CN116483666A - Multi-source heterogeneous alarm information fusion method and system based on space-time correlation - Google Patents


Info

Publication number
CN116483666A
Authority
CN
China
Prior art keywords
alarm information
data
source
merging
source target
Legal status
Pending
Application number
CN202310220484.XA
Other languages
Chinese (zh)
Inventor
胡柏吉
周亮
朱亚运
朱朝阳
王海翔
张晓娟
缪思薇
姜琳
蔺子卿
曹靖怡
Current Assignee
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
China Electric Power Research Institute Co Ltd CEPRI
Application filed by China Electric Power Research Institute Co Ltd CEPRI
Priority to CN202310220484.XA
Publication of CN116483666A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/32 Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F 11/324 Display of status information
    • G06F 11/327 Alarm or error message display

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a multi-source heterogeneous alarm information fusion method and system based on space-time correlation, and belongs to the technical field of data fusion. The method comprises the following steps: reading multi-source heterogeneous network log data and extracting the alarm information in the log data; preprocessing the extracted alarm information to obtain multi-source target alarm information; and determining the credibility of the multi-source target alarm information based on space-time correlation, and fusing the multi-source target alarm information based on the credibility. The invention is highly extensible and can fuse the data quickly once the data has been read.

Description

Multi-source heterogeneous alarm information fusion method and system based on space-time correlation
Technical Field
The invention relates to the technical field of data fusion, and in particular to a multi-source heterogeneous alarm information fusion method and system based on space-time correlation.
Background
The power cyber-physical system (power CPS for short) is a new form of the traditional power system supported by advanced information technology and is the main characteristic of the smart grid, but it also introduces potential security problems, which arise from the complex mechanisms of the coupling between the primary and secondary systems. The power CPS consists mainly of a power information system and a power physical system. A stable and reliable information and communication system is critical to the safe operation of the power system, and a great deal of security-relevant information is hidden in the massive log data generated while the information and communication system operates. Using log analysis techniques to monitor the operating state of the system and the behaviour of its users is therefore a pressing and difficult problem at present.
A large amount of log information is generated during the operation of the power information system, and important information about the operation of the power system is preserved in it. The log data of the power information system is characterised by a huge data volume, multi-source heterogeneous log data, and the absence of direct correlation between different logs. Since threat propagation follows the principles of decay and superposition, and a repair function is taken into account, space-time correlation exists between threat propagation events. The space-time characteristics can therefore be used for correlation analysis when preprocessing security alarm log data, and redundant data can then be merged. Actions that threaten security usually leave traces in the logs of different devices, and these traces are usually related, often identical or similar, in time and in space; this can be used to effectively identify erroneous data and potential threats.
Disclosure of Invention
To address these problems, the invention provides a multi-source heterogeneous alarm information fusion method based on space-time correlation, which comprises the following steps:
reading multi-source heterogeneous network log data, and extracting the alarm information in the log data;
preprocessing the extracted alarm information to obtain multi-source target alarm information;
and determining the credibility of the multi-source target alarm information based on space-time correlation, and fusing the multi-source target alarm information based on the credibility.
Optionally, the multi-source heterogeneous network log data includes at least one of: host device log data, network device log data, application system log data, and security device log data.
Optionally, preprocessing the extracted alarm information includes: normalizing and merging the extracted alarm information.
Optionally, normalizing the extracted alarm information includes: unifying the log format of the extracted alarm information.
Optionally, merging the extracted alarm information includes: merging the alarm information in the unified log format that comes from the same source, to obtain same-source merged alarm information in the unified log format, and then merging the same-source merged alarm information in the unified log format together.
Optionally, merging the same-source alarm information in the unified log format includes: determining the attribute dissimilarity between two alarm messages, and merging the two alarm messages if the attribute dissimilarity is smaller than a preset threshold.
Optionally, determining the credibility of the multi-source target alarm information based on space-time correlation includes: determining the degree of association between any two of the data sources corresponding to the multi-source target alarm information, determining the degree of support of each data source from the degrees of association, and determining the credibility of the multi-source target alarm information from the degrees of support of the data sources.
Optionally, fusing the multi-source target alarm information based on the credibility includes: dividing the security state of the multi-source target alarm information at a given instant into a plurality of threat levels; taking the credibility of the multi-source target alarm information as the weight of its data source; determining the threat value of the multi-source target alarm information from the weight and the threat level; establishing a membership model of the threat value based on triangular fuzzy numbers; and fusing the multi-source target alarm information by applying the Dempster combination rule to the membership model.
In still another aspect, the present invention further provides a multi-source heterogeneous alarm information fusion system based on space-time correlation, including:
a reading unit, used to read the multi-source heterogeneous network log data and extract the alarm information in the log data;
a preprocessing unit, used to preprocess the extracted alarm information to obtain multi-source target alarm information;
and a fusion unit, used to determine the credibility of the multi-source target alarm information based on space-time correlation and to fuse the multi-source target alarm information based on the credibility.
Optionally, the multi-source heterogeneous network log data includes at least one of: host device log data, network device log data, application system log data, and security device log data.
Optionally, preprocessing the extracted alarm information includes: normalizing and merging the extracted alarm information.
Optionally, normalizing the extracted alarm information includes: unifying the log format of the extracted alarm information.
Optionally, merging the extracted alarm information includes: merging the alarm information in the unified log format that comes from the same source, to obtain same-source merged alarm information in the unified log format, and then merging the same-source merged alarm information in the unified log format together.
Optionally, merging the same-source alarm information in the unified log format includes: determining the attribute dissimilarity between two alarm messages, and merging the two alarm messages if the attribute dissimilarity is smaller than a preset threshold.
Optionally, determining the credibility of the multi-source target alarm information based on space-time correlation includes: determining the degree of association between any two of the data sources corresponding to the multi-source target alarm information, determining the degree of support of each data source from the degrees of association, and determining the credibility of the multi-source target alarm information from the degrees of support of the data sources.
Optionally, fusing the multi-source target alarm information based on the credibility includes: dividing the security state of the multi-source target alarm information at a given instant into a plurality of threat levels; taking the credibility of the multi-source target alarm information as the weight of its data source; determining the threat value of the multi-source target alarm information from the weight and the threat level; establishing a membership model of the threat value based on triangular fuzzy numbers; and fusing the multi-source target alarm information by applying the Dempster combination rule to the membership model.
In yet another aspect, the present invention also provides a computing device comprising: one or more processors;
a processor for executing one or more programs;
wherein the method described above is implemented when the one or more programs are executed by the one or more processors.
In yet another aspect, the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed, implements the method described above.
Compared with the prior art, the invention has the following beneficial effects:
the invention provides a multi-source heterogeneous alarm information fusion method based on space-time correlation, which comprises the following steps: reading multi-source heterogeneous network log data and extracting the alarm information in the log data; preprocessing the extracted alarm information to obtain multi-source target alarm information; and determining the credibility of the multi-source target alarm information based on space-time correlation, and fusing the multi-source target alarm information based on the credibility. The invention is highly extensible and can fuse the data quickly once the data has been read.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a block diagram of the system of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
Example 1:
The invention provides a multi-source heterogeneous alarm information fusion method based on space-time correlation, shown in FIG. 1, which comprises the following steps:
step 1, reading multi-source heterogeneous network log data, and extracting the alarm information in the log data;
step 2, preprocessing the extracted alarm information to obtain multi-source target alarm information;
step 3, determining the credibility of the multi-source target alarm information based on space-time correlation, and fusing the multi-source target alarm information based on the credibility.
Here the multi-source heterogeneous network log data includes at least one of: host device log data, network device log data, application system log data, and security device log data.
Preprocessing the extracted alarm information comprises: normalizing and merging the extracted alarm information.
Normalizing the extracted alarm information comprises: unifying the log format of the extracted alarm information.
Merging the extracted alarm information comprises: merging the alarm information in the unified log format that comes from the same source, to obtain same-source merged alarm information in the unified log format, and then merging the same-source merged alarm information in the unified log format together.
Merging the same-source alarm information in the unified log format comprises: determining the attribute dissimilarity between two alarm messages, and merging the two alarm messages if the attribute dissimilarity is smaller than a preset threshold.
Determining the credibility of the multi-source target alarm information based on space-time correlation comprises: determining the degree of association between any two of the data sources corresponding to the multi-source target alarm information, determining the degree of support of each data source from the degrees of association, and determining the credibility of the multi-source target alarm information from the degrees of support of the data sources.
Fusing the multi-source target alarm information based on the credibility comprises: dividing the security state of the multi-source target alarm information at a given instant into a plurality of threat levels; taking the credibility of the multi-source target alarm information as the weight of its data source; determining the threat value of the multi-source target alarm information from the weight and the threat level; establishing a membership model of the threat value based on triangular fuzzy numbers; and fusing the multi-source target alarm information by applying the Dempster combination rule to the membership model.
The invention is further illustrated by the following example:
The implementation process of this embodiment comprises the following steps:
Alarm data preprocessing:
Network log data come from a wide range of sources, roughly divided into host device logs, network device logs, application system logs, security device logs and so on. The data volume is large, storage is distributed, there is a great deal of noise, blank and overlapping data, and the data formats are inconsistent; these characteristics create many obstacles for subsequent log analysis.
Therefore the original log data must be preprocessed. The preprocessing methods selected for the requirements of alarm data fusion mainly comprise normalization and merging. Since the research focus of the invention is improving alarm accuracy through data fusion, the invention directly filters out log attributes that are irrelevant to network security analysis, so as to reduce storage pressure.
Alarm log normalization:
Different vendors choose different log record formats, so log data cannot be used directly for data analysis. Network security devices are varied, including physical security devices, virtual security devices, application-layer security devices and so on, and their log formats are not uniform, so alarm logs must be normalized before they are analyzed.
Although different vendors have no unified log format, the information structure recorded by a log is relatively fixed. Even though the final storage mechanism of different types of log differs, most of the fields are essentially generic. Therefore, for these frequently occurring fields, the invention selects and extracts during normalization security elements such as the source IP address, source port, destination IP address, destination port, timestamp, exception type, priority and other security elements. To facilitate the subsequent analysis and calculation of alarm times, the time information of the original log is converted during normalization into the number of seconds elapsed since 00:00 on January 1. Finally, after alarm information fusion is complete, the time information is restored to a representation that is intuitive to the user. Normalization is illustrated below using the log information of a snort intrusion detection system as an example: "Mar 1 11:56:12 bastion snort: [1:2003:8] MS-SQL Worm propagation attempt [Classification: misc attach] [Priority: 2]: [UDP] 12.216.217.167:4934 -> 11.11.79.71:1434". This information is normalized as shown in Table 1:
Table 1: log information normalization
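The normalization step described above, as an added example that is not part of the patent: a parser that maps the quoted snort alert line onto a unified alarm record holding only the security elements the description lists, converting the timestamp to seconds since 00:00 on January 1 and restoring it afterwards. The field names of the record, the regular expression and the year (syslog timestamps carry none) are our own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the snort alert line quoted in the description,
# with the spacing lost in extraction repaired.
SAMPLE_LOG = ("Mar 1 11:56:12 bastion snort: [1:2003:8] MS-SQL Worm propagation attempt "
              "[Classification: misc attach] [Priority: 2]: [UDP] "
              "12.216.217.167:4934 -> 11.11.79.71:1434")

# Pattern for the syslog-style snort alert line. The named groups are our own
# (assumed) field names, chosen to mirror the security elements the description lists.
SNORT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hms>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+snort:\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*?)\s*\]\s+\[Priority:\s*(?P<prio>\d+)\s*\]:\s+"
    r"\[(?P<proto>\w+)\]\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def seconds_since_jan1(mon, day, hms, year):
    """Seconds elapsed from 00:00 on January 1 of `year` to the given syslog timestamp.
    syslog lines carry no year, so the caller supplies it (assumption)."""
    ts = datetime.strptime(f"{year} {mon} {int(day)} {hms}", "%Y %b %d %H:%M:%S")
    return int((ts - datetime(year, 1, 1)).total_seconds())


def restore_time(seconds, year):
    """Inverse of seconds_since_jan1, used after fusion to present times to the user."""
    return (datetime(year, 1, 1) + timedelta(seconds=seconds)).strftime("%b %d %H:%M:%S")


def normalize_snort(line, year=2023):
    """Map one snort alert line onto the unified alarm record.
    Only security elements are kept; attributes irrelevant to security analysis
    (the sensor host name, the free-text message) are dropped, as the description proposes."""
    m = SNORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a snort alert line: %r" % line)
    return {
        "timestamp": seconds_since_jan1(m["mon"], m["day"], m["hms"], year),
        "src_ip": m["src"],
        "src_port": int(m["sport"]),
        "dst_ip": m["dst"],
        "dst_port": int(m["dport"]),
        "protocol": m["proto"],
        "exception_type": m["cls"],   # snort's classification plays the role of exception type
        "priority": int(m["prio"]),
        "signature": m["sid"],        # snort rule id, kept as an additional security element
    }


if __name__ == "__main__":
    record = normalize_snort(SAMPLE_LOG)
    print(record)
    print(restore_time(record["timestamp"], 2023))
```

One parser function per vendor format, all producing the same record layout, is what makes the later dissimilarity and credibility steps independent of where an alarm came from; a line that does not match raises instead of silently yielding a half-filled record, so malformed input is visible rather than merged into the alarm stream.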
Merging alarm information:
In general, when a network security event occurs, redundant alarms are produced on the same device, and many of these logs are repeated or essentially identical, so the invention merges these repeated logs to improve efficiency and enhance the effect of alarm information fusion. The invention uses an alarm information merging method based on attribute dissimilarity: the alarm information from each network security device is first merged separately; two alarm messages are merged when their dissimilarity is smaller than the threshold, and when the dissimilarity is larger than the threshold the later alarm message becomes a new alarm message. After the alarm information of each device has been merged, the merged alarm information of all devices is merged together.
In view of the large data volume, and in order to compute more efficiently, as few important attributes as possible are selected for analyzing the dissimilarity of alarm information. The merging of the invention mainly considers space-time correlation, and redundant alarm information is analyzed using it: the time dimension of the alarm information is represented by the alarm time and the space dimension by the IP addresses. That is, the dissimilarity is calculated by giving different weights to the time, the source IP address and the destination IP address. The attribute-based dissimilarity is calculated as follows:
$$D_{ij} = \omega_t \times d_t + \omega_{src\_ip} \times d_{src\_ip} + \omega_{dst\_ip} \times d_{dst\_ip}$$
$$d_t = (t_i - t_j)/r$$
where $D_{ij}$ is the dissimilarity between alarm message $i$ and alarm message $j$; $\omega_t$ is the weight of the time dissimilarity; $\omega_{src\_ip}$ is the weight of the source IP address dissimilarity; $\omega_{dst\_ip}$ is the weight of the destination IP address dissimilarity; $d_t$ is the normalized time difference between alarm messages $i$ and $j$; $t_i$ and $t_j$ are the times of alarm messages $i$ and $j$ respectively; $r$ is the maximum time difference that can be merged; $d_{src\_ip}$ is the normalized source address dissimilarity of alarm messages $i$ and $j$, where $index_{src\_diff}$ is the position of the first differing bit after the two source addresses are converted to binary; similarly, $d_{dst\_ip}$ is the normalized destination address dissimilarity of alarm messages $i$ and $j$, where $index_{dst\_diff}$ is the position of the first differing bit after the two destination addresses are converted to binary.
If the dissimilarity between a new alarm message and every current alarm message is greater than the threshold, the alarm message is added to the current alarm information. The choice of the dissimilarity threshold is therefore critical to the merging of alarm information, and the specific threshold can be obtained through experimental testing. The alarm information merging algorithm is as follows:
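The merging procedure above, as an added example rather than the patent's own algorithm (the page does not reproduce it): alarms from one device are compared with the current merged alarms using the weighted dissimilarity $D_{ij}$ and folded into the closest one when $D_{ij}$ is below the threshold. The page does not give the formula that normalizes the first-differing-bit index into $d_{src\_ip}$ and $d_{dst\_ip}$, so the scaling by 32 below is an assumption, as are the use of the absolute time difference, the decision to give a merged record the newer timestamp, and all sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Alarm:
    """One normalized alarm; only the attributes used for dissimilarity are kept."""
    time: int        # seconds since January 1, as produced by normalization
    src_ip: str
    dst_ip: str
    count: int = 1   # how many raw alarms this record represents after merging


def first_differing_bit(ip_a, ip_b):
    """Position of the first differing bit of two IPv4 addresses, counted from the most
    significant bit (0..32). 32 means the addresses are identical."""
    x = int(ipaddress.IPv4Address(ip_a)) ^ int(ipaddress.IPv4Address(ip_b))
    return 32 - x.bit_length()


def ip_dissimilarity(ip_a, ip_b):
    """Normalized address dissimilarity. The page omits the normalization formula; here
    (assumption) the index is scaled so that identical addresses give 0 and addresses
    differing in their first bit give 1."""
    return 1.0 - first_differing_bit(ip_a, ip_b) / 32.0


def time_dissimilarity(t_i, t_j, r):
    """d_t = (t_i - t_j)/r; abs() makes it order independent (assumption). Values above 1
    mean the pair is further apart than the largest mergeable gap r."""
    return abs(t_i - t_j) / r


def dissimilarity(a, b, weights, r):
    """D_ij = w_t*d_t + w_src*d_src + w_dst*d_dst, the weighted sum from the description."""
    w_t, w_src, w_dst = weights
    return (w_t * time_dissimilarity(a.time, b.time, r)
            + w_src * ip_dissimilarity(a.src_ip, b.src_ip)
            + w_dst * ip_dissimilarity(a.dst_ip, b.dst_ip))


def merge_alarms(alarms, weights, r, threshold):
    """Merge the alarms of one device. Each alarm, in time order, is compared with every
    current (already merged) alarm and folded into the closest one when D < threshold;
    otherwise it becomes a new current alarm. A merged record takes the newer timestamp
    (assumption) so that a continuing burst keeps merging. The input list is not modified."""
    current = []
    for alarm in sorted(alarms, key=lambda x: x.time):
        best, best_d = None, None
        for cur in current:
            d = dissimilarity(alarm, cur, weights, r)
            if best_d is None or d < best_d:
                best, best_d = cur, d
        if best is not None and best_d < threshold:
            best.count += alarm.count
            best.time = alarm.time
        else:
            current.append(Alarm(alarm.time, alarm.src_ip, alarm.dst_ip, alarm.count))
    return current


# Constructed sample: four alarms from one security device.
SAMPLE_ALARMS = [
    Alarm(100, "10.0.0.5", "192.168.1.10"),
    Alarm(105, "10.0.0.5", "192.168.1.10"),    # repeat of the first, 5 s later
    Alarm(110, "10.99.0.5", "192.168.1.10"),   # different source network
    Alarm(900, "10.0.0.5", "192.168.1.10"),    # same addresses, but far outside r
]
WEIGHTS = (0.4, 0.3, 0.3)   # (w_t, w_src_ip, w_dst_ip); constructed values
R = 60                      # largest mergeable time gap in seconds; constructed
THRESHOLD = 0.2             # constructed; the page says it is chosen experimentally

if __name__ == "__main__":
    for merged in merge_alarms(SAMPLE_ALARMS, WEIGHTS, R, THRESHOLD):
        print(merged)
```

With these values the second alarm merges into the first ($D = 0.4 \cdot 5/60 \approx 0.033$), the third does not because its source address differs already at bit 9 ($D \approx 0.249$), and the fourth does not because $w_t \cdot d_t$ alone exceeds the threshold once the gap passes $r$; keeping `count` on the merged record preserves the evidence that a burst occurred, which a plain deduplication would lose.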
data source credibility analysis:
D-S evidence theory provides a feasible solution for solving multi-source data fusion, but D-S evidence theory is not good at solving the problem of conflict between different data sources, and if the conflict exists in the evidence, fusion results are likely to be in a situation of contradiction. Therefore, the invention provides a method for determining the weight of each alarm data source by using gray correlation degree and carrying out data fusion, which objectively and effectively solves the conflict problem between the data sources.
Gray correlation analysis of data sources:
the gray correlation degree analysis method is a multi-factor statistical analysis method, and the basic idea is to judge the correlation degree between factors according to the similarity degree between curves. The gray correlation can be used to describe the strength of the relationship between two different variable sequences. For two different variable sequences, their trend over time or other dependent variable has a certain relationship, and in gray theory, the measure of the relationship between such changes is called gray correlation. If the changing situation of two variables has similarity to a certain extent, namely the range of synchronous change is higher, the two variables can be said to have higher association degree under the influence of the same dependent variable; otherwise, the association degree of the two is lower. The gray correlation analysis is used to calculate the support between each data source pair by pair in order to quantify how well each data source is supported in the plurality of data sources.
Assuming that m alarm data sources are shared, n times are given, let x i (t) representing the alarm information of the alarm data source i at the time t, the alarm information of the alarm data source i at each time forms a sequence x i ={x i (t)|t=1,2,…,n}={x i (1),x i (2),…,x i (n) } the alert information sequence for m alert data sources is x 1 ,x 2 ,…,x m . the difference between the two sequences at the moment t is the association degree of the alarm information, and the sequence x i And sequence x j Correlation coefficient ζ at time t ij The calculation is as follows:
wherein delta is ij (min) is the sequence x i And sequence x j The minimum difference in each instant; delta of the same principle ij (max) is the maximum difference; delta ij (t) is the sequence x i And sequence x j The difference at time t; ρ is the resolution coefficient, and the value range is [0,1]。
Sequence x i And sequence x j Gray correlation degree r of (2) ij The calculation is as follows:
r ij the closer the value is to 1, the description sequence x i And sequence x j The better the correlation, the higher the degree of correlation.
Credibility analysis of data sources:
the higher the association of two data sources, the higher the mutual support of the two data sources. In the invention, therefore, the association degree between the data sources is taken as the support degree, namely the support degree S of the alarm data source i to the alarm data source j ij =r ij Thereby obtaining a support matrix:
due to S ji =S ij Therefore, the support matrix is a symmetric matrix, and the gray correlation calculation of m× (m-1)/2 times of alarm information sequences is needed to obtain the support matrix. The total supportability of the data source i by other data sources can be obtained through the supportability matrix:
a network attack can trace multiple security devices, which can be considered as: the higher the total support of a data source, the more accurate the data source information, i.e. the higher the credibility; the lower the total support, the less accurate, i.e., less trustworthy, the data source information. The higher the total degree of support of the other data sources to data source i, the higher the degree of trust of data source i. Normalizing the credibility of each data source to obtain the credibility of the data source i as follows:
it can be seen that the sum of the trustworthiness of the individual data sources is 1.
Multi-source alarm information fusion:
In multi-source alarm information fusion, classical D-S evidence theory cannot handle the conflict between data sources well; the main causes of conflict are erroneous information and the equal treatment of the information of all data sources during fusion. In practice the credibility of each data source differs, so data sources of different credibility should be treated differently, so that the influence of each data source on the fusion result is more reasonable and the fusion result better matches the actual situation. The invention performs multi-source alarm information fusion using a credibility-based alarm information fusion method: each data source is first assigned a weight, and the alarm information is then fused using the Dempster combination rule.
In the invention, the security state of each data source at a given instant is divided into four types, quantized as 0, 1, 2 and 3, which represent four threat levels from low to high: 0 means no security threat and 3 the highest threat level. Let the threat state of the alarm information of alarm data source $i$ at time $t$ be denoted $k(x_i(t))$. The credibility of each data source is taken as its weight, i.e. $\omega_i = C_i$, and weighting by it gives the alarm information threat value of data source $i$ at time $t$:
$$T_i(t) = \omega_i \, k(x_i(t))$$
so that the alarm information threat value sequence of data source $i$ is:
$$T_i = \{T_i(t) \mid t = 1, 2, \ldots, n\} = \{T_i(1), T_i(2), \ldots, T_i(n)\}$$
The invention uses triangular fuzzy numbers to establish the membership distribution model of the threat value $E_i(t)$ over the four threat levels 0, 1, 2, 3. Let the membership functions corresponding to the four threat levels be $\mu_0$, $\mu_1$, $\mu_2$, $\mu_3$ respectively; that is, the alarm information threat value of each data source at a given instant corresponds to a membership degree in each of the four threat levels. The model establishes the possibility that a threat value corresponds to each threat level and provides a basis for threat level grading analysis. The membership functions have the characteristics of a basic probability assignment function in D-S evidence theory, which provides the theoretical basis for data fusion using the Dempster combination rule.
Assuming $m$ data sources in total, the threat value sequences $T_i$, $i = 1, 2, \ldots, m$, of the $m$ data sources are fused $m-1$ times using the Dempster combination rule to obtain the final fused alarm information of the system at each instant. After fusion, if the membership degree of threat level $k$ at an instant is greater than the threshold $a$, the threat level at that instant is determined to be $k$; if the membership degrees of all four threat levels are smaller than $a$, the threat level at that instant is determined to be 0. The value of $a$ can be obtained through analysis and repeated experimental verification.
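The fusion step described above, as an added example that is not the patent's own code: credibility-weighted threat values $T_i(t) = \omega_i\,k(x_i(t))$, a triangular membership model over the levels 0..3, $m-1$ applications of the Dempster combination rule, and the threshold decision. The width of the triangular fuzzy numbers is not given on the page, so a half-width of 1 (adjacent levels overlapping) is an assumption; with it, the four memberships of any value in $[0, 3]$ already sum to 1, so each vector is a basic probability assignment over the singleton levels and the combination rule below is written for that singleton case only. The credibilities, level sequences and threshold are constructed sample values.

```python
from functools import reduce

LEVELS = (0, 1, 2, 3)   # threat levels from the description: 0 = no threat, 3 = highest


def threat_values(levels, weights):
    """T_i(t) = w_i * k(x_i(t)) for every source i at one instant."""
    if len(levels) != len(weights):
        raise ValueError("one weight per source is required")
    return [w * k for w, k in zip(weights, levels)]


def triangular_membership(value, half_width=1.0):
    """mu_0..mu_3: membership of a threat value in each level, from a triangular fuzzy
    number centred on each level (peak 1 at the centre, 0 at +/- half_width; the width is
    an assumption). Normalised to sum to 1 so it serves as a BPA over the singleton levels."""
    mu = [max(0.0, 1.0 - abs(value - c) / half_width) for c in LEVELS]
    total = sum(mu)
    if total == 0.0:
        raise ValueError("threat value %r lies outside the support of every level" % value)
    return [v / total for v in mu]


def dempster_combine(m1, m2):
    """Dempster's rule for two BPAs whose focal elements are the singleton levels only:
    m(A) = m1(A) * m2(A) / (1 - K), with conflict K = 1 - sum_A m1(A) * m2(A).
    Total conflict (K = 1) leaves the rule undefined, so it is reported, not hidden."""
    agree = [a * b for a, b in zip(m1, m2)]
    norm = sum(agree)                   # equals 1 - K
    if norm <= 1e-12:
        raise ValueError("total conflict between the evidence sources (K = 1)")
    return [v / norm for v in agree]


def decide_level(fused, a):
    """Level whose fused membership exceeds the threshold a; 0 when none does."""
    best = max(range(len(fused)), key=lambda k: fused[k])
    return best if fused[best] > a else 0


def fuse_instant(levels, weights, a):
    """Weight each source's reported level, build its membership vector, combine the m
    sources with m-1 Dempster steps and decide the instant's threat level."""
    bpas = [triangular_membership(v) for v in threat_values(levels, weights)]
    fused = reduce(dempster_combine, bpas)
    return fused, decide_level(fused, a)


def fuse_sequence(level_sequences, weights, a):
    """Decided threat level at every instant t of the m sources' level sequences."""
    n = len(level_sequences[0])
    return [fuse_instant([seq[t] for seq in level_sequences], weights, a)[1]
            for t in range(n)]


# Constructed sample: credibilities as the gray-relation step would supply them (assumed
# values summing to 1), and three sources' threat levels at four instants; the third
# source under-reports at the last two instants.
CREDIBILITY = [0.34, 0.35, 0.31]
LEVEL_SEQUENCES = [
    [0, 1, 3, 3],
    [0, 1, 3, 3],
    [0, 1, 1, 2],
]
A = 0.6   # decision threshold; the page says it is found experimentally (constructed)

if __name__ == "__main__":
    for t in range(4):
        fused, level = fuse_instant([s[t] for s in LEVEL_SEQUENCES], CREDIBILITY, A)
        print(t + 1, ["%.3f" % v for v in fused], "->", level)
    print(fuse_sequence(LEVEL_SEQUENCES, CREDIBILITY, A))
```

Running it shows a property worth checking before deploying the scheme: because the credibilities $C_i$ sum to 1, the weighted value $\omega_i\,k(x_i(t))$ of any one source is at most $3\,C_i$, so with three sources even unanimous level-3 reports land near level 1 of the membership model, and the fused decision is compressed towards the low levels. The threshold $a$ and the placement of the membership centres therefore have to be calibrated against that scale (the page leaves $a$ to experiment). The `ValueError` on total conflict is the D-S failure mode the description discusses; with overlapping triangles it only occurs when sources report levels more than two apart after weighting.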
For network logs from different alarm data sources in the power information system, which have non-uniform data structures, no direct correlation between items of information, and information redundancy, the invention processes multi-source heterogeneous alarm information with data preprocessing and a data fusion technique based on D-S evidence theory. It uses the space-time correlation among the data of the data sources to perform data fusion, making full use of the complementarity of multi-source data so that the sources corroborate one another, which gives a more accurate understanding and evaluation of the monitored target system. The advantages are: 1) network intrusion behaviour is highly random and uncertain and prior knowledge is difficult to obtain; the method of the invention does not depend on prior knowledge and meets the requirements of network security management in the new situation. 2) The method is highly extensible, and can conveniently be used for data fusion when a new alarm data source appears.
When the data conflict, fusing the conflicting data with D-S evidence theory may produce a contradictory result. To address this problem, the invention weights the alarm information threat value of each data source by the credibility of the data source in order to correct conflicting data, thereby effectively resolving the evidence conflict problem of D-S evidence theory.
Example 2:
the invention also provides a multi-source heterogeneous alarm information fusion system based on space-time correlation, as shown in figure 2, comprising:
a reading unit 201, configured to read multi-source heterogeneous weblog data, and extract alarm information in the weblog data;
a preprocessing unit 202, configured to preprocess the extracted alarm information to obtain multi-source target alarm information;
and the fusion unit 203 is configured to determine the reliability of the multi-source target alarm information based on the space-time correlation, and fuse the multi-source target alarm information based on the reliability.
Wherein the multi-source heterogeneous weblog data includes at least one of: host device log data, network device log data, application system log data, and security device log data.
Preprocessing the extracted alarm information comprises: carrying out normalization processing and then merging processing on the extracted alarm information.
Normalizing the extracted alarm information comprises: unifying the log format of the extracted alarm information.
Merging the extracted alarm information comprises: first merging alarm information from the same source (homologous merging) that is already in the unified log format, to obtain homologously merged alarm information in the unified log format, and then merging the homologously merged alarm information in the unified log format to obtain the multi-source target alarm information.
Merging alarm information from the same source in the unified log format comprises: determining the attribute dissimilarity of two alarm messages, and merging the two messages if the attribute dissimilarity is smaller than a preset threshold.
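As an added illustration of the normalization and two-stage merging just described (example code written for this page, not code from the patent or from CEPRI), the Python block below normalizes two constructed raw log formats into one unified record, merges near-duplicate alarms from the same source when their weighted attribute dissimilarity is below a threshold, and then groups the survivors across sources into multi-source target alarms. The record fields, the two raw line formats, the attribute weights, the 60-second time window and the 0.1 threshold are all assumptions; the patent specifies none of them.

```python
"""Constructed example of the preprocessing step: two raw log formats are
normalised into one unified alarm record, near-duplicate alarms from the
same source are merged when their attribute dissimilarity is below a
threshold, and the survivors are grouped across sources into multi-source
target alarms. Field names, weights and thresholds are assumptions."""
import re
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass
class Alarm:
    source: str       # data source (e.g. "firewall", "ids")
    ts: datetime      # event time (UTC)
    src_ip: str
    dst_ip: str
    event: str        # event type in the unified vocabulary
    severity: int     # 1 (low) .. 5 (critical)
    count: int = 1    # number of raw alarms merged into this record


# Constructed raw input in two different formats (not real log data).
FIREWALL_LINES = [
    "2023-03-08T10:00:00 DROP src=10.0.0.5 dst=10.0.1.9 sev=3",
    "2023-03-08T10:00:04 DROP src=10.0.0.5 dst=10.0.1.9 sev=3",
    "2023-03-08T10:20:00 DROP src=10.0.0.7 dst=10.0.1.9 sev=2",
]
IDS_LINES = [  # epoch,src,dst,signature,severity
    "1678269600,10.0.0.5,10.0.1.9,PORTSCAN,4",
    "1678269602,10.0.0.5,10.0.1.9,PORTSCAN,4",
]

FW_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+) sev=(\d)$")


def parse_firewall(line):
    """Normalise one firewall line into the unified Alarm record."""
    m = FW_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable firewall line: {line!r}")
    ts, action, src, dst, sev = m.groups()
    when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return Alarm("firewall", when, src, dst, action.lower(), int(sev))


def parse_ids(line):
    """Normalise one IDS CSV line into the unified Alarm record."""
    epoch, src, dst, sig, sev = line.strip().split(",")
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return Alarm("ids", when, src, dst, sig.lower(), int(sev))


# Attribute weights for the dissimilarity measure (assumed; they sum to 1).
WEIGHTS = {"src_ip": 0.3, "dst_ip": 0.3, "event": 0.3, "time": 0.1}
TIME_WINDOW_S = 60.0   # time difference at which the time term saturates


def dissimilarity(a, b, compare_event=True):
    """Weighted attribute dissimilarity in [0, 1]; 0 means identical."""
    d = WEIGHTS["src_ip"] * (a.src_ip != b.src_ip)
    d += WEIGHTS["dst_ip"] * (a.dst_ip != b.dst_ip)
    if compare_event:
        d += WEIGHTS["event"] * (a.event != b.event)
    dt = abs((a.ts - b.ts).total_seconds())
    return d + WEIGHTS["time"] * min(dt / TIME_WINDOW_S, 1.0)


def merge_homologous(alarms, threshold=0.1):
    """Merge alarms from the same source whose dissimilarity is below threshold."""
    merged = []
    for a in sorted(alarms, key=lambda x: x.ts):
        for m in merged:
            if m.source == a.source and dissimilarity(m, a) < threshold:
                m.count += a.count                    # fold the duplicate in
                m.severity = max(m.severity, a.severity)
                break
        else:
            merged.append(replace(a))                 # keep a copy as a new record
    return merged


def merge_heterologous(alarms, threshold=0.1):
    """Group alarms from different sources that point at the same target.
    Event vocabularies differ between sources, so the event type is ignored."""
    groups = []
    for a in alarms:
        for g in groups:
            if a.source not in {x.source for x in g} and all(
                    dissimilarity(x, a, compare_event=False) < threshold for x in g):
                g.append(a)
                break
        else:
            groups.append([a])
    return groups


def preprocess(fw_lines=FIREWALL_LINES, ids_lines=IDS_LINES):
    """Full preprocessing: normalise, merge per source, then group across sources."""
    alarms = [parse_firewall(l) for l in fw_lines] + [parse_ids(l) for l in ids_lines]
    return merge_heterologous(merge_homologous(alarms))
```

On the constructed input the two firewall drops four seconds apart collapse into one record, the two IDS hits collapse into another, and the two records then form one multi-source target alarm; the firewall drop from a different host twenty minutes later stays a separate single-source target.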
Determining the credibility of the multi-source target alarm information based on the space-time correlation comprises: determining the association degree between any two of the data sources corresponding to the multi-source target alarm information, determining the support degree of each data source from the association degrees, and determining the credibility of the multi-source target alarm information from the support degrees of the data sources.
Fusing the multi-source target alarm information based on the credibility comprises: partitioning the security state of the multi-source target alarm information at a given instant into several threat levels, taking the credibility of the multi-source target alarm information as the weight of its data source, determining the threat value of the multi-source target alarm information from the weight and the threat level, building a membership model of the threat value from triangular fuzzy numbers, and fusing the multi-source target alarm information by applying the Dempster combination rule to the membership model.
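The credibility and fusion steps above, together with the credibility weighting that the advantages section describes as the remedy for DS evidence conflicts, as an added Python example that is not the patent's own code. The Gaussian association degree, support as the sum of a source's association degrees with the others, credibility normalised to the best-supported source, the three triangular fuzzy levels on a 0..10 threat-value scale, and the use of credibility as a discount factor on each source's evidence are all assumptions made here; the patent names the steps but gives no formulas. The constructed threat values make two sources agree on a high threat while the third disagrees, which is exactly the case in which plain Dempster combination gives a contradictory answer.

```python
"""Constructed example of the credibility-weighted DS fusion step.
The association-degree, support-degree and credibility formulas, the
triangular fuzzy levels and the way credibility discounts each source's
evidence are assumptions made for this example."""
import math
from itertools import combinations

LEVELS = ("low", "medium", "high")
THETA = frozenset(LEVELS)  # frame of discernment: all threat levels

# Triangular fuzzy numbers (a, b, c) on the 0..10 threat-value scale (assumed).
TRIANGLES = {"low": (-5.0, 0.0, 5.0), "medium": (0.0, 5.0, 10.0), "high": (5.0, 10.0, 15.0)}


def tri_membership(v, a, b, c):
    """Membership of v in the triangular fuzzy number (a, b, c)."""
    if v <= a or v >= c:
        return 0.0
    return (v - a) / (b - a) if v <= b else (c - v) / (c - b)


def association_degree(vi, vj, sigma=2.0):
    """Closeness of two sources' threat values (Gaussian similarity, assumed)."""
    return math.exp(-((vi - vj) ** 2) / (2 * sigma ** 2))


def credibility(values):
    """Credibility of each source: its support (sum of association degrees
    with the other sources) normalised so the best-supported source gets 1.0."""
    names = list(values)
    support = {n: 0.0 for n in names}
    for i, j in combinations(names, 2):
        a = association_degree(values[i], values[j])
        support[i] += a
        support[j] += a
    top = max(support.values()) or 1.0
    return {n: support[n] / top for n in names}


def bpa_from_threat(v, cred):
    """Basic probability assignment: fuzzy memberships of v in each level,
    discounted by the source's credibility; the withheld mass goes to THETA."""
    mu = {lv: tri_membership(v, *TRIANGLES[lv]) for lv in LEVELS}
    total = sum(mu.values())
    if total == 0.0:                       # value outside every level: ignorance
        return {THETA: 1.0}
    m = {frozenset([lv]): cred * mu[lv] / total for lv in LEVELS if mu[lv] > 0}
    m[THETA] = 1.0 - cred
    return m


def dempster(m1, m2):
    """Dempster's rule: combine two BPAs and normalise away the conflict K."""
    combined, conflict = {}, 0.0
    for a, ma in m1.items():
        for b, mb in m2.items():
            inter = a & b
            if inter:
                combined[inter] = combined.get(inter, 0.0) + ma * mb
            else:
                conflict += ma * mb
    if conflict >= 1.0:
        raise ValueError("total conflict: evidence cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in combined.items()}, conflict


def fuse(values, use_credibility=True):
    """Fuse per-source threat values into one mass over threat levels.
    Returns the fused BPA and the conflict K observed at each combination step."""
    cred = credibility(values) if use_credibility else {n: 1.0 for n in values}
    result, conflicts = None, []
    for name, v in values.items():
        m = bpa_from_threat(v, cred[name])
        if result is None:
            result = m
        else:
            result, k = dempster(result, m)
            conflicts.append(k)
    return result, conflicts


def level_masses(m):
    """Masses of the singleton hypotheses, keyed by level name."""
    return {lv: m.get(frozenset([lv]), 0.0) for lv in LEVELS}


# Constructed threat values for one target at one instant: two sources agree
# on a high threat, the host log disagrees.
THREAT_VALUES = {"firewall": 7.8, "ids": 8.2, "host": 2.0}

if __name__ == "__main__":
    for flag in (False, True):
        m, ks = fuse(THREAT_VALUES, use_credibility=flag)
        print("credibility weighting" if flag else "plain Dempster",
              {k: round(v, 3) for k, v in level_masses(m).items()},
              "conflict per step", [round(k, 3) for k in ks])
```

Without the credibility weights the dissenting host source produces a conflict K above 0.8 at the second combination step and the normalisation drives the whole fused mass onto "medium", the level no well-supported source favoured. With the weights the host source, which agrees with neither of the others, is discounted almost to total ignorance, the conflict drops to about 0.02, and the fused result stays "high" with roughly 0.69 of the mass.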
Example 3:
Based on the same inventive concept, the invention also provides a computer device comprising a processor and a memory for storing a computer program that comprises program instructions, the processor being configured to execute the program instructions stored in the computer storage medium. The processor may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. It is the computational and control core of the terminal, adapted to implement one or more instructions, and in particular to load and execute one or more instructions stored in a computer storage medium so as to carry out the corresponding method flow or functions, i.e. the steps of the method in the embodiments described above.
Example 4:
Based on the same inventive concept, the present invention also provides a storage medium, specifically a computer-readable storage medium (memory), which is a memory device in a computer device for storing programs and data. The computer-readable storage medium here may include both the built-in storage medium of a computer device and extended storage media supported by the computer device. The computer-readable storage medium provides a storage space that stores the operating system of the terminal. The storage space also holds one or more instructions, which may be one or more computer programs (including program code), adapted to be loaded and executed by the processor. The computer-readable storage medium may be a high-speed RAM or a non-volatile memory, such as at least one magnetic disk memory. The one or more instructions stored in the computer-readable storage medium may be loaded and executed by a processor to implement the steps of the methods in the embodiments described above.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the invention can be implemented in various computer languages, such as the object-oriented programming language Java, the scripting language JavaScript and the like.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (18)

1. A multi-source heterogeneous alarm information fusion method based on space-time correlation is characterized by comprising the following steps:
reading multi-source heterogeneous weblog data, and extracting alarm information in the weblog data;
preprocessing the extracted alarm information to obtain multi-source target alarm information;
and determining the credibility of the multi-source target alarm information based on the space-time correlation, and fusing the multi-source target alarm information based on the credibility.
2. The method of claim 1, wherein the multi-source heterogeneous weblog data comprises at least one of: host device log data, network device log data, application system log data, and security device log data.
3. The method of claim 1, wherein preprocessing the extracted alarm information comprises: carrying out normalization processing and merging processing on the extracted alarm information.
4. The method of claim 3, wherein normalizing the extracted alarm information comprises: unifying the log format of the extracted alarm information.
5. The method of claim 3, wherein merging the extracted alarm information comprises: merging alarm information from the same source in the unified log format to obtain homologously merged alarm information in the unified log format, and merging the homologously merged alarm information in the unified log format.
6. The method of claim 5, wherein merging alarm information from the same source in the unified log format comprises: determining the attribute dissimilarity of two alarm messages, and merging the two alarm messages if the attribute dissimilarity is smaller than a preset threshold.
7. The method of claim 1, wherein determining the credibility of the multi-source target alarm information based on the space-time correlation comprises: determining the association degree between any two of the data sources corresponding to the multi-source target alarm information, determining the support degree of each data source from the association degrees, and determining the credibility of the multi-source target alarm information from the support degrees of the data sources.
8. The method of claim 1, wherein fusing the multi-source target alarm information based on the credibility comprises: partitioning the security state of the multi-source target alarm information at a given instant into several threat levels, taking the credibility of the multi-source target alarm information as the weight of its data source, determining the threat value of the multi-source target alarm information from the weight and the threat level, building a membership model of the threat value from triangular fuzzy numbers, and fusing the multi-source target alarm information by applying the Dempster combination rule to the membership model.
9. A multi-source heterogeneous alert information fusion system based on temporal-spatial correlation, the system comprising:
the reading unit is used for reading the multi-source heterogeneous weblog data and extracting the alarm information in the weblog data;
the preprocessing unit is used for preprocessing the extracted alarm information to obtain multi-source target alarm information;
and the fusion unit is used for determining the credibility of the multi-source target alarm information based on the space-time correlation and fusing the multi-source target alarm information based on the credibility.
10. The system of claim 9, wherein the multi-source heterogeneous weblog data comprises at least one of: host device log data, network device log data, application system log data, and security device log data.
11. The system of claim 9, wherein preprocessing the extracted alarm information comprises: carrying out normalization processing and merging processing on the extracted alarm information.
12. The system of claim 11, wherein normalizing the extracted alarm information comprises: unifying the log format of the extracted alarm information.
13. The system of claim 11, wherein merging the extracted alarm information comprises: merging alarm information from the same source in the unified log format to obtain homologously merged alarm information in the unified log format, and merging the homologously merged alarm information in the unified log format.
14. The system of claim 14, wherein merging alarm information from the same source in the unified log format comprises: determining the attribute dissimilarity of two alarm messages, and merging the two alarm messages if the attribute dissimilarity is smaller than a preset threshold.
15. The system of claim 9, wherein determining the credibility of the multi-source target alarm information based on the space-time correlation comprises: determining the association degree between any two of the data sources corresponding to the multi-source target alarm information, determining the support degree of each data source from the association degrees, and determining the credibility of the multi-source target alarm information from the support degrees of the data sources.
16. The system of claim 9, wherein fusing the multi-source target alarm information based on the credibility comprises: partitioning the security state of the multi-source target alarm information at a given instant into several threat levels, taking the credibility of the multi-source target alarm information as the weight of its data source, determining the threat value of the multi-source target alarm information from the weight and the threat level, building a membership model of the threat value from triangular fuzzy numbers, and fusing the multi-source target alarm information by applying the Dempster combination rule to the membership model.
17. A computer device, comprising:
one or more processors;
a processor for executing one or more programs;
the method of any of claims 1-8 is implemented when the one or more programs are executed by the one or more processors.
18. A computer readable storage medium, characterized in that a computer program is stored thereon, which computer program, when executed, implements the method according to any of claims 1-8.
CN202310220484.XA 2023-03-08 2023-03-08 Multi-source heterogeneous alarm information fusion method and system based on space-time correlation Pending CN116483666A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310220484.XA CN116483666A (en) 2023-03-08 2023-03-08 Multi-source heterogeneous alarm information fusion method and system based on space-time correlation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310220484.XA CN116483666A (en) 2023-03-08 2023-03-08 Multi-source heterogeneous alarm information fusion method and system based on space-time correlation

Publications (1)

Publication Number Publication Date
CN116483666A true CN116483666A (en) 2023-07-25

Family

ID=87220365

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310220484.XA Pending CN116483666A (en) 2023-03-08 2023-03-08 Multi-source heterogeneous alarm information fusion method and system based on space-time correlation

Country Status (1)

Country Link
CN (1) CN116483666A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117495592A (en) * 2023-10-13 2024-02-02 陕西小保当矿业有限公司 Alarm grading method and system for mine industrial Internet platform

Similar Documents

Publication Publication Date Title
CN105590055B (en) Method and device for identifying user credible behaviors in network interaction system
He et al. Learning from open-source projects: An empirical study on defect prediction
US10885167B1 (en) Intrusion detection based on anomalies in access patterns
CN112866023B (en) Network detection method, model training method, device, equipment and storage medium
US10693877B2 (en) Evaluating security of data access statements
Liu et al. Web intrusion detection system combined with feature analysis and SVM optimization
CN112636957B (en) Early warning method and device based on log, server and storage medium
CN108092985B (en) Network security situation analysis method, device, equipment and computer storage medium
CN113468520A (en) Data intrusion detection method applied to block chain service and big data server
CN116483666A (en) Multi-source heterogeneous alarm information fusion method and system based on space-time correlation
Kim et al. Cost-effective valuable data detection based on the reliability of artificial intelligence
CN114493255A (en) Enterprise abnormity monitoring method based on knowledge graph and related equipment thereof
CN114595765A (en) Data processing method and device, electronic equipment and storage medium
WO2022126962A1 (en) Knowledge graph-based method for detecting guiding and abetting corpus and related device
CN110443039A (en) Detection method, device and the electronic equipment of plug-in security
Chen et al. BiTCN_DRSN: An effective software vulnerability detection model based on an improved temporal convolutional network
CN111400695B (en) Equipment fingerprint generation method, device, equipment and medium
US20230300156A1 (en) Multi-variate anomalous access detection
CN115964701A (en) Application security detection method and device, storage medium and electronic equipment
Alshammari et al. Internet of things attacks detection and classification using tiered hidden Markov model
CN112511568A (en) Correlation analysis method, device and storage medium for network security event
CN113792114A (en) Credible evaluation method and system for urban field knowledge graph
Shaik et al. Utilizing Blockchain and Deep Learning for Decentralized Discovery of Deceptive Practices in Healthcare Insurance
CN115706669A (en) Network security situation prediction method and system
Ahn et al. Data Embedding Scheme for Efficient Program Behavior Modeling With Neural Networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination