CN116702133A - Alarm information noise reduction strategy determination method and device and storage medium - Google Patents
- Publication number: CN116702133A
- Application number: CN202310665449.9A
- Authority: CN (China)
- Prior art keywords: noise, warning information, information, warning, alarm
- Legal status: Pending
Classifications
- G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action (under G06F21/00 security arrangements for protecting computers, programs or data against unauthorised activity; G06F21/50 monitoring users, programs or devices to maintain platform integrity; G06F21/55 detecting local intrusion or implementing counter-measures)
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (same parent groups as above)
- Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security (under Y04S40/00 systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies)
Abstract
The present disclosure provides a method, apparatus and storage medium for determining a noise reduction strategy for alarm information. It relates to the field of communication technology and solves the technical problem in the related art that a noise reduction strategy cannot be determined efficiently for accurate noise reduction. The method includes: determining first alarm information from at least one security device, the first alarm information including at least one of noise alarm information and non-noise alarm information; inputting the first alarm information into a noise alarm information detection model to determine the noise alarm information in the first alarm information, the detection model containing at least one first noise alarm information judgment rule; and determining a noise reduction strategy for the at least one security device based on the noise alarm information. The present disclosure is used in alarm information noise reduction scenarios.
Description
Technical field
The present disclosure relates to the field of communication technology, and in particular to a method, apparatus and storage medium for determining an alarm information noise reduction strategy.
Background
At present, Internet enterprises deploy various security devices that monitor the enterprise network in real time to safeguard it, block network attacks and record attack alarm logs. However, false positives among attack alarms occur frequently and affect the normal use of the security devices, so how to accurately reduce noise in security device alarm logs has become a technical problem that urgently needs to be solved.
The current common noise reduction approach is to log in manually to each security device, review the alarm information, determine by manual analysis whether it is a false positive, and modify the monitoring and handling policies by hand. Reducing alarm noise in this way involves an excessive workload and many people, and a noise reduction strategy for reducing noise alarm information cannot be determined efficiently.
Summary
The present disclosure provides a method, apparatus and storage medium for determining an alarm information noise reduction strategy, which solves the technical problem in the related art that a noise reduction strategy for reducing noise alarm information cannot be determined efficiently.
To achieve the above purpose, the present disclosure adopts the following technical solutions:
In a first aspect, a method for determining an alarm information noise reduction strategy is provided, including: determining first alarm information from at least one security device, the first alarm information including at least one of noise alarm information and non-noise alarm information; inputting the first alarm information into a noise alarm information detection model to determine the noise alarm information in the first alarm information, the detection model containing at least one first noise alarm information judgment rule; and determining a noise reduction strategy for the at least one security device based on the noise alarm information.
With reference to the first aspect, in one possible implementation the method specifically includes: determining the target data of each piece of second alarm information, where the second alarm information is alarm information obtained from the at least one security device and the target data includes the attacking Internet Protocol (IP) address, the attack behaviour type, the attack method and the attacked IP address; obtaining the attribution information of each piece of second alarm information, where the attribution information is the attribution information of the attacking IP address in the target data; and determining that the first alarm information includes the target data and the attribution information of each piece of second alarm information.
With reference to the first aspect, in one possible implementation the method further includes: receiving third alarm information from the at least one security device; and deleting from the third alarm information the alarm information for which a noise reduction strategy has already been determined, to obtain the second alarm information.
With reference to the first aspect, in one possible implementation the noise alarm information detection model is used to judge, according to the target data and/or attribution information of a target piece of first alarm information, whether the target data of that piece is target data that requires an alarm; when it is not, the target piece of first alarm information is determined to be noise alarm information.
With reference to the first aspect, in one possible implementation the at least one first noise alarm information judgment rule includes at least one of: a virus-class noise alarm judgment rule; a website-attack-method-class noise alarm judgment rule; a network-attack-behaviour-class noise alarm judgment rule; and an abnormal-behaviour-class noise alarm judgment rule. The virus-class rule includes: based on the attacking IP address in the first alarm information and the attribution information of that address, determining whether the attacking IP address already has antivirus and protection functions, and judging the first alarm information to be noise alarm information when it does. The website-attack-method-class rule includes: based on the attack method in the first alarm information, determining whether the attack method is a preset attack method, and judging the first alarm information to be noise alarm information when it is. The network-attack-behaviour-class rule includes: based on the attack behaviour type in the first alarm information, determining whether the attack behaviour type is a preset non-attack behaviour, and judging the first alarm information to be noise alarm information when it is. The abnormal-behaviour-class rule includes: based on the attacking IP address and the attacked IP address in the first alarm information, determining whether the data transmission in the first alarm information is traffic between security devices, and judging the first alarm information to be noise alarm information when it is.
With reference to the first aspect, in one possible implementation the method further includes: determining the noise alarm information and the non-noise alarm information in the first alarm information; generating, based on the target data and/or attribution information of the noise alarm information, a second noise alarm information judgment rule for judging noise data; generating, based on the target data and/or attribution information of the non-noise alarm information, a third noise alarm information judgment rule for judging noise data; and updating the noise alarm information detection model based on the second and third noise alarm information judgment rules.
With reference to the first aspect, in one possible implementation the method further includes: sending the noise reduction strategy to any security device among the at least one security device, so that that security device determines, based on the noise reduction strategy, the noise alarm information in its own alarm information.
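The following Python sketch is an added example written for this page, not the patent's own code. It implements the first-aspect pipeline described above: dropping already-handled alerts (third to second alarm information), attaching attribution information, the four first-round judgment rules, per-device strategy generation, and the model update that derives the second and third rules. The attribution table, preset lists, field names and sample alerts are all constructed assumptions.

```python
"""Added example (not the patent's code): rule-based noise-alert detection model
following the first aspect. Attribution data, presets and alerts are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed attribution data per IP (in practice from an asset inventory).
ATTRIBUTION: Dict[str, dict] = {
    "10.0.0.5": {"has_av": True, "is_secdev": False},      # workstation
    "10.0.0.9": {"has_av": True, "is_secdev": True},       # IDS sensor
    "10.0.0.10": {"has_av": False, "is_secdev": True},     # WAF
    "203.0.113.7": {"has_av": False, "is_secdev": False},  # external host
}
# Preset values the rules compare against (constructed placeholders).
PRESET_ATTACK_METHODS: Set[str] = {"health-check-probe"}
PRESET_NON_ATTACK_BEHAVIOURS: Set[str] = {"authorised-internal-scan"}
Target = Tuple[str, str, str, str]  # (attack IP, behaviour type, method, attacked IP)

@dataclass(frozen=True)
class Alert:
    device: str     # security device that raised the alert
    src_ip: str     # attacking IP address
    behaviour: str  # attack behaviour type
    method: str     # attack method
    dst_ip: str     # attacked IP address

    def target_data(self) -> Target:
        return (self.src_ip, self.behaviour, self.method, self.dst_ip)

# A rule takes (alert, attribution of the attacking IP) and returns True for noise.
Rule = Callable[[Alert, Optional[dict]], bool]

FIRST_RULES: Dict[str, Rule] = {
    # Virus-class: the attacking host already has antivirus/protection
    # (assumption: applied only to virus-type behaviour).
    "virus": lambda a, attr: a.behaviour == "virus" and bool(attr and attr["has_av"]),
    # Website-attack-method-class: the attack method is a preset one.
    "website-method": lambda a, attr: a.method in PRESET_ATTACK_METHODS,
    # Network-attack-behaviour-class: the behaviour is a preset non-attack.
    "behaviour": lambda a, attr: a.behaviour in PRESET_NON_ATTACK_BEHAVIOURS,
    # Abnormal-behaviour-class: traffic between two security devices.
    "inter-device": lambda a, attr: bool(
        attr and attr["is_secdev"] and ATTRIBUTION.get(a.dst_ip, {}).get("is_secdev")),
}

class NoiseDetectionModel:
    """First-round rules plus the second/third rules learned from feedback."""
    def __init__(self, rules: Dict[str, Rule]):
        self.rules = dict(rules)
        self.learned_noise: Set[Target] = set()      # second rule
        self.learned_non_noise: Set[Target] = set()  # third rule

    def classify(self, a: Alert) -> Optional[str]:
        """Name of the rule that marks the alert as noise, or None."""
        t = a.target_data()
        if t in self.learned_non_noise:  # confirmed real alerts are never noise
            return None
        if t in self.learned_noise:
            return "learned-noise"
        attr = ATTRIBUTION.get(a.src_ip)
        return next((n for n, r in self.rules.items() if r(a, attr)), None)

    def update(self, noise: List[Alert], non_noise: List[Alert]) -> None:
        """Derive the second and third rules from classified alerts."""
        self.learned_non_noise |= {a.target_data() for a in non_noise}
        self.learned_noise |= {a.target_data() for a in noise}
        self.learned_noise -= self.learned_non_noise

def drop_already_handled(third: List[Alert], handled: Set[Target]) -> List[Alert]:
    """Third -> second alarm information: drop alerts already covered by a strategy."""
    return [a for a in third if a.target_data() not in handled]

def determine_strategies(model: NoiseDetectionModel, alerts: List[Alert]):
    """Classify alerts; return (per-device suppression strategy, noise, non-noise)."""
    strategy: Dict[str, List[Tuple[Target, str]]] = {}
    noise, non_noise = [], []
    for a in alerts:
        hit = model.classify(a)
        (noise if hit else non_noise).append(a)
        if hit:
            strategy.setdefault(a.device, []).append((a.target_data(), hit))
    return strategy, noise, non_noise

# Constructed sample alerts from three security devices.
SAMPLE_ALERTS = [
    Alert("edr-1", "10.0.0.5", "virus", "file-drop", "10.0.0.50"),
    Alert("waf-1", "203.0.113.7", "web-attack", "health-check-probe", "10.0.0.80"),
    Alert("ids-2", "10.0.0.9", "port-scan", "syn-scan", "10.0.0.10"),
    Alert("ids-2", "203.0.113.7", "web-attack", "sql-injection", "10.0.0.80"),
    Alert("waf-1", "203.0.113.7", "authorised-internal-scan", "nmap", "10.0.0.80"),
]

def run_demo():
    """One round: filter handled alerts, classify, build strategy, update model."""
    model = NoiseDetectionModel(FIRST_RULES)
    handled = {SAMPLE_ALERTS[4].target_data()}  # strategy already determined
    second = drop_already_handled(SAMPLE_ALERTS, handled)
    strategy, noise, non_noise = determine_strategies(model, second)
    model.update(noise, non_noise)
    return strategy, noise, non_noise, model
```

The returned strategy maps each device to the target-data tuples it should suppress and the rule that justified each one; the learned non-noise set guards against a later round suppressing an alert an analyst has already confirmed as real.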
In a second aspect, an apparatus for determining an alarm information noise reduction strategy is provided, including a processing unit. The processing unit is configured to determine first alarm information from at least one security device, the first alarm information including at least one of noise alarm information and non-noise alarm information; to input the first alarm information into a noise alarm information detection model to determine the noise alarm information in the first alarm information, the detection model containing at least one first noise alarm information judgment rule; and to determine a noise reduction strategy for the at least one security device based on the noise alarm information.
With reference to the second aspect, in one possible implementation the apparatus further includes a communication unit, and the processing unit is specifically configured to: determine the target data of each piece of second alarm information, where the second alarm information is alarm information obtained from the at least one security device and the target data includes the attacking IP address, the attack behaviour type, the attack method and the attacked IP address; instruct the communication unit to obtain the attribution information of each piece of second alarm information, where the attribution information is the attribution information of the attacking IP address in the target data; and determine the target data and the attribution information of each piece of second alarm information in the first alarm information.
With reference to the second aspect, in one possible implementation the communication unit is further configured to receive third alarm information from the at least one security device, and the processing unit is specifically configured to delete from the third alarm information the alarm information for which a noise reduction strategy has already been determined, to obtain the second alarm information.
With reference to the second aspect, in one possible implementation the noise alarm information detection model is used to judge, according to the target data and/or attribution information of a target piece of first alarm information, whether the target data of that piece is target data that requires an alarm; the processing unit determines the target piece of first alarm information to be noise alarm information when its target data is not target data that requires an alarm.
With reference to the second aspect, in one possible implementation the at least one first noise alarm information judgment rule includes at least one of: a virus-class noise alarm judgment rule; a website-attack-method-class noise alarm judgment rule; a network-attack-behaviour-class noise alarm judgment rule; and an abnormal-behaviour-class noise alarm judgment rule. The virus-class rule includes: based on the attacking IP address in the first alarm information and the attribution information of that address, determining whether the attacking IP address already has antivirus and protection functions, and judging the first alarm information to be noise alarm information when it does. The website-attack-method-class rule includes: based on the attack method in the first alarm information, determining whether the attack method is a preset attack method, and judging the first alarm information to be noise alarm information when it is. The network-attack-behaviour-class rule includes: based on the attack behaviour type in the first alarm information, determining whether the attack behaviour type is a preset non-attack behaviour, and judging the first alarm information to be noise alarm information when it is. The abnormal-behaviour-class rule includes: based on the attacking IP address and the attacked IP address in the first alarm information, determining whether the data transmission in the first alarm information is traffic between security devices, and judging the first alarm information to be noise alarm information when it is.
With reference to the second aspect, in one possible implementation the processing unit is further configured to: determine the noise alarm information and the non-noise alarm information in the first alarm information; generate, based on the target data and/or attribution information of the noise alarm information, a second noise alarm information judgment rule for judging noise data; generate, based on the target data and/or attribution information of the non-noise alarm information, a third noise alarm information judgment rule for judging noise data; and update the noise alarm information detection model based on the second and third noise alarm information judgment rules.
With reference to the second aspect, in one possible implementation the communication unit is further configured to send the noise reduction strategy to any security device among the at least one security device, so that that security device determines, based on the noise reduction strategy, the noise alarm information in its own alarm information.
In a third aspect, an apparatus for determining an alarm information noise reduction strategy is provided, including a processor and a memory. The memory is used to store computer-executable instructions; when the apparatus runs, the processor executes the computer-executable instructions stored in the memory so that the apparatus performs the method for determining an alarm information noise reduction strategy described in the first aspect and any of its possible implementations.
In a fourth aspect, a computer-readable storage medium is provided, in which instructions are stored. When the instructions in the computer-readable storage medium are executed by the processor of an apparatus for determining an alarm information noise reduction strategy, the apparatus performs the method for determining an alarm information noise reduction strategy described in the first aspect and any of its possible implementations.
In a fifth aspect, a chip is provided, including a processor and a communication interface coupled to the processor. The processor is used to run a computer program or instructions so as to implement the method for determining an alarm information noise reduction strategy described in the first aspect and any of its possible implementations.
In the present disclosure, the name of the apparatus for determining an alarm information noise reduction strategy does not limit the device or functional module itself; in actual implementation these devices or functional modules may appear under other names. As long as the function of each device or functional module is similar to that in the present disclosure, it falls within the scope of the present disclosure and its equivalents.
These and other aspects of the present disclosure will be more clearly understood from the following description.
The technical solution provided by the present disclosure brings at least the following beneficial effects. The apparatus for determining an alarm information noise reduction strategy obtains first alarm information from at least one security device, the first alarm information including at least one of noise alarm information and non-noise alarm information; it inputs the first alarm information into a noise alarm information detection model to determine the noise alarm information in the first alarm information, the detection model containing at least one first noise alarm information judgment rule. In this way the apparatus can screen the first alarm information from the security devices through the detection model and identify the noise alarm information in it, and then determine a noise reduction strategy for the at least one security device based on that noise alarm information. Thus the apparatus provided by the present application can use the model to directly identify the noise alarm information in the alarm information and generate a corresponding noise reduction strategy, which solves the problem in the prior art that manual noise reduction involves an excessive workload and many people, so that a noise reduction strategy for reducing noise alarm information cannot be determined efficiently.
Brief description of the drawings
In order to explain the embodiments of the present disclosure or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below.
FIG. 1 is a schematic structural diagram of a system for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure;
FIG. 2 is a schematic structural diagram of another system for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the hardware structure of an apparatus for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure;
FIG. 4 is a schematic flowchart of a method for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of another method for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure;
FIG. 6 is a schematic flowchart of another method for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure;
FIG. 7 is a schematic flowchart of another method for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure;
FIG. 8 is a schematic flowchart of another method for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure;
FIG. 9 is a schematic structural diagram of another apparatus for determining an alarm information noise reduction strategy provided by an embodiment of the present disclosure.
Detailed description
A method, apparatus and storage medium for determining an alarm information noise reduction strategy provided by the embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
The term "and/or" in this document merely describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone.
The terms "first" and "second" in the specification and drawings of the present disclosure are used to distinguish different objects, or different processing of the same object, rather than to describe a specific order of objects.
In addition, the terms "including" and "having" and any variations thereof mentioned in the description of the present disclosure are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include other steps or units that are not listed, or other steps or units inherent to the process, method, product or device. It should be noted that in the embodiments of the present disclosure, words such as "exemplary" or "for example" are used to indicate an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present disclosure should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the relevant concepts in a concrete manner.
In the description of the present disclosure, unless otherwise specified, "a plurality of" means two or more.
At present, to protect their network information security, Internet companies deploy various security devices. By way of example, the security devices include a web application firewall (WAF), an intrusion detection system (IDS), an intrusion prevention system (IPS), an endpoint protection centre (endpoint detection and response, EDR), a situational awareness platform, a dynamic web application firewall, and so on. The security devices monitor network security in real time; when a network attack such as vulnerability scanning, system command injection or password brute-forcing is detected, the attack is blocked and an attack alarm log is recorded.
However, there are many types of security devices, and their functions, detection techniques, monitoring methods and monitoring policy configurations differ. During the use of security devices, when the network environment, network application deployment, network session protocols or network packet contents change, the monitoring policy configuration of the security device may not be updated in time, which leads to frequent false alarms that affect the normal use of the security devices; these false alarms are the noise alarm information.
Noise alarm information interferes with the judgment of network security monitoring personnel, who must spend a great deal of time and effort judging alarm information to determine whether it is noise alarm information. Security devices must also store alarm information, so noise alarm information seriously wastes their computing and storage resources. Therefore, how to efficiently determine a noise reduction strategy to reduce noise alarm information has become a technical problem that urgently needs to be solved.
The current common noise reduction approach is for technicians to analyse, one by one, each piece of alarm information in the alarm log of each security device to identify the noise alarm information, and then, once it has been identified, to configure a noise reduction strategy on each security device accordingly. The workload is enormous and involves many technicians, and a noise reduction strategy for reducing noise alarm information cannot be determined efficiently.
To solve the technical problems in the related art, the present disclosure provides a method for determining an alarm information noise reduction strategy. The apparatus for determining an alarm information noise reduction strategy obtains first alarm information from at least one security device, the first alarm information including at least one of noise alarm information and non-noise alarm information; it inputs the first alarm information into a noise alarm information detection model to determine the noise alarm information in the first alarm information, the detection model containing at least one first noise alarm information judgment rule. In this way the apparatus screens the first alarm information from the security devices through the detection model and identifies the noise alarm information in it, and then determines a noise reduction strategy for the at least one security device based on that noise alarm information. Thus the apparatus provided by the present application can use the model to directly identify the noise alarm information in the alarm information and generate a corresponding noise reduction strategy, which solves the problem in the prior art that manual noise reduction involves an excessive workload and many people, so that a noise reduction strategy for reducing noise alarm information cannot be determined efficiently.
The method for determining an alarm information noise reduction strategy can be applied to an alarm information noise reduction strategy determination system 100. An alarm information noise reduction strategy determination system 100 provided by an embodiment of the present application is described in detail below with reference to FIG. 1. As shown in FIG. 1, the system 100 provided by an embodiment of the present disclosure includes an alarm information noise reduction strategy determination device 101, at least one security device 102 and an Internet device 103.
The alarm information noise reduction strategy determination device 101 is used to filter noise alarm information out of all the alarm information of the at least one security device 102 and to determine a noise reduction strategy for that noise alarm information. After the noise reduction strategy is determined, it is sent to the at least one security device so that the security device, based on the noise reduction strategy, identifies the noise alarm information in its own alarm information. The purpose of efficiently determining a noise reduction strategy that reduces noise alarm information is thereby achieved.
Optionally, the alarm information noise reduction strategy determination device 101 includes a storage module 101a, a noise alarm information detection module 101b and a strategy generation module 101c. The storage module 101a is used to save the alarm information collected from the at least one security device 102 and, based on the target data of the alarm information stored in the storage module 101a, to obtain from the Internet device 103 the attribution information of the attacking Internet Protocol (IP) address in that target data. The noise alarm information detection module 101b is used to obtain the target data and attribution information from the storage module 101a, determine the noise alarm information through the noise alarm information detection model it contains, and, once the noise alarm information is determined, send the noise alarm information, the target data and the attribution information of the target data to the strategy generation module 101c. The strategy generation module 101c determines a noise reduction strategy for the at least one security device based on the noise alarm information, the target data and the attribution information of the target data.
In a possible implementation, with reference to FIG. 1 and as shown in FIG. 2, the alarm information noise reduction strategy determination device 101 in the system 100 may specifically include an alarm data collection module 201, a data preprocessing module 202, a storage module 203, a processing module 204, a strategy generation module 205 and a strategy deployment module 206.
The security device 102 may specifically include a web application protection system 207, a situational awareness system 208, a dynamic security defense system 209, a network firewall 210 and an endpoint protection center 211.
The alarm data collection module 201 is used to acquire the alarm information of the above security devices and to pass it to the data preprocessing module 202.
The data preprocessing module 202 preprocesses the alarm information from the alarm data collector, determines the target data, obtains from the Internet device 212 the attribution information of the attacking IP address in the target data according to the target data, and sends the target data and its attribution information to the storage module 203 for storage.
The processing module 204 is divided into a model layer, an algorithm layer, a platform framework layer and a base layer. The base layer includes central processing units (CPU), graphics processing units (GPU) and field programmable gate arrays (FPGA) used to compute on the data; the platform framework layer includes the engine framework that makes up the platform; the algorithm layer includes algorithms such as machine learning, deep learning and neural networks; the model layer includes model orchestration and model training, and is used to determine the noise alarm information based on the target data and attribution information stored in the storage module 203 and the noise alarm information detection model, to perform model training on the target data and attribution information of the alarm information within a preset time period so as to update the noise alarm information detection model, and to send the noise alarm information to the strategy generation module 205 once it has been determined.
The strategy generation module 205 processes and orchestrates the noise alarm information, determines the noise reduction strategies for the web application protection system 207, situational awareness system 208, dynamic security defense system 209, network firewall 210 and endpoint protection center 211, and sends them to the strategy deployment module 206.
The strategy deployment module 206 deploys the noise reduction strategies to the web application protection system 207, situational awareness system 208, dynamic security defense system 209, network firewall 210 and endpoint protection center 211, so that these security devices identify, based on the noise reduction strategies, the noise alarm information in their own alarm information.
By way of example, Table 1 shows statistics of the quantities of different alarm information obtained from the security devices.
Table 1
The proportions of the different alarm information are: botnet 13%, system command injection 6%, abnormal Socks traffic 17%, Trojan virus 16%, infectious virus 19%, information-stealing programs 5%, SNMP weak passwords 15%, remote-control behaviour 2%, rogue software 1%, mining virus 5%, other 1%. The attack types of the above alarm information mainly fall into four classes: Trojan viruses, network attacks, abnormal behaviour and SNMP weak passwords. In a possible implementation, different noise alarm information judgement rules can be preset for alarm information belonging to each of these four attack types.
The basic hardware structure of the alarm information noise reduction strategy determination device 101 in the above system includes the elements of the alarm information noise reduction strategy determination device 300 shown in FIG. 3; the device 300 of FIG. 3 is used below as an example to introduce the hardware structure of the device 101. As shown in FIG. 3, the device 300 includes at least one processor 301, a communication line 302 and at least one communication interface 304, and may further include a memory 303. The processor 301, the memory 303 and the communication interface 304 may be connected to one another through the communication line 302.
The processor 301 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present disclosure, for example one or more digital signal processors (DSP) or one or more field programmable gate arrays (FPGA).
The communication line 302 may include a path for transferring information between the above components.
The communication interface 304 is used to communicate with other devices or communication networks and may be any transceiver-type apparatus, such as Ethernet, a radio access network (RAN), a wireless local area network (WLAN), etc.
The memory 303 may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these.
In one possible design, the memory 303 may exist independently of the processor 301, i.e. the memory 303 may be external to the processor 301; in this case the memory 303 may be connected to the processor 301 through the communication line 302 and is used to store execution instructions or application program code whose execution is controlled by the processor 301, so as to implement the method for determining an alarm information noise reduction strategy provided by the embodiments of the present disclosure below. In another possible design, the memory 303 may be integrated with the processor 301, i.e. the memory 303 may be an internal memory of the processor 301, for example a cache used to temporarily store some data and instruction information.
As one implementation, the processor 301 may include one or more CPUs, such as CPU0 and CPU1 in FIG. 3. As another implementation, the device 300 may include multiple processors, such as the processor 301 and the processor 307 in FIG. 3. As yet another implementation, the device 300 may further include an output device 305 and an input device 306.
The method for determining an alarm information noise reduction strategy provided by the embodiments of the present disclosure is described in detail below.
As shown in FIG. 4, the method for determining an alarm information noise reduction strategy provided by the present disclosure includes the following steps S401 to S403, described in detail below.
S401. The alarm information noise reduction strategy determination device determines first alarm information from at least one security device.
The first alarm information includes at least one of the following: noise alarm information and non-noise alarm information.
It can be understood that noise alarm information is alarm information falsely reported by a security device because, during its use, the monitoring policy configuration of the device was not updated in time when the network environment, network application deployment, network session protocols or network packet contents changed.
S402. The alarm information noise reduction strategy determination device inputs the first alarm information into a noise alarm information detection model and determines the noise alarm information in the first alarm information.
The detection model contains at least one first noise alarm information judgement rule.
In a possible implementation, since the noise alarm information detection model contains at least one first noise alarm information judgement rule, the alarm information noise reduction strategy determination device can determine the noise alarm information in the first alarm information according to that first noise alarm information judgement rule.
By way of example, the first alarm information from a security device indicates that the attacking IP address is a virus IP address.
The alarm information noise reduction strategy determination device inputs this first alarm information into the noise alarm information detection model, which determines that the supposed virus IP address is in fact an IP address that has a virus protection function, so the first alarm information is a false alarm. The device therefore determines that this first alarm information is noise alarm information.
S403. The alarm information noise reduction strategy determination device determines a noise reduction strategy for the at least one security device based on the noise alarm information.
Continuing the example of S402, the alarm information noise reduction strategy determination device generates a noise reduction strategy for the IP address that has the virus protection function and sends it to the at least one security device, so that the security device can, according to that strategy, filter out alarm information that identifies this IP address as a virus IP address.
The technical solution provided by the above embodiment can at least bring the following beneficial effects: the alarm information noise reduction strategy determination device acquires first alarm information from at least one security device, where the first alarm information includes at least one of noise alarm information and non-noise alarm information; the device inputs the first alarm information into a noise alarm information detection model to determine the noise alarm information in the first alarm information, the detection model containing at least one first noise alarm information judgement rule, so that the noise alarm information in the first alarm information from the security device is determined by screening through the detection model; and the device determines a noise reduction strategy for the at least one security device based on the noise alarm information. In other words, the first alarm information from the security devices is screened uniformly through the detection model, so the noise alarm information and the corresponding noise reduction strategies are determined efficiently, achieving the purpose of efficiently determining a noise reduction strategy that reduces noise alarm information.
In a possible implementation, with reference to FIG. 4 and as shown in FIG. 5, the process of S401 in which the alarm information noise reduction strategy determination device determines first alarm information from at least one security device may specifically be implemented through the following S501 to S503, described in detail below.
S501. The alarm information noise reduction strategy determination device determines the target data of each piece of second alarm information.
The second alarm information is alarm information obtained from the at least one security device; the target data includes the attacking Internet Protocol (IP) address, the attack behaviour type, the attack method and the attacked IP address.
It should be understood that the target data covers all attacker-side data, all attacked-side data, the time of the attack and so on, and is not limited to the attacking IP address, attack behaviour type, attack method and attacked IP address listed above. In a possible implementation, the target data further includes at least one of the following: the attacked port number, the attacker's request protocol, the attacker's request method, the Host header, the uniform resource locator (URL), the attacker's request parameters, the status code returned by the attacked host, the bytes requested by the attacker, the bytes returned by the attacked host, and the date and time of the attack.
S502. The alarm information noise reduction strategy determination device acquires the attribution information of each piece of second alarm information.
The attribution information is the attribution information of the attacking IP address in the target data.
In a possible implementation, the alarm information noise reduction strategy determination device may obtain the attribution information of the attacking IP address from an Internet device.
By way of example, the attribution information includes at least one of the following: the region to which the attacking IP address belongs, the network service provider to which it belongs, the autonomous system (AS) to which it belongs, and information on its recent attack activity.
S503. The alarm information noise reduction strategy determination device determines that the first alarm information includes the target data and the attribution information of each piece of second alarm information.
It can be understood that the alarm information noise reduction strategy determination device can obtain the attribution information of the attacking IP address based on the attacking IP address in the target data of each piece of second alarm information; this attribution information can be used to improve the accuracy with which the device determines noise alarm information and to update the noise alarm information detection model.
It should be pointed out that the alarm information noise reduction strategy determination device will not necessarily be able to obtain attribution information for every attacking IP address. For target data without attribution information, the device can still judge whether the first alarm information is noise alarm information according to the relevant information in the target data.
The technical solution provided by the above embodiment can at least bring the following beneficial effects: the alarm information noise reduction strategy determination device determines the target data of each piece of second alarm information, where the second alarm information is alarm information obtained from the at least one security device and the target data includes the attacking IP address, the attack behaviour type, the attack method and the attacked IP address; and it obtains the attribution information of the attacking IP address based on the attacking IP address in the target data. That is, the second alarm information from the at least one security device is preprocessed, which yields the target data and the attribution information of the target data that are input into the noise alarm information detection model to determine the noise alarm information in the first alarm information.
In a possible implementation, with reference to FIG. 5 and as shown in FIG. 6, before S501 in which the alarm information noise reduction strategy determination device determines the target data of each piece of second alarm information, the method further includes the following S601 to S602, described in detail below.
S601. The alarm information noise reduction strategy determination device receives third alarm information from at least one security device.
It can be understood that the third alarm information is all the alarm information obtained directly from the at least one security device without any screening; it includes alarm information for which a noise reduction strategy has already been determined and alarm information for which no noise reduction strategy has been determined.
S602. The alarm information noise reduction strategy determination device deletes from the third alarm information the alarm information for which a noise reduction strategy has already been determined, and determines the second alarm information.
In a possible implementation, after receiving all the third alarm information from the at least one security device, the alarm information noise reduction strategy determination device screens the third alarm information and, based on the alarm information for which a noise reduction strategy has already been determined, determines the alarm information in the third alarm information for which no noise reduction strategy has yet been determined as the second alarm information.
The technical solution provided by the above embodiment can at least bring the following beneficial effects: after receiving the third alarm information from the at least one security device, the alarm information noise reduction strategy determination device screens the third alarm information and, based on the alarm information for which a noise reduction strategy has already been determined, determines the alarm information in the third alarm information for which no noise reduction strategy has yet been determined as the second alarm information. The purpose of filtering, out of all the third alarm information from the at least one security device, the alarm information for which no noise reduction strategy has yet been determined is thereby achieved.
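The preprocessing of S601 to S602 and S501 to S503 above, written out as an added Python example that is not part of the patent: raw alarms from several devices are normalised into target data, alarms already covered by a deployed strategy are dropped, and each remaining alarm is enriched with attribution (which may be unavailable). The field names, sample alarms, deployed strategy and attribution table are constructed assumptions, not the patent's own schema.

```python
"""Added example, not part of the patent: turning the raw "third alarm
information" (S601) into the "first alarm information" of S503 by dropping
alarms already covered by a deployed strategy (S602), extracting the target
data (S501) and enriching it with attribution (S502). Field names, sample
alarms, the deployed strategy and the attribution table are constructed."""
from typing import Dict, Iterable, List, Optional

# Constructed raw alarms from three devices with heterogeneous field names.
RAW_ALARMS: List[Dict] = [
    {"device": "WAF-207", "src": "203.0.113.10", "dst": "10.0.0.5",
     "type": "web_attack", "method": "sql_injection", "dport": 443,
     "url": "/login", "status": 403, "ts": "2023-06-01T10:00:00"},
    {"device": "EDR-211", "attacker_ip": "10.0.0.9", "victim_ip": "10.0.0.5",
     "category": "trojan", "technique": "c2_beacon", "ts": "2023-06-01T10:01:00"},
    {"device": "FW-210", "src": "10.0.0.2", "dst": "10.0.0.3",
     "type": "abnormal_behavior", "method": "socks_traffic", "dport": 1080,
     "ts": "2023-06-01T10:02:00"},
]

# Constructed stand-in for the lookup against the Internet device (S502).
ATTRIBUTION_DB: Dict[str, Dict] = {
    "203.0.113.10": {"region": "example-region", "isp": "example-isp",
                     "asn": "AS64496", "recent_attacks": 12},
    "10.0.0.9": {"region": "internal", "isp": "corp", "asn": None,
                 "recent_attacks": 0, "has_av_protection": True},
}

# Constructed strategy already deployed on FW-210: traffic between these two
# security devices was classified as noise in an earlier run.
DEPLOYED_STRATEGIES: List[Dict] = [
    {"device": "FW-210", "match": {"src_ip": "10.0.0.2", "dst_ip": "10.0.0.3"}},
]

# Per-field aliases used by the different devices (assumed, not the patent's).
ALIASES: Dict[str, Iterable[str]] = {
    "src_ip": ("src", "attacker_ip"), "dst_ip": ("dst", "victim_ip"),
    "attack_type": ("type", "category"), "attack_method": ("method", "technique"),
    "dst_port": ("dport",), "url": ("url",), "status": ("status",), "time": ("ts",),
}


def extract_target_data(alarm: Dict) -> Dict:
    """S501: normalise one raw alarm into the target-data fields."""
    target = {field: next((alarm[n] for n in names if n in alarm), None)
              for field, names in ALIASES.items()}
    target["device"] = alarm["device"]
    return target


def is_covered(target: Dict, strategy: Dict) -> bool:
    """True when a strategy deployed on the same device matches every field."""
    return strategy["device"] == target["device"] and all(
        target.get(k) == v for k, v in strategy["match"].items())


def filter_unhandled(targets: List[Dict], deployed: List[Dict]) -> List[Dict]:
    """S602: keep only alarms for which no strategy has been determined yet."""
    return [t for t in targets if not any(is_covered(t, s) for s in deployed)]


def lookup_attribution(ip: Optional[str], db: Dict[str, Dict]) -> Optional[Dict]:
    """S502: attribution is not always obtainable; callers must accept None."""
    return db.get(ip) if ip else None


def build_first_alarms(raw: List[Dict], deployed: List[Dict],
                       db: Dict[str, Dict]) -> List[Dict]:
    """S601 to S503 end to end. Normalisation runs before the S602 comparison
    so that a deployed strategy matches regardless of a device's field names."""
    targets = [extract_target_data(a) for a in raw]
    return [{"target": t, "attribution": lookup_attribution(t["src_ip"], db)}
            for t in filter_unhandled(targets, deployed)]


if __name__ == "__main__":
    for fa in build_first_alarms(RAW_ALARMS, DEPLOYED_STRATEGIES, ATTRIBUTION_DB):
        print(fa["target"]["device"], fa["target"]["src_ip"], fa["attribution"])
```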
In a possible implementation, the noise alarm information detection model is used to judge, according to the target data and/or the attribution information in a target piece of first alarm information, whether the target data of that first alarm information is target data that needs to be alarmed on, and to determine that the target first alarm information is noise alarm information when its target data is not target data that needs an alarm.
In a possible implementation, the first noise alarm information judgement rule includes at least one of the following: a virus-class noise alarm judgement rule; a website-attack-method-class noise alarm judgement rule; a network-attack-behaviour-class noise alarm judgement rule; and an abnormal-behaviour-class noise alarm judgement rule.
The virus-class noise alarm judgement rule includes: based on the attacking IP address in the first alarm information and the attribution information of that attacking IP address, determining whether the attacking IP address already has antivirus and protection functions, and judging the first alarm information to be noise alarm information when it does.
The website-attack-method-class noise alarm judgement rule includes: based on the attack method in the first alarm information, determining whether the attack method is a preset attack method, and judging the first alarm information to be noise alarm information when it is.
The network-attack-behaviour-class noise alarm judgement rule includes: based on the attack behaviour type in the first alarm information, determining whether the attack behaviour type is a preset non-attack behaviour, and judging the first alarm information to be noise alarm information when it is.
The abnormal-behaviour-class noise alarm judgement rule includes: based on the attacking IP address and the attacked IP address in the first alarm information, determining whether the data transmission in the first alarm information is traffic between security devices, and judging the first alarm information to be noise alarm information when it is.
In a possible implementation, the noise alarm information detection device determines, according to the target data and/or attribution information in the target first alarm information, which of the above four attack types the first alarm information belongs to, and judges whether the first alarm information is noise alarm information according to the noise alarm judgement rule of the corresponding type.
By way of example, the noise alarm information detection device determines, according to the target data and/or attribution information in the target first alarm information, that the first alarm information belongs to the SNMP weak password type within the network attack behaviour class; it then further determines whether the host with the SNMP weak password is a network printer or other computer network peripheral, and judges the first alarm information to be noise alarm information when it is.
It can be understood that the above first noise alarm information judgement rules are only examples, and the first noise alarm information judgement rules of the present disclosure are not limited to them. The alarm information noise reduction strategy determination device can generate new noise alarm information judgement rules for identifying noise data based on the target data and attribution information of the alarm information, and update the first noise alarm information judgement rules in the noise alarm information detection model.
In one possible implementation, with reference to FIG. 4 and as shown in FIG. 7, after the above S402 (the alarm information noise reduction strategy determination device inputs the first alarm information into the noise alarm information detection model and determines the noise alarm information in the first alarm information), the method further includes the following S701-S704, described in detail below.
S701. The alarm information noise reduction strategy determination device determines the noise alarm information and the non-noise alarm information in the first alarm information.
In one possible implementation, after the alarm information noise reduction strategy determination device inputs the first alarm information into the noise alarm information detection model, it can determine the noise alarm information and the non-noise alarm information in the first alarm information according to the first noise alarm information judgment rules in the model.
S702. The alarm information noise reduction strategy determination device generates, based on the target data and/or attribution information of the noise alarm information, a second noise alarm information judgment rule for judging noise data.
For example, if the target data of the noise alarm information indicates that the attacking IP address is an infected IP address, the alarm information noise reduction strategy determination device determines, based on that noise alarm information, a second noise alarm information judgment rule including: if the first alarm information received by the device indicates that the attacking IP address is an infected IP address, the first alarm information is determined to be noise alarm information.
S703. The alarm information noise reduction strategy determination device generates, based on the target data and/or attribution information of the non-noise alarm information, a third noise alarm information judgment rule for judging noise data.
For example, if the target data of the non-noise alarm information indicates that the attack type is an information-stealing program and the attacking IP address belongs to region A, the alarm information noise reduction strategy determination device determines, based on that non-noise alarm information, a third noise alarm information judgment rule including: if the first alarm information received by the device indicates that the attack type is an information-stealing program and the attacking IP address belongs to region A, the first alarm information is determined to be non-noise alarm information.
S704. The alarm information noise reduction strategy determination device updates the noise alarm information detection model based on the second noise alarm information judgment rule and the third noise alarm information judgment rule.
In one possible implementation, after each noise alarm information judgment, the alarm information noise reduction strategy determination device saves the target data, the attribution information and the corresponding judgment result to its storage module. Within a preset period, the device determines multiple second noise alarm information judgment rules and multiple third noise alarm information judgment rules from the data in the storage module; when the noise alarm information detection model does not yet include these second and third rules, the device adds them to the model.
The technical solution provided by the above embodiment can bring at least the following beneficial effects: after the alarm information noise reduction strategy determination device determines the noise alarm information and the non-noise alarm information in the first alarm information, it generates, based on the target data and/or attribution information of the noise alarm information, a second noise alarm information judgment rule for judging noise data, and generates, based on the target data and/or attribution information of the non-noise alarm information, a third noise alarm information judgment rule for judging noise data. The device then updates the noise alarm information detection model based on the second and third noise alarm information judgment rules. The device can therefore update the noise alarm information detection model from the data and result of each noise alarm information judgment.
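The four first judgment rules above (virus, website attack method, network attack behavior, behavior anomaly) together with the S701-S704 rule-learning loop, as an added Python example that is not part of the patent: the attribution records, preset lists, alert batch and the behavior-plus-region signature of the learned rules are all constructed assumptions, and evaluating learned rules before the first rules is likewise an assumption the patent does not state.

```python
# Added illustrative example, not code from the patent; attribution data,
# preset lists and the learned-rule signature are all assumptions.
from dataclasses import dataclass
# Constructed attribution records for IP addresses (all values are made up).
ATTRIBUTION = {
    "10.0.0.5":     {"region": "A", "has_av": True,  "security_device": False},
    "10.0.0.9":     {"region": "B", "has_av": False, "security_device": False},
    "10.0.1.1":     {"region": "A", "has_av": False, "security_device": True},
    "10.0.1.2":     {"region": "A", "has_av": False, "security_device": True},
    "198.51.100.7": {"region": "A", "has_av": False, "security_device": False},
}
# Hypothetical preset lists; the patent names the categories, not the entries.
PRESET_ATTACK_METHODS = {"vuln-scan-probe"}
PRESET_NON_ATTACK_BEHAVIORS = {"snmp-weak-password:printer"}

@dataclass(frozen=True)
class Alert:
    src_ip: str    # attacking IP address
    dst_ip: str    # attacked IP address
    behavior: str  # attack behavior type
    method: str    # attack method

# Each rule returns True (noise), False (must be alarmed) or None (no opinion).
def virus_rule(a, attribution):
    # Virus class: the attacking host already has antivirus/protection.
    return True if attribution.get(a.src_ip, {}).get("has_av") else None

def website_method_rule(a, attribution):
    # Website attack method class: the attack method is on the preset list.
    return True if a.method in PRESET_ATTACK_METHODS else None

def network_behavior_rule(a, attribution):
    # Network attack behavior class: the behavior is a preset non-attack.
    return True if a.behavior in PRESET_NON_ATTACK_BEHAVIORS else None

def anomaly_rule(a, attribution):
    # Behavior anomaly class: the traffic flows between two security devices.
    both = all(attribution.get(ip, {}).get("security_device") for ip in (a.src_ip, a.dst_ip))
    return True if both else None

FIRST_RULES = [virus_rule, website_method_rule, network_behavior_rule, anomaly_rule]

class NoiseDetectionModel:
    def __init__(self, first_rules):
        self.first_rules = list(first_rules)
        self.learned = {}  # key -> rule, so S704 can skip rules already present

    def is_noise(self, a, attribution):
        # Assumption: learned rules run first, since they encode verdicts already made.
        for rule in list(self.learned.values()) + self.first_rules:
            verdict = rule(a, attribution)
            if verdict is not None:
                return verdict
        return False  # nothing fired: the data still needs alarming (non-noise)

    def update(self, new_rules):
        # S704: add only the rules the model does not already contain.
        added = 0
        for key, rule in new_rules:
            if key not in self.learned:
                self.learned[key] = rule
                added += 1
        return added

def derive_rule(a, attribution, is_noise):
    # S702 (is_noise=True) / S703 (is_noise=False): build a rule from a judged alert.
    # Assumed signature: behavior type + attacking IP's region ("info-stealer from region A").
    region = attribution.get(a.src_ip, {}).get("region")
    key = (a.behavior, region, is_noise)
    def rule(x, attr):
        same = x.behavior == a.behavior and attr.get(x.src_ip, {}).get("region") == region
        return is_noise if same else None
    return key, rule

def learning_round(model, alerts, attribution):
    # S701-S704 for one batch: judge, derive rules, update; returns (noise_count, rules_added).
    verdicts = [(a, model.is_noise(a, attribution)) for a in alerts]
    new_rules = [derive_rule(a, attribution, v) for a, v in verdicts]
    return sum(v for _, v in verdicts), model.update(new_rules)

# Constructed alert batch; each comment names the first rule expected to fire.
BATCH = [
    Alert("10.0.0.5", "10.0.0.50", "malware-c2", "http"),                  # virus rule
    Alert("198.51.100.7", "10.0.0.50", "info-stealer", "http"),            # none: alarm
    Alert("10.0.1.1", "10.0.1.2", "port-scan", "tcp"),                     # anomaly rule
    Alert("10.0.0.9", "10.0.0.50", "snmp-weak-password:printer", "snmp"),  # behavior rule
    Alert("10.0.0.9", "10.0.0.50", "brute-force", "vuln-scan-probe"),      # method rule
]

def demo():
    model = NoiseDetectionModel(FIRST_RULES)
    noise, added = learning_round(model, BATCH, ATTRIBUTION)
    _, added_again = learning_round(model, BATCH, ATTRIBUTION)  # same batch: nothing new
    # The learned third rule (info-stealer from region A must alarm) now outranks
    # the virus rule for a protected host reporting that behavior.
    later = Alert("10.0.0.5", "10.0.0.50", "info-stealer", "http")
    return noise, added, added_again, model.is_noise(later, ATTRIBUTION)  # (4, 5, 0, False)
```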
In one possible implementation, with reference to FIG. 4 and as shown in FIG. 8, after the above S403 (the alarm information noise reduction strategy determination device determines the noise reduction strategy of at least one security device based on the noise alarm information), the method further includes the following S801, described in detail below.
S801. The alarm information noise reduction strategy determination device sends the noise reduction strategy to any security device among the at least one security device, so that that security device determines, based on the noise reduction strategy, the noise alarm information in its own alarm information.
In one possible implementation, the alarm information noise reduction strategy determination device sends the generated noise reduction strategy to any of the above security devices, so that the security device adds the noise alarm information features included in the noise reduction strategy to its whitelist; the security device can then identify the noise alarm information in its own alarm information from those features.
The technical solution provided by the above embodiment can bring at least the following beneficial effects: the alarm information noise reduction strategy determination device sends the noise reduction strategy to any security device among the at least one security device, so that that security device determines, based on the noise reduction strategy, the noise alarm information in its own alarm information. This achieves the goal of reducing the noise alarm information of the security devices.
The alarm information noise reduction strategy determination method involved in the embodiments of the present disclosure has been described in detail above.
It can be seen that the above mainly introduces the technical solution provided by the embodiments of the present disclosure from the perspective of the method. To realize the above functions, it includes hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that, in combination with the modules and algorithm steps of the examples described in the embodiments disclosed herein, the embodiments of the present disclosure can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of the present disclosure.
The embodiments of the present disclosure may divide the alarm information noise reduction strategy determination apparatus into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. Optionally, the division of modules in the embodiments of the present disclosure is schematic and is only a logical division of functions; other divisions are possible in actual implementation.
FIG. 9 is a schematic structural diagram of an alarm information noise reduction strategy determination apparatus 900 provided by an embodiment of the present disclosure.
The alarm information noise reduction strategy determination apparatus 900 includes a processing unit 902. The processing unit 902 is configured to determine first alarm information from at least one security device, where the first alarm information includes at least one of: noise alarm information, non-noise alarm information. The processing unit 902 is further configured to input the first alarm information into the noise alarm information detection model and determine the noise alarm information in the first alarm information, the detection model including at least one first noise alarm information judgment rule. The processing unit 902 is further configured to determine a noise reduction strategy for the at least one security device based on the noise alarm information.
In one possible implementation, the alarm information noise reduction strategy determination apparatus 900 further includes a communication unit 901. The processing unit 902 is specifically configured to determine the target data of each piece of second alarm information, where the second alarm information is alarm information obtained from the at least one security device and the target data includes: the attacking Internet Protocol (IP) address, the attack behavior type, the attack method and the attacked IP address; to instruct the communication unit 901 to obtain the attribution information of each piece of second alarm information, where the attribution information is the attribution information of the attacking IP address in the target data; and to determine the target data and attribution information of each piece of second alarm information in the first alarm information.
In one possible implementation, the communication unit 901 is further configured to receive third alarm information from the at least one security device, and the processing unit 902 is specifically configured to delete from the third alarm information the alarm information for which a noise reduction strategy has already been determined, thereby determining the second alarm information.
In one possible implementation, the noise alarm information detection model is used to judge, from the target data and/or attribution information in the target first alarm information, whether the target data of the target first alarm information is target data that needs to be alarmed; when the target data of the target first alarm information is not target data that needs to be alarmed, the processing unit 902 determines the target first alarm information to be noise alarm information.
In one possible implementation, the at least one first noise alarm information judgment rule includes at least one of the following: a virus-class noise alarm judgment rule; a website attack method-class noise alarm judgment rule; a network attack behavior-class noise alarm judgment rule; a behavior anomaly-class noise alarm judgment rule;
The virus-class noise alarm judgment rule includes: based on the attacking IP address in the first alarm information and the attribution information of the attacking IP address, determining whether the attacking IP address already has antivirus and protection functions, and, if it does, judging the first alarm information to be the noise alarm information;
The website attack method-class noise alarm judgment rule includes: based on the attack method in the first alarm information, determining whether the attack method is a preset attack method, and, if it is, judging the first alarm information to be the noise alarm information;
The network attack behavior-class noise alarm judgment rule includes: based on the attack behavior type in the first alarm information, determining whether the attack behavior type is a preset non-attack behavior, and, if it is, judging the first alarm information to be the noise alarm information;
The behavior anomaly-class noise alarm judgment rule includes: based on the attacking IP address and the attacked IP address in the first alarm information, determining whether the data transmission in the first alarm information is traffic data transmission between security devices, and, if it is, judging the first alarm information to be the noise alarm information.
In one possible implementation, the processing unit 902 is further configured to: determine the noise alarm information and the non-noise alarm information in the first alarm information; generate, based on the target data and/or attribution information of the noise alarm information, a second noise alarm information judgment rule for judging noise data; generate, based on the target data and/or attribution information of the non-noise alarm information, a third noise alarm information judgment rule for judging noise data; and update the noise alarm information detection model based on the second noise alarm information judgment rule and the third noise alarm information judgment rule.
In one possible implementation, the communication unit 901 is further configured to send the noise reduction strategy to any security device among the at least one security device, so that that security device determines, based on the noise reduction strategy, the noise alarm information in its own alarm information.
An embodiment of the present disclosure further provides an alarm information noise reduction strategy determination apparatus that includes a processor and a memory. The memory is used to store computer-executable instructions; when the apparatus runs, the processor executes the computer-executable instructions stored in the memory, so that the apparatus performs the alarm information noise reduction strategy determination method described in the embodiments of the present disclosure.
An embodiment of the present disclosure provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the alarm information noise reduction strategy determination method of the above method embodiments.
An embodiment of the present disclosure provides a chip that includes a processor and a communication interface coupled to the processor; the processor is used to run computer programs or instructions to implement the alarm information noise reduction strategy determination method of the above method embodiments.
The computer-readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of computer-readable storage media include: an electrical connection with one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), registers, a hard disk, optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, any suitable combination of the above, or any other form of computer-readable storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may also be a component of the processor. The processor and the storage medium may reside in an application-specific integrated circuit (ASIC). In the embodiments of the present disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device.
Since the apparatus, device, computer-readable storage medium and computer program product in the embodiments of the present disclosure can be applied to the above method, the technical effects they achieve can likewise be found in the above method embodiments and are not repeated here.
The above are only specific embodiments of the present disclosure, but the protection scope of the present disclosure is not limited thereto; any change or substitution within the technical scope disclosed herein shall fall within the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310665449.9A CN116702133A (en) | 2023-06-06 | 2023-06-06 | Alarm information noise reduction strategy determination method and device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116702133A true CN116702133A (en) | 2023-09-05 |
Family
ID=87842782
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||