CN116010969A - Security rule matching method, device, electronic equipment and storage medium - Google Patents

Publication number
CN116010969A
Authority
CN
China
Prior art keywords
log data
security rule
tree model
node
matching
Legal status
Pending
Application number
CN202211732041.0A
Other languages
Chinese (zh)
Inventor
骆振源
Current Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qax Technology Group Inc
Qianxin Safety Technology Zhuhai Co Ltd
Application filed by Qax Technology Group Inc, Qianxin Safety Technology Zhuhai Co Ltd

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The application provides a security rule matching method, an electronic device and a storage medium. The method comprises: acquiring a multi-tree model in which each node is preset with a corresponding target security rule; matching log data against each node of the multi-tree model; and determining from the matching result whether the log data hits the corresponding target security rule, and hence whether the log data indicates a security threat. Compared with matching security rules expressed as text or character strings directly against the log data, the method improves matching efficiency.

Description

Security rule matching method, device, electronic equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a security rule matching method, an electronic device, and a storage medium.
Background
As technology develops, information security protection receives more and more attention. In practice, a security risk monitoring device such as a firewall is typically deployed on the protected object. The device holds a number of security rules, and log data from the protected object is matched against each rule; if one or more rules match, the protected object is considered to have a security threat.
However, because these security rules are usually expressed as text or character strings, matching them against the log data is usually inefficient.
Disclosure of Invention
An embodiment of the application aims to provide a security rule matching method, an electronic device and a storage medium that solve the problem of low matching efficiency in the prior art.
An embodiment of the present application provides a method for matching security rules, where the method includes:
acquiring a multi-tree model, wherein each node of the multi-tree model is preset with a corresponding target security rule;
matching the log data with each node of the multi-tree model;
and determining whether the log data hit the corresponding target security rule according to the matching result so as to determine whether the log data have security threat.
In an embodiment, the target security rule includes a single security rule and a combined security rule, the combined security rule being formed by combining at least two single security rules. The nodes of the multi-tree model include at least parent nodes and leaf nodes, each parent node having at least one leaf node below it; a leaf node corresponds to a single security rule and a parent node corresponds to a combined security rule. Obtaining the multi-tree model then specifically includes:
acquiring the single security rule, and generating the combined security rule based on a logical connection relation between the single security rules;
generating corresponding leaf nodes based on the single security rule;
generating a corresponding parent node based on the combined security rule;
the multi-tree model is generated based on a hierarchical relationship between the parent node and the leaf nodes.
In one embodiment, the method further comprises:
acquiring an initial security rule, wherein the initial security rule comprises characters and character strings;
and converting the initial security rule into json format data serving as the target security rule.
In one embodiment, the matching of the log data with each node of the multi-tree model specifically includes:
and matching the log data with the nodes of the multi-tree model layer by adopting a layer traversal algorithm and adopting a layer by layer recursion sequence from bottom to top, wherein:
if the log data is successfully matched with the nodes of each layer in the multi-tree model, the matching result is that the log data is successfully matched with the multi-tree model; or
and if the log data fails to be matched with at least one node in the multi-tree model, the matching result is that the log data fails to be matched with the multi-tree model.
In an embodiment, the parent node of the highest hierarchy among the parent nodes is the root node of the multi-tree model, and matching the log data with the nodes of the multi-tree model layer by layer using a layer traversal algorithm in bottom-up layer-by-layer recursion order specifically includes:
matching the log data with a single security rule corresponding to each leaf node of the bottom layer of the multi-tree model;
if the log data is successfully matched with the single security rule corresponding to each leaf node of the bottom layer of the multi-tree model, matching the log data with the combined security rule corresponding to the parent node of the next layer up, and if that matching succeeds, continuing to match the log data with the combined security rule of the parent node of the next layer up, until matching of the log data with the combined security rule corresponding to the root node is completed; or
and stopping matching the log data with the node of the previous level under the condition that the log data fails to be matched with the node of any level in the multi-tree model.
In an embodiment, the determining whether the log data hits the corresponding target security rule according to the matching result includes:
when the log data is successfully matched with the combined security rule corresponding to the root node, determining that the log data hits a corresponding target security rule;
and under the condition that the log data fails to be matched with any level of nodes in the multi-tree model, determining that the log data does not hit the corresponding target security rule.
In an embodiment, after determining that the log data hits the corresponding target security rule, the method further comprises:
outputting hit target security rules; and/or
determining that the log data contains a security threat; and/or
and determining a security event corresponding to the hit target security rule, and generating an alarm message corresponding to the security event.
In one embodiment, the method further comprises:
acquiring an initial log file;
and carrying out structuring processing on the initial log file to obtain the log data.
In one embodiment, the logical connection relationship is characterized by any one or more of the following logical connection words and, or and not.
A second aspect of the present application provides an electronic device, including:
a memory for storing a computer program;
a processor configured to perform a method according to any one of the method embodiments of the present application.
A third aspect of the present application provides a storage medium, including: a program which, when run on an electronic device, causes the electronic device to perform a method as described in any one of the method embodiments of the present application.
The security rule matching method provided by the embodiment of the application first obtains a multi-tree model in which each node is preset with a corresponding target security rule, then matches the log data with each node of the multi-tree model, and determines from the matching result whether the log data hits a corresponding target security rule, and hence whether the log data has a security threat. Thus, for the plurality of security rules in the security risk monitoring device, each can be taken as a target security rule, and which target security rule the log data hits is finally determined from the matching result of the log data against the multi-tree model.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
fig. 2 is a schematic diagram illustrating interaction between an electronic device and a data terminal according to an embodiment of the present application;
fig. 3 is a specific flow chart of a security rule matching method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a specific structure of a multi-tree model according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a security rule matching device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. In the description of the present application, terms such as "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance or order.
As mentioned above, as technology advances, information security receives increasing attention. In practice, a security risk monitoring device such as a firewall is typically deployed on the protected object; the device holds a number of security rules, and log data from the protected object is matched against each rule, so that if one or more rules match, the protected object is considered to have a security threat. However, because the security rules are usually text or character strings, matching such rules against log data is generally inefficient.
As shown in fig. 1, this embodiment provides an electronic device 1 including at least one processor 11 and a memory 12; fig. 1 shows one processor as an example. The processor 11 and the memory 12 may be connected by a bus 10. The memory 12 stores instructions executable by the processor 11, and executing them causes the electronic device 1 to perform all or part of the flow of the method in the embodiments described below. The electronic device 1 may be a notebook computer, a desktop computer, a server, or a cluster of servers, and the security risk monitoring device is typically deployed on the electronic device 1.
As shown in fig. 2, in practical application, the electronic device 1 may also interface with one or more data terminals 2, and the electronic device 1 may respectively communicate data with each data terminal 2. The data terminal 2 may be a mobile phone, a notebook computer, a desktop computer, or other monitored objects of the user, so that log data can be obtained from the data terminal 2.
Fig. 3 is a flowchart of a security rule matching method according to an embodiment of the present application. Some or all of the steps may be performed by the electronic device 1 shown in fig. 1, and some or all may also be performed by the data terminal 2 shown in fig. 2. The method is described below taking the electronic device 1 as a server that performs it, and includes the following steps:
step S31: a multi-way tree model is obtained.
In the multi-tree model, each node is preset with a corresponding target security rule, wherein the target security rule comprises a single security rule and a combined security rule, and the combined security rule is formed by combining at least two single security rules, such as combining two single security rules into a combined security rule.
For example, a single security rule may be used to check a single, basic condition on the log data, such as whether the number of login failures (denoted n below) is greater than a preset threshold, whether the interval between the time of the last login failure and the current time is greater than a preset interval, or whether the login time (denoted t below) falls within a preset period (such as 24 hours).
In addition, the way at least two single security rules are combined into a combined security rule reflects the logical connection relation between them. In practice, multiple single security rules may be obtained and then combined (i.e., the combined rule generated) based on the logical connection relations between them. The logical connection relation may be one requiring the conditions to be satisfied simultaneously, one requiring at least one of the conditions to be satisfied, or one negating a condition. The first is generally represented by a logical connective such as "and"; the second by a connective such as "or"; and the negation by a connective such as "not".
As mentioned above, a combined security rule may be formed from several single security rules based on the logical connection relation between them. For example, take the two single security rules n >= 3 and t <= 24, where n >= 3 checks whether the number of login failures is greater than or equal to the preset threshold 3, and t <= 24 checks whether the login time is within the preset period of 24 hours. Here the two single security rules are connected by a relation requiring both conditions to hold simultaneously, so combining them with the connective "and" yields the combined security rule n >= 3 and t <= 24, which determines whether the number of login failures within 24 hours is greater than or equal to 3.
For the multi-tree model acquired in step S31, each node of which is preset with a corresponding target security rule, the structure of the multi-tree model can be described as follows. The multi-tree model may include multiple levels and at least comprises parent nodes and leaf nodes, where each parent node has at least one leaf node below it, a leaf node corresponds to a single security rule (for example, the leaf node is generated from that single security rule), and a parent node corresponds to a combined security rule. The parent node of the highest level among the parent nodes is the root node of the multi-tree model.
For example, the multi-tree model shown in FIG. 4 has two levels, layer A and layer B. Layer A has two child nodes A1 and A2: child node A1 corresponds to the single security rule "n >= 3" and child node A2 corresponds to the single security rule "t <= 24". The parent node of both child nodes is node B1 in layer B, which corresponds to the combined security rule n >= 3 and t <= 24. The two child nodes A1 and A2 are also leaf nodes.
It is further noted that the multi-tree model may be a binary tree, a ternary tree or another multi-way tree; this is not limited here.
In step S31, the multi-tree model may be acquired, for example, by generating it directly or by retrieving it from a model library. One specific approach is to generate a multi-tree model in advance for each security rule in the security risk monitoring device and store the models in a model library, so that in step S31 the multi-tree model can be retrieved from the library.
Generation of the multi-tree model for a target security rule may proceed as follows: multiple single security rules are obtained first, and a combined security rule is generated from them based on the logical connection relations between them; then corresponding leaf nodes are generated from the single security rules and a corresponding parent node is generated from the combined security rule; finally the multi-tree model is generated from the hierarchical relation between the parent node and the leaf nodes.
For example, for the two single security rules n >= 3 and t <= 24, the corresponding leaf nodes A1 and A2 are generated from n >= 3 and t <= 24 respectively, the corresponding parent node B1 is generated from the combined security rule n >= 3 and t <= 24, and then the multi-tree model shown in fig. 4 is generated from the hierarchical relation between A1, A2 and B1. After the multi-tree model is generated it may be stored in a model library, so that it can later be retrieved from the library, which makes acquiring the multi-tree model more efficient.
In practice, since json format data is itself a multi-way tree structure, the target security rule (both the single security rules and the combined security rule) may be expressed in json format to facilitate generating the multi-tree model. For a json-format target security rule, the multi-tree model can be generated quickly by combining it with the data structure of the multi-way tree.
To obtain the target security rule in json format, an initial security rule may be obtained first, where the initial security rule consists of text and character strings, and then converted into json format data serving as the target security rule. Once the initial security rule has been converted to the json format, the multi-way tree nature of json data makes it straightforward to generate the multi-tree model.
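As an added example (not code from the patent), the following Python converts an initial security rule written as text, in the `n >= 3 and t <= 24` form the description uses, into the json-style nested data a multi-way tree can be generated from. The rule grammar (comparison operators, `not` binding tighter than `and`, `and` tighter than `or`, parentheses) and the key names `field`/`cmp`/`value`/`op`/`children` are this example's assumptions; the patent does not specify the text grammar or the json layout. Chains of the same connective are flattened into one parent with several children, which is what makes the result a multi-way rather than a binary tree.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Token shapes of the assumed rule text: parentheses, comparison operators,
# numbers, quoted strings, and words (field names or the connectives and/or/not).
_TOKEN_RE = re.compile(
    r"\s*(?:(?P<lparen>\()|(?P<rparen>\))|(?P<op><=|>=|==|!=|<|>)"
    r"|(?P<num>-?\d+(?:\.\d+)?)|(?P<str>'[^']*'|\"[^\"]*\")"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_.]*))"
)


def tokenize(text: str) -> List[Tuple[str, Any]]:
    """Split the initial (text) security rule into (kind, value) tokens."""
    tokens: List[Tuple[str, Any]] = []
    text = text.strip()
    pos = 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        pos = m.end()
        kind, raw = m.lastgroup, m.group(m.lastgroup)
        if kind == "num":
            tokens.append(("value", float(raw) if "." in raw else int(raw)))
        elif kind == "str":
            tokens.append(("value", raw[1:-1]))
        elif kind == "word" and raw.lower() in ("and", "or", "not"):
            tokens.append(("kw", raw.lower()))
        elif kind == "word":
            tokens.append(("field", raw))
        else:
            tokens.append((kind, raw))  # lparen, rparen, op
    return tokens


class _Parser:
    """Recursive descent: or_expr > and_expr > not_expr > primary (assumed precedence)."""

    def __init__(self, tokens: List[Tuple[str, Any]]) -> None:
        self.tokens, self.i = tokens, 0

    def peek(self) -> Tuple[str, Any]:
        return self.tokens[self.i] if self.i < len(self.tokens) else ("eof", None)

    def take(self, kind: str) -> Any:
        tok = self.peek()
        if tok[0] != kind:
            raise ValueError(f"expected {kind}, got {tok}")
        self.i += 1
        return tok[1]

    def _chain(self, connective: str, sub) -> Dict[str, Any]:
        children = [sub()]
        while self.peek() == ("kw", connective):
            self.i += 1
            children.append(sub())
        # One operand is returned unchanged; several become one multi-way parent node.
        return children[0] if len(children) == 1 else {"op": connective, "children": children}

    def parse_or(self) -> Dict[str, Any]:
        return self._chain("or", self.parse_and)

    def parse_and(self) -> Dict[str, Any]:
        return self._chain("and", self.parse_not)

    def parse_not(self) -> Dict[str, Any]:
        if self.peek() == ("kw", "not"):
            self.i += 1
            return {"op": "not", "children": [self.parse_not()]}
        return self.parse_primary()

    def parse_primary(self) -> Dict[str, Any]:
        if self.peek()[0] == "lparen":
            self.i += 1
            node = self.parse_or()
            self.take("rparen")
            return node
        # A single security rule: field, comparison operator, literal value.
        field = self.take("field")
        cmp = self.take("op")
        value = self.take("value")
        return {"field": field, "cmp": cmp, "value": value}


def parse_rule(text: str) -> Dict[str, Any]:
    """Initial text rule -> nested dict: a single rule, or a combined rule with children."""
    parser = _Parser(tokenize(text))
    node = parser.parse_or()
    if parser.peek()[0] != "eof":
        raise ValueError(f"trailing tokens: {parser.tokens[parser.i:]}")
    return node


def rule_to_json(text: str) -> str:
    """The json-format target security rule the description converts to."""
    return json.dumps(parse_rule(text), ensure_ascii=False)


if __name__ == "__main__":
    print(rule_to_json("n >= 3 and t <= 24"))
    print(rule_to_json("(src_ip == '10.0.0.5' or user == 'root') and not n < 3"))
```

A malformed rule (a missing operand, an unbalanced parenthesis, a stray character) raises `ValueError` rather than producing a partial tree, so a bad rule is rejected when it is loaded instead of silently matching nothing at runtime.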
Step S32: the log data is matched to each node of the multi-way tree model.
Step S33: and determining whether the log data hit the corresponding target security rule according to the matching result so as to determine whether the log data have security threat.
Steps S32 and S33 are explained together below.
In the step S32, the log data may be matched with each node of the multi-tree model, and at this time, for the node corresponding to the single security rule, if the log data is successfully matched with the node, it is indicated that the log data hits the single security rule, otherwise, if the log data fails to be matched with the node, it is indicated that the log data does not hit the single security rule. And for the node corresponding to the combined safety rule, if the log data is successfully matched with the node, the log data is proved to hit the combined safety rule, otherwise, if the log data is failed to be matched with the node, the log data is proved to miss the combined safety rule. In this way, after the log data is matched with each node of the multi-tree model in step S32, a matching result reflecting whether the log data hits the target security rule corresponding to each node can be obtained.
At this time, if the matching result reflects that the log data totally hits the target security rules corresponding to the nodes, it is indicated that the matching is successful, and at this time, it can be determined that the log has a security threat, or if the matching result reflects that the log data does not totally hit the target security rules corresponding to the nodes, for example, if one or more of the target security rules corresponding to the nodes are not hit, it is indicated that the matching is failed, and at this time, it can be determined that the log does not have a security threat.
Therefore, in practical application, aiming at a plurality of security rules in the security risk monitoring device, a multi-way tree model can be generated as a target security rule, and then the method provided by the embodiment of the application is used for firstly acquiring the multi-way tree model, then matching log data with each node of the multi-way tree model to obtain a matching result, and further determining whether the log has security threat or not according to the matching result. Compared with the matching of the security rules in the form of characters or character strings with the log data, the matching efficiency of the log data with each node of the multi-tree model is higher, so that the problems in the prior art are solved.
It should be further noted that in the step S32, it is mentioned that the log data is matched with each node of the multi-tree model, in practical application, in order to further improve the matching efficiency, a hierarchical traversal algorithm may be generally used to match the log data with the nodes of the multi-tree model layer by layer, where if the log data is successfully matched with the nodes of each layer in the multi-tree model, the matching result is that the log data is successfully matched with the multi-tree model; or if the log data and at least one node in the multi-tree model are failed to match, the matching result is that the log data and the multi-tree model are failed to match.
When the log data is matched with the nodes of the multi-tree model layer by using a hierarchical traversal algorithm, for example, the log data can be in a bottom-up layer-by-layer recursion sequence or a top-down layer recursion sequence, and at this time, the matching is performed along one direction (bottom-up or top-down), so that the probability of errors can be reduced and the efficiency can be improved.
In practical applications, considering that the leaf nodes of the multi-tree model are generated by single security rules, and the matching of the log data and the multi-tree model is actually mostly the matching with each single security rule, the matching can be performed in a recursive order from bottom to top layer by layer.
Therefore, by using a hierarchical traversal algorithm and adopting a bottom-up layer-by-layer recursion sequence, the step-by-layer matching of the log data with the nodes of the multi-tree model can be specifically performed by firstly matching the log data with a single security rule corresponding to each leaf node of the bottom layer of the multi-tree model, and if the single security rule corresponding to any one or more leaf nodes of the bottom layer of the multi-tree model fails to match with the log data, then the matching result of the log data and the multi-tree model can be determined to be the matching failure, and further the log is determined to have no security threat.
If instead the single security rule of every leaf node at the bottom layer matches the log data, the log data is further matched with the combined security rule of the parent node at the next level up; if that matching succeeds, matching continues with the combined security rule of the parent node at the next level up again, until the matching with the combined security rule of the root node is completed. Whenever the log data fails to match a node at any level of the multi-tree model, it can be determined that the log data does not hit the corresponding target security rule, and matching with the nodes of the next level up stops.
For example, if the single security rule of every bottom-layer leaf node matches the log data, the log data is matched with the combined security rules of the parent nodes at the next level up. If one or more parent nodes at that level fail to match, the matching result is that the log data fails to match the multi-tree model, and matching with the next level up stops. If every parent node at that level matches, matching continues with the combined security rules of the parent nodes at the next level up. This proceeds either until one or more nodes at some level fail to match, in which case the log data fails to match the multi-tree model, or until the matching with the combined security rule of the root node is completed; if the combined security rule of the root node matches the log data, the log data is determined to hit the target security rule of the root node, and whether the log indicates a security threat is determined accordingly.
For example, with the multi-tree model of fig. 4 and a bottom-up layer-by-layer recursion order, the log data is first matched with the single security rules n >= 3 and t <= 24 of the bottom-layer leaf nodes A1 and A2 in layer A. If the single security rule of either leaf node fails to match the log data, the matching result is that the log data fails to match the multi-tree model; the log data is determined not to hit the corresponding target security rule (that is, the single security rule n >= 3 and/or t <= 24), and matching with the nodes of the next layer up stops. If both leaf nodes A1 and A2 match the log data, the log data is further matched with the parent node of the next layer up, namely parent node B1 in layer B. Since B1 is the root node, a successful match means the log data matches the multi-tree model and hits the combined security rule n >= 3 and t <= 24 of the root node; a failed match means the log data fails to match the multi-tree model and does not hit the combined security rule n >= 3 and t <= 24.
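As an added example (not code from the patent), the following Python generates the multi-tree model from json-style rule data (leaf nodes from single security rules, parent nodes from the connectives of combined rules) and matches a structured log record against it bottom-up, layer by layer. The path-like node names, the `field`/`cmp`/`value` leaf layout, the treatment of a field absent from the record as a miss, and the comparison operators beyond `>=`/`<=` are assumptions of the example. One caveat the description glosses over: stopping as soon as any leaf fails is only sound when every ancestor of that leaf is an `and` node; under an `or` or `not` parent a failed child does not decide the root. The example therefore stops at a failed node only when the failure is final, and otherwise evaluates the connective at the parent, which still gives the early exit described above for the all-`and` tree of fig. 4.

```python
import operator
from collections import defaultdict
from typing import Any, Dict, List, Optional

# Comparison operators a single (leaf) rule may use; the patent shows only >= and <=.
_CMP = {"==": operator.eq, "!=": operator.ne, "<": operator.lt,
        "<=": operator.le, ">": operator.gt, ">=": operator.ge}


class Node:
    """One node of the multi-tree model. A leaf carries a single security rule
    {"field", "cmp", "value"}; a parent carries the connective of a combined rule
    {"op": "and" | "or" | "not", "children": [...]}."""

    def __init__(self, name: str, rule: Dict[str, Any], depth: int,
                 parent: "Optional[Node]") -> None:
        self.name, self.rule, self.depth, self.parent = name, rule, depth, parent
        self.children: List["Node"] = []
        self.result: Optional[bool] = None  # filled in during matching

    @property
    def is_leaf(self) -> bool:
        return "field" in self.rule


def build_tree(rule: Dict[str, Any], name: str = "R", depth: int = 0,
               parent: Optional[Node] = None) -> Node:
    """Leaf nodes from single rules, parent nodes from combined rules; the json
    nesting is the hierarchy. Names like "R", "R.1", "R.2.1" are an assumption."""
    node = Node(name, rule, depth, parent)
    for i, child in enumerate(rule.get("children", []), start=1):
        node.children.append(build_tree(child, f"{name}.{i}", depth + 1, node))
    return node


def layers(root: Node) -> List[List[Node]]:
    """Nodes grouped by depth: index 0 is the root layer, the last is the bottom layer."""
    by_depth: Dict[int, List[Node]] = defaultdict(list)
    stack = [root]
    while stack:
        node = stack.pop()
        by_depth[node.depth].append(node)
        stack.extend(reversed(node.children))  # keeps sibling order left to right
    return [by_depth[d] for d in sorted(by_depth)]


def match_leaf(rule: Dict[str, Any], record: Dict[str, Any]) -> bool:
    """Single rule against one structured record; a missing field never hits (assumption)."""
    if rule["field"] not in record:
        return False
    return _CMP[rule["cmp"]](record[rule["field"]], rule["value"])


def match_parent(rule: Dict[str, Any], child_results: List[bool]) -> bool:
    """Combined rule: apply the connective to the already-evaluated children."""
    op = rule["op"]
    if op == "and":
        return all(child_results)
    if op == "or":
        return any(child_results)
    if op == "not":
        return not child_results[0]
    raise ValueError(f"unknown connective {op!r}")


def _failure_is_final(node: Node) -> bool:
    """A failed node decides the root only if every ancestor is an AND node."""
    p = node.parent
    while p is not None:
        if p.rule["op"] != "and":
            return False
        p = p.parent
    return True


def match_record(rule: Dict[str, Any], record: Dict[str, Any]) -> Dict[str, Any]:
    """Bottom-up, layer-by-layer matching of one record. Matching stops at the
    first layer containing a failure that already decides the root."""
    root = build_tree(rule)
    leaf_results: Dict[str, bool] = {}
    evaluated = 0
    for layer in reversed(layers(root)):
        evaluated += 1
        for node in layer:
            if node.is_leaf:
                node.result = match_leaf(node.rule, record)
                leaf_results[node.name] = node.result
            else:  # children sit one layer deeper and were evaluated last round
                node.result = match_parent(node.rule, [c.result for c in node.children])
        if any(n.result is False and _failure_is_final(n) for n in layer):
            return {"hit": False, "leaf_results": leaf_results, "layers_evaluated": evaluated}
    return {"hit": bool(root.result), "leaf_results": leaf_results, "layers_evaluated": evaluated}


def alarm_for(rule_name: str, record: Dict[str, Any],
              result: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Alarm message for a hit (the security event is named after the rule); None on a miss."""
    if not result["hit"]:
        return None
    return {"event": rule_name, "record": record,
            "hit_single_rules": [n for n, ok in result["leaf_results"].items() if ok]}


# Constructed example: the patent's combined rule "n >= 3 and t <= 24" in json form.
RULE_LOGIN_FAILURES = {"op": "and", "children": [
    {"field": "n", "cmp": ">=", "value": 3},
    {"field": "t", "cmp": "<=", "value": 24}]}

if __name__ == "__main__":
    for rec in ({"n": 5, "t": 2}, {"n": 1, "t": 2}):
        res = match_record(RULE_LOGIN_FAILURES, rec)
        print(rec, res, alarm_for("login_failures_24h", rec, res))
```

The `layers_evaluated` field in the result makes the early exit visible: for the fig. 4 tree a record with `n = 1` is rejected after the leaf layer alone, while a record that hits reaches the root layer.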
In addition, in practice, after step S33 determines from the matching result that the log data has a security threat, the method may further determine the security event corresponding to the hit target security rule and generate an alarm message for that security event, so that an alarm is raised through the alarm message. If instead the matching result shows that the log data does not hit the target security rule, no alarm message needs to be generated.
Also, after determining that the log data has a security threat, the hit target security rule may be output, and the security threat contained in the log data may be characterized, for example by further parsing the log data to determine the type and hazard level of the security threat.
Of course, before the step S32, the method may further include obtaining the log data, and for a specific manner of obtaining the log data, for example, the log data may be obtained from a database, or the log data may be obtained from a data terminal, where the data terminal may be a monitored object.
In practical applications, a log collector may be generally disposed at a data terminal, so that initial log data generated by the data terminal may be collected by the log collector and sent to a server, and after the server obtains the initial log data, the server may firstly perform a structuring process on the initial log data to obtain structured log data in order to facilitate matching with nodes of the multi-tree model in the subsequent step S32, where the log data in the step S32 may be structured log data. In this way, in the step S32, the structured log data may be matched with each node of the multi-tree model, so that the matching efficiency may also be improved. Of course, after the initial log data is structured, the structured log data may be stored in the database, so that the structured log data may be obtained from the database before the step S32, and then matched with each node of the multi-tree model.
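As an added example (not code from the patent), the following Python performs the structuring step on raw log lines: it parses constructed sshd-style authentication lines into structured records and then derives, per user, the fields the single security rules above refer to, n (login failures within a trailing 24-hour window) and t (hours spanned by those failures). The log format, the field names and the windowing definition are assumptions of the example; lines that do not parse are skipped.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed sample of initial log data (not from the patent), syslog-like but
# with a full date so timestamps parse without guessing the year.
RAW_LOG = """\
2023-01-05 09:00:01 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 5001 ssh2
2023-01-05 09:00:09 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 5002 ssh2
2023-01-05 09:01:30 host1 sshd[1204]: Accepted password for bob from 198.51.100.4 port 5100 ssh2
2023-01-05 21:30:00 host1 sshd[1310]: Failed password for alice from 203.0.113.9 port 5201 ssh2
2023-01-06 08:59:00 host1 sshd[1400]: Failed password for alice from 203.0.113.9 port 5300 ssh2
2023-01-07 12:00:00 host1 sshd[1500]: Failed password for bob from 198.51.100.4 port 5400 ssh2
this line is not an authentication event and is skipped
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port \d+"
)


def structure_log(raw: str) -> List[Dict[str, Any]]:
    """Initial log text -> list of structured records with typed fields."""
    records: List[Dict[str, Any]] = []
    for line in raw.splitlines():
        m = _LINE_RE.match(line)
        if m is None:
            continue  # unparsable line; a production collector should count these
        rec: Dict[str, Any] = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["failed"] = rec.pop("outcome") == "Failed"
        records.append(rec)
    return records


def login_failure_features(records: List[Dict[str, Any]],
                           window_hours: int = 24) -> Dict[str, Dict[str, Any]]:
    """Per user: n = failures inside the trailing window ending at that user's
    latest failure, t = hours spanned by those failures (0 for a single one),
    plus the source addresses involved. These are the fields a rule such as
    "n >= 3 and t <= 24" is then matched against."""
    failures_by_user: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["failed"]:
            failures_by_user[rec["user"]].append(rec)
    features: Dict[str, Dict[str, Any]] = {}
    for user, fails in failures_by_user.items():
        last = fails[-1]["ts"]
        window = [f for f in fails if last - f["ts"] <= timedelta(hours=window_hours)]
        features[user] = {
            "user": user,
            "n": len(window),
            "t": (last - window[0]["ts"]).total_seconds() / 3600,
            "src_ips": sorted({f["src_ip"] for f in window}),
        }
    return features


if __name__ == "__main__":
    for user, feat in login_failure_features(structure_log(RAW_LOG)).items():
        print(user, feat)
```

Each per-user feature record is the structured log data the matching step consumes; storing these records, rather than the raw lines, is what lets the node matching stay cheap.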
It should further be noted that, in practice, each security rule in the security risk monitoring device is usually a combined security rule, so a corresponding multi-tree model may be generated for each combined security rule: each single security rule in the combined security rule becomes a leaf node of the multi-tree model, and the logical connective expressing the logical connection relation between the single security rules becomes a parent node.
Then, the method provided by the embodiment of the application matches the log data with the multi-tree model, and finally determines whether the log data hits the combined security rule, in this way, whether the log data hits each security rule in the security risk monitoring device can be determined one by one, and further whether the log data has security risk is determined, for example, if one or more security rules hit in the log data, the log data is determined to have security risk, otherwise, the log data is determined to not have security risk.
Based on the same inventive concept as the security rule matching method provided in the embodiments of the present application, the embodiments of the present application also provide a security rule matching device; for anything that is unclear, reference may be made to the corresponding content of the method embodiments. Fig. 5 is a schematic structural diagram of the apparatus 50, which includes a multi-tree model obtaining unit 501, a matching unit 502, and a determining unit 503, wherein:
a multi-tree model obtaining unit 501, configured to obtain a multi-tree model, where each node of the multi-tree model is preset with a corresponding target security rule;
a matching unit 502, configured to match log data with each node of the multi-tree model;
a determining unit 503, configured to determine whether the log data hits the corresponding target security rule according to the matching result, so as to determine whether the log data has a security threat.
Since the device 50 provided in the embodiment of the present application adopts the same inventive concept as the security rule matching method provided in the embodiment of the present application, the device 50 can solve the same technical problem as the method, and the description is not repeated here.
In addition, in practical application, the technical effect obtained by combining the device 50 with specific hardware is also within the scope of protection of the present application; for example, the device 50 may be deployed in a server, and the server arranged in a distributed cluster so that different units of the device 50 run on different nodes of the cluster to improve efficiency, or the device 50 may be deployed on a cloud server to reduce hardware cost.
The target security rule includes a single security rule and a combined security rule, the combined security rule being formed by combining at least two single security rules, and the nodes of the multi-tree model include at least parent nodes and leaf nodes, wherein each parent node has at least one leaf node, each leaf node corresponds to a single security rule, and each parent node corresponds to a combined security rule. The multi-tree model obtaining unit 501 may specifically include a multi-tree model obtaining subunit configured to: obtain the single security rules and generate the combined security rule based on the logical connection relationship between the single security rules; generate corresponding leaf nodes based on the single security rules; generate a corresponding parent node based on the combined security rule; and generate the multi-tree model based on the hierarchical relationship between the parent node and the leaf nodes.
The apparatus 50 may further include a target security rule generating unit configured to acquire an initial security rule, where the initial security rule includes text and character strings, and to convert the initial security rule into json format data serving as the target security rule.
The matching unit 502 may specifically include a matching subunit configured to match the log data with the nodes of the multi-tree model layer by layer, using a layer traversal algorithm in a bottom-up, layer-by-layer recursive order, where: if the log data is successfully matched with the nodes of every layer of the multi-tree model, the matching result is that the log data matches the multi-tree model; or, if the log data fails to match at least one node of the multi-tree model, the matching result is that the log data does not match the multi-tree model.
The highest-level parent node is the root node of the multi-tree model. The matching subunit may specifically include a matching submodule configured to: match the log data with the single security rule corresponding to each leaf node at the bottom layer of the multi-tree model; when the log data is successfully matched with the single security rule corresponding to each bottom-layer leaf node, match the log data with the combined security rule corresponding to the parent node at the next layer up, and, when that matching succeeds, continue matching the log data with the combined security rule corresponding to the parent node at the layer above, until matching of the log data with the combined security rule corresponding to the root node is completed; or, if the log data fails to match a node at any level of the multi-tree model, stop matching the log data with the nodes of the level above.
The determining unit 503 may specifically include a determining subunit configured to determine that the log data hits the corresponding target security rule when the log data is successfully matched with the combined security rule corresponding to the root node, and to determine that the log data does not hit the corresponding target security rule when the log data fails to match a node at any level of the multi-tree model.
The apparatus 50 may further include an output unit for, after determining that the log data hits the corresponding target security rule, outputting the hit target security rule; and/or determining that the log data contains a security threat; and/or determining the security event corresponding to the hit target security rule and generating an alarm message corresponding to the security event.
The apparatus 50 may further include a log data acquisition unit for acquiring initial log data and performing structuring processing on the initial log data to obtain the log data.
The logical connection relationship is characterized by any one or more of the following logical connection words: and, or, and not.
The embodiment of the invention also provides a storage medium, comprising: a program which, when run on an electronic device, causes the electronic device to perform all or part of the flow of the method in the above-described embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid state drive (SSD), or the like, or a combination of memories of the kinds described above.
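The following Python is an added illustration of the multi-tree model and the bottom-up matching described in this embodiment (example code written for this page, not the applicant's implementation). It takes one combined security rule in a json form, generates leaf nodes from the single security rules and parent nodes from the and/or/not connection words, structures a raw log line into a field dictionary, and evaluates the log against the tree so that every leaf is matched before its parent. The json keys (`field`, `match`, `value`, `op`, `children`), the match operators, the key=value log format and all sample values are assumptions constructed for the example. Matching is done by post-order recursion as the bottom-up order; when a child of an `and` node fails, matching for that branch stops and the levels above are not attempted, and a trace records how far the evaluation got, which is what a detection engineer wants when tuning a rule that fails to fire.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed combined security rule in json form; the schema is an assumption made for this example.
COMBINED_RULE_JSON = """
{
  "id": "R-EXAMPLE-001",
  "op": "and",
  "children": [
    {"field": "event", "match": "equals", "value": "auth_failure"},
    {"field": "src", "match": "prefix", "value": "10.0."},
    {"field": "attempts", "match": "gte", "value": 5},
    {"op": "not", "children": [
      {"field": "user", "match": "equals", "value": "monitoring"}
    ]}
  ]
}
"""

# Constructed raw log lines in an assumed "<timestamp> key=value ..." format.
LOG_HIT = "2024-01-01T10:00:00Z host=web1 event=auth_failure user=root src=10.0.0.7 attempts=6"
LOG_EXCLUDED = "2024-01-01T10:00:01Z host=web1 event=auth_failure user=monitoring src=10.0.0.8 attempts=9"
LOG_MISS = "2024-01-01T10:00:02Z host=web1 event=login user=alice src=10.0.0.9 attempts=1"

RAW_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Match operators a single security rule (leaf node) may use.
OPS = {
    "equals": lambda actual, value: actual == value,
    "prefix": lambda actual, value: str(actual).startswith(str(value)),
    "gte": lambda actual, value: isinstance(actual, (int, float)) and actual >= value,
}


def structure_log(raw: str) -> Dict[str, Any]:
    """Structuring step: turn one raw line into a flat field dictionary."""
    m = RAW_LOG_RE.match(raw.strip())
    if not m:
        return {}
    record: Dict[str, Any] = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = int(value) if value.isdigit() else value
    return record


@dataclass
class Leaf:  # single security rule: one field compared against one value
    field: str
    match: str
    value: Any

    def evaluate(self, log: Dict[str, Any]) -> bool:
        actual = log.get(self.field)
        return actual is not None and OPS[self.match](actual, self.value)


@dataclass
class Parent:  # combined security rule: a connection word over child nodes
    op: str
    children: List[Any]


def build_tree(spec: Dict[str, Any]) -> Any:
    """Leaf nodes come from single rules, parent nodes from and/or/not."""
    if "op" not in spec:
        return Leaf(spec["field"], spec["match"], spec["value"])
    op = spec["op"].lower()
    children = [build_tree(child) for child in spec["children"]]
    if op not in ("and", "or", "not") or (op == "not" and len(children) != 1):
        raise ValueError(f"bad connector {op!r} with {len(children)} children")
    return Parent(op, children)


def match_node(node: Any, log: Dict[str, Any], trace: List[str]) -> bool:
    """Bottom-up evaluation: every child is matched before its parent."""
    if isinstance(node, Leaf):
        ok = node.evaluate(log)
        trace.append(f"leaf {node.field} {node.match} {node.value!r}: {ok}")
        return ok
    results: List[bool] = []
    for child in node.children:
        results.append(match_node(child, log, trace))
        # A failed child of 'and' (or a satisfied child of 'or') decides the
        # parent, so matching stops and the levels above are not attempted.
        if (node.op == "and" and not results[-1]) or (node.op == "or" and results[-1]):
            break
    ok = all(results) if node.op == "and" else any(results) if node.op == "or" else not results[0]
    trace.append(f"{node.op} node: {ok}")
    return ok


def match_rule(rule_json: str, raw_line: str) -> Dict[str, Any]:
    """Structure the log, build the multi-tree model and decide hit or miss."""
    spec = json.loads(rule_json)
    log = structure_log(raw_line)
    trace: List[str] = []
    hit = match_node(build_tree(spec), log, trace)
    alert = f"ALERT rule {spec['id']} hit log at {log.get('ts')}" if hit else None
    return {"rule": spec["id"], "hit": hit, "alert": alert, "trace": trace}
```

Calling `match_rule(COMBINED_RULE_JSON, LOG_MISS)` returns `hit` false with a two-entry trace (the first leaf and the `and` root), showing that the remaining leaves were never evaluated, while `LOG_EXCLUDED` walks all four children before the `not` node rejects the monitoring account. Compiling the text rule into a tree once and reusing it across many log records is where the efficiency gain over per-record string comparison comes from.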
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations are within the scope of the invention as defined by the appended claims.

Claims (11)

1. A method of security rule matching, the method comprising:
acquiring a multi-tree model, wherein each node of the multi-tree model is preset with a corresponding target security rule;
matching the log data with each node of the multi-tree model;
and determining whether the log data hit the corresponding target security rule according to the matching result so as to determine whether the log data have security threat.
2. The method of claim 1, wherein the target security rule comprises a single security rule and a combined security rule, the combined security rule being formed by combining at least two of the single security rules, each node of the multi-tree model comprising at least: a parent node and leaf nodes, each parent node comprises at least one leaf node, each leaf node corresponds to the single security rule, each parent node corresponds to the combined security rule, and the acquiring of the multi-tree model specifically comprises the following steps:
acquiring the single security rule, and generating the combined security rule based on a logical connection relation between the single security rules;
generating corresponding leaf nodes based on the single security rule;
generating a corresponding parent node based on the combined security rule;
the multi-tree model is generated based on a hierarchical relationship between the parent node and the leaf nodes.
3. The method according to claim 2, wherein the method further comprises:
acquiring an initial security rule, wherein the initial security rule comprises characters and character strings;
and converting the initial security rule into json format data serving as the target security rule.
4. The method according to claim 2, wherein said matching the log data with each node of said multi-tree model specifically comprises:
matching the log data with the nodes of the multi-tree model layer by layer by using a layer traversal algorithm in a bottom-up, layer-by-layer recursion order, wherein:
if the log data is successfully matched with the nodes of each layer in the multi-tree model, the matching result is that the log data is successfully matched with the multi-tree model; or alternatively,
if the log data fails to be matched with at least one node in the multi-tree model, the matching result is that the log data fails to be matched with the multi-tree model.
5. The method according to claim 4, wherein the parent node of the highest hierarchy among the parent nodes is the root node of the multi-tree model, and the layer-by-layer matching of the log data with the nodes of the multi-tree model by using a layer traversal algorithm in a bottom-up, layer-by-layer recursion order specifically comprises:
matching the log data with the single security rule corresponding to each leaf node of the bottom layer of the multi-tree model;
under the condition that the log data is successfully matched with the single security rule corresponding to each leaf node of the bottom layer of the multi-tree model, matching the log data with the combined security rule corresponding to the parent node of the upper layer of the multi-tree model, and under the condition that the matching is successful, continuing to match the log data with the combined security rule corresponding to the parent node of the next upper layer until the matching of the log data with the combined security rule corresponding to the root node is completed; or alternatively,
stopping matching the log data with the nodes of the level above under the condition that the log data fails to be matched with a node of any level in the multi-tree model.
6. The method of claim 5, wherein determining whether the log data hits the corresponding target security rule based on the matching result comprises:
when the log data is successfully matched with the combined security rule corresponding to the root node, determining that the log data hits a corresponding target security rule;
and under the condition that the log data fails to be matched with any level of nodes in the multi-tree model, determining that the log data does not hit the corresponding target security rule.
7. The method of claim 6, wherein after determining that the log data hits the corresponding target security rule, the method further comprises:
outputting the hit target security rule; and/or
determining that the log data contains a security threat; and/or
determining a security event corresponding to the hit target security rule, and generating an alarm message corresponding to the security event.
8. The method according to claim 1, wherein the method further comprises:
acquiring an initial log file;
and carrying out structuring processing on the initial log file to obtain the log data.
9. The method of claim 2, wherein the logical connection relationship is characterized by any one or more of the following logical connection words: and, or, and not.
10. An electronic device, comprising:
a memory for storing a computer program;
a processor for performing the method of any one of claims 1 to 9.
11. A storage medium, comprising: program which, when run on an electronic device, causes the electronic device to perform the method of any one of claims 1 to 9.
CN202211732041.0A 2022-12-30 2022-12-30 Security rule matching method, device, electronic equipment and storage medium Pending CN116010969A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211732041.0A CN116010969A (en) 2022-12-30 2022-12-30 Security rule matching method, device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116010969A true CN116010969A (en) 2023-04-25

Family

ID=86036911

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211732041.0A Pending CN116010969A (en) 2022-12-30 2022-12-30 Security rule matching method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116010969A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118069898A (en) * 2024-04-25 2024-05-24 北京长亭科技有限公司 Log generalization method and device for multiple log sources

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination