CN116010616A - Multi-source alarm association analysis method and device - Google Patents

Publication number: CN116010616A
Authority: CN (China)
Application number: CN202211687034.3A
Other languages: Chinese (zh)
Inventors: 敖麒, 陈景妹, 叶晓虎, 李凯
Current assignee: Shenzhou Lvmeng Chengdu Technology Co ltd
Original assignee: Shenzhou Lvmeng Chengdu Technology Co ltd
Legal status: Pending
Prior art keywords: vector, relation, entity, type, alarm information

Abstract

The application relates to the technical field of network security, in particular to a multi-source alarm association analysis method and device. A knowledge graph is established from a set of relation triplets; the knowledge graph indicates the relations between a first type of alarm information and a second type of alarm information. A first vector and a second vector are determined from the received first type of alarm information, and a target vector is determined from the first vector and the second vector. A plurality of potential target vectors is acquired from the entity set or the relation set of the knowledge graph, the similarity between the target vector and each potential target vector is determined, and a third vector corresponding to the relation triplet is selected from the potential target vectors according to the similarity, the third vector being the one with the highest similarity to the target vector. The scheme breaks through the limitation that traditional alarm analysis methods are only suitable for a single type of alarm, avoids the inefficiency of manual research and judgment during alarm association analysis, and improves alarm association analysis efficiency.

Description

Multi-source alarm association analysis method and device
Technical Field
The application relates to the technical field of network security, in particular to a multi-source alarm association analysis method and device.
Background
In the prior art, alarm association analysis takes one of two forms. The first is statistical mining of single-type data; faced with multi-source heterogeneous alarm information it cannot determine the relations between the alarms, so a user cannot promptly grasp the global information security situation of the system, and the efficiency of security monitoring work is held back. For example, in the field of industrial control system security, anomaly analysis based solely on network state data fails to meet the needs of security analysis. The second relies on relations between alarm information obtained by manual analysis, but with massive volumes of alarm information manual analysis is slow and inefficient.
Therefore, how to perform association analysis on multi-source heterogeneous alarm information while improving alarm association analysis efficiency is a problem that needs to be solved.
Disclosure of Invention
The application provides a multi-source alarm association analysis method and device, which are used for solving the problem of alarm information association analysis of different types and improving alarm association analysis efficiency.
In a first aspect, the present application proposes a multi-source alarm association analysis method. In the method, a first vector and a second vector are determined according to the received first type of alarm information: the first vector is the vector representation of an entity in the relation triplet of the first type of alarm information, and the second vector is the vector representation of another entity, or of the relation, in that relation triplet. From the first vector and the second vector, a target vector is determined for the entity or relation in the relation triplet that is to be inferred. A plurality of potential target vectors is acquired from the entity set or the relation set of the knowledge graph, where the knowledge graph indicates the relations between the first type of alarm information and the second type of alarm information. The similarity between the target vector and each potential target vector is determined, and the third vector corresponding to the relation triplet is selected from the potential target vectors according to the similarity: the third vector is the potential target vector with the highest similarity to the target vector.
In the method, the type of alarm information represented by the first vector can differ from the type represented by the target third vector or by the second vector. Compared with the prior art, which performs association analysis on alarms of a single type, the method therefore breaks through the limitation that traditional alarm analysis is only suitable for single-type alarms and solves the problem of association analysis over multi-source heterogeneous alarm information. Compared with manual correlation analysis of alarms, the correlation analysis of the first vector and the second vector improves efficiency, better assists users in deciding on security protection strategies, offers guidance for preventing subsequent alarms, and has good application and promotion value.
Optionally, determining the target vector according to the first vector and the second vector specifically includes: performing an addition or a subtraction on the first vector and the second vector to obtain the target vector.
In the above method, the target vector is determined from the first vector and the second vector, so that the similarity between the target vector and each candidate third vector can be computed conveniently and the target third vector determined.
Optionally, the method further comprises obtaining a set of relationship triples, where any relationship triple in the set includes two entities and a relationship between them, the two entities indicating the first type and the second type of alarm information respectively. Any entity contained in the set is taken as a starting point; each entity in the set that has a relation with the starting point is taken as a next node, and the starting point is connected to it. Each next node is then taken as a new starting point and the connection step is repeated, until the relation triplet set contains no further entity having a relation with the current starting point, at which point the knowledge graph is obtained. The entities of the knowledge graph are vectorized to obtain an entity set, and the relationships of the knowledge graph are vectorized to obtain a relationship set. If the second vector is an entity of the vectorized knowledge graph, the third vector is a relationship of the vectorized knowledge graph; if the second vector is a relationship of the vectorized knowledge graph, the third vector is an entity of it.
In the method, the knowledge graph is constructed from the relation triplet set, so the relations among different types of alarm information can be displayed intuitively, meeting the user's need for an intuitive view of those relations. Vectorizing the knowledge graph makes it convenient to compute the similarity between the target vector and each candidate third vector from the vectorized graph and so determine the target third vector.
Optionally, determining the first vector and the second vector according to the received first type of alarm information specifically includes: determining, from the entity set, the first vector corresponding to the first type of alarm information, the entity set containing the correspondence between the first type of alarm information and the first vector; and receiving a second vector set by the user, the second vector corresponding to second-type alarm information contained in the entity set, the entity set also containing the correspondence between the second type of alarm information and the second vector. In this case the plurality of potential target vectors is a subset of the relationships contained in the relationship set.
In the method, the relationship between the first vector and the second vector, namely the target third vector, is determined from a first vector representing first-type alarm information and a second vector representing second-type alarm information. This helps the user locate the relationship between the alarms accurately, and subsequent protection decisions and analysis can be made from the result. Association analysis across different types of alarm information addresses the need to correlate massive volumes of multi-source heterogeneous alarms.
Optionally, determining the first vector and the second vector according to the received first type of alarm information further includes: determining, from the entity set, the first vector corresponding to the first type of alarm information; and receiving a second vector set by the user, the second vector corresponding to a relation contained in the relation set. In this case the plurality of potential target vectors is a subset of the second-type alarm information contained in the entity set.
In the method, a first vector representing first-type alarm information and a second vector representing a relation are used to determine the target third vector representing second-type alarm information, helping the user accurately locate the alarm information associated with the first type. This provides the user with valuable information from the known situation and, compared with manually reasoning out the relations between alarms, shortens the processing time of the alarm information.
In a second aspect, an embodiment of the present application provides a multi-source alarm association analysis device, including:
a determining unit, configured to determine a first vector and a second vector according to the received first type of alarm information, where the first vector is the vector of an entity in the relation triplet of the first type of alarm information and the second vector is the vector of an entity, or of the relation, in the relation triplet;
the determining unit being further configured to determine, according to the first vector and the second vector, a target vector for the entity or relation to be inferred in the relation triplet;
an acquisition unit, configured to acquire a plurality of potential target vectors according to an entity set or a relation set of a knowledge graph, where the knowledge graph indicates the relation between the first type of alarm information and the second type of alarm information;
a processing unit, configured to determine a similarity between the target vector and each potential target vector;
the processing unit being further configured to determine, from the plurality of potential target vectors according to the similarity, a third vector corresponding to the relation triplet, the third vector having the highest similarity to the target vector.
In a third aspect, the present application provides an electronic device, including:
a memory for storing a computer program;
a processor, configured to implement the steps of the multi-source alarm association analysis method described above when executing the computer program stored in the memory.
In a fourth aspect, the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the multi-source alarm association analysis method described above.
For the technical effects of the second to fourth aspects, and those achievable by each of their possible implementations, refer to the technical effects of the first aspect and of its possible implementations described above; the details are not repeated here.
Drawings
FIG. 1 is a schematic diagram of an application scenario of an alternative multi-source alarm association analysis according to an embodiment of the present application;
FIG. 2 is a flowchart of a multi-source alarm association analysis method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of relationship triples according to an embodiment of the present application;
FIG. 4 is a schematic diagram of constructing a knowledge graph according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a knowledge graph according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a vectorized knowledge graph according to an embodiment of the present application;
FIG. 7 is a schematic diagram of the head entity, relationship and tail entity of a relationship triplet in vector space according to an embodiment of the present application;
FIG. 8 is a schematic diagram of determining the target third vector according to an embodiment of the present application;
FIG. 9 is a flowchart of an exemplary multi-source alarm association analysis according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a multi-source alarm association analysis device according to an embodiment of the present application;
FIG. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings, wherein it is apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein.
Some terms appearing hereinafter are explained below:
1. In the embodiments of the invention, the term "and/or" describes an association between associated objects and indicates that three relations can exist; for example, "A and/or B" can mean that A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the objects around it are in an "or" relationship.
2. Industrial Control System (ICS): a business process management and control system that ensures the automatic operation, process control and monitoring of industrial infrastructure, made up of various automatic control components and process control components that collect and monitor real-time data.
3. Cyber-Physical System (CPS): a system that deeply integrates computation, communication and control into a physical system, relies on computational processes to sense and control the physical process, and achieves a seamless combination of the information space and the physical world.
4. Information security (security): the physical units under consideration are free of unacceptable risk from outside; for an industrial control system the main aim is to prevent system vulnerabilities from being exploited maliciously, which would compromise the confidentiality, integrity and availability of the system.
5. Service alarm: a perceptible indication of a fault or failure. Sensors sense specific physical parameters of the service operation process (temperature, pressure, distance, position, etc.), a logic unit computes and compares them, and a notification of an abnormal physical state of the system is sent out to draw the attention of safety personnel.
6. Network alarm: a network-state alarm is a security alarm. An information security protection system, typified by an Intrusion Detection System (IDS), monitors network packets or host state information online, extracts and analyses the relevant data features, identifies abnormal data among them, and sends a notification of an abnormal network/host state to draw a technician's attention to a perceptible indication of attack or intrusion.
7. Knowledge graph: essentially a semantic network in which nodes represent entities (or concepts) and edges represent the various semantic relationships between entities/concepts.
8. Physical Layer: the lowest layer of the Open Systems Interconnection (OSI) model of computer networks. The physical layer provides for the creation, maintenance and tear-down of the physical links required to transfer data, and specifies their mechanical, electrical, functional and procedural characteristics.
In the prior art, the security protection of an industrial control system is mainly based on anomaly analysis of network state data and lacks integration with business operational data. Because the information system is coupled with the physical system, the state parameters of cyberspace and of physical space are not isolated: certain relations exist between them. An attacker can exploit this coupling between the information and physical systems to attack the various links of the industrial control system. For example, an attacker may break through traditional network defences using an information security vulnerability and disable a device's control system; from there part of the physical nodes can be affected and the physical system attacked, causing dangerous accidents and damage to life, property, the environment and so on.
Therefore, security protection based on anomaly analysis of network state data alone does not consider the security risk arising from the cyber-physical coupling characteristics, and is unfavourable to formulating correct protection decisions.
Meanwhile, existing alarm correlation techniques are based on statistical mining of single homogeneous data and cannot meet the need for security fusion of the multi-source heterogeneous data found in an industrial control system. Here single homogeneous data means structured alarm information of one type, while multi-source heterogeneous data may be structured and unstructured alarm information of various types.
In view of the above problems, the present application provides a multi-source alarm association analysis method, which determines a first vector and a second vector according to the received first type of alarm information: the first vector is the vector of an entity in the relation triplet of the first type of alarm information, and the second vector is the vector of an entity, or of the relation, in that relation triplet. According to the first vector and the second vector, a target vector is determined for the entity or relation in the relation triplet that is to be inferred. A plurality of potential target vectors is acquired according to the entity set or the relation set of the knowledge graph, where the knowledge graph indicates the relation between the first type of alarm information and the second type of alarm information. The similarity between the target vector and each potential target vector is determined, and the third vector corresponding to the relation triplet is selected from the potential target vectors according to the similarity, the third vector being the one with the highest similarity to the target vector.
Compared with the prior art, the possible alarm information and relations are analysed and predicted by knowledge reasoning over the entities and relations presented by the knowledge graph, breaking through the limitation of single-type alarm analysis. Subsequent protection decisions and analysis can be made conveniently from the result, improving the efficiency of alarm association analysis. This is highly practical for accurately locating and handling the user's problems and for making preventive responses to the future from the known situation.
The application scenario described in the embodiments of the present application is intended to describe the technical solution of the embodiments more clearly and does not limit the technical solution provided; as a person of ordinary skill in the art will appreciate, the technical solution provided in the embodiments of the present application is equally applicable to similar technical problems as new application scenarios appear. In the description of the present application, unless otherwise indicated, "a plurality" means two or more.
As shown in fig. 1, an application scenario of an alternative multi-source alarm association analysis is provided in an embodiment of the present application.
The multi-source alarm association analysis system includes a terminal 100. The terminal 100 may have various client applications installed, such as programming applications, web browser applications, search applications, and the like. The terminal 100 may be any of various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets and desktop computers.
The multi-source alarm association analysis system further includes a server 101. The server 101 may be an independent server or a server cluster formed by a plurality of servers.
The server 101 may interact with the terminal 100 through a network to implement the multi-source alarm association analysis method of the present application.
FIG. 2 is a flowchart of a multi-source alarm association analysis method provided in an embodiment of the present application; it may specifically include the following operations, described below with a terminal as the executing entity.
S201, the terminal determines a first vector and a second vector according to the received first type of alarm information, where the first vector is the vector of an entity in the relation triplet of the first type of alarm information and the second vector is the vector of an entity, or of the relation, in that relation triplet;
S202, the terminal determines, according to the first vector and the second vector, a target vector for the entity or relation to be inferred in the relation triplet;
S203, the terminal acquires a plurality of potential target vectors according to an entity set or a relation set of a knowledge graph, where the knowledge graph indicates the relation between the first type of alarm information and the second type of alarm information;
S204, the terminal determines the similarity between the target vector and each potential target vector;
S205, the terminal determines, from the plurality of potential target vectors according to the similarity, a third vector corresponding to the relation triplet, the third vector having the highest similarity to the target vector.
In an industrial control system, the various security monitoring devices deployed on the physical layer and the information layer (such as industrial control intrusion or anomaly detection devices, industrial control network anti-virus systems, and the like) can identify abnormal data such as physical state parameters (temperature, pressure, humidity, etc.), device host parameters (refrigerating capacity, heating capacity, input power, etc.) and network state parameters (abnormal traffic, abnormal instructions, abnormal messages, etc.). When attack activity occurs, the security monitoring device identifies the abnormal data as alarm information and may transmit it to the terminal; in S201 the terminal determines the first vector and the second vector from the alarm information received from the security monitoring device.
For example, the safety monitoring device may be an SIS (safety instrumented system). If the SIS judges temperature data to be abnormal because it exceeds the maximum of the normal range, it reports over-temperature alarm information to the terminal.
In one possible embodiment, the terminal receives alarm information from the security monitoring device and determines the first vector from the entity set according to that alarm information. The entity set contains the correspondence between the first type of alarm information and the first vector, and also the correspondence between the second type of alarm information and the second vector.
Optionally, the terminal may determine the entity set and the relationship set as follows.
In some embodiments, the terminal extracts security data from a security management document using natural language processing (NLP) techniques. The security data includes, but is not limited to, each security monitoring device, the different types of alarm information, and the relations between alarm information and devices. For example, the first type of alarm information may be a service alarm and the second type a network alarm.
The security management document contains the alarm information, the security monitoring devices and other information about the industrial control system; it may be provided by the user or downloaded from a relevant website. Optionally, the terminal may also extract security data from the running logs of the security monitoring system; this application does not specifically limit the source.
It is understood that the relationship between the first type of alarm information and the second type of alarm information may also be preset by those skilled in the art.
In other embodiments, the terminal may also obtain the different types of alarm information from the data anomaly information reported by the various security monitoring devices.
In other embodiments, the terminal may also extract business data from a business management document using NLP techniques. The business data includes, but is not limited to, the process equipment, control equipment (sensors, actuators, controllers, etc.), monitoring equipment, and the relations between pieces of equipment. The business management document contains information such as each device in the industrial control system and the relations between devices; it may be provided by the user or downloaded from a relevant website, which this application does not specifically limit.
Optionally, after acquiring the different types of alarm information and the devices, the terminal may further determine the relations between the different types of alarm information. For example, the terminal may obtain the relationship between the first type and the second type of alarm information using security analysis techniques such as injection attack test results, Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA), and System-Theoretic Process Analysis (STPA).
For example, the relationships between the first type and the second type of alarm information that the terminal may determine through STPA include the following types: (1) a control action is not provided; (2) a control action is provided; (3) a potentially safe control action is provided, but too early, too late, or out of order; (4) a control action lasts too long or is stopped too early.
After determining the relationship between the first type and the second type of alarm information, the terminal constructs relationship triples of the form (two entities, relationship between them) to obtain a relationship triplet set, which is stored in a database. Any relationship triple in the set includes two entities, a head entity and a tail entity, which indicate the first type and the second type of alarm information respectively. It is understood that the relationship triplet set may also be preset by those skilled in the art; this application does not specifically limit it.
For example, a relationship triplet may be (first type of alarm information, relationship, second type of alarm information). A relationship triplet may also be (first type of device, relationship between the first type of device and the second type of device, second type of device), or (device, relationship between the device and the alarm information, alarm information).
FIG. 3 shows a petroleum hydrocracking control process in an industrial control system. Some of its relationship triples are listed in Table 1:
TABLE 1: partial relationship triples of the hydrocracking process (rows recovered from the text below)
Head entity                         | Relationship                | Tail entity
head tank                           | after-process equipment     | feed pump
heating furnace                     | monitoring device           | heating furnace level sensor
heating furnace level sensor        | constitutes                 | heating furnace level control loop
reactor temperature sensor          | raises alarm                | reactor temperature too high
Ethernet traffic exceeds threshold  | no control action provided  | reactor overheated
In Table 1 the relationship triples include: (head tank, after-process equipment, feed pump), where the head entity is "head tank", the relationship is "after-process equipment" and the tail entity is "feed pump"; (heating furnace, monitoring device, heating furnace level sensor), where the head entity is "heating furnace", the relationship is "monitoring device" and the tail entity is "heating furnace level sensor"; (heating furnace level sensor, constitutes, heating furnace level control loop), where the head entity is "heating furnace level sensor", the relationship is "constitutes" and the tail entity is "heating furnace level control loop"; (reactor temperature sensor, raises alarm, reactor temperature too high), where the head entity is "reactor temperature sensor", the relationship is "raises alarm" and the tail entity is "reactor temperature too high"; and (Ethernet traffic exceeds threshold, no control action provided, reactor overheated), where the head entity is "Ethernet traffic exceeds threshold", the relationship is "no control action provided" and the tail entity is "reactor overheated". The examples here are merely illustrative and are not limiting.
In one possible embodiment, the terminal may obtain the above-described set of relationship triples from a database. Wherein any one of the relationship triples contained in the relationship triplet set includes two entities and a relationship between the two entities. The two entities are respectively used for indicating the first type of alarm information and the second type of alarm information.
The terminal may use any entity included in the relationship triplet set as a starting point, and use an entity having a relationship with the starting point included in the relationship triplet set as a next node. Connecting the starting point and the next node. And taking the next node as a new starting point, and returning to execute the connection starting point and the next node until no entity with a relation with the starting point exists in the relation triplet set, so as to obtain a knowledge graph.
For example, as shown in fig. 4, an embodiment of the present application provides a schematic diagram for constructing a knowledge graph. In the fourth diagram, the relationship triplet includes "entity a, relationship 1, entity C", "entity B, relationship 2, entity C" using entity C as a starting point, connecting entity a and entity C, and entity B and entity C according to the relationship contained in the relationship triplet. After all the entities having a relation with the entity C contained in the relation triplet set are connected, the next node entity A is taken as a new starting point. "entity D, relationship 5, entity a" connects entity a with the next node entity D. After all entities having a relationship with entity a contained in the relationship triplet set are connected, the next node entity B is taken as a new starting point. And obtaining a knowledge graph until no entity with a relation with the new starting point exists in the relation triplet set.
Fig. 5 shows a knowledge graph according to an embodiment of the present application that represents the relationships between different types of alarm information. Solid lines represent known relationships determined from the relationship triplet set, such as (NA1, AR1, PA1) and (NA2, AR2, PA3). Dashed lines represent hidden, unknown relationships, which can subsequently be obtained by semantic mining using knowledge reasoning techniques; for example, there may be an implicit relationship between NA1 and PA2, or between PA4 and NA2. NA1, NA2, … represent the first type of alarm information; PA1, PA2, … represent the second type of alarm information; AR1, AR2, … represent relationships between the first type and the second type of alarm information. Optionally, the terminal can later use knowledge reasoning to supplement the relationships between different types of alarm information and visually display the overall relationships of the alarm information regardless of type, which helps the user observe the security situation of the physical layer and the information layer.
In this method, the knowledge graph constructed from the relationship triplet set can intuitively display the relationships among different types of alarm information. Fusing the alarm information in this way resolves the problem of bringing multiple heterogeneous alarm sources into a common form and meets the user's need to see the relationships between alarms at a glance.
Optionally, the terminal may also receive security analysis requirement information and delete redundant entities and relationships from the relationship triplet set using a knowledge fusion technique before constructing the knowledge graph. The knowledge graph is then constructed from the remaining triples in the same way as described above, which is not repeated here. The security analysis requirement information may be a document, a table, or another form, which the present application does not particularly limit. It contains entities and relationships set by the user, may be preset by a person skilled in the art, and can be set reasonably according to the specific application scenario.
For example, if the entity included in the security requirement information is NA1, the terminal may delete all relationship triples that do not include NA1 in the relationship triplet set, thereby determining the relationship triplet including NA 1. For another example, if the relationship included in the security requirement information is AR1, the terminal may delete all relationship triples that do not include AR1 from the relationship triplet set, thereby determining the relationship triplet including AR 1.
According to the method, the knowledge graph is constructed according to the safety requirement information, so that the entity and the relation to be observed can be displayed for the user more intuitively, and the use experience of the user is improved.
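As an added illustration (not code from the application), the following Python builds the knowledge graph by the start-point / next-node procedure described above and applies the requirement-based pruning of the triple set; the triples are a constructed sample modelled on Table 1, and the entity and relation names are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample triples (head, relation, tail) modelled on the page's Table 1.
# They are illustrative data, not the application's own triple set.
TRIPLES = [
    ("raw material tank", "later process device", "feed pump"),
    ("feed pump", "later process device", "heating furnace"),
    ("heating furnace", "monitoring device", "heating furnace liquid level sensor"),
    ("heating furnace liquid level sensor", "constitution",
     "heating furnace liquid level control loop"),
    ("reactor temperature sensor", "send out warning", "reactor temperature too high"),
    ("Ethernet traffic exceeds threshold", "no control action is provided resulting in",
     "reactor temperature too high"),
]


def build_knowledge_graph(triples, start):
    """Connect entities by the start-point / next-node procedure.

    Returns (nodes, edges): nodes in the order in which they became a starting
    point, edges as the set of (head, relation, tail) triples that were connected.
    """
    # Index each triple under both endpoints so an entity is reached whether it is
    # the head or the tail (fig. 4 connects A->C and B->C starting from C).
    by_entity = defaultdict(list)
    for h, r, t in triples:
        by_entity[h].append((h, r, t))
        by_entity[t].append((h, r, t))
    if start not in by_entity:
        raise KeyError(f"{start!r} is not an entity of the triple set")
    nodes, edges = [], set()
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()          # the current starting point
        nodes.append(current)
        for h, r, t in by_entity[current]:
            edges.add((h, r, t))           # connect starting point and next node
            nxt = t if h == current else h
            if nxt not in seen:            # next node becomes a later starting point
                seen.add(nxt)
                queue.append(nxt)
    return nodes, edges


def build_full_graph(triples):
    """Repeat the procedure from every not-yet-visited entity so that disconnected
    parts of the triple set (e.g. the reactor alarms in the sample above) are not
    silently dropped; the page's description covers one starting point only."""
    remaining = {e for h, _, t in triples for e in (h, t)}
    components = []
    while remaining:
        nodes, edges = build_knowledge_graph(triples, min(remaining))
        components.append((nodes, edges))
        remaining -= set(nodes)
    return components


def filter_by_requirement(triples, entities=(), relations=()):
    """Knowledge-fusion step of the page: keep only triples that contain one of the
    entities or relations named in the security analysis requirement information."""
    entities, relations = set(entities), set(relations)
    return [(h, r, t) for h, r, t in triples
            if h in entities or t in entities or r in relations]


if __name__ == "__main__":
    for nodes, edges in build_full_graph(TRIPLES):
        print("component:", " -> ".join(nodes), f"({len(edges)} edges)")
    print(filter_by_requirement(TRIPLES, entities={"reactor temperature too high"}))
```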
In order to facilitate subsequent alarm association analysis on the knowledge graph, the terminal can vectorize the entities and relationships contained in the knowledge graph to obtain an entity set and a relationship set. Optionally, the knowledge graph vectorization methods that the terminal may adopt in the embodiments of the present application include translational distance models, semantic matching models, additional information models, and the like, which the present application does not specifically limit.
For example, the terminal may use TransE (Translating Embedding), a translational distance model that learns embedded representations of the nodes and relationships of a graph structure, to vectorize the entities and relationships contained in the knowledge graph and obtain an entity set and a relationship set. As shown in Table 2, the terminal first lists the entities contained in the knowledge graph, the relationships between pairs of entities, and their identifiers (ID).
TABLE 2 (table image not reproduced here)
Secondly, the terminal reads the knowledge graph in the form of relationship triples to obtain all relationship triples corresponding to the knowledge graph. Finally, the terminal trains each entity and relationship of the knowledge graph with the TransE algorithm: entities and relationships are embedded into a low-dimensional vector space and corresponding vectors are generated, yielding the entity set and the relationship set.
For example, the vector representations of entities and relationships may be as shown in Table 3. In Table 3, the vector values of the entity vector "heating furnace liquid level control loop" are [0.3318647, -0.0017983, 0.0017959, … …], and the vector values of the relationship vector "comprising" are [-0.6639857, -0.5022235, -0.0183657, … …].
TABLE 3 (table image not reproduced here)
Fig. 6 is a schematic diagram of the vectorized knowledge graph, which indicates the relationship among the first vector, the second vector and the third vector. The first vector is an entity in the vectorized knowledge graph; the third vector is a relationship in the vectorized knowledge graph when the second vector is an entity, and an entity in the vectorized knowledge graph when the second vector is a relationship.
In this method, vectorizing the knowledge graph yields an entity set and a relationship set from which the semantic similarity between entities can be computed quickly: similar entities in the knowledge graph lie at similar distances in the low-dimensional space, and the head entity vector plus the relationship vector is approximately equal to the tail entity vector.
Optionally, the terminal may perform knowledge graph reasoning based on the TransE algorithm. The goal of TransE is to learn a low-dimensional vector representation of entities and relationships. For a relationship triple (h, r, t), h and t are entities, h being the head entity and t the tail entity, and r is their relationship. In TransE, (h, r, t) satisfies t ≈ h + r: t is as close as possible to h + r, whereas if the three do not form a relationship triple, t is as far from h + r as possible. The relationship between h, t and r is shown in FIG. 7. After the distributed vector representation (h + r = t) of the entities and relationships in the knowledge graph has been obtained, other tasks can be carried out. For example, to predict the relationship between any two entities, the vector h is subtracted from the vector t and the relationship vectors nearest to t - h in the space are found; the nearest one can be taken as the relationship of the triple. Likewise, a source entity and a relationship can be given to predict the target entity: the value h + r is computed and the vector t of the target entity is predicted from it.
It can be understood that the terminal may adopt a model formed based on a TransE algorithm, or may be a model formed based on a TransR algorithm, or of course, may also be a model formed by other algorithms capable of implementing knowledge graph reasoning to perform knowledge graph reasoning, which is not particularly limited in this application.
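The TransE vectorization step, as an added example written for this page (not the application's code or any library's API): a minimal margin-ranking trainer in plain Python that embeds the constructed triples below into a low-dimensional space so that h + r ≈ t for known triples; the dimension, margin, learning rate and triple set are assumptions.

```python
import random

DIM = 8              # embedding dimension (assumed; the page fixes none)
MARGIN = 1.0         # margin of the ranking loss (assumed)
LEARNING_RATE = 0.05 # SGD step size (assumed)

# Constructed training triples (head, relation, tail) modelled on the page's Table 1;
# sample data, not the application's own triple set.
TRIPLES = [
    ("raw material tank", "later process device", "feed pump"),
    ("feed pump", "later process device", "heating furnace"),
    ("heating furnace", "monitoring device", "heating furnace liquid level sensor"),
    ("heating furnace liquid level sensor", "constitution",
     "heating furnace liquid level control loop"),
    ("reactor temperature sensor", "send out warning", "reactor temperature too high"),
    ("Ethernet traffic exceeds threshold", "no control action is provided resulting in",
     "reactor temperature too high"),
]


def l2_norm(v):
    return sum(x * x for x in v) ** 0.5


def normalize(v):
    n = l2_norm(v) or 1.0
    return [x / n for x in v]


def score(h, r, t):
    """TransE scoring function f(h, r, t) = ||h + r - t||_2; small means plausible."""
    return l2_norm([hi + ri - ti for hi, ri, ti in zip(h, r, t)])


def init_embeddings(triples, rng):
    """Uniform initialisation in [-6/sqrt(k), 6/sqrt(k)], then unit-normalised."""
    bound = 6.0 / DIM ** 0.5
    entities = sorted({e for h, _, t in triples for e in (h, t)})
    relations = sorted({r for _, r, _ in triples})
    ent = {e: normalize([rng.uniform(-bound, bound) for _ in range(DIM)]) for e in entities}
    rel = {r: normalize([rng.uniform(-bound, bound) for _ in range(DIM)]) for r in relations}
    return ent, rel


def corrupt(triple, entities, known, rng):
    """Negative sample: replace the head or the tail by a random entity, skipping
    corruptions that happen to be true triples (they would give a wrong signal)."""
    h, r, t = triple
    while True:
        e = rng.choice(entities)
        cand = (e, r, t) if rng.random() < 0.5 else (h, r, e)
        if cand != triple and cand not in known:
            return cand


def sgd_step(ent, rel, pos, neg):
    """One margin-ranking update: loss = max(0, margin + f(pos) - f(neg))."""
    (h, r, t), (h2, r2, t2) = pos, neg
    loss = MARGIN + score(ent[h], rel[r], ent[t]) - score(ent[h2], rel[r2], ent[t2])
    if loss <= 0:
        return 0.0

    def unit_diff(hv, rv, tv):   # gradient of ||h + r - t|| with respect to (h + r - t)
        return normalize([a + b - c for a, b, c in zip(hv, rv, tv)])

    gp = unit_diff(ent[h], rel[r], ent[t])      # both gradients taken before any update
    gn = unit_diff(ent[h2], rel[r2], ent[t2])
    for i in range(DIM):
        ent[h][i] -= LEARNING_RATE * gp[i]      # pull the true triple together
        rel[r][i] -= LEARNING_RATE * gp[i]
        ent[t][i] += LEARNING_RATE * gp[i]
        ent[h2][i] += LEARNING_RATE * gn[i]     # push the corrupted triple apart
        rel[r2][i] += LEARNING_RATE * gn[i]
        ent[t2][i] -= LEARNING_RATE * gn[i]
    return loss


def train_transe(triples, epochs=200, seed=0):
    """Vectorise entities and relations; returns (entity set, relation set, loss per epoch)."""
    rng = random.Random(seed)
    ent, rel = init_embeddings(triples, rng)
    entities, known = list(ent), set(triples)
    losses = []
    for _ in range(epochs):
        epoch_loss = 0.0
        for pos in rng.sample(triples, len(triples)):
            epoch_loss += sgd_step(ent, rel, pos, corrupt(pos, entities, known, rng))
        for e in entities:           # TransE keeps entity vectors on the unit sphere
            ent[e] = normalize(ent[e])
        losses.append(epoch_loss)
    return ent, rel, losses


if __name__ == "__main__":
    ent, rel, losses = train_transe(TRIPLES)
    print(f"epoch loss: first {losses[0]:.3f}, last {losses[-1]:.3f}")
    for h, r, t in TRIPLES:
        print(f"f = {score(ent[h], rel[r], ent[t]):.3f}  ({h}, {r}, {t})")
```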
The terminal may determine a first vector corresponding to the received first type of alert information from the entity set. The terminal may also receive a second vector set by the user.
1. In one possible scenario, the second vector may represent a second type of alert information contained in the entity set. The second vector is preset by a person skilled in the art, and the second vector can be reasonably set according to a specific application scene.
Optionally, the second vector may also represent alarm information of a second type different from the first type received by the terminal in the first period. The first time period may also be preset by a person skilled in the art, and the first time period may be reasonably set according to a specific application scenario.
In some embodiments, when the first vector corresponding to the first type of alarm information is the head entity of the relationship triple and the second vector corresponding to the second type of alarm information is the tail entity, the first vector is subtracted from the second vector to determine the target vector. The terminal may obtain a plurality of vectors representing relationships from the relationship set and use them as potential target vectors. The terminal selects either the L1 norm or the L2 norm as the scoring function f(h, r, t), and determines through the scoring function the similarity between the target vector and each of the potential target vectors. The terminal may take the potential target vector with the highest similarity to the target vector as the third vector.
In other embodiments, the first vector corresponding to the first type of alert information may also be used as a tail entity in the relationship triplet, and the second vector corresponding to the second type of alert information may also be used as a head entity in the relationship triplet. The manner in which the terminal determines the relationship between the first vector of the tail entity and the second vector of the head entity is the same as the manner in which the terminal determines the relationship between the first vector of the head entity and the second vector of the tail entity, which is not described here again.
In the method, through the first vector and the second vector, the corresponding relation between the first type of alarm information and the second type of alarm information can be deduced, so that a user can analyze the relation between different types of alarm information conveniently, and potential attack intention can be found. During the association analysis of the massive alarm information, the problem of efficiency of manual research and judgment is avoided, the efficiency of the association analysis of the alarm is improved, and the decision of a subsequent safety protection strategy is facilitated.
For example, the terminal may reason over the knowledge graph based on the TransE algorithm. The alarm information NA1 received by the terminal is of type network alarm; from the entity set the terminal confirms that the vector corresponding to NA1 is h. The alarm information PR2 set by the user and received by the terminal is of type service alarm; the second vector corresponding to PR2 is t. The terminal obtains the target vector t - h by subtracting the first vector h from the second vector t. The terminal selects the L2 norm as the scoring function f(h, r, t) and determines the similarity between the target vector t - h and each of the potential target vectors. The terminal may rank the similarity values f(h, r, t) of all the candidate vectors and select the one with the largest similarity value from the potential target vectors as the third vector.
2. In another possible case, the second vector may correspond to a relationship contained in the set of relationships.
In some embodiments, when the first vector corresponding to the first type of alarm information represents the head entity of the relationship triple and the second vector represents the relationship between the head entity and the tail entity, the terminal may add the first vector and the second vector to determine the target vector. The terminal determines a plurality of potential target vectors corresponding to the second type of alarm information from the entity set. The way the terminal determines the third vector from the potential target vectors and the target vector is the same as in the case where the second vector represents an entity, and is not repeated here. The third vector represents the second type of alarm information.
In the method, the second type of alarm information can be deduced through the first vector corresponding to the first type of alarm information and the second vector corresponding to the relation, so that possible alarms can be further predicted conveniently, and a basis is provided for guiding subsequent equipment fault management and maintenance work. When the fault corresponding to the alarm occurs, a preventive response is timely made, and the fault is prevented.
For example, the alarm information NA1 received by the terminal is of type service alarm; from the entity set the terminal confirms that the vector corresponding to NA1 is h. The relationship set by the user and received by the terminal is "no control action is provided resulting in", whose corresponding second vector is r. The target vector h + r is obtained by adding the first vector h and the second vector r. The L2 norm is chosen as the scoring function f(h, r, t), and the similarity between the target vector h + r and each potential target vector t is determined. The terminal may rank the similarity results f(h, r, t) of all the entity vectors and select the one with the largest similarity value from the potential target vectors as the third vector. As shown in fig. 8, the terminal may select PA2, which has the largest similarity value, as the third vector.
In other embodiments, when the first vector corresponding to the first type of alarm information represents the tail entity of the relationship triple and the second vector represents the relationship between the head entity and the tail entity, the terminal may subtract the second vector from the first vector to determine the target vector. The terminal determines the potential target vectors corresponding to the second type of alarm information from the entity set. The way the terminal determines the third vector from the potential target vectors and the target vector is the same as in the case where the second vector represents an entity, and is not repeated here.
In the method, the first vector representing the tail entity and the second vector representing the relation can be used for deducing the second type of alarm information representing the head entity, so that a user can find the reason of occurrence of the alarm conveniently, further find possible attack activities and prevent the attack activities, and then timely take effective emergency measures to deal with the occurrence of the attack activities.
For example, the alarm information PA1 received by the terminal is of type service alarm; from the entity set the terminal confirms that the vector corresponding to PA1 is t. The relationship set by the user and received by the terminal is "no control action is provided resulting in", whose corresponding second vector is r. The target vector t - r is obtained by subtracting the second vector r from the first vector t. The L2 norm is chosen as the scoring function f(h, r, t), and the similarity between the target vector t - r and each potential target vector is determined. The terminal may rank the similarity results f(h, r, t) of all the entity vectors and select the one with the largest similarity value from the potential target vectors as the third vector.
According to the embodiments of the present application, the various entities and relationships related to the alarm information are fully used to construct a knowledge graph, the knowledge graph serves as prior knowledge, and a third vector related to the first vector corresponding to the alarm information is determined by means of a graph-model algorithm. Because the type of alarm information corresponding to the first vector can differ from the type corresponding to the third vector or the second vector, the limitation of analysing alarms of a single type is broken, in contrast to prior-art association analysis that starts from alarm information of a single type only, and the problem of association analysis of multi-source heterogeneous alarm information is solved. At the same time, by performing association analysis on the known first vector and second vector, the method and device can accurately predict alarms that have not yet occurred and better assist the user in deciding the security protection strategy, which is of guiding significance for preventing subsequent alarms and has good application and popularisation value.
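The three inference cases above (t - h to find a relationship, h + r to find a tail entity, t - r to find a head entity) as an added example, not code from the application: the embeddings are constructed 3-dimensional vectors standing in for trained Table 3 values, built so that h + r ≈ t holds for the known triples (NA1, AR1, PA1) and (NA2, AR2, PA3) of fig. 5; the alarm-type labels are assumptions.

```python
import math

# Constructed embeddings (not the page's trained values). NA* are taken to be
# network alarms and PA* service alarms, following fig. 5 of the page.
ENTITIES = {
    "NA1": [1.0, 0.0, 0.0],
    "NA2": [0.0, 1.0, 0.0],
    "PA1": [1.0, 0.0, 1.0],      # = NA1 + AR1, a known triple
    "PA2": [0.6, 0.4, 1.1],
    "PA3": [0.2, 1.0, 1.0],      # = NA2 + AR2, a known triple
    "PA4": [0.05, 0.95, 1.0],
}
ENTITY_TYPE = {e: ("network" if e.startswith("NA") else "service") for e in ENTITIES}
RELATIONS = {
    "AR1": [0.0, 0.0, 1.0],
    "AR2": [0.2, 0.0, 1.0],
}


def vec_add(a, b):
    return [x + y for x, y in zip(a, b)]


def vec_sub(a, b):
    return [x - y for x, y in zip(a, b)]


def distance(target, candidate, norm="L2"):
    """Scoring function f(h, r, t) = ||h + r - t|| applied as ||target - candidate||.
    The page lets the terminal pick the L1 or L2 norm; smaller distance = higher similarity."""
    diff = vec_sub(target, candidate)
    if norm == "L1":
        return sum(abs(x) for x in diff)
    if norm == "L2":
        return math.sqrt(sum(x * x for x in diff))
    raise ValueError("norm must be 'L1' or 'L2'")


def rank_candidates(target, candidates, norm="L2"):
    """Return (name, distance) pairs, most similar potential target vector first."""
    scored = [(name, distance(target, vec, norm)) for name, vec in candidates.items()]
    return sorted(scored, key=lambda pair: pair[1])


def infer_relation(entities, relations, head, tail, norm="L2"):
    """Case 1: first vector h (head) and second vector t (tail) are entities;
    target = t - h, potential targets are the relationship vectors."""
    target = vec_sub(entities[tail], entities[head])
    return rank_candidates(target, relations, norm)


def infer_tail(entities, relations, entity_type, head, relation, second_type, norm="L2"):
    """Case 2a: first vector is the head h, second vector a relationship r;
    target = h + r, potential targets are the entities of the second alarm type."""
    target = vec_add(entities[head], relations[relation])
    candidates = {e: v for e, v in entities.items() if entity_type[e] == second_type}
    return rank_candidates(target, candidates, norm)


def infer_head(entities, relations, entity_type, tail, relation, second_type, norm="L2"):
    """Case 2b: first vector is the tail t, second vector a relationship r;
    target = t - r, potential targets are the entities of the second alarm type."""
    target = vec_sub(entities[tail], relations[relation])
    candidates = {e: v for e, v in entities.items() if entity_type[e] == second_type}
    return rank_candidates(target, candidates, norm)


if __name__ == "__main__":
    print("relation between NA1 and PA2:",
          infer_relation(ENTITIES, RELATIONS, "NA1", "PA2")[0])
    print("tail of (NA2, AR1, ?):",
          infer_tail(ENTITIES, RELATIONS, ENTITY_TYPE, "NA2", "AR1", "service")[0])
    print("head of (?, AR1, PA1):",
          infer_head(ENTITIES, RELATIONS, ENTITY_TYPE, "PA1", "AR1", "network")[0])
```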
As shown in fig. 9, an exemplary multi-source alarm association analysis flowchart is provided in the embodiments of the present application, taking a terminal as an execution body as an example.
S901, a terminal acquires a relation triplet set, wherein any relation triplet contained in the relation triplet set comprises two entities and a relation between the two entities;
S902, the terminal takes any entity contained in the relation triplet set as a starting point, takes an entity contained in the relation triplet set that has a relation with the starting point as a next node, and connects the starting point and the next node;
S903, the terminal takes the next node as a new starting point and repeats the connection of the starting point and the next node until no entity with a relation with the starting point exists in the relation triplet set, obtaining a knowledge graph;
S904, the terminal vectorizes the entities and the relations contained in the knowledge graph to obtain a relation set and an entity set;
S905, the terminal determines a first vector from the entity set according to the received first type of alarm information;
S906, the terminal receives a second vector set by a user;
S907, the terminal subtracts the first vector and the second vector to determine a target vector;
S908, the terminal acquires a plurality of potential target vectors from the relation set, wherein the plurality of potential target vectors is a subset of the relations contained in the relation set;
S909, the terminal determines the similarity between the target vector and each potential target vector in the plurality of potential target vectors;
S910, the terminal determines a third vector from the plurality of potential target vectors according to the similarity, wherein the similarity between the third vector and the target vector is the highest.
Fig. 10 is a schematic structural diagram of a multi-source alarm association analysis device according to an embodiment of the present application, where, as shown in fig. 10, the multi-source alarm association analysis device includes: a determination unit 1001, an acquisition unit 1002, and a processing unit 1003.
A determining unit 1001, configured to determine a first vector and a second vector according to the received first type of alarm information; the vector of the entity in the relation triplet of the first type of alarm information represents a first vector, and the vector of the entity or the relation in the relation triplet represents a second vector;
the determining unit 1001 is further configured to determine, according to the first vector and the second vector, a target vector of an entity or a relationship to be inferred in the relationship triplet;
an obtaining unit 1002, configured to obtain a plurality of potential target vectors according to an entity set or a relationship set of a knowledge graph, where the knowledge graph is used to indicate a relationship between the first type of alert information and the second type of alert information;
A processing unit 1003 configured to determine a similarity between the target vector and each potential target vector;
the processing unit 1003 is further configured to determine, according to the similarity, a third vector corresponding to the relation triplet from the plurality of potential target vectors, where the similarity between the third vector and the target vector is the highest.
Optionally, according to the first vector and the second vector, a target vector of an entity or a relationship to be inferred in the relationship triplet is determined, and the determining unit 1001 is specifically configured to:
and performing addition operation or subtraction operation on the first vector and the second vector to determine a target vector.
Optionally, the obtaining unit 1002 is further configured to:
acquiring a relation triplet set, wherein any relation triplet contained in the relation triplet set comprises two entities and a relation between the two entities, and the two entities are respectively used for indicating the first type of alarm information and the second type of alarm information;
the processing unit 1003 is further configured to:
taking any entity contained in the relation triplet set as a starting point, taking the entity which has relation with the starting point and is contained in the relation triplet set as a next node, and connecting the starting point and the next node;
taking the next node as a new starting point, and returning to execute the connection of the starting point and the next node until no entity with a relation with the starting point exists in the relation triplet set, so as to obtain a knowledge graph;
Vectorizing the entities contained in the knowledge graph to obtain an entity set;
vectorizing the relationship contained in the knowledge graph to obtain a relationship set;
wherein the third vector is a relationship in the vectorized knowledge-graph if the second vector is an entity in the vectorized knowledge-graph or is an entity in the vectorized knowledge-graph if the second vector is a relationship in the vectorized knowledge-graph.
Optionally, according to the received first type of alarm information, a first vector and a second vector are determined, and the determining unit 1001 is specifically configured to:
determining a first vector corresponding to the first type of alarm information from the entity set according to the first type of alarm information; the entity set comprises a corresponding relation between the first type of alarm information and the first vector;
receiving a second vector set by a user, wherein the second vector is a second vector corresponding to the second type of alarm information contained in the entity set; the entity set also comprises a corresponding relation between the second type of alarm information and the second vector;
the plurality of potential target vectors are a subset of the relationships contained in the set of relationships.
Optionally, according to the received first type of alarm information, the determining unit 1001 is further configured to:
Determining a first vector corresponding to the first type of alarm information from the entity set according to the first type of alarm information;
receiving a second vector set by a user, wherein the second vector is a second vector corresponding to a relation contained in the relation set;
the plurality of potential target vectors are a subset of the alert information of the second type contained in the set of entities.
Based on the same technical conception, the embodiment of the application also provides electronic equipment which can realize the functions of the multi-source alarm association analysis device.
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
The embodiment of the present application does not limit the specific connection medium between the processor 1101 and the memory 1102; in fig. 11, the processor 1101 and the memory 1102 are connected through the bus 1100 by way of example. The bus 1100 is shown as a thick line in fig. 11, and the way other components are connected is illustrated schematically and not by way of limitation. The bus 1100 may be divided into an address bus, a data bus, a control bus, etc., and is represented by only one thick line in fig. 11 for convenience of representation, which does not mean that there is only one bus or one type of bus. Alternatively, the processor 1101 may be referred to as a controller; the name is not limited.
In this embodiment, the memory 1102 stores instructions executable by the at least one processor 1101, and the at least one processor 1101 can execute the method for maintaining the database as described above by executing the instructions stored in the memory 1102. The processor 1101 may implement the functions of the various units in the apparatus shown in fig. 10.
The processor 1101 is the control center of the apparatus, may be connected to the various parts of the entire control device through various interfaces and lines, and, by running or executing the instructions stored in the memory 1102 and invoking the data stored in the memory 1102, performs the various functions of the apparatus and processes data, thereby monitoring the apparatus as a whole.
In one possible design, the processor 1101 may include one or more processing units, and the processor 1101 may integrate an application processor and a modem processor, wherein the application processor primarily processes operating systems, driver interfaces, application programs, and the like, and the modem processor primarily processes wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 1101. In some embodiments, the processor 1101 and the memory 1102 may be implemented on the same chip, and in some embodiments they may be implemented separately on separate chips.
The processor 1101 may be a general purpose processor such as a Central Processing Unit (CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, which may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method for maintaining a database disclosed in connection with the embodiments of the present application may be directly embodied as a hardware processor executing, or may be executed by a combination of hardware and software modules in the processor.
Memory 1102 is a non-volatile computer-readable storage medium that can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 1102 may include at least one type of storage medium, for example flash memory, hard disk, multimedia card, card memory, random access memory (Random Access Memory, RAM), static random access memory (Static Random Access Memory, SRAM), programmable read-only memory (Programmable Read Only Memory, PROM), read-only memory (ROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory), magnetic memory, magnetic disk, optical disk, and the like. Memory 1102 is, without limitation, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 1102 in the present embodiment may also be circuitry or any other device capable of implementing a memory function for storing program instructions and/or data.
By programming the processor 1101, the code corresponding to the alarm association analysis described in the foregoing embodiments may be burned into the chip, thereby enabling the chip to perform the multi-source alarm association analysis method of the embodiment shown in fig. 2 at runtime. How to program the processor 1101 is a technique well known to those skilled in the art and is not described in detail here.
It should be noted that, the electronic device provided in the embodiment of the present application can implement all the method steps implemented in the embodiment of the method, and can achieve the same technical effects, and the same parts and beneficial effects as those of the embodiment of the method in the embodiment are not described in detail herein.
The embodiment of the application also provides a computer readable storage medium, and the computer readable storage medium stores computer executable instructions for causing a computer to execute the method for maintaining the database in the embodiment.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (13)

1. A method for multi-source alarm association analysis, the method comprising:
determining a first vector and a second vector according to the received first type of alarm information, wherein the first vector is the vector of the entity that represents the first type of alarm information in a relation triplet, and the second vector is the vector of another entity, or of the relation, in that relation triplet;
determining a target vector of an entity or a relationship to be inferred in the relationship triplet according to the first vector and the second vector;
acquiring a plurality of potential target vectors according to an entity set or a relation set of a knowledge graph, wherein the knowledge graph is used for indicating the relation between the first type of alarm information and the second type of alarm information;
determining a similarity between the target vector and each potential target vector;
and determining a third vector corresponding to the relation triplet from the plurality of potential target vectors according to the similarity, wherein the similarity between the third vector and the target vector is highest.
2. The method according to claim 1, wherein the determining the target vector of the entity or the relationship to be inferred in the relationship triplet according to the first vector and the second vector specifically comprises:
and carrying out addition operation or subtraction operation on the first vector and the second vector to determine the target vector.
3. The method of claim 1, wherein the method further comprises:
acquiring a relation triplet set, wherein any relation triplet contained in the relation triplet set comprises two entities and a relation between the two entities, and the two entities are respectively used for indicating the first type of alarm information and the second type of alarm information;
taking any entity contained in the relation triplet set as a starting point, taking an entity which is contained in the relation triplet set and has a relation with the starting point as a next node, and connecting the starting point and the next node;
taking the next node as a new starting point, and returning to execute the connection between the starting point and the next node until no entity with a relation with the starting point exists in the relation triplet set, so as to obtain a knowledge graph;
vectorizing the entities contained in the knowledge graph to obtain the entity set;
vectorizing the relationship contained in the knowledge graph to obtain the relationship set;
wherein the third vector is a relationship in the knowledge-graph after vectorization in case the second vector is an entity in the knowledge-graph after vectorization, or is an entity in the knowledge-graph after vectorization in case the second vector is a relationship in the knowledge-graph after vectorization.
4. The method according to claim 1, wherein determining the first vector and the second vector according to the received first type of alarm information specifically comprises:
determining the first vector corresponding to the first type of alarm information from the entity set according to the first type of alarm information, wherein the entity set comprises the correspondence between the first type of alarm information and the first vector;
receiving the second vector, which is set by the user and corresponds to second type of alarm information contained in the entity set, wherein the entity set also comprises the correspondence between the second type of alarm information and the second vector;
the plurality of potential target vectors being a subset of the relations contained in the relation set.
5. The method according to claim 1, wherein determining the first vector and the second vector according to the received first type of alarm information further comprises:
determining the first vector corresponding to the first type of alarm information from the entity set according to the first type of alarm information;
receiving the second vector, which is set by the user and corresponds to a relation contained in the relation set;
the plurality of potential target vectors being a subset of the second type of alarm information contained in the entity set.
6. A multi-source alert correlation analysis apparatus, the apparatus comprising:
a determining unit, configured to determine a first vector and a second vector according to the received first type of alarm information, wherein the first vector is the vector of the entity that represents the first type of alarm information in a relation triplet, and the second vector is the vector of another entity, or of the relation, in that relation triplet;
the determining unit being further configured to determine, according to the first vector and the second vector, a target vector of an entity or a relation to be inferred in the relation triplet;
an obtaining unit, configured to obtain a plurality of potential target vectors according to an entity set or a relation set of a knowledge graph, wherein the knowledge graph is used for indicating the relation between the first type of alarm information and the second type of alarm information;
a processing unit, configured to determine a similarity between the target vector and each potential target vector;
the processing unit being further configured to determine, according to the similarity, a third vector corresponding to the relation triplet from the plurality of potential target vectors, wherein the similarity between the third vector and the target vector is the highest.
7. The apparatus of claim 6, wherein the determining unit is configured to determine a target vector of an entity or a relationship to be inferred in the relationship triplet based on the first vector and the second vector, the determining unit being specifically configured to:
carry out an addition operation or a subtraction operation on the first vector and the second vector to determine the target vector.
8. The apparatus of claim 6, wherein the acquisition unit is further to:
acquiring a relation triplet set, wherein any relation triplet contained in the relation triplet set comprises two entities and a relation between the two entities, and the two entities are respectively used for indicating the first type of alarm information and the second type of alarm information;
the processing unit is further configured to:
taking any entity contained in the relation triplet set as a starting point, taking an entity which is contained in the relation triplet set and has the relation with the starting point as a next node, and connecting the starting point and the next node;
taking the next node as a new starting point, and returning to execute the connection between the starting point and the next node until no entity with a relation with the starting point exists in the relation triplet set, so as to obtain a knowledge graph;
vectorizing the entities contained in the knowledge graph to obtain the entity set;
vectorizing the relationship contained in the knowledge graph to obtain the relationship set;
wherein the third vector is a vectorized relation of the knowledge graph in case the second vector is a vectorized entity of the knowledge graph, or is a vectorized entity of the knowledge graph in case the second vector is a vectorized relation of the knowledge graph.
9. The apparatus according to claim 6, wherein, to determine the first vector and the second vector according to the received first type of alarm information, the determining unit is specifically configured to:
determine the first vector corresponding to the first type of alarm information from the entity set according to the first type of alarm information, wherein the entity set comprises the correspondence between the first type of alarm information and the first vector;
receive the second vector, which is set by the user and corresponds to second type of alarm information contained in the entity set, wherein the entity set also comprises the correspondence between the second type of alarm information and the second vector;
the plurality of potential target vectors being a subset of the relations contained in the relation set.
10. The apparatus according to claim 6, wherein, to determine the first vector and the second vector according to the received first type of alarm information, the determining unit is further configured to:
determine the first vector corresponding to the first type of alarm information from the entity set according to the first type of alarm information;
receive the second vector, which is set by the user and corresponds to a relation contained in the relation set;
the plurality of potential target vectors being a subset of the second type of alarm information contained in the entity set.
11. An electronic device, comprising: a memory and a controller;
a memory for storing program instructions;
a controller for invoking program instructions stored in the memory to perform the method of any of claims 1-5 in accordance with the obtained program.
12. A computer storage medium storing computer executable instructions for performing the steps of the method according to any one of claims 1-5.
13. A computer program product, the computer program product comprising: computer program code for causing a computer to perform the steps of the method as claimed in any one of claims 1 to 5 when said computer program code is run on a computer.
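Worked example of claims 1 to 5, added here as illustration and not code from the patent or its applicant. Claim 3 only says the entities and relations are "vectorized"; this example assumes a TransE-style translation embedding (head + relation is trained to land on tail), so that the addition of claim 2 infers a tail entity and the subtraction infers a relation. It also assumes negative squared Euclidean distance as the "similarity" of claim 1, since the claims fix no measure. The alarm names, relation names and triplets are constructed for the example; the ids: and waf: prefixes stand for the first and second alarm types. Two practical points the claims gloss over are made explicit: a traversal that starts from a single entity drops any disconnected component of the graph, so the walk restarts from every unvisited entity; and a one-to-many relation (ids:portscan precedes two WAF alarms) has no unique best match, so the top-1 answer for it is only one of the valid tails.

```python
import math
import random
from collections import defaultdict

# Constructed sample triplets (illustrative names, not product data): each
# links a first-type alarm (ids:) to a second-type alarm (waf:) by a relation.
TRIPLETS = [
    ("ids:sqli-probe",      "escalates_to", "waf:sqli-block"),
    ("ids:sqli-probe",      "same_source",  "waf:xss-block"),
    ("ids:webshell-upload", "escalates_to", "waf:upload-block"),
    ("ids:portscan",        "precedes",     "waf:sqli-block"),
    ("ids:portscan",        "precedes",     "waf:upload-block"),
    ("ids:bruteforce",      "escalates_to", "waf:login-ratelimit"),
]

def build_graph(triplets):
    """Claim 3: from a starting entity, connect every entity that has a
    relation with it and continue from each new node until none is left.
    Restarting from every unvisited entity keeps a disconnected component
    (ids:bruteforce here) from being dropped, as a single-start walk would."""
    adj = defaultdict(set)
    for h, r, t in triplets:
        adj[h].add((r, t))
        adj[t].add((r, h))                  # walk edges in both directions
    visited, components = set(), 0
    for start in list(adj):
        if start in visited:
            continue
        components += 1
        visited.add(start)
        frontier = [start]
        while frontier:
            for _, nxt in adj[frontier.pop()]:
                if nxt not in visited:
                    visited.add(nxt)
                    frontier.append(nxt)
    relations = sorted({r for _, r, _ in triplets})
    return dict(adj), sorted(visited), relations, components

def vadd(a, b): return [x + y for x, y in zip(a, b)]
def vsub(a, b): return [x - y for x, y in zip(a, b)]
def sqdist(a, b): return sum((x - y) ** 2 for x, y in zip(a, b))
def unit(v):
    n = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / n for x in v]

def _step(E, R, pos, neg, margin, lr):
    """Hinge update: make ||h+r-t||^2 smaller than the corrupted triplet's
    distance by at least `margin`; no-op once the pair is separated."""
    (h, r, t), (h2, r2, t2) = pos, neg
    p = vsub(vadd(E[h], R[r]), E[t])
    q = vsub(vadd(E[h2], R[r2]), E[t2])
    if margin + sum(x * x for x in p) - sum(x * x for x in q) <= 0:
        return
    for key, store, g, sign in ((h, E, p, -1), (r, R, p, -1), (t, E, p, +1),
                                (h2, E, q, +1), (r2, R, q, +1), (t2, E, q, -1)):
        store[key] = [v + sign * 2 * lr * gi for v, gi in zip(store[key], g)]

def train_transe(triplets, entities, relations, dim=16, margin=1.0,
                 lr=0.02, epochs=400, seed=0):
    """Vectorise entities and relations (claim 3) TransE-style: h + r ~ t.
    Each triplet is ranked against every other entity as tail and against
    every other relation, so the top-1 lookups below are meaningful."""
    rng = random.Random(seed)
    E = {e: unit([rng.uniform(-1, 1) for _ in range(dim)]) for e in entities}
    R = {r: unit([rng.uniform(-1, 1) for _ in range(dim)]) for r in relations}
    for _ in range(epochs):
        for h, r, t in triplets:
            for t2 in entities:
                if t2 != t:
                    _step(E, R, (h, r, t), (h, r, t2), margin, lr)
            for r2 in relations:
                if r2 != r:
                    _step(E, R, (h, r, t), (h, r2, t), margin, lr)
        for e in E:                         # keep entities on the unit sphere
            E[e] = unit(E[e])
    return E, R

def rank(target, candidates):
    """Claim 1: order the potential target vectors by similarity to the
    target.  Assumption: similarity = negative squared L2 distance, so the
    nearest candidate comes first (highest similarity)."""
    return sorted(candidates, key=lambda name: sqdist(target, candidates[name]))

def infer_tail(E, R, head, relation):
    """Claim 5: second vector is a relation, target = h + r, candidates are
    the second-type (waf:) entities; returns the best match."""
    target = vadd(E[head], R[relation])
    return rank(target, {e: v for e, v in E.items() if e.startswith("waf:")})[0]

def infer_relation(E, R, head, tail):
    """Claim 4: second vector is a second-type entity, target = t - h,
    candidates are the relation vectors; returns the best match."""
    return rank(vsub(E[tail], E[head]), R)[0]

if __name__ == "__main__":
    _, ents, rels, n_comp = build_graph(TRIPLETS)
    E, R = train_transe(TRIPLETS, ents, rels)
    print("components:", n_comp, "| ids:bruteforce escalates_to ->",
          infer_tail(E, R, "ids:bruteforce", "escalates_to"))
    print("ids:sqli-probe ? waf:xss-block ->",
          infer_relation(E, R, "ids:sqli-probe", "waf:xss-block"))
```

Running the module trains on the six triplets and prints the inferred WAF alarm for ids:bruteforce and the inferred relation between ids:sqli-probe and waf:xss-block. In an operational deployment the entity vectors would be trained once on the full graph and stored with the alarm-name-to-vector correspondence that claims 4 and 5 refer to; a user then supplies only the second vector's name, not the vector itself.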
Application CN202211687034.3A, priority date 2022-12-27, filing date 2022-12-27: Multi-source alarm association analysis method and device; status Pending; published as CN116010616A (en)

Publications (1)

Publication Number Publication Date
CN116010616A (en) 2023-04-25

Family

ID=86024226

Similar Documents

Publication Title
Emmanouilidis et al. Enabling the human in the loop: Linked data and knowledge in industrial cyber-physical systems
EP3834401B1 (en) Industrial system event detection and corresponding response
CN110149327B (en) Network security threat warning method and device, computer equipment and storage medium
JP2018170006A (en) Generic framework to detect cyber threats in electric power grid
KR102440335B1 (en) A method and apparatus for detecting and managing a fault
CN107346388A (en) Web attack detection methods and device
CN105191257A (en) Method and apparatus for detecting a multi-stage event
CN109491850A (en) A kind of disk failure prediction technique and device
JP2018045403A (en) Abnormality detection system and abnormality detection method
CN109088775B (en) Abnormity monitoring method and device and server
CN108170581A (en) A kind of fault early warning method, device and electronic equipment
US11640459B2 (en) Abnormality detection device
CN105376193A (en) Intelligent association analysis method and intelligent association analysis device for security events
CN109115262A (en) A kind of stirring factory production line monitoring method and system
JP6280862B2 (en) Event analysis system and method
CN112380089A (en) Data center monitoring and early warning method and system
CN116089231B (en) Fault alarm method and device, electronic equipment and storage medium
CN112702184A (en) Fault early warning method and device and computer-readable storage medium
CN112532435A (en) Operation and maintenance method, operation and maintenance management platform, equipment and medium
CN114666117A (en) Network security situation measuring and predicting method for power internet
KR102150622B1 (en) System and method for intelligent equipment abnormal symptom proactive detection
CN111381567B (en) Safety detection system and method for industrial control system
CN116010616A (en) Multi-source alarm association analysis method and device
CN111049685A (en) Network security sensing system, network security sensing method and device of power system
CN116167748A (en) Urban underground comprehensive pipe gallery operation and maintenance method, system and device and electronic equipment

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination