistical information includes the alarm quantity of the target alarm result within a preset time length. Correspondingly, step S217 may specifically include S2171: and if the alarm quantity is greater than the first alarm threshold value, increasing the lower limit of the merging quantity of the target configuration rule to obtain the updated target configuration rule.
Specifically, the lower limit of the merging number may be adjusted in an incremental manner, and for example, the incremental number of the lower limit of the merging number may be 2 each time the optimization process is performed. Therefore, the lower limit of the merging quantity is gradually increased to determine the optimal lower limit of the merging quantity, and the target alarm result within the preset duration is within a certain quantity range.
It can be understood that if the alarm quantity is smaller than the third alarm threshold, and the third alarm threshold is smaller than the first alarm threshold, the lower limit of the merging quantity of the target configuration rule is reduced, the updated target configuration rule is obtained, and further risk missing report is avoided.
Further, in some cases, the event aggregation condition further includes an upper merging number limit, and the method may further include S2172: and if the alarm quantity is greater than the first alarm threshold value and the lower limit of the merging quantity of the target configuration rule is increased to be greater than or equal to the upper limit of the corresponding merging quantity, increasing the aggregation time length of the target configuration rule.
Specifically, in the iterative optimization process, if the lower limit of the merging number is adjusted to be greater than or equal to the upper limit of the merging number, but the alarm number of the target alarm result in the preset time duration is still greater than the first alarm threshold, the aggregation time duration is increased to reduce the generated alarm number in the preset time duration. Similarly, the aggregation time duration may be adjusted in an incremental manner, and for example, the increment of the aggregation time duration may be 1h each time the optimization processing is performed.
Based on the foregoing sample "subject:srcip,dstip filter:name->xss attack time:1-10", with an upper limit of the merge number of 30 added, the sample becomes "subject:srcip,dstip filter:name->xss attack time:1-10-30". When the lower limit of the merge number is less than 30, the target configuration rule is optimized by increasing the lower limit incrementally; once the lower limit of the merge number reaches 30, the target configuration rule is optimized by increasing the aggregation duration incrementally.
In practical application, if the target configuration rule is an association-type configuration rule, the event aggregation condition further includes a lower limit of the association number of the security events; the statistical information includes the alarm number of the target alarm result within the preset duration and the event number of each corresponding second security event. Accordingly, step S217 may specifically include the following steps.
S2173: and if the alarm quantity is greater than a second alarm threshold value, determining the second safety event with the maximum quantity according to the event quantity of the corresponding second safety event.
S2174: and increasing the lower limit of the correlation number corresponding to the second security event with the largest number in the target configuration rule to obtain the updated target configuration rule.
Specifically, the event aggregation condition further includes a lower limit of the respective association number of the various security events involved in the target configuration rule. As in the scenario of fig. 5, there is a lower limit to the number of associations for each of event 1, event 2, and event 3. In some cases, the initial lower bound of the number of associations for the target alarm rule may be all 1.
Specifically, the preset durations corresponding to the association-type configuration rule and the merge-type configuration rule may be the same or different. In the optimization scenario of an association-type configuration rule, besides obtaining the alarm number of the target alarm result, the event number of each kind of second security event corresponding to the target configuration rule that occurred within the preset duration needs to be determined; the second security event with the largest event number is then determined and its corresponding lower limit of the association number is increased. Similarly, the lower limit of the association number may be adjusted in the incremental manner described above.
Taking the scenario of fig. 5, with the preset duration set to 3h, the number of alarms in the past 3h is obtained together with the event numbers of event 1, event 2 and event 3 in the past 3h; for example, the event numbers of event 1, event 2 and event 3 are 1, 3 and 10 respectively. If the alarm number is greater than or equal to the second alarm threshold, the lower limit of the association number of event 3 in the event aggregation condition of the target configuration rule is increased, each increment being 2 for example; that is, the corresponding alarm policy is adjusted so that no security alarm is generated until the number of event 3 occurrences reaches 2.
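As an added example (not the patent's own code), the following Python implements one pass and the periodic iteration of the optimization in S2171/S2172 and S2173/S2174, and keeps an optimization record per pass; the increment of 2 per pass and the 1h aggregation duration increment follow the text, while the floor of 1 for a lowered merge limit is an added assumption.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class MergeParams:
    window_hours: int          # aggregation duration
    min_count: int             # lower limit of merge number
    max_count: Optional[int]   # upper limit of merge number (None = no upper limit)

STEP = 2          # increment of a lower limit per optimization pass (page example)
WINDOW_STEP = 1   # increment of the aggregation duration in hours (page example)
FLOOR = 1         # assumed floor when a lower limit is reduced (not stated on the page)

def optimize_merge(rule, alarm_count, first_threshold, third_threshold):
    """One optimization pass for a merge-type rule: S2171, S2172 and the lowering
    branch. Returns the updated rule and an optimization record."""
    if alarm_count > first_threshold:
        if rule.max_count is not None and rule.min_count >= rule.max_count:
            # S2172: lower limit already at the upper limit -> widen the window
            new = replace(rule, window_hours=rule.window_hours + WINDOW_STEP)
        else:
            # S2171: raise the lower limit, never beyond the upper limit
            target = rule.min_count + STEP
            if rule.max_count is not None:
                target = min(target, rule.max_count)
            new = replace(rule, min_count=target)
    elif alarm_count < third_threshold:
        # too few alarms: lower the limit to avoid missed reports
        new = replace(rule, min_count=max(rule.min_count - STEP, FLOOR))
    else:
        new = rule
    record = {"alarm_count": alarm_count, "before": rule, "after": new}
    return new, record

def iterate_merge(rule, alarm_counts, first_threshold, third_threshold):
    """Run optimize_merge once per statistics period (S215/S217 performed
    periodically); returns the final rule and the list of optimization records."""
    records = []
    for count in alarm_counts:
        rule, rec = optimize_merge(rule, count, first_threshold, third_threshold)
        records.append(rec)
    return rule, records

def optimize_association(min_counts, alarm_count, second_threshold, event_counts):
    """S2173/S2174: when the alarm number exceeds the second threshold, raise the
    association number lower limit of the most frequent second security event.
    min_counts and event_counts map event number -> value."""
    new = dict(min_counts)
    if alarm_count > second_threshold:
        busiest = max(event_counts, key=event_counts.get)
        new[busiest] = new.get(busiest, 1) + STEP
    return new
```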
Based on some or all of the foregoing embodiments, in this application example, the method further includes storing an optimization record of the optimization processing. Specifically, the target configuration rules before and after optimization and the corresponding target alarm policies are stored, so that positioning and troubleshooting can be performed quickly when subsequent manual intervention is needed or a problem occurs. The stored optimization record may include at least one of: the optimization time, the name of the optimized policy (or a policy ID or other policy identifier), the name, quantity and time object information of the security events associated with the optimized configuration rule, the configuration rule before optimization and its corresponding alarm policy, the configuration rule after optimization and its corresponding alarm policy, and version information of the configuration rule and the alarm policy.
Furthermore, the operation data related to the steps of the application can be stored and/or output to a corresponding page, so that an analyst can conveniently view and perform alarm analysis.
Based on the technical scheme, the alarm strategy can be automatically generated based on the existing alarm configuration rules in the security event and configuration rule base for alarm analysis of subsequent security events, alarm strategy configuration of different platforms or different systems is not required to be manually performed, data browsing amount of analysts is reduced, security events with abnormal relations can be quickly and automatically found out from a large amount of data, and efficiency of alarm strategy generation and corresponding alarm analysis is effectively improved. In addition, the existing alarm strategy can be optimized and adjusted based on the alarm result so as to reasonably control the alarm data volume.
An alarm policy generating device 700 is further provided in an embodiment of the present application, as shown in fig. 6, fig. 6 is a schematic structural diagram of an alarm policy generating device provided in an embodiment of the present application, where the device may include:
the event information acquisition module 10: configured to acquire event description information of a plurality of security events, where the event description information includes event object information, event attribute information and event time information of the security events;
the configuration rule acquisition module 20: configured to acquire an alarm configuration rule from a configuration rule base, where the alarm configuration rule includes filtering field information and an event aggregation condition;
the first matching module 30: configured to match the alarm configuration rules in the configuration rule base with the plurality of security events according to the filtering field information and the event attribute information, to obtain a target configuration rule and corresponding security events;
the second matching module 40: configured to match the security events in the corresponding security events with the event aggregation condition of the target configuration rule according to the event object information and the event time information;
the alarm policy generation module 50: configured to generate, if a target security event meeting the event aggregation condition is matched, a corresponding alarm policy based on the target configuration rule for alarm analysis of security events.
In some embodiments, the alarm configuration rules include a merging configuration rule, where the merging configuration rule is a configuration rule corresponding to an alarm policy that aggregates security events occurring under the same condition into a single alarm result; the event aggregation condition comprises a merging sub-condition, a merging quantity lower limit and an aggregation duration, wherein the merging sub-condition represents that the event objects of the safety event are the same; the second matching module 40 may include:
a first security event determination unit: configured to determine first security events with the same event object from the corresponding security events according to the event object information and the merge sub-condition, to obtain a first security event set;
a target event number determination unit: configured to determine, according to the event time information, the target event number of first security events in the first security event set that occur within the aggregation duration;
a first matching unit: configured to determine, if the target event number is greater than or equal to the preset number lower limit, that a target security event meeting the event aggregation condition is matched.
In some embodiments, the alarm configuration rules include association-class configuration rules, which are configuration rules corresponding to an alarm policy that aggregates associated security events into a single alarm result; the event aggregation condition comprises an association sub-condition, an association event time sequence and an aggregation duration, wherein the association sub-condition indicates a target association relation required to be met among event objects of the associated security events; the second matching module 40 may include:
a second security event determination unit: configured to determine, from the corresponding security events and according to the event object information, the event time information and the association sub-condition, second security events that occur within the aggregation duration and whose event objects have the target association relation, to obtain a second security event set;
an event timing determination unit: configured to determine the timing of the second security events in the second security event set based on the event time information;
a second matching unit: configured to determine, if the timing of the second security events is consistent with the associated event timing, that a target security event meeting the event aggregation condition is matched.
In some embodiments, after generating a corresponding target alarm policy based on the target configuration rule for alarm analysis of the security event if the target security event meeting the event aggregation condition is matched, the apparatus further includes:
an alarm result acquisition module: configured to acquire a target alarm result corresponding to the target alarm policy;
a result verification module: configured to perform result verification on the target alarm result based on the target configuration rule, to obtain a target verification result.
In some embodiments, after generating a corresponding target alarm policy based on the target configuration rule for alarm analysis of the security event if the target security event meeting the event aggregation condition is matched, the apparatus further includes:
a statistical information acquisition module: configured to acquire statistical information of the target alarm result corresponding to the target alarm policy within a preset duration;
an optimization processing module: configured to optimize the target configuration rule based on the statistical information, to obtain an updated target configuration rule.
In some embodiments, if the target configuration rule is a merging configuration rule, the statistical information includes the alarm number of the target alarm result within a preset duration; the optimization processing module comprises a merging quantity adjusting unit: and if the alarm quantity is greater than the first alarm threshold, increasing the lower limit of the merging quantity of the target configuration rule to obtain the updated target configuration rule.
In some embodiments, the event aggregation condition further includes an upper limit of the merging number, and the optimization processing module further includes an aggregation duration adjustment unit: and if the alarm quantity is greater than the first alarm threshold value and the lower limit of the merging quantity of the target configuration rule is increased to be greater than or equal to the upper limit of the corresponding merging quantity, increasing the aggregation time length of the target configuration rule.
In some embodiments, if the target configuration rule is an association-class configuration rule, the event aggregation condition further includes a lower limit of the association number of the security events; the statistical information comprises the alarm quantity of the target alarm result in the preset time length and the corresponding event quantity of the second safety event; the optimization processing module comprises:
an event number determination unit: the alarm quantity is greater than a second alarm threshold value, and the second safety events with the maximum quantity are determined according to the event quantity of the corresponding second safety events;
an association number adjustment unit: and the lower limit of the correlation number corresponding to the second security event with the largest number in the target configuration rule is increased to obtain the updated target configuration rule.
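The three feedback embodiments above (raise the merging lower limit while alarms stay noisy, lengthen the aggregation window once that limit hits its ceiling, and for association rules raise the lower limit of the noisiest second event) can be read as one tuning step applied to a rule's copy. The following is an added illustration of that logic, not the applicant's code; the class names, the step sizes and the sample thresholds are assumptions.

```python
"""Feedback tuning of a matched configuration rule from alarm statistics.
Added illustration; TuningRule, AlarmStatistics, tune_rule, the step sizes
and all sample values are constructed for this example."""
from dataclasses import dataclass, field, replace
from typing import Dict


@dataclass
class TuningRule:
    name: str
    kind: str                      # "merge" or "association"
    aggregation_seconds: int       # aggregation duration
    merge_lower_limit: int = 0     # merge-type: events needed before one alarm is produced
    merge_upper_limit: int = 0     # merge-type: ceiling the lower limit may not exceed
    # association-class: second event type -> minimum number of that event required
    association_lower_limit: Dict[str, int] = field(default_factory=dict)


@dataclass
class AlarmStatistics:
    alarm_count: int               # alarms this rule produced in the preset duration
    # association-class only: how often each second event type occurred in the window
    second_event_counts: Dict[str, int] = field(default_factory=dict)


def tune_rule(rule: TuningRule, stats: AlarmStatistics, alarm_threshold: int,
              step: int = 1, duration_step: int = 60) -> TuningRule:
    """Return the updated rule; the input rule is left untouched so the rule base
    can keep the old version until the new one has been verified."""
    updated = replace(rule)
    if stats.alarm_count <= alarm_threshold:
        return updated                         # alarm volume acceptable: no change
    if rule.kind == "merge":
        # raise the merging lower limit, capped at the upper limit
        new_limit = min(rule.merge_lower_limit + step, rule.merge_upper_limit)
        updated.merge_lower_limit = new_limit
        if new_limit >= rule.merge_upper_limit:
            # limit is at its ceiling: widen the aggregation window instead
            updated.aggregation_seconds = rule.aggregation_seconds + duration_step
    elif rule.kind == "association" and stats.second_event_counts:
        # the second event type seen most often drives the alarm volume
        noisiest = max(stats.second_event_counts, key=stats.second_event_counts.get)
        limits = dict(rule.association_lower_limit)
        limits[noisiest] = limits.get(noisiest, 0) + step
        updated.association_lower_limit = limits
    return updated


if __name__ == "__main__":
    # constructed sample: a merge rule that fires 50 times against a threshold of 20
    rule = TuningRule("repeated_login_failure", "merge", 60,
                      merge_lower_limit=5, merge_upper_limit=7)
    for _ in range(3):
        rule = tune_rule(rule, AlarmStatistics(alarm_count=50), alarm_threshold=20)
        print(rule.merge_lower_limit, rule.aggregation_seconds)
```

Each call is one optimisation round over one preset duration; the verification step described for the alarm result is where a practitioner would check the updated rule still produces the alarms the original did before swapping it into the rule base.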
The above-described apparatus embodiments and method embodiments are based on the same implementation.
The embodiment of the present application provides an alarm policy generation device, where the alarm policy generation device includes a processor and a memory, where the memory stores at least one instruction or at least one program, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the alarm policy generation method provided in the foregoing method embodiment.
The memory may be used to store software programs and modules, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory. The memory may mainly comprise a program storage area and a data storage area, wherein the program storage area may store an operating system, application programs needed by the functions, and the like, and the data storage area may store data created according to use of the device, and the like. Further, the memory may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. Accordingly, the memory may also include a memory controller to provide the processor with access to the memory.
The method provided by the embodiment of the application can be executed on a mobile terminal, a computer terminal, a server or a similar computing device. Taking execution on a server as an example, fig. 7 is a block diagram of the hardware structure of the server for the alarm policy generation method provided in the embodiment of the present application. As shown in FIG. 7, the server 800 may vary considerably depending on its configuration or performance, and may include one or more Central Processing Units (CPUs) 810 (the processor 810 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 830 for storing data, and one or more storage media 820 (e.g., one or more mass storage devices) storing applications 823 or data 822. Memory 830 and storage medium 820 may be, among other things, transitory or persistent storage. The program stored in the storage medium 820 may include one or more modules, each of which may include a series of instruction operations in the server. Still further, the central processor 810 may be configured to communicate with the storage medium 820 to execute the series of instruction operations in the storage medium 820 on the server 800. The server 800 may also include one or more power supplies 860, one or more wired or wireless network interfaces 850, one or more input-output interfaces 840, and/or one or more operating systems 821, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The input-output interface 840 may be used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the server 800. In one example, the input-output interface 840 includes a Network Interface Controller (NIC) that may be coupled to other network devices via a base station to communicate with the Internet. In one example, the input-output interface 840 may be a Radio Frequency (RF) module, which is used to communicate with the Internet in a wireless manner.
It will be understood by those skilled in the art that the structure shown in fig. 7 is only an illustration and is not intended to limit the structure of the electronic device. For example, server 800 may also include more or fewer components than shown in FIG. 7, or have a different configuration than shown in FIG. 7.
Embodiments of the present application further provide a computer-readable storage medium, where the storage medium may be disposed in a server to store at least one instruction or at least one program for implementing an alarm policy generation method in the method embodiments, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the alarm policy generation method provided in the method embodiments.
Alternatively, in this embodiment, the storage medium may be located in at least one network server of a plurality of network servers of a computer network. Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations described above.
As can be seen from the embodiments of the method, the apparatus, the device, the server, the program product, or the storage medium for generating an alarm policy provided by the present application, event description information of a plurality of security events is obtained, where the event description information includes event object information, event attribute information, and event time information of the security events; alarm configuration rules including filtering field information and event aggregation conditions are acquired from a configuration rule base; the alarm configuration rules in the configuration rule base are then matched with the plurality of security events according to the filtering field information and the event attribute information to obtain target configuration rules and corresponding security events; the security events in the corresponding security events are matched with the event aggregation conditions of the target configuration rule according to the event object information and the event time information; and if target security events meeting the event aggregation conditions are matched, a corresponding alarm policy is generated based on the target configuration rule. According to this technical scheme, automatic generation of the alarm policy is achieved by matching the configuration rule base against the security data, so the alarm policy does not need to be configured manually, and the method can be applied to different security platforms and service systems, which greatly reduces the repetitive labor of alarm policy configuration and effectively improves the generation efficiency of the alarm policy.
In addition, the matched alarm configuration rule is determined from the configuration rule base based on the security event data, and only then is an alarm policy generated, so the correlation between the alarm policy and the security events to be analyzed is improved, the number of invalid alarm policies is reduced, and the alarm analysis efficiency is improved.
It should be noted that: the sequence of the embodiments of the present application is only for description, and does not represent the advantages and disadvantages of the embodiments. And specific embodiments thereof have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, device and storage medium embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to some descriptions of the method embodiments for relevant points.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program to instruct the relevant hardware to implement, and the program may be stored in a computer-readable storage medium, where the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The present invention is not limited to the above embodiments, and any modifications, equivalents, improvements, etc. within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An alarm policy generation method, the method comprising:
acquiring event description information of a plurality of security events, wherein the event description information comprises event object information, event attribute information and event time information of the security events;
acquiring an alarm configuration rule from a configuration rule base, wherein the alarm configuration rule comprises filtering field information and event aggregation conditions;
matching the alarm configuration rules in the configuration rule base with the plurality of security events according to the filtering field information and the event attribute information to obtain target configuration rules and corresponding security events;
according to the event object information and the event time information, matching the security events in the corresponding security events with the event aggregation conditions of the target configuration rule;
and if the target security event meeting the event aggregation condition is matched, generating a corresponding alarm strategy based on the target configuration rule for alarm analysis of the security event.
2. The method of claim 1, wherein the alarm configuration rules include a merge type configuration rule, and the merge type configuration rule is a configuration rule corresponding to an alarm policy that aggregates security events occurring under the same condition into a single alarm result; the event aggregation condition comprises a merging sub-condition, a merging quantity lower limit and an aggregation duration, wherein the merging sub-condition represents that the event objects of the security event are the same;
the matching, according to the event object information and the event time information, the security event in the corresponding security event with the event aggregation condition of the target configuration rule includes:
determining a first security event with the same event object from the corresponding security events according to the event object information and the merging sub-conditions to obtain a first security event set;
determining the target event number of first security events which occur in the first security event set within the aggregation time length according to the event time information;
and if the number of the target events is greater than or equal to a preset number lower limit, determining that the target security events meeting the event aggregation condition are matched.
3. The method of claim 1, wherein the alarm configuration rules include association-class configuration rules, and the association-class configuration rules are configuration rules corresponding to alarm policies that aggregate associated security events into a single alarm result; the event aggregation condition comprises an association sub-condition, an association event time sequence and an aggregation time length, wherein the association sub-condition indicates a target association relation required to be met among event objects of the associated security events;
the matching, according to the event object information and the event time information, the security event in the corresponding security event with the event aggregation condition of the target configuration rule includes:
determining a second security event which occurs within the aggregation time length and has the target association relation among the event objects from the corresponding security events according to the event object information, the event time information and the association sub-conditions to obtain a second security event set;
determining a timing of a second security event in the second set of security events based on the event time information;
and if the time sequence of the second security event is consistent with the time sequence of the associated event, determining that the target security event meeting the event aggregation condition is matched.
4. The method according to any one of claims 1 to 3, wherein after the target security event satisfying the event aggregation condition is matched, generating a corresponding target alarm policy based on the target configuration rule for alarm analysis of the security event, the method further comprises:
acquiring a target alarm result corresponding to the target alarm strategy;
and performing result verification on the target alarm result based on the target configuration rule to obtain a target verification result.
5. The method according to claim 2 or 3, wherein after the target security event satisfying the event aggregation condition is matched and the corresponding target alarm policy is generated based on the target configuration rule for alarm analysis of the security event, the method further comprises:
acquiring statistical information of a target alarm result corresponding to the target alarm strategy within a preset time length;
and optimizing the target configuration rule based on the statistical information to obtain an updated target configuration rule.
6. The method according to claim 5, wherein if the target configuration rule is a merge configuration rule, the statistical information includes the number of alarms of the target alarm result within the preset duration;
the optimizing the target configuration rule based on the statistical information to obtain an updated target configuration rule includes:
and if the alarm quantity is greater than a first alarm threshold value, increasing the lower limit of the merging quantity of the target configuration rule to obtain the updated target configuration rule.
7. The method of claim 6, wherein the event aggregation condition further comprises an upper merging quantity limit, the method further comprising:
and if the alarm quantity is greater than the first alarm threshold value and the lower limit of the merging quantity of the target configuration rule is increased to be greater than or equal to the upper limit of the corresponding merging quantity, increasing the aggregation time length of the target configuration rule.
8. The method according to claim 5, wherein if the target configuration rule is an association-class configuration rule, the event aggregation condition further includes a lower limit of the association number of security events; the statistical information comprises the alarm number of the target alarm result and the event number of the corresponding second safety event in the preset time length;
the optimizing the target configuration rule based on the statistical information to obtain an updated target configuration rule comprises:
if the alarm quantity is larger than a second alarm threshold value, determining a second safety event with the maximum quantity according to the event quantity of the corresponding second safety event;
and increasing the lower limit of the correlation number corresponding to the second security event with the maximum number in the target configuration rule to obtain the updated target configuration rule.
9. An alarm policy generation apparatus, the apparatus comprising:
an event information acquisition module, configured to acquire event description information of a plurality of security events, wherein the event description information comprises event object information, event attribute information and event time information of the security events;
a configuration rule acquisition module, configured to acquire an alarm configuration rule from a configuration rule base, wherein the alarm configuration rule comprises filtering field information and event aggregation conditions;
a first matching module, configured to match the alarm configuration rules in the configuration rule base with the plurality of security events according to the filtering field information and the event attribute information to obtain target configuration rules and corresponding security events;
a second matching module, configured to match the security events in the corresponding security events with the event aggregation conditions of the target configuration rule according to the event object information and the event time information;
an alarm policy generation module, configured to generate, if the target security event meeting the event aggregation condition is matched, a corresponding alarm policy based on the target configuration rule for alarm analysis of the security event.
10. A computer readable storage medium having stored therein at least one instruction or at least one program, the at least one instruction or the at least one program being loaded and executed by a processor to implement the alert policy generation method of any one of claims 1-8.
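Claims 1 to 3 describe a three-stage matcher: select rules by filter field against event attributes, then test a merge-type condition (same event object, enough events inside the aggregation window) or an association-class condition (events whose objects satisfy the association relation, in the required time order). The following is an added example of that matcher in Python, not the applicant's code; the SecurityEvent and AlarmRule classes, the "src"/"dst"/"type" field names and the sample events are all constructed, and the sliding-window count and the chain search are this example's own way of implementing the two conditions.

```python
"""Rule matching as laid out in claims 1 to 3. Added illustration; every class,
field name, function and sample event here is constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class SecurityEvent:
    objects: Dict[str, str]   # event object information (e.g. source host, target host)
    attrs: Dict[str, str]     # event attribute information that filter fields match on
    time: datetime            # event time information


@dataclass
class AlarmRule:
    name: str
    kind: str                        # "merge" or "association"
    filter_fields: Dict[str, str]    # filtering field information: attribute -> required value
    aggregation_seconds: int         # aggregation duration
    merge_key: Optional[str] = None  # merge sub-condition: events sharing this object merge
    merge_lower_limit: int = 0       # merging quantity lower limit
    relation: Optional[Callable[["SecurityEvent", "SecurityEvent"], bool]] = None  # association sub-condition
    event_sequence: List[str] = field(default_factory=list)  # associated event time sequence


def filter_events(rule: AlarmRule, events: List[SecurityEvent]) -> List[SecurityEvent]:
    """Claim 1: the events whose attributes satisfy every filter field of the rule."""
    return [e for e in events
            if all(e.attrs.get(k) == v for k, v in rule.filter_fields.items())]


def match_merge(rule: AlarmRule, events: List[SecurityEvent]) -> List[str]:
    """Claim 2: group by event object, count events inside a sliding aggregation
    window, and report the objects reaching the merging quantity lower limit."""
    window = timedelta(seconds=rule.aggregation_seconds)
    by_object: Dict[str, List[SecurityEvent]] = {}
    for e in events:
        by_object.setdefault(e.objects[rule.merge_key], []).append(e)
    hits = []
    for obj, evs in by_object.items():
        evs.sort(key=lambda e: e.time)
        best, j = 0, 0
        for i in range(len(evs)):
            while evs[i].time - evs[j].time > window:   # slide the window start forward
                j += 1
            best = max(best, i - j + 1)
        if best >= rule.merge_lower_limit:
            hits.append(obj)
    return hits


def match_association(rule: AlarmRule, events: List[SecurityEvent]) -> List[List[SecurityEvent]]:
    """Claim 3: chains of events inside the aggregation window whose objects satisfy
    the association relation and whose time order equals the required sequence."""
    window = timedelta(seconds=rule.aggregation_seconds)
    evs = sorted(events, key=lambda e: e.time)
    chains: List[List[SecurityEvent]] = []

    def extend(chain: List[SecurityEvent]) -> None:
        if len(chain) == len(rule.event_sequence):
            chains.append(chain)
            return
        wanted, last = rule.event_sequence[len(chain)], chain[-1]
        for e in evs:
            if any(e is c for c in chain) or e.time < last.time:
                continue                              # next step must not precede the last
            if e.time - chain[0].time > window:
                break                                 # evs is sorted: nothing later fits
            if e.attrs.get("type") == wanted and rule.relation(last, e):
                extend(chain + [e])

    for e in evs:
        if e.attrs.get("type") == rule.event_sequence[0]:
            extend([e])
    return chains


def generate_alarm_policies(rules: List[AlarmRule], events: List[SecurityEvent]) -> Dict[str, list]:
    """Rule name -> matched targets for each rule whose aggregation condition is met;
    each entry is what an alarm policy would be generated from."""
    result: Dict[str, list] = {}
    for rule in rules:
        candidates = filter_events(rule, events)           # target rule + corresponding events
        if rule.kind == "merge":
            hits = match_merge(rule, candidates)
        else:
            hits = [[e.attrs["type"] for e in c] for c in match_association(rule, candidates)]
        if hits:
            result[rule.name] = hits
    return result


T0 = datetime(2021, 8, 18, 9, 0, 0)   # constructed base time for the sample events


def _ev(src, dst, typ, category, secs):
    return SecurityEvent({"src": src, "dst": dst}, {"type": typ, "category": category},
                         T0 + timedelta(seconds=secs))


SAMPLE_EVENTS = (
    [_ev("10.0.0.5", "srv-1", "login_failed", "auth", 10 * i) for i in range(5)]    # 5 in 40 s
    + [_ev("10.0.0.9", "srv-1", "login_failed", "auth", 100 * i) for i in range(2)]  # too sparse
    + [_ev("10.0.0.7", "srv-2", "port_scan", "network", 5),
       _ev("10.0.0.7", "srv-2", "login_success", "auth", 40),   # scan then login: matched
       _ev("10.0.0.8", "srv-3", "login_success", "auth", 5),
       _ev("10.0.0.8", "srv-3", "port_scan", "network", 40)]    # wrong order: not matched
)

SAMPLE_RULES = [
    AlarmRule("repeated_login_failure", "merge", {"type": "login_failed"}, 60,
              merge_key="src", merge_lower_limit=5),
    AlarmRule("scan_then_login", "association", {}, 60,   # empty filter: applies to all events
              relation=lambda a, b: a.objects["src"] == b.objects["src"]
              and a.objects["dst"] == b.objects["dst"],
              event_sequence=["port_scan", "login_success"]),
]

if __name__ == "__main__":
    print(generate_alarm_policies(SAMPLE_RULES, SAMPLE_EVENTS))
```

The sample run matches the merge rule only for the source that produced five failures inside one 60-second window, and the association rule only for the pair where the scan precedes the login; the reversed pair on srv-3 is rejected by the time-order check even though its objects satisfy the relation.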

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110947247.4A CN115712646A (en) 2021-08-18 2021-08-18 Alarm strategy generation method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110947247.4A CN115712646A (en) 2021-08-18 2021-08-18 Alarm strategy generation method, device and storage medium

Publications (1)

Publication Number Publication Date
CN115712646A true CN115712646A (en) 2023-02-24

Family

ID=85229910

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110947247.4A Pending CN115712646A (en) 2021-08-18 2021-08-18 Alarm strategy generation method, device and storage medium

Country Status (1)

Country Link
CN (1) CN115712646A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116016121A (en) * 2023-03-24 2023-04-25 卡奥斯工业智能研究院(青岛)有限公司 Method, device, equipment and storage medium for determining associated data of alarm data
CN116016121B (en) * 2023-03-24 2023-07-18 卡奥斯工业智能研究院(青岛)有限公司 Method, device, equipment and storage medium for determining associated data of alarm data
CN116560937A (en) * 2023-03-27 2023-08-08 中国华能集团有限公司北京招标分公司 Alarm engine using method
CN116560937B (en) * 2023-03-27 2024-02-27 中国华能集团有限公司北京招标分公司 Alarm engine using method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination