CN115834345A - Alarm data processing method, device, equipment and medium - Google Patents


Info

Publication number
CN115834345A
Authority
CN
China
Prior art keywords
alarm
data
preset
degree
processing
Legal status
Pending
Application number
CN202211437587.3A
Other languages
Chinese (zh)
Inventor
张天力
Current Assignee
Kangjian Information Technology Shenzhen Co Ltd
Original Assignee
Kangjian Information Technology Shenzhen Co Ltd


Abstract

The invention relates to the technical field of data processing and discloses a method, a device, equipment and a medium for processing alarm data. The method comprises: obtaining alarm log data of target equipment; classifying the alarm log data based on a preset feature classification rule to obtain alarm feature data of multiple categories; acquiring the alarm degree data corresponding to each category of alarm feature data based on a preset alarm degree relation table and generating an alarm degree data set; inputting the alarm degree data set into a preset confidence model to output the confidence of the alarm log data; judging whether the confidence is greater than a preset confidence threshold; and, if it is, generating an alarm message based on the alarm feature data. The method, device, equipment and medium for processing alarm data improve the processing efficiency of alarm data.

Description

Alarm data processing method, device, equipment and medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a medium for processing alarm data.
Background
In security operations, network devices may be attacked over the network while running and produce abnormal alarm data. Security personnel need to monitor the generated alarm data in real time in order to analyze the alarm problem.
However, the volume of network attacks is increasing, and security personnel have to process a large amount of alarm data. Their processing efficiency for alarm data is low and cannot meet the requirements of security operations.
Disclosure of Invention
In view of the above-mentioned shortcomings of the prior art, an object of the present invention is to provide a method, an apparatus, a device and a medium for processing alarm data, which can improve the processing efficiency of the alarm data.
In a first aspect, a method for processing alarm data is provided, including:
acquiring alarm log data of target equipment;
classifying the alarm log data based on a preset feature classification rule to obtain alarm feature data of multiple categories;
acquiring alarm degree data corresponding to each category of alarm characteristic data based on a preset alarm degree relation table;
summarizing the alarm degree data corresponding to each category of alarm characteristic data to generate an alarm degree data set;
inputting the alarm degree data set into a preset confidence model to output the confidence of the alarm log data;
judging whether the confidence is greater than a preset confidence threshold;
and if the confidence is not greater than the preset confidence threshold, determining the alarm characteristic data as invalid alarm data.
In a second aspect, an apparatus for processing alarm data is provided, including:
an acquisition module for acquiring alarm log data of the target equipment;
a classification module for classifying the alarm log data based on a preset characteristic classification rule to acquire alarm characteristic data of a plurality of categories;
a processing module for acquiring the alarm degree data corresponding to each category of alarm characteristic data based on a preset alarm degree relation table;
a summarizing module for summarizing the alarm degree data corresponding to each category of alarm characteristic data to generate an alarm degree data set;
a generating module for inputting the alarm degree data set into a preset confidence model to output the confidence of the alarm log data;
a judging module for judging whether the confidence is greater than a preset confidence threshold;
and a pushing module for generating an alarm message based on the alarm characteristic data if the confidence is greater than the preset confidence threshold, and determining the alarm characteristic data as invalid alarm data if the confidence is not greater than the preset confidence threshold.
In a third aspect, a computer device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the steps of the method for processing alarm data are implemented.
In a fourth aspect, a computer-readable storage medium is provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the above-mentioned alarm data processing method.
In the scheme implemented by the method, device, equipment and medium for processing alarm data, the server obtains the alarm log data of the target equipment. Because the alarm log data contains data of different categories, it can be classified based on preset characteristic classification rules to obtain alarm characteristic data of multiple categories. Based on a preset alarm degree relation table, the alarm degree data corresponding to each category of alarm characteristic data can be obtained, and an alarm degree data set is generated. Calculating the confidence of the whole alarm log data from the alarm degree of each category of data improves the accuracy of the confidence. Therefore, the alarm degree data set is input into a preset confidence model, which outputs the confidence of the alarm log data. Finally, it is judged whether the confidence is greater than a preset confidence threshold; if so, an alarm message is generated based on the alarm characteristic data, and if not, the alarm characteristic data is determined to be invalid alarm data. In the invention, the confidence of the alarm log data is calculated from the various categories of characteristic data so as to retain credible alarm data and remove invalid alarm data, thereby improving the processing efficiency of alarm data.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of an application environment of a method for processing alarm data according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a method for processing alarm data according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating one embodiment of step S10 of FIG. 2;
FIG. 4 is a flowchart illustrating one embodiment of step S20 of FIG. 2;
FIG. 5 is a flowchart illustrating one embodiment of step S70 of FIG. 2;
FIG. 6 is a schematic flow chart diagram illustrating one embodiment of FIG. 2 after step S70;
FIG. 7 is a flowchart illustrating one embodiment of step S713 of FIG. 6;
FIG. 8 is a schematic diagram of a structure of an apparatus for processing alarm data according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a computer apparatus according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of another embodiment of a computer device.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The method for processing alarm data provided by the embodiment of the present invention may be applied to an application environment as shown in fig. 1, where the server 110 may serve as a security processing platform, and the server 110 may communicate with the target device 120 through a network. When the target device 120 is attacked, corresponding alarm log data is generated. The server 110 may obtain alarm log data for the target device 120. In order to improve the processing efficiency of the alarm log data, the alarm log data can be screened to remove useless alarm log data. Therefore, the confidence level of the alarm log data can be calculated, and the alarm log data with low confidence level is judged as invalid alarm data, so that the processing amount of the alarm log data is reduced. Since the alarm log data has different categories of data, the degree of alarm for each category of data may indicate the extent to which this data needs to be alarmed. The trust degree of the whole alarm log data is calculated based on the alarm degree of each type of data, and the accuracy of the trust degree can be improved. Therefore, the alarm log data can be classified based on preset feature classification rules to obtain alarm feature data of multiple categories. Based on a preset alarm degree relation table, alarm degree data corresponding to each type of alarm characteristic data can be obtained, and an alarm degree data set is generated. And inputting the alarm degree data set into a preset confidence model to output the confidence of the alarm log data. Whether the confidence level is greater than a preset confidence level threshold value or not can be judged, if so, an alarm message can be generated based on the alarm characteristic data and sent to the target processing terminal 130, and if not, the alarm characteristic data is determined to be invalid alarm data. 
In the invention, effective alarm data is obtained by calculating the trust degree of the alarm log data, and invalid alarm data is removed, thereby improving the processing efficiency of the alarm data. The target device 120 may be, but is not limited to, various computers, servers, laptops, tablets, mobile terminals, switches, routers, and other devices capable of transmitting data based on a network. The server 110 may be implemented by a stand-alone server or a server cluster composed of a plurality of servers. The target processing terminal 130 may be, but is not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices.
Referring to fig. 2, fig. 2 is a schematic flowchart of a method for processing alarm data according to an embodiment of the present invention, including the following steps:
Step S10, acquiring alarm log data of target equipment;
Step S20, classifying the alarm log data based on a preset characteristic classification rule to obtain alarm characteristic data of multiple categories;
Step S30, acquiring alarm degree data corresponding to each category of alarm characteristic data based on a preset alarm degree relation table;
Step S40, summarizing the alarm degree data corresponding to each category of alarm characteristic data to generate an alarm degree data set;
Step S50, inputting the alarm degree data set into a preset confidence model to output the confidence of the alarm log data;
Step S60, judging whether the confidence is greater than a preset confidence threshold;
Step S70, if the confidence is greater than the preset confidence threshold, generating an alarm message based on the alarm characteristic data, and if the confidence is not greater than the preset confidence threshold, determining the alarm characteristic data as invalid alarm data.
With respect to step S10, it should be noted that the target device 120 may be under a network attack during the operation. After the target device 120 is attacked by the network, an alarm mechanism of the target device 120 is triggered, and alarm log data is generated. The alarm log data may include an IP address of the source device of the attack event, an IP address of the target device, a type of the attack event, a network segment to which the attack event belongs, whether a security blocking device exists in an area where the attack event is located, and the like. It should be further explained that the network segment to which the attack event belongs may refer to an intranet area, an isolated area, and the like, and the intranet area may refer to a closed network formed by multiple computers and network devices in a certain area, for example, a campus network, a government network, and the like, through which file management, application software sharing, printer sharing, and the like may be implemented. An isolated area may refer to a small network area between an intranet area and an external network where servers that need to be published, such as enterprise website servers, enterprise forums, and other servers that need to be published, may be located. The security blocking device may refer to a firewall, a RASP security protection tool, an IPS intrusion prevention device, and the like, and may block an attack behavior when an attack event occurs. Of course, the security blocking device may be other devices having an attack blocking effect.
It should be noted that, when acquiring the alarm log data of the target device, the alarm log data may be acquired from the target log information of the target device. The target log information may include log information of all events in the target device, including daily log information and alarm log data. When alarm log data is obtained, an alarm attribute set can be preset, and the alarm attribute set can comprise various alarm attributes. Based on various alarm attributes, log information with corresponding attributes in target log information can be inquired, and required alarm log data can be obtained by summarizing the log information corresponding to various alarm attributes.
For step S20, it should be noted that the alarm log data may include multiple types of data, such as an IP address of the source device of the attack event, an IP address of the target device, a type of the attack event, a network segment to which the attack event belongs, and whether a security blocking device exists in an area where the attack event is located, and the alarm degree of each type of data may indicate the degree to which the data needs to be alarmed. The alarm degree of each type of alarm characteristic data has certain influence on the trust degree of the alarm log data, so that the overall trust degree of the alarm log data can be calculated based on the alarm degrees of the alarm characteristic data of a plurality of types, and the accuracy of the trust degree is improved.
It should be further noted that the alarm log data may be classified into multiple categories of alarm characteristic data based on the characteristic classification rule, where the multiple categories of alarm characteristic data may include alarm characteristic data related to the attack event type, alarm characteristic data related to the IP address of the attack event source device, alarm characteristic data related to the IP address of the target device, and alarm characteristic data related to the network segment to which the attack event belongs.
It should be explained that the feature classification rule may include a related field corresponding to the IP address of the attack event source device, a related field corresponding to the attack event type, a related field corresponding to the IP address of the target device, and a related field corresponding to the network segment to which the attack event belongs. When the alarm characteristic data related to the attack event type is obtained, data with the same field as the related field can be inquired in the alarm log data based on the related field corresponding to the attack event type, and the data can be determined as the alarm characteristic data related to the attack event type. Similarly, alarm characteristic data related to the IP address of the source device of the attack event, alarm characteristic data related to the IP address of the target device, and alarm characteristic data related to the network segment to which the attack event belongs may be obtained.
For step S30, it should be noted that in a type of alarm characteristic data, different specific data correspond to different alarm degrees. Therefore, an alarm degree relation table can be preset to determine the alarm degrees corresponding to different specific data, and the alarm degree relation table can include the alarm degrees corresponding to various alarm characteristic data. It should be further explained that the alarm degree relation table may include specific data of multiple categories of alarm characteristic data and an alarm degree corresponding to each specific data. Specifically, in the alarm degree relationship table, the alarm characteristic data related to the attack event type may include injection attack (INJECT attack) and remote code execution vulnerability attack (RCE attack), where the alarm degree corresponding to the attack event type is 0.6 when the attack event type is injection attack (INJECT attack), and the alarm degree corresponding to the attack event type is 0.4 when the attack event type is remote code execution vulnerability attack (RCE attack). The alarm characteristic data related to the network segment to which the attack event belongs may include an intranet region and an isolation region, where the corresponding alarm degree may be set to 0.65 when the network segment to which the attack event belongs is the intranet region, and the corresponding alarm degree may be set to 0.35 when the network segment to which the attack event belongs is the isolation region.
For step S40, when the alarm degree corresponding to each type of alarm characteristic data needs to be obtained, the alarm degree relation table may be queried to obtain the alarm degree corresponding to the specific data of each type of alarm characteristic data. By summarizing each type of alarm characteristic data and the corresponding alarm degree, an alarm degree data set can be generated.
For step S50, it should be noted that the confidence of the overall alarm log data can be calculated from the alarm degree of each category of alarm characteristic data. To calculate the confidence, the alarm degree data set is input into a preset confidence model, which outputs the confidence of the alarm log data. Specifically, the confidence model P can be expressed as P = A1 × X1 + A2 × X2 + … + Ai × Xi, where Xi represents the ith alarm degree data and Ai represents the weight, relative to the alarm log data, of the alarm characteristic data corresponding to the ith alarm degree data.
As an example of calculating the confidence of the alarm log data, suppose the alarm log data contains alarm characteristic data related to the network segment to which the attack event belongs, to the type of the attack event, to whether a security blocking device exists, and to whether the attack event succeeded. The weight of the network-segment characteristic data relative to the alarm log data may be set to A1=0.15, the weight of the attack-event-type characteristic data to A2=0.3, the weight of the security-blocking-device characteristic data to A3=0.15, and the weight of the attack-success characteristic data to A4=0.4. If the network segment to which the attack event belongs is an intranet region, the alarm degree may be set to X1=0.65. If the attack event type is a remote code execution vulnerability attack (RCE attack), the alarm degree may be set to X2=0.4. If a security blocking device is present, the alarm degree may be set to X3=0.3, and if the remote code execution vulnerability attack succeeded, the alarm degree may be set to X4=0.7. With these settings the confidence model gives P = 0.15 × 0.65 + 0.3 × 0.4 + 0.15 × 0.3 + 0.4 × 0.7 = 0.5425, so the confidence of the alarm log data is 0.5425.
It should be noted that the alarm characteristic data included in the alarm log data is only an example, and the alarm log data may also include other types of alarm characteristic data, and may be specifically set based on the confidence calculation requirement of the alarm log data.
For step S60, in order to reasonably judge the severity of the alarm log data, a confidence threshold may be preset. And if the confidence level of the alarm log data is greater than the threshold of the confidence level, the alarm log data is in urgent need of processing. The various types of alarm characteristic data corresponding to the alarm log data can be sent to the target processing terminal so as to remind a user of the target processing terminal to process the alarm log data in time.
As an example, the confidence threshold may be set to 0.65, and if the confidence level of the alarm log data is higher than the confidence threshold, for example, 0.78, it may be stated that the alarm log data is reliable alarm data and needs to be processed in time. If the confidence level of the alarm log data is equal to the confidence threshold value of 0.65, the alarm log data is invalid alarm data and does not need to be processed. If the confidence level of the alarm log data is lower than the confidence level threshold, for example, 0.58, it can be said that the alarm log data is invalid alarm data and does not need to be processed. Therefore, the processing efficiency of the alarm log data is improved.
For step S70, when the confidence level of the alarm log data is greater than the preset confidence level threshold, an alarm message may be generated based on multiple types of alarm feature data corresponding to the alarm log data, and the alarm message is sent to the target processing end, and after receiving the data alert, the user of the target processing end may log into the security management platform to process the alarm log data.
It should be noted that the alarm characteristic data with the confidence level not greater than the threshold of the confidence level may indicate that the success rate of the attack event corresponding to such data is extremely low, and may not affect the target device. Such alarm characteristic data may be determined to be invalid alarm data without processing. However, when the number of occurrences of certain invalid alarm data is extremely high, the target device may also be affected. Therefore, the history generation times of each invalid alarm data can be counted, and when the history generation times are higher than a preset time threshold value, for example, nine hundred times, the invalid alarm data can be sent to a target processing terminal to remind a user of processing.
As shown in fig. 3, the process of obtaining alarm log data of the target device includes,
Step S11, acquiring target log information of the target equipment.
Step S12, acquiring log information matching a preset alarm attribute set from the target log information to generate alarm log data.
It should be noted that the target log information of the target device includes many useless fields, which affect the calculation of the alarm confidence. Therefore, the available fields can be extracted from the target log information to obtain the required alarm log data. The extraction can be performed by matching against a preset alarm attribute set that contains all the available fields. For example, the alarm attribute set may include the address field g_dest_ip of the target device, the device name field g_type, the event name field g_event, the event information field g_msg, and other available fields. Based on the alarm attribute set, the log information carrying the available fields can be queried in the target log information, and collecting all the queried log information yields the alarm log data.
It is worth mentioning that the confidence level of the alarm log data is calculated based on different types of alarm characteristic data, and each type of alarm characteristic data corresponds to one type of available fields. Thus, for available fields in the alarm attribute set, adaptive improvements can be made based on the confidence computation requirements of the alarm log data. For example, other available fields may be added as part of the confidence calculation, and some available fields may be deleted.
It should be explained that, during an attack event, multiple target devices may be attacked and repeated alarms may be triggered, generating duplicate alarm log data. The alarm log data can therefore be deduplicated and the duplicate records deleted, so that only one alarm log record remains when the same attacker attacks the same target at the same time.
As shown in fig. 4, the process of classifying the alarm log data based on the preset feature classification rule to obtain multiple classes of alarm feature data includes,
Step S21, classifying the alarm log data based on a preset feature classification rule to generate intermediate feature data of multiple categories.
Step S22, acquiring the identifier information corresponding to the intermediate feature data of each category based on a preset identifier correspondence table.
Step S23, combining the intermediate feature data of each category with the corresponding identifier information to generate alarm feature data of a plurality of categories.
As an example, the preset feature classification rule may include a related field corresponding to the IP address of the attack event source device, a related field corresponding to the attack event type, and a related field corresponding to the IP address of the target device. Based on the feature classification rule, when the intermediate feature data related to the attack event type is obtained, the records whose field matches the related field corresponding to the attack event type can be queried in the alarm log data and determined as the intermediate feature data related to the attack event type. Similarly, the intermediate feature data associated with the IP address of the source device of the attack event and the intermediate feature data associated with the IP address of the target device may be generated.
It should be noted that, in order to improve the queryability of the alarm characteristic data, the identifier of each type of intermediate characteristic data may be generated by performing identification processing on each type of intermediate characteristic data, and the intermediate characteristic data with the identifier is used as the alarm characteristic data. Specifically, the identifier corresponding to each type of intermediate characteristic data may be queried based on a preset identifier correspondence table. The identifier corresponding table comprises various intermediate characteristic data and identifiers corresponding to the intermediate characteristic data. For example, for the intermediate feature data of the attack event type, when the attack event type is injection attack, the identifier INJECT may be corresponded. When the attack event type is a remote code execution vulnerability attack, the identifier RCE can be corresponded. And combining each type of intermediate characteristic data and the corresponding identifier thereof to generate each type of alarm characteristic data.
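The fig. 3 and fig. 4 procedures (steps S11 to S12 and S21 to S23) as a worked example added here; it is not the patent's own code. The constructed log lines, the source-IP field g_src_ip, the timestamp field g_time and the event value strings are assumptions; the fields g_dest_ip, g_type, g_event, g_msg and the identifiers INJECT and RCE are the ones the text names.

```python
"""Extract alarm log data from raw device logs, deduplicate it and classify it
into identified feature data (steps S11-S12 and S21-S23)."""
from typing import Dict, List, Optional

# Constructed sample of target log information: key=value records that mix
# routine log lines (lacking alarm fields) with alarm records, including one
# exact duplicate (same attacker, same target, same time).
RAW_LOG = """\
g_time=2023-01-01T10:00:00 g_type=web-fw g_event=heartbeat g_msg=ok
g_time=2023-01-01T10:00:05 g_src_ip=198.51.100.7 g_dest_ip=10.0.0.5 g_type=web-fw g_event=injection_attack g_msg=blocked
g_time=2023-01-01T10:00:05 g_src_ip=198.51.100.7 g_dest_ip=10.0.0.5 g_type=web-fw g_event=injection_attack g_msg=blocked
g_time=2023-01-01T10:01:00 g_src_ip=203.0.113.9 g_dest_ip=10.0.0.6 g_type=app-rasp g_event=remote_code_execution g_msg=allowed
level=info msg=scheduled_backup_finished
"""

# Alarm attribute set (S12): a record counts as alarm log data only if it
# carries every one of these available fields.
ALARM_ATTRIBUTE_SET = frozenset({"g_dest_ip", "g_type", "g_event", "g_msg"})

# Feature classification rule (S21): feature category -> related field.
# g_src_ip is an assumed field name for the attack source address.
FEATURE_RULE: Dict[str, str] = {
    "event_type": "g_event",
    "source_ip": "g_src_ip",
    "target_ip": "g_dest_ip",
}

# Identifier correspondence table (S22): raw event value -> identifier.
IDENTIFIER_TABLE: Dict[str, Dict[str, str]] = {
    "event_type": {"injection_attack": "INJECT", "remote_code_execution": "RCE"},
}


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value log line into a field dict; stray tokens are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def extract_alarm_logs(raw: str) -> List[Dict[str, str]]:
    """S11/S12: keep only records that carry the whole alarm attribute set."""
    alarms = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if ALARM_ATTRIBUTE_SET.issubset(record):
            alarms.append(record)
    return alarms


def deduplicate(alarms: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep one record per (attacker, target, time), as the text requires."""
    seen = set()
    unique = []
    for record in alarms:
        key = (record.get("g_src_ip"), record["g_dest_ip"], record.get("g_time"))
        if key in seen:
            continue
        seen.add(key)
        unique.append(record)
    return unique


def classify(record: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """S21-S23: intermediate feature data per category, combined with its
    identifier where the correspondence table has one (None otherwise)."""
    features: Dict[str, Dict[str, Optional[str]]] = {}
    for category, field in FEATURE_RULE.items():
        if field not in record:
            continue
        value = record[field]
        identifier = IDENTIFIER_TABLE.get(category, {}).get(value)
        features[category] = {"value": value, "identifier": identifier}
    return features


def pipeline(raw: str) -> List[Dict[str, Dict[str, Optional[str]]]]:
    """Full fig. 3 + fig. 4 flow: extract, deduplicate, classify."""
    return [classify(r) for r in deduplicate(extract_alarm_logs(raw))]


if __name__ == "__main__":
    for feature_data in pipeline(RAW_LOG):
        print(feature_data)
```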
It is worth mentioning that in order to implement the visual analysis of the security processing platform, a visual analysis page may be built in the security processing platform. By pre-calculating the processing duration, the successful attack times per day, the average recovery time and the like of various alarm characteristic data, the detailed information of various alarm characteristic data can be displayed in a visual analysis page, so that a user can inquire and analyze the alarm characteristic data and adjust the processing measures of attack events.
As shown in fig. 5, if the confidence level is greater than the preset confidence level threshold, the process of generating the alarm message based on the alarm characteristic data includes,
Step S71, if the confidence is greater than the preset confidence threshold, establishing a corresponding alarm work order based on the alarm characteristic data.
Step S72, generating an alarm message according to the alarm work order and sending the alarm message to the target processing end to notify a user to process the alarm work order.
It should be noted that, if the confidence level of the alarm log data is greater than the threshold of the confidence level, it indicates that the alarm log data needs to be processed urgently. An alarm work order can be established for the alarm log data in the security management platform. And multiple types of alarm characteristic data, processing time limit, processing responsible person and the like corresponding to the alarm log data can be displayed in the alarm work order. To alert the process responsible for the process, an alarm message may be generated based on the alarm work order. The alarm message may include alarm characteristic data to be processed, processing time limit, etc. And sending the alarm message to the target processing end, and reminding a user of the target processing end of processing the alarm work order in time. And after receiving the prompt, the user of the target processing end can log in the safety management platform to process the alarm work order. And when the user processes the alarm work order, the log information of the processing process can be automatically recorded in the alarm work order for subsequent inquiry.
It should be noted that the alarm characteristic data may be pushed to the target processing end by e-mail, short message (SMS), or another push channel. Specifically, the security management platform may push the alarm characteristic data to the target processing end based on a preset push correspondence table. The push correspondence table may include a plurality of alarm degree ranges and the IP addresses of the target processing ends corresponding to them. For example, when the alarm degree is greater than 0 and less than 0.35, the corresponding IP address of the target processing end is IP1; when the alarm degree is greater than or equal to 0.35 and less than 0.65, the corresponding IP address of the target processing end is IP2; and when the alarm degree is greater than or equal to 0.65 and less than or equal to 1, the corresponding IP address of the target processing end is IP3. It should be understood that the user level of the target processing end corresponding to IP3 may be set higher than that of the target processing end corresponding to IP2, and the user level of the target processing end corresponding to IP2 may be set higher than that of the target processing end corresponding to IP1.
It should be noted that the push correspondence table may also be set to include the attack event types of different alarm log data and the IP addresses of the corresponding target processing ends, so that attack events are pushed to different target processing ends according to their attack event type.
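The work-order and push-routing flow described above (steps S71 and S72 together with the two forms of push correspondence table), as an added Python example that is not code from the patent. The IP addresses are RFC 5737 documentation addresses, the event types, the owner name, the processing time limit and the fallback to IP3 when no table row matches are all constructed assumptions for the example.

```python
"""Added example, not the patent's code: create an alarm work order when the
confidence exceeds the preset threshold, then select the target processing end
from a push correspondence table keyed by attack event type first and by alarm
degree range second.  All addresses, event types and limits are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Degree ranges from the text: (0, 0.35) -> IP1, [0.35, 0.65) -> IP2, [0.65, 1] -> IP3.
# Documentation-range addresses stand in for the real processing ends.
IP1, IP2, IP3 = "192.0.2.1", "192.0.2.2", "192.0.2.3"

# Optional routing by attack event type; a listed type wins over the degree lookup.
EVENT_TYPE_ROUTES = {            # constructed entries
    "webshell_upload": "192.0.2.10",
    "brute_force_login": "192.0.2.11",
}

PROCESSING_TIME_LIMIT = timedelta(hours=4)                       # constructed
SAMPLE_NOW = datetime(2022, 11, 17, 9, 0, tzinfo=timezone.utc)   # constructed clock


@dataclass
class WorkOrder:
    features: dict            # alarm characteristic data by category
    alarm_degree: float
    event_type: str
    target_ip: str
    owner: str                # processing responsible person
    deadline: datetime        # processing time limit
    history: list = field(default_factory=list)   # processing log, appended automatically


def route_by_degree(degree: float) -> Optional[str]:
    """Degree-range lookup with exactly the boundaries the text states.

    A degree of exactly 0 (or anything outside [0, 1]) has no row in the
    table, so None is returned and the caller has to decide."""
    if 0.0 < degree < 0.35:
        return IP1
    if 0.35 <= degree < 0.65:
        return IP2
    if 0.65 <= degree <= 1.0:
        return IP3
    return None


def select_target(event_type: str, degree: float) -> Optional[str]:
    """Push correspondence table: event-type entry first, degree range second."""
    return EVENT_TYPE_ROUTES.get(event_type) or route_by_degree(degree)


def create_work_order(features: dict, degree: float, event_type: str,
                      confidence: float, threshold: float, now: datetime,
                      owner: str = "soc-duty") -> Optional[WorkOrder]:
    """Step S71: only alarm log data above the confidence threshold gets a work order."""
    if confidence <= threshold:
        return None           # caller treats it as invalid alarm data
    target = select_target(event_type, degree)
    if target is None:
        # Assumption for this example: an alarm that passed the confidence check
        # but matches no table row goes to the highest-level end, never dropped.
        target = IP3
    return WorkOrder(features=dict(features), alarm_degree=degree,
                     event_type=event_type, target_ip=target, owner=owner,
                     deadline=now + PROCESSING_TIME_LIMIT)


def alarm_message(order: WorkOrder) -> dict:
    """Step S72: the message carries the pending feature data and the time limit."""
    return {
        "to": order.target_ip,
        "owner": order.owner,
        "deadline": order.deadline.isoformat(),
        "event_type": order.event_type,
        "alarm_degree": order.alarm_degree,
        "features": order.features,
    }


def record_processing(order: WorkOrder, actor: str, note: str, when: datetime) -> int:
    """Append one entry to the work order's processing log; return the entry count."""
    order.history.append({"at": when.isoformat(), "by": actor, "note": note})
    return len(order.history)


if __name__ == "__main__":
    sample = {"src_ip": "203.0.113.5", "uri": "/upload.php"}   # constructed features
    order = create_work_order(sample, 0.72, "webshell_upload",
                              confidence=0.81, threshold=0.6, now=SAMPLE_NOW)
    print(alarm_message(order))
```

The degree lookup deliberately reproduces the text's open lower bound, so a degree of exactly 0 is unmapped; the explicit fallback in `create_work_order` exists so that such a gap cannot silently discard an alarm that already passed the confidence check.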
As shown in fig. 6, after the step of determining the alarm characteristic data as invalid alarm data if the confidence level is not greater than the preset confidence level threshold, the method further includes:
S711: acquiring the historical generation times of the invalid alarm data.
S712: judging whether the historical generation times are greater than a preset times threshold.
S713: if the number of times is greater than the preset times threshold, determining the invalid alarm data as high-frequency invalid alarm data; if the number of times is not greater than the preset times threshold, updating the historical generation times of the invalid alarm data.
It should be noted that alarm characteristic data whose confidence level is not greater than the confidence level threshold may be determined as invalid alarm data and need not be processed. However, when certain invalid alarm data occurs extremely often, the target device may still be affected. Therefore, when alarm data is determined to be invalid, the historical generation times of that invalid alarm data may be counted, and when the historical generation times are greater than a preset times threshold, for example nine hundred times, the invalid alarm data may be determined as high-frequency invalid alarm data. Because high-frequency invalid alarm data may affect the target device, an alarm message for it can be sent to the target processing end to remind the user to analyze and process it.
It should be further noted that, if the historical generation times of the invalid alarm data are not greater than the preset times threshold, the current generation is added to the historical generation times, so that the count is updated on every occurrence and can later be used to determine whether the invalid alarm data has become high-frequency invalid alarm data.
As shown in fig. 7, the step of determining the invalid alarm data as high-frequency invalid alarm data if the number of times is greater than the preset times threshold includes:
S7131: if the number of times is greater than the preset times threshold, determining the invalid alarm data as high-frequency invalid alarm data.
S7132: sending the high-frequency invalid alarm data to the target processing end.
It should be noted that the preset times threshold is not limited here; it may be 900 times, 800 times, or another value.
When the invalid alarm data is determined to be high-frequency invalid alarm data, an alarm work order for the high-frequency invalid alarm data can be created on the security management platform. The alarm work order can display the specific data of the high-frequency invalid alarm data, the processing time limit, the processing responsible person, and the like. To remind the processing responsible person to process the alarm work order on the security management platform in time, an alarm message can be generated based on the alarm work order and sent to the target processing end. It should be noted that the alarm message may include the high-frequency invalid alarm data to be processed, the processing time limit, and the like. After receiving the reminder, the user of the target processing end can log in to the security management platform to process the alarm work order. When the user processes the alarm work order, the log information of the processing process can be automatically recorded in the alarm work order for subsequent inquiry.
Therefore, in the scheme, a large amount of invalid alarm data can be removed, the processing amount of the alarm log data is reduced, and the processing efficiency of the alarm log data is improved.
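The invalid-alarm counting of steps S711 to S713, as an added Python example that is not code from the patent. The feature categories, the sample alarm, the choice of which fields identify "the same" invalid alarm data, and the use of 900 as the threshold (one of the values the text names) are all constructed assumptions.

```python
"""Added example, not the patent's code: count recurrences of each kind of
invalid alarm data and flag it as high-frequency invalid alarm data once the
historical generation count exceeds the preset threshold (S711 to S713)."""
from collections import Counter

DEFAULT_COUNT_THRESHOLD = 900   # one of the threshold values the text names


def invalid_alarm_key(features: dict) -> tuple:
    """Canonical identity of 'the same' invalid alarm data.

    Volatile fields are dropped so repeated occurrences land on one counter.
    Which fields are volatile is an assumption of this example."""
    volatile = {"timestamp", "log_id", "count"}
    return tuple(sorted((k, str(v)) for k, v in features.items() if k not in volatile))


class InvalidAlarmTracker:
    def __init__(self, threshold: int = DEFAULT_COUNT_THRESHOLD):
        self.threshold = threshold
        self.history = Counter()    # historical generation times per key
        self.escalated = set()      # keys already sent to the target processing end

    def record(self, features: dict) -> str:
        """Process one alarm already judged invalid; return its classification.

        Same order as the text: read the historical count (S711), compare it
        with the threshold (S712), and only when it is not greater add the
        current generation to the count (S713).  Once flagged, the count is no
        longer incremented, exactly as the steps are written."""
        key = invalid_alarm_key(features)
        if self.history[key] > self.threshold:
            self.escalated.add(key)
            return "high_frequency_invalid"
        self.history[key] += 1
        return "invalid"

    def count(self, features: dict) -> int:
        return self.history[invalid_alarm_key(features)]

    def escalation_message(self, features: dict) -> dict:
        """Payload for the work order sent to the target processing end (S7132)."""
        key = invalid_alarm_key(features)
        return {"kind": "high_frequency_invalid_alarm", "features": dict(key),
                "historical_count": self.history[key], "threshold": self.threshold}


def simulate_burst(n: int, threshold: int = DEFAULT_COUNT_THRESHOLD) -> tuple:
    """Feed n copies of one constructed invalid alarm.

    Returns (flagged_at, tracker), where flagged_at is the 1-based occurrence
    at which the alarm is first classified as high-frequency, or None."""
    tracker = InvalidAlarmTracker(threshold)
    flagged_at = None
    for i in range(1, n + 1):
        features = {"src_ip": "198.51.100.7", "rule": "ssh_failed_login",        # constructed
                    "timestamp": f"2022-11-17T09:00:{i % 60:02d}Z"}
        if tracker.record(features) == "high_frequency_invalid" and flagged_at is None:
            flagged_at = i
    return flagged_at, tracker


if __name__ == "__main__":
    flagged, tracker = simulate_burst(1000)
    print("first flagged at occurrence", flagged)
    print(tracker.escalation_message({"src_ip": "198.51.100.7", "rule": "ssh_failed_login"}))
```

Because the count is read before it is incremented, an alarm with threshold N is first flagged on its (N+2)th occurrence and the stored count then stays at N+1. The `escalated` set is there so a deployment can notify the target processing end once per key instead of on every further occurrence; persisting the counter across restarts is left to the caller.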
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
In an embodiment, an apparatus for processing alarm data is provided, which corresponds one to one to the method for processing alarm data in the foregoing embodiments. As shown in fig. 8, the alarm data processing apparatus includes an acquisition module 101, a classification module 102, a processing module 103, a summarization module 104, a generation module 105, a judgment module 106, and a push module 107. The acquisition module 101 may be configured to acquire alarm log data of a target device. The classification module 102 may be configured to classify the alarm log data based on a preset feature classification rule, so as to obtain alarm feature data of multiple categories. The processing module 103 may be configured to obtain the alarm degree data corresponding to each type of alarm characteristic data based on a preset alarm degree relation table. The summarization module 104 may be configured to summarize the alarm degree data corresponding to each type of alarm characteristic data and generate an alarm degree data set. The generation module 105 may be configured to input the alarm degree data set into a preset confidence model, so as to output the confidence of the alarm log data. The judgment module 106 may be configured to judge whether the confidence level is greater than a preset confidence level threshold. The push module 107 may be configured to generate an alarm message based on the alarm characteristic data if the confidence level is greater than the preset confidence level threshold, and to determine the alarm characteristic data as invalid alarm data if the confidence level is not greater than the preset confidence level threshold.
In one embodiment, the acquisition module 101 is specifically configured to:
acquire target log information of the target device;
acquire the log information in the target log information that matches a preset alarm attribute set, to generate alarm log data.
In one embodiment, the classification module 102 is specifically configured to:
classify the alarm log data based on a preset feature classification rule, to generate intermediate feature data of a plurality of categories;
acquire the identifier information corresponding to the intermediate feature data of each category based on a preset identifier correspondence table;
merge the intermediate feature data of each category with the corresponding identifier information, to generate alarm feature data of a plurality of categories.
In one embodiment, the push module 107 is specifically configured to:
if the confidence level is greater than the preset confidence level threshold, establish a corresponding alarm work order based on the alarm characteristic data;
generate an alarm message according to the alarm work order, and send the alarm message to a target processing end to notify a user to process the alarm work order.
In one embodiment, the push module 107 may also be configured to:
acquire the historical generation times of the invalid alarm data;
judge whether the historical generation times are greater than a preset times threshold;
if the number of times is not greater than the preset times threshold, update the historical generation times of the invalid alarm data.
In one embodiment, the push module 107 may also be configured to:
if the number of times is greater than the preset times threshold, determine the invalid alarm data as high-frequency invalid alarm data;
send the high-frequency invalid alarm data to the target processing end.
The invention provides a processing device of alarm data, which can remove a large amount of invalid alarm data, reduce the processing amount of alarm log data and improve the processing efficiency of the alarm log data.
For specific limitations of the alarm data processing apparatus, reference may be made to the above limitations of the alarm data processing method, which is not described herein again. The modules in the alarm data processing device can be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and whose internal structure may be as shown in fig. 9. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for running the operating system and the computer program in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external client through a network connection. When executed by the processor, the computer program implements the functions or steps of the server side of the method for processing alarm data.
In one embodiment, a computer device is provided, which may be a client, and whose internal structure may be as shown in fig. 10. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for running the operating system and the computer program in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external server through a network connection. When executed by the processor, the computer program implements the functions or steps of the client side of the method for processing alarm data.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
acquiring alarm log data of target equipment;
classifying the alarm log data based on a preset feature classification rule to obtain alarm feature data of multiple categories;
acquiring alarm degree data corresponding to each type of alarm characteristic data based on a preset alarm degree relation table;
summarizing the alarm degree data corresponding to each type of alarm characteristic data to generate an alarm degree data set;
inputting the alarm degree data set into a preset confidence model to output the confidence of the alarm log data;
judging whether the trust degree is greater than a preset trust degree threshold value or not;
and if the confidence level is not greater than the preset confidence level threshold, determining the alarm characteristic data as invalid alarm data.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, performs the steps of:
acquiring alarm log data of target equipment;
classifying the alarm log data based on a preset feature classification rule to obtain alarm feature data of multiple categories;
acquiring alarm degree data corresponding to each type of alarm characteristic data based on a preset alarm degree relation table;
summarizing the alarm degree data corresponding to each type of alarm characteristic data to generate an alarm degree data set;
inputting the alarm degree data set into a preset confidence model to output the confidence of the alarm log data;
judging whether the trust degree is greater than a preset trust degree threshold value or not;
and if the confidence level is not greater than the preset confidence level threshold, determining the alarm characteristic data as invalid alarm data.
It should be noted that, the functions or steps that can be implemented by the computer-readable storage medium or the computer device can be referred to the related descriptions of the server side and the client side in the foregoing method embodiments, and are not described here one by one to avoid repetition.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program instructing the relevant hardware, which may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions.
The above-mentioned embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (10)

1. A method for processing alarm data is characterized by comprising the following steps:
acquiring alarm log data of target equipment;
classifying the alarm log data based on a preset feature classification rule to obtain alarm feature data of multiple categories;
acquiring alarm degree data corresponding to each type of alarm characteristic data based on a preset alarm degree relation table;
summarizing the alarm degree data corresponding to each type of alarm characteristic data to generate an alarm degree data set;
inputting the alarm degree data set into a preset confidence model to output the confidence of the alarm log data;
judging whether the trust degree is greater than a preset trust degree threshold value or not;
and if the confidence level is not greater than the preset confidence level threshold, determining the alarm characteristic data as invalid alarm data.
2. The method for processing alarm data according to claim 1, wherein the step of obtaining alarm log data of the target device includes:
acquiring target log information of target equipment;
and acquiring log information matched with a preset alarm attribute set in the target log information to generate alarm log data.
3. The method for processing alarm data according to claim 1, wherein the step of classifying the alarm log data based on a preset feature classification rule to obtain multiple classes of alarm feature data comprises:
classifying the alarm log data based on a preset feature classification rule to generate intermediate feature data of a plurality of categories;
acquiring identifier information corresponding to the intermediate characteristic data of each category based on a preset identifier corresponding table;
merging the intermediate characteristic data of each category with the corresponding identifier information to generate alarm characteristic data of a plurality of categories.
4. The method for processing alarm data according to claim 1, wherein the confidence model P is expressed as: P = A1 × X1 + A2 × X2 + ... + Ai × Xi, where Xi represents the i-th alarm degree data, and Ai represents the weight of the alarm feature data corresponding to the i-th alarm degree data relative to the alarm log data.
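The confidence model of claim 4 carried through on sample data, as an added Python example that is not code from the patent: each alarm feature category is mapped to its alarm degree Xi through an alarm degree relation table, the weighted sum P = A1·X1 + ... + Ai·Xi is formed with preset weights Ai, and P is compared with the confidence threshold. The categories, the degree table, the weights and the threshold are constructed assumptions; the weights are chosen to sum to 1 so that P stays in [0, 1] and the fixed threshold is meaningful.

```python
"""Added example, not the patent's code: the confidence model
P = A1*X1 + A2*X2 + ... + Ai*Xi from claim 4, fed from a constructed
alarm degree relation table, followed by the threshold decision."""

# Preset alarm degree relation table (constructed): category -> feature value -> alarm degree Xi in [0, 1].
ALARM_DEGREE_TABLE = {
    "source_reputation": {"known_bad": 0.9, "unknown": 0.5, "internal": 0.1},
    "payload_match": {"exploit_signature": 0.95, "suspicious_pattern": 0.6, "none": 0.05},
    "asset_exposure": {"internet_facing": 0.8, "dmz": 0.5, "internal_only": 0.2},
}

# Preset weights Ai (constructed).  They sum to 1, so P is in [0, 1] whenever
# every Xi is in [0, 1]; without that property a fixed threshold means little.
WEIGHTS = {"source_reputation": 0.4, "payload_match": 0.4, "asset_exposure": 0.2}

CONFIDENCE_THRESHOLD = 0.6   # constructed preset confidence threshold


def alarm_degrees(features: dict) -> dict:
    """Look up Xi for each alarm feature category.

    An unknown value is a hard error rather than a silent 0: a silent 0 would
    lower P and could push a real alarm below the threshold unnoticed."""
    degrees = {}
    for category, value in features.items():
        table = ALARM_DEGREE_TABLE.get(category)
        if table is None or value not in table:
            raise KeyError(f"no alarm degree for {category}={value!r}")
        degrees[category] = table[value]
    return degrees


def confidence(degrees: dict, weights: dict = WEIGHTS) -> float:
    """P = sum over i of Ai * Xi.  Every weighted category must have a degree."""
    missing = set(weights) - set(degrees)
    if missing:
        raise ValueError(f"alarm degree data set lacks categories {sorted(missing)}")
    return sum(weights[c] * degrees[c] for c in weights)


def classify(features: dict, threshold: float = CONFIDENCE_THRESHOLD) -> tuple:
    """Return (P, 'alarm' or 'invalid') using the strict comparison of the claims."""
    p = confidence(alarm_degrees(features))
    return p, ("alarm" if p > threshold else "invalid")


if __name__ == "__main__":
    sample = {"source_reputation": "known_bad", "payload_match": "exploit_signature",
              "asset_exposure": "internet_facing"}   # constructed alarm feature data
    print(classify(sample))   # P = 0.4*0.9 + 0.4*0.95 + 0.2*0.8 = 0.90 -> 'alarm'
```

Keeping the degree lookup strict matters more than it looks: a scoring pipeline that substitutes 0 for an unmapped feature value fails open, because every unrecognised feature lowers P and therefore raises the chance that a genuine alarm is discarded as invalid.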
5. The method for processing alarm data according to claim 1, wherein the step of generating an alarm message based on the alarm characteristic data if the confidence level is greater than a preset confidence level threshold comprises:
if the confidence level is greater than a preset confidence level threshold value, establishing a corresponding alarm work order based on the alarm characteristic data;
and generating an alarm message according to the alarm work order, and sending the alarm message to a target processing end to inform a user of processing the alarm work order.
6. The method for processing alarm data according to claim 1, wherein after the step of determining the alarm characteristic data as invalid alarm data if the confidence level is not greater than the preset confidence level threshold, the method further comprises:
acquiring the historical generation times of the invalid alarm data;
judging whether the historical generation times are larger than a preset time threshold value or not;
and if the frequency is not greater than the preset frequency threshold, updating the historical generation frequency of the invalid alarm data.
7. The method for processing alarm data according to claim 6, wherein the step of determining the invalid alarm data as high-frequency invalid alarm data if the number of times is greater than a preset number threshold comprises:
if the number of times is larger than a preset time threshold value, determining the invalid alarm data as high-frequency invalid alarm data;
and sending the high-frequency invalid alarm data to a target processing end.
8. An apparatus for processing alarm data, comprising:
the acquisition module is used for acquiring alarm log data of the target equipment;
the classification module is used for classifying the alarm log data based on a preset characteristic classification rule so as to acquire alarm characteristic data of a plurality of categories;
the processing module is used for acquiring alarm degree data corresponding to each type of alarm characteristic data based on a preset alarm degree relation table;
the summarizing module is used for summarizing the alarm degree data corresponding to each type of alarm characteristic data to generate an alarm degree data set;
the generating module is used for inputting the alarm degree data set into a preset confidence model so as to output the confidence of the alarm log data;
the judging module is used for judging whether the trust degree is greater than a preset trust degree threshold value;
and the pushing module is used for generating an alarm message based on the alarm characteristic data if the confidence level is greater than the preset confidence level threshold, and determining the alarm characteristic data as invalid alarm data if the confidence level is not greater than the preset confidence level threshold.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method for processing alarm data according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method for processing alarm data according to any one of claims 1 to 7.
CN202211437587.3A 2022-11-17 2022-11-17 Alarm data processing method, device, equipment and medium Pending CN115834345A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211437587.3A CN115834345A (en) 2022-11-17 2022-11-17 Alarm data processing method, device, equipment and medium


Publications (1)

Publication Number Publication Date
CN115834345A true CN115834345A (en) 2023-03-21

Family

ID=85528627


Country Status (1)

Country Link
CN (1) CN115834345A (en)


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116342008A (en) * 2023-03-26 2023-06-27 广州智卡物流科技有限公司 Logistics road transportation management method and system
CN116342008B (en) * 2023-03-26 2024-01-12 广州智卡物流科技有限公司 Logistics road transportation management method and system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination