CN116015873A - Network security alarm processing method, device, equipment and storage medium - Google Patents


Info

Publication number
CN116015873A
Authority
CN
China
Prior art keywords
alarm
terminal
information
terminals
maintenance
Prior art date
Legal status
Granted
Application number
CN202211685256.1A
Other languages
Chinese (zh)
Other versions
CN116015873B (en)
Inventor
庞瑞
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202211685256.1A (patent CN116015873B)
Publication of CN116015873A
Application granted
Publication of CN116015873B
Legal status: Active
Anticipated expiration

Landscapes

  • Alarm Systems (AREA)

Abstract

The disclosure relates to a network security alarm processing method, apparatus, device and storage medium. The method comprises: acquiring, for each of a plurality of security operation and maintenance terminals, a first alarm vector and alarm handling information for a plurality of alarm rules, and storing them in an interaction scoring matrix; acquiring the second alarm vector of the terminal to be ranked for the same alarm rules, and calling the interaction scoring matrix to obtain the first alarm vectors of the security operation and maintenance terminals; calculating the similarity between the second alarm vector and each first alarm vector, and taking the security operation and maintenance terminal with the highest similarity as the most similar terminal of the terminal to be ranked; and ranking and pushing the alarm information of the terminal to be ranked according to the alarm handling information of the most similar terminal. With this scheme, threat alarms that need urgent handling can be identified among a large volume of raw alarm information, a personalized alarm ranking is provided, and the accuracy of alarm priority ranking is improved.

Description

Network security alarm processing method, device, equipment and storage medium
Technical Field
The disclosure relates to the technical field of network security, and in particular relates to a network security alarm processing method, device, equipment and storage medium.
Background
More and more network security devices, such as firewalls, intrusion detection and defense systems and situational awareness devices, are deployed in enterprise units. Network security operation and maintenance personnel must attend to and handle the alarm information produced by these devices, find in it the data that threatens the unit's network, and respond accordingly. However, the growing number of network security devices produces a large volume of alarms, and the threat alarms that need handling must be selected from the massive raw alarm information and pushed to operation and maintenance personnel for review.
In the related art, raw logs are aggregated by alarm characteristics and filtered according to preset threshold rules; however, the aggregation rules in this approach are relatively fixed and cannot be personalized per industry.
Disclosure of Invention
In order to solve the technical problems, the present disclosure provides a network security alarm processing method, device, equipment and storage medium.
In a first aspect, an embodiment of the present disclosure provides a network security alarm processing method, including:
acquiring first alarm vectors of a plurality of security operation and maintenance terminals for a plurality of alarm rules, and acquiring alarm handling information of those terminals for the same alarm rules, where each first alarm vector is an ordered sequence of report information, the report information indicates whether the security operation and maintenance terminal triggered the alarm rule within a specified time interval, and the alarm handling information indicates the priority handling degree of the alarm rule;
generating and storing a terminal/alarm-rule interaction scoring matrix from the first alarm vectors and alarm handling information of the plurality of security operation and maintenance terminals;
acquiring the second alarm vector of the terminal to be ranked for the plurality of alarm rules, and calling the interaction scoring matrix to obtain the first alarm vectors of the plurality of security operation and maintenance terminals;
calculating the similarity between the second alarm vector and each first alarm vector, and determining the security operation and maintenance terminal with the highest similarity as the most similar terminal of the terminal to be ranked;
and ranking and pushing the alarm information of the terminal to be ranked according to the alarm handling information of the most similar terminal.
Optionally, acquiring the alarm handling information of the plurality of security operation and maintenance terminals for the plurality of alarm rules includes:
for each security operation and maintenance terminal, obtaining the score of each preset item and the user behaviour features of each preset item, the user behaviour features being: whether the alarm was clicked to view, whether the forensic package was downloaded, the alarm page dwell time, and whether the associated disposition button was clicked;
and weighting the user behaviour features by the scores of the preset items to obtain the priority score of the alarm rule.
Optionally, determining the security operation and maintenance terminal with the highest similarity as the most similar terminal of the terminal to be ranked includes:
if several security operation and maintenance terminals share the highest similarity, applying a maximum function to the alarm handling information of each of them;
and taking, among those terminals, the one with the largest result as the most similar terminal.
Optionally, generating and storing the terminal/alarm-rule interaction scoring matrix from the first alarm vectors and alarm handling information of the plurality of security operation and maintenance terminals includes:
grouping the security operation and maintenance terminals by service type into a plurality of terminal sets, each set containing the security operation and maintenance terminals of one service type;
and, for each terminal set, generating an interaction scoring matrix for that service type from the first alarm vector and alarm handling information of each security operation and maintenance terminal in the set.
Optionally, calculating the similarity between the second alarm vector and each first alarm vector includes computing the cosine similarity
$$\cos\theta = \frac{\sum_{i=1}^{n} x_i y_i}{\sqrt{\sum_{i=1}^{n} x_i^{2}}\,\sqrt{\sum_{i=1}^{n} y_i^{2}}}$$
where x_i is the report information of the first alarm vector and y_i the report information of the second alarm vector.
Optionally, in the first alarm vector, the value recorded at the position of an alarm rule is 1 if the report information indicates that the rule was triggered within the specified time interval, and -1 if it was not.
In a second aspect, an embodiment of the present disclosure provides a network security alarm processing apparatus, including:
an acquisition module configured to acquire first alarm vectors of a plurality of security operation and maintenance terminals for a plurality of alarm rules and to acquire alarm handling information of those terminals for the same alarm rules, where each first alarm vector is an ordered sequence of report information, the report information indicates whether the security operation and maintenance terminal triggered the alarm rule within a specified time interval, and the alarm handling information indicates the priority handling degree of the alarm rule;
a storage module configured to generate and store a terminal/alarm-rule interaction scoring matrix from the first alarm vectors and alarm handling information of the plurality of security operation and maintenance terminals;
an obtaining module configured to obtain the second alarm vector of the terminal to be ranked for the plurality of alarm rules and to call the interaction scoring matrix to obtain the first alarm vectors of the plurality of security operation and maintenance terminals;
a matching module configured to calculate the similarity between the second alarm vector and each first alarm vector and to determine the security operation and maintenance terminal with the highest similarity as the most similar terminal of the terminal to be ranked;
and a ranking module configured to rank and push the alarm information of the terminal to be ranked according to the alarm handling information of the most similar terminal.
Optionally, the acquisition module is specifically configured to:
for each security operation and maintenance terminal, obtain the score of each preset item and the user behaviour features of each preset item, the user behaviour features being: whether the alarm was clicked to view, whether the forensic package was downloaded, the alarm page dwell time, and whether the associated disposition button was clicked;
and weight the user behaviour features by the scores of the preset items to obtain the priority score of the alarm rule.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including: a processor; a memory for storing the processor-executable instructions; the processor is configured to read the executable instructions from the memory and execute the instructions to implement the network security alarm processing method according to the first aspect.
In a fourth aspect, an embodiment of the present disclosure provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the network security alarm processing method of the first aspect.
Compared with the prior art, the technical scheme of the embodiments has the following advantages: the first alarm vectors and alarm handling information of a plurality of security operation and maintenance terminals for a plurality of alarm rules are acquired and stored in an interaction scoring matrix; the most similar terminal is determined from the similarity between the second alarm vector of the terminal to be ranked and each first alarm vector; and the alarm information of the terminal to be ranked is ranked and pushed according to the alarm handling information of that most similar terminal. Threat alarms that need handling can thus be identified among a large volume of raw alarm information and pushed to operation and maintenance personnel for review, each terminal receives a personalized alarm ranking, and the accuracy of alarm priority ranking is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments of the present disclosure or the solutions in the prior art, the drawings that are required for the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
Fig. 1 is a flow chart of a network security alarm processing method according to an embodiment of the disclosure;
fig. 2 is a schematic structural diagram of a network security alarm processing device according to an embodiment of the disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, a further description of aspects of the present disclosure will be provided below. It should be noted that, without conflict, the embodiments of the present disclosure and features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it will be apparent that the embodiments in the specification are only some, but not all, embodiments of the disclosure.
Fig. 1 is a schematic flow chart of a network security alarm processing method according to an embodiment of the present disclosure, where the method provided by the embodiment of the present disclosure may be performed by a network security alarm processing apparatus, and the apparatus may be implemented by software and/or hardware and may be integrated on any electronic device with computing capability.
As shown in fig. 1, the network security alarm processing method provided by the embodiment of the present disclosure may include:
Step 101: acquire first alarm vectors of a plurality of security operation and maintenance terminals for a plurality of alarm rules, and acquire alarm handling information of those terminals for the same alarm rules.
Each first alarm vector is an ordered sequence of report information; the report information indicates whether the security operation and maintenance terminal triggered the alarm rule within a specified time interval, and the alarm handling information indicates the priority handling degree of the alarm rule.
Step 102: generate and store a terminal/alarm-rule interaction scoring matrix from the first alarm vectors and alarm handling information of the plurality of security operation and maintenance terminals.
In this embodiment, the security operation and maintenance terminals are grouped by service type into a plurality of terminal sets, each containing the terminals of one service type, and for each terminal set an interaction scoring matrix for that service type is generated from the first alarm vector and alarm handling information of each security operation and maintenance terminal in the set.
For example, the service types may include the operator (telecom) industry, the education industry and the financial industry. By grouping the security operation and maintenance terminals connected to a cloud platform, the terminals operating in the same industry form one group; the cloud platform receives the alarm feature information uploaded from terminal alarm logs and can also issue the log recommendation models, policies and the like that it generates.
The interaction scoring matrix is described below.
For each security operation and maintenance terminal connected to the cloud platform, a terminal/alarm-rule interaction scoring matrix is built from the alarm rule information the terminal uploads.
[Table: terminal/alarm-rule interaction scoring matrix. Rows are terminals 1, 2, 3, …; columns are alarm rules a, b, c, …; the cell for terminal 1 and rule a holds the entries T_1a and S_1a.]
The alarm rules a, b, c, … are the rule numbers corresponding to each alarm log; the terminals 1, 2, 3, … are the terminal numbers of the network security alarm devices.
T_1a indicates whether alarm rule a was reported by terminal 1 within the specified time interval, i.e. whether the corresponding alarm log exists: it takes a first specified value if reported and a second specified value if not. S_1a is the alarm handling information the cloud platform collected from terminal 1 for rule a, i.e. the priority handling degree of alarm rule a.
There are various ways of determining the alarm handling information.
Optionally, the cloud platform issues, for each security operation and maintenance terminal, alarm handling information for the alarm rules; for example, for alarm rules a, b and c the alarm handling information may be the priority scores 3, 1 and 2 respectively, giving the priority order, from high to low, alarm rule a, alarm rule c, alarm rule b.
Optionally, in one embodiment of the present disclosure, acquiring the alarm handling information of the plurality of security operation and maintenance terminals for the plurality of alarm rules includes: for each security operation and maintenance terminal, obtaining the score of each preset item and the user behaviour features of each preset item, and weighting the user behaviour features by the scores of the preset items to obtain the priority score of the alarm rule.
The user behaviour features are: whether the alarm was clicked to view, whether the forensic package was downloaded, the alarm page dwell time, and whether the associated disposition button was clicked. In this embodiment the priority score of an alarm rule is obtained by a weighting algorithm.
As an example, the weighting algorithm is: priority score = m × (clicked to view) + n × (forensic package downloaded) + p × (operator's alarm page dwell time) + q × (associated disposition button clicked), and so on.
Here m, n, p and q are preset weight scores. For the yes/no features (clicked to view, forensic package downloaded, associated disposition button clicked), yes is given the value 1 and no the value 0; the alarm page dwell time is a time value, and 0 if the alarm page was never opened. From these the handling priority of the alarm rule on the terminal is computed, and a rule that did not trigger an alarm has a priority score of 0. The security operation and maintenance terminal thus automatically collects and computes the user behaviour features, quantifies them into alarm handling priority scores, stores them in the terminal/alarm-rule interaction scoring matrix, and uploads the matrix to the cloud platform for unified processing.
Step 103: obtain the second alarm vector of the terminal to be ranked for the plurality of alarm rules, and call the interaction scoring matrix to obtain the first alarm vectors of the plurality of security operation and maintenance terminals.
Step 104: calculate the similarity between the second alarm vector and each first alarm vector, and determine the security operation and maintenance terminal with the highest similarity as the most similar terminal of the terminal to be ranked.
Step 105: rank and push the alarm information of the terminal to be ranked according to the alarm handling information of the most similar terminal.
The method of this embodiment can be applied to products such as intrusion detection devices, in particular to rank and push medium- and low-priority or suspected threat alarms; high-priority alarms, which need urgent handling, can be judged and determined manually. In this scenario the alarm logs generated on each terminal are first screened and ordered according to a preset priority policy, set by the user or issued by the cloud platform, and the alarm information of the terminal to be ranked is then ranked and pushed on the basis of the interaction scoring matrix.
In this embodiment, the terminal/alarm-rule interaction scoring matrix stored on the cloud platform is used to find the security operation and maintenance terminal in the same industry that is most similar to the terminal to be ranked: for terminal N in the table, the most similar known object is searched for among terminals 1 to 3, and the ranking policy of that most similar known object is then carried over to the object to be ranked. Optionally, the interaction scoring matrix called is the one corresponding to the service type of the terminal to be ranked.
As an example, calculating the similarity between the second alarm vector and each first alarm vector includes computing the cosine similarity
$$\cos\theta = \frac{\sum_{i=1}^{n} x_i y_i}{\sqrt{\sum_{i=1}^{n} x_i^{2}}\,\sqrt{\sum_{i=1}^{n} y_i^{2}}}$$
where x_i is the report information of the first alarm vector and y_i the report information of the second alarm vector.
In this example, in the first alarm vector the value recorded at the position of an alarm rule is 1 if the report information indicates that the rule was triggered within the specified time interval, and -1 if it was not.
Similarly, in the second alarm vector the value recorded at the position of an alarm rule is 1 if the rule was triggered within the specified time interval, and -1 if it was not.
Specifically, as shown in the table above, the T elements of the terminal/alarm-rule interaction scoring matrix are extracted on their own: if the alarm rule was triggered on the terminal within the selected period, the vector position of that rule is recorded as 1, otherwise as -1. For terminal 1, for example, P_1 = (T_1a, T_1b, T_1c, …) = (1, -1, 1, …). For other application scenarios, values other than 1 and -1 may be used as needed; this is not limited here.
Thus, with the alarm vectors of terminals 1, 2 and 3 denoted P1, P2 and P3 and the alarm vector of the terminal to be ranked denoted Pn, sim(P1, Pn), sim(P2, Pn) and sim(P3, Pn) are calculated in turn. Cosine similarity is defined as follows: for rule alarm vectors P_x = (x_1, x_2, …, x_n) and P_y = (y_1, y_2, …, y_n), the similarity is given by the formula above; if cos(θ) = 1 or -1 (θ = 0 or π) the two are stated to be identical, if cos(θ) = 0 (θ = π/2) the two are completely different, and the closer cos(θ) is to 1, the more similar the two vectors are.
Further, several first alarm vectors may have the same similarity to the second alarm vector, i.e. several security operation and maintenance terminals may share the highest similarity. In that case, determining the most similar terminal of the terminal to be ranked includes: applying a maximum function to the alarm handling information of each of the terminals with the highest similarity, and taking the one with the largest result as the most similar terminal.
Specifically, if several candidate terminals are found by similarity, their S values in the interaction scoring matrix are compared further. For example, if candidate terminals 1 and 2 are found together and max(S_1a, S_1b, S_1c) > max(S_2a, S_2b, S_2c), terminal 1 is taken as the terminal most similar to the terminal requiring ranking, where max is the maximum function. If the two results are still equal, one of terminals 1 and 2 is chosen at random as the most similar terminal.
In this embodiment, the alarm information on the terminal to be ranked is ordered according to the alarm priority handling degrees generated on the matched terminal. Alarm rules that both terminals share are ordered directly by the rule's alarm priority, and alarm rules new to the terminal to be ranked, which have not appeared on the matched most similar terminal, are ordered by time.
For example, if the terminal most similar to terminal N is terminal 1, alarms a, b and c occur on both terminal 1 and terminal N, and S_1c > S_1b > S_1a, then the alarms are displayed to the security operation and maintenance personnel on terminal N in the order c, b, a, prompting them about the priority.
The following example uses a rule base with five alarm rules and terminals 1, 2, 3 and 4 connected to a cloud management platform, where terminals 1, 2 and 3 are security operation and maintenance terminals and terminal 4 is the terminal whose alarms are to be ranked and recommended. The terminal/alarm-rule interaction scoring matrix is illustrated as follows:
[Table: terminal/alarm-rule interaction scoring matrix for terminals 1 to 4 and alarm rules a to e; its T entries are the vectors below.]
P1 = (1, -1, 1, 1, 1), P2 = (-1, 1, -1, 1, 1), P3 = (1, 1, -1, -1, -1), PN = (1, 1, 1, 1, 1)
the cosine similarity is calculated as follows:
sim(P1,PN)=3/(5*5)=0.2
sim(P2,PN)=1/(5*5)=0.04
sim(P3,PN)=-1/(5*5)=-0.04
Since the absolute value of the cosine similarity sim(P1, PN) is closest to 1, P1 is selected as the most similar terminal of PN; the alarm priorities of P1 are synchronously issued to terminal N, which then recommends an alarm order of c, d, e, a, b.
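As an added example, not the patent's or the applicant's code, the following Python implements the procedure above end to end: the behaviour-weighted priority score of the weighting algorithm (step 102), the terminal/alarm-rule interaction scoring matrix, cosine matching with the max-S tie-break (step 104) and the final ranking (step 105), reproducing the worked example with terminals 1 to 3 and rules a to e. The weights m, n, p, q, the behaviour records and the timestamps are constructed sample values, and a single service-type group is assumed, so the grouping step is omitted.

```python
"""Added example (not the patent's own code): terminal/alarm-rule interaction
scoring matrix plus similarity-based alarm ranking as described on the page.
Weights, terminals, rules and behaviour records are constructed sample data."""
from dataclasses import dataclass
from math import sqrt

# Report information values used on the page: 1 = rule triggered in the
# specified interval, -1 = not triggered.
TRIGGERED, NOT_TRIGGERED = 1, -1

# Constructed preset weights m, n, p, q for the four user-behaviour features.
WEIGHTS = {"clicked_view": 3.0, "downloaded_forensics": 4.0,
           "dwell_seconds": 0.05, "clicked_disposition": 5.0}

@dataclass
class Behaviour:
    """User behaviour features collected for one alarm rule on one terminal."""
    clicked_view: bool = False
    downloaded_forensics: bool = False
    dwell_seconds: float = 0.0        # 0 when the alarm page was never opened
    clicked_disposition: bool = False

def priority_score(triggered: bool, b: Behaviour, w=WEIGHTS) -> float:
    """Weighted behaviour score S; a rule that never alarmed scores 0."""
    if not triggered:
        return 0.0
    return (w["clicked_view"] * b.clicked_view
            + w["downloaded_forensics"] * b.downloaded_forensics
            + w["dwell_seconds"] * b.dwell_seconds
            + w["clicked_disposition"] * b.clicked_disposition)

def build_matrix(rules, observations):
    """{terminal: {rule: (triggered, Behaviour)}} -> {terminal: {rule: (T, S)}}.
    Rules with no observation on a terminal count as not triggered."""
    matrix = {}
    for term, per_rule in observations.items():
        row = {}
        for rule in rules:
            triggered, beh = per_rule.get(rule, (False, Behaviour()))
            row[rule] = (TRIGGERED if triggered else NOT_TRIGGERED,
                         priority_score(triggered, beh))
        matrix[term] = row
    return matrix

def alarm_vector(row, rules):
    """The T entries of one matrix row in rule order (the page's P vector)."""
    return [row[r][0] for r in rules]

def cosine(x, y):
    """Standard cosine similarity of two equal-length vectors."""
    dot = sum(a * b for a, b in zip(x, y))
    return dot / (sqrt(sum(a * a for a in x)) * sqrt(sum(b * b for b in y)))

def most_similar_terminal(matrix, rules, target_vec):
    """Terminal whose alarm vector has |cos| closest to 1. Ties are broken by
    the larger max(S) over the row, as the page's max function does; if still
    tied, the lowest terminal number is taken instead of a random pick."""
    scored = {t: abs(cosine(alarm_vector(row, rules), target_vec))
              for t, row in matrix.items()}
    best = max(scored.values())
    cands = [t for t, s in scored.items() if abs(s - best) < 1e-12]
    cands.sort(key=lambda t: (-max(s for _, s in matrix[t].values()), t))
    return cands[0], best

def rank_alarms(matrix, rules, target_alarms):
    """target_alarms: [(rule, first_seen)] on the terminal to be ranked.
    Rules the matched terminal also triggered are ordered by its S, descending;
    rules new to it follow in time order."""
    firing = {r for r, _ in target_alarms}
    target_vec = [TRIGGERED if r in firing else NOT_TRIGGERED for r in rules]
    match, _ = most_similar_terminal(matrix, rules, target_vec)
    row = matrix[match]
    known = [(r, ts) for r, ts in target_alarms if row[r][0] == TRIGGERED]
    new = [(r, ts) for r, ts in target_alarms if row[r][0] != TRIGGERED]
    known.sort(key=lambda rt: -row[rt[0]][1])
    new.sort(key=lambda rt: rt[1])
    return match, [r for r, _ in known + new]

# Constructed reproduction of the page's worked example: rules a-e, terminals
# 1-3 as known security O&M terminals, terminal 4 ("N") to be ranked.
RULES = ["a", "b", "c", "d", "e"]
OBSERVATIONS = {
    1: {"a": (True, Behaviour(clicked_view=True)),               # S = 3
        "c": (True, Behaviour(True, True, 120.0, True)),         # S = 18
        "d": (True, Behaviour(True, True, 30.0, False)),         # S = 8.5
        "e": (True, Behaviour(True, False, 60.0, False))},       # S = 6
    2: {"b": (True, Behaviour()), "d": (True, Behaviour()),
        "e": (True, Behaviour())},
    3: {"a": (True, Behaviour(clicked_view=True)), "b": (True, Behaviour())},
}
# Terminal N has triggered all five rules; the timestamps are constructed.
TERMINAL_N_ALARMS = [("a", 100), ("b", 101), ("c", 102), ("d", 103), ("e", 104)]

def worked_example():
    matrix = build_matrix(RULES, OBSERVATIONS)
    return rank_alarms(matrix, RULES, TERMINAL_N_ALARMS)

if __name__ == "__main__":
    print(worked_example())
```

With the standard cosine formula the similarities come out as 0.6, 0.2 and -0.2 rather than the figures printed above, but terminal 1 is still selected and the recommended order c, d, e, a, b is the same.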
According to the technical scheme of this embodiment, the first alarm vectors and alarm handling information of a plurality of security operation and maintenance terminals for a plurality of alarm rules are acquired and stored in an interaction scoring matrix, the most similar terminal is determined from the similarity between the second alarm vector of the terminal to be ranked and each first alarm vector, and the alarm information of the terminal to be ranked is ranked and pushed according to the alarm handling information of that terminal. Threat alarms that need handling can thus be identified among a large volume of raw alarm information and pushed to operation and maintenance personnel for review, which solves the alarm priority ranking problem when many alarm terminals access a cloud platform and improves operation and maintenance efficiency. Different terminals receive personalized alarm rankings; compared with fixed-threshold calculation and similar approaches, this adheres more closely to the actual needs of each industry and improves the accuracy of alarm priority ranking, for example by processing different service types differently, prompting valuable alarm operation and maintenance information first, and meeting the intelligent, individual screening needs of different industries.
Fig. 2 is a schematic structural diagram of a network security alarm processing apparatus according to an embodiment of the disclosure. As shown in fig. 2, the network security alarm processing apparatus includes an acquisition module 21, a storage module 22, an obtaining module 23, a matching module 24 and a ranking module 25.
The acquisition module 21 is configured to acquire first alarm vectors of a plurality of security operation and maintenance terminals for a plurality of alarm rules and to acquire alarm handling information of those terminals for the same alarm rules, where each first alarm vector is an ordered sequence of report information, the report information indicates whether the security operation and maintenance terminal triggered the alarm rule within a specified time interval, and the alarm handling information indicates the priority handling degree of the alarm rule;
the storage module 22 is configured to generate and store a terminal/alarm-rule interaction scoring matrix from the first alarm vectors and alarm handling information of the plurality of security operation and maintenance terminals;
the obtaining module 23 is configured to obtain the second alarm vector of the terminal to be ranked for the plurality of alarm rules and to call the interaction scoring matrix to obtain the first alarm vectors of the plurality of security operation and maintenance terminals;
the matching module 24 is configured to calculate the similarity between the second alarm vector and each first alarm vector and to determine the security operation and maintenance terminal with the highest similarity as the most similar terminal of the terminal to be ranked;
and the ranking module 25 is configured to rank and push the alarm information of the terminal to be ranked according to the alarm handling information of the most similar terminal.
In one embodiment of the present disclosure, the acquisition module 21 is specifically configured to: for each security operation and maintenance terminal, obtain the score of each preset item and the user behavior characteristics of each preset item, where the user behavior characteristics are: whether the alarm was clicked to view, whether the forensic evidence package was downloaded, the dwell time on the alarm page, and whether the associated disposition button was clicked; and weight the user behavior characteristics by the scores of the preset items to obtain the priority score of the alarm rule.
In one embodiment of the present disclosure, the matching module 24 is specifically configured to: if several security operation and maintenance terminals share the highest similarity, apply a maximum function to the alarm handling information of each of those terminals; and determine, among them, the terminal with the largest result as the most similar terminal.
In one embodiment of the present disclosure, the storage module 22 is specifically configured to: group the plurality of security operation and maintenance terminals by service type into several terminal sets, each set containing the security operation and maintenance terminals of the same service type; and for each terminal set, generate an interaction scoring matrix for that service type from the first alarm vector and alarm handling information of each security operation and maintenance terminal in the set.
In one embodiment of the present disclosure, the matching module 24 is specifically configured to calculate the similarity by the following formula,
Figure BDA0004019480700000121
wherein x_i represents the report information of the first alert vector and y_i represents the report information of the second alert vector.
In one embodiment of the disclosure, in the first alert vector, where the report information is that the alert rule was triggered within the specified time interval, the value recorded at the corresponding position of the first alert vector is 1, and where the report information is that the alert rule was not triggered within the specified time interval, the value recorded at the corresponding position is -1.
The network security alarm processing device provided by the embodiments of the disclosure can execute any network security alarm processing method provided by the embodiments of the disclosure, and has the functional modules and beneficial effects corresponding to the executed method. For details of the apparatus embodiments not described here, refer to the description of any of the method embodiments of the present disclosure.
The embodiments of the disclosure also provide an electronic device, which comprises one or more processors and a memory. The processor may be a Central Processing Unit (CPU) or another form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the electronic device to perform the desired functions. The memory may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. Volatile memory can include, for example, Random Access Memory (RAM) and/or cache memory. Non-volatile memory may include, for example, Read-Only Memory (ROM), a hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium, and the processor may execute the program instructions to implement the methods of the embodiments of the present disclosure described above and/or other desired functions. Various contents such as an input signal, a signal component, a noise component, and the like may also be stored in the computer-readable storage medium.
In one example, the electronic device may further include: input devices and output devices, which are interconnected by a bus system and/or other forms of connection mechanisms. In addition, the input device may include, for example, a keyboard, a mouse, and the like. The output device may output various information including the determined distance information, direction information, etc., to the outside. The output means may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, etc. In addition, the electronic device may include any other suitable components, such as a bus, input/output interface, etc., depending on the particular application.
In addition to the methods and apparatus described above, embodiments of the present disclosure may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform any of the methods provided by the embodiments of the present disclosure.
The computer program product may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present disclosure may also be a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, cause the processor to perform any of the methods provided by the embodiments of the present disclosure.
A computer-readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that in this document, relational terms such as "first" and "second" and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing is merely a specific embodiment of the disclosure to enable one skilled in the art to understand or practice the disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown and described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A network security alarm processing method, comprising:
acquiring first alarm vectors of a plurality of safety operation and maintenance terminals for a plurality of alarm rules respectively, and acquiring alarm disposal information of the plurality of safety operation and maintenance terminals for the plurality of alarm rules respectively, wherein the first alarm vectors are sequentially composed of report information, the report information is used for indicating whether the safety operation and maintenance terminals trigger the alarm rules in a designated time interval, and the alarm disposal information is used for indicating the priority disposal degree of the alarm rules;
generating and storing interaction scoring matrixes of the terminal and the alarm rules according to the first alarm vectors and the alarm handling information of the plurality of safety operation and maintenance terminals for the plurality of alarm rules respectively;
acquiring second alarm vectors of the terminals to be sequenced for the plurality of alarm rules, and calling the interaction scoring matrix to acquire first alarm vectors of the plurality of safety operation and maintenance terminals;
calculating the similarity between the second alarm vector and each first alarm vector, and determining the safe operation and maintenance terminal with the highest similarity as the most similar terminal of the terminals to be sequenced;
and sorting and pushing the alarm information of the terminal to be sorted according to the alarm handling information of the most similar terminal.
2. The method of claim 1, wherein the obtaining alert handling information for the plurality of secure operation and maintenance terminals for a plurality of alert rules, respectively, comprises:
for each safe operation and maintenance terminal, obtaining the score of each preset item and the user behavior characteristics of each preset item, wherein the user behavior characteristics are as follows: whether to click to check, whether to download the evidence obtaining package, the alarm page residence time and whether to click the associated disposition key;
and weighting the user behavior characteristics according to the scores of the preset items to obtain the priority score of the alarm rule.
3. The method of claim 1, wherein the determining that the secure operation terminal with the highest similarity is the most similar terminal of the terminals to be ranked comprises:
if a plurality of safety operation and maintenance terminals with the highest similarity exist, calculating alarm treatment information of the safety operation and maintenance terminals with the highest similarity by adopting a maximum function;
and determining the security operation and maintenance terminal with the largest calculation result from the security operation and maintenance terminals with the highest similarity as the most similar terminal.
4. The method of claim 1, wherein generating and storing the interaction scoring matrix of the terminal and the alert rules based on the first alert vectors and the alert disposition information of the plurality of secure operation and maintenance terminals for the plurality of alert rules, respectively, comprises:
grouping a plurality of security operation and maintenance terminals according to the service type to obtain a plurality of groups of terminal sets, wherein each group of terminal sets comprises security operation and maintenance terminals with the same service type;
and for each group of terminal set, generating an interaction scoring matrix of the service type according to the first alarm vector and alarm handling information of each security operation terminal in the terminal set.
5. The method of claim 1, wherein the calculating the similarity between the second alert vector and each first alert vector comprises:
the similarity is calculated by the following formula,
Figure FDA0004019480690000021
wherein x_i represents the report information of the first alert vector and y_i represents the report information of the second alert vector.
6. The method of claim 5, wherein in the first alert vector, the value recorded at the corresponding position of the first alert vector is 1 where the report information is that the alert rule was triggered within the specified time interval, and the value recorded at the corresponding position of the first alert vector is -1 where the report information is that the alert rule was not triggered within the specified time interval.
7. A network security alarm processing apparatus, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring first alarm vectors of a plurality of safety operation and maintenance terminals for a plurality of alarm rules respectively and acquiring alarm disposal information of the plurality of safety operation and maintenance terminals for the plurality of alarm rules respectively, wherein the first alarm vectors are sequentially composed of report information, the report information is used for indicating whether the safety operation and maintenance terminals trigger the alarm rules in a specified time interval, and the alarm disposal information is used for indicating the priority disposal degree of the alarm rules;
the storage module is used for generating and storing interaction scoring matrixes of the terminal and the alarm rules according to the first alarm vectors and the alarm disposal information of the plurality of alarm rules respectively by the plurality of safety operation and maintenance terminals;
the acquisition module is used for acquiring second alarm vectors of the terminals to be sequenced for the plurality of alarm rules and calling the interaction scoring matrix to acquire first alarm vectors of the plurality of safety operation and maintenance terminals;
the matching module is used for calculating the similarity between the second alarm vector and each first alarm vector and determining the safety operation terminal with the highest similarity as the most similar terminal of the terminals to be sequenced;
and the sorting module is used for sorting and pushing the alarm information of the terminal to be sorted according to the alarm handling information of the most similar terminal.
8. The apparatus of claim 7, wherein the acquisition module is specifically configured to:
for each safe operation and maintenance terminal, obtaining the score of each preset item and the user behavior characteristics of each preset item, wherein the user behavior characteristics are as follows: whether to click to check, whether to download the evidence obtaining package, the alarm page residence time and whether to click the associated disposition key;
and weighting the user behavior characteristics according to the scores of the preset items to obtain the priority score of the alarm rule.
9. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the network security alarm processing method of any of the preceding claims 1-6.
10. A computer readable storage medium, characterized in that the storage medium stores a computer program which, when executed by a processor, implements the network security alarm processing method of any of the preceding claims 1-6.
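The ranking procedure of claims 1 to 6 (and of the module description above), as an added worked example that is not the patent's own code. The patent's similarity formula survives on this page only as an image, so cosine similarity over the +1/-1 report values is substituted here and labelled as an assumption; the rule identifiers, preset item-score weights and terminal histories are constructed for the example.

```python
import math
from typing import Dict, List, Tuple

# Constructed alert-rule identifiers; the patent leaves the rule set open.
RULES = ["brute_force", "port_scan", "c2_beacon", "malware_hash"]

# Claim 2: four user behaviour features, each weighted by a preset item score.
# The weights below are constructed for this example.
ITEM_SCORES = {"clicked_to_check": 1.0, "downloaded_forensics_pkg": 2.0,
               "dwell_seconds": 0.01, "clicked_disposition": 3.0}

Row = Tuple[List[int], Dict[str, float]]  # (first alert vector, handling info)
Matrix = Dict[str, Dict[str, Row]]        # service type -> terminal id -> row


def priority_score(behaviour: Dict[str, float]) -> float:
    """Claim 2: weight the behaviour features by the preset item scores."""
    return sum(ITEM_SCORES[k] * float(v) for k, v in behaviour.items())


def alert_vector(triggered: Dict[str, bool]) -> List[int]:
    """Claim 6: +1 where the rule fired in the interval, -1 where it did not."""
    return [1 if triggered.get(r, False) else -1 for r in RULES]


def similarity(x: List[int], y: List[int]) -> float:
    """Assumed stand-in for the patent's formula (only an image on the page):
    cosine similarity over the +1/-1 report values."""
    return sum(a * b for a, b in zip(x, y)) / (math.hypot(*x) * math.hypot(*y))


def build_matrix(terminals: Dict[str, dict]) -> Matrix:
    """Claim 4: one interaction scoring matrix per service type; each row holds
    a terminal's first alert vector and its per-rule priority scores."""
    matrix: Matrix = {}
    for tid, t in terminals.items():
        handling = {rule: priority_score(b) for rule, b in t["behaviour"].items()}
        matrix.setdefault(t["service"], {})[tid] = (alert_vector(t["triggered"]), handling)
    return matrix


def most_similar_terminal(matrix: Matrix, service: str, second: List[int]) -> str:
    """Claims 1 and 3: highest similarity wins; ties are broken by the maximum
    of each tied terminal's handling scores."""
    rows = matrix[service]
    sims = {tid: similarity(second, vec) for tid, (vec, _) in rows.items()}
    best = max(sims.values())
    tied = [tid for tid, s in sims.items() if math.isclose(s, best)]
    return max(tied, key=lambda tid: max(rows[tid][1].values()))


def rank_alerts(matrix: Matrix, service: str, triggered: Dict[str, bool]) -> List[str]:
    """Claim 1, last step: order the new terminal's fired rules by the most
    similar terminal's handling priority, highest first."""
    handling = matrix[service][most_similar_terminal(matrix, service, alert_vector(triggered))][1]
    fired = [r for r in RULES if triggered.get(r, False)]
    return sorted(fired, key=lambda r: handling.get(r, 0.0), reverse=True)


def beh(click: int, download: int, dwell: float, dispose: int) -> Dict[str, float]:
    """Shorthand for one alert's recorded behaviour features."""
    return {"clicked_to_check": click, "downloaded_forensics_pkg": download,
            "dwell_seconds": dwell, "clicked_disposition": dispose}


# Constructed history for three security O&M terminals (two in the "web" group).
TERMINALS = {
    "soc-a": {"service": "web", "triggered": {"brute_force": True, "port_scan": True},
              "behaviour": {"brute_force": beh(1, 0, 30, 0), "port_scan": beh(1, 1, 120, 1)}},
    "soc-b": {"service": "web", "triggered": {"brute_force": True, "c2_beacon": True},
              "behaviour": {"brute_force": beh(1, 1, 60, 1), "c2_beacon": beh(1, 0, 10, 0)}},
    "soc-c": {"service": "db", "triggered": {"port_scan": True},
              "behaviour": {"port_scan": beh(1, 0, 5, 0)}},
}
```

Calling `rank_alerts(build_matrix(TERMINALS), "web", {"brute_force": True, "port_scan": True})` returns `["port_scan", "brute_force"]`, the order in which the nearest neighbour soc-a prioritised those rules; a new terminal whose only fired rule is brute_force ties soc-a and soc-b at equal similarity, and the claim 3 maximum-function tie-break selects soc-a.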
CN202211685256.1A 2022-12-27 2022-12-27 Network security alarm processing method, device, equipment and storage medium Active CN116015873B (en)

Publications (2)

Publication Number Publication Date
CN116015873A true CN116015873A (en) 2023-04-25
CN116015873B CN116015873B (en) 2023-08-29

Family

ID=86035074

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant